Examining Cybersecurity Risk Reporting on US SEC Form 10-K

Author: Grace F. Johnson, CPA
Date Published: 5 September 2018

On 27 June 2017, A.P. Moller-Maersk, Merck & Co., Inc., TNT, WPP, DLA Piper, Rosneft, the Ukrainian state postal service and Princeton Community Hospital in West Virginia, USA, were among the numerous organizations that were affected by a cybersecurity attack that held information systems hostage in exchange for ransom payments (i.e., ransomware attack).1, 2 This attack occurred the month after the major ransomware attack WannaCry was reported on 12 May 2017.

One day later, BBC America host Katty Kay asked Michael Chertoff, executive chairman of The Chertoff Group and former head of the US Department of Homeland Security, to comment on the chance that state-sponsored or nonstate-sponsored terrorist groups will initiate a material cyberattack. Chertoff responded that this is “the most serious threat we currently face.”3

Cybersecurity incidents and breaches cause significant losses to affected organizations. For example, if an organization’s information system is hacked and millions of customers’ data are stolen, the organization’s post-breach costs that are related to the attack will break down as follows:4

  • 41 percent from lost customer business from either a lack of trust from existing customers or a diminished ability to attract new customers
  • 17 percent for legal fees to defend the organization in lawsuits resulting from the breach
  • 16 percent to discover what went wrong and why
  • 26 percent comprised of eight different line items, none of which exceeds 8 percent

In the United States in 2016, the average cyberbreach cost to an organization that had a small data breach (fewer than 100,000 customer records) was US $7.35 million.5

Statistics from 2016 show:6

  • One in 131 email messages contained malware.
  • 15 cyberbreaches exposed more than 10 million identities in each breach.
  • 1.1 billion identities were exposed due to cyberincidents.
  • On average, it took two minutes for an Internet of Things (IoT) device to be attacked.
  • Close to 230,000 web attacks occurred each day.
  • 357 million variants of malware were detected.

Clearly, organizations face the danger of significant losses from cybersecurity incidents and breaches. The 2011 recommendations for voluntary cybersecurity risk disclosure guidance from the US Securities and Exchange Commission (SEC) for publicly traded companies have been the subject of support and criticism, but such disclosure is a valuable picture of the vulnerability of an organization’s data and information systems. These disclosure narratives—which should be included among the top risk factors in a company’s Form 10-K (the annual report required by the SEC for public companies), “if these issues are among the most significant factors that make an investment in the company speculative or risky”7—offer a reminder to Form 10-K readers that the information technologies on which an organization relies for its most critical business processes can be the target of enemies on the outside and the inside.

This article examines disclosures about cybersecurity threats included in Item 1A-Risk Factors on Form 10-K. A sample of organizations listed in the Standard & Poor’s (S&P) 100 Index was chosen for an examination of their cyberrisk disclosures in the year the SEC recommendations were released (fiscal year 2011) and five years later (fiscal year 2016).

Using a small sample of the largest US publicly traded companies, each considered a leader in its industry, this article identifies the cybersecurity threats that large companies deem material and highlight in their Item 1A-Risk Factors disclosures, and it examines specific ways in which their cybersecurity risk factor narratives changed between the year the SEC released guidance about these disclosures (2011) and the most recent fiscal year end (2016). In this study, the terms “cyberrisk,” “cybersecurity risk,” “IT risk” and “information systems risk” are interchangeable.

Methodology

The study analyzed the cybersecurity risk factor disclosures of one-third of the corporations listed in the S&P 100 Index on 31 May 2017. Figure 1 lists the 33 studied companies.

For the several companies whose 2011 fiscal years ended within a few months prior to the October 2011 release of the SEC’s disclosure recommendations, the fiscal year 2012 Form 10-K was used for analysis because it was the first annual filing subject to the SEC’s guidance.

Each company’s Item 1A-Risk Factor disclosure was examined for narratives about information system risk. These narratives were read in full and comparisons were made between the disclosures in 2011 and 2016. Those comparisons included:

  • Whether both, one or neither year’s narrative addresses the five areas of coverage recommended by the SEC
  • If the two years’ disclosures are unique, follow a template or use boilerplate language
  • How 2016 cybersecurity risk topics differ from those identified in 2011

Study Results and Discussion

The two key study takeaways are:

  • Across the five-year period, companies provide more cybersecurity risk information.
  • In nearly 40 percent of the 2016 Form 10-Ks, cyberrisk disclosures are detailed and specific.

SEC Recommended Disclosures

Figure 2 reports the 2011 and 2016 disclosures according to the five SEC suggested topic areas for Item 1A-Risk Factors on the Form 10-K.

