Publicly traded companies are required to disclose all material risks to shareholders, but thousands using Amazon’s hack-prone cloud computing platform are keeping investors in the dark.

Lawmakers should require all public companies using Amazon Web Services (AWS) – as well as AWS users getting ready for an initial public offering such as Airbnb – to come clean about their dependence on the service and how security breaches and other disruptions could severely impact data privacy and financial performance.

On face value, it might seem far-fetched, but not so fast. Just recently, a hacker broke into Capital One’s AWS cloud-stored data and accessed the personal information of more than 100 million people. True to form, Amazon denied blame, but the increased frequency and severity of these mega-hacks begs the question: is the company unwilling or simply unable to do what it takes to help prevent them?

In either case, it is time for lawmakers to step in. And to their credit, some have already sent a letter to both Capital One and Amazon demanding answers. But to move the needle, Congress should pass a no-nonsense bill requiring companies to disclose the risk of using AWS.

This would be a win-win: it would provide transparency and clarity to shareholders.

AWS, which initially debuted in 2002 but relaunched in 2006, offers cloud computing services to all types of businesses. For startups, AWS provides the ability to access the servers needed to launch a mobile app or website, for example. For Fortune 500 companies, it offers a massive global technology infrastructure.

But the AWS broad array of services also means potentially more open doors for hackers and other bad actors to interfere with a company’s AWS space, creating the possibility for lost revenues, exposure of proprietary data including intellectual property, and reputational damage. Amazon recently rolled out AWS Security Hub, which is apparently supposed to provide companies using the service tools to better secure their information, but the move seems more like an attempt to navigate liability rather than an earnest effort to fortify the platform.

When considering the potential risks, regulators should not throw caution to the wind. Amazon brags about training Chinese companies on the AWS suite of offerings, yet does little if any vetting of these companies, potentially creating an army of nation-state hackers with the ability to access, intercept, or tamper with exabytes of sensitive data entrusted to the AWS cloud. Adding to that threat is the fact that China compels civilian cooperation in intelligence operations.

In December 2018, the Justice Department accused two Chinese nationals with apparent connections to the country’s Ministry of State Security of infiltrating internet services providers. Operating under the name APT10, the group targeted cloud computing providers, according to the indictment. They stole “data, intellectual property, and confidential business and technological information.”

Quite literally a pillar of the digital infrastructure so many businesses depend on, AWS is arguably porous enough for sophisticated Chinese hackers to slip through undetected and carry out the same kinds of hacking campaigns they have been accused of in the recent past.

Uber, Lyft, and Pinterest’s IPO documents all discuss the cybersecurity and data breach risks of using AWS and the financial and reputational damage that could result. Meanwhile, Lockheed Martin’s most recent 10-K does not disclose their use of AWS’ cloud-computing offerings, despite the highly sensitive military data the company handles. Nor does Adobe Systems disclose the risk of using AWS, despite its reliance on the cloud.

To any reasonable investor, the vulnerability of AWS is a material and significant risk. In fact, the SEC should consider a rulemaking to require disclosure of certain third-party services like AWS.

But regardless of any potential SEC actions, shareholders should be demanding answers about AWS usage from companies already in their portfolio and those in which they are considering investing.

John Burnett is the Managing Director and Founder of 1 Empire Group consulting firm and a business executive with over 20 years of experience in the financial services and energy pricing industries. A veteran of politics, John is an official with the New York State Republican Party and ran for New York City Comptroller in 2013. An adjunct professor at Hampton University and New York University, John’s editorials on business, the economy, policy, and politics have appeared in HuffPost, U.S. News and World Report, and Washington Examiner. He is also a frequent guest commentator on Fox News, Fox Business News, New York 1, and PIX 11 News. John holds a B.S. with honors from New York University and an MBA from The Johnson School of Management at Cornell University. To read more of his reports — Click Here Now.