The IT networks, systems and applications of the now-defunct Canadian maker of network telecommunications switches were apparently compromised by hackers from China, according to a story written by Siobhan Gorman on the front page of the Wall Street Journal on February 14, 2012. The WSJ article can be found here: Chinese Hackers Suspected in Long-Term Nortel Breach – which may require a subscription.
Nortel Networks hacked for a decade
The hackers' activity was discovered in 2004, although the IT systems at Nortel are believed to have been compromised as early as 2000, according to a Mr. Shields, who is cited as a former employee who led an internal investigation of the breach.
The Journal article claims that technical papers, R&D plans, business plans and employee emails were among the intellectual property stolen by the hackers.
SEC guidance on cybersecurity risks and incidents
In a little-noticed section of the article, Siobhan Gorman mentions the new guidance from the SEC requiring public firms to disclose cybersecurity risks and incidents. Written on October 13, 2011, the guidance from the SEC (see CF Disclosure Guidance: Topic No. 2) may be a little too late for creditors and companies that are acquiring the assets of the former Nortel.
The SEC states that “material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading. As with other operational and financial risks, registrants (publicly-traded organizations) should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.”
Why heed the SEC cybersecurity guidance
Had the guidance from the SEC been written earlier than October 2011, it is far more likely that buyers would have further discounted their purchase prices for Nortel Networks assets. And had the guidance been in place when Nortel was a going concern, it is likely to have had more of an impact on share price, earnings, and customer retention.
Going forward, some smart lawyers are going to figure out what the opportunities are, and it will likely involve your shareholders’ assets if the company is not demonstrating due diligence and adhering to the new SEC guidance regarding cybersecurity.
Think of the IT security budget as cheap insurance. Although this is new territory for the SEC and the courts, the amount spent on due diligence and managing the business risks related to information security will likely pale in comparison to erosion of shareholder value, lost market opportunity from thieves reselling ill-gotten gains, fines meted out by the SEC, or awards from courts of law.