The Division of Corporation Finance (“CorpFin”) of the Securities and Exchange Commission (the “SEC”) has recently published disclosure guidance on two topics of emerging concern: risks associated with cybersecurity breaches and exposure to European sovereign debt (“Eurodebt”).

Most recently, on January 6, 2012, CorpFin published guidance for all public registrants, and particularly for financial institutions, that have exposures related to Eurodebt issues which could present material risks to investors.

Earlier, on October 13, 2011, CorpFin also tackled the subject of how to handle disclosures related to increasingly frequent cyber attacks and the consequent theft or corruption of sensitive information.

It is important to note that CorpFin guidance publications do not constitute rules or regulations, and they are not official statements of the SEC, but they do represent the interpretive views of CorpFin with respect to current SEC rules.

European Sovereign Debt Exposures

In providing guidance on disclosures related to Eurodebt, CorpFin built on their comments made to date on past filings by registrants that provided inadequate disclosure. These comments included suggestions that registrants should disclose:

  • Gross sovereign exposure, as well as exposure through financial institutions and non-financial corporations, separately by country;
  • Quantifications of exposure, explaining how gross exposures are affected by hedging; and
  • The circumstances under which losses may not be covered by credit protection.

General Disclosure Guidance

CorpFin noted that Item 303 of Reg S-K, which governs Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A) in annual reports and other filings, requires registrants to identify:

  • Known trends, demands, commitments, events or uncertainties that are reasonably likely to result in a material change to liquidity; and
  • Known trends or uncertainties that are reasonably expected to have a material impact on income.

CorpFin also called attention to Industry Guide 3, which is specifically aimed at bank holding companies, pointing out that the Guide calls for “identification of cross-border outstanding amounts with regard to borrowers in each foreign country where exposures exceed one percent of total assets.” It was also stressed that Guide 3 calls for disclosure where “current conditions in a foreign country give rise to liquidity problems which are expected to have a material impact on the timely repayment of principal or interest.”

In addition, all registrants were reminded that they must provide disclosure “regarding risks, including risk factors and market risk,” without resort to “boilerplate” language. In determining these risks, registrants must focus on those countries experiencing “significant economic, fiscal, and/or political strains such that the likelihood of default would be higher than would be anticipated when such factors do not exist.”

More specifically, CorpFin elaborated that registrants should:

  • Provide disclosures separately by country;
  • Segregate disclosures concerning exposures associated with Eurodebt according to sovereign and non-sovereign investment exposures;
  • Provide disclosures by financial statement category;
  • Provide information regarding hedges in order to present an amount of net funded exposure; and
  • Consider providing separate disclosure of gross unfunded commitments made.

CorpFin also encouraged registrants to consider the following when making disclosures about exposure associated with Eurodebt issues.

1. Gross Funded Exposure

It was suggested that registrants should consider disclosure of gross funded exposures, demonstrating the basis for selection of countries discussed and the basis for determining the domicile of exposure. CorpFin also suggested making separate disclosure of exposures for:

  • Sovereign exposures consisting of financial instruments entered into with sovereign and local governments; and
  • Non-sovereign exposures to corporations and financial institutions at risk (which might sometimes require separate disclosure for financial and non-financial institutions).

It was recommended that registrants should consider making separate categories of disclosure for various investments as well, including:

  • For loans and leases, the gross amount prior to the deduction of the impairment provision and the net amount after that provision;
  • For held-to-maturity securities, the amortized cost basis and the fair value;
  • For available-for-sale securities, the fair value, and if material, the amortized cost basis;
  • For trading securities, the fair value;
  • For derivative assets, the fair value, except that this amount may be offset by the amount of cash collateral applied if separate footnote disclosures quantifying the amount of the offset are provided;
  • For credit default contracts sold, the fair value and notional value of protections sold, along with a description of the events that would trigger payout under the contracts; and
  • For other financial exposures, to the extent carried at fair value, the fair value, and for those carried at amortized cost, the gross amount prior to the deduction of impairment and the net amount after impairment.

2. Total Unfunded Exposure

CorpFin also encouraged registrants to disclose total unfunded exposures, including:

  • The amount of unfunded commitments by type of counterparty and country; and
  • The key terms of the facilities and any potential limitations on the counterparty’s ability to draw down on them.

3. Total Gross Exposure

It was suggested that registrants should consider disclosure of total gross exposures, both funded and unfunded, with separation between type of counterparty and country for total gross exposures. CorpFin added that appropriate footnote disclosure might be warranted with highlighting of additional key details, such as maturity information for all exposures.

4. Effects of Credit Default Protection and Hedging

The guidance also called for registrants to consider disclosing all of the effects of credit default protection and hedging used to arrive at net exposure conclusions. Such effects might include, in appropriate circumstances, any or all of the following:

  • The effects, by counterparty and country, of any credit default protection;
  • The fair and notional values of the purchased credit protection;
  • The nature of the payout or trigger events under the purchased protection;
  • The types of counterparties that the credit protection was purchased from and an indication of the counterparty’s credit quality; and
  • Whether credit protection purchased has a shorter maturity date than the Eurodebt or related exposures being protected.

