My cheesy but effective automated mechanism for finding 10-Q filings mentioning “cyber” incidents and risk flagged a bunch of filings that now that I’m on vacation I have been looking through. (The mechanism is described here).

In looking at these, I was struck by the proportion that acknowledged actual incidents. I think this sort of disclosure will become more common, as a result of the SEC pushing for it, and also (assuming nothing bad happens to firms so disclosing) because of herd behavior among firms.

Below, I show the reports I looked over most recently, and where applicable, an excerpt of the language used to acknowledge actual incidents.

CIENA CORP
No actual incidents acknowledged.

IDT CORP

Certain of our business units have been the subject of attempted and successful cyber-attacks in the past. While we have completed our analysis and remediation of most attacks, and have implemented security designed to foil future similar attacks, with respect to certain of these attacks, we are still in the process of determining what information may have been compromised and its potential impact.

ARUBA NETWORKS INC
No actual incidents acknowledged.

HEWLETT PACKARD CO

		No actual incidents acknowledged.  

Palo Alto Networks Inc

		No actual incidents acknowledged.  

ONCOSEC MEDICAL

		No actual incidents acknowledged.  

COPART INC

Although we have not been the victim of cyber attacks or other cyber incidents that have had a material impact on our consolidated operating results or financial position, we have from time to time experienced cyber security breaches such as computer viruses and similar information technology violations in the ordinary course of business.

VERIFONE SYSTEMS INC

We have in the past experienced and may in the future experience security breaches or fraudulent activities related to unauthorized access to sensitive customer information.

INFOBLOX INC

		No actual incidents acknowledged.  

INTUIT INC

From time to time, we detect, or receive notices from customers or public or private agencies that they have detected, vulnerabilities in our servers, our software or third-party software components that are distributed with our products. The existence of vulnerabilities, even if they do not result in a security breach, may harm customer confidence and require substantial resources to address, and we may not be able to discover or remediate such security vulnerabilities before they are exploited. In addition, hackers develop and deploy viruses, worms and other malicious software programs that may attack our offerings. Although this is an industry-wide problem that affects software across platforms, it is increasingly affecting our offerings because hackers tend to focus their efforts on the more popular programs and offerings and we expect them to continue to do so.

BROCADE COMMUNICATIONS SYSTEMS INC

		No actual incidents acknowledged.  

ITEX CORP

		No actual incidents acknowledged.  

Guidewire Software

		No actual incidents acknowledged.