Over 90% of the Russell 3000 companies see cybersecurity as a significant risk and provide the cyber risk disclosure in the Risk Factors section. This should come as no surprise – the number of cyber breaches for companies registered with the SEC more than tripled between 2011 and 2017, increasing from 27 in 2011 to 84 in 2017.
Yet, only 29 breaches that occurred in 2017 have been disclosed in SEC filings. And when companies do disclose breaches, the method and substance of those disclosures can vary widely from one company to the next.
On February 21, 2018, the SEC issued new guidance on cybersecurity disclosure. The guidance expands on CF Disclosure Guidance: Topic 2, issued in 2011. While the new guidance does not change reporting requirements, it does clarify the SEC’s position and expectations for cybersecurity disclosure.
Topics covered by the new cybersecurity disclosure guidance include:
- Periodic reporting
- Risk factors
- Management's discussion and analysis of financial condition and results of operations (MD&A)
- Description of business
- Legal proceedings
- Financial statement disclosures
- Current reporting
- Policies and procedures
- Disclosure controls
- Insider trading
- Selective disclosure
The new guidance aims to improve transparency and reduce discrepancies in how breaches are disclosed.
The most common place to find disclosure of a cybersecurity breach is in the risk factors section. Large or small, breaches are often used to exemplify the potential cybersecurity risk a company might face in the future. For example, CafePress Inc [PRSS] disclosed a breach in the risk factors of their 2014 annual report:
Any system delays, interruptions or disruptions to our servers caused by telecommunications failures, computer viruses, physical break-ins, domain attacks, hacking or other attempts to harm our systems or servers that result in the unavailability or slowdown of our websites, loss of data or reduced order fulfillment performance would reduce the volume of products sold and the attractiveness of product offerings on our websites. As an example, in the fall of 2014, we experienced a security breach in certain hosted websites operated by EZ Prints for a large retail customer that resulted in the consumer personal data and credit card information of approximately 1,900 customers being exposed to hackers. The intrusion exposed a previously undetected vulnerability in software used in the architecture of our EZ Prints product offering.
The SEC expects companies to discuss prior incidents, including their severity and frequency, as CafePress did above. For companies that have experienced an incident, the SEC also expects a discussion of reputational harm and expected costs (litigation, investigation, remediation), if any. For companies that have not experienced an incident but see cybersecurity as a risk, disclosure should address the likelihood of future incidents, the adequacy of preventative actions, industry-specific and third-party risks, precautions taken (insurance, service providers), and laws and regulations that are in place or pending.
Material cybersecurity breaches are usually disclosed throughout the report. Two areas of interest are the financial statement footnotes, and controls and procedures.
A footnote to the financial statements is usually included when a company experiences a cybersecurity incident that is expected to result in material litigation or material costs. The footnote or footnotes should include expenses incurred, impairments of assets, and expected contingencies. Nuance Communications Inc [NUAN], for example, disclosed $6 million of remediation and restoration costs related to the breach in their latest quarterly filing. Nuance also included additional disclosure in their MD&A, Description of business and Risk factors sections.
Finally, the SEC expects companies to have policies and procedures in place to ensure information is reported to the appropriate personnel and to enable senior management to make disclosure decisions. While this is true of all material information, it applies equally to cybersecurity-related disclosure. When a breakdown occurs in the transfer of cybersecurity-related information, a control issue may exist. These control issues must be disclosed to the public.
For example, Equifax [EFX] disclosed two cybersecurity-related control deficiencies in their last quarterly report:
As discussed in Note 5 of the Notes to the Consolidated Financial Statements in this Form 10-Q, on September 7, 2017, we announced a cybersecurity incident. Our review of the circumstances and resulting impact on our internal controls over financial reporting (ICFR) identified two significant deficiencies in our IT General Controls environment, at this point in time. As part of the Company’s overall plan to address the cybersecurity incident, actions have already been and are being taken in the fourth quarter of 2017 to remediate these significant deficiencies.
Stay tuned for an update to our recent article, Cybersecurity Experts on the Board of Directors, where we look at the relationship between cybersecurity and the directors and officers of public companies.
Over the past five years, the number of individuals with cybersecurity experience that have been appointed as directors to public companies has grown from 5 in 2012, to more than 20 in 2016. – Audit Analytics
A version of this article was previously available on FactSet to subscribers of our Accounting Quality Insights.
The numbers in this article have been updated to include cybersecurity incidents from additional sources, most notably the Attorney General office websites of Iowa, Montana, Wisconsin and Oregon. Incidents for 2012 rose from 38 to 39; incidents for 2013 rose from 46 to 47; incidents for 2014 rose from 61 to 62; incidents for 2015 rose from 44 to 46; and incidents for 2017 rose from 64 to 84. Total incidents for 2011 and 2016 were unaffected.