Reporting risk factors started in earnest in 2005 when the SEC introduced a new section in annual 10-K reports for organizations to discuss the “most significant factors that make the company speculative or risky.” Specifically, publicly traded companies were required to include qualitative disclosures of risk factors and to update that information quarterly with changes.
There was criticism of these requirements, mostly centered around the qualitative nature of the disclosures and the inability to estimate the financial impact on performance. Since there were no requirements to quantify the likelihood of any disclosed risk, the risk factors that were ultimately disclosed included all possible risks rather than those specific or relevant to the organization, making the information useless to investors.
In 2010, because of these criticisms, the SEC revised its guidelines to instruct firms to clearly state the risk and specify how the particular risk affects the organization. Specifically, companies should not present risks that could apply to any issuer or any offering.
Oversight and governance of risk management was also becoming of interest to investors. In December 2009, the SEC approved rules to enhance information provided to shareholders so they might better evaluate corporate oversight and governance in regards to the extent of the Board’s role in the risk oversight of the company.
The term “cyber security” was formalized in public filings in October 2011. Following two years of increased cyber-attacks that resulted in significant costs and reputational damage diminishing customer or investor confidence, the SEC released guidance for organizations to provide specific disclosures of (i) their cyber security risks; (ii) the frequency and severity of prior cyber incidents; (iii) the possibility of re-occurrence; and (iv) the potential magnitude of cyber incidents. There was significant push back on this guidance by organizations that were fearful of publicly revealing cyber vulnerabilities that could be exploited by malicious outsiders.
In June 2014, in a speech at the Cyber Risks and the Boardroom Conference entitled the Role of the Board of Directors in Overseeing Cyber-Risk Management , SEC Commissioner Luis A. Aguilar warned of the “severe impact” that cyber-attacks could have on the capital markets, public companies and investors. Highlighting the responsibility of the Board of Directors, he elaborated on the lack of technical expertise on many boards to evaluate management’s actions to address cybersecurity issues. His recommendations included the conduct of a NIST-based cybersecurity assessment and the hiring of “appropriate personnel to carry out effective cyber-risk management while providing regular reports to the Board” citing several survey findings that suggested that currently wasn’t the case.
In October 2015, the New York Stock Exchange released a cybersecurity guide for public companies which included topics such as board obligations, hiring Chief Information Security Officers, incident action plans and response.
On December 17, 2015, the Cybersecurity Disclosure Act of 2015 was referred to Committee by a bipartisan Congressional group to promote transparency in the oversight of cybersecurity risks by requiring the disclosure of those Board members with information technology security expertise or, alternatively, activities underway to recruit such members. The Committee has not yet consider the details before possibly sending it on to the House or Senate… so stay tuned…
Next steps? I wouldn’t wait – sounds like it’s time to hire cyber-savvy Board members, establish Board oversight and governance, and conduct a NIST-based risk assessment!
Regulation S-K, Item 305©, SEC 2005
Risk Disclosure in SEC Corporate Filings; http://repository.upenn.edu/cgi/viewcontent.cgi?article=1088&context=wharton_research_scholars
17 CFR 229.503(c).
SEC Approves Enhanced Disclosure About Risk, Compensation and Corporate Governance; https://www.sec.gov/news/press/2009/2009-268.htm
Board of Directors, Corporate Governance and Cyber Risks: Sharpening the Focus; https://www.sec.gov/News/Speech/Detail/Speech/1370542057946
NYSE releases a cybersecurity guide for public companieshttp://www.marketwatch.com/story/nyse-releases-a-cybersecurity-guide-for-public-companies-2015-10-14?rss=1
S. 2410: Cybersecurity Disclosure Act of 2015; https://www.govtrack.us/congress/bills/114/s2410
Coercing Companies to Name Security-Savvy Directors http://www.govinfosecurity.com/coercing-companies-to-name-security-savvy-directors-a-8831?rf=2016-01-28-eg&mkt_tok=3RkMMJWWfF9wsRonuajMcu%2FhmjTEU5z17OotUKCwlMI%2F0ER3fOvrPUfGjI4ATctgMK%2BTFAwTG5toziV8R7DALc16wtwQWRLl