As evidenced by Bloomberg Businessweek's recent article entitled "The SEC Says Speak Up About Hack Attacks," tension has begun to grow between at least six of the Fortune 500 companies and the Securities and Exchange Commission (SEC) of the United States government over recent cyber-attacks on the systems of these companies. Charged with protecting investors, the SEC has employed a “voluntary disclosure plan” through which corporations can choose to report potential or minor cyber security threats, such as the attack on Amazon’s Zappos that resulted in the information hacking of 24 million customers.
At this point in time, the law of the SEC requires that companies must disclose ‘material’ information, meaning data based on revenue that could affect the decisions made by investors. The relationship that Amazon has with Zappos did not, at the company’s discretion, qualify as major enough to report a breach in Zappos security officially for the sake of investors (though it should be noted that Amazon did inform its customers of the attack in an unofficial capacity). Why, then, have Amazon, Google, and four other Fortune 500 companies officially reported cyber-attacks which could damage their respective images in the eyes of investors and reveal vulnerabilities to rival businesses?
Simply put, snail mail has been the method through which the SEC cracks the whip upon the backs of these major corporations. The SEC sent “dozens of letters” asking the companies about attacks and later bullying these companies into disclosing the attacks. The SEC has been able to throw around their regulatory weight in order to force companies to divulge information that the law does not require them to divulge. I repeat, these reports of cyber-attacks are not required by law. The federal government has turned their capacity as watch-dog for investors into school-yard tyranny. Given a choice, no company would intentionally damage their reputation and risk future revenue from investors unless the alternative was worse. In this case, it is. Litigation brought about by the SEC can cost millions of dollars if companies are not on good terms with SEC regulators, and litigation drains time and resources. Under the guise of protecting investors, the SEC has begun a power trip that will not end with a few major companies and is, quite frankly, unfair.
The information that these companies are being forced to reveal, if it is not considered materially significant by the company, would (in an ideal world) not influence investors. These companies are resisting reporting these minor attacks and potential breaches partly because the average investor will assume an incident reported is more severe than it truly is, as law requires only pertinent attacks to be reported. Once the standard by which companies report attacks becomes murky, investors have no firm knowledge of what constitutes a relevant attack, and therefore cannot make an informed decision.
The struggle between big business and those attempting to regulate it has taken a new and disturbing turn with the SEC using their power to force companies into reporting information they have no legal obligation to report. Future investors must take these reports with a grain of salt and remain aware of this struggle to make wise decisions.
Bloomberg Businessweek magazine, September 10, 2012- September 16, 2012
U.S. Securities and Exchange Commission official website http://www.sec.gov/index.htm
Dr. J.P. Krahel (definition of "material" revenue)