Companies are hacked all the time, but it's not often made public. The recent US prosecution of a cyber attacker who broke into Boeing's systems is a rare example. The FBI wants to know about cases of corporate espionage, but firms often don't want to come forward. Regulators could help by doing more to encourage disclosure and less - for now - to punish the victims.
Breaches have become an epidemic. A record 79 per cent of respondents said they detected at least one breach over 12 months and large companies discovered an average of 446 hacks each in the period, according to a 2015 report from PricewaterhouseCoopers. Cyber security professionals say more than 80 per cent of intrusions go unreported while 87 per cent of IT workers surveyed by Lieberman Software last year said big financial hacks are happening more often than reported.
One problem is that both the technological landscape and enforcers' responses are evolving. Reporting a breach can be embarrassing, and the result unpredictable. Only Boeing was mentioned by name in Chinese businessman Su Bin's guilty plea, released by prosecutors on Wednesday. But his associates also sought data on other companies' products, including fighter jets made by Lockheed Martin.
Meanwhile, regulators have increased enforcement actions for inadequate cyber security, according to legal experts. The Securities and Exchange Commission, bank watchdogs and others have already imposed penalties. Lax defences need to be policed, but it's challenging to fight determined hackers in a fast-changing technological environment - as the US government knows, having suffered breaches at the White House, the Defense Department and elsewhere.
This environment makes companies reluctant to come clean with investors, and the rules generally don't require them to do so except in cases where personal information is hacked. Yet intellectual property breaches can be at least as damaging because rivals may learn about pricing, research and development and future plans. Prosecutors link job losses at US Steel to a cyber attack there by the Chinese military.
The SEC says companies should disclose material breaches but the regulator's guidance is vague and leads companies to cite general risks rather than specific attacks. Just as businesses disclose lawsuits and other potentially expensive mishaps, hacks that could matter to investors need regulatory sunshine.