January 24, 2013 6:23 pm

Break a wall of silence on cyber attacks

Many companies are terrified of talking publicly about the issue

It was at the World Economic Forum meeting in Davos six years ago that I first became seriously worried about the credit bubble. It was clear then, in January 2007, that problems were developing in complex credit. But it was also clear that the public and private sector were in widespread denial.

That partly stemmed from an “agency dilemma”, as economists say: although there was plenty of unease about complex credit, no single company or government official wanted to blow the whistle, in case they suffered stigma or created panic. Thus it was frustratingly hard to pin down tangible names or numbers to articulate my fears; all I heard were whispers in Davos corridors.

This week I have experienced an echo of this pattern at the 2013 WEF meeting. But this time my unease does not revolve around any financial threats, but another issue – cyber security. Most notably, after chatting to corporate executives at Davos this year, it is clear many are suffering a deluge of cyber attacks. Some of these emanate from teenage hackers, or opportunists trying to steal money or secrets; but many seem more malign, security experts say, with the potential to disable corporate systems or critical infrastructure.

However, as in 2007, an “agency dilemma” is at work. In recent months, some companies (such as HSBC, Wells Fargo or Lockheed) have been forced to admit to suffering cyber attacks, after the penetration has become visible. But this is just the tip of a vast iceberg, and the overwhelming majority of companies today are terrified of talking too publicly about the issue, for fear of suffering stigma or sparking panic.

That means it is tough for any outsider to get precise information about the overall scale of attacks. It is even tougher for shareholders to work out the degree to which individual companies are being targeted.

Indeed, such is the reluctance to speak in public that while this year’s Davos meeting has conducted panel debates on the issue, there were almost no CEO participants at all; and it is hard to find an annual corporate report that delves into this issue in detail.

Nevertheless, the whispers in the Davos corridors are sobering. The head of one big consultancy group, for example, says some global clients are experiencing around “15,000 attacks a day”. The chief executive of a large global bank says his institution is experiencing “10 times that” level of attack.

Utilities (such as electricity networks) are suffering on a similar scale. Even hospitals are being attacked. “We found out a couple of weeks ago that we have been penetrated 180 times recently – it was a complete surprise,” the head of one big American hospital group told me. Or as a top executive of a US tech group observes: “The attacks are increasing exponentially. The question is not if, but when, something really bad occurs.”

Is there any solution? In some countries, such as Australia, the government has become so worried about this “agency dilemma” that it has stepped in to force collective corporate action: Australian companies are being required to invest resources in cyber defences and share data about such attacks. Britain is moving in the same direction.

However, replicating that in the US is harder because there is more controversy about the state taking a leadership role. In recent months, Leon Panetta, the former defence secretary, has tried to force action: a couple of months ago he declared that a cyber attack could be worse than 9/11 and warned that “although awareness is growing, the reality is that too few companies have invested in even basic cybersecurity”.

However, many American CEOs dislike the idea of taking orders from the defence departments. Some insist they have already invested heavily in their cyber defences, and do not need government hectoring. “Yes, we are experiencing huge volumes of attacks, but the point is we have fended them off,” says one American bank CEO.

Perhaps so. But the crucial point is this: even if some companies are on top of the issue, others are not, and without more public debate, it will be tough to get corporate boards to act. Without more disclosure it will also be difficult for investors to start pricing in these risks.

So, at the very least, it is high time shareholders began demanding more information from individual companies about the issue – not just about the scale of the cyber attacks, but also the moves being taken to fend them off.

And if companies refuse to answer those questions, then shareholders – or the government – should ask them why. After all, if there is one thing we learnt from 2007, it is that maintaining an embarrassed silence about risks does not usually make them go away; least of all when there is potential damage to consumers (and investors) as well as the companies under attack.

Copyright The Financial Times Limited 2015.