
Sony says there was no material financial impact from the hack. Really?

By Richard Hunter | January 26, 2015


In an announcement titled “Submission of an application for approval of extension of deadline to file the quarterly securities report for the third quarter of the fiscal year ending March 31, 2015” (see the full statement here), Sony Corporation notes that:

“… today that it has filed with the Financial Services Agency of Japan (the “FSA”) an application for approval of the extension of the deadline for Sony to file its quarterly securities report for the third quarter of the fiscal year ending March 31, 2015, pursuant to paragraph 1 of Article 17-15-2 of the Cabinet Office Ordinance on Disclosure of Corporate Information, etc.”

The announcement goes on to detail the reasons for the delay, all of which are the result of the cyberattack on Sony Pictures Entertainment that took place in late 2014:

“In November 2014, Sony Pictures Entertainment Inc. (“SPE”), a consolidated subsidiary of Sony that is reported as the Pictures business segment, identified a cyberattack on SPE’s network and IT infrastructure. As a result of the cyberattack, which has been now recognized as a highly sophisticated and damaging cyberattack, a serious disruption of SPE’s network systems occurred, including the destruction of network hardware and the compromise of a large amount of data on these systems. In response to this cyberattack, SPE shut down its entire network. Since that time, SPE has worked aggressively to restore these systems. However, most of SPE’s financial and accounting applications and many other critical information technology applications will not be functional until early February 2015 due to the amount of destruction and disruption that occurred… However, even with the anticipated restoration of these applications in early February 2015, SPE will not have sufficient time to close its financial statements in time for submission of the quarterly securities report in the middle of February 2015.”

So Sony’s “critical information technology applications will not be functional until early February 2015”–three months after the onset of the attack.  Nevertheless, when we read to the end of the filing, we see this:

“While Sony continues to evaluate the impact of the cyberattack on its financial results, it currently believes that such impact is not material.”

If that statement is correct, there are major implications for enterprises and their IT organizations.  If an 8-billion-dollar-plus corporation with over 5,000 employees in the USA can run for three months with its information systems turned off without producing a material impact on its business, the whole idea of “critical information technology applications” is questionable.

Does IT create value, or not?  That’s the question.  The Sony case will sooner or later provide an answer, or at least an object lesson.