Public companies are required to disclose risks to their business. Responding to Congressional pressure in 2011, the SEC highlighted cyber incidents as a category for future reporting. Since then we have seen a slow but steady increase in the number of reported incidents as well as the severity of the risk language.
The comments in current filings paint a vivid picture of corporate risk and provide considerable justification for increased investment in policy, practice and products to minimize exposure to cyber risk.
“Cybersecurity becomes an issue of global importance,” according to JP Morgan. Further, “Cybersecurity is a critical priority for the entire company, from the CEO on down. Cybersecurity is increasingly becoming more complex and more dangerous.”
Once burned, and even more vigilant today, EMC states “Cybersecurity breaches could expose us to liability, damage our reputation, compromise our ability to conduct business, require us to incur significant costs or otherwise adversely affect our financial results.”
Smaller is not safer in the cyber world. Here are a couple of examples showing the nature of risk events and the ongoing liabilities resulting from cyber incidents (click the links and scroll down to highlighted words):
- TJ Maxx endures ongoing expense to remediate theft of customer data.
- “SSS” learns that their customer data is in the hands of a competitor.
- Accuray Inc. has personnel data emailed to other internal employees.
- Dealertrack sued because their employee hacked another site.
- Euronet has ongoing expense due to theft of customer information.
- Genesco reports ongoing penalties due to criminal intrusion.