Cybersecurity

Cyber Attacks? Companies Disclose Little Impact

Companies aren’t disclosing much impact from computer crime

Provide news feedback or report an error

Confidential tip?

Send a tip to our reporters

Site feedback:

Take our Survey

By Chris Strohm, Eric Engleman, and Dave Michaels

April 12, 2013 at 2:41 AM UTC

This article is for subscribers only.

BusinessWeek Cover Image (13_16, portrait_2x)

This article is part of the April 15, 2013 issue of businessweek.

The news is full of stories about hackers breaking into corporate computer networks, and federal officials say the attackers are stealing billions of dollars in business secrets. Yet investors would have a hard time finding evidence of any damage. Among the 27 largest U.S. companies reporting cyber attacks—including MetLife, Coca-Cola, and Honeywell International—almost all said there has been no material impact from computer breaches. Citigroup, which reported “limited losses,” was an exception. The companies declined to comment. “I would bet some are just not being forthcoming,” says Lance Hoffman, director of George Washington University’s Cyber Security Policy and Research Institute.

That mixed message has triggered a debate about whether Washington is overstating the damage from cyber attacks or companies are understating their impact—or not disclosing the attacks at all. “There is a clear discrepancy between what companies are reporting to their stockholders and what they’re declaring to policymakers,” says Sascha Meinrath, vice president of the New America Foundation, a policy group. The confusion hampers the ability of legislators and agency officials to understand cybersecurity, Meinrath says.