Published: December 2018
The U.S. Securities and Exchange Commission requires most publicly traded companies to annually disclose potential risk factors, including exposure to cybersecurity threats and violations of consumer privacy laws. The IAPP’s third annual study of these disclosures (part of Form 10-K) of 150 publicly traded companies shows that — like last year — effectively 100 percent identified concerns about cyberattacks in their 2017 10-K reports. New this year is a significantly higher concern about risks of legal action from privacy law violations, which jumped nearly 20 percent over last year.
Although concerns about malicious outsiders causing data breaches and taking other actions against corporate cybersecurity remained the primary threat reported by companies, more companies also acknowledged data risks posed by other actors. Companies were much more likely to acknowledge the risk of potential employee error, equipment failure, and information loss/misuse by third-party vendors than in prior years.
Loss of personal information was again the highest reported data risk, with 85 percent acknowledging it, while risks of losing intellectual property fell slightly to 31 percent. Additionally, concern about losing payment card data has more than doubled over last year (up 15 percent, to 31 percent).
The most important take-away from this year’s results, however, is the dramatic rise in companies reporting risks of privacy-related legal action, both regulatory action (up to 80 percent, from 63 percent) and civil litigation (up to 78 percent, from 52 percent last year). Consistent with this, reported concerns about legal compliance have also risen significantly, with three out of four companies now listing compliance with current U.S. privacy laws as a business risk, and nearly half citing compliance risks with non-U.S. privacy laws. More than one-quarter of surveyed companies (28 percent) specifically named the European Union’s General Data Protection Regulation as a compliance issue.
Interestingly, however, concern about new privacy regulations fell from 51 percent in 2017 to 36 percent in this year’s reports. This may prove short-sighted for global companies, however, because even though GDPR is now in effect, several new privacy laws have already come online since May 2018, including in California and Brazil, while India and others are poised to adopt privacy legislation as well.
The largest reported post-breach business cost and harm remains damage to reputation (90 percent). Although concern about financial losses (84 percent), business disruption (83 percent), and remediation expenses (65 percent) have all remained roughly the same as last year, concern about data breaches causing a loss in sales has risen 13 points to 62 percent. The number of corporations expressing concern that the handling of a data breach will distract senior management has almost quadrupled – up to 34 percent, from 9 percent last year. Additionally, concern about passing costs on to the consumer and losses exceeding insurance have also risen.
Lastly, consistent with the rise in compliance and loss of credit card data seen elsewhere, concerns about legal penalties and damages (now 85 percent) and specific credit card-related liability (now 10 percent) have also risen over last year.
Sample, representative language by selected companies, pulled from their actual 2017 10-K reports, can be found in this report’s Annex.