In Part One of this article, we looked at the Securities and Exchange Commission (SEC) Division of Corporation Finance’s recent release – CF Disclosure Guidance: Topic No. 2 – Cybersecurity (the “Guidance”), which is intended to provide guidance to companies on whether and how to disclose the impact of the risk and cost of cybersecurity incidents (both malicious and accidental) on a company.
In Part Two we’ll look at the specific advice provided by the Guidance regarding specific reporting regulations and how it might apply to some recent cyber-incidents.
Management’s Discussion and Analysis of Financial Condition and Results of Operations
The next section of the Guidance discusses the way that companies should address cybersecurity risks and cyber incidents under the reporting rules associated with Management’s Discussion and Analysis of Financial Condition and Results of Operations (“MD&A”) under Item 303 of Regulation S-K and Form 20-F, Item 5.
According to the SEC, the standard for discussion of cyber incidents in a company’s MD&A is the same as for non-cyber events. Thus, if the costs or other consequences associated with a cyber incident, or the risk associated with potential incidents, represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on a company’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition, then those costs, consequences or risks must be disclosed and discussed by the company.
For example, if intellectual property is stolen in a cyber attack, as was the case in the RSA attack, and the effects of the theft are reasonably likely to be material to the affected company, the Guidance suggests that the company should describe the stolen IP and the effect of the attack on its results of operations, liquidity, and financial condition, and whether the attack would cause reported financial information not to be indicative of future operating results or financial condition. Since RSA is offering to replace all of the RSA SecurID tokens that could be affected by the information stolen in the RSA attack, at a potential cost of up to $52 million, that could rise to the level of materiality. Similarly, if it is reasonably likely that the hacking attack will lead to a material reduction in revenues or a material increase in cybersecurity protection costs, including costs related to litigation, the SEC wants the company to discuss these possible outcomes, including the amount and duration of the expected costs.
Alternatively, if a hacking attack or some other cyber incident did not result in harm to a company, but it prompted the company to materially increase its cybersecurity protection expenditures, the SEC wants the company to disclose those increased expenditures. However, the Guidance is careful to note that discussions of increased cybersecurity spending do not require disclosure of information that would make it easier to attack the company.
The Guidance goes through other disclosure requirements and provides examples of when a company might have to disclose information about a cyber incident.
If a cyber incident (or multiple incidents) materially affects a company’s products, services, relationships with customers or suppliers, or competitive conditions, the company should provide disclosure in the company’s “Description of Business” as required by Item 101 of Regulation S-K and Form 20-F, Item 4.B. In determining whether to include disclosure, the SEC recommends that companies consider the impact on each of their reportable segments. For example, if a company has a new product in development and learns of a cyber incident that could materially impair the future viability of the product, the company should discuss the incident and the potential impact to the extent the impairment to the future of the product would be considered material. As in the previous section, the impact on RSA of the loss of intellectual property associated with the SecurID token could reach the level of materiality.
Similarly, if a company or any of its subsidiaries is a party to litigation that involves a cyber incident, the company may need to disclose information regarding the litigation in its “Legal Proceedings” disclosure, just as it would any other litigation, as required by Item 103 of Regulation S-K. For example, if a significant amount of customer information is stolen, as was the case in the Epsilon and RSA attacks, and the loss results in material litigation, the Guidance recommends that the affected company disclose the name of the court in which the proceedings are pending, the date instituted, the principal parties, a description of the factual basis alleged to underlie the litigation, and the relief sought.
Finally, the Guidance notes that risk mitigation and cyber incidents could impact a company’s financial statements, and the SEC has provided examples to help companies make sure costs are given the appropriate accounting treatment. The SEC notes, for example, that after a cyber incident companies might try to mitigate the business damage by providing customers with incentives to maintain the business relationship, which should be handled in accordance with ASC 605-50, Customer Payments and Incentives. Similarly, cyber incidents may result in losses from asserted and unasserted claims, including those related to warranties, breach of contract, product recall and replacement, and indemnification of counterparty losses from their remediation efforts, all of which should be handled in accordance with ASC 450-20, Loss Contingencies.
From a more strictly accounting perspective, cyber incidents could also result in diminished future cash flows, requiring the affected company to consider the effect on certain assets, including goodwill, customer-related intangible assets, trademarks, patents, capitalized software or other long-lived assets associated with hardware or software, and inventory. According to the SEC, pursuant to FASB ASC 275-10, Risks and Uncertainties:
“[Company] may not immediately know the impact of a cyber incident and may be required to develop estimates to account for the various financial implications. [Companies] should subsequently reassess the assumptions that underlie the estimates made in preparing the financial statements. A [company] must explain any risk or uncertainty of a reasonably possible change in its estimates in the near-term that would be material to the financial statements. Examples of estimates that may be affected by cyber incidents include estimates of warranty liability, allowances for product returns, capitalized software costs, inventory, litigation, and deferred revenue.”
If a cyber incident is discovered after a company’s balance sheet date but before the company actually issues its financial statements, the SEC recommends that the company consider whether disclosure of a recognized or non-recognized subsequent event is necessary. If the cyber incident constitutes a material non-recognized subsequent event pursuant to ASC 855-10, Subsequent Events, the company’s financial statements should disclose the nature of the incident and an estimate of its financial effect, or they should include a statement that such an estimate cannot be made.
Disclosure Controls and Procedures
The Guidance is written at a fairly high level and does not prescribe any particular technologies or practices. However, there is an interesting statement at the end of the document:
“To the extent cyber incidents pose a risk to a [company’s] ability to record, process, summarize, and report information that is required to be disclosed in Commission filings, management should also consider whether there are any deficiencies in its disclosure controls and procedures that would render them ineffective. For example, if it is reasonably possible that information would not be recorded properly due to a cyber incident affecting a [company’s] information systems, a [company] may conclude that its disclosure controls and procedures are ineffective.”
In other words, when determining whether a company’s disclosure controls and procedures are effective under Item 307 of Regulation S-K, management should consider how vulnerable the underlying information systems are to cyber incidents and whether the company can conclude in good faith that its disclosure controls and procedures are “effective.” It might be that disclosure controls and procedures should be considered “effective” only if they include a monitoring system, itself protected from cyber attacks, that can recognize when an incident has occurred – which raises the question of whether anything short of secure logging would be “effective.” On a local network, logging is relatively easy, but when we start incorporating multi-tenant cloud solutions into the environment, logging becomes a lot more challenging. On a more general level, cloud providers have been reluctant to share information about their security efforts, as well as any risks or failures that they are not required to disclose.
In Parts Three and Four we’ll talk about how you can assess whether your cloud service provider is providing a secure solution and some of the things you should look for in your cloud services contract.