As the corporate and personal losses mount from the recent point-of-sale cyber hacks at Neiman Marcus and Target stores, with the FBI notifying retailers of at least 20 other cases of comparable cyber crimes in the past year, it might be useful to look in the rear-view mirror to gauge whether Target, Neiman Marcus or any other merchant understood just how vulnerable they are to cyber theft losses. Target alone may be subject to nearly $2 billion in liabilities, only about $100 million of which will likely be covered by insurance.
Moreover, not only has the company's stock plummeted, but Target may also have to postpone indefinitely planned stock buybacks. So it's safe to say that Target's cyber breach, at least, is a "material" incident from an investor's standpoint.
As it so happens, the Securities and Exchange Commission (SEC) issued disclosure guidance in 2011 regarding cybersecurity risks and incidents, under which publicly traded companies (Target and Neiman Marcus are both publicly traded) may be obliged under risk reporting requirements to disclose cybersecurity risks and incidents. This guidance is not, technically speaking, a strict requirement, but the SEC does say that "material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures [emphasis added]."
To date, few companies (and really none that can be found by searching the EDGAR database) have reported cyber attacks or breaches that have had material impacts on corporate operations or finances. But virtually every relevant company -- though significantly not all, which is a story for another day -- includes in its 10-K or 10-Q SEC financial reports some kind of discussion stating that a cyber attack could have a material impact on its operations or finances.
Target and Neiman Marcus fall into this category. Here is Target's statement in its most recent 10-K:
If our efforts to protect the security of personal information about our guests and team members are unsuccessful, we could be subject to costly government enforcement actions and private litigation and our reputation could suffer.
The nature of our business involves the receipt and storage of personal information about our guests and team members. We have a program in place to detect and respond to data security incidents. To date, all incidents we have experienced have been insignificant. If we experience a significant data security breach or fail to detect and appropriately respond to a significant data security breach, we could be exposed to government enforcement actions and private litigation. In addition, our guests could lose confidence in our ability to protect their personal information, which could cause them to discontinue usage of REDcards, decline to use our pharmacy services, or stop shopping with us altogether. The loss of confidence from a significant data security breach involving team members could hurt our reputation, cause team member recruiting and retention challenges, increase our labor costs and affect how we operate our business.
A significant disruption in our computer systems could adversely affect our operations.
We rely extensively on our computer systems to manage inventory, process guest transactions, service REDcard accounts and summarize and analyze results. Our systems are subject to damage or interruption from power outages, telecommunications failures, computer viruses and malicious attacks, security breaches and catastrophic events. If our systems are damaged or fail to function properly, we may incur substantial costs to repair or replace them, experience loss of critical data and interruptions or delays in our ability to manage inventories or process guest transactions, and encounter a loss of guest confidence which could adversely affect our results of operations.
And here is the comparable guidance from Neiman Marcus' most recent 10-K:
Material disruption in our information systems could adversely affect our business or results of operations.
We rely on our information systems to process transactions, summarize our operating results and manage our business. Our information systems are subject to damage or interruption from power outages, computer and telecommunications failures, computer viruses, cyber-attack or other security breaches and catastrophic events such as fires, floods, earthquakes, tornadoes, hurricanes and acts of war or terrorism.
To keep pace with changing technology, we must continuously implement new information technology systems as well as enhance our existing systems. The successful execution of some of our growth strategies is dependent on the design and implementation of new systems and technologies and/or the enhancement of existing systems, in particular the expansion of our omni-channel and online capabilities.
The reliability and capacity of our information systems is critical to our operations and the implementation of our growth initiatives. Any disruptions affecting our information systems, or delays or difficulties in implementing or integrating new systems, could have an adverse effect on our business, in particular our Online operation, and results of operations.
A breach in information privacy could negatively impact our operations.
The protection of our customer, employee and company data is critically important to us. We utilize customer data captured through both our proprietary credit card programs and our online activities. Our customers have a high expectation that we will adequately safeguard and protect their personal information. A significant breach of customer, employee or company data could damage our reputation and relationships with our customers and result in lost revenues, fines and lawsuits.
We outsource certain business processes to third party vendors, which subjects us to risks, including disruptions in business and increased costs.
We outsource some technology-related business processes to third parties.
These include credit card authorization and processing, insurance claims processing, payroll processing, record keeping for retirement and benefit plans and certain information technology functions. In addition, we review outsourcing alternatives on a regular basis and may decide to outsource additional business processes in the future. Further, we depend on third party vendors for delivery of our products from manufacturers and to our customers. We try to ensure that all providers of outsourced services are observing proper internal control practices, such as redundant processing facilities; however, there are no guarantees that failures will not occur. Failure of third parties to provide adequate services could have an adverse effect on our results of operations or ability to accomplish our financial and management reporting.
Although these descriptions seem adequate in terms of laying out the risks, SEC staff have flagged similar statements by other publicly traded companies, requesting that the companies modify their statements to provide more detail about whether cyber incidents have occurred and what those incidents entailed.
For example, Walmart was pressed by SEC staff to strengthen its cybersecurity risk language. In June 22, 2012 correspondence with the SEC, Walmart agreed to modify its cybersecurity language, stating:
Each year, computer hackers make numerous attempts to breach the Company's information systems. None of the attempts by computer hackers have resulted in any unauthorized person gaining access to the personal information of the Company's customers, associates or vendors stored on the Company's information systems. In light of these facts, the Company does not believe that such attempts to access that information have previously constituted, or currently constitute, a material risk to the Company's operations, its results of operations or financial condition, or its reputation. Consistent with the Staff's guidance in CF Disclosure Guidance: Topic 2 (the “Cybersecurity Guidance”) that registrants should provide disclosure tailored to their particular circumstances, the Company has not previously disclosed its historical experience with cyberattacks in the risk factor on which the Staff has commented (the “Subject Risk Factor”).
