Senator Jay Rockefeller of West Virginia is asking for a provision to be added to strengthen the reporting requirement for businesses that are victims of cyber-attacks. In October 2011, the Securities and Exchange Commission issued “cybersecurity guidance” asking companies to report to their investors when they have suffered cybersecurity breaches. However, the guidance is not mandatory and many companies are not divulging the information.
In two years, hackers have broken into the computers at Wyndham Worldwide Corporation. The hotel giant had hundreds of thousands of customers’ credit card information stolen. But Wyndham didn’t report the hack in any of its corporate filings with the SEC or to its investors. Wyndham said in an emailed statement to The Associated Press that it “fully complied with SEC regulations in regards to the disclosure of material events.” In the statement, Wyndham said the incidents were “previously reported,” an apparent reference to notices to consumers that were published on the company’s website. The company also said the FTC’s claims were without merit.
And Wyndham isn’t the only company keeping such incidents secret. Many companies are doing it out of fear… fear of their stock prices dropping, of class action suits and, simply, of how they will look to the public.
Zappos, the online shoe and apparel company owned by Amazon, recently fell victim to hackers and had customers’ information stolen. But the company omitted this news from its annual report, prompting the SEC to confront Zappos regarding the decision. Amazon did modify its report but still argued that “the Zappos attack was not covered by the commission’s cyber security guidance because it had no material impact on Amazon’s business.”
In an article on Yahoo!, Neustar’s Senior Technologist Rodney Joffe said, “No one is safe. Everyone is compromised. When people tell you, ‘We are protected as a company,’ they are really fooling themselves.”
“It’s crucial that companies are disclosing to investors how cybersecurity risks affect their bottom lines, and what they are doing to address those risks,” Rockefeller said Friday.
Sen. Rockefeller’s proposed measure would have the SEC’s commissioners spell out to company leaders when they must disclose security breaches and what steps they are taking to ensure the protection of the company’s computer networks from hackers and other cyber-attacks.