Sunday, March 23, 2008

Justifying Digital Security via 10-K Risk Factors

I'm a shareholder in Ball Corporation, thanks to the compensation plan I joined as an employee many years ago. Last week I received the company's 10-K in the mail. I thought about my last reference to the Form 10-K in my post CIO Magazine 20 Minute Miracles and Real Risks. I wondered whether any of the Risk Factors in the 10-K could be used to justify a digital security program.

Let's look at each of them. If you're not familiar with Ball, it's mainly a manufacturer of packaging products, although one segment is an aerospace company (where I worked).

  1. The loss of a key customer could have a significant negative impact on our sales... [Our] [c]ontracts are terminable under certain circumstances, such as our failure to meet quality or volume requirements... The primary customers for our aerospace segment are U.S. government agencies or their prime contractors... Our contracts with these customers are subject to several risks, including funding cuts and delays, technical uncertainties, budget changes, competitive activity and changes in scope. For this risk factor, a digital attack upon the manufacturing process could cause customers to turn elsewhere. Should a defense contractor lose faith in Ball's security measures, it may source defense products and services elsewhere.

  2. We face competitive risks from many sources that may negatively impact our profitability... Our current or potential competitors may offer products at a lower price or products that are deemed superior to ours. There is no clear link to digital security here, as this risk factor is fairly vague itself.

  3. We are subject to competition from alternative products, which could result in lower profits and reduced cash flows. There is no clear link to digital security here either.

  4. We have a narrow product range, and our business would suffer if usage of our products decreased. Same.

  5. Our business, financial condition and results of operations are subject to risks resulting from increased international operations... This sizeable scope of international operations may lead to more volatile financial results... Reasons for this include, but are not limited to, the following: 1) political and economic instability in foreign markets; 2) foreign governments’ restrictive trade policies; 3) the imposition of duties, taxes or government royalties; 4) foreign exchange rate risks; 5) difficulties in enforcement of contractual obligations and intellectual property rights; and 6) the geographic, language and cultural differences between personnel in different areas of the world. This item could also have listed exposure to economic espionage through foreign nationals hired at overseas plants.

  6. We are exposed to exchange rate fluctuations. This is purely a business concern.

  7. Our business, operating results and financial condition are subject to particular risks in certain regions of the world... We may experience an operating loss in one or more regions of the world... Moreover, overcapacity, which often leads to lower prices, exists in a number of regions. The economic espionage aspect could fit here as well.

  8. If we fail to retain key management and personnel, we may be unable to implement our key objectives. Poor personnel management increases the likelihood of insider attacks, and poor handling of terminated personnel could result in IP loss.

  9. Decreases in our ability to apply new technology and know-how may affect our competitiveness. This is the closest we get to seeing technology mentioned as a business risk. Here the risk is failure to use technology, not failure to protect the data that technology handles.

  10. Bad weather and climate changes may result in lower sales. This is purely a business worry.

  11. We are vulnerable to fluctuations in the supply and price of raw materials. Same.

  12. Prolonged work stoppages at plants with union employees could jeopardize our financial position. The disgruntled insider is a possibility here, along with digital activism via DoS or defacement or even phishing.

  13. Our business is subject to substantial environmental remediation and compliance costs. This is mainly an environmental issue, although Ball is subject to various laws with digital security implications.

  14. There can be no assurance that any acquisition, including the U.S. Can and Alcan businesses, will be successfully integrated into the acquiring company. Acquisitions have historically been problematic for IT and security. An acquired company could already be compromised, or its network could become an easy conduit for compromise once it is connected to the acquirer's.

  15. If we were required to write down all or part of our goodwill, our net earnings and net worth could be materially adversely affected. Business only.

  16. If the investments in Ball's pension plans do not perform as expected, we may have to contribute additional amounts to the plans, which would otherwise be available to cover operating expenses. Same.

  17. Our significant debt level could adversely affect our financial health and prevent us from fulfilling our obligations under the notes issued pursuant to our bond indentures. Same.

  18. We will require a significant amount of cash to service our debt and fund other investment opportunities. Our ability to generate cash depends on many factors beyond our control. Same.

  19. We are subject to U.S. generally accepted accounting principles (U.S. GAAP), under which we are often required to make changes in our accounting and reported results. Same.


Overall, the great majority of the risks that business people really care about do not have much to do with digital security. However, several of them do, and several more could. "Alignment" of IT with business objectives is an often-cited mantra. Perhaps digital security could try aligning itself with the risk factors in the company's 10-K?

3 comments:

ntokb3 said...

Richard,

I think you may have missed one of the most important arguments for a digital security program. Risk #15 talks about "goodwill", which in the context of a 10-K refers to the premium paid above book value (material assets value) for an acquisition. Included in goodwill is intellectual capital, reputation, etc. It's the reason that a consulting firm (for instance) is worth more than the value of its laptops.
In industry, it's almost impossible to protect certain trade secrets legally. If Ball buys ABC Corp. and pays $10 million when the value of the physical assets is only $1 million, then $9 million in goodwill is recorded as an asset, thus increasing Ball's value by $10 million. Now say that the secret to the cutting-edge manufacturing process that came to Ball through the purchase is leaked to the public domain through a publicized breach. Well, assuming that a large part of the justification given to investors for buying ABC Corp. was to acquire that intellectual capital, Ball may be required to write down (record as an expense) a portion of the goodwill paid for ABC Corp. This would have a negative material (financially significant) impact on the company's valuation (net earnings and net worth from #15) and therefore its stock price, because it will then look like it overpaid for ABC Corp.
The payments made during mergers and acquisitions put a dollar value on the data assets and reputations that we protect. When presenting cases to management, information security practitioners need to be familiar enough with financial terms and accounting rules to justify their proposals in terms that management understands.

Richard Bejtlich said...

ntokb3, that is a good comment!

Richard Bejtlich said...

One of you posted the following: MARRIOTT INTERNATIONAL, INC.:

Technology, Information Protection, and Privacy Risks

That is great!