Risk Transparency – Tying Information Security Risk to Financial Risk


Any business operating today is exposed to a wide range of risks related to information protection. For a privately owned business this is perhaps not that great a problem, since it is up to the owner to determine the appropriate countermeasures to stay in business. For a public organization it is different: the organization is owned by shareholders, usually a large number of them, many of whom have no direct contact with the organization’s leadership or board of directors outside the shareholder meetings.

To address this, the various financial regulation agencies around the world have implemented disclosure reports that a public organization must file and make available to anyone, both current and prospective investors. In the United States this agency is the Securities and Exchange Commission, or the SEC, and the form it requires each organization to file is the 10K (among many other forms).

The 10K has four parts, and the information most important to investors evaluating the risk of investing in the organization is in parts 1 and 2:

1A Risk Factors

A list of potential risks to the organization that could have an impact on its financial results, and therefore on the value of the investment made in the organization.

7 Management discussion and analysis of financial condition and results of operations

The purpose of this section is for management to discuss why the organization performed the way it did. It is usually a good place to gain some insight into the internal operational conditions of an organization.

9A Controls and Procedures

This section discusses the internal controls put in place to prevent adverse outcomes. Typically these are accounting controls and the frameworks used for them (COSO, or others).

Traditionally, the 10K has disclosed a number of generic risks and organization-specific risks, ranging from currency fluctuations, which is a risk to all multinational organizations, to sourcing issues specific to the organization, and all of these are directly tied to financial risk. But how many organizations report any of the risks associated with today’s connected enterprise?

To find out, I looked at three well-known retailers that had widely publicized breaches: Home Depot, Target, and TJX. I looked at what each organization reported before the breach, and what changed after the breach. For reference, below is the scope of each breach.

· 2007 TJX – 45.6 million credit cards stolen – cost reportedly $256M

· 2013 Target – 40 million credit cards stolen – cost reportedly close to $300M

· 2014 Home Depot – 56 million credit cards stolen – cost reportedly $179M

TJX

The year before – 2006:

Nothing about information security risk anywhere in the 10K.

The year of the breach – 2007:

This year TJX highlights that it had a breach, that there are numerous legal proceedings as a result of the breach, and that its business may be materially harmed by future breaches as well as by the reputational damage.

The year after the breach – 2008:

Almost the exact language of the previous year, but with very few details.

Three years after the breach – 2010:

This year TJX has updated the language to say that the business could suffer material harm both in the form of business risk and of reputational risk. Even more importantly, TJX discloses some information on what type of information it collects and stores. This is a critical piece for evaluating the information security risk of any business.

Target

The year before – 2012:

In 2012, Target highlights that a significant disruption to its computer systems could affect its operations. This is a good statement that is true for any and all organizations today, but there is nothing specific about information security risk.

The year of the breach – 2013:

Target highlights that it suffered a breach, and that numerous investigations and litigations resulted. It also highlights that future breaches could be costly and affect sales and reputation.

Target continues to state that disruptions to its computer systems would be potentially material.

The year after the breach – 2014:

Pretty much the same as the year of the breach.

Three years after the breach – 2016:

Significant reporting on technology-related risks, with specific mention of infrastructure, data, and privacy risks.

The Home Depot

The year before – 2013:

Addresses some of the information that it is storing and processing, and highlights the risk to reputation and the potential costs in the form of lost sales, fines, and lawsuits. The Home Depot also states that it has implemented systems and processes to protect itself, but provides no details of what these systems and processes are.

The Home Depot continues by stating that system failures could affect the business, and that failures of customer-facing systems could affect its multichannel strategy and the customer experience.

The year of the breach – 2014:

In addition to what it reported the previous year, The Home Depot discusses that it had a breach, the possibly material impact of litigation and investigations, and that potential future breaches could bring substantial additional costs, litigation, and reputational damage. Additionally, The Home Depot highlights that it is subject to payment-related risks such as fraud and theft.

There is also a significant discussion in Item 7, the management discussion.

The year after the breach – 2015:

Almost the exact same language as in the previous year, even in the management discussion.

Three years after the breach – 2017:

Well, this report has not been published yet, but the 2016 report looks very similar to the 2015 report.

Summary:

There is a wide range in the reported level of information security risk, from nothing (TJX the year before the breach) to information about the data collected and stored, general failure of systems, and the associated risk. Clearly, this range of reporting is a problem for investors, and it is very symptomatic of IT in general: very low-level business integration.

IT must get better at this, including information security. But the question is, what should be reported in the 10K for information security risk? I’ll discuss that in my next post.


Disclaimer – this post is unaffiliated with my employer

Justin Jocewicz

Sr IT Consultant at AHEAD

7 years

Most companies cannot readily identify their most precious assets. Good article about identifying and disclosing risk.


More articles by Fredrik Lindstrom
