Cyber-disclosure norms become rule

Six companies were asked to reveal security threats they face

New York: Securities and Exchange Commission guidelines on when companies should disclose cyber-attacks have become de facto rules for at least six companies, including Google and Amazon.com, agency letters show.

The six companies were asked to break silence and tell investors in future filings that intruders had breached their computer systems, according to the SEC letters. Companies such as Amazon argued that the attacks weren’t important enough to reveal. Hacking admissions can hurt reputations, give competitors useful information and trigger investor litigation.

Before the requests, Seattle-based Amazon, the largest internet retailer, hadn’t said in its reports that cyber-thieves had raided its Zappos.com unit, stealing addresses and some credit card digits from 24 million customers in January. In April, Amazon was asked by the SEC to disclose the cyber-raid in its next quarterly filing, which it did.

Google, the world’s biggest search engine, agreed in May to put its previously disclosed cyber-assault in an earnings report. American International Group, Hartford Financial Services Group, Eastman Chemical Co and Quest Diagnostics were also prodded to improve disclosures of cyber-risks, according to SEC letters available on the regulator’s website.

Categories: Vulnerability