In May of this year, Fitbit Inc. (Fitbit) filed for an Initial Public Offering (IPO) for upwards of $100 million. With more and more consumers using wearable devices, privacy concerns have skyrocketed. However, since 2011, the U.S. Securities and Exchange Commission (SEC) has required publicly traded companies to disclose potential risks and threats to their security when filing their S-1 IPO forms, most likely due to the increased presence of the “Internet of Things” and our connected devices. With our cars talking to our iWatches and our refrigerators sending messages to our grocery store mobile apps when we run out of milk, it is becoming increasingly important for companies to analyze cybersecurity risks and ensure that systems are in place to protect consumer data. And investors want to know that data privacy and security are on the company’s radar.
For example, in filing its S-1 form with the SEC, Fitbit disclosed, “If our security measures, some of which are managed by third parties, are breached or fail, unauthorized persons may be able to obtain access to sensitive user data. If we or our third-party service providers, business partners, or third-party apps with which our users choose to share their Fitbit data were to experience a breach of systems compromising our users’ sensitive data, our brand and reputation could be adversely affected, use of our products and services could decrease, and we could be exposed to a risk of loss, litigation, and regulatory proceedings.” This could be a big concern for Fitbit investors. If investors stand a chance of losing profits because of a company’s lax data privacy and security practices, even if those practices are those of a third-party service provider, the investment in that company may not seem so tantalizing. Companies surely know that a data breach affects not only their customers but also the company’s pockets. Bad press will certainly drive customers away.
Before companies enter the public markets, not only does the SEC require them to assess and disclose their cybersecurity risks, but investors will also demand that they have appropriate privacy and security policies and procedures in place to protect consumer data. Investors will surely consider a company’s cybersecurity risks along with the IPO valuation.