June 29, 2021

Hypothetical Risk Factors: Beware the 10-Q Updating Requirement!

The SEC’s 2019 enforcement action against Facebook highlighted the perils of hypothetical risk factors. Now, in In re Alphabet Securities Litig., (9th Cir.; 6/21) the 9th Circuit recently upheld disclosure claims against another tech titan premised on its alleged failure to update disclosure of a risk of a cyberbreach that was hypothetical when initially disclosed in a 10-K, but became very real by the time subsequent 10-Qs were filed.  This Morrison & Foerster memo reviews the Court’s decision. This excerpt provides an overview of the complaint’s factual allegations:

The complaint alleged that in February 2018, Alphabet, Inc. (“Alphabet”), the holding company of Google LLC (“Google”), filed its 10-K for FY 2017. In the “risk factors” section, it listed potential consequences in the event third parties were to breach Google’s cybersecurity measures and obtain access to its users’ private data.

The complaint further alleged that in April 2018, the Alphabet CEO discovered that a bug had exposed Google user data for a three-year period. The company did not disclose the breach at the time. Further, it alleged that on April 23, 2018, and July 23, 2018, Alphabet filed 10-Qs, stating affirmatively that there had been “no material changes” to the risk factors set out in its 2017 10-K and made no disclosure about the data breach.

The WSJ published an article in October 2018 that disclosed the cyberbreach, Alphabet’s stock price took a hit, and the lawsuits soon followed.  The District Court dismissed the plaintiffs’ complaint, but the 9th Circuit reversed. This excerpt from the memo lays out the Court’s reasoning:

The panel found it plausible that a reasonable investor reading the 10-Qs would have been misled by the company’s representation that there had been “no material changes” in the risk factors into believing that Google had not discovered a data breach. The panel relied on the Securities Exchange Commission’s guidance regarding the adequacy of cybersecurity-related disclosures as “judgments about the way the real world works” to inform its analysis of a
reasonable investor’s perspective.

Item 1A of Form 10-Q requires companies to update the risk factors disclosed in their 10-K filings to reflect any “material changes.” The Alphabet case makes it clear that when considering the perils of hypothetical risk factors, companies need to keep this updating requirement in mind if any of those risks have materialized since the 10-K was filed.

John Jenkins