Cybersecurity Disclosures in Risk Factors

Cybersecurity has become a staple item within the Risk Factors section for the vast majority of public companies. In 2015, over 88% of Russell 3000 companies disclosed cybersecurity as a risk. In addition, over two percent of the companies that disclosed cybersecurity as a risk also disclosed that they had suffered an actual cybersecurity incident.


While just about all public companies face some cyber risks, those risks can differ considerably from one industry to the next. Some industries face very specific threats, and these industries often have higher-than-average risk factor disclosure rates. The table below shows industry-specific disclosure rates of cybersecurity risk factors for a select group of industries.

Retail and Hospitality

The retail and hospitality industries share some threats in common, particularly the threat of point-of-sale (PoS) malware. Since November, three large hotel groups, Hyatt, Starwood, and Hilton, have suffered PoS malware breaches. In addition, many of the largest breaches affecting retail companies were due to PoS malware, including those at Target, Supervalu, and Fred’s.

Depository Institutions

When it comes to cybersecurity risks, most companies are principally concerned with protecting data, whether it be customer data or their own intellectual property. Depository institutions are no different in this regard, but they also have to protect against distributed denial-of-service (DDoS) attacks. As JPMorgan disclosed in its risk factors, DDoS attacks are often conducted by “technically sophisticated and well-resourced third parties which were intended to disrupt online banking services.” In total, 85 of the 239 (36%) depository institutions that disclosed cybersecurity as a risk included DDoS in their disclosure. Only 216 of the other 2,336 (9%) companies that disclosed cybersecurity as a risk included DDoS in their disclosure.

Healthcare

The healthcare industry has been, and continues to be, one of the most targeted industries for cyber-crime. According to Websense, the healthcare industry “will be one of the most attacked sectors” in the coming year. As the report says, Protected Healthcare Information (PHI) can be sold for upward of $200 per record. This compares to just a $20-$40 range for a complete set of Personally Identifiable Information (PII) – “name and billing address; credit card number, expiration date and card security code; and Social Security number and birthdate.”

Healthcare companies are aware of the threat. Over 90% of healthcare companies identify cybersecurity as a risk. Unlike other industries, healthcare companies are subject to a specific set of cybersecurity laws: they must abide by HIPAA. In its risk factors, Universal Health Services, Inc. disclosed that “a cyber security incident could cause a violation of HIPAA, breach of member privacy, or other negative impacts.”

Companies in all industries face cyber risks. Traditional cyber risks, including computer viruses and phishing attacks, can target anyone. But it is important to understand the specific vulnerabilities a company faces in its industry and sector, and whether the company itself understands those vulnerabilities as well.