Will Facebook, Google security breaches be disclosed as risk factors?

Last month it was revealed that tech giants Facebook and Google were hacked. This announcement followed the arrest of a Lithuanian man who successfully stole and wired a total of more than $100 million to bank accounts, after orchestrating a fraudulent business email compromise scheme.

Over a two-year span, the corporate imposter, Evaldas Rimasaukas, convinced accounting departments at the two tech companies to make transfers worth tens of millions of dollars. In the world of data breaches, clearly no one is safe. Upon announcing the arrest of Rimasaukas, FBI Assistant Director William F. Sweeney Jr. said, “Criminals continue to commit a wide variety of crimes online, and significant cyber data breaches have had a negative impact across a variety of industries.”

Google and Facebook, which both suffered significant security breaches involving the loss of millions of dollars, appear to have been able to recoup their losses. Interestingly, however, neither company disclosed the breaches as “risk factors” in their respective SEC filings while the investigations’ countermeasures were underway.  This massive security breach raises two important issues for investors and issuers alike.

First, investors were kept in the dark about a security breach that created significant financial losses. Secondly, the incident ignites the conversation around how issuers deem an event to be material.

Following this well-publicized data breach, Google suffered yet another online attack in the form of a sophisticated phishing campaign appeared to target Google’s roughly 1 billion Gmail users worldwide. The spoofing attack sought to gain control of users’ entire email histories and spread itself to all of the users’ contacts.

Of the May 3 phishing scam, a Google spokesperson indicated that the company’s investigations show that no other data was exposed besides contact information, however, we have yet to see Google list the Internet scam as a risk factor.

In fact, during the past five years, the SEC has not questioned either company about potential security risks. In a March 2012 comment letter issued by the SEC following Facebook’s S-1 filing, SEC examiners asked what consideration Facebook officials gave to including expanded disclosure around computer malware, viruses, hacking and phishing attacks and spamming.In the company’s official response, Facebook said,To date, the Company has not experienced any cyber incidents that we believe individually, or in the aggregate, would have a substantial likelihood of being considered important by a reasonable investor in making an investment decision concerning the Company’s Class A common stock.”

The following year, the social media giant inadvertently exposed 6 million users’ phone numbers and email addresses to unauthorized viewers over a 12-month period. And now, five year later, after additional cybersecurity events, Facebook will need to rethink that response as investors will demand the disclosure of these risk factors. As we have already seen, the SEC is also taking a stronger stance with issuers on cybercrime disclosures.

Drawing on the lessons of the recent Yahoo investigation into two massive data breaches, which U.S. authorities say should have been reported sooner to investors, we will likely see new risk reporting from Google, especially after the recent phishing scam that targeted its 1-plus billion users.