Welcome to the age of cyber insecurity

For decades, corporate assets could reliably be counted as such balance sheet staples as buildings, equipment, and inventory.

General Electric Co., for example, one of the oldest and best known U.S. companies, presents on the balance sheet its assets as cash and equivalents; investments; property plant and equipment; accumulated amortization; and inventory. Two other items get somewhat less attention, but they are also important — goodwill and intangible assets.

The legions of financial analysts who study public companies financial statements could factor in these types of tangible and intangible assets in their models and their considered judgments in determining future share price valuation.

As we enter the era of the Internet of Things, and the rapid expansion of various digitized corporate assets, it increasingly is the series of ones and zeros that could make up very significant assets of publicly traded companies. Big Data, a company’s internal resources with complex customer information, is intellectual property and at the heart of the asset base for many content provides, such as movie studios and publishers. How is a financial analyst, portfolio manager, or even the corporation that owns the assets to evaluate them?

What about goodwill and intangibles? What happens when the company's digitized assets are attacked, stolen, damaged, or compromised by deliberate or perhaps inadvertent means? What is the real effect on the balance sheet... and in turn, on the total valuation of the enterprise in the shareholder base portfolios? What is the material news to be communicated to key audiences?

Welcome to an age of great uncertainty for managements and boards, with a growing variety of known and unknown perils that could and quite often do affect the assets of all businesses.

Regarding the security of Big Data, one expert recently observed that is not a matter of if a company's valuable digital assets have been breached, it is a matter of whether the corporate managers know or not that they have already been violated.

How should companies disclose the materiality of the attack? One of the significant hacks on U.S. business was against Target Corp. The attack was revealed to the public in December 2013, at the peak of the Christmas shopping season. Target's digital assets were invaded over several days' time. The company apparently was unaware of the hacking at first, and then responded to media, investors, and customers with a statement Chairman, CEO, and President Gregg Steinhafel posted on the company web site:

  • “As you have likely heard by now, Target experienced unauthorized access to payment card data from U.S. Target stores. We take this crime seriously. It was a crime against Target, our team members, and most importantly you — our valued guest. We understand that a situation like this creates stress and anxiety about the safety of your payment card data at Target. Our brand has been built on a 50-year foundation of trust with our guests, and we want to assure you that the cause of this issue has been addressed and you can shop with confidence at Target.”

The unauthorized access took place between November 27 and December 15, 2013. The challenge to senior management: What to communicate as material to key stakeholders and how to update customers and others. The retailer’s management began to communicate via its web sites and social media channels.

By February 18, 2014, the CEO was communicating more broadly via an open letter in major U.S. newspapers that a new coalition had been formed to educate the public on the danger of scams. Three organizations teamed up in the effort: the National Cyber-Forensics and Training Alliance, National Cyber Security Alliance, and Better Business Bureau, and Target invested $5 million in the coalition’s multiyear campaign.

In March 2014, Target joined the Financial Services Information Sharing and Analysis Center, a not-for-profit initiative developed by the industry to "help facilitate the detection, prevention and response to cyber attacks and fraud activity." Target Bank, a federally regulated entity, is part of the company's financial operations and the unit became a member of the center.

On the same day Target joined the center, the media headlines read: “Target CEO Out; Board Has New Focus on Cyber Attacks.” The important insight for all CEOs and directors: Data breaches can now cost the CEO and C-suite occupants their jobs. Target’s CEO had been at the company three decades, but the long tenure was not enough to save his job. The conclusion of governance experts in the many post mortems was that Target’s CEO was too slow beefing up the company's cybersecurity efforts, especially at cash registers in its stores.

The Target hackers got vital information on at least 40 million credit card numbers and millions more personal addresses, telephone numbers, and other personal information. What was the real cost to Target as the damage was assessed?

As the risks were clarified, the National Association of Corporate Directors (NACD) convened a senior level summit on cyber risks for directors and senior executives in Chicago.

The Target attack was not an isolated incident. The Heritage Foundation examined cyber attacks on U.S. companies from November 2014 to November 2015 and questioned many companies about their ability to safeguard their most valuable information and digital assets. The report said there were 160 successful attack per week for U.S. companies, three times the 2010 average of 50 per week.

Heritage saw the 2015 cost of cyber crime among companies in the energy, finance, utilities, and defense and aerospace industries at $6.5 million on average. The maximum cost for a U.S. company in the period was calculated at $65 million. The companies included in the study included Forbes Media LLC, Sony Corp.’s Sony Pictures Entertainment, Staples Inc., Uber Technologies Inc., Premera Blue Cross, United Continental Holdings Inc., Trump International Hotels Management LLC, Experian plc and Scottrade Inc.

Is the business community doing enough to protect the valuable intangibles — Big Data and other digitized assets in the era of the Internet of Things? The cybersecurity firm CyberEdge, in its 2016 "Cyberthreat Defense Report" shared the information that one-in-four of the 1,000 security professionals queried doubt their organization has invested enough in computer-related defenses. Mobile devices and social media apps are seen as the weakest links. More than two-thirds of organizations are planning to replace or enhance their endpoint security tools. What is the greatest inhibitor to corporate defenses? Employees, who in general have low security awareness, followed by "too much" data for IT teams to analyze.

What about disclosure of cyber attacks by publicly traded companies that have been hacked? Joseph Masterson, a specialist in corporate governance law at the Milwaukee office of Quarles & Brady LLP, said in a published perspective on cybersecurity: “Since October 2011, the SEC has encouraged or required public companies to adopt and apply best practices to respond to data security incidents. The SEC’s cybersecurity guidance covers risk factor disclosure requirements, financial statement, and the disclosures companies must make in the management discussion and analysis section of their regulatory filings.”

"This emphasis has resulted in cybersecurity becoming one of the top corporate governance, disclosure and risk management issues among U.S. companies," Masterson said.

Hank Boerner is the former head of communications of the New York Stock Exchange, where he advised managements of listed companies on their NYSE rules and best practices for timely and fair disclosure. He is chairman of the Governance & Accountability Institute in New York City, a research and corporate advisory firm. email: hboerner@ga-institute.com

For more information on this topic, or to learn how Baker Tilly cybersecurity specialists can help, contact our team.

We have partnered with Thomson Reuters to issue our monthly Accounting insights. Please feel free to contact Baker Tilly at accounting@bakertilly.com if you have any questions related to these articles or Baker Tilly's Accounting and Assurance Services. © 2016 Thomson Reuters/Tax & Accounting. All Rights Reserved.