For government agencies and private companies, the enormous hack making news this month revealed a fundamental flaw in their cyber defenses. It may have also revealed a fundamental flaw in the disclosure requirements for cyberattacks.
The hack, widely (but not universally) attributed to the Russian group Cozy Bear, installed a “backdoor” in network monitoring software made by SolarWinds Corp. and used by a wealth of government agencies and Fortune 500 companies. All told, some 18,000 customers used the compromised software, among them the State, Treasury, and Commerce Departments, not to mention the National Nuclear Security Administration, which maintains our nuclear stockpile. (Thankfully, the agency noted that the malware didn’t impact national security functions.)
While the government victims have understandably received most of the press, plenty of public companies found themselves exposed too. Household names like AT&T, Procter & Gamble, and McDonald’s are among hundreds if not thousands of others affected. These companies face at least one pressing question their government counterparts don’t: What do we have to tell the markets?
Alas, the question of what issuers must disclose publicly after a cyberattack has eluded easy answers. The facile response is that as with any other event, cyberattacks must be disclosed whenever investors would consider them “material.” SEC guidance has affirmed this principle twice in the last decade.
But as the SEC has also recognized, cyberattacks aren’t like any other type of event. In their aftermath, compelling forces often urge victims to stay quiet, namely the law enforcement agencies investigating the crime. In such cases, public companies sit in a no-win position, forced to violate their obligations to either investors or investigators. One added complexity is the timeline for disclosure. The SEC says that companies have four business days to file 8-Ks for many events. SEC Commissioner Robert Jackson has previously argued that the four-day rule is too long for cyberattacks, given that some states require they be immediately disclosed. It’s also true, however, that even when a company knows a major breach occurred, it often needs longer than four days to figure out, for instance, what data was stolen. The SEC’s own 2018 guidance nodded toward this fact, stating that it can take time to “discern the implications” of a breach.
All of which makes it unsurprising that disclosure of cyberattacks has been uneven at best. In recent major hacks (which now feel somewhat quaint), companies like Home Depot and Heartland Payment Systems filed 8-Ks, while Target, Yahoo, and Michaels did not. When Commissioner Jackson ran his own DIY study, he found that only 4 of 82 cybersecurity incidents at public companies became the subject of 8-Ks.
This time around, two companies have already filed 8-Ks on the Cozy Bear hack: FireEye, the cybersecurity firm that first noticed it, and SolarWinds itself. SolarWinds filed two 8-Ks (one on December 14th and one on the 17th) that balanced disclosure with a determination to avoid “compromis[ing] the integrity of any investigations.” Its first 8-K did note, however, the number of customers affected (“fewer than 18,000”), the window in which the tainted updates were released (March to June 2020), and the revenue the affected products generated ($343 million, or 45% of the company’s total).
FireEye was upfront about the fact that it had to hold some information back, stating in a December 14 8-K that “as this activity is subject to an ongoing FBI investigation, there are also limits to the information we are able to share.”
Of course, at this point many more than these two companies are aware that they were subject to the hack (including Microsoft, which confirmed that it “detected malicious SolarWinds binaries in our environment”), and yet have not filed 8-Ks.
Oh, and there’s this, too. On Thursday, the U.S. cyber agency known as CISA suggested that the SolarWinds software wasn’t the only access point used by the hackers. If true, that would mean there is a whole different universe of victims out there that we don’t even know about yet, which could mean plenty more difficult calls about 8-Ks in the months ahead.
And that, unfortunately, feels like an appropriate note on which to end this most tumultuous year. We at Intelligize will be taking a break from the blog this week and next. Our posts will resume on January 5th. Until then, we hope you have a great holiday season.