Evaluating cyber risk reporting in US financial reports

Abstract

Cyberthreats are increasing — in 2018 there were over 53,000 cyber security incidents identified. The cost of global cybercrime continues to escalate and is upwards of US$3tr according to 2015 data. US publicly traded companies report business risks in their financial reports filed with the Securities and Exchange Commission (SEC) based on guidance provided on cyber reporting. Additionally, there have been several highly visible public company cyberattacks (eg Sony, Target, Home Depot, Yahoo) in the news. Using the Wharton Research Data Services system for analysing SEC reports, a time series analysis was conducted of US publicly traded companies which submitted SEC filings identifying cyber as a risk from 2002 through 2018. We find that 2.8 per cent of companies identify cyber risk as one of their business risk concerns in their financial reporting (Form 10-K) for 2017. This paper documents the low cyber risk reporting, analyses causation of companies that are reporting, and identifies obstacles to increased reporting (ie cyber insurance coverage, negative publicity, stock price decrease, contingent legal liability and disincentives to reporting). We conclude that the SEC needs to engage relevant stakeholders (eg public companies, investment firms, regulatory offices, US Department of Homeland Security) to develop a cyber risk framework that provides more consistency in reporting cyber risks.