FEATURE

Examining Cybersecurity Risk Reporting on US SEC Form 10-K

Grace F. Johnson, CPA, is the McCoy Professor of Management and Accounting in the Department of Business and Economics at Marietta College (Ohio, USA). She can be reached at [email protected].

On 27 June 2017, A.P. Moller-Maersk, Merck & Co., Inc., TNT, WPP, DLA Piper, Rosneft, the Ukrainian state postal service and Princeton Community Hospital in West Virginia, USA, were among the numerous organizations that were affected by a cybersecurity attack that held information systems hostage in exchange for ransom payments (i.e., a ransomware attack).1, 2 This attack occurred the month after the major ransomware attack WannaCry was reported on 12 May 2017.

One day later, BBC America host Katty Kay asked Michael Chertoff, executive chairman of The Chertoff Group and former head of the US Department of Homeland Security, to comment on the chance that state-sponsored or nonstate-sponsored terrorist groups will initiate a material [cyberattack]. Chertoff responded that this is “the most serious [threat] we currently face.”3

Cybersecurity incidents and breaches cause significant losses to affected organizations. For example, if an organization’s information system is hacked and millions of customers’ data are stolen, the organization’s post-breach costs that are related to the attack will break down as follows:4
• 41 percent from lost customer business from either a lack of trust from existing customers or a diminished ability to attract new customers
• 17 percent for legal fees to defend the organization in lawsuits resulting from the breach
• 16 percent to discover what went wrong and why
• 26 percent comprised of eight different line items, none of which exceeds 8 percent

In the United States in 2016, the average cyberbreach cost to an organization that had a small data breach (fewer than 100,000 customer records) was US $7.35 million.5

Statistics from 2016 show:6
• One in 131 email messages contained malware.
• 15 cyberbreaches exposed more than 10 million identities in each breach.
• 1.1 billion identities were exposed due to cyberincidents.
• On average, it took two minutes for an Internet of Things (IoT) device to be attacked.
• Close to 230,000 web attacks occurred each day.
• 357 million variants of malware were detected.

Clearly, organizations face the danger of significant losses from cybersecurity incidents and breaches. The 2011 recommendations for voluntary cybersecurity risk disclosure guidance from the US Securities and Exchange Commission (SEC) for publicly traded companies have been the subject of support and criticism, but such disclosure is a valuable picture of the vulnerability of an organization’s data and information systems. These disclosure narratives—which should be included among the top risk factors in a company’s Form 10-K (the annual report required by the SEC for public companies), “if these issues are among the most significant factors that make an investment in the company speculative or risky”7—offer a reminder to Form 10-K readers that the information technologies on which an organization relies for its most critical business processes can be the target of enemies on the outside and the inside.

This article examined disclosures about cybersecurity threats included in Item 1A-Risk Factors on Form 10-K. A sample of organizations listed in the Standard & Poor’s (S&P) 100 Index were chosen for an examination of their cyberrisk disclosures in the year the SEC recommendations were released (fiscal year 2011) and five years later (fiscal year 2016).

Using a small sample of the largest US publicly traded companies that were considered leaders in their industries, this article identifies the cybersecurity threats that large companies deem material and highlight in their Item 1A-Risk Factors disclosures, and examines specific ways that their cybersecurity risk factor narratives have changed between the year that the SEC released guidance about these disclosures (2011) and the most recent fiscal year end (2016). In this study, the terms “cyberrisk,” “cybersecurity risk,” “IT risk” and “information systems risk” are interchangeable.

Methodology

The study analyzed the cybersecurity risk factor disclosures of one-third of the corporations listed in the S&P 100 Index on 31 May 2017. Figure 1 lists the 33 studied companies. For the several companies whose 2011 fiscal years ended within a few months prior to the October 2011 release of the SEC’s disclosure recommendations, the fiscal year 2012 Form 10-K was used for analysis because it was the first annual filing subject to the SEC’s guidance.

