Magazine article The CPA Journal

The Issue of Cyber Risk Disclosures

Magazine article The CPA Journal

The Issue of Cyber Risk Disclosures

Article excerpt

As 2015 comes to a close and companies begin to think about preparing Form 10-K annual reports and firstquarter 2016 Form 10-Q reports, disclosures concerning cyber risk that should be included in SEC filings are among the key issues requiring the attention of managers and boards of directors alike. Cyber risk disclosure is not a new issue; it has formally been on the SEC's high-interest list since October 2011, when the staff of the SEC's Division of Corporation Finance issued guidance on the disclosure obligations relating to cyber risk, cybersecurity, and cyber incidents (see, for example, "SEC Cybersecurity Disclosure Guidance Is Quickly Becoming a Requirement," Gerry H. Grant and C. Terry Grant, The CPA Journal, May 2014).

A Review of the Staffs Guidance

The SEC staff s views, which are contained in CF Disclosure Guidance: Topic 2, Cybersecurity, are consistent with relevant existing disclosure considerations and requirements that could arise in connection with just about any business risk. The staff acknowledges the concerns of constituents that furnishing detailed information could compromise an entity's cybersecurity efforts. The staff accordingly emphasizes that disclosures of such a nature are not required under the federal securities laws. In general, the staff reminds registrants that, depending upon specific facts and circumstances, a discussion about cyber risk and cybersecurity matters could be required in Forms 10-K and 10-Q as part of the disclosures included in the following:

* Risk factors, when such matters are deemed to be among the most significant factors that make an investment in the company's securities speculative or risky

* Management discussion and analysis (MD&A), if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent an event, trend, or uncertainty that is reasonably likely to have a material effect on results of operations, liquidity, or financial condition, or would cause reported financial information not necessarily to be indicative of future results

* Legal proceedings, if they concern any material pending legal proceeding involving a cyber incident

* Disclosure controls and procedures, when cyber incidents pose a risk to the entity's ability to record, process, summarize, and report information required to be included in filings with the SEC.

In addition, the staff guidance cautions that cyber risks and cyber incidents could have an impact on a company's financial statements, including: 1) claims resulting from breach of data privacy, 2) loss or diminished value of intellectual property, and 3) the direct and indirect costs of remediating the effects of a successful cyber attack and of preventing future attacks.

Recent Developments

During the four years since the issuance of the staff guidance, the SEC has dramatically increased its focus on cyber matters. In response, many companies have taken heed and have incorporated discussions concerning cybersecurity risk into their standard risk factor and MID&A disclosures. Indeed, Audit Analytics, a research company providing audit regulatory and disclosure intelligence, reports that cybersecurity disclosure in the risk factors section of SEC filings has become quite common (http://www.auditanalytics.com/blog/ exploring-the-discbsure-of-cybersecurity/). Commissioners and staff have, in public statements, recently signaled that the SEC will continue to heighten its efforts concerning cyber matters. While its initial interest centered on regulated financial institutions and key market players (i.e" securities exchanges, broker/dealers, alternative trading systems), the SEC has begun to expand its attention to cover the general population of public companies, perhaps in response to the spate of highly publicized incidents of cyber attacks on companies operating in a wide range of nonfinancial industries and sectors.

In March 2014, the SEC hosted a round table to discuss cybersecurity and the issues and challenges it raises for market participants and public companies, and how these issues are being addressed in practice. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed

Oops!

An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.