Few companies are telling securities regulators about cyberattacks, a new analysis finds, despite recent efforts to bolster disclosures of such incidents to investors.
About 90% of known cyber incidents at public companies went undisclosed in regulatory filings in 2018, according to an analysis by the office of Securities and Exchange Commission member Robert Jackson, a Democrat. That’s down from 97% in 2017, before the SEC put out guidance that spelled out how public companies should disclose hacks that could be damaging to the company or its customers.
Last year’s SEC guidance stopped short of requiring companies to immediately disclose hacks in formal filings, a requirement that was advocated by Mr. Jackson and the other Democratic commissioner at the time, Kara Stein. They argued that hacks and intrusions should be treated as material events in the same way other corporate news is.
The lack of a hard-and-fast rule mandating specific disclosures has led to variations in how companies divulge information about hacks, if they reveal them at all.
“If I were in the boardroom, it would be helpful if a lawyer can say, ‘These are the rules.’ I think that sort of clear, bright-line guidance would be helpful to the market,” Mr. Jackson said Tuesday at a Wall Street Journal conference in San Francisco where he announced the findings.
Out of 42 public companies that were hacked in 2018, just four disclosed the events in SEC incident filings, according to Mr. Jackson’s analysis. The total number of hacks was based on data compiled by the nonprofit Identity Theft Resource Center.
Facebook Inc., for example, disclosed via a blog post in September that hackers had accessed 50 million user accounts and stolen data from them starting in July 2017. The company didn’t file an SEC report.
By contrast, Marriott International Inc. in November disclosed a hack of its reservation database, one of the biggest data breaches in history, in an SEC filing shortly after the breach was discovered. The attack may have exposed the personal information of up to 500 million guests.
Companies could have reasons for not immediately disclosing an attack: In some cases, law-enforcement authorities might recommend against immediate disclosure of a crime under investigation. Additionally, companies can face severe reputational damage and litigation risk from hacks, and may prefer to wait rather than immediately disclose an attack.
Regulations regarding the disclosure of cybersecurity risks and events remain a work in progress at the SEC. When last year’s guidance was released, SEC Chairman Jay Clayton said that the agency would “continue to evaluate developments in this area and consider feedback about whether any further guidance or rules are needed.”
An SEC spokeswoman didn’t immediately respond to requests for comment.