Figure 1—Companies Evaluated in the Study
Abbott Laboratories
Allergan Plc
Alphabet Inc.
American Express Company
Apple Inc.
The Bank of New York Mellon Corporation
BlackRock Inc.
Bristol-Myers Squibb Company
Caterpillar Inc.
Cisco Systems Inc.
Colgate-Palmolive Company
Costco Wholesale Corporation
The Dow Chemical Company
Eli Lilly and Company
Exxon Mobil Corporation
FedEx Corporation
General Motors Company
Halliburton Company
Intel Corporation
JPMorgan Chase & Co.
Lockheed Martin Corporation
McDonald’s Corporation
MetLife, Inc.
Monsanto Company
Nike Inc.
Philip Morris International Inc.
Raytheon Company
Southern Company
Texas Instruments Incorporated
Union Pacific Corporation
United Technologies Corporation
Verizon Communications Inc.
Wal-Mart Stores Inc.

Each company’s Item 1A-Risk Factors disclosure was examined for narratives about information system risk. These narratives were read in full and comparisons were made between the disclosures in 2011 and 2016. Those comparisons included:
• Whether both, one or neither year’s narrative addresses the five areas of coverage recommended by the SEC
• Whether the two years’ disclosures are unique, follow a template or use boilerplate language
• How 2016 cybersecurity risk topics differ from those identified in 2011

Study Results and Discussion

The two key study takeaways are:
• Across the five-year period, companies provide more cybersecurity risk information.
• In nearly 40 percent of the 2016 Form 10-Ks, cyberrisk disclosures are detailed and specific.

SEC Recommended Disclosures

Figure 2 reports the 2011 and 2016 disclosures according to the five SEC-suggested topic areas for Item 1A-Risk Factors on the Form 10-K.

Figure 2—Five SEC-Suggested Risk Factors Topic Areas
Narratives                                              2011*   Percent   2016   Percent
Business activities, impact and cost                       13        43     20        61
Outsourced IT functions and steps to mitigate risk          9        30     19        58
Incidents, impacts and significance                         4        13     17        52
Consequences of undetected incidents                       29        97     33       100
Insurance coverage and amounts                              2         7      7        21
*In 2011, three companies (Halliburton, Monsanto and Texas Instruments) did not identify information technology risk in Item 1A. Therefore, 2011 percentages reflect the number out of 30, rather than 33, companies.

Business Activities

The SEC encourages registrants to describe the nature of information technology-dependent business activities and the effect and financial costs of cyberrisk on those activities. Close to 50 percent of the companies reported this information in 2011 and, in 2016, about 60 percent disclosed the information; however, several qualifications must be made about the disclosures:
• Not all of the 20 companies that provided business activity narratives in 2016 included meaningful details about these activities. Some noted their IT-dependent activities in general terms, such as Costco Wholesale’s statement from its 2016 Form 10-K: “We rely extensively on computer systems to process transactions, compile results, and manage our business.”8 Other companies omitted their business activities but provided lists of types of data subject to cyberrisk. Eli Lilly and Company’s 2016 Form 10-K narrative exemplified this approach, stating, “This includes valuable trade secrets and intellectual property, corporate strategic plans, marketing plans, customer information, and personally identifiable information, such as employee and patient information.”9 The Colgate-Palmolive and Nike disclosures stood out for their highly useful and specific descriptions of the nature of their business functions.
• Because of overlapping content in the description of the impact of cybersecurity risk on company business activities and the SEC’s fourth suggested area for inclusion, a narrative focusing on the consequences of undetected cyberincidents, these narratives were blended together in the Item 1A disclosures.
• None of the companies quantify costs of cyberthreats, but they qualitatively tally these costs in terms such as lost business, weakened competitive positions, impaired reputations and adverse impacts on profits and/or financial condition.

Outsourced IT Functions and Steps to Mitigate Associated Risk of Outsourcing

Although not the only company to do so, the American Express 2016 Form 10-K disclosure conveyed a frankness about the consequences of cybersecurity attacks on other large players in its sector, stating:

“Successful [cyberattacks] or data breaches at other large financial institutions, large retailers or other market participants, whether or not we are impacted, could lead to a general loss of customer confidence that could negatively affect us, including harming the market perception of the effectiveness of our security measures or harming the reputation of the financial system in general, which could result in reduced use of our products and services.”10

Consequences of Undetected Risk

The most commonly included cybersecurity risk element in Item 1A-Risk Factors narratives was the impact of undetected cyberrisk. In 2016, 100 percent of companies noted this risk. Five years earlier, 97 percent of companies reported the outcome of cyberrisk. In both years, however, the risk was often depicted in generic terms that point to a negative impact on profits and financial position; a loss of customers and reputation; and a recognition that corrective, compensatory and legal costs would be incurred.