Business Activities
The SEC encourages registrants to describe the nature of information technology-dependent business activities and the effect and financial costs of cyberrisk on those activities. Close to 50 percent of the companies reported this information in 2011 and, in 2016, about 60 percent disclosed the information; however, several qualifications must be made about the disclosures:

  • Not all of the 20 companies that provided business activity narratives in 2016 included meaningful details about these activities. Some noted their IT-dependent activities in general terms, such as Costco Wholesale’s statement from its 2016 Form 10-K:
    “We rely extensively on computer systems to process transactions, compile results, and manage our business.”8
    Other companies omitted their business activities but provided lists of types of data subject to cyberrisk. Eli Lilly and Company’s 2016 Form 10-K narrative exemplified this approach, stating, “This includes valuable trade secrets and intellectual property, corporate strategic plans, marketing plans, customer information, and personally identifiable information, such as employee and patient information.”9
    The Colgate-Palmolive and Nike disclosures stood out for their highly useful and specific descriptions of the nature of their business functions.
  • Because of overlapping content in the description of the impact of cybersecurity risk on company business activities and the SEC’s fourth suggested area for inclusion, a narrative focusing on the consequences of undetected cyberincidents, these narratives were blended together in the Item 1A disclosures.
  • None of the companies quantify the costs of cyberthreats; instead, they describe these costs qualitatively, in terms such as lost business, weakened competitive positions, impaired reputations and adverse impacts on profits and/or financial condition.

Outsourced IT Functions and Steps to Mitigate Associated Risk of Outsourcing
Although not the only company to do so, the American Express 2016 Form 10-K disclosure conveyed a frankness about the consequences of cybersecurity attacks on other large players in its sector, stating:

“Successful cyberattacks or data breaches at other large financial institutions, large retailers or other market participants, whether or not we are impacted, could lead to a general loss of customer confidence that could negatively affect us, including harming the market perception of the effectiveness of our security measures or harming the reputation of the financial system in general, which could result in reduced use of our products and services.”10

Consequences of Undetected Risk
The most commonly included cybersecurity risk element in Item 1A-Risk Factors narratives was the impact of undetected cyberrisk. In 2016, 100 percent of companies noted this risk. Five years earlier, 97 percent of companies reported the outcome of cyberrisk. In both years, however, the risk was often depicted in generic terms that point to a negative impact on profits and financial position; a loss of customers and reputation; and a recognition that corrective, compensatory and legal costs would be incurred.

Insurance Policies Covering Cybersecurity Threats
Four of the SEC’s five recommended risk topics emphasize the hazards inherent in using information technologies. The fifth topic encourages companies to highlight the protection they have against these hazards. In 2016, just 21 percent of companies indicated that they were insured for IT risk. In the 2011 Form 10-Ks, only 7 percent of companies identified the existence of insurance coverage.

Although this reflects a three-fold increase in the number of companies voluntarily disclosing insurance coverage, often the comments were general and merely noted coverage exists. MetLife, Inc.’s 2016 disclosure is worthy of mention because it identified two relevant insurance policies and stated the coverage limits: a total of US $225 million.11

Template or Unique Disclosures
From 2011 to 2016, the studied companies showed an increase in the amount of information reported in the five topic areas suggested by the SEC 2011 disclosure recommendation. The average number of Item 1A-Risk Factors paragraphs dedicated to the topic areas increased over the five-year period investigated.

The degree of qualitative improvement from 2011 to 2016 shows that the lengthier disclosures appeared to share more information, but not necessarily more specific cyberthreat details. One-third of the sample companies presented their 2016 disclosures using 2011’s Item 1A narrative as a template or starting point. That does not sound very impressive until the opposite perspective is considered: 67 percent of the companies took a more customized approach in writing their cybersecurity risk factor disclosures.

In addition to evaluating whether companies’ cybersecurity risk factor narratives employed boilerplate language in their 2016 Form 10-Ks, it is interesting to categorize these disclosures as vague, general or specific based on the following characteristics:

  • Vague—Barely recognizes threats to information systems or writes about them in a casual fashion, almost as an afterthought
  • General—In broad terms, acknowledges existence of cybersecurity threats and may identify their origins and impact on the company
  • Specific—Offers comprehensive descriptions of the sources and effects of threats to IT systems or provides information unique to the company’s business activities, geographic location or customers. This definition is modeled on the Investor Responsibility Research Center (IRRC) Institute’s 2016 research of risk factor disclosures.12

Shifts in these categories are shown in Figure 3.

A disturbing trend is observed between the 2011 narratives and those prepared five years later. The shift away from offering detailed or specific cybersecurity risk information is puzzling, particularly because cyberthreats now come from many directions and can be sponsored by agents of unfriendly governments, entities supporting terrorism, and yet-to-be-identified sources. Perhaps after five years of experience writing these disclosures, company managers believe that Form 10-K users fully understand the risk. Unless a specific threat or event needs explanation, authors of risk factor narratives may feel that they can scale back on the content.

