Last week, a cyberattack on Facebook compromised the accounts of 50 million users—one of the most significant cybersecurity lapses in the company’s history. As a result, Facebook’s stock fell by over 5% in three days.
How do investors assess the cash flow implications of such an attack? They look at what companies disclose about these threats, which is next to nothing.
When you look at Facebook’s latest 10-K (a report summarizing a company’s financial condition), for example, the word “cyber-attack” appears only four times, and almost all of the disclosures related to Facebook’s vulnerability and readiness for such an attack are boilerplate and uninformative.
While the Securities and Exchange Commission earlier this year issued guidance “to assist public companies in preparing disclosures about cybersecurity risks and incidents,” we believe these guidelines do not go far enough. The SEC should require public companies to disclose the following data points:
- Company policy on cybersecurity and the implementation of that policy. Commentary on the company’s general approach toward cybersecurity would provide insights into the riskiness of the company, based on what it tells us and what it chooses to stay silent about.
- Information technology (IT) infrastructure. It is imperative to ask a company to clearly disclose the nature of its IT infrastructure. For example, is the infrastructure located on the company’s premises, or is it outsourced? And what is the dollar budget devoted to that infrastructure? The budget, as compared to the total revenue of a business, will give investors a sense for whether the firm under-invests in such infrastructure. We recommend disclosure on both hardware and software spending for the business, including data on personnel and training, and specific disclosure of the cybersecurity budget. If any material portion of the IT infrastructure is outsourced, the company should disclose the vendors and provide an outline of the services provided by such vendors. The idea is to be able to create comparable ratios in industries to identify companies that under-invest in this area. Disclosure on cybersecurity training is especially important, because 90% of cyberattacks exploit preventable human mistakes.
- The daily value of business interruption. If an automotive company produces 120,000 cars per year and the revenue per car is $10,000, the daily revenue lost by a cyberattack to its factory that relies heavily in robotics would be around $3.3 million. Skeptics might wonder whether revealing this would represent an open invitation to hackers to go after a company. We counter-argue that hackers are already aware of high-value targets. Better disclosures about, at least, the ranges of daily value of business interruption would reduce investors’ estimation risk associated with evaluating the cash flow loss from an attack.
- Continuity planning. A continuity plan identifies all of the critical information an organization needs to continue operating during an unplanned event, such as a cyberattack or natural disaster. The plan then identifies systems and processes that must be sustained and details how the company plans to keep these going.
What stops companies from being more forthcoming about their exposure to cyber risk? One answer, of course, is the fear of litigation. We propose that the SEC follow the precedent set in this regard by the Year 2000 (Y2K) Information and Readiness Disclosure Act, which read, in part, as follows:
“In enacting this legislation, Congress found that (i) the Year 2000 computer problem, if not effectively addressed, could severely adversely affect the Nation’s economy and critical infrastructure, and (ii) concern about liability arising from disclosure and exchange of Year 2000 information is impeding the ability of both government and the private sector to address the Year 2000 problem. The Act’s purpose is to create a safe harbor for the disclosure and exchange of Year 2000 information by (i) limiting liability in civil actions for such disclosure and exchange of information, and (ii) creating a temporary and narrowly tailored exemption from federal and state antitrust laws for such disclosure and exchange of information.”
Simply replacing references to the Year 2000 problem with cyberattacks would encourage companies to more willingly share information with investors about cyber exposure so that systemic risk could be detected and addressed in a timely manner.
For instance, Amazon Web Services (AWS) is clearly a systemic risk. But we currently have no idea how many public (and private companies) are hooked into AWS, and what the cumulative dollar value of business interruption for companies reliant on AWS might be. A vulnerable API from a relatively small startup company on AWS has the potential to bring down electronic commerce in a large part of our economy.
Voluntary disclosure about cyber exposure is clearly not working. It is time for the SEC to step in and mandate dollar disclosures related to cyber risk exposure. Our financial security depends on it.
Bugra M. Gezer is the founder and CEO of Cyber Rate. Shiva Rajgopal is the Kester and Byrnes professor at Columbia Business School, and a Chazen senior scholar at the Jerome A. Chazen Institute for Global Business.