China-based hackers rifled the computers of DuPont Co. at least twice in 2009 and 2010, hunting the technological secrets that made the company one of the world’s most successful chemical makers. It’s not something investors would have learned from DuPont’s regulatory filings, or from those of other companies victimized by hackers. The 10-K’s DuPont submitted to the U.S. Securities and Exchange Commission over the period don’t identify hacking as even a significant risk, much less reveal what two U.S. intelligence officials later said was a successful case of industrial espionage.
Over the next three months, as publicly traded companies file 10-K’s, investors may see new admissions of corporate networks being hacked after the SEC said companies can’t continue to hold back the details of those incidents.
As cyberspies from China, Russia and other countries ransack the computer networks of one major U.S. and European firm after the next, the SEC in October offered its new interpretation of disclosure requirements as applied to cybercrime. The amount of information that’s forthcoming will depend on whether company lawyers determine the incidents had, or will have, a material effect on the enterprise.
Daniel Turner, a spokesman for Wilmington, Delaware-based DuPont, said, regarding the previously reported hack, “We let our disclosures speak for themselves.”
Mandiant Corp., an Alexandria, Va.-based security firm that specializes in cyber-based industrial espionage, has responded to incidents at 22 Fortune 100 companies, said Richard Bejtlich, the firm’s chief security officer. Mandiant estimates that many more than 20 percent of Fortune 500 companies experienced serious breaches recently or are dealing with current ones, Bejtlich said.