The Division of Corporation Finance (“CorpFin”) of the Securities and Exchange Commission (the “SEC”) has recently published disclosure guidance on two topics of emerging concern: risks associated with cybersecurity breaches and exposure to European sovereign debt (“Eurodebt”).
Most recently, on January 6, 2012, CorpFin published guidance for all public registrants, and particularly for financial institutions, that have exposures related to Eurodebt issues which could present material risks to investors.
Earlier, on October 13, 2011, CorpFin also tackled the subject of how to handle disclosures related to increasingly frequent cyber attacks and the consequent theft or corruption of sensitive information.
It is important to note that CorpFin guidance publications do not constitute rules or regulations, and they are not official statements of the SEC, but they do represent the interpretive views of CorpFin with respect to current SEC rules.
In providing guidance on disclosures related to Eurodebt, CorpFin built on their comments made to date on past filings by registrants that provided inadequate disclosure. These comments included suggestions that registrants should disclose:
CorpFin noted that Item 303 of Reg S-K, which governs Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A) in annual reports and other filings, requires registrants to identify:
CorpFin also called attention to Industry Guide 3, which is specifically aimed at bank holding companies, pointing out that the Guide calls for “identification of cross-border outstanding amounts with regard to borrowers in each foreign country where exposures exceed one percent of total assets.” It was also stressed that Guide 3 calls for disclosure where “current conditions in a foreign country give rise to liquidity problems which are expected to have a material impact on the timely repayment of principal or interest.”
In addition, all registrants were reminded that they must provide disclosure “regarding risks, including risk factors and market risk,” without resort to “boilerplate” language. In determining these risks, registrants must focus on those countries experiencing “significant economic, fiscal, and/or political strains such that the likelihood of default would be higher than would be anticipated when such factors do not exist.”
More specifically, CorpFin elaborated that registrants should:
CorpFin also encouraged registrants to consider the following when making disclosures about exposure associated with Eurodebt issues.
It was suggested that registrants should consider disclosure of gross funded exposures, demonstrating the basis for selection of countries discussed and the basis for determining the domicile of exposure. CorpFin also suggested making separate disclosure of exposures for:
It was recommended that registrants should consider making separate categories of disclosure for various investments as well, including:
CorpFin also encouraged registrants to disclose total unfunded exposures, including:
It was suggested that registrants should consider disclosure of total gross exposures, both funded and unfunded, with separation between type of counterparty and country for total gross exposures. CorpFin added that appropriate footnote disclosure might be warranted with highlighting of additional key details, such as maturity information for all exposures.
The guidance also called for registrants to consider disclosing all of the effects of credit default protection and hedging used to arrive at net exposure conclusions. Such effects might include, in appropriate circumstances, any or all of the following:
CorpFin encouraged registrants to make general risk management disclosures as well, including disclosures of:
Finally, CorpFin also noted that disclosures should be considered regarding significant developments that occur after any reporting date, as well as the effects of those events on previously reported amounts.
CorpFin expressed great concern about cybersecurity threats as well, noting that the standard for cybersecurity disclosures is that which applies under federal securities laws generally. Thus, registrants must make “timely, comprehensive and accurate” disclosure about “risks and events that a reasonable investor would consider important to an investment decision.”
It was also noted that “material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures... not misleading.”
CorpFin pointed out that registrants that are victims of cyber attacks may incur a variety of material costs or consequences worthy of disclosure, including but not limited to:
CorpFin suggested that registrants should make certain “risk factors” disclosures “if these issues are among the most significant factors that make an investment in the company speculative or risky.”
Prior cyber incidents should be taken into account in determining whether disclosures are required, as well as the probability of cyber incidents occurring in the future, which may be affected by the existence of explicit threats of attack.
Consistent with requirements for risk factor disclosures generally, cybersecurity risk disclosures must adequately describe the nature of the material risks and how each risk affects the registrant specifically, according to CorpFin.
The interpretive publication added that appropriate risk factor disclosures might include:
CorpFin suggested that registrants should address cybersecurity risks and cyber incidents in MD&A “if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity or financial condition or would cause reported financial information to be [misleading].”
Any discussion of the threats faced by a registrant or of how a registrant addresses those threats — either in the MD&A or in the “risk factors” section of a report — should not be generic. But CorpFin did emphasize that “the federal securities laws do not require disclosure that itself would compromise a registrant’s cybersecurity” so a potentially damaging degree of specificity is not required.
CorpFin suggested that a registrant should provide cybersecurity disclosures in the “Description of Business” section of a required report if “one or more cyber incidents materially affect a registrant’s products, services, relationships with customers or suppliers, or competitive conditions.”
In determining whether to include disclosure, registrants should consider the impact on their reportable business segments, CorpFin added.
The published guidance also noted that when a pending legal proceeding is material and involves a cyber incident, relevant information must be disclosed in the “Legal Proceedings” section of any pertinent report to the SEC.
CorpFin explained how cyber incidents could impact a registrant’s financial statements and accounting decisions as well. Depending on the nature and severity of the incident, the following guidance could be relevant.
When registrants incur substantial costs to prevent cyber incidents, they must consider Accounting Standards Codification (“ASC”) 350-40 regarding “Internal-Use Software” to the extent that such costs are software related.
When registrants mitigate damages from an incident by providing customers with incentives to maintain business relationships, they should consider ASC 605-50 regarding “Customer Payments and Incentives” to ensure appropriate recognition, measurement and classification of incentives awarded in connection with cyber attacks.
Registrants should also refer to ASC 450-20 regarding “Loss Contingencies” to determine when to recognize a cybersecurity loss, such as a loss related to warranty, breach of contract, product recall or replacement, and indemnifications.
Other potentially material impacts on future cash flows must also be properly reported, such as impacts related to asset impairment, goodwill, trademarks, patents, capitalized software, or assets associated with hardware, software and inventory.
If a cyber incident is discovered after the balance sheet date but before the issuance of financial statements, then an affected registrant should consider whether disclosure of a “subsequent event,” as defined by rule, is appropriate. If the incident is a material subsequent event, the financial statements should include an estimate of the financial effect, or a statement that an estimate cannot be made at that time, according to CorpFin.
CorpFin’s guidance concluded with a reminder that registrants must also disclose management conclusions related to cybersecurity and the effectiveness of disclosure controls and procedures. For instance, management must consider whether there are any deficiencies in its disclosure controls and procedures if cyber incidents pose a risk to the registrant’s ability to record, process, summarize and report information as required by the SEC.