Thursday, March 22, 2012
Latest Regulatory Filings Reveal Mixed Results in Addressing Cyber Threats
Companies submitted their first 10-Q quarterly filings since the SEC issued guidance on reporting cyber issues. A Reuters review of over 2,000 filings revealed varying degrees of effort to follow the SEC’s guidance.
Issued in October, the Division of Corporate Finance’s CF Disclosure Guidance emphasized the importance of disclosing information about the risks and impacts of cyber incidents, considering, among other things, the history of attacks as well as future threats and costs. Investor perception and materiality played important roles within the guidelines for public companies making the determination to release cyber threat information.
Most companies addressed cyber risks in a general sense using boilerplate language but others, including known hacking victims, did not address the issue at all. Among the notable companies to not even report cyber risks as generic threats to business were major defense contractors including Lockheed Martin Corp., Mantech International Corp., and CACI International Corp. All three corporations have been targeted in sophisticated cyber attacks.
Yet other companies were more transparent and disclosed details of cyber incidents and related threats. Internet security provider VeriSign Inc. and credit card and debit card transaction processor VeriFone Systems Inc. submitted threat details after suffering major breaches in 2010. While some companies made good-faith efforts to address the SEC’s cyber concerns, these attempts were by no means indicative of all public filings for the most recent quarter.
Upon initial review, most companies made some attempt to follow the SEC’s October guidelines. However, using standard terminology to address generic cyber threats is probably not what the SEC would consider ideal compliance. Such attempts do not improve corporate transparency, nor do they aid investors and business partners in making thorough investment decisions.
Some experts anticipate that public companies will make better efforts to address cyber threats in their upcoming annual filings and disclose more information regarding successful hacking attempts. Others feel the guidance does not contain enough specificity and plan to watch the SEC closely as it responds to this most recent round of filings. However, most experts agree that while the disclosure is not a new concern, companies are slowly moving toward increasing transparency and acknowledge that the process will take time to develop.
© Copyright 2010 The Journal of High Technology Law, Suffolk University Law School