The Disclosure of Cyber-Related Matters in a Company’s Business Description

On October 13, 2011, the SEC’s Division of Corporation Finance issued CF Disclosure Guidance: Topic No. 2, addressing the disclosure of cybersecurity risks and cyber incidents. Today I am continuing my discussion of that guidance.
Disclosure of cyber-related matters may be required in the business description when they affect a company’s products, services, relationships with customers and suppliers, or competitive conditions. Likewise, material pending litigation arising from a cyber incident would need to be included in the “legal proceedings” section of a periodic report or registration statement.
Cyber matters may need to be reflected in a company’s financial statements before, during and after an incident. Costs incurred before an incident to prevent attacks may be capitalized where they relate to internal-use software (the guidance points to ASC 350-40); not all prevention spending qualifies, and costs that do not qualify are expensed as incurred. GAAP also provides specific recognition, measurement and classification treatment for payments of incentives to customers or business partners, including those offered after a cyber attack to retain them. Cyber incidents can result in direct losses or in loss contingencies that must be evaluated for accrual and disclosure under ASC 450-20, including those related to warranties, breach of contract, product recall and replacement, indemnification and remediation. Furthermore, incidents can diminish the value of, and therefore require impairment testing for, goodwill, intangible assets, trademarks, patents, capitalized software and even inventory.
To the extent that cyber matters affect a company’s ability to record, process, summarize and report the financial and other information required in SEC filings, management will need to consider whether this represents a deficiency in disclosure controls and procedures that renders them ineffective, which would have to be reflected in the company’s conclusions about those controls in its periodic reports.
The Yahoo hacking incident resulted in numerous media articles and blog posts on the disclosure of cyber matters in SEC reports. One such post was written by Kevin LaCroix and published in the D&O Diary. Mr. LaCroix points out that, according to a September 19, 2016, Wall Street Journal article, cyber attacks are occurring more frequently than ever but are rarely reported to regulators. The article cites a report that reviewed the filings of 9,000 public companies from 2010 through the date of the article and found that only 95 of them had informed the SEC of a data breach.
As reported in a September 12, 2016, blog post by Debevoise & Plimpton, highlighted by thecorporatecounsel.net, a review of Fortune 100 cyber-reporting practices revealed that most disclosures appear in the risk-factor section of regular periodic reports such as Forms 10-Q and 10-K rather than in interim disclosures on Form 8-K. Moreover, those companies reported only 20 incidents in total from January 2013 through the third quarter of 2015.
My opinion is that companies are relying on the materiality standard to avoid disclosure of cyber incidents. Most public-company hacking involves large organizations that can reasonably make the judgment call that the incident and its effects are not material to investment decisions. However, with the current industry focus on cybersecurity, I think we will see a shift towards more disclosure. As mentioned, I also expect new SEC guidance on the topic in the near future.