Slack warns investors over cyber-attack risk to share performance

Collaboration software provider Slack has warned investors of the risks posed by hackers – including state-sponsored cyber-attacks – as it filed for a direct listing. 

The San Francisco-headquartered firm highlights a number of risk factors in a filing with the SEC, including its ‘limited operating history’, its ‘history of net losses’ and ‘quarterly fluctuations’ in its results that make its ‘future results difficult to predict and could cause our results [or] operations to fall below analyst or investor expectations.’

Interestingly, though – and unusually for a company going public – the firm also goes into depth about the cyber-security risks it faces and how those can influence the stock. As of January 31, 2019, Slack had more than 600,000 organizations signed up to its collaboration software, according to its SEC filing, making it a target for hackers and its security a key factor in how the stock performs. 

‘Increasingly, companies are subject to a wide variety of attacks on their systems,’ writes Slack in the filing, listing threats that range from traditional computer hackers to ‘malicious code (such as malware, viruses, worms and ransomware), employee theft or misuse, password spraying, phishing, credential stuffing and denial-of-service attacks.’ 

But it also highlights threats from ‘sophisticated organized crime, nation-state and nation-state-supported actors [that] engage in attacks (including advanced persistent threat intrusions).’

It’s clear the company anticipates a cyber-attack at some point and, while it notes that it has taken steps to protect its systems, Slack warns investors these might not be enough. In fact, it highlights a 2015 security breach in which ‘unauthorized third parties had access to information maintained by us that included user names, email addresses, encrypted passwords and information that users may have optionally added to their profiles, such as phone numbers.

‘Despite significant efforts to create security barriers to such threats, it is virtually impossible for us to entirely mitigate these risks,’ writes the company, adding that techniques ‘change frequently and generally are not recognized until launched against a target.’

The filing continues: ‘The security measures we have implemented or integrated into Slack and our internal systems and networks (including measures to audit third-party and custom applications), which are designed to detect unauthorized activity and prevent or minimize security breaches, may not function as expected or may not be sufficient to protect Slack and our internal systems and networks against certain attacks.’

Slack plans to forgo underwriters with a direct listing when it goes public. 

Going public on cyber-security

While it is unusual to find such detailed information on cyber-security risks in an SEC filing, the issue has been one of growing concern for boards and the investor community in recent years, with cyber-security experts increasingly in demand in boardrooms, according to Jeffrey Sanders, vice chairman and co-managing partner of Heidrick & Struggles’ global board and CEO practice.

Dr Richard Horne, cyber-security partner at PwC, last year called on companies to do more around reporting risks in a report on the topic published in October 2018. 

‘Effective corporate reporting on cyber-security is thin on the ground,’ Horne said in an open letter at the time. ‘Most companies aren’t giving much insight into how they are working to manage the threats they face. 

‘At first sight, reluctance to say much on this area is understandable. No company can reasonably be expected to publish full details of its defenses, and even those with leading cyber-security capability are reluctant to tempt fate by talking about it. But there’s a growing demand for more transparency from investors, regulators and the public.’

The report – ‘Transparency in the digital age: Companies should talk about their cyber-security’ – highlights seven ‘principles for better cyber-security reporting’:

• Be explicit about the risk and how the business is exposed
• Demonstrate that appropriate capabilities and resources are in place
• Set out a holistic framework for managing cyber-security
• Report on independent reviews and testing
• Demonstrate preparedness for a cyber-security incident
• Provide confidence that a considered approach is taken to all relevant legal and regulatory frameworks
• Report on contribution to the broader community’s cyber-security.

‘Publishing more information may feel uncomfortable to begin with but, given the reputational and financial damage that major incidents can inflict on organizations, now is the time to start talking more openly about better cyber-security reporting to build a more secure digital society,’ said Horne.