Insurance Policies Covering Cybersecurity Threats

Four of the SEC’s five recommended risk topics emphasize the hazards inherent in using information technologies. The fifth topic encourages companies to highlight the protection they have for these hazards. In 2016, just 21 percent of companies indicated that they were insured for IT risk. In the 2011 Form 10-Ks, only 7 percent of companies identified the existence of insurance coverage. Although this reflects a three-fold increase in the number of companies voluntarily disclosing insurance coverage, often the comments were general and merely noted that coverage exists. MetLife, Inc.’s 2016 disclosure is worthy of mention because it identified two relevant insurance policies and stated the coverage limits: a total of US $225 million.11

Template or Unique Disclosures

From 2011 to 2016, the studied companies showed an increase in the amount of information reported in the five topic areas suggested by the SEC 2011 disclosure recommendation. The average number of Item 1A-Risk Factors paragraphs dedicated to the topic areas increased over the five-year period investigated.

The degree of qualitative improvement from 2011 to 2016 shows that lengthier disclosures appeared to be sharing more information, but not necessarily more specific cyberthreat details. One-third of the sample companies presented their 2016 disclosures using 2011’s Item 1A narrative as a template or starting point. It does not sound very impressive until the opposite perspective is considered: 67 percent of the companies took a more customized approach in writing their cybersecurity risk factor disclosures.

In addition to evaluating whether companies’ cybersecurity risk factor narratives employed boilerplate language in their 2016 Form 10-Ks, it is interesting to categorize these disclosures as vague, general or specific based on the following characteristics:
• Vague—Barely recognizes threats to information systems or writes about them in a casual fashion, almost as an afterthought
• General—In broad terms, acknowledges the existence of cybersecurity threats and may identify their origins and impact on the company
• Specific—Offers comprehensive descriptions of the sources and effects of threats to IT systems or provides information unique to the company’s business activities, geographic location or customers. This definition is modeled on the Investor Responsibility Research Center (IRRC) Institute’s 2016 research of risk factor disclosures.12

Shifts in these categories are shown in Figure 3.

Figure 3—Level of Specificity in Risk Factor Disclosures
              2011*   Percent   2016   Percent
Vague             5        17      6        18
General          11        37     15        45
Specific         14        46     12        37
*2011 percentages reflect the number out of 30, rather than 33, companies.

A disturbing trend is observed between the 2011 narratives and those prepared five years later. The shift away from offering detailed or specific cybersecurity risk information is puzzling, particularly because cyberthreats now come from many directions and can be sponsored by agents of unfriendly governments, entities supporting terrorism, and yet-to-be-identified sources. Perhaps after five years of experience writing these disclosures, company managers believe that Form 10-K users fully understand the risk. Unless a specific threat or event needs explanation, authors of risk factor narratives may feel that they can scale back on the content.

How 2016 Disclosures Differ From Those in 2011

In addition to looking at changes in voluntary disclosure of the SEC’s five suggested topic areas and whether they follow a template, this study examined content differences in the cybersecurity risk factor narratives. The study looked for narratives about information system risk related to 10 subtopics and whether they were included in the 2011 annual report, the 2016 report or both, as shown in Figure 4.

Figure 4—Percent of Companies With Cybersecurity Subtopic Narratives
Cybersecurity Subtopic                                                      2011 Percent*   2016 Percent
Natural disasters                                                                     40             55
Infrastructure failures                                                               33             58
Updating hardware and/or software                                                     17             27
State, federal or international regulatory environment changes                        13             33
Product functionality                                                                 10             45
Company reputation                                                                    67             91
Third-party IT providers                                                              43             64
Increasing frequency, number and sophistication of cyberincidents                     37             55
Greater adoption of mobile and cloud technologies, and bring your own device (BYOD) work environments     3     30
Increased use of social media                                                          7              9
*2011 percentages reflect the number out of 30, rather than 33, companies.

In 2016, a larger percentage of companies wrote about risk connected with failures to follow government regulations (covering data privacy), noted risk of IT embedded in their products, and identified threats posed by conducting business using mobile and cloud technologies.

