U.S. business SEC filings suggest cyber threats may be overstated

Many large companies report to the SEC that Internet intruders cause little damage to their operations.

You may arrive at some conflicting conclusions about reported cyber attacks in recent filings with the U.S. Securities and Exchange Commission by some of the largest companies in the nation.

Of the 27 largest U.S. companies (by revenue) that reported cyber attacks to the SEC, all of them stated they suffered no major financial losses from the intrusions, according to Bloomberg.

Almost half the companies (12)which included Amazon, AT&T and Verizonreported the cyber attacks on their systems "had no material impact" on the companies. Another, Citigroup, reported it suffered "limited losses and expenditures" from Internet bandit activity.

Note: corporations have been known to keep their cards close to their vest when it comes to reporting about intrusions into their computer systems

The reports by these companies suggest that much of the controversy being generated in the public debate over American intellectual property being ransacked by foreign powers and cyber criminals may be more steam than flame.


A number of high-profile cyber attacks in recent weeks against the U.S. Federal Reserve, a number of large domestic banks and several large media outlets have raised the severity of the issue of net intrusions in the public consciousness. President Obama issued an executive order in February designed to better protect businesses and critical infrastructure from net assaults on their systems.

However, what companies are reporting to the SEC appears to contradict all the red-flag waving in Washington and other quarters about cyber attacks.

"I find it remarkable that only 27 companies disclosed they were targeted," Chris Peteren, founder and CTO of LogRhythm, a network security solutions provider in Boulder, Colo. told PCWorld.

"Every piece of evidence that's out there right now points to the fact than 100 out of 100 are certainly being targeted," he maintained.

However, he pointed out that what's "material" to these companies could have a high threshold.

"A million, two million, three million dollars is in the realm of immaterial for these organizations," he said.

SEC requirements

The SEC adopted guidelines for company reporting of cyber attacks and their threat to a business in October 2011. Those guidelines instruct companies to disclose cyber incidents "if these issues are among the most significant factors that make an investment in the company speculative or risky."

Critics of the SEC guidelines say the agency needs to pry more information about cyber attacks from companies. The SEC told Bloomberg that its guidelines are working.

However, the SEC has had to ask some companiesincluding Amazon, Comcast and Verizonto submit more information about cyber attacks in their more recent filings with the agency than they did in 2011, Bloomberg reported.

Better defenses?

While Bloomberg's findings may be a narrow view of the cyber attack landscape, it contains some positive news for system defenders, according to Michael Kaiser, executive director of the National Cyber Security Alliance in Washington, D.C.

"We've known for a long time that large enterprises have been doing a better job at defending themselves," he told PCWorld.

"So to see some of the largest brands in the world being able to resist attacks or mitigate their impact, is a good sign," he asserted.

Nevertheless, he added: "There's a huge arena of small- and medium-sized enterprises which are extremely vulnerable. Sometimes they're attacked to get a backdoor into these larger enterprises that are more defended."