How 2016 Disclosures Differ From Those in 2011
In addition to looking at changes in voluntary disclosure of the SEC’s five suggested topic areas and whether they follow a template, this study examined content differences in the cybersecurity risk factor narratives. The study looked for narratives about information system risk related to 10 subtopics and whether they were included in the 2011 annual report, the 2016 report or both, as shown in Figure 4.

In 2016, a larger percentage of companies wrote about risk connected with failures to follow government regulations (covering data privacy), noted risk of IT embedded in their products, and identified threats posed by conducting business using mobile and cloud technologies.

Several disclosures are worth highlighting for their specificity:

  • As one of three companies in 2016 to discuss risk related to social media, Bristol-Myers Squibb’s management wrote:
    Further, the disclosure of non-public Company-sensitive information by our workforce or others through external media channels could lead to information loss. Identifying new points of entry as social media continues to expand presents new challenges.13
  • FedEx Corporation’s 2016 risk factor narrative about key geography stated:
    While we operate several integrated networks with assets distributed throughout the world, there are concentrations of key assets within our networks that are exposed to adverse weather conditions or localized risks from natural or manmade disasters…. the loss of a key location such as our Memphis hub or one of our information technology centers could cause a significant disruption to our operations and cause us to incur significant costs to reestablish or relocate these functions.14
  • In its 2016 risk factors report, Verizon mentioned risk related to the company’s expanding involvement in the Internet of Things (IoT):
    Moreover, our increasing presence in the IoT industry with offerings of telematics products and services, including vehicle telematics, could also increase our exposure to potential costs and expenses and reputational harm in the event of cyberattacks impacting these products or services.15

Implications for Form 10-K Preparers, Auditors and Users

Lessons learned from this examination of the cyberthreat risk descriptions in Item 1A-Risk Factors can benefit preparers, auditors and users of the Form 10-K.

Form 10-K Preparers
From an organization’s viewpoint, the responsibility to deliver adequate Item 1A-Risk Factors disclosures rests on a clear understanding of the risk from strategic and operational perspectives. The chief accounting officer (CAO), director of external reporting and chief financial officer (CFO) are key players in authoring the narratives. Also, the oversight role of an organization’s audit committee and other members of its board of directors should not be ignored. Organizations are encouraged to bring together the person responsible for dealing with cyberincidents and breaches with the author(s) of the Item 1A-Risk Factors disclosure.16 The combination of accounting reporting and information systems security expertise can enhance narrative usefulness.

While this study examined cyberrisk disclosures for financial reporting purposes in the United States, other countries’ regulatory bodies with oversight of financial markets have their own risk disclosure requirements. For example, in the United Kingdom, the UK Financial Conduct Authority requires descriptions of significant business risk. The German Disclosure Act requires organizations listing on the Deutsche Börse to provide material information about business risk, too. In Japan, organizations wanting to list stocks on the Tokyo or Osaka exchanges would follow requirements from the Financial Instruments and Exchange Act for timely disclosure of important information to investors. And in the Republic of South Africa, to remain in good standing on the Johannesburg Stock Exchange, organizations would follow its disclosure guidelines related to reporting material matters to stockholders.

Form 10-K External Auditors
Responsibility for preparing the Form 10-K belongs to management, which decides which information is considered material and, therefore, which information to include in Item 1A-Risk Factors regarding cyberrisk. An independent audit firm’s audit opinion covers the financial statements and accompanying notes; management’s discussion of risk factors falls outside that opinion, but it is nonetheless reviewed by the auditors. The audit firm wants to be sure that these disclosures are congruent with what it learned and examined during the audit. External auditors, therefore, serve an important gatekeeping role by bringing to management’s attention any gaps or inconsistencies between risk-factor disclosures and the auditors’ knowledge of their client’s information systems environment.

Form 10-K Users
In the aggregate, topics disclosed by organizations in their Form 10-K Item 1A have the potential to offer annual report users a picture of significant business risk that is newly trending.17 Form 10-K readers can observe patterns of cybersecurity risk among organizations or industries that they follow, and can easily notice organizations that omit the mention of cyberthreats on their Form 10-Ks (e.g., Halliburton, Monsanto and Texas Instruments fiscal year 2011). It may not appear that annual disclosures reveal much new information to readers, particularly if the narratives use a template from previous years or employ nonspecific language, but Item 1A disclosure of cybersecurity risk is a perennial reminder to investors and other Form 10-K users about the past, present and future dangers to corporate information systems.

