Companies are expected to face major challenges related to financial disclosure and corporate governance this year. Cybersecurity is considered a major threat to public companies and a top national policy priority for senior federal government officials, according to the latest report released by Weil, a prominent international law firm.
Weil noted that the SEC did not implement major changes in the financial reporting and disclosure rules and standards applicable to Form 10-K for 2014. However, the law firm emphasized the possibility of “heightened scrutiny” from regulators and “heightened professional skepticism from outside auditors” to ensure that companies complied with the existing rules and standards.
For the year 2015, Weil said companies should be ready to address significant challenges, including a new auditing standard for related party transactions, a new revenue recognition standard and a new framework for evaluating internal control over financial reporting (ICFR).
Potential damages of cyberattacks to companies
A number of major public companies including Home Depot, JPMorgan, Staples, Sony and Target Corporation among others recently suffered massive cybersecurity breaches.
The situation clearly showed that companies are vulnerable to cyberattacks. The board and management of every company should implement an integrated and proactive approach to address the risk, according to Weil.
According to the law firm, companies could endure significant damages in the event of a successful cyberattack. These may include loss of intellectual property, breach of customer data privacy, service and business interruptions, damage to physical infrastructure, and loss of brand value. They may also include response costs, loss of stock market value, regulatory inquiries, class action litigation and management distraction.
Given the extent of damage a cyberattack could bring to companies, senior federal government officials consider cybersecurity a top national policy priority.
President Barack Obama and Treasury Secretary Jacob Lew urged Congress to pass legislation in 2015 to protect companies from liabilities that may arise from competitively sensitive information related to cybersecurity breaches and risks.
Secretary Lew and other government officials encouraged companies in the banking sector to voluntarily adopt the cybersecurity framework developed by the National Institute of Standards and Technology (NIST) and published in February 2014.
BOD on cybersecurity policies and practices
The board of directors and C-suite executives of companies need a new round of discussions about cybersecurity policies and practices and how to mitigate risks given the events that happened last year, according to Weil.
The law firm emphasized that the leadership of companies needs to identify and protect critical IP assets, implement various strategies that are reviewed regularly, and prepare incident response plans (updated as necessary, tested periodically and fully implemented).
The board and management can protect the company against cybersecurity risks at a minimum level, and should provide maximum protection through company and D&O cyber insurance, according to Weil. The law firm added that every employee must be involved in protecting the company against cyberattacks.
Weil emphasized, “A culture of security needs to be instilled in every person touching a keyboard or a keypad.”
Cybersecurity as a disclosure issue
In March 2014, concerned by the increasing reports of cyberattacks on major corporations, the SEC conducted a “cyber roundtable” with participants from the private and public sectors as well as industry groups.
One of the issues discussed during the cyber roundtable was whether additional SEC guidance on the level of disclosure in companies' public filings is necessary.
A few months after the event, SEC Commissioner Luis Aguilar emphasized in his speech to the New York Stock Exchange (NYSE) that “board oversight of cyber-risk management is critical” to ensure that companies take appropriate actions to prevent and prepare for any harms from cyberattacks.
According to Weil, cybersecurity as a disclosure issue has been front and center on the SEC's radar screen. It is imperative for companies to carefully review their cybersecurity-related disclosures.
The SEC's Division of Corporation Finance Staff continues to encourage companies to refer to the guidance published in October 2011 on public company disclosures related to cybersecurity risks and cyber-incidents when preparing periodic reports.
The law firm noted that the Staff's October 2011 guidance focuses on whether cybersecurity risks and cyber-incidents rise to the level of a significant risk factor and/or a material known event, trend or uncertainty for the purposes of the Management Discussion and Analysis (MD&A) section of periodic reports and other SEC filings.
The critical factors in the guidance with respect to the MD&A are the costs or other consequences associated with one or more incidents, or the risks of potential cyberattacks.
The SEC wants to know whether such an incident represents a material event, trend or uncertainty that has a significant impact on the financial condition, operations or liquidity of the reporting company.
“Companies should be aware that the Staff often monitors media coverage of a public company as part of any review of its periodic reports, and may ask tough questions in that context if reports of a potentially material cyber-breach appear to be inconsistent with a company’s risk factor, MD&A and/or contingent liability footnote disclosures,” according to Weil.