Was Chrysler’s Vehicle Hacking Risk an SEC Disclosure Reportable Event?

[photo: K2D2vaca via Flickr]

[photo: K2D2vaca via Flickr]

Remember the data breach at JPMorgan Chase, exposing 76 million accounts to “hack-mapping“? Last October, JPMorgan Chase publicly disclosed the intrusion and exposure to investors in an 8-K filing with the Securities and Exchange Commission. The statement complied with the SEC’s CF Disclosure Guidance: Topic No. 2 – Cybersecurity.

Other companies whose customers’ data have been exposed also disclosed breaches in 8-Ks, including Target, TJX Companies, Heartland Payment, EMC and Google. (Firms NASDAQ, Citigroup and Amazon have not.)

Disclosure of known cybersecurity threats or attacks with potential material risks allows investors to make informed decisions. Stock share pricing will fluctuate and reflect the true market value once risk has been factored by investors — and not remain artificially high.

Fiat Chrysler America (FCA; NYSE:FCAU) has known for nearly a year about the risk that Chrysler vehicles could be hacked remotely, according to Fortune magazine Thursday.

Yet to date no filing with the SEC has been made, disclosing this specific cyber risk to investors, customers, and the public.

The SEC’s Disclosure Guidance, though, is just that — guidance. There aren’t any firm rules yet in place, and the guidance itself was published in October 2011. A lot has happened and changed about technology and cybersecurity risks since then; the guidance has not reflected the increasing threats and attacks to business’ data.

Nor does the SEC’s guidance distinguish between cybersecurity threats to service products (like banking services), versus hardlines or manufactured goods (like automobiles which offer software as an additional, non-essential feature). The software industry’s chronic security patching confuses any distinction; should software companies likewise include all security patches in their SEC filings, or continue as they have without doing so? It’s easy to see how revelations about Adobe Flash after Hacking Team was hacked have materially hurt Adobe and all companies relying on Flash — yet Adobe hasn’t released a statement at its website. (Only a statement addressing the 2013 threat to customer accounts is posted.)

Are financial services firms any more obligated than software firms? Are automobile companies, which claim ownership of on-board software, any more obligated than software companies?

It’s likely FCA chose not to reveal the vehicle hacking threat until efforts to mitigate potential damage had been completed. The now-released security patch for Chrysler vehicles is an obvious indication of this attempt.

Less visible to the public and to investors is any financial effort to reduce future financial exposures. Has FCA established a protocol for investigating any suspect vehicle accidents? Were reserves set up for future claims should there be (or have been) an accident caused by hacking of their vehicle software?

Can investors adequately account for their own financial risk if they do not know what actions FCA has taken? At this point, investors only know what Chrysler owners and the public know: FCA issued a recall Friday on 1.4 million vehicles at risk, in order to patch their UConnect systems.

Senators Richard Blumenthal (D-CT) announced Friday that he and Ed Markey (D-MA) are working on new legislation, to ensure the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) establish new safety standards for software features in vehicles, in response to the kind threat revealed this week. This is problematic — members of Congress have proven repeatedly they are not able to grasp technological subtleties and details. We’ll have to hope for the best.

But business reporting must likewise keep up with technology; the SEC should revisit cybersecurity disclosure guidance immediately, given the size and scope cybersecurity threats pose to the public. Disclosure to investors and the public should not be a hit-or-miss proposition.

Blogger since 2002, political activist since 2003, geek since birth. Opinions informed by mixed-race, multi-ethnic, cis-female condition, further shaped by kind friends of all persuasions. Sci-tech frenemy, wannabe artist, decent cook, determined author, successful troublemaker. Mother of invention and two excessively smart-assed young adult kids. Attended School of Hard Knocks; Rather Unfortunate Smallish Private Business School in Midwest; Affordable Mid-State Community College w/evening classes. Self-employed at Tiny Consulting Business; previously at Large-ish Chemical Company with HQ in Midwest in multiple marginalizing corporate drone roles, and at Rather Big IT Service Provider as a project manager, preceded by a motley assortment of gigs before the gig economy was a thing. Blogging experience includes a personal blog at the original blogs.salon.com, managing editor for a state-based news site, and a stint at Firedoglake before landing here at emptywheel as technology’s less-virginal-but-still-accursed Cassandra.
5 replies
  1. scribe says:

    The place where any car company would be hurt most by this would be in sales. As to liability, they have more coverage against defective products than you can shake the proverbial stick at, so liability claims will not (or should not) impact their bottom line. When it comes to litigation they are routinely represented by some of the thuggier insurance defense law firms around, firms which specialize in cars and their pecuiliarities.
    .
    So, insofar as they are hit in their sales by this hack, it’s 8-K-able. But try putting a causal connection between this and sales decreases, as opposed to stinky models depressing sales. Good luck with that.

  2. bloopie2 says:

    If I hack into a self-driving car and take control of it, is that like Superman flying around the Earth so fast he makes it spin backwards to reverse time? Does a self-driving car have a built-in “back door” to allow that to be done to it? And does it then become a Jeep that you can hack into? Can I hack into that slowpoke ahead of me and “move him along” just a bit faster? Is this the explanation, long-sought, for all those “the brakes failed on me, really, Officer” incidents? So many choices; so many roads less traveled. Our whole future lies ahead of us.

  3. galljdaj says:

    Then there is the case of the Hasting Murder, that is being called an ‘accident’, but sense the CIA/Military are involved all the truth is secret and FOIA REQUESTS ARE ALL STALLED.

    The evidence says there was an explosion of a runaway car, fire, and the car gently bumping only the front wheels over a curb, coming to rest a few hundred feet beyond the explosion, after the high speed run. But the ‘news’ reports were high speed crash! No truth, stalling and refusals to provide info! All National Security! No truth for the man that exposed the US gENERAL!

  4. Rayne says:

    Scribe (7:56 pm 25-JUL) — Is that why the hacking emerged NOW, on the eve of model year changeover, because sales of 2015 models can’t be depressed any more given the remaining number in the market are few? Automakers typically cut over to new models in July.

    galljdaj (7:16 am 26-JUL) — I’m not going to get into the Hastings case here, because 1) Hastings was driving a MERCEDES, not a Chrysler, and 2) Hastings is dead, whereas 1.4 million Chrysler owners and who knows how many FCAU stock owners are out there, without a clue they are exposed to risk (not to mention other drivers on the road or the rest of the market).

  5. galljdaj says:

    I agree regarding changing the ‘subject(s)’, however on the point of the Article and the dangers to us Citizens, is what Our Govt is Doing! They have developed the means of software and hacking, sharing it with only a weak inconsistent ‘threat’ and we know that many many peoples now have that same technology and we the people are now targets and victims! Hasting is an example! of a dead victim and virtually every new vehicle is compromised! From tracking to loss of control while driving! My point is the same as yours Rayne.

Comments are closed.