Watchdog Transparency Blog

In our Blog we take a critical look at public company disclosures and focus on issues surrounding transparency, reliability and accuracy. It you are looking for cheerleading, you have come to the wrong place. We rely on information from the best sources available to gain insight into companies and make predictions about what will happen in the future. Nothing in business is certain, so sometimes we will be wrong, but we will always be an independent voice telling you the truth as we see it. We offer Retail Investors our Research Reports for Free.

Sign up to get all of our blogs delivered directly to your inbox.

Cyber Incidents Continue to Rise

by

Cybersecurity incidents experienced a lull in 2020, but are coming back with a vengeance in 2021.

Cybersecurity has gone from a niche concern to a hot topic in the D&O insurance world. A cybersecurity breach can be extremely disruptive to any business, but (adding injury to injury) these breaches can also be the source of damaging class action litigation.

At Watchdog Research we analyze information disclosed by public companies, including information on cybersecurity incidents, Securities Class Action lawsuits, and disclosure controls.

The research presented here relates to Nasdaq and NYSE listed public companies and is derived from our report “Cybersecurity Incidents and Litigation: 2021,” by Joseph Burke, PhD, Joseph Yarborough, PhD, and John Cheffers and primarily based on data from Audit Analytics.

Overview

We began by looking at incidents that occurred at companies listed on the NYSE and Nasdaq over the past ten years, and the growth rate of cybersecurity incidents is alarming:

CyberImage_1.png

Despite concerns that cybersecurity incidents would increase during the pandemic as businesses moved more of their operations online, total reported cybersecurity incidents fell during 2020. However, through July 2021, there have already been 106 reported cybersecurity incidents, putting 2021 on pace for a record breaking year.

If you segregate the companies by size, you can see that risk is most concentrated for large companies. Large companies, those with a market capitalization of $10 billion or more, are the population most at risk for a cyberattack.

CyberImage_2.png

Another interesting development this year is that Ransomware attacks and Unauthorized Access attacks have become much more common in the last few years.

CyberImage_3.png

Cybersecurity Securities Class Actions

A cyberbreach at a company creates all sorts of problems, including litigation. Even though the number of cyber security incidents have increased dramatically, the number of cyber-related lawsuits has not followed suit. As we can see here, the probability that a public company is named as a defendant in a cybersecurity related suit has remained very low.

CyberImage_4.png

Our review of these cases indicates that it is often difficult for the plaintiffs in these cases to allege specific damages based on a mere breach of information.

Additionally, the fact that a company suffered a cybersecurity breach, even a serious one, will not necessarily prove that the company failed to take reasonable cybersecurity measures (see the dismissal of the suit against Marriott).

Disclosure Controls Concerning IT Issues

Under Section 302 of the Sarbanes Oxley Act of 2002 (SOX), public companies must assess and report on their disclosure controls on their quarterly and annual reports. As part of their SOX 302 assessments, companies have increasingly included discussions of information technology (IT) and cybersecurity issues.

CyberImage_5.png

According to Audit Analytics, which gathers and categorizes this information, an IT issue is defined as:

[D]eficient program controls, software programs/implementation, segregation of duties associated with personnel having access to computer accounting or financial reporting records and related problems with oversight/access to electronic data/programs

A disclosure control relating to IT can also be an early warning signal for cybersecurity issues. For example, PayPal has only issued one disclosure control in the last five years, and it was on October 24, 2017 and related to IT issues. On December, 1st, 2017, PayPal revealed that it had suffered a major cybersecurity breach related to their acquisition of TIO. This led to a securities class action suit that was eventually dismissed.

Conclusion

The chance of being involved in a cybersecurity securities class action lawsuit is still relatively low, but it is increasing rapidly. Additionally, the risk profile is far higher for large companies, which are more likely to be a victim of a cybersecurity incident.

Companies are also apparently increasing their scrutiny of their own systems, as the number of companies that have identified IT issues in their disclosure controls has increased significantly over the last decade.

Thankfully, cybersecurity litigation remains relatively rare, despite the increases in attacks. If company boards wish to mitigate their risk of being victimized twice (by hackers and by lawyers), then they need to learn from their successful peers and make wise and strategic decisions.

If you want to learn more about our research or the report this blog is derived from, then please contact jcheffers@watchdogresearch.com. The underlying report is currently available for $499. You can pair this report with a snapshot of the Cybersecurity Incident data ($1500) for $1749.

