Should Hacked Companies Disclose Their Losses?

derekmead writes "By law, US companies don't have to say a word about hacker attacks, regardless of how much it might've cost their bottom line. Comment, the group of Chinese hackers suspected in the recent-reported Coke breach, also broke into the computers of the world's largest steel company, ArcelorMittal. ArcelorMittal doesn't know exactly how much was stolen and didn't think it was relevant to share news of the attack with its shareholders. Same goes for Lockheed Martin who fended off a 'significant and tenacious' attack last May but failed to disclose the details to investors and the Securities Exchange Commission. Dupont got hit twice by Chinese hackers in 2009 and 2010 and didn't say a word. Former U.S. counterintelligence chief Joel Brenner recently said that over 2,000 companies, ISPs and research centers had been hit by Chinese hackers in the past decade and few of them told their shareholders about it. This is even after the SEC has made multiple requests for companies to come clean about cyber security breaches in their quarterly or annual earnings reports. Because the potential losses, do hacked companies have a responsibility to report security breaches to investors?"

Of course they should.

[vikingpower]

You're responsible toward your shareholders. If you don't have any, at least the board & upper management should be in the know.

Re:Of course they should.

[udachny]

Oh, and I forgot to mention something: most people shouldn't be participating in stock market at all. The fact is that participation in the stock market is encouraged by government, which debases your savings with inflation, so you feel that you must do something. Since the interest rates on government bonds is non-existent, I mean it's negative given the inflation rate, you are basically forced into the stock market.

But this a huge problem, most people do not understand the stock market, so the government hands them over to the financial institutions, that basically lobby the government to push people into their hands.

My point is: you should NOT invest in things that you personally do not understand or at least didn't do homework on before you jumped into them. Government encourages people to participate in this giant casino and makes it LOOK like it's safe with various regulations. You think you are safe while in reality you are being robbed and the robbery is endorsed by the government itself. You are much better off either starting your own company if you want to invest or at the minimum to go and find out whatever you can about the company you are investing in. Visit the offices, visit the plants, visit the sites, request to see the books, etc.

If you can't spend the time and you think you can trust somebody to do it for you, I have news for you: you won't be able to choose the best options, you won't be able to choose your account manager based on past performance, because the established industry pushed for the so called 'self-regulations' (FINRA), which are really extension of government power, because you can't operate in that space unless you comply. But that system PREVENTS COMPETITION!

It ensures that you are going to give your money to the biggest crooks, the ones that are most connected to the government, which is working together with these crooks to steal your money from you by all means possible, while pretending you are protected by gov't.

There is no competition, no small money manager can start his own brokerage, it's made impossible with regulations and rules and then with FINRA that prevents advertising based on past performance.

Again: most people shouldn't be in the stock market.

(I recommend that most people buy something of value, assets that withstand inflation if they can't be sure in what they are investing. But your gov't certainly doesn't want you to do that and the tax code proves it as well).

I dissent.

[swschrad]

if the hack causes material changes in business or profitability, a public corporation is required by law to disclose what is known about the effect on continuing operations to the SEC, which 10K form is a public document. especially if a "going concern" warning is required by financial regulations.

Re:I dissent.

[captaindomon]

Exactly. This kind of reporting is already required by the SEC if it causes or could potentially cause a reasonable material change to your books. Same as if a dinosaur ate your CEO, or your data center was wiped out by a giant mutant butterfly. We shouldn't be specifying each individual case in law, the SEC laws are so complex that there are SEC specialist lawyers all over the place already.

Re:I dissent.

[TubeSteak]

Corporations have vastly more resources than the SEC's $1.3 billion budget.
That budget is about .01% of the cash flows they're supposed to be regulating,
which is why SEC violations almost always end in settlements for a fraction of the money involved, with no admission of guilt.

In reality, the SEC should be the size of the IRS (10x the budget) and the IRS should have 2x its current budget.
You'd see a lot less corporate fraud if the regulators had the resources to do their job.

Every attempted hack?? No matter how small?

[Nutria]

Must they report to investors and the SEC every time a building is physically broken into?

Of course not.

You could convince me, though, that they should be reported to the local gendarmes who should then forward it on to the FBI where it must be made public.

Re:Every attempted hack?? No matter how small?

[chill]

If that break-in has a material affect on their financials, yes, they do.

The impact is the bar here. If that break-in resulted in someone pilfering a vault with the firm's operating capital, then it needs to be reported on the form.

If they stole a lamp in the front office, no.

So, That's a No Then?

If they have an obligation to report losses by fire, storm, vandalism, or theft in meatspace, they should have the same obligations regarding over-the-net attacks.

Businesses don't report these tings to their customers or account holders or even their shareholders. They report these things to the police and their insurance companies in the hope of recovering from their losses. Even then, they are not obligated to do so, it is simply the most logical and prudent action.

So, I guess your answer to the question of; Should Hacked Companies Disclose Their Losses? your answer is no.

Highly misleading summary

[SirGarlon]

By law, US companies don't have to say a word about hacker attacks, regardless of how much it might've cost their bottom line

That claim is only true in a narrow and impractical sense. Several US states have mandatory data-breach reporting laws. A company doing business in those states, generally meaning buying or selling to/from persons or companies in those states, must comply with those laws. Generally they require notifying customers whose personal data is at risk. I have received two such letters myself since my state's law went into effect.

IANAL but really I don't think it takes a lawyer to be aware of these laws. Anyone who is informed about computer security should at least know of their existence, as should any IT manager employed in those states.