Former U.S. counterintelligence chief Joel Brenner recently said that over 2,000 companies, ISPs and research centers had been hit by Chinese hackers in the past decade and few of them told their shareholders about it. This is even after the SEC has made multiple requests for companies to come clean about cyber security breaches in their quarterly or annual earnings reports. Because the potential losses, do hacked companies have a responsibility to report security breaches to investors?
There’s no easy way for the SEC to force companies to comply with their requests. In some cases, the companies don’t even know they’ve been targeted by hackers until well after the attack. Sometimes, they give passing mention to an incident with boilerplate language about a security breach or the risk of data theft. They’re not likely to admit that hackers cost them billions, though. Unless rules change, it looks like if the SEC is going to get any serious hacking disclosure at all, they’ll need the help of a few companies leading the way on the disclosures.