Will Facebook, Google security breaches be disclosed as risk factors?

Past SEC Comment Letter Interaction Predicted Equifax Data Breach Exactly Half a Decade Ago

Last month it was revealed that tech giants Facebook and Google were hacked. This announcement followed the arrest of a Lithuanian man who successfully stole and wired a total of more than $100 million to bank accounts, after orchestrating a fraudulent business email compromise scheme.

Over a two-year span, the corporate imposter, Evaldas Rimasauskas, convinced accounting departments at the two tech companies to make transfers worth tens of millions of dollars. In the world of data breaches, clearly no one is safe. Upon announcing the arrest of Rimasauskas, FBI Assistant Director William F. Sweeney Jr. said, “Criminals continue to commit a wide variety of crimes online, and significant cyber data breaches have had a negative impact across a variety of industries.”

Google and Facebook, which both suffered significant security breaches involving the loss of millions of dollars, appear to have been able to recoup their losses. Interestingly, however, neither company disclosed the breaches as “risk factors” in their respective SEC filings while the investigations’ countermeasures were underway. This massive security breach raises two important issues for investors and issuers alike.

First, investors were kept in the dark about a security breach that created significant financial losses. Second, the incident ignites the conversation around how issuers deem an event to be material.

Following this well-publicized data breach, Google suffered yet another online attack in the form of a sophisticated phishing campaign that appeared to target Google’s roughly 1 billion Gmail users worldwide. The spoofing attack sought to gain control of users’ entire email histories and spread itself to all of the users’ contacts.

Of the May 3 phishing scam, a Google spokesperson indicated that the company’s investigations show that no other data was exposed besides contact information; however, we have yet to see Google list the Internet scam as a risk factor.

In fact, during the past five years, the SEC has not questioned either company about potential security risks. In a March 2012 comment letter issued by the SEC following Facebook’s S-1 filing, SEC examiners asked what consideration Facebook officials gave to including expanded disclosure around computer malware, viruses, hacking and phishing attacks and spamming. In the company’s official response, Facebook said, “To date, the Company has not experienced any cyber incidents that we believe individually, or in the aggregate, would have a substantial likelihood of being considered important by a reasonable investor in making an investment decision concerning the Company’s Class A common stock.”

The following year, the social media giant inadvertently exposed 6 million users’ phone numbers and email addresses to unauthorized viewers over a 12-month period. And now, five years later, after additional cybersecurity events, Facebook will need to rethink that response as investors will demand the disclosure of these risk factors. As we have already seen, the SEC is also taking a stronger stance with issuers on cybercrime disclosures.

Drawing on the lessons of the recent Yahoo investigation into two massive data breaches, which U.S. authorities say should have been reported sooner to investors, we will likely see new risk reporting from Google, especially after the recent phishing scam that targeted its 1-plus billion users.
