Cyberattacks: Why Companies Keep Quiet
Cyberattacks are causing so much damage to American companies that they threaten U.S. economic competitiveness around the world, according to the U.S. intelligence community.
Good luck trying to find much evidence of that kind of dramatic damage in reports companies file with the Securities and Exchange Commission, however.
Only a limited number of companies disclosed cyberattacks occurring in 2012, CNBC found after a review of 2012 SEC filings. That's even though the SEC specifically asked companies to reveal significantly damaging attacks in guidance the commission issued to companies in the fall of 2011. The volume of disclosures to the SEC doesn't bear out the picture painted by the U.S. intelligence community of a massive, economy-draining cyberthreat.
U.S. officials say the cyberattacks are happening, but that companies may not want to reveal the damage they've suffered due to concerns about possibly scaring off potential or existing customers, damaging their stock value, or incurring potential legal liabilities.
"I'd refer you to the SEC on their requirements for reporting on cyberattacks, but there are reasons why companies may choose not to disclose cyberincidents," said Caitlin Hayden, a National Security Council spokesperson. "First, they may not be aware that their networks are being compromised. Second, they may know, but believe that disclosing information will negatively impact the confidence of their customers or shareholders."
That said, Hayden pointed to a series of disclosures in recent weeks from several companies as evidence that things could be changing.
"We have seen companies come forward recently to discuss cyberevents they've experienced, which we know mirror the situations of individuals and organizations across the U.S. government and private sector," she said. "We encourage the sharing of these experiences in order to help increase public awareness of these threats to U.S. security."
A House aide familiar with the situation put it more bluntly: "They're going to find every reason not to report it," the aide said. "Unless we create an environment where it's not suicidal for these guys to come clean, they're not going to do it." The aide pointed to new legislation pending on Capitol Hill that would provide some liability protection for companies wrestling with cyberintrusions as one step that could help a large group of companies come forward at the same time.
SEC spokesman John Nester reiterated the commission's expectations in a statement to CNBC.
"We issued guidance intended to help companies better understand their disclosure obligations as they relate to cyberincidents and risks," he said. "In the guidance, we confirmed that a number of our existing requirements impose disclosure obligations if the information related to a cyberincident or risk of one is material to investors."
Many companies, in response to the guidance of the SEC, have begun to include statements in their filings about general risk factors presented by possible future attacks.
And CNBC found several companies that did reveal attacks in 2012, including Korn/Ferry International, the executive search firm. "Recently, we discovered that our computer network was the target of a criminal data breach that accessed certain such information obtained from our clients, candidates and employees," the company said in a filing for the quarter ending Oct. 31. "The information we collected about this breach suggests that the intrusion falls within the category of an 'Advanced Persistent Threat,' which is activity consistent with state-sponsored cybercriminals."
Much of the attention to hacking in recent weeks has focused on so-called "Advanced Persistent Threats" coming from government-sponsored hackers in China. Korn/Ferry did not say where the attack it experienced originated. But information about high-level American executives looking to switch jobs could be helpful to an intelligence agency seeking to understand and influence how Corporate America works.
Korn/Ferry did not respond to several requests for comment for this article. But in its filing, Korn/Ferry said the attack "did not have a material adverse effect on our operations."
That's consistent with what one expert has seen in other corporate filings. "With the current crop of 10-Ks, we're starting to see a bit more disclosure, but most of what I've seen continues to refer to the fact that these attacks are not material, which is a pretty high standard to meet," said Michelle Leder, editor of the website Footnoted.com, which tracks SEC filings. "An attack doesn't have to be material to cause reputational damage or cost lots of money to fix, not to mention be a huge distraction for top execs."
In some cases, companies have been contacted by the SEC and asked for more information about security breaches they've suffered. In November 2011, the SEC contacted Citigroup about news reports that said the company had been the target of a data breach that affected more than 360,000 credit card accounts.
"We note that your quarterly report for the period ended June 30, 2011, did not address the data breach or its impact on the company," the SEC wrote the company. "Please provide us with an analysis supporting your apparent conclusion that no additional disclosure was needed in your SEC filings."
In its response, Citigroup explained that the damage from the attack was not very significant, and that only $4.4 million in unauthorized charges had occurred as a result of it. Costs to fix the problem were less than $1 million. "Citi did not deem the incident to warrant disclosure in its second quarter 2011 Form 10-Q and Citi does not intend to provide disclosure on this particular matter in future filings," the firm wrote.
Citigroup provides extensive disclosures in filings of the general risk that cyberattacks present to its future business. And in a 10-K filed at the end of 2011 the company spelled out specifically that it had been the target of cyberattacks in the past.
Similarly, Amazon.com exchanged letters with the SEC over whether it was necessary for the firm to disclose details from a cyberattack at Zappos, a company Amazon had purchased.
"We continue to believe that the cyberattack experienced by Zappos is not covered by the Division of Corporate Finance's Disclosure Guidance Topic No. 2 (Cybersecurity), which provides examples of risk factor disclosure in the context of a registrant that has experienced a material cyberattack," wrote Amazon's Principal Accounting Officer Shelley Reynolds in a May 2012 letter to the SEC. But Amazon said it would be more forthcoming: "However, in light of the Staff's comment, we will revise our disclosure," Reynolds wrote.
Amazon did not respond to several requests for comment from CNBC for this article.
Cybersecurity experts say they would like to see more companies disclose the details of attacks, so others see how pervasive the problem is, and learn strategies to defeat the hackers.
"I definitely think that disclosing — while it may have a short-term impact on a company's brand recognition — is only going to help everybody in the industry," said Nicholas Percoco, senior vice president of the security firm Trustwave. "Zero knowledge is never good."
—By CNBC's Eamon Javers; Michael Tomaso contributed to this article.