I recently reviewed a number of annual reports, quarterly reports and similar filings to learn more about how large corporations are publicly talking about cybersecurity and the threats they face. In general, for something to be talked about in terms of risk in one of these reports, the risk must be considered 'material' in its potential for affecting the organization.
Take a look at the following excerpts from recent reports of four well-known corporations. These are some of the better examples I came across where it is clear that some thought went into articulating the specific risk for the annual report. You can see how the risks vary from company to company:
Intel Corporation (Technology)
We regularly face attempts by others to gain unauthorized access through the Internet or introduce malicious software to our IT systems. These attempts, which might be the result of industrial or other espionage, or actions by hackers seeking to harm the company, its products, or end users, are sometimes successful. In part because of the high profile of our McAfee subsidiary in the network and system protection business, we might become a target of computer hackers who create viruses to sabotage or otherwise attack our products and services. Hackers might attempt to penetrate our network security and gain access to our network and our data centers, steal proprietary information, including personally identifiable information, or interrupt our internal systems and services. We seek to detect and investigate these security incidents and to prevent their recurrence, but in some cases we might be unaware of an incident or its magnitude and effects. (Source: Intel Form 10-K, 2/23/2012)
This is probably the most crystalline view of the various security threats a corporation like Intel faces. What is striking is the mention of industrial or other espionage and the assertion that some attempts are sometimes successful. Of course, Intel is a global technology company with substantial intellectual property, including semiconductor design and process technology, which substantially raises its visibility and appeal to malicious hackers. Intel cites that its McAfee acquisition also contributes to a higher profile.
Ford Motor Co. (Automotive)
Cybersecurity risks to operational systems, security systems, or infrastructure owned by us or a third-party vendor, or at a supplier facility. Interruptions, outages, or breaches of operational systems (including business, financial, accounting, data processing, in-vehicle, or manufacturing processes), security systems, or infrastructure, as a result of cyber incidents, could materially disrupt critical operations, disclose confidential intellectual property, and/or give rise to allegations of or result in a breach of data privacy or other regulations within or outside the United States. (Source: Ford Motor Co Form 10-K, February 21, 2012)
Ford has written a fairly holistic review of risks it has related to information security. Notice the mention of use of third-party systems and supplier facilities, as Ford's business model involves working with thousands of third-party providers and suppliers.
Nordstrom, Inc. (Retail)
The protection of our customer, employee and company data is vitally important to us. As we operate in multiple retail channels and maintain our own credit operations, we are subject to privacy, security and cybersecurity risks and incidents. Our business involves the storage and transmission of customers' personal information, consumer preferences and credit card information, in addition to employee information and company financial and strategic data. In addition, we use mobile devices, social networking and other online activities to connect with our customers. Some of our critical systems also depend upon third party providers.
As techniques used to obtain unauthorized access, sabotage systems or otherwise attack our services change frequently and often are unforeseen, we may be unable to anticipate these techniques or to implement adequate preventive measures and they may remain undetected for some period. (Source: Nordstrom, Inc. Form 10-K, March 16, 2012)
Like Intel's statement, Nordstrom's statement is one of the most comprehensive I found. It is clear that management has considered risk at length, including risk related to payment card data. Note the mention of mobile devices and social networking, two very important and fast-changing areas that Nordstrom management has determined could pose a significant risk to their operations.
Ubisoft (Video Games)
Like any other international company with a strong presence on the Internet, Ubisoft is exposed to multiple prerequisites such as changes in regulations and standards related to data protection, management of sensitive data and also faces numerous threats in many areas: mobility solutions, social networking, online services and games, partnerships for development to mention just a few. (Source: Ubisoft Annual Report 2011)
Ubisoft is a major video game maker based in France. If you have any type of gaming system, there's a very good chance you have one of their titles in your home. As you can imagine, many of the company's major operations leverage the Internet. Also notice the inclusion of mobility, social networking and third-party partnerships.
The biggest takeaway is that cyber threats and security breaches are considered across the board to have the potential to be materially impactful and, as a result, are mentioned in nearly all of the public statements I reviewed. Some of the corporations reviewed took pains to indicate the level of resources and effort spent on cybersecurity, though they also acknowledged a breach could happen despite their best efforts.
What about your company?
How does it articulate its risk from cyber threats? How is the threat evolving from your organization's perspective, and are you adding more information on cybersecurity risks to your annual reports? And how do mobility and social media play into that risk?