Among Other Tips, Experts Remind Companies to Take Care in Cyber Disclosures

Bloomberg BNA’s Corporate Law & Accountability Report is available on the Corporate Law Resource Center. This news service keeps corporate practitioners informed of legal developments of...

By Yin Wilczek

Feb. 2 — As companies prepare their annual SEC filings, experts issued a reminder that cybersecurity and related issues may require disclosure in many places on Form 10-K, especially if the company in question has experienced a breach.

In a Jan. 30 Practising Law Institute webinar, George Wilson, director of PLI's SEC Institute, noted that cybersecurity is a “very broad kind of risk” involving the protection of corporate data and network access. Beyond risk factors, companies also must consider whether cybersecurity disclosure is merited under the management discussion and analysis (MD&A), financial statements and legal proceedings portions of the annual report, he said.

Wilson and fellow SEC Institute director Carol Stacey also discussed conflict minerals disclosure. The Institute helps companies stay abreast of SEC accounting and financial reporting developments.

SEC's Cyber Guidance 

The SEC in October 2011 issued guidance on cybersecurity disclosures.

“Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents,” the guidance states. “In addition, material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.”

During the webinar, Wilson urged every corporation to assess whether its cyber risks merit disclosure in the “risk factors” section of the annual report. If companies incur significant expenditure to reduce or prevent cybersecurity incidents, that may warrant disclosures in the MD&A and in financial statements, he said.

If the company has experienced a breach, legal proceedings, MD&A and financial statements are all potential areas that may be implicated depending on the nature of the company's business and the extent and implications of the incident, Wilson said.

Stacey added that Target Corp.'s disclosures are a “great example” for companies mulling their own cybersecurity reporting obligations.

Among other fallout from its 2013 data breach, Target hired a new chief risk and compliance officer. 

According to materials prepared for the webinar, in assessing whether to include cyber disclosures in their MD&A and financial statements, companies should consider:

• whether a known or threatened cyber incident is a material event, trend or uncertainty that is reasonably likely to be material;

• the costs incurred to prevent cyber incidents;

• the costs to mitigate the harm from cyber incidents;

• software costs; and

• asserted/unasserted claims from a cyber attack.

 

Conflict Minerals 

Meanwhile, companies preparing their conflict minerals Forms SD should heed recent staff comments on the topic, the panelists said.

The disclosures are due by June 1 this year, given that May 31 is a Sunday.

Keith Higgins, director of the SEC Division of Corporation Finance, recently said that companies may not have been as “crisp” as they should be in distinguishing between the reasonable country of origin for their minerals and the “due diligence that they undertook to try to identify the origin of the materials”. 

The panelists urged companies to:

• disclose their reasonable countries of origins and how those were determined;

• not suggest that their products are conflict free unless they include an independent private sector audit; and

• disclose any known facilities and countries of origin.

 

“Be cautious about the language that you use” in characterizing your products “because it could trigger other questions from the SEC,” Stacey said. While the staff “didn't comment about that last year, they are warning people that they may have follow-ups this year if you suggest that you are conflict free.”

Another interesting question is whether more companies will file Forms SD this year, Stacey added.

The SEC economic analysis for the rulemaking had suggested that about 6,000 companies would file the form. However, only about 1,300 companies filed their first-ever disclosures in 2014.

Disclosure Effectiveness 

In other discussions, Stacey noted that the SEC Corp. Fin. staff—as part of their ongoing review of the SEC's disclosure requirements—is asking registrants to make their disclosures more effective. She said that among other actions, companies can:

• eliminate boilerplate language in their risk factor disclosures;

• avoid duplicative disclosures;

• include more “helpful” MD&A trend and uncertainty disclosures; and

• let go of the notion that each 10-K item must stand alone.

 

In addition, it is not true that the staff will comment every time a company makes changes in its filings, Stacey said. The truth is that the SEC doesn't have the kind of technology that can track every change, she said.

Moreover, Stacey reminded companies this year to identify in their management report which version of the Committee of Sponsoring Organizations of the Treadway Commission's framework for internal controls over financial reporting they are using for their management's assessment.

COSO updated its framework in May 2013. The original framework was from 1992.

Although the SEC may not chastise companies for using the pre-2013 framework, the staff believes companies “should be switching to the new framework,” Stacey said. Accordingly, “the longer you are on the old framework the more concerned they are,” making it more likely that you will receive a staff comment on the issue. In addition, “investors may be concerned that you are not using the latest framework,” she said.

IFRS.

The panel also noted that the SEC Office of the Chief Accountant is encouraging public companies to present international financial reporting standards (IFRS) information to supplement financial statements prepared with U.S. generally accepted accounting principles. 

Offering optional disclosure is an “interesting way to start approaching IFRS,” Stacey said. While purely domestic companies may not take advantage of the option, “a finite population” of multinational corporations would welcome “putting some of this data in their Forms 10-K” so as to offer something comparable to investors that their competitors have, she said.

To contact the reporter on this story: Yin Wilczek in Washington at ywilczek@bna.com

To contact the editor responsible for this story: Ryan Tuck at rtuck@bna.com

The SEC's guidance is available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.