Handling Cybersecurity Disclosures
IMGCAP(1)]Cyber-attack headlines are all too common nowadays, and involve some of the biggest names in business. With numerous cyber-attacks and threats occurring each year, the Securities and Exchange Commission has taken a keen interest in cybersecurity disclosure in public filings.
In October 2011, it issued CF Disclosure Guidance: Topic No. 2, which outlines the commission’s initial stance on cybersecurity disclosure. Since then, the SEC has built upon its initial guidance through its comment letters to public companies.
The SEC’s view is that investors should know about actual or potential cyber-threats in order to make informed investment decisions. To facilitate this type of transparency, the SEC has outlined in Topic No. 2 what registrants should disclose in their public filings. However, the SEC’s guidance, while helpful, has also led to many questions. For example, if a company has never suffered a cyber-attack, do they still need to include disclosure about general cybersecurity risks in their Form 10-K? What type of cybersecurity risk disclosure is sufficient and where in the Form 10-K should a company disclose such risks? If a company has suffered a cyber-attack, what amount of disclosure is acceptable without risking another cyber-attack? If they fail to make adequate disclosure in their Form 10-K, do they need to include disclosure in their Form 10-Q even though Form 10-Q disclosure really focuses on “material” changes?
Although Topic No. 2 discusses six areas within certain SEC filings in which disclosures about cybersecurity threats or incidents may be appropriate, the Risk Factors section is where most disclosures concerning cyber-threats and prior incidents are located. However, prior material cyber-incidents also might be disclosed in the management’s discussion and analysis, description of business, legal proceedings and financial statement notes. Nevertheless, most of the comment letters the SEC has sent to registrants questioning their cybersecurity disclosures address the Risk Factors section, which in turn is the focus of this article.
The Risk Factor section of a periodic report must discuss the most significant factors that make an investment in the registrant speculative or risky. The SEC staff generally expects to find a cybersecurity risk factor when a registrant has experienced prior cyber-attacks. But even if a registrant has had no prior cyber-incidents, the SEC staff is apt to require a cybersecurity risk factor if the registrant relies heavily on technology or if the staff has heard about increased cyber-attacks in the registrant’s industry. As an example of the former, the staff required Meredith Corp. to include a cybersecurity risk factor in its filings because the company publishes several magazines and sponsors several Web sites and Web applications. As an example of the latter, the staff required Wynn Resorts Ltd. to include a cybersecurity risk factor because there had been several press releases about increasing cyber-attacks against companies in the hotel and resort industry.
The two primary issues regarding cybersecurity risk factors are whether prior, immaterial cyber-attacks must be discussed, and whether new or augmented risk factors must be disclosed in a registrant’s next Form 10-Q, rather than the next Form 10-K.
-- Disclosure of immaterial prior attacks. Despite language in Topic No. 2 that suggests that the SEC requires disclosure of only material prior attacks, the SEC staff routinely requires registrants to disclose that prior immaterial attacks have occurred to provide the proper context for risk factor disclosures.
Tip: The staff does not expect such immaterial attacks to be specifically identified and it allows registrants to state whether they have been able to successfully thwart or minimize the prior attacks.
There have been some exceptions in which the SEC staff has not required a registrant to mention the existence of prior immaterial attacks.
Tip: A registrant that would like to omit reference to prior, immaterial incidents should be prepared to explain why such a reference is not necessary to place its cyber-risk in the proper context for investors.
-- Disclosure in Form 10-Q. When a registrant fails to include a cybersecurity risk factor in its Form 10-K or its cybersecurity risk factor is deemed inadequate, the staff frequently requests that the registrant include a new or augmented risk factor in its next Form 10-Q.
Typically, however, only material changes to risk factors are required to be disclosed in the Form 10-Q, so many registrants fear that providing a new or updated cybersecurity risk factor in a Form 10-Q would improperly signal to investors that there is a significant new cyber-risk. The SEC staff has been inconsistent by allowing some registrants to simply provide the new or updated cybersecurity risk factor in their next Form 10-K, while requiring other registrants to make such disclosures in their next Form 10-Q.
Tip: The key to avoiding a Form 10-Q disclosure might be to argue that the prior Form 10-K disclosure, while lacking, was adequate enough to inform investors of the cyber-risks the registrant faces. But at least one registrant that did provide an augmented disclosure in its next Form 10-Q stated that no material changes to the Risk Factor on its Form 10-K had occurred, and that the information was being provided for the purpose of providing context to the risk.
Despite having seemingly varying standards for different companies, it appears clear that the SEC staff is concerned that companies acknowledge to investors that cyber-attacks have occurred even if the companies were able to avoid major security breaches. Moreover, even if a company has not experienced cyber-attacks in the past, if it relies on computer systems or information technology in any meaningful manner or is in an industry that is experiencing increased cyber attacks, the SEC staff appears to expect a cybersecurity risk factor.
The issue with which the SEC staff seems most inconsistent is whether a registrant must include a cybersecurity risk factor in its next Form 10-Q when its cybersecurity risk factor was inadequate in its previous Form 10-K. Whether a registrant will be able to avoid a Form 10-Q disclosure likely will depend on whether its prior risk factor was “adequate enough” to alert investors to the risks to justify not augmenting the risk factor in its next Form 10-Q.
Joan L. Rood is an attorney and technical consultant to Bloomberg BNA’s Accounting Policy and Practice Library.