Should Companies Be Required to Disclose Cyber Attacks?

The Securities and Exchange Commission is now advising publicly traded companies such as Bank of America to disclose harmful cyber attacks as a part of their annual reporting procedure to federal regulators.

The SEC laid out the guidance last week; the advisory came out less than two weeks after Bank of America denied allegations of a cyber attack against its consumer website. The bank attributed the disruption in service to “high volume.”

Here’s Matt Gutman’s interview with Bank of America CEO Brian Moynihan.

“This guidance fundamentally changes the way companies will address cybersecurity in the 21st century,” Sen. Jay Rockefeller, D-W.V., said in a statement. “For years, cyber risks and incidents material to investors have gone unreported in spite of existing legal obligations to disclose them.”

Under the old guidelines, companies were not obligated to disclose cyber attacks to investors, since an attack on its own did not technically constitute a material loss. But many experts estimate that U.S. companies have already lost billions of dollars to foreign competitors in the form of stolen intellectual property.

“The United States economy has evolved in the last 30 years from physical assets constituting the primary representation of a company’s worth, to a state wherein intellectual property comprises the majority of value for U.S. corporations,” said Tom Kellerman, the chief technology officer for Air Patrol who consults with businesses on cyber-related issues.

With blueprints for U.S. products, foreign competitors could manufacture and sell them illegally on the black market. Drug manufacturers would lose their competitive edge in foreign markets if knock-off medicines hit the market. Financial institutions rely on information security to defend their customers’ monetary assets.

But some companies are choosing to ignore cyber threats for financial reasons. The computer security firm McAfee found that more than half of all companies surveyed in 2008 did not pursue investigations into a cyber incident because of the cost.

“By trying to keep information security incidents under wraps, companies feel that they can also avoid sinking corporate assets into improving information security,” said Andrea Matwyshyn, a professor of legal studies and business ethics at the University of Pennsylvania Wharton School of Business in Philadelphia.

“It’s generally a desire to keep the company out of the headlines,” Matwyshyn said.

And in the case of Bank of America, a large interruption of service could incite a run on the bank or, in light of the Wall Street protesters, give credibility to “hacktivists” and activists who want the bank to drop its planned $5 monthly debit card fee.