Pfizer ($PFE) has updated the risk factors section of its U.S. Securities and Exchange Commission (SEC) filings to reflect the new normal in cybersecurity. The Big Pharma lays out the situation plainly: "As a global pharmaceutical company, our systems are subject to frequent attacks."
That line is one of three significant changes to Pfizer's most recent risk factor section on information technology, the word count of which has more than tripled since 2011. Other Big Pharma companies have also expanded the range of IT security risks they communicate to investors. But the observation that being a global pharmaceutical company puts Pfizer in line for "frequent attacks" is unusually blunt, even if the statement itself is unsurprising.
Merck's ($MRK) comment that it "has been the target of events of this nature and expects them to continue" is among the more strongly worded lines from Pfizer's Big Pharma peers. As the focal point for a lot of anti-Big Pharma sentiment, Pfizer may face slightly different threats than its rivals--its SEC filing specifically mentions "hacktivists"--but all of the businesses are at risk from state-sponsored cyber-espionage teams and each has responded by investing in security.
Such defenses have limitations, though. In its SEC filings, Pfizer states it has invested in data protection--although it dropped the word "heavily" between the 2013 and 2014 texts--and taken out cyber-liability insurance. However, it accepts the loss of data or documents that could cause it "financial, legal, business and reputational harm" remains a possibility. And there is no guarantee its insurance could cover the losses.
By definition, lists of risk factors are exhaustive in reporting what could go wrong--Pfizer dedicated 915 words of its 1999 annual report to the Year 2000 Problem--but the trend for stronger and stronger warnings of IT breaches is still significant. What were once abstract fears about data security are now legitimate threats to businesses.
- read Pfizer's SEC filing