- 52% of Fortune 500 now include privacy risk in 10-K reports
- The privacy team plays a key role in assessing and reporting data privacy risks
- According to a recent PwC survey, organizations are taking privacy risks more seriously than ever
Read more below.
To Understand Data Privacy Risks, Ask the Privacy Team
In a recent blog, privacy advisor and expert Jay Cline reported that over half of major, publicly-traded American corporations are now including privacy risks in their annual 10-K reports to the U.S. Securities and Exchange Commission (SEC).
A PwC study found that 52% of Fortune 500 companies included discussion of privacy-related risks in their disclosures to prospective investors, including language about regulations such as HIPAA, GDPR, and the California Consumer Protection Act (CCPA), as well as language related to cybersecurity.
The SEC requires companies to report “any and all risks to the business” in a mandatory 10-K annual report, and it’s appropriate that businesses and investors take data privacy risks as seriously as they do market volatility and competition. Recent years have seen new cyber threats plus new regulations with increased penalties for non-compliance.
New laws such as CCPA are also widening definitions of personal information, increasing the potential for data breaches, and granting individual rights of action for non-compliance. And, as mentioned in Incidents, Breaches, and the Human Factor, there are the direct business risks: 6 months after a breach, the median loss to a company was 5% of the stock value, and of the companies that did suffer losses after a breach, 76% were still losing after two years.
But how can a company assess those risks and report them accurately? What steps can a company take to reduce privacy risk? The privacy team has an important role to play.
Ask the Experts: The Privacy Team Has the Tools and Expertise
Cline recommends that corporate leadership teams regularly assess and communicate data privacy risks so that they can manage them proactively. At a minimum, he says the process should include:
- Modeling worst-case data privacy breach and enforcement scenarios for the CFO, to guide investments in both business insurance and the data privacy program
- Including a data privacy update in each Board meeting
- Providing an annual data privacy assessment or status to the Board in advance of the 10-K filing
The privacy team can support these efforts in several ways:
- By tracking benchmarks, incident metrics, and KPIs, the privacy team can identify emerging risks and privacy gaps and provide data to guide investments in privacy and data security. They can also show the effectiveness of mitigation efforts, providing positive data for the 10-K and annual reports.
- Regular reports to the executive team can surface emerging privacy risks quickly and give executives visibility into issues or needs that should be escalated to the board.
- The privacy team is critical to modeling a data privacy worst-case scenario. Ideally, the team has worked with IT/info security to create and maintain data maps, so they know where sensitive data exists, how it’s used, and how it’s protected. They should also have an automated incident response platform that can provide up-to-date risk assessment across all applicable jurisdictions and data sets.
Armed with these tools and their in-depth understanding of the organization’s privacy risks and requirements, the privacy team can conduct tabletop exercises to assess the most likely worst-case scenarios, providing valuable insights to executive decision-makers.
Measurement + Action = Protection
Current and potential investors want to see good news in an annual report, and that is where the privacy team’s contribution can make a business shine. The good news for privacy teams right now is that organizations are taking data privacy risks more seriously than ever before.
A 2021 PwC CEO survey found that 42% of US CEOs ranked cyber and data privacy second among 11 areas of impact and wanted to do more to measure these threats.
Of CEOs surveyed, almost half (48%) planned to increase investments in cybersecurity and data privacy by up to 9% over the next three years, and 30% planned to increase investments by 10% or more.
Good news happens when risks are not only anticipated but addressed. By providing metrics and insights to guide data privacy investments, mitigating risks, and closing privacy gaps, a privacy team can help ensure that their organization has good news to report.
And if there are tools or other resources that would help the privacy team be more effective in meeting those risks, now is the time to make the case, while executives are in a spending mood.