Last night, SEC Chair Jay Clayton issued a statement on cybersecurity disclosing a 2016 hack of the SEC’s Edgar system. Here’s an excerpt:
“In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading. Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information. We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk. Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities.”
The statement did not indicate how long hackers may have had access to nonpublic information. A few years back, Broc blogged about “When Will the SEC’s EDGAR Get Hacked? (Or Has It Already?)” – and noted that if Edgar was ever hacked, the SEC hopefully would let us know.
Edgar’s test filing system represents an attractive target for hackers. Test filings are routinely made by public companies in order to verify that the system will accept a live filing of their documents – but are not publicly available. An intruder able to access those materials would have an advance look at SEC filings in essentially final form.
A July 2017 GAO report on the SEC’s information security practices said that the agency had improved the security controls over its key financial systems. However, the report also noted that the SEC had not fully implemented 11 recommendations from a 2015 GAO audit. These recommendations included “consistently protecting its network boundaries from possible intrusions, identifying and authenticating users, authorizing access to resources, auditing and monitoring actions taken on its systems and network, or encrypting sensitive information while in transmission.”
Cybersecurity is a high priority item for the SEC, and this event – along with the Equifax fiasco – is likely to only increase the emphasis on cyber issues. So it’s worth reading Jay Clayton’s statement in its entirety. The disclosure of the intrusion was part of a much broader statement addressing the SEC’s efforts on cybersecurity – both internally, and in its regulatory & enforcement programs. Doug Chia at “The Conference Board” has blogged some thoughts on the implications of the hack – and on the SEC’s disclosure about it.
Governance: Want Less Litigation? Hire a Lawyer as CEO
This “Harvard Business Review” article says that if boards of companies operating in high-risk environments want to reduce litigation & manage it better, they should make their next CEO a lawyer:
“We found that lawyer CEOs were not only associated with less litigation but, conditional on experiencing litigation, were also associated with better management of litigation. So companies run by lawyers, if sued, spent less on litigation and did better — they settled less often when sued and lost less often when cases went to court.”
Before you dust off your resume & throw your hat in the ring for the next CEO opening, it turns out there’s a reason that lawyers represent less than one-tenth of S&P 1500 CEOs:
“We found that CEOs with legal training were associated with higher firm value, but only in a subset of firms, specifically, in high-growth firms and firms with large amounts of litigation. Outside of this setting, however, the effect of CEOs with legal training on firm value was negative. So companies in, say, the pharmaceuticals and airlines industries performed better when run by lawyer CEOs, all else being equal, while companies in, say, printing and publishing performed worse.”
The authors speculate that the difference has to do with lawyers’ risk-averse nature – it’s a positive in companies that face a lot of regulatory & litigation risk, but a negative in other settings. So, don’t quit your day job just yet.
Financial Reporting: Accounting for Disasters
This pales in comparison to the devastating human toll that our nation and our neighbors have experienced in the unprecedented series of hurricanes, wildfires & earthquakes that we’ve seen over the past several weeks – but for public companies, there’s also a financial reckoning that has to be made.
This Deloitte memo highlights the financial reporting implications of disasters for entities reporting under U.S. GAAP – which can include accounting for asset impairments, income statement classification of losses, insurance recoveries, and additional exposure to environmental remediation liabilities.
– John Jenkins