Government regulatory bodies and stock exchanges around the globe generally require organizations filing annual financial reports to disclose their business risk. With this information, investors and lenders—the primary beneficiaries of these financial reports—can proceed to make their decisions based on disclosures of all types of business risk, including actual and potential threats against information technologies.

Author’s Note

The author would like to thank the anonymous reviewers of this article and the ISACA Journal’s editorial team for their valuable insights and professional assistance. The author also thanks her faculty colleagues Samuel Cruz, Bev Hogue, Nicole Livengood, Harrison Potter and Bob VanCamp for reviewing various drafts of the manuscript.

Endnotes

1 Evans, M.; “Cyberattack Forces West Virginia Hospital to Scrap Computers,” The Wall Street Journal, 29 June 2017, www.wsj.com/articles/cyberattack-forces-west-virginia-hospital-to-scrap-its-computer-systems-1498769889
2 McMillan, R.; D. Gauthier-Villars; J. Marson; “Cyberattacks Hit Major Companies Across Globe,” The Wall Street Journal, 27 June 2017, www.wsj.com/articles/cyberattacks-hit-global-companies-in-europe-1498575793
3 Chertoff, M.; “Hacking ‘Most Serious Threat to US,’ Says Security Expert,” BBC News, 28 June 2017, www.bbc.com/news/av/world-us-canada-40438010/hacking-most-serious-threat-to-us-says-security-expert
4 Ponemon Institute, “2017 Cost of Data Breach Study,” IBM, June 2017, p. 1, 20, www.ibm.com/security/data-breach/
5 Ibid.
6 Symantec, “Internet Security Threat Report,” vol. 22, April 2017, p. 10-12, https://www.symantec.com/content/dam/symantec/docs/reports/istr-22-2017-en.pdf
7 US Securities and Exchange Commission, “CF Disclosure Guidance: Topic No. 2, Cybersecurity,” Division of Corporation Finance Securities and Exchange Commission, USA, 13 October 2011, www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
8 Costco Wholesale Corporation, US Securities and Exchange Commission, Form 10-K, Annual Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934 for the Fiscal Year Ended August 28, 2016, 2016, p. 9, http://investor.costco.com/mobile.view?c=83830&v=200&d=3&id=11177322
9 Eli Lilly and Company, US Securities and Exchange Commission, Form 10-K, Annual Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934 for the Fiscal Year Ended December 31, 2016, 2017, p. 20
10 American Express Company, “2016 American Express Company Annual Report,” 2017, p. 23, http://ir.americanexpress.com/Cache/1001233963.PDF?O=PDF&T=&Y=&D=&FID=1001233963&iid=102700
11 MetLife, Inc., US Securities and Exchange Commission, Form 10-K, Annual Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934 for the Fiscal Year Ended December 31, 2016, 2017, p. 72, http://investor.metlife.com/phoenix.zhtml?c=121171&p=irol-sec
12 Investor Responsibility Research Center Institute, The Corporate Risk Factor Disclosure Landscape, January 2016, http://irrcinstitute.org/wp-content/uploads/2016/01/FINAL-EY-Risk-Disclosure-Study.pdf
13 Bristol-Myers Squibb Company, US Securities and Exchange Commission, Form 10-K, Annual Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934 for the Fiscal Year Ended December 31, 2016, 2017, p. 22, http://d18rn0p25nwr6d.cloudfront.net/CIK-0000014272/c7d26961-509b-4916-9040-3466135bdd31.pdf
14 FedEx Corporation, US Securities and Exchange Commission, Form 10-K, Annual Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934 Filed for the Fiscal Year Ending May 31, 2016, 2016, p. 86-87, http://d1lge852tjjqow.cloudfront.net/CIK-0001048911/0585489f-5de5-4f89-81bd-5b75272f6915.pdf
15 Verizon Communications, Inc., US Securities and Exchange Commission, Form 10-K, Annual Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934 Filed for the Fiscal Year Ending December 31, 2016, 2017, p. 19, www.verizon.com/about/investors/sec-filings
16 International Association of Privacy Professionals, “The SEC Guidance on Cybersecurity and Incident Disclosure: What You Need to Know,” 9 August 2012, p. 43, http://files.dorsey.com/files/Upload/Krasnow_Mark_IAPP_080912.pdf
17 Investor Responsibility Research Center Institute, “The Corporate Risk Factor Disclosure Landscape,” 2016, p. 21, http://irrcinstitute.org/wp-content/uploads/2016/01/FINAL-EY-Risk-Disclosure-Study.pdf

Grace F. Johnson, CPA, is the McCoy Professor of Management and Accounting in the Department of Business and Economics at Marietta College (Ohio, USA). She can be reached at johnsong@marietta.edu.