Report: Most Companies Fail to Disclose Cybersecurity as a Risk Factor in SEC Filings
Companies still aren't talking about their fear of breaches in filings, but that could change as cybersecurity continues to grow as a priority for regulators.
December 08, 2017 at 05:34 PM
7 minute read
Todd Hicks, CEO of Intelligize. Courtesy of Intelligize.
In recent years, the number of companies identifying cybersecurity as a risk factor in U.S. Securities and Exchange Commission filings has grown tremendously. But there appears to have been a leveling off in 2017, which may indicate that companies “have blinders on” when it comes to disclosing cybersecurity risks, according to a new report.
From 2012 to 2016, the number of companies reporting cybersecurity as a risk factor in SEC filings has grown 277 percent, the report from Intelligize Inc. shows. Despite that increase though, the report, which is based on all public company SEC filings from 2012 to this year, indicates that there's still only a relatively small proportion of all public companies—38 percent—citing cybersecurity as a risk factor in quarterly and annual filings.
What's more, the report said, while by 2016, 1,662 public companies reported cybersecurity was a risk factor, as of Oct. 31 of this year, that number had only seen a slight bump to 1,680 companies
The slowdown in disclosing cyber as a risk may indicate one of two things, Todd Hicks, CEO of Intelligize, said in an email. It means companies “either they have blinders on—or they are deliberately not acknowledging the risks because they don't want to tip off potential hackers,” he said.
But Hicks added that he expects to see more reporting from companies in the coming years. “For the 62 percent of public companies not disclosing, I would expect that number to get smaller over the next few years, especially as the SEC gets stricter on rules around specific risk factor disclosure,” Hicks said.
And this is particularly true if clarity is provided to companies on disclosure, Hicks said. In 2011, the SEC issued disclosure guidance around cybersecurity risks, advising that companies “should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.” The SEC has since formed a cyber unit intended to combat cyber-based threats, but the guidance on disclosure has not been updated in over six years, Hicks said.
“Many issuers struggle with both the timing of disclosure around a material breach as well as determining exactly how much to disclose, especially if there is an ongoing investigation related to the breach,” he explained. “Greater clarity and guidance from the SEC will certainly trigger broader reporting around this topic.”
As is pointed out in the report, cybersecurity issues not only present a risk to a company's reputation, but can also mean backlash for company execs. Sony Pictures Entertainment Inc. CEO Amy Pascal was fired after the 2014 hack of that company, for instance, and Equifax Inc. CEO Richard Smith retired in the wake of his company's massive breach announced in September. But with the sudden departure earlier this year of former Yahoo Inc. general counsel Ron Bell behind the tech giant's two massive breaches, this risk has reached the legal department as well.
“Cybersecurity is a mainstream board-level issue—senior-level executives and the GC of organizations must protect the assets of the business,” Hicks said. “The GC needs to work closely with the board to ensure a proper cybersecurity plan is in place. In addition to the CEO, the GC has been the fall guy after some major cyber events, including the recent Yahoo and Equifax breaches.”
Todd Hicks, CEO of Intelligize. Courtesy of Intelligize.
In recent years, the number of companies identifying cybersecurity as a risk factor in U.S. Securities and Exchange Commission filings has grown tremendously. But there appears to have been a leveling off in 2017, which may indicate that companies “have blinders on” when it comes to disclosing cybersecurity risks, according to a new report.
From 2012 to 2016, the number of companies reporting cybersecurity as a risk factor in SEC filings has grown 277 percent, the report from Intelligize Inc. shows. Despite that increase though, the report, which is based on all public company SEC filings from 2012 to this year, indicates that there's still only a relatively small proportion of all public companies—38 percent—citing cybersecurity as a risk factor in quarterly and annual filings.
What's more, the report said, while by 2016, 1,662 public companies reported cybersecurity was a risk factor, as of Oct. 31 of this year, that number had only seen a slight bump to 1,680 companies
The slowdown in disclosing cyber as a risk may indicate one of two things, Todd Hicks, CEO of Intelligize, said in an email. It means companies “either they have blinders on—or they are deliberately not acknowledging the risks because they don't want to tip off potential hackers,” he said.
But Hicks added that he expects to see more reporting from companies in the coming years. “For the 62 percent of public companies not disclosing, I would expect that number to get smaller over the next few years, especially as the SEC gets stricter on rules around specific risk factor disclosure,” Hicks said.
And this is particularly true if clarity is provided to companies on disclosure, Hicks said. In 2011, the SEC issued disclosure guidance around cybersecurity risks, advising that companies “should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.” The SEC has since formed a cyber unit intended to combat cyber-based threats, but the guidance on disclosure has not been updated in over six years, Hicks said.
“Many issuers struggle with both the timing of disclosure around a material breach as well as determining exactly how much to disclose, especially if there is an ongoing investigation related to the breach,” he explained. “Greater clarity and guidance from the SEC will certainly trigger broader reporting around this topic.”
As is pointed out in the report, cybersecurity issues not only present a risk to a company's reputation, but can also mean backlash for company execs.
“Cybersecurity is a mainstream board-level issue—senior-level executives and the GC of organizations must protect the assets of the business,” Hicks said. “The GC needs to work closely with the board to ensure a proper cybersecurity plan is in place. In addition to the CEO, the GC has been the fall guy after some major cyber events, including the recent Yahoo and Equifax breaches.”
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllFinancial Watchdog Alleges Walmart Forced Army of Gig-Worker Drivers to Receive Pay Through High-Fee Accounts
GC Pleads Guilty to Embezzling $7.4 Million From 3 Banks
In Lawsuit, Ex-Google Employee Says Company’s Layoffs Targeted Parents and Others on Leave
6 minute readGC With Deep GM Experience Takes Legal Reins of Power Management Giant
2 minute readTrending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250