Cybersecurity, Espionage Biggest Threats to U.S. Public Companies


Collecting, storing and using personally identifiable information (PII) is a very profitable enterprise. Companies such as Facebook Inc. and Alphabet Inc.’s Google have made billions off monetizing consumer information. 

However, Yahoo! Inc. may be the poster child for how a consumer-facing company could potentially lose those earnings due to data breaches. Yahoo now faces multiple federal, state and international lawsuits stemming from the breach. Verizon Communications Inc.’s deal to buy Yahoo has also come into question post-breach.

Will Yahoo also face derivative shareholder litigation for not disclosing earlier the risk of a data breach, which the company has known about since 2014?

The U.S. Securities and Exchange Commission requests most public companies to disclose risk factors through their annual filing, Form 10-K. In the annual report, public companies must disclose significant risk factors such as employment, logistical, infrastructure and other issues that may negatively impact the company.

Although not explicitly required, some companies have used their annual reports to disclose cybersecurity risk factors. The SEC has said in guidance that cybersecurity incident disclosures aren’t required by law, but that it is advisable to include this information if it impacts a company’s financial condition or anticipated legal proceedings. Companies have filed 140 annual reports that include “cyber, cybersecurity, data breach or data security” as risk factors, Bloomberg Law data show.

According to a recent study by the International Association of Privacy Professionals, companies that have disclosed perceived data security or privacy risks say that cybersecurity concerns (89 percent) and corporate espionage (54 percent) are the biggest threats to the company. The report went through 10-K filings for companies ranked in the Fortune 150 list. 

However, companies are more worried about losing personally identifiable information (PII) than about losing trade secrets, health data and other confidential information, the report said. The report found that 70 percent of companies cited PII as a major risk factor for investment, while only 11 percent of companies listed protected health information (PHI) as a concern for investors.

Yahoo’s fate is still unclear, but the company did release information on the data breach in its quarterly filing, Form 10-Q. As cyberattacks become the norm for U.S. companies, it is almost certain that companies will be using the SEC’s Form 10-K to help avoid potential shareholder litigation.
