World Cyber News is an online news outlet. We bring you the hottest daily news from around the world related to cyber. We propagate news especially related to hacking, technology updates, and cyber world updates.

Sunday, January 15, 2012

Hacking of DuPont computers won't go Unreported Anymore

5:28 PM Posted by Administrator



China-based hackers rifled the computers of DuPont Co. at least twice in 2009 and 2010, hunting the technological secrets that made the company one of the world's most successful chemical makers.

It's not something investors would have learned from DuPont's regulatory filings, or from those of other companies victimized by hackers. The 10-K's DuPont submitted to the U.S. Securities and Exchange Commission over the period don't identify hacking as even a significant risk, much less reveal what two U.S. intelligence officials later said was a successful case of industrial espionage.

Over the next three months, as publicly traded companies file 10-K's, investors may see new admissions of corporate networks being hacked after the SEC said companies can't continue to hold back the details of those incidents.

As cyberspies from China, Russia and other countries ransack the computer networks of one major U.S. and European firm after the next, the SEC in October offered its new interpretation of disclosure requirements as applied to cybercrime. The amount of information that's forthcoming will depend on whether company lawyers determine the incidents had, or will have, a material effect on the enterprise.

Daniel Turner, a spokesman for DuPont, said, regarding the previously reported hack, "We let our disclosures speak for themselves."

Mandiant Corp., an Alexandria, Va.-based security firm that specializes in cyber-based industrial espionage, has responded to incidents at 22 Fortune 100 companies, said Richard Bejtlich, the firm's chief security officer. Mandiant estimates that more than 20 percent of Fortune 500 companies experienced serious breaches recently or are dealing with current ones, Bejtlich said.

"It doesn't square that billions of dollars in intellectual property is being lost, and investors don't care," said Jacob Olcott, a former staff expert on cybersecurity for the Senate Commerce Committee. In May, the panel asked SEC Chairman Mary Schapiro to clarify how cyber intrusions should be reported under the so-called "material fact rule."

"We're afraid investors don't know what they don't know," he said.

The guidance, which also says companies can't use vague descriptions of the risks associated with possible future cyber break-ins when describing "risk factors," raised fears that more detail could create a road map for hackers, said Alexander Tabb, a partner at TABB Group, which advises corporate clients on risk assessment.

"I have to agree with some of the critics who say the guidance is much more useful for the individuals looking to attack a company than it is for investors," Tabb said.

The victims of even serious attacks, meanwhile, are largely silent, often reporting only breaches that fit narrow legal requirements, such as the theft of credit card numbers or customer information. Many of the headline-grabbing hacks of 2011, including Sony Corp., Citicorp, and Epsilon Data Management LLC, involved such data.

Beginning in 2009, the networks of at least six major U.S. and European energy companies were breached by China-based hackers. The victims included Exxon Mobil Corp., Royal Dutch Shell Plc and ConocoPhillips.

The hackers stole exploration data and computerized topographical maps, according to several assessments, including one by McAfee Inc., a security division of Intel Corp., which didn't identify the victims. The attacks provided the cyber-thieves with valuable, confidential assessments of the quality and accessibility of oil reserves, according to Ed Skoudis, senior security consultant with InGuardians Inc., a Washington-based security firm that investigated two of the breaches.

The oil companies' financial filings from the period didn't assess possible losses or mention the attacks, which became public through a report by Bloomberg News.

Spokesmen for ConocoPhillips and Exxon Mobil said their companies don't comment on security matters. BP and Shell didn't immediately respond to requests for comment.

Investors haven't done more to press for details and the impact of attacks because "they now look at an investing cycle as maybe a quarter or at most a year," said Eden Chen, portfolio manager at Los Angeles-based Lightmark Capital. That's too short a time for stolen technology to make a significant difference in many companies' fortunes, he said.

"If you are looking at companies for 10 years down the line you would definitely ask those questions," he said.