U.S. business SEC filings suggest cyber threats may be overstated

Many large companies report to the SEC that Internet intruders cause little damage to their operations.

You may arrive at some conflicting conclusions about reported cyber attacks in recent filings with the U.S. Securities and Exchange Commission by some of the largest companies in the nation.

Of the 27 largest U.S. companies (by revenue) that reported cyber attacks to the SEC, all of them stated they suffered no major financial losses from the intrusions, according to Bloomberg.

Almost half the companies (12), which included Amazon, AT&T and Verizon, reported the cyber attacks on their systems "had no material impact" on the companies. Another, Citigroup, reported it suffered "limited losses and expenditures" from Internet bandit activity.

Note: corporations have been known to keep their cards close to their vest when it comes to reporting about intrusions into their computer systems.

The reports by these companies suggest that much of the controversy being generated in the public debate over American intellectual property being ransacked by foreign powers and cyber criminals may be more steam than flame.


A number of high-profile cyber attacks in recent weeks against the U.S. Federal Reserve, a number of large domestic banks and several large media outlets have raised the severity of the issue of net intrusions in the public consciousness. President Obama issued an executive order in February designed to better protect businesses and critical infrastructure from net assaults on their systems.

However, what companies are reporting to the SEC appears to contradict all the red-flag waving in Washington and other quarters about cyber attacks.

"I find it remarkable that only 27 companies disclosed they were targeted," Chris Petersen, founder and CTO of LogRhythm, a network security solutions provider in Boulder, Colo., told PCWorld.

"Every piece of evidence that's out there right now points to the fact that 100 out of 100 are certainly being targeted," he maintained.

However, he pointed out that what's "material" to these companies could have a high threshold.

"A million, two million, three million dollars is in the realm of immaterial for these organizations," he said.

SEC requirements

The SEC adopted guidelines for company reporting of cyber attacks and their threat to a business in October 2011. Those guidelines instruct companies to disclose cyber incidents "if these issues are among the most significant factors that make an investment in the company speculative or risky."

Critics of the SEC guidelines say the agency needs to pry more information about cyber attacks from companies. The SEC told Bloomberg that its guidelines are working.

However, the SEC has had to ask some companies, including Amazon, Comcast and Verizon, to submit more information about cyber attacks in their more recent filings with the agency than they did in 2011, Bloomberg reported.

Better defenses?

While Bloomberg's findings may be a narrow view of the cyber attack landscape, they contain some positive news for system defenders, according to Michael Kaiser, executive director of the National Cyber Security Alliance in Washington, D.C.

"We've known for a long time that large enterprises have been doing a better job at defending themselves," he told PCWorld.

"So to see some of the largest brands in the world being able to resist attacks or mitigate their impact, is a good sign," he asserted.

Nevertheless, he added: "There's a huge arena of small- and medium-sized enterprises which are extremely vulnerable. Sometimes they're attacked to get a backdoor into these larger enterprises that are more defended."


Stories by John P. Mello Jr.
