Have you ever shopped at Target or Ikea? Have you ever bought a car from a Kia dealership? Do you use Facebook? Have you checked your credit score with Equifax? (Are you wondering why I’m asking you all of these questions?) Well, all of these companies have had some sort of cybersecurity breach over the years! In fact, over 72% of nearly 600 respondents to Deloitte’s 2021 Future of Cyber Survey indicated that their company has experienced between one and ten cyber incidents/breaches since 2010. So, where do companies turn for guidance?
Surprisingly, neither Regulation S-K nor Regulation S-X contains an explicit disclosure requirement that addresses cybersecurity. Can you believe that? In 2011, the SEC’s Division of Corporation Finance issued CF Disclosure Guidance: Topic No. 2, which set out the staff’s views (it is not a rule or regulation) on companies’ existing disclosure obligations relating to cybersecurity risks and incidents. Then, in 2018, the Commission itself released an interpretive statement (again, guidance rather than a new rule) that expanded on those views, including the expectation that companies maintain disclosure controls and procedures that cover cybersecurity. The 2018 statement also reinforced the 2011 guidance by elaborating on specific topics: cyber-specific risk factors, timely disclosure of material information, the impact of cyber risks and incidents on MD&A, the application of insider trading prohibitions to material nonpublic information about cyber incidents, and the role of the company’s Board.
Although disclosures of material cyber incidents and cybersecurity risk management have improved since 2011, they remain inconsistent from company to company. To give investors more consistent and useful information about cybersecurity incidents, and in light of the growth of digital technology, remote work, and crypto-assets, the SEC issued a proposed rule on March 9, 2022 that would add enhanced disclosure requirements while leaving the 2011 and 2018 guidance in place.
The proposed rule includes the following:
- Material cybersecurity incidents would need to be disclosed on Form 8-K (new Item 1.05) within four business days of the company determining that the incident is material (not within four business days of the incident occurring). Information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important.”
- Forms 10-K and 10-Q would need to include updates on any material incident previously reported on Form 8-K (where there have been material changes)
- Adding Item 106 to Regulation S-K, which would require a company to disclose in its Form 10-K:
  - Its policies and procedures for identifying and managing cybersecurity risks, and its cybersecurity strategy
  - Its Board’s oversight of cybersecurity risk, and management’s role and expertise in assessing and managing cybersecurity risk and in implementing cybersecurity policies, procedures, and strategies
About GAAP Dynamics
We’re a DIFFERENT type of accounting training firm. We don’t think of training as a “tick the box” exercise, but rather an opportunity to empower your people to help them make the right decisions at the right time. Whether it’s U.S. GAAP training, IFRS training, or audit training, we’ve helped thousands of professionals since 2001. Our clients include some of the largest accounting firms and companies in the world. As lifelong learners, we believe training is important. As CPAs, we believe great training is vital to doing your job well and maintaining the public trust. We want to help you understand complex accounting matters and we believe you deserve the best training in the world, regardless of whether you work for a large, multinational company or a small, regional accounting firm. We passionately create high-quality training that we would want to take. This means it is accurate, relevant, engaging, visually appealing, and fun. That’s our brand promise. Want to learn more about how GAAP Dynamics can help you? Let’s talk!
This post is published to spread the love of GAAP and provided for informational purposes only. Although we are CPAs and have made every effort to ensure the factual accuracy of the post as of the date it was published, we are not responsible for your ultimate compliance with accounting or auditing standards and you agree not to hold us responsible for such. In addition, we take no responsibility for updating old posts, but may do so from time to time.