“Silence is golden” is still a phrase companies adhere to when it comes to hacking incidents.
The numbers seem to back that up: at least a half-dozen major U.S. companies whose computers suffered attacks have not admitted to the incidents, despite new guidance from securities regulators urging such disclosures.
It remains a known fact in the manufacturing automation market that more companies suffer hack attempts than will either admit to them or know about them. But silence does remain golden.
Top U.S. cyber security officials believe corporate hacking is widespread, and the Securities and Exchange Commission (SEC) issued a lengthy “guidance” document on October 13 outlining how and when publicly traded companies should report hacking incidents and cyber security risk.
With one full quarter passed since the SEC request, some major companies that had significant digital security breaches have said nothing about the incidents in their regulatory filings.
Defense contractor Lockheed Martin Corp. said last May it fought off a “significant and tenacious” cyber attack on its networks. But Lockheed’s most recent 10-Q quarterly filing, like its filing for the period that included the attack, does not even list hacking as a generic risk, let alone state that it had been a target.
A Reuters review of more than 2,000 filings since the SEC guidance found some companies, including Internet infrastructure company VeriSign Inc. and credit card and debit card transaction processor VeriFone Systems Inc, revealed significant information about hacking incidents.
Yet the vast majority of companies addressing the issue only used new boilerplate language to describe a general risk. Some hacking victims did not even do that.
“It’s completely confusing to me why companies aren’t reporting cyber risks” if only to avoid SEC enforcement or private lawsuits, said Jacob Olcott, former counsel for the Senate Commerce committee. The chair of that committee, John D. Rockefeller, urged the SEC to act last year.
Stewart Baker, a corporate attorney and former assistant secretary of the Department of Homeland Security, said the SEC guidance had enough details that hacked companies would “have to work pretty hard not to disclose something about the scope and risk of the intrusion.”
Otherwise, “this is an opportunity for enforcement that practically hands the case to the SEC on a platter,” Baker said.
Lockheed spokesman Chris Williams said the hacking topic was in the company’s most recent annual securities filing, which has as one of many risk factors “security threats, including threats to our information technology infrastructure, attempts to gain access to our proprietary or classified information, threats to physical security of our facilities and employees, and terrorist acts.”
Williams said the May attack had “no material effect on our business.”
ManTech International Corp, CACI International Inc and other defense and technology firms known by security researchers to be hacking victims remained silent in their most recent filings.
Sikorsky Aircraft, knowing New Hampshire has a strict law on warning individuals at risk of identity theft, wrote to that state’s attorney general in August that hackers had gotten into its system and could have accessed Social Security numbers of 55 employees who lived in the state.
Sikorsky said the employee data likely was not the hackers’ target, which suggests that they might have been after designs or other trade secrets. But Sikorsky parent United Technologies Corp did not mention the May intrusion in subsequent SEC filings.
Cyber security has been an increasing concern in Washington, and President Barack Obama asked during his State of the Union speech for action on legislative proposals. Security experts believe hackers are frequently targeting valuable digital information including strategic plans, blueprints and secret formulas.
But security experts in and out of government have complained for years that most companies don’t disclose even very successful hacking attacks, either because they never find out about them or because they simply don’t want to spook investors, customers or business partners.