Weak Company Cyberattack Filings Irk SEC

Agency’s big push is likely to yield new disclosures; Google’s and DuPont’s China hacking cases get scrutiny.

By Michael Riley

China-based hackers rifled the computers of DuPont Co. at least twice in 2009 and 2010, hunting the technological secrets that made the company one of the world’s most successful chemical makers.

It’s not something investors would have learned from DuPont’s regulatory filings, or from those of other companies victimized by hackers. The 10-K’s DuPont submitted to the Securities and Exchange Commission over the period don’t identify hacking as even a significant risk, much less reveal what two U.S. intelligence officials later said was a successful case of industrial espionage.

Over the next three months, as publicly traded companies file 10-K’s, investors may see new admissions of corporate networks being hacked after the SEC said companies can’t continue to hold back the details of those incidents.

As cyberspies from China, Russia and other countries ransack the computer networks of one major U.S. and European firm after the next, the SEC in October offered its new interpretation of disclosure requirements as applied to cybercrime. The amount of information that’s forthcoming will depend on whether company lawyers determine the incidents had, or will have, a material effect on the enterprise.

Daniel Turner, a spokesman for Wilmington, Delaware-based DuPont, said of the previously reported hack, “We let our disclosures speak for themselves.”

Serious Breaches

Mandiant Corp., an Alexandria, Virginia-based security firm that specializes in cyber-based industrial espionage, has responded to incidents at 22 Fortune 100 companies, said Richard Bejtlich, the firm’s chief security officer. Mandiant estimates that many more than 20 percent of Fortune 500 companies experienced serious breaches recently or are dealing with current ones, Bejtlich said.

When Google Inc. announced in 2010 that China-based hackers had raided its networks, it was a rare example of a U.S. company publicly revealing a cyberburglary aimed at its intellectual property -- in this case, its source code.

Google, the world’s largest search-engine firm, said at the time that at least 34 other major companies were victims of the same attack. Only two -- Intel Corp. and Adobe Systems Inc. -- stepped forward, and they provided few specifics.

The networks of more than 2,000 companies, research universities, Internet service providers and government agencies were hit over the past decade by China-based cyber spies, according to Joel Brenner, U.S. counterintelligence chief until 2009. A November report by 14 U.S. intelligence agencies said Russia and other countries also are involved in such activities.

RIM, Boston Scientific

The companies, including firms such as Research In Motion Ltd. and Boston Scientific Corp., range from some of the largest corporations to niche innovators in sectors like aerospace, semiconductors, pharmaceuticals and biotechnology, according to intelligence data obtained by Bloomberg News.

“It doesn’t square that billions of dollars in intellectual property is being lost and investors don’t care,” said Jacob Olcott, a former staff expert on cybersecurity for the Senate Commerce Committee. In May, the panel asked SEC Chairman Mary Schapiro to clarify how cyber intrusions should be reported under the so-called material fact rule.

“We’re afraid investors don’t know what they don’t know,” he said.

‘Risk Factors’

Originally published on Reprinted with permission from Bloomberg News. Story copyright 2014 Bloomberg News communications. All rights reserved.