Business’s cybercrime quandary
Law-enforcement officials often demand that corporations keep quiet about being victimized, but this keeps shareholders in the dark.
Craig A. Newman and Daniel L. Stein, The New York Times
Companies that come under cyberattack face a “dangerous dilemma,” said Craig A. Newman and Daniel L. Stein. Law-enforcement officials often demand that corporations keep quiet about being victimized, in order to avoid tipping off the perpetrators during ongoing investigations. But by agreeing to that silence, executives keep their shareholders in the dark about the possible loss of critical trade secrets or intellectual property, which cyberattacks can obliterate “with the click of a mouse.” This tension “between the demand for discreet cooperation and the obligation to inform investors” puts companies in an untenable position. Unfortunately, regulators have so far failed to provide clear direction. There have been calls for a regulation allowing corporations to conceal cyberattacks from investors if they’ve reported them to law enforcement, “but such a rule could easily be abused.” In many cases, executives have powerful incentives not to go public with their vulnerability. They shouldn’t be able to avoid “an embarrassing—and potentially devastating—disclosure” by making a “half-hearted referral to law enforcement.” Regulators need to step up now with a clear rule that balances “the competing demands of cooperation and disclosure.”