September 27, 2016

Cybersecurity Disclosures: Not Happening Much in SEC Filings

Here’s an excerpt from this “D&O Diary Blog” about how few companies are disclosing cybersecurity & data breach incidents in their SEC filings (which could be a concern for investors – and for D&O underwriters):

According to a September 19, 2016 Wall Street Journal article entitled “Corporate Judgment Call: When to Disclose You’ve Been Hacked,” nothwithstanding the long-standing SEC disclosure guidelines, companies are being hacked more frequently but are not disclosing these incidents in their periodic reports to the SEC. The article cites a recent Audit Analytics report, in which the firm reviewed the filings of nearly 9,000 reporting companies during the period January 2010 to the present. The report found that only 95 of these companies had informed the SEC of a data breach. However, according to the Privacy Rights Clearinghouse, the number of data breaches during that period experienced by all U.S. businesses – including both public and private companies – totaled 2,642.

The most important consideration accounting for this apparent discrepancy is the question of “materiality.” If the company believes that the incident or incidents it experienced are not “material” within relevant reporting obligation standards, then, many companies apparently are concluding that they have no obligation to report the incident.

Significantly, while only a small number of companies have reported cyber incidents in their periodic reports, a greater number are reporting data breaches and other incidents to other regulators. The Journal article cites the Audit Analytics report as stating that about 300 publicly traded U.S. companies have reported cybersecurity incidents to a state regulator or directly to affected consumers over the past six years.

Obviously, whether or not any potentially reportable item is “material” and therefore subject to disclosure is a judgment call of a type that corporate officials have long been called upon to make. The concern is that these types of judgment calls can be subject to hindsight scrutiny. In that regard, it is probably worth noting that to date the SEC has not yet brought a regulatory enforcement action against a company that failed to disclose a cyberincident – but, the Journal article notes, SEC officials “have not ruled out doing so.”

Disclosing “Risks”: Breaking Down Apple’s Tax Uncertainties

This blog by the “SEC Institute” does a great job of analyzing the various ways that Apple discloses the “uncertainties” related to its international tax situation, including risk factors, MD&A and financial statement disclosures…

Tomorrow’s Webcast: “Middle Market Deals – If I Had Only Known”

Tune in tomorrow for the webcast – “Middle Market Deals: If I Had Only Known” – to hear Joe Feldman of Joseph Feldman Associates talk about how to best avoid post-closing deal surprises for a mid-market deal. Please print these “Course Materials” in advance.

Broc Romanek