Watchdog Transparency Blog

In our Blog we take a critical look at public company disclosures and focus on issues surrounding transparency, reliability and accuracy. It you are looking for cheerleading, you have come to the wrong place. We rely on information from the best sources available to gain insight into companies and make predictions about what will happen in the future. Nothing in business is certain, so sometimes we will be wrong, but we will always be an independent voice telling you the truth as we see it. We offer Retail Investors our Research Reports for Free.

Sign up to get all of our blogs delivered directly to your inbox.

Cyber Incidents Continue to Rise

by

Cybersecurity incidents experienced a lull in 2020, but are coming back with a vengeance in 2021.

Cybersecurity has gone from a niche concern to a hot topic in the D&O insurance world. A cybersecurity breach can be extremely disruptive to any business, but (adding injury to injury) these breaches can also be the source of damaging class action litigation.

At Watchdog Research we analyze information disclosed by public companies, including information on cybersecurity incidents, Securities Class Action lawsuits, and disclosure controls.

The research presented here relates to Nasdaq and NYSE listed public companies and is derived from our report “Cybersecurity Incidents and Litigation: 2021,” by Joseph Burke, PhD, Joseph Yarborough, PhD, and John Cheffers and primarily based on data from Audit Analytics.

Overview

We began by looking at incidents that occurred at companies listed on the NYSE and Nasdaq over the past ten years, and the growth rate of cybersecurity incidents is alarming:

CyberImage_1.png

Despite concerns that cybersecurity incidents would increase during the pandemic as businesses moved more of their operations online, total reported cybersecurity incidents fell during 2020. However, through July 2021, there have already been 106 reported cybersecurity incidents, putting 2021 on pace for a record breaking year.

If you segregate the companies by size, you can see that risk is most concentrated for large companies. Large companies, those with a market capitalization of $10 billion or more, are the population most at risk for a cyberattack.

CyberImage_2.png

Another interesting development this year is that Ransomware attacks and Unauthorized Access attacks have become much more common in the last few years.

CyberImage_3.png

Cybersecurity Securities Class Actions

A cyberbreach at a company creates all sorts of problems, including litigation. Even though the number of cyber security incidents have increased dramatically, the number of cyber-related lawsuits has not followed suit. As we can see here, the probability that a public company is named as a defendant in a cybersecurity related suit has remained very low.

CyberImage_4.png

Our review of these cases indicates that it is often difficult for the plaintiffs in these cases to allege specific damages based on a mere breach of information.

Additionally, the fact that a company suffered a cybersecurity breach, even a serious one, will not necessarily prove that the company failed to take reasonable cybersecurity measures (see the dismissal of the suit against Marriott).

Disclosure Controls Concerning IT Issues

Under Section 302 of the Sarbanes Oxley Act of 2002 (SOX), public companies must assess and report on their disclosure controls on their quarterly and annual reports. As part of their SOX 302 assessments, companies have increasingly included discussions of information technology (IT) and cybersecurity issues.

CyberImage_5.png

According to Audit Analytics, which gathers and categorizes this information, an IT issue is defined as:

[D]eficient program controls, software programs/implementation, segregation of duties associated with personnel having access to computer accounting or financial reporting records and related problems with oversight/access to electronic data/programs

A disclosure control relating to IT can also be an early warning signal for cybersecurity issues. For example, PayPal has only issued one disclosure control in the last five years, and it was on October 24, 2017 and related to IT issues. On December, 1st, 2017, PayPal revealed that it had suffered a major cybersecurity breach related to their acquisition of TIO. This led to a securities class action suit that was eventually dismissed.

Conclusion

The chance of being involved in a cybersecurity securities class action lawsuit is still relatively low, but it is increasing rapidly. Additionally, the risk profile is far higher for large companies, which are more likely to be a victim of a cybersecurity incident.

Companies are also apparently increasing their scrutiny of their own systems, as the number of companies that have identified IT issues in their disclosure controls has increased significantly over the last decade.

Thankfully, cybersecurity litigation remains relatively rare, despite the increases in attacks. If company boards wish to mitigate their risk of being victimized twice (by hackers and by lawyers), then they need to learn from their successful peers and make wise and strategic decisions.

If you want to learn more about our research or the report this blog is derived from, then please contact jcheffers@watchdogresearch.com. The underlying report is currently available for $499. You can pair this report with a snapshot of the Cybersecurity Incident data ($1500) for $1749.

© 2020 Watchdog Research, Inc. All rights reserved.
Watchdog Transparency is a publication based on reports created by Watchdog Research, Inc.
Watchdog Research, Inc. is a financial research company providing due diligence information on public companies.

@WatchdogRsrch    |     rss