SEC Disclosure And Corporate Governance via Weil, Gotshal & Manges LLP
What’s New for 2015: Cybersecurity, Financial Reporting and Disclosure Challenges
As calendar-year reporting companies close the books on fiscal 2014, begin to tackle their annual reports on Form 10-K and think ahead to reporting for the first quarter of 2015, a number of issues warrant particularly close board and management attention. In highlighting these key issues, we include guidance gleaned from the late Fall 2014 programs during which members of the staff of the Securities and Exchange Commission (SEC) and other regulators delivered important messages for companies and their outside auditors to consider. Throughout this Alert, we offer practical suggestions on “what to do now.”
While there are no major changes in the financial reporting and disclosure rules and standards applicable to the 2014 Form 10-K, companies can expect heightened scrutiny from regulators, and heightened professional skepticism from outside auditors, regarding compliance with existing rules and standards. Companies can also expect shareholders to have heightened expectations of transparency fostered by notable 2014 events such as major corporate cyber-attacks. Looking forward into 2015, companies will need to prepare for a number of significant changes, including a new auditing standard for related party transactions, a new revenue recognition standard and, for the many companies that have deferred its adoption, a new framework for evaluating internal control over financial reporting (ICFR). The role of the audit committee in helping the company meet these challenges is undiminished – and perhaps, in regulators’ eyes, more important than ever.
SEC 2015 Challenges – Highlights
- The No. 1 challenge: cybersecurity
- Continuing spotlight on the audit committee’s role as “gatekeeper”
- Increased auditor scrutiny of related party transactions
- Preservation of auditor independence
- Proper evaluation of control deficiencies
- The heightened possibility of a corporate whistleblower
- Heightened SEC enforcement focus on financial reporting
- The SEC Enforcement Division’s “broken windows” policy
- Hot topics in the accounting arena relevant to the 2014 Form 10-K
- The new revenue recognition standard
- The new COSO framework for evaluating ICFR
SEC Challenge One: Cybersecurity
Cyber-crime has become a chronic, enterprise-wide risk that poses one of the most significant threats to public companies. Recent, highly-publicized incidents of cyber-attacks on companies in a wide range of industry sectors – including media giant Sony Pictures Entertainment, retailers Staples, Home Depot and Target, and JPMorgan in the financial sector, to name just a few – demonstrate the vulnerability of companies to cyber-attacks, the severe impact these attacks can have and the need for management and the board to take an integrated, proactive approach to addressing this risk.1 The potential costs to a company of a successful cyber-attack can include loss of intellectual property; breach of customer data privacy; service and business interruptions; damage to physical infrastructure (e.g. corrupted servers); loss of brand value; response costs; loss of stock market value; regulatory inquiries and class action litigation; and management distraction.
Not surprisingly, senior federal governmental officials have identified cybersecurity as a top national policy priority. Over the past few months, U.S. Treasury Secretary Jacob Lew and others have urged companies in the banking sector to use a voluntary framework for managing cybersecurity risk published in February 2014 and developed by the National Institute of Standards and Technology (“NIST”) in response to a Presidential executive order and policy directive.2 Both President Obama and Secretary Lew have called on Congress to pass legislation in 2015 that would protect companies from liabilities that might arise from sharing competitively sensitive information relating to cybersecurity risks and breaches.
The events of 2014 will require a new round of discussion with boards of directors and C-suite executives about company cybersecurity policies and practices, and what companies can do to mitigate cyber-risks. The critical IP assets of the company need to be identified and protected as well as possible, using a variety of strategies that are regularly reviewed; and incident response plans (including information systems, business continuity and recovery planning in the event of outright destruction of data, not just theft or tampering) need to be prepared, updated as necessary, tested periodically and fully implemented. At a minimum, companies can and should maximize protection against cyber-risk exposures through company and D&O cyberinsurance. Protecting network security takes a village, involving every employee of the company. A culture of security needs to be instilled in every person touching a keyboard or a keypad.
Companies should also carefully review their disclosures surrounding cybersecurity, whether made in an SEC filing or elsewhere. Cybersecurity as a disclosure issue has been front-and-center on the SEC’s radar screen for some time now, beginning with the publication in October 2011 of Staff guidance on the disclosure obligations of public companies relating to cybersecurity risks and cyber-incidents.4 The focus of this guidance is on whether information concerning cybersecurity and cyber-incidents rises to the level of a significant risk factor and/or a material “known event, trend or uncertainty” for purposes of the Management Discussion and Analysis (“MD&A”) section of periodic reports and other SEC filings. With respect to the MD&A, the critical determining factor cited in this guidance is whether “the costs or other consequences associated with one or more incidents or the risks of potential incidents [of cyber-breaches] represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.”
Concerned by mounting reports of major corporate cyber-breaches, the SEC held a March 2014 “cyber roundtable” bringing together industry groups and public and private sector participants to discuss, among other things, whether or not additional SEC guidance related to the level of disclosure in a company’s public filings is necessary. A few months later, SEC Commissioner Luis Aguilar delivered a speech to the New York Stock Exchange emphasizing that “board oversight of cyber-risk management is critical to ensuring that companies are taking adequate steps to prevent, and prepare for, the harms that can result from such [cyber] attacks[,]” and expressing the view that there is a disconnect between “the magnitude of the exposure presented by cyber-risks and the steps, or lack thereof, that many corporate boards have taken to address these risks.”