5. Other Risk Management Practices

CorpFin encouraged registrants to make general risk management disclosures as well, including disclosures of:

  • How management is monitoring and/or mitigating exposures to the selected countries, including any stress tests performed;
  • How management is monitoring and/or mitigating the effects of indirect exposure; and
  • Current developments considered in identified countries of risk (such as rating downgrade developments, financial relief plans, widening credit spreads, etc.) and how those developments could impact the registrant’s financial condition, operations, liquidity or capital resources.

6. Post-Reporting Date Events

Finally, CorpFin also noted that disclosures should be considered regarding significant developments that occur after any reporting date, as well as the effects of those events on previously reported amounts.

Cybersecurity Exposures

CorpFin expressed great concern about cybersecurity threats as well, noting that the standard for cybersecurity disclosures is that which applies under federal securities laws generally. Thus, registrants must make “timely, comprehensive and accurate” disclosure about “risks and events that a reasonable investor would consider important to an investment decision.”

It was also noted that “material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures... not misleading.”

CorpFin pointed out that registrants that are victims of cyber attacks may incur a variety of material costs or consequences worthy of disclosure, including but not limited to:

  • Remediation costs, such as liability for stolen assets and for repair of damage that may have been done, as well as incentives awarded to maintain business relationships after an attack;
  • Increased cybersecurity protection costs that may include organizational changes, deployment of new or additional personnel and/or technologies and training;
  • Lost revenues resulting from unauthorized use of proprietary information;
  • Losses and costs associated with litigation; and
  • Reputational damage affecting customer, client or investor confidence and goodwill.

Risk Factors

CorpFin suggested that registrants should make certain “risk factors” disclosures “if these issues are among the most significant factors that make an investment in the company speculative or risky.”

Prior cyber incidents should be taken into account in determining whether disclosures are required, as well as the probability of cyber incidents occurring in the future, which may be affected by the existence of explicit threats of attack.

Consistent with requirements for risk factor disclosures generally, cybersecurity risk disclosures must adequately describe the nature of the material risks and how each risk affects the registrant specifically, according to CorpFin.

The interpretive publication added that appropriate risk factor disclosures might include:

  • Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
  • Description of outsourced functions that present material risks;
  • Description of cyber incidents, costs and consequences experienced by the registrant which are material, either individually or in the aggregate;
  • Risks related to cyber incidents that could remain undetected for an extended period; and
  • Description of any relevant insurance coverage.

Management’s Discussion and Analysis

CorpFin suggested that registrants should address cybersecurity risks and cyber incidents in MD&A “if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity or financial condition or would cause reported financial information to be [misleading].”

Any discussion of the threats faced by a registrant or of how a registrant addresses those threats — either in the MD&A or in the “risk factors” section of a report — should not be generic. But CorpFin did emphasize that “the federal securities laws do not require disclosure that itself would compromise a registrant’s cybersecurity” so a potentially damaging degree of specificity is not required.

Description of Business

CorpFin suggested that a registrant should provide cybersecurity disclosures in the “Description of Business” section of a required report if “one or more cyber incidents materially affect a registrant’s products, services, relationships with customers or suppliers, or competitive conditions.”

In determining whether to include disclosure, registrants should consider the impact on their reportable business segments, CorpFin added.

Legal Proceedings

The published guidance also noted that when a pending legal proceeding is material and involves a cyber incident, relevant information must be disclosed in the “Legal Proceedings” section of any pertinent report to the SEC.

Financial Statement Disclosures

CorpFin explained how cyber incidents could impact a registrant’s financial statements and accounting decisions as well. Depending on the nature and severity of the incident, the following guidance could be relevant.

1. Prior to a Cyber Incident

When registrants incur substantial costs to prevent cyber incidents, they must consider Accounting Standards Codification (“ASC”) 350-40 regarding “Internal-Use Software” to the extent that such costs are software related.

2. During and After a Cyber Incident

When registrants mitigate damages from an incident by providing customers with incentives to maintain business relationships, they should consider ASC 605-50 regarding “Customer Payments and Incentives” to ensure appropriate recognition, measurement and classification of incentives awarded in connection with cyber attacks.

Registrants should also refer to ASC 450-20 regarding “Loss Contingencies” to determine when to recognize a cybersecurity loss, such as a loss related to warranty, breach of contract, product recall or replacement, and indemnifications.

Other potentially material impacts on future cash flows must also be properly reported, such as impacts related to asset impairment, goodwill, trademarks, patents, capitalized software, or assets associated with hardware, software and inventory.

If a cyber incident is discovered after the balance sheet date but before the issuance of financial statements, then an affected registrant should consider whether disclosure of a “subsequent event,” as defined by rule, is appropriate. If the incident is a material subsequent event, the financial statements should include an estimate of the financial effect, or a statement that an estimate cannot be made at that time, according to CorpFin.

Disclosure Controls and Procedures

CorpFin’s guidance concluded with a reminder that registrants must also disclose management conclusions related to cybersecurity and the effectiveness of disclosure controls and procedures. For instance, management must consider whether there are any deficiencies in its disclosure controls and procedures if cyber incidents pose a risk to the registrant’s ability to record, process, summarize and report information as required by the SEC.
