Should Hacked Companies Disclose Their Losses? 68
derekmead writes "By law, US companies don't have to say a word about hacker attacks, regardless of how much it might've cost their bottom line. Comment, the group of Chinese hackers suspected in the recent-reported Coke breach, also broke into the computers of the world's largest steel company, ArcelorMittal. ArcelorMittal doesn't know exactly how much was stolen and didn't think it was relevant to share news of the attack with its shareholders. Same goes for Lockheed Martin who fended off a 'significant and tenacious' attack last May but failed to disclose the details to investors and the Securities Exchange Commission. Dupont got hit twice by Chinese hackers in 2009 and 2010 and didn't say a word. Former U.S. counterintelligence chief Joel Brenner recently said that over 2,000 companies, ISPs and research centers had been hit by Chinese hackers in the past decade and few of them told their shareholders about it. This is even after the SEC has made multiple requests for companies to come clean about cyber security breaches in their quarterly or annual earnings reports. Because the potential losses, do hacked companies have a responsibility to report security breaches to investors?"
Of course they should. (Score:5, Insightful)
I dissent. (Score:5, Insightful)
if the hack causes material changes in business or profitability, a public corporation is required by law to disclose what is known about the effect on continuing operations to the SEC, which 10K form is a public document. especially if a "going concern" warning is required by financial regulations.
Every attempted hack?? No matter how small? (Score:4, Insightful)
Must they report to investors and the SEC every time a building is physically broken into?
Of course not.
You could convince me, though, that they should be reported to the local gendarmes who should then forward it on to the FBI where it must be made public.
Re:I dissent. (Score:5, Insightful)