Weak Company Cyberattack Filings Irk SEC
Agency’s big push is likely to yield new disclosures; Google’s and DuPont’s China hacking cases get scrutiny.
China-based hackers rifled the computers of DuPont Co. at least twice in 2009 and 2010, hunting the technological secrets that made the company one of the world’s most successful chemical makers.
It’s not something investors would have learned from DuPont’s regulatory filings, or from those of other companies victimized by hackers. The 10-K’s DuPont submitted to the Securities and Exchange Commission over the period don’t identify hacking as even a significant risk, much less reveal what two U.S. intelligence officials later said was a successful case of industrial espionage.
Over the next three months, as publicly traded companies file 10-K’s, investors may see new admissions of corporate networks being hacked after the SEC said companies can’t continue to hold back the details of those incidents.
As cyberspies from China, Russia and other countries ransack the computer networks of one major U.S. and European firm after the next, the SEC in October offered its new interpretation of disclosure requirements as applied to cybercrime. The amount of information that’s forthcoming will depend on whether company lawyers determine the incidents had, or will have, a material effect on the enterprise.
Daniel Turner, a spokesman for Wilmington, Delaware-based DuPont, said of the previously reported hack, “We let our disclosures speak for themselves.”
Mandiant Corp., an Alexandria, Virginia-based security firm that specializes in cyber-based industrial espionage, has responded to incidents at 22 Fortune 100 companies, said Richard Bejtlich, the firm’s chief security officer. Mandiant estimates that many more than 20 percent of Fortune 500 companies experienced serious breaches recently or are dealing with current ones, Bejtlich said.
When Google Inc. announced in 2010 that China-based hackers had raided its networks, it was a rare example of a U.S. company publicly revealing a cyberburglary aimed at its intellectual property -- in this case, its source code.
Google, the world’s largest search-engine firm, said at the time that at least 34 other major companies were victims of the same attack. Only two -- Intel Corp. and Adobe Systems Inc. -- stepped forward, and they provided few specifics.
The networks of more than 2,000 companies, research universities, Internet service providers and government agencies were hit over the past decade by China-based cyber spies, according to Joel Brenner, U.S. counterintelligence chief until 2009. A November report by 14 U.S. intelligence agencies said Russia and other countries also are involved in such activities.
RIM, Boston Scientific
The companies, including firms such as Research In Motion Ltd. and Boston Scientific Corp., range from some of the largest corporations to niche innovators in sectors like aerospace, semiconductors, pharmaceuticals and biotechnology, according to intelligence data obtained by Bloomberg News.
“It doesn’t square that billions of dollars in intellectual property is being lost and investors don’t care,” said Jacob Olcott, a former staff expert on cybersecurity for the Senate Commerce Committee. In May, the panel asked SEC Chairman Mary Schapiro to clarify how cyber intrusions should be reported under the so-called material fact rule.
“We’re afraid investors don’t know what they don’t know,” he said.