Data security and breach prevention ranks low as a risk factor for most big technical companies, according to new research that identifies the most widespread concerns among the 100 largest U.S. public technology companies. The research, released by BDO, a professional services firm, examines the risk factors listed in the fiscal year 2009 10-K SEC filings of the companies; the factors were analyzed and ranked in order by frequency cited.
Among security risks, natural disasters, wars, conflicts and terrorist attacks were cited by 55 percent of respondents as a risk concern and was 16th on the list, much higher than breaches of technology security, privacy and theft, which was mentioned by 44 percent of the companies, putting it at 23rd on the list. Aftab Jamil, leader of the Technology Practice at BDO, said he thought business continuity was driving worries about risks like natural disasters and conflicts.
"I think it has to do not only with the general difficulty one might encounter as result, but also, at the end of the day, what they are concerned about is business continuity," he said. "Can they get back on their feet relatively quickly? If you in the path of a hurricane or an oil spill, can you keep your business going?"
Accounting, internal controls and Sarbanes-Oxley compliance is the 18th largest risk factor this year, according to the list. Jamil pointed to fears of market backlash or perception that could arise as a result of mistakes in complying with the regulations.
"The core risk for companies is, should they have catastrophic failure on their part; be it fraud or error or misapplication of GAAP accounting rules, eventually if this leads to restatement of historical financials, there is not only the cost involved in handling that, but, more than that, there is market perception of what is going on," said Jamil. "The taint that your reputation might suffer because of that is huge. It's so easy to lose shareholder value because market reaction might be so negative to any issue that may arise."
However, despite its appearance in the top twenty, accounting, internal controls and Sarbanes-Oxley compliance fell in rank this year, likely reflecting the increased maturity of those regulations, said Jamil.
While breaches of technology security, privacy and theft was only at 23rd on the list, it was a slight increase over last year, when 30 percent mentioned security breaches as a risk. (See Data Breach Disclosure Law, State by State.) Jamil said he was still surprised by its lower ranking.
"Given all that is going with media attention being given to this issue, I thought it would inch up higher," he said. "It would not surprise me if this particular risk factor becomes more prominent in future years. It's not top-twenty, but it's not far off from it either."
One of the most dramatic increases, he said, was in companies' concerns associated with properly executing corporate strategies, with 68 percent citing it, opposed to only 27 percent in 2009. Jamil estimates that business strategy concerns and other forces affecting companies as a result of current economic conditions may be what keeps data security concerns lower on the list.
"Companies really this year focused on executive of strategy because, as we all try to dig ourselves out of this financial hole we've been in these last two years, the focus really has been "What is it I can do to get out of this?" That overshadows a lot of other things. People will start to focus on it more when business fundamentals are on firmer ground and companies start examining from an enterprise risk standpoint where they stand." In line with the previous two years, strong competition ranked as the leading risk factor with 94 percent mentioning it. Failure to develop or market new products/services tied for the top spot at 94 percent, up from 91 percent in 2009. General economic conditions were more of a concern post-recession, rising to 93 percent from 85 percent last year and only 73 percent in 2008.
Intellectual property infringement was the tenth-top concern, with 74 percent of firms citing it.
"In tech companies, the risk of litigation regarding patent infringement is very high," explained Jamil. "As businesses become more global, not all jurisdictions where these companies do business will have robust legal protection against that. In the U.S., there is a lot of legal protection. But despite that, those patent infringement issues are always right around the corner. You never know when you are going to get hit with someone claiming that you have infringed their patents. Or you find your product is suffering because someone has abused your patent rights. To tech companies, their IP is everything."