Over 90% of the Russell 3000 companies see cybersecurity as a significant risk and provide the cyber risk disclosure in the Risk Factors section. This should come as no surprise – the number of cyber breaches for companies registered with the SEC more than doubled between 2011 and 2017, increasing from 27 in 2011 to 64 in 2017.
Yet, only 24 breaches that occurred in 2017 have been disclosed in SEC filings. And when companies do disclose breaches, the method and substance of those disclosures can vary widely from one company to the next.
On February 21, 2018, the SEC issued new guidance on cybersecurity disclosure. The guidance expands on the CF Disclosure Guidance: Topic 2 issued in 2011. While the new guidance does not change reporting requirements, it does clarify the SEC’s position and expectations for cybersecurity disclosure.
Topics covered by the new cybersecurity disclosure guidance include:
- Periodic reporting
- Risk factors
- Management's discussion and analysis (MD&A) of financial condition and results of operations
- Description of business
- Legal proceedings
- Financial statement disclosures
- Current reporting
- Policies and procedures
- Disclosure controls
- Insider trading
- Selective disclosure
The new guidance aims to improve transparency and reduce inconsistency in how breaches are disclosed.
The most common place to find disclosure of a cybersecurity breach is in the risk factors section. Large or small, breaches are often used to exemplify the potential cybersecurity risk a company might face in the future. For example, CafePress Inc [PRSS] (free summary report available from WatchdogResearch.com) disclosed a breach in the risk factors of their 2014 annual report:
Any system delays, interruptions or disruptions to our servers caused by telecommunications failures, computer viruses, physical break-ins, domain attacks, hacking or other attempts to harm our systems or servers that result in the unavailability or slowdown of our websites, loss of data or reduced order fulfillment performance would reduce the volume of products sold and the attractiveness of product offerings on our websites. As an example, in the fall of 2014, we experienced a security breach in certain hosted websites operated by EZ Prints for a large retail customer that resulted in the consumer personal data and credit card information of approximately 1,900 customers being exposed to hackers. The intrusion exposed a previously undetected vulnerability in software used in the architecture of our EZ Prints product offering.
The SEC expects companies to discuss prior incidents, including their severity and frequency, as CafePress did above. For companies that have experienced an incident, it also expects a discussion of reputational harm and expected costs (litigation, investigation, remediation), if any. For companies that have not experienced an incident but see cybersecurity as a risk, disclosure should address the likelihood of future incidents, the adequacy of preventative actions, industry-specific and third-party risks, precautions taken (insurance, service providers), and laws and regulations that are in place or pending.
Material cybersecurity breaches are usually disclosed throughout the report. Two areas of interest are the financial statement footnotes, and controls and procedures.
A footnote to the financial statements is usually included when a company experiences a cybersecurity incident that is expected to result in material litigation or material costs. The footnote or footnotes should cover expenses incurred, impairments of assets, and expected contingencies. Nuance Communications Inc [NUAN], for example, disclosed $6 million of remediation and restoration costs related to its breach in its latest quarterly filing. Nuance also included additional disclosure in its MD&A, Description of business and Risk factors sections.
Finally, the SEC expects companies to have policies and procedures in place to ensure that information is reported to the appropriate personnel and that senior management can make timely disclosure decisions. This is true of all material information, but it applies equally to cybersecurity-related disclosure. When a breakdown occurs in the flow of cybersecurity-related information to management, a control issue may exist, and such control issues must be disclosed to the public.
For example, Equifax [EFX] (free summary report available at WatchdogResearch.com) disclosed two significant deficiencies in its internal control over financial reporting, identified in its review of the cybersecurity incident, in its last quarterly report:
As discussed in Note 5 of the Notes to the Consolidated Financial Statements in this Form 10-Q, on September 7, 2017, we announced a cybersecurity incident. Our review of the circumstances and resulting impact on our internal controls over financial reporting (ICFR) identified two significant deficiencies in our IT General Controls environment, at this point in time. As part of the Company’s overall plan to address the cybersecurity incident, actions have already been and are being taken in the fourth quarter of 2017 to remediate these significant deficiencies.
We will typically include a major cybersecurity breach at the top of a Corporate Watchdog report. You can also find more information about such breaches in the legal/lawsuit sections as major breaches are often marked by significant legal action against a company.