An analysis by audit firm BDO of the incidence of disclosure of various risk factors among tech companies over five years reflects increased emphasis on security breaches, the impact of M&A (including goodwill impairment) and accounting and internal control compliance as key issues affecting the industry. Regulatory concerns and competition continue to hold top spots on the list of the top 25 risk factors.

BDO examined and analyzed the risk factors reported in Forms 10-K filed over the years 2012 to 2016 by the 100 largest (by revenue) public U.S. technology companies and ranked the risk factors in order of frequency cited.

Not surprisingly, cybersecurity and the threat of security and privacy breaches and technology theft appeared in every 10-K, compared with only 71% in 2012. Data breaches are problematic not simply because of stock price impact, which BDO describes as typically short-lived, but more because “long-term reputational and legal consequences can have a heavy financial toll.” Interestingly, the report indicates that the “tech industry accounts for just 2.6 percent of total reported data breach incidents since 2010, according to TrendMicro data, although it’s important to note that this excludes incidents where public disclosure isn’t required. Personally Identifiable Information (PII) is the most popular record type stolen, so it stands to reason that B2B technology companies would be less frequently targeted than consumer-facing industries like banking and healthcare. The per capita cost of a data breach in the tech industry is also on the lower end, averaging $127 compared to the overall mean of $154, data from the Ponemon Institute shows.” According to this article in CFO.com reporting on the BDO analysis, a greater risk in the tech industry is the threat of theft or misuse of intellectual property, which a BDO representative suggests “‘can erode [company value] quickly and significantly’”

Related to cybersecurity are risks cited in connection with suppliers, vendors, distributors and partners/alliances, which appeared in 92% of 10-Ks in 2016, compared with 88% in 2012. As CFO.com observes, “many technology firms are exposed to risks that their products will contribute to breaches suffered by their customers.” BDO indicates that although “vendor risk extends far beyond cybersecurity, the majority of cybercrime is carried out via third parties. The risk for the tech industry is twofold: technology companies often outsource a number of key business and operational functions that, lacking the proper oversight and controls, may be vulnerable endpoints in the network; and many tech companies are also service providers to other user entities and, depending on contract terms, may be held liable or become embroiled in a lengthy and expensive data breach lawsuit.” Another cybersecurity-related risk is the ability to maintain or implement effective operational infrastructure, including information technology, which was cited as a risk in 81% of 10-Ks in 2016, compared with 73% in 2012. According to BDO, a “failure in security or a technical glitch that throws operations offline can erode trust and have lingering reputational impact, particularly in an industry like tech where data integrity and security are part of the organization’s value proposition.” Consistent with these heightened concerns, over half of the industry increased spending on cybersecurity in 2015, according to a recent BDO study.

The incidence of risks related to management of M&A transactions and divestitures increased from 88% in 2012 to 98% in 2016. According to CFO.com, a “leading cause of that shift is accelerating merger-and-acquisition activity in several technology subsectors.” Risks that may be ancillary to M&A activity also appeared more frequently. For example, goodwill impairment was a risk factor in 73% of 10-Ks in 2016 as compared with only 31% in 2012. Loss of a major customer appeared as a risk factor in 61% of 10-Ks in 2016, but was not even rated as a risk factor in 2012. As discussed in CFO.com, that change was also the result of an increase in tech M&A, as the sale of key customers has the potential to jeopardize those accounts.

Sharing the top spot on the list of risk factors is regulatory risk, which appeared in all of the 10-Ks in 2016 (up from 98% in 2012). In addition to regulations related to cybersecurity, there have been significant tax and accounting changes, and potential policy and regulatory changes could result from the approaching election. The incidence of risks related to accounting, internal controls and compliance standards increased from 69% in 2012 to 83% in 2016, reflecting in part, BDO observes, the imminent need to implement the new revenue recognition standard as well as tax rules related to inversions and “earnings stripping.” Moreover, according to BDO, the PCAOB “has stepped up its scrutiny on internal control procedures and testing, following a significant rise in tax and financial reporting control deficiencies over the last few years. In addition, the Financial Accounting Standards Board has announced a number of Accounting Standard Updates that technology companies are in the early stages of implementing. Although the new revenue recognition standard was announced in 2014, 31 percent of tech CFOs are still trying to understand the changes….” Similarly, risks concerning compliance with FCPA, anti-bribery and other anti-corruption laws were not even rated in 2012, but in 2016, appeared in 58% of 10-Ks. The frequency of risk disclosure in connection with loss or regulation of government contracts or incentives increased from 25% of 10-Ks in 2012 to 57% in 2016, reflecting concerns regarding increased competition for government contracts and budget cuts, according to BDO.

The frequency of risks related to competition and pricing pressures held relatively steady, appearing in 98% of 10-Ks in 2016, down from 99% in 2012. The risk of failing to accurately predict customer demand or successfully innovate (the incidence of which decreased slightly from 91% in 2012 to 90% in 2016) remained high, but curiously, the percentage of 10-Ks with risks related to failure to develop new products and services decreased significantly from 93% in 2012 to 83% in 2016. In addition, according to BDO, “[s]peaking to innovation as a competitive differentiator, 50 percent cite risks related to entering into new markets and product diversification, up 14 percentage points year over year.” The need to attract and retain skilled employees appeared as a risk in 91% of 10-Ks in 2016 compared with 82% in 2012, as the “war for top tech talent continues to heat up as the industry faces an ongoing shortage of skilled tech workers and a tough hiring environment.” Compounding these challenges, BDO reports, 75% “cite labor concerns, including the rising cost of healthcare and employee benefit plans,” compared with only 56% in 2012.

For obvious reasons, the prevalence of risks related to natural disasters, war and terrorist attacks remained high at 90% in 2016, compared to 88% in 2012. Threats to international operations and sales also ranked high at 96% in 2016, compared with 85% in 2012.