The Latest Sony Breach And Its Potential SEC Problems

Sony's (NYSE: SNE) latest network breach is also potentially one of its worst when it comes to financial impact on the company. The attackers (Guardians of Peace) stole five movies including Brad Pitt's "Fury" and released them online. "Fury" alone has had over 1.2 million downloads in the last three days according to Variety, which makes it the second most downloaded movie currently being pirated. The other movies stolen by the hackers include "Annie", "Mr. Turner", "Still Alice", and "To Write Love on Her Arms". The hackers also stole multiple terabytes of internal company financial and personal data, which they released today on Pastebin. Depending upon what was stolen, this could make Sony liable for millions of dollars in penalties if it includes controlled PII data.

The company's PlayStation unit had been repeatedly and successfully breached by attackers in 2011, which cost it an estimated $171 million and would "affect revenues for its fiscal 2011 year" according to its IR group (investor relations). Page 8 of its 2011 Annual Report dedicated one paragraph to that event, 90% of which spoke about how "sophisticated" the hackers were (they actually weren't sophisticated at all) and how they have reinforced their security, blah blah.

The current attack against Sony Pictures Entertainment has potentially done more damage and may involve one or more insiders. Sony has engaged an IR firm to investigate the attack and is cooperating with the FBI, which is pretty standard procedure.

I looked at Sony's annual reports since 2011, and the language used in describing its cyber risk factors remains pretty much the same as these quotes from its 2014 20-F filing:
"Moreover, as network and information systems have become increasingly important to Sony’s operating activities, the impact that network and information system shutdowns may have on Sony’s operating activities has increased. Shutdowns may be caused by events similar to those described above or other unforeseen events, such as software or hardware defects or cyber-attacks by groups or individuals." 
"Similar events in the future may result in the disruption of Sony’s major business operations, delays in production, shipments and recognition of sales, and large expenditures necessary to enhance, repair or replace such facilities and network and information systems. Furthermore, Sony may not be able to obtain sufficient insurance in the future to cover the resulting expenditures and losses, and insurance premiums may increase. These situations may have an adverse impact on Sony’s operating results and financial condition."
"Sony makes extensive use of information technology, online services and centralized data processing, including through third-party service providers. The secure maintenance and transmission of customer information is a critical element of Sony’s operations. Sony’s information technology and other systems that maintain and transmit such information, or those of service providers or business partners, and the security of such information possessed by Sony or its business partners may be compromised by a malicious third-party or a man-made or natural event, or impacted by intentional or inadvertent actions or inactions by Sony employees, or those of a third-party service provider or business partner. As a result, customer information may be lost, disclosed, misappropriated, altered or accessed without consent. For example, Sony’s network services, online game business and websites of certain subsidiaries have been subject to cyber-attacks by groups and individuals with a wide range of motives and expertise, resulting, in some instances, in unauthorized access to and the potential or actual theft of customer information."
"In addition, Sony, third-party service providers and other business partners process and maintain proprietary Sony business information and data related to Sony’s business, commercial customers, suppliers and other business partners. Sony’s information technology and other systems that maintain and transmit this information, or those of service providers or business partners, and the security of such information possessed by Sony, third party service providers or other business partners may also be compromised by a malicious third-party or a manmade or natural event, or impacted by intentional or inadvertent actions or inactions by Sony employees, or those of a third-party service provider or business partner. As a result, Sony’s business information and customer, supplier, and other business partner data may be lost, disclosed, misappropriated, altered, or accessed without consent."

This is pretty generic stuff, evidenced by the fact that the language doesn't contain anything specific to Sony that wouldn't apply to every other public company. SEC regulations on risk disclosure require that the language be non-generic, so Sony, like all registrants, will need to find a way to accurately estimate its risk of a cyber attack without providing actionable intelligence to potential attackers (which I believe is entirely possible).

Sony never filed an 8-K on the 2011 breach, and to date it hasn't filed one on this breach (8-Ks are to be filed on material corporate events that shareholders should know about). I've left a message for their IR desk to call me back so that I can ask them why that is, but so far, no joy.

A Taia Global white paper on the SEC and Cyber Risk Factors was just published last Monday and is available for download at the company website.
