Corporate Cyberattacks Come Out of the Shadows

Since the dawn of cybercrime in the late 1990s, public companies have largely operated under the notion that, while they have an essential responsibility to guard their data with appropriate security measures, they have little duty to report attacks to investors and regulators. That is all about to change.

A full-fledged cyberwar is now completely out of the shadows and was put on center stage during the June 8-9 summit between President Barack Obama and Chinese President Xi Jinping. While little specific progress came out of the meeting, National Security Adviser Tom Donilon said afterwards that cybercrime is the "key to the future" of the U.S.-China relationship, making it ever more clear that each cyber-incident is now part of a high-level military and diplomatic dance.

This escalating, and highly publicized, battle over cybercrime is going to force U.S. businesses to be more forthcoming about attacks, exposing them to significant new legal and regulatory threats.

While it might seem obvious that companies would consider nearly any significant cyberattack a material event to require proper disclosure, the reality is that the legal and regulatory implications of attacks are extremely murky. In fact, organizations are faced with intensely conflicting interests. A company trying to decide what and how much to disclose, and whom to disclose it to, faces a decision much like the one facing the kid who gets his lunch money stolen from the bully: Is there more risk in telling the authorities or in remaining silent?

Guidelines previously issued by the Securities and Exchange Commission are far from comprehensive and leave many details to the discretion of individual companies, which have been slow to alert investors, if at all. Why? Because saying too much is a very dangerous proposition.

Public disclosure can actually undermine a company's cybersecurity efforts or jeopardize an ongoing law enforcement investigation. The SEC itself acknowledged that providing too much detail could provide a "roadmap" for infiltrators.

And with that, companies have often chosen non-disclosure or vague disclosure as the best options. But in the new cyber-reality, those options are quickly disappearing.

With blame for many recent cyberattacks being put squarely on the Chinese government, it is clear that the battle against international hackers is being escalated — and each attack on a public company will be intertwined with broader diplomatic efforts. Businesses that once dealt behind closed doors with cyberbreaches will now find themselves on the front lines. The exposure that will come with this changing landscape will create rich opportunities for investors, lawyers, and regulators to seize upon any organization that has not taken adequate measures to shore up — and communicate about — its digital infrastructure.

In recent months, companies such as Google, AIG, and Quest Diagnostics have all filed revised cybercrime disclosures after being called out by the SEC. But a regulatory slap on the wrist is just the start; the potential legal liability for a company, its executives, and its board is staggering. With the new, more public reality of the global cyberbattle, prosecutors and plaintiffs lawyers will be sharpening their knives to hold corporations responsible for the inevitable losses caused by cybercriminals.

When you break down all of the issues at play, it starts to feel like doing technological battle with Chinese hackers is merely the opening act to what is sure to be a much larger drama. Businesses have no easy answers to this complex challenge, but there are two things that should happen immediately:

1. The SEC must step up with guidance that is more direct and detailed, and that takes into account the significant competing interests companies face, especially if public disclosure would jeopardize ongoing law enforcement efforts or expose critical vulnerabilities. If the federal government is going to embark on a high-profile cybercampaign, it must give businesses clear direction and guidance.
2. Regardless of regulatory guidance, corporations need to get specific with their cybersecurity preparedness — not only to protect themselves against attack, but to shield themselves from lawsuits that are in the offing.

Simply having the best technology in place isn't enough. Companies must adopt and articulate clear policies that outline the steps being taken to protect sensitive data, along with their responsibilities and plans for disclosing breaches. They should clearly define the roles of senior management and directors, address and explain their insurance coverage, and specify the frequency with which security policies are updated.