SEC Pushes for New Cyber Attack Disclosures

January 10, 2012
China-based hackers rifled the computers of DuPont Co. at least twice in 2009 and 2010, hunting the technological secrets that made the company one of the world’s most successful chemical makers. But those and other hacker attacks are not something investors would have learned from DuPont’s regulatory filings, or from those of other companies victimized by hackers. The victims of these and other serious attacks are largely silent, often reporting only breaches that fit narrow legal requirements, such as the theft of credit card numbers or customer information.

Over the next three months, as publicly traded companies file 10-Ks, investors may see new admissions of corporate networks being hacked, after the SEC said companies can’t continue to hold back the details of those incidents. The SEC in October offered its new interpretation of disclosure requirements as applied to cybercrime. The amount of information that’s forthcoming will depend on whether company lawyers determine the incidents had, or will have, a material effect on the enterprise.

Serious Breaches: The networks of more than 2,000 companies, research universities, Internet service providers and government agencies were hit over the past decade by China-based cyber spies, according to Joel Brenner, U.S. counterintelligence chief until 2009. A November report by 14 U.S. intelligence agencies said Russia and other countries also are involved in such activities. Mandiant Corp., an Alexandria, Virginia-based security firm that specializes in cyber-based industrial espionage, has responded to incidents at 22 Fortune 100 companies, said Richard Bejtlich, the firm’s chief security officer. Mandiant estimates that many more than 20 percent of Fortune 500 companies experienced serious breaches recently or are dealing with current ones.

SEC/Congressional Efforts: In May, Jacob Olcott, a former staff expert on cybersecurity for the Senate Commerce Committee panel, asked SEC Chairman Mary Schapiro to clarify how cyber intrusions should be reported under the so-called material fact rule. “We’re afraid investors don’t know what they don’t know,” he said. Critics, including the lawmakers who sent the letter to Schapiro in May, said narrow disclosure calculations by companies skirt several SEC requirements, including the necessity to disclose when trade secrets are compromised. “Companies will think of every single reason not to report these incidents, which is why the investor side of things really needs to take control of these issues,” said Olcott, the former Senate aide. He and others are concerned that the guidance on what a company must disclose is not specific enough. At the same time, the rules that say companies can’t use vague, general descriptions of the risks associated with possible future cyber break-ins when describing “risk factors” raised fears that more detail could create a road map for hackers, said Alexander Tabb, a partner at TABB Group, which advises corporate clients on risk assessment.

Conservative Reporting: An indication of the conservative inclination in reporting cybersecurity matters occurred in March 2011, following an attack against RSA Security Inc., the network security division of EMC Corp. In that incident, China-based hackers infiltrated RSA’s computer network and stole critical technology related to SecurID, an authentication token used by banks, defense contractors and government agencies to secure their networks. It was a devastating attack by several measures, including the loss of valuable proprietary technology and damage to the reputation of a company that is paid for its expertise in protecting its clients from hackers. In an 8-K filed on March 17, 2011, EMC told investors that the event wouldn’t have a material impact on the company or its financial results. Kevin Kempskie, a spokesman for RSA, declined to comment on the filing. Olcott said EMC based the decision on the security division’s contribution to total company revenue.

Material Impact: Investors haven’t done more to press for details and the impact of attacks because “they now look at an investing cycle as maybe a quarter or at most a year,” said Eden Chen, portfolio manager at Los Angeles-based Lightmark Capital. That’s too short a time for stolen technology to make a significant difference in many companies’ fortunes, he said. “If you are looking at companies for 10 years down the line you would definitely ask those questions,” he said.

[Bloomberg 1/10/12]