The Company believes the inclusion of the Subject Risk Factor in the Company's Annual Report on Form 10-K is not currently required by Item 503 of the Commission's Regulation S-K or the Cybersecurity Guidance. Nevertheless, in light of recent disclosure trends, the Company included the Subject Risk Factor in its Annual Report on Form 10-K for the year ended January 31, 2012 (the “FY 2012 10-K”) to alert investors that it is possible for the security of the personal information that the Company holds to be breached and to inform investors of the potential consequences of such a breach for the Company. The Company employed the phrase “may be vulnerable” in the Subject Risk Factor to indicate specifically that it is possible that such a breach might occur, not that such a breach had previously occurred or was probable.
In response to the Staff's request that, in the future, certain information be included in the Subject Risk Factor to give context to existing disclosure, and in order to state more plainly the point of the phrase “may be vulnerable,” in the future the Company will modify its risk factor disclosure relating to the risk discussed in the Subject Risk Factor to read substantially as follows:
Any failure to maintain the security of the information relating to our customers, associates and vendors that we hold, whether as a result of cybersecurity attacks or otherwise, could damage our reputation with customers, associates and vendors, could cause us to incur substantial additional costs and to become subject to litigation, and could adversely affect our operating results.
As do most retailers, we receive certain personal information about our customers, and we also receive personal information concerning our associates and vendors. In addition, our online operations at www.walmart.com, www.samsclub.com and other websites depend upon the secure transmission of confidential information over public networks, including information permitting cashless payments. Each year, computer hackers make numerous attempts to access the information stored in our information systems. We maintain substantial security measures to protect, and to prevent unauthorized access to, such information.
As a result of those measures, the past attempts by computer hackers to gain access to the information stored on our information systems have been unsuccessful. Nevertheless, it is possible that computer hackers and others (through cyberattacks, which are rapidly evolving and becoming increasingly sophisticated, or by other means) might compromise our security measures in the future and obtain the personal information of customers, associates and vendors that we hold. Such an occurrence could adversely affect our reputation with our customers, associates, and vendors, as well as our operations, results of operations, financial condition and liquidity, and could result in litigation against us or the imposition of penalties. Moreover, a security breach could require that we expend significant additional resources to upgrade further the security measures that we employ to guard such important personal information against cyberattacks and other attempts to access such information and could result in a disruption of our operations, particularly our online sales operations.
[This paragraph is a quote of what the SEC said to Netflix in an earlier letter, reproduced by Netflix in its correspondence] We note that you derive a significant percentage of revenues from online subscriptions and rely on third-party encryption authentication technology to secure billing data, such as credit card numbers. We also note that you disclose that your services and those of third-parties that you use in your operations are vulnerable to computer viruses, physical or electronic break-ins and similar disruptions which could lead to theft of data. Although you disclose that your website periodically experiences directed attacks intended to cause a disruption in service, you do not provide disclosure about whether you experience the other types of cyber threats that you describe in this filing. Please tell us whether you have experienced attempts to disrupt your internal systems, including unauthorized access to data or theft of data in the past and, if so, whether disclosure of that fact would provide the proper context for your risk factor disclosures. Please refer to the Division of Corporation Finance's Disclosure Guidance Topic No. 2 at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm for additional information.
We respectfully advise the Staff that the risk factor describing “directed attacks intended to cause disruption of service” encompasses interruptions and delays in our service as well as loss, misuse or theft of data. To date these directed attacks have not been of a significant nature. In our 10-K filing for the year ended December 31, 2012, the Company will augment the risk factor by revising as follows:
“Our servers and those of third parties we use in our operations (i) are vulnerable to computer viruses, physical or electronic break-ins and similar disruptions and (ii) periodically experience directed attacks intended to lead to interruptions and delays in our service and operations as well as loss, misuse or theft of data. Any attempt by hackers to disrupt our service or otherwise access our systems, if successful, could harm our business, be expensive to remedy and damage our reputation. The Company has implemented certain systems and processes to thwart hackers and to date hackers have not had a material impact on our service or systems; however, there is no assurance that hackers may not be successful in the future. Our insurance does not cover expenses related to such disruptions or unauthorized access. Efforts to prevent hackers from disrupting our service or otherwise accessing our systems are expensive to implement and may limit the functionality of or otherwise negatively impact our service offering and systems. Any significant disruption to our service or access to our systems could result in a loss of subscribers and adversely affect our business and results of operation.”
A few companies (such as Comcast) have pushed back against SEC staff recommendations and argued against any modification or elaboration of the cybersecurity risk language used in their financial reports.
SEC staff are extremely tight-lipped about discussing cybersecurity guidance, refusing to explain why they flag some corporate filings and not others and whether what is merely guidance today will likely become requirements tomorrow. SEC attorneys and public affairs specialists merely point to the publicly available correspondence on this matter when asked for elaboration.
Some private sector securities attorneys say that the SEC has been quietly itching to step up the pressure and make more detailed cybersecurity disclosures bona fide risk reporting requirements or, barring that, seems interested in engaging in legal battle with companies the regulatory agency believes are not reporting their cyber risks in good faith. Either way, the Target and Neiman Marcus breaches could lead to more public reporting on the cyber risks that corporations increasingly face.
(Photo Credit: Lotus Head from Johannesburg, Gauteng, South Africa under Creative Commons License).