When is a Cybersecurity Incident Material?

Recently we discussed the principle of materiality in the context of Valeant Pharmaceuticals and its Variable Interest Entity (VIE), Philidor. In that post we examined the two key dimensions of a materiality assessment, quantitative and qualitative. Something can be quantitatively immaterial yet still be material from a qualitative perspective. In this post we discuss materiality considerations as they apply to cybersecurity incidents and their disclosure.

Occasionally a cybersecurity incident occurs whose effects are immediately evident. Some incidents are so large and impactful that disclosure is unavoidable. Recent examples include Anthem, JPMorgan Chase, Home Depot, and, notably, Sony and Target.

Target, for example, recently settled litigation with MasterCard stemming from the retailer’s 2013 cyber incident for $39 million, on top of the $67 million settlement previously reached with Visa. The combined $106 million may be viewed as immaterial to the financial statements taken as a whole (about 3% of 2015 pre-tax income), but the press coverage, litigation, and investor reaction make clear that no one considered the breach to be “no big deal”.

But not all cybersecurity incidents are as easy to evaluate. In the case of Home Depot, a significant breach was first discovered on September 2, 2014, and just a few days later the company filed an 8-K, the form used to report a material event, disclosing details of the incident and the company’s response.

In its most recent 10-Q, Home Depot used almost 30% of the footnotes to the financial statements to disclose the impacts of the incident. To date, “the Company has recorded $252 million of pretax gross expenses related to the Data Breach, partially offset by $100 million of expected insurance proceeds.” They also expect “to incur additional legal and other professional services expenses associated with the Data Breach in future periods.”

Even in this case, however, the Home Depot breach appears to be quantitatively immaterial. The pretax net expense relating to the incident was $119 million for the first three quarters of 2015, less than 1% of earnings before taxes. Nevertheless, the breach does appear to be material from a qualitative perspective.

Home Depot disclosed processing over a billion credit and debit transactions in the first nine months of 2014. The incident affected 56 million cards, slightly over 5% of that transaction count. Cards and transactions are not the same thing, though: many of those cards were used for more than one purchase, some of the billion transactions were not card payments at all, and the breach was active for only about five of the nine months. Once those factors are taken into account, the share of card transactions exposed during the breach window was well above 5%, a material proportion by any reasonable measure. Further, there are serious consequences for the company that are not directly financial, such as reputational damage and the loss of consumer confidence.

Let’s analyze the disclosures of two companies that faced similar situations. In March 2014, Smucker’s experienced a cyber incident in which the financial information of roughly 23,000 customers was stolen. The breach is not disclosed in the company’s 2014 10-K or Annual Report. Cybersecurity is addressed in a general way in the Risk Factors section, but there is no mention of an actual breach.

Sally Beauty also experienced a cyber incident in March 2014, in which the financial information of roughly 25,000 customers was affected. In contrast to Smucker’s, however, Sally Beauty disclosed the incident in both an 8-K and a 10-Q.

So what was the difference between these two breaches? One difference could be the size of the two companies.

Sally Beauty is significantly smaller than Smucker’s. As of the quarter end immediately following each breach, Sally Beauty’s market capitalization was less than half of Smucker’s. Comparatively speaking, the incident may have been a bigger deal for the smaller company. Even so, the incident was not quantitatively material to Sally Beauty’s 2014 financial statements: it cost the company $2.5 million for the year ended 2014, less than 1% of pre-tax earnings.

One resource companies can consult is the SEC Division of Corporation Finance’s CF Disclosure Guidance: Topic No. 2 (Cybersecurity, issued October 2011), which outlines the factors registrants should weigh but sets no numeric threshold. In this case it is more likely that each company evaluated qualitative factors to determine whether the incident was material to its financial statements. A look at each company’s risk factors shows that electronic sales are a much bigger factor for Sally Beauty than for Smucker’s.

First let’s look at Smucker’s Risk Factors.

“We depend on our information technology infrastructure to effectively manage our business data, supply chain, logistics, finance, and other business processes and for digital marketing activities and electronic communications between Company personnel and our customers and suppliers.”

Smucker’s cyber incident involved the company’s online marketplace, yet the company’s cybersecurity risk factor does not discuss the marketplace at all. The only context in which customers appear is marketing and electronic communications. If you go to Smucker’s website, it is difficult to even find the online store.

Now consider Sally Beauty.

“We encounter risks and difficulties frequently experienced by internet-based businesses, including risks related to our ability to attract and retain customers on a cost-effective basis and our ability to operate, support, expand and develop our internet operations, websites and software and other related operational systems.”

“A significant data security breach, including misappropriation of our customers’ or employees’ confidential information, could result in significant costs to us, which may include, among others, potential liabilities to payment card networks for reimbursements of credit card fraud and card reissuance costs, including fines and penalties, potential liabilities from governmental or third party investigations, proceedings or litigation, legal, forensic and consulting fees and expenses, costs and diversion of management attention required for investigation and remediation actions, and the negative impact on our reputation and loss of confidence of our customers, suppliers and others, any of which could have a material adverse impact on our business, financial condition and operating results.”

Here, the cost of a payment-card breach (reimbursements to the card networks, card reissuance, fines and penalties) is spelled out as a key component of the cybersecurity Risk Factor, and the preceding factor treats Sally Beauty as an internet-based business. Sally Beauty also discusses electronic sales throughout its other Risk Factors: in one it discusses the importance of developing its electronic market; in another, how a cyber incident can damage its reputation.

Currently it can be very difficult to identify when a company should or should not disclose a cyber incident. For instance, the SEC’s comment letter to Governor & Co of the Bank of Ireland suggests a rather low threshold for inclusion in the risk factors. The SEC asked Governor & Co to “revise [their] risk factor disclosure and your operational risk disclosure […] to disclose that you have experienced such a cyber-crime or similar attack.” Governor & Co had not experienced a material cyber-crime or similar attack, yet the SEC still wanted the attacks disclosed. We suspect that as cyber incidents continue to occur, and as audit committees and the SEC continue to refine their approach, the threshold for disclosure will become clearer.