Maryland, where I live, requires its practicing Certified Public Accountants to attend an ethics class every other year. My turn came last October, and the instructor turned the subject to the ethics that surround hacked credit card accounts: When do hacked companies have a responsibility to inform their victimized customers and – next – how do they win back their trust? Before launching his discussion, the teacher asked the 60 attendees one question: In the past year, who among you has had to replace a credit card because of a security breach?
Every hand in the room went up. (Mine included.)
Maybe a lot of Maryland CPAs shop at Target or Home Depot, but the unanimity surprised me nonetheless. It struck me that the problem of cyber security touches our lives more frequently than we care to think about – including when it comes to investments.
Cyber security, cyber crime, cyber threats – whatever label you choose – has grabbed an expanding parcel of 10-K real estate. Since late 2011, the Securities and Exchange Commission has urged companies to spell out the operational and financial risks posed by cyber-attacks in the risk factors section, and to converse with investors in the Management’s Discussion & Analysis (MD&A) section regarding any effects on operating results, liquidity or financial position. Yet investors often tag them as boilerplate disclosures to be shunned: the risk factors section occasionally contains fascinating corporate tidbits, but all too often they’re kitchen sink disclosures presented merely for legal prophylaxis, instead of for informing investors. The cyber-disclosures in the risk factors section usually fall into the kitchen sink category. Cyber-disclosures in the MD&A don’t generally command much more investor attention than those in the risk factors.
Target is an example of a company doing an excellent job in their disclosure of the effects of failed cyber security. They’ve recorded a probable liability stemming from their gigantic 2013 hack incident. Lawsuits and insurance recoveries have led to the development of numbers, the stuff of financial reporting. All of it is after the fact, however, and past events are also the stuff of financial reporting. The cost of Target’s legal exposure due to cyber security is certainly of interest to existing or potential investors, but investors in companies that haven’t been hacked should be wondering about other costs — namely, how is a company spending its resources before becoming the next Target? (Pun unintended.) Hardening the security around data might be the most important capital expenditure a company can make in a new age of cyber-threats, even if it’s not the kind of capital spending that increases earnings.
If companies are spending to improve cyber security, investors might expect to see increases in capitalized software reported in the balance sheet. Companies aren’t required to disclose the nature of their capitalized software, however. Even if there are noticeable increases in capitalized software, investors can’t be sure that they relate to improved data security. Any hardening costs that affect earnings might get rationalized in the quarterly earnings call, but it’s certainly not a trend.
Maybe investors aren’t yet interested in knowing the preventive costs of cyber security. After all, Sony’s infamous November 2014 hack was so crippling that they have been unable to produce their December 2014 quarter-end financial statements, and don’t expect to do so until the end of this month. Investors don’t seem troubled by a lack of current financial information: the stock is up about 26% since the hack.
What, me worry?
Jack T. Ciesielski is president of R.G. Associates, Inc., an asset management and research firm in Baltimore that publishes The Analyst’s Accounting Observer, a research service for institutional investors.