Cybersecurity risks are material to nearly every public company, and regulators will expect updated disclosures about them this year, a Securities and Exchange Commission official indicated Dec. 10.
Cybersecurity is “absolutely” a topic of interest and it’s “definitely fair” to say that the SEC “will be taking a look at that” when reviewing company disclosures this season, Cicely LaMothe, associate director in the SEC’s Division of Corporation Finance, said during a panel discussion at the American Institute of CPAs conference on SEC-PCAOB developments in Washington.
LaMothe’s remarks came nearly a year after the SEC updated its guidance on cybersecurity disclosure requirements and serve as a reminder that regulator scrutiny of cybersecurity issues hasn’t waned.
“Sometimes there’s a false sense of comfort that the guidance is a year old,” Mark Kronforst, a partner at EY in Washington and a fellow panelist, said just before LaMothe’s remarks. “I would not be surprised at all if the staff has a very hard look at those disclosures this time around.”
The SEC issued guidance on cybersecurity disclosure requirements for public companies on Feb. 21 in the wake of breaches at Equifax Inc. and Verizon Communications Inc.’s Yahoo!. At the time, SEC Chairman Jay Clayton said public companies “have a clear obligation to disclose material information about cyber risks and cyber events” and he expected companies “to take this requirement seriously.”
Cybersecurity is probably the only risk that virtually every company should include in the management’s discussion and analysis (MD&A) section of its annual filing, said Brian Lane, a partner at Gibson, Dunn & Crutcher LLP in Washington.
“Cybersecurity is the one that crosses all, whatever company you are,” he said. Other current events, like Brexit, rising interest rates, or riots in Paris, may not pose a material risk to every company.
“A lot of companies out there think there’s a cookie-cutter approach,” he said. But companies shouldn’t include global risks unless they will truly be affected by the event, he said. “Don’t choose to add a risk factor just to add a risk factor,” Lane said.
LaMothe suggested that companies reassess risks and update them as they understand them better. “Companies really need to think about reassessing their disclosures, and as you get closer and closer to the point that you understand what the impact is, making sure your disclosure document also lets investors know what that impact will be,” she said.