Evaluating cyber risk reporting in US financial reports
Abstract
Cyberthreats are increasing: in 2018 over 53,000 cyber security incidents were identified. The cost of global cybercrime continues to escalate and is upwards of US$3tr according to 2015 data. US publicly traded companies report business risks in their financial reports filed with the Securities and Exchange Commission (SEC), following SEC guidance on cyber reporting. Additionally, several highly visible public company cyberattacks (eg Sony, Target, Home Depot, Yahoo) have been in the news. Using the Wharton Research Data Services system for analysing SEC reports, a time series analysis was conducted of US publicly traded companies which submitted SEC filings identifying cyber as a risk from 2002 through 2018. We find that 2.8 per cent of companies identify cyber risk as one of their business risk concerns in their financial reporting (Form 10-K) for 2017. This paper documents the low level of cyber risk reporting, analyses why the companies that do report choose to do so, and identifies obstacles to increased reporting (ie cyber insurance coverage, negative publicity, stock price decrease, contingent legal liability and disincentives to reporting). We conclude that the SEC needs to engage relevant stakeholders (eg public companies, investment firms, regulatory offices, US Department of Homeland Security) to develop a cyber risk framework that provides more consistency in reporting cyber risks.
The full article is available to subscribers to the journal.
Authors' Biographies
Ron Fisher PhD is the director of the Infrastructure Assurance and Analysis Division at Idaho National Laboratory. He has over 20 years' critical infrastructure protection and resilience experience, including serving on President Clinton's Presidential Commission on Critical Infrastructure Protection. Ron's research activities include developing vulnerability assessment methodology, risk and resiliency analyses and infrastructure interdependencies. The methodologies Ron helped to develop have been applied at thousands of critical infrastructure facilities throughout the US. He has been the programme manager for critical infrastructure protection activities for the US Departments of Energy, Defense and Homeland Security. Ron has over 300 classified publications and over 150 unclassified publications, including contributions to multiple books, as well as a copyright and trademark in geospatial information technology. Ron received a doctorate degree in organisational development from Benedictine University and has a BS in finance and an MBA.
Justin Wood PhD is an assistant professor of accounting at the College of Business at Idaho State University. His research addresses managerial disclosure incentives and behaviour, as well as capital market responses to disclosure. Justin holds a doctorate degree in accounting from the University of Iowa, as well as a BS in economics and an MBA from Brigham Young University.
Celia Porod is a critical infrastructure analysis strategic planner at Idaho National Laboratory. She has spent more than eight years supporting the analysis of critical infrastructure risk and resilience and providing solutions for translating research into practice. Celia holds a BA in psychology and an MS in management and organisational behaviour, both from Benedictine University.
Lydia Greco is a graduate student at Idaho State University currently pursuing an MBA. She is a recipient of the Scholarship for Service Cybercorp programme and a member of the National Information Assurance Training and Education Center. Lydia has a bachelor’s degree in law and constitutional studies from Utah State University and currently interns at Idaho National Laboratory in the Infrastructure Assurance and Analysis Division.