Intel Notes Attack on 10K – Are We Heading to Mandated Disclosure of Cyber Attacks?

As we move toward RSA I am really intrigued by the fact that Intel included a note in their recent 10K that they experienced an attack resembling the recent Google attack.  I am not surprised about the attack, but I think the mention in the 10K is interesting.

Intel noted the recent attack in the section of the 10K called “Risk Factors,” where a company discloses to investors and potential investors external factors that can affect company performance: in other words, potential problems that may have a direct impact on the stock price.  In the words of Intel: “Our business could be subject to significant disruption, and we could suffer monetary and other losses, including the cost of product recalls and returns and reputational harm, in the event of such incidents…”.

I have written 10Ks and I can tell you that items are not put onto the document on a whim.  I cannot speak for Intel, but I think it is reasonable to say that the frequency, complexity and depth of the attacks they experience have reached a place where the company feels compelled to explicitly reference these attacks as a potential risk to company performance.  We truly have come a long way from the Anna Kournikova virus and attacks for bragging rights.

Are we nearing a point where the government will step in and require disclosure of attacks?  The analogy can be found in the laws that emerged around personally identifiable information (PII), such as California law SB 1386, under which companies were required by law to notify individuals if their PII was acquired from company systems by an unauthorized party.  Many of the PII breaches we have seen over the past five years might never have surfaced into the public eye without such laws.

So will the SEC come to the place where the relentless attacks on corporate IP and confidential data will be seen as something that must be disclosed when such an attack is successful in order to protect investors from the potential fallout of such an attack?  What will be the criteria to require disclosure?

This much is sure – the stakes for IT security get higher every day.  If attacks are being discussed on 10Ks, then we can reasonably assume that there is much greater visibility to things such as the Advanced Persistent Threat at the executive level.  That visibility can only help the cause and move IT security from a grudge spend to a strategic investment in the fiscal health of the company.

About Jim Ivers
Jim Ivers is the Chief Security Strategist at Triumfant
