TL;DR: One year after a major cyber attack, we still do not know much about Anthem’s cyber risk mitigation.
One year ago this month, health insurer Anthem Inc. (NYSE:ANTM) reported that the data of millions of customers had been compromised in a sophisticated cyber attack. The company reported in its FY2015 10-K filing:
“The attackers gained unauthorized access to certain of our information technology systems and obtained personal information related to many individuals and employees, such as names, birthdays, health care identification/social security numbers, street addresses, email addresses, phone numbers and employment information, including income data. To date, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes, were targeted, accessed or obtained, although no assurance can be given that we will not identify additional information that was accessed or obtained.”
ESG Spotlight: Privacy and Data Security
How has the company dealt with this issue to date? Anthem reports that it has carried out the following:
- Continued to implement security enhancements.
- Supported federal law enforcement efforts.
- Established contingency plans and insurance plans for expenses and potential liabilities.
The attack on Anthem was one of the largest in the health insurance industry in terms of the number of people affected, and yet the information that the company has shared to date is woefully inadequate. For one, the company has not disclosed the actual cost of the data breach. Anthem reported:
“We have contingency plans and insurance coverage for certain expenses and potential liabilities of this nature. The coverage has been sufficient to cover the majority of claims and liabilities incurred to date. While a loss from these matters is reasonably possible, we cannot reasonably estimate a range of possible losses because our investigation into the matter is ongoing, the proceedings remain in the early stages, alleged damages have not been specified, there is uncertainty as to the likelihood of a class or classes being certified or the ultimate size of any class if certified, and there are significant factual and legal issues to be resolved.”
Reports have indicated that the cost of the attack may have reached $100 million, maxing out the company’s cyber cover with AIG. Given the scale of the attack and the continuing risk that cyber attacks pose to the company, disclosing the business impact of the attack is important so that investors are aware of what they are on the hook for. The same goes for the costs of maintaining a secure IT infrastructure and of new insurance cover. These are operational costs that are likely to recur and to be shouldered by the company.
We also don’t know how Anthem is addressing this risk factor structurally. Is cyber security now part of the board’s agenda, or does it remain an IT issue? The company’s board committee charters do not include board oversight of cyber security issues. So does executive management have oversight? One would assume so, but we do not know for sure without enhanced company transparency. CEO Joseph R. Swedish did acknowledge the cyber attack in his President’s Letter in the FY2014 report, but more information is needed if the company is to build confidence that it is capable of managing this issue well.