Last's week's Twitter-fueled crash erased $136 billion in value in minutes, underscoring concerns about companies' use of social media.
FORTUNE — A fraudster hacks into a company’s Twitter account and posts a phony announcement about sales reaching an all-time high. Shares in the company soar and then quickly crash after investors realize the news was merely a ruse to manipulate the stock price. Companies must, of course, be vigilant in preventing hackers from infiltrating their social media accounts. But that is especially true following the Security and Exchange Commission’s decision earlier this month to let businesses disclose important financial information through Twitter and Facebook.
If all goes as expected, millions of investors will turn to social media to get quarterly earnings reports, acquisition announcements, and other “material” information. The idea is to make important corporate updates more accessible to the public, many of whom already spend hours a day on Twitter, Facebook FB , and LinkedIn LNKD . The SEC’s new guidelines represent a big change. In the past, the agency required companies to make “material” information public only via press release services like Business Wire, regulatory filings, and on their own corporate Web sites.
The addition of social media to the mix creates more risk. Corporate Twitter accounts, in particular, have proven to be vulnerable to hackers. In the past few months, news organizations like CBS, NPR, and Associated Press have all fallen victim. In the case of AP last week, hackers posted a fake report on Twitter about a bombing at the White House, causing the Dow Jones Industrial Average INDU to plunge over 140 points — erasing $136 billion in market value — within a few minutes until the fraud was exposed. A group allied with the Syrian government claimed responsibility.
Earlier in the year, hackers also breached the Twitter accounts of Burger King BKW and Jeep. Whoever took them over, however, had a sense of humor. A message posted in Burger King’s account claimed, falsely, that the company had been acquired by McDonald’s MCD . Meanwhile, Jeep was said to have been bought by Cadillac.
Companies have a self-interest in keeping their social media accounts secure. But the SEC has not issued any specific rules on the matter. In general, the SEC has said that companies “should consider” implementing “controls and procedures” to prevent insiders from posting fraudulent information online. There’s no mention of preventing outsiders like hackers from gaining access or any penalties for companies that are careless with security.
“You might get a lot of grief for being idiots, but I don’t think you’d get any SEC sanction,” says Alan Denenberg, an attorney who specializes in securities law for Davis Polk, a corporate law firm. Companies would be required, however, to quickly correct any misstatement made to investors, he said.
Companies planning to use social media for key announcements must tell investors ahead of time, according to the SEC. Everyone will therefore be on an even playing field when it comes to information. Denenberg says that the policy also helps with preventing problems like rogue employee or stock manipulators posting inaccurate information on unofficial accounts. Investors will know to look only to the chief executive’s personal Facebook account for official information, for example, and to disregard other social media.
The risk of malfeasants posting fake corporate information isn’t entirely new. Over the years, a number of fraudsters have manipulated stock prices by posting phony press releases online. In such cases, the companies and shareholders were considered the victims.
Terry Hendershott, a professor of finance and information technology at University of California at Berkeley, points out that companies whose social media accounts are hacked aren’t entirely immune from consequences. Investors who suffer a financial loss from a hacking can file a civil lawsuit accusing a company of lax security. They would need to prove the company created a weak password, for example, or that an executive lost his mobile phone. “A company would have to show that they took all reasonable precautions,” Hendershott says.
Bart Chilton, one of five commissioners with the Commodity Futures Trading Commission, which oversees commodity trading, called for more aggressive regulation to stop hackers from impacting market prices. Companies that allow their social media accounts to be infiltrated — and hackers to manipulate the market through those accounts — should be fined. Chilton plans to bring up the issue at the commission’s next meeting. He advised the SEC’s commissioners to take similar steps, although he has no authority with the agency, which oversees public companies.
Everyone in the market, Chilton says, “should super-size their computer security to ensure that their social media is as safe and secure as everything else they do.”