In the wake of massive data breaches of customer information at Target and Ebay, cybersecurity has jumped to the forefront of corporate risk discussions. The stakes are high. Identity theft, credit card fraud, and monetary loss are some of the risks facing consumers. The companies themselves face the risk of litigation, loss of customer loyalty, and sales, to name just a few.
Audit Analytics recently performed an analysis of disclosures made by public companies that have suffered data breaches and other cybersecurity lapses. Using a combination of key word searches of SEC filings (primarily 10-Ks, 10-Qs, and 8-Ks), supplemented by internet searches of news articles, we compiled a database of publicly disclosed breaches in cybersecurity at US public companies. In this post, we will review some of our findings and expand on some trends related to the issue.
There are a number of ways a company might suffer from cybersecurity weaknesses. Consumer Reports illustrated the use of credit card skimmers at gas pumps in an August 2013 article as one example. More recently, AT&T sent some of its wireless customers a letter informing them that some of their personal information may have been stolen by an employee. And notoriously, the personal information of over 70 million Target customers was hacked, leading to significant costs to the company.
As a result of these and other cases, hacking has become a major concern. It is possibly the most significant cybersecurity risk faced by companies that hold sensitive personal information about their customers. As mentioned above, customers put a lot of trust in companies to protect their credit card numbers and other sensitive information. A data breach could lead to litigation, material losses, and the loss of customer relationships.
In 2012, 14 public companies reported data breaches that involved hacking. Of those, the largest was suffered by Zappos.com, where 24 million customer accounts were affected. The number of public companies reporting hacking breaches increased to 20 in 2013. And in only the first five months of 2014, there have already been 16 such incidents, the largest affecting 145 million accounts at Ebay.
In the event that a company suffers a data breach of its customers’ personal information, the type of information that was compromised may be of greater importance than the number of individuals affected. A stolen email or mailing address may lead to spam mail – if handled properly, more of an annoyance than a real problem. A stolen credit card may lead to monetary loss – a real problem; and a stolen Social Security number may lead to identity theft – a real big problem.
Reporting Cyber Breaches
The SEC does not have rules pertaining specifically to the disclosure of a cyber-data breach; however, in discussing this issue the SEC notes that “federal securities laws, in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision.” And further, that disclosures about cyber security would often be required in order to comply with other disclosure requirements. In 2010, only 1,201 companies had disclosed cybersecurity in their Risk Factors (Section 1a) in a Form 10-K. That number more than doubled in 2013 to 2,488.
Of the 50 data breaches occurring between January 2012 and May 2014, only 19 were disclosed in the affected company’s financial statements. Seventeen were disclosed in a Form 10-K, while three were disclosed in a Form 8-K. (One company disclosed its data breach in both a Form 10-K and Form 8-K.) As investors begin to focus more on cybersecurity issues, look for more companies to start using 8-Ks to disclose breaches, since the 8-K is a more timely disclosure than the 10-K or 10-Q.
The second issue with disclosure relates to the comprehensiveness of the reported data. Only two companies reported the financial impact of their cybersecurity breaches. Target accrued $61,000,000 during the fourth quarter of 2013 to account for costs associated with its data breach, and accrued an additional $26,000,000 in the first quarter of 2014.
Measuring the Impact
While cyber breaches can be quite difficult to estimate, Ponemon Institute releases a global analysis of data breach costs annually. The 2014 report, sponsored by IBM, stated that a data breach costs US companies an average of $201 per compromised record. The average cost is made up of two parts: direct costs of $67 and indirect costs of $134. This number increases by $25 per compromised record for breaches caused by third parties. The study excludes “mega-breaches” – those of more than 100,000 records.
Of the 48 companies that did not disclose an estimate of costs, eight had data breaches that would have fallen within the Ponemon research parameters. Using the simple $67 direct cost figure, four of those companies would have had a material impact on earnings, assuming a 5% net income materiality threshold. 16 companies that did not disclose an estimate of costs had breaches that were larger than the Ponemon research parameters, so it’s hard to estimate what the costs might be. There was not enough information about the cybersecurity events at the remaining 24 companies to make a concrete estimate of the costs these companies might have incurred. Many of them may not have been data breaches at all, but other attacks such as a “denial of service”.
According to the National Conference of State Legislatures (NCSL), 47 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have notification laws in regards to security breaches. Only Alabama, New Mexico, and South Dakota do not have such laws. Most state laws have mirrored the California cybersecurity law, which requires companies to submit copies of their data breach notices to the Attorney General if the breach involves more than 500 Californians. Companies are still required to disclose to their customers any breaches in which unencrypted personal information is accessed by unauthorized sources.
There are currently no federal laws concerning cybersecurity, though there have been bills brought before Congress. Just yesterday, Reuters reported that the “U.S. Senate Intelligence Committee approved a bill…to encourage companies to exchange information with the government on hacking attempts and cybersecurity threats.” It is suggested that this bill may be Congress’s best chance to pass cybersecurity legislation. The bill may face difficulties with the general public, though, as anti-NSA fervor still lingers from the Snowden leaks just over ago. Sentiment circulates that the bill would give the NSA too much access to information about individuals in the name of security.
Either way, state disclosure rules and federal legislation may not be enough to quell the increase in data breaches. Commissioner Luis A. Aguilar of the SEC believes an active Board of Directors is an integral part of protecting stakeholders against data breaches. In remarks at the “Cyber Risks and the Boardroom” conference, Aguilar advocated for the voluntary NIST Cybersecurity Framework to become a tool used by more boards. This would help companies to prevent and mitigate cyber threats by incorporating cybersecurity into the company’s risk profiles and formulating a response plan in the event of a data breach.
The Costs of Ignoring Cybersecurity
For now, the consequences of data breaches have been mixed. Target may have recognized significant losses related to its data breach, but as Matt Kelly of Compliance Week points out, “Instituional Shareholder Services had recommended that shareholders vote down 7 of 10 directors up for election” at Target. “All 10 directors won their seats.” The CEO, on the other hand, resigned shortly after the breach, and the stock price fell about 11% over the subsequent couple months. The company further explained that poor holiday season sales figures were at least partly because “the breach scared off customers worried about the security of their private data.”
But other companies haven’t faced such stark consequences. Neiman Marcus, which had a breach similar to Target’s, saw year-over-year sales rise, and crafts-store Michaels also saw sales rise since a recent data breach.
Nevertheless, it’s clear that cybersecurity is a major risk and that companies appear to be behind the eight ball. With cyber incidents occurring more regularly, companies would do well to heed Commissioner Aguilar’s advice.