Several disclosures are worth highlighting for their specificity:
• As one of three companies in 2016 to discuss risk related to social media, Bristol-Myers Squibb’s management wrote: “Further, the disclosure of non-public Company-sensitive information by our workforce or others through external media channels could lead to information loss. Identifying new points of entry as social media continues to expand presents new challenges.”13
• FedEx Corporation’s 2016 risk factor narrative about key geography stated: “While we operate several integrated networks with assets distributed throughout the world, there are concentrations of key assets within our networks that are exposed to adverse weather conditions or localized risks from natural or manmade disasters….the loss of a key location such as our Memphis hub or one of our information technology centers could cause a significant disruption to our operations and cause us to incur significant costs to reestablish or relocate these functions.”14
• In its 2016 risk factors report, Verizon mentioned risk related to the company’s expanding involvement in the Internet of Things (IoT): “Moreover, our increasing presence in the IoT industry with offerings of telematics products and services, including vehicle telematics, could also increase our exposure to potential costs and expenses and reputational harm in the event of cyberattacks impacting these products or services.”15

Implications for Form 10-K Preparers, Auditors and Users

Lessons learned from this examination of the cyberthreat risk descriptions in Item 1A-Risk Factors can benefit preparers, auditors and users of the Form 10-K.

Form 10-K Preparers

From an organization’s viewpoint, the responsibility to deliver adequate Item 1A-Risk Factors disclosures rests on a clear understanding of the risk from strategic and operational perspectives. The chief accounting officer (CAO), director of external reporting and chief financial officer (CFO) are key players in authoring the narratives. Also, the oversight role of an organization’s audit committee and other members of its board of directors should not be ignored. Organizations are encouraged to bring together the person responsible for dealing with cyberincidents and breaches with the author(s) of the Item 1A-Risk Factors disclosure.16 The combination of accounting reporting and information systems security expertise can enhance narrative usefulness.

While this study examined cyberrisk disclosures for financial reporting purposes in the United States, other countries’ regulatory bodies with oversight of financial markets would have their own risk disclosure requirements. For example, in the United Kingdom, the UK Financial Conduct Authority requires descriptions of significant business risk. The German Disclosure Act requires organizations listing on the Deutsche Börse to provide material information about business risk, too. In Japan, organizations wanting to list stocks on the Tokyo or Osaka exchanges would follow requirements from the Financial Instruments and Exchange Act for timely disclosure of important information to investors. And in the Republic of South Africa, to remain in good standing on the Johannesburg Stock Exchange, organizations would follow its disclosure guidelines related to reporting material matters to stockholders.

Form 10-K External Auditors

Responsibility for preparing the Form 10-K belongs to management, which makes the decision about which information is considered material and, therefore, the information to include in Item 1A-Risk Factors regarding cyberrisk. An independent audit firm extends its audit opinion on the financial statements and accompanying notes; however, management’s discussion of risk factors is reviewed by the auditors. The audit firm wants to be sure that these disclosures are congruent with what it learned and examined during the audit. External auditors, therefore, serve an important gatekeeping role by bringing to management’s attention any gaps or inconsistencies between risk-factor disclosures and auditors’ knowledge of their client’s information systems environment.

Form 10-K Users

In the aggregate, topics disclosed by organizations in their Form 10-K Item 1A have the potential to offer annual report users a picture of significant business risk that is newly trending.17 Form 10-K readers can observe patterns of cybersecurity risk among organizations or industries that they follow, and can easily notice organizations that omit the mention of cyberthreats on their Form 10-Ks (e.g., Halliburton, Monsanto and Texas Instruments in fiscal year 2011). It may not appear that annual disclosures reveal much new information to readers, particularly if the narratives use a template from previous years or employ nonspecific language, but Item 1A disclosure of cybersecurity risk is a perennial reminder to investors and other Form 10-K users about the past, present and future dangers to corporate information systems.

Government regulatory bodies and stock exchanges around the globe generally require organizations filing annual financial reports to disclose their business risk. With this information, investors and lenders—the primary beneficiaries of these financial reports—can proceed to make their decisions based on disclosures of all types of business risk, including actual and potential threats against information technologies.

Author’s Note

The author would like to thank the anonymous reviewers of this article and the ISACA® Journal’s editorial team for their valuable insights and professional assistance. The author also thanks her faculty colleagues Samuel Cruz, Bev Hogue, Nicole Livengood, Harrison Potter and Bob VanCamp for reviewing various drafts of the manuscript.

