
Analysis of SEC Cyber Disclosures

  • Jun 6, 2024

This analysis was prepared by Jacob Richards and includes disclosures from January 1, 2024 to May 1, 2024.



Opening Remarks

From January 1st to May 1st, we analyzed 19 cyber disclosures. 4 out of the 19 cyber disclosures had a disclosure date that was prior to the 2024 year. Most of the disclosures lacked specific details that could be used to inform X-Analytics, such as incident severity (including record volume and duration), incident costs (including direct, indirect, and opportunity costs), and other relevant details.


Key Findings & Analysis

United Healthcare: In February 2024, this massive healthcare and well-being company suffered a newsworthy ransomware attack. The attack directly impacted Optum Insight.

  1. Associated business disruption: United Healthcare reported that this incident caused $279m of business disruption within Optum Insight.

  2. Associated direct response: United Healthcare reported direct response costs of $230m for United Healthcare, $138m for Optum Health, and $225m for Optum Insight. Direct response total was $593m.

  3. Total cost: Combining the business disruption and direct response costs, the total cost is $872m.

  4. Perspective: Even with the cyber attack costs, Optum Insight had an adjusted operating margin of 15.9%, which was still the best adjusted operating margin when compared to all other business units.

  5. Perspective: The cost of this cyber incident is 0.9% of annual revenue.

  6. Perspective: Despite the cyber attack, United Healthcare returned $4.8b to shareholders in the first quarter through dividends and share repurchases.

LoanDepot: In Jan 2024, this nonbank holding and lending company suffered a large data breach.

  1. Records: 16.9 million personal records were taken in this breach.

  2. Response of Company: They offered customers credit monitoring and identity protection services at no cost to them.

  3. Cost of Breach: LoanDepot estimated this event would cost them $12-$17 million in expenses, not accounting for future lawsuits.

  4. Materiality: LoanDepot claims this incident is material during the first quarter of 2024; however, they claim that it is immaterial for the full year 2024.

  5. Perspective: If the incident cost $15 million, this event would be 1.54% of the annual revenue of 2023.

Fidelity National Financial (FNF): In Nov 2023, this title insurance and settlement services provider suffered a large data breach.

  1. Records: This data breach contained 1.3 million customer records and FNF did not specify what types of records were taken.

  2. Response of Company: After the incident, FNF is providing credit monitoring and identity theft services to customers.

  3. Materiality: FNF reported that this event was not a material event for their company.

  4. Total Cost: Unknown, not accounting for future lawsuits.

  5. Perspective: Despite having this breach, FNF had an annual revenue of $11.75 billion for the 2023 year.

  6. Perspective: All the rules of reporting set by the SEC have been followed, and since this was considered non-material by FNF, later reports will happen when major items like lawsuits occur.



Closing Comments

These are only a few of the cyber incidents that happened this quarter. It is somewhat difficult to gauge the severity (and/or materiality) of cyber incidents. We want to provide a factual look at these events so the reader can create their own opinions regarding these matters.

 