Endnotes

1 Evans, M.; “Cyberattack Forces West Virginia Hospital to Scrap Computers,” The Wall Street Journal, 29 June 2017, www.wsj.com/articles/cyberattack-forces-west-virginia-hospital-to-scrap-its-computer-systems-1498769889
2 McMillan, R.; D. Gauthier-Villars; J. Marson; “Cyberattacks Hit Major Companies Across Globe,” The Wall Street Journal, 27 June 2017, www.wsj.com/articles/cyberattacks-hit-global-companies-in-europe-1498575793
3 Chertoff, M.; “Hacking ‘Most Serious Threat to US,’ Says Security Expert,” BBC News, 28 June 2017, www.bbc.com/news/av/world-us-canada-40438010/hacking-most-serious-threat-to-us-says-security-expert
4 Ponemon Institute, “2017 Cost of Data Breach Study,” IBM, June 2017, p. 1, 20, www.ibm.com/security/data-breach/
5 Ibid.
6 Symantec, “Internet Security Threat Report,” vol. 22, April 2017, p. 10-12, https://www.symantec.com/content/dam/symantec/docs/reports/istr-22-2017-en.pdf
7 US Securities and Exchange Commission, “CF Disclosure Guidance: Topic No. 2, Cybersecurity,” Division of Corporation Finance, Securities and Exchange Commission, USA, 13 October 2011, www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
8 Costco Wholesale Corporation, US Securities and Exchange Commission, Form 10-K, Annual Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934 for the Fiscal Year Ended August 28, 2016, 2016, p. 9, http://investor.costco.com/mobile.view?c=83830&v=200&d=3&id=11177322
9 Eli Lilly and Company, US Securities and Exchange Commission, Form 10-K, Annual Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934 for the Fiscal Year Ended December 31, 2016, 2017, p. 20, http://files.shareholder.com/downloads/LLY/4993495800x0xS59478%2D17%2D98/59478/filing.pdf
10 American Express Company, “2016 American Express Company Annual Report,” 2017, p. 23, http://ir.americanexpress.com/Cache/1001233963.PDF?O=PDF&T=&Y=&D=&FID=1001233963&iid=102700
11 MetLife, Inc., US Securities and Exchange Commission, Form 10-K, Annual Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934 for the Fiscal Year Ended December 31, 2016, 2017, p. 72, http://investor.metlife.com/phoenix.zhtml?c=121171&p=irol-sec
12 Investor Responsibility Research Center Institute, The Corporate Risk Factor Disclosure Landscape, January 2016, http://irrcinstitute.org/wp-content/uploads/2016/01/FINAL-EY-Risk-Disclosure-Study.pdf
13 Bristol-Myers Squibb Company, US Securities and Exchange Commission, Form 10-K, Annual Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934 for the Fiscal Year Ended December 31, 2016, 2017, p. 22, http://d18rn0p25nwr6d.cloudfront.net/CIK-0000014272/c7d26961-509b-4916-9040-3466135bdd31.pdf
14 FedEx Corporation, US Securities and Exchange Commission, Form 10-K, Annual Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934 Filed for the Fiscal Year Ending May 31, 2016, 2016, p. 86-87, http://d1lge852tjjqow.cloudfront.net/CIK-0001048911/0585489f-5de5-4f89-81bd-5b75272f6915.pdf
15 Verizon Communications, Inc., US Securities and Exchange Commission, Form 10-K, Annual Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934 Filed for the Fiscal Year Ending December 31, 2016, 2017, p. 19, www.verizon.com/about/investors/sec-filings
16 International Association of Privacy Professionals, “The SEC Guidance on Cybersecurity and Incident Disclosure: What You Need to Know,” 9 August 2012, p. 43, http://files.dorsey.com/files/Upload/Krasnow_Mark_IAPP_080912.pdf
17 Investor Responsibility Research Center Institute, “The Corporate Risk Factor Disclosure Landscape,” 2016, p. 21, http://irrcinstitute.org/wp-content/uploads/2016/01/FINAL-EY-Risk-Disclosure-Study.pdf

ISACA JOURNAL VOL 4 ©2018 ISACA. All rights reserved. www.isaca.org