By John Filar Atwood
In the upcoming filings season, the staff of the SEC’s Division of Corporation Finance will be looking closely at disclosure on the degree to which the board oversees the management of the company’s cybersecurity risks. At Practising Law Institute’s conference on securities regulation, both Deputy Director Shelley Parratt and Associate Director Cicely LaMothe emphasized that the staff expects this year’s cyber disclosure to adhere to the 2018 staff guidance in this area.
LaMothe said the staff will expect to see disclosure on the cyber risks a company faces and the board’s oversight of managing that risk. She noted that the staff reads press reports, and if it sees a cyber incident mentioned, it will look for a discussion of the incident in the company’s disclosure documents. The information disclosed must make sense in terms of what is going on with a company, she added.
Parratt agreed, and opined that cyber disclosure is improving overall. She advised companies to be sure to discuss their internal controls surrounding cybersecurity and their policies to prevent insider trading before an incident is made public. Northrop Grumman’s Jennifer McGarey said that her company puts certain employees on a no-trade list so that if a cyber breach occurs, the company can act quickly. At Northrop Grumman, cybersecurity is a board-level disclosure, she noted.
Sidley & Austin’s Thomas Kim remarked that the Commission’s 2011 cyber guidance was a little tentative, but the 2018 guidance has a very different tone. After reading the 2018 guidance, companies should conclude that cybersecurity and data management must be treated as a material risk by all entities, he said.
Yahoo! case. Former CorpFin Director Meredith Cross, a partner at WilmerHale, advised companies to learn some lessons from the 2018 cyber disclosure case against Yahoo! The Commission found that the company’s risk factor disclosure was materially misleading for failure to disclose a massive data breach in 2014.
Importantly, Cross said, the SEC criticized Yahoo! for not consulting with outside auditors and experts on the matter. She wondered whether prior to the Yahoo! case corporate counsel would have thought of outside consulting as part of the controls and procedures process. She advised companies to be mindful going forward of the Commission’s critique of Yahoo!.
Brexit. Another area of focus for the CorpFin staff in upcoming filings will be Brexit disclosure, according to Parratt. As the March 2019 deadline nears, she noted, the staff is monitoring the disclosure on the topic. So far the quality of reporting is wide ranging, she said, with some companies covering very thoroughly supply chain and personnel issues, and whether Brexit will cause them to have to relocate. Division Director William Hinman added that if a company is still providing generic Brexit disclosure, it should think about whether its shareholders will be surprised about it after it happens.
The LIBOR phase-out could have a significant impact on some companies, Parratt said, so the staff will want to see adequate disclosure if it is a material issue for a company. She added that the staff expects LIBOR-related reporting to improve as more information becomes available on the transition to other reference rates.
LaMothe said that the top areas on which the staff comments remain consistent from year to year. This year the staff issued numerous comments on revenue recognition, fair value disclosure, and MD&A. She advised that when the staff is drafting comments, it tries to understand what a company’s accounting method is and then examines how the company has applied the relevant staff guidance.
Staff reviews are not limited to the filings themselves, LaMothe said. The staff also looks at analyst reports, news stories, and web sites. The staff’s objective is to understand the story of a company, she noted, and then to make sure the company’s MD&A conveys that.
Fewer comment letters. Cross said that overall it seems the staff is issuing fewer comment letters, but that they are harder and more well-informed. LaMothe agreed that there are fewer letters issued, noting that the staff is moving away from sending out generic comments. In addition, the staff is being more proactive in the comment process by calling companies to discuss its questions, she said.
In her opinion, companies also engage in a lot of self-correction. They take into account the comments the staff has issued and adjust their disclosure accordingly, which cuts down on the need for comment letters, LaMothe said.
She emphasized that the staff does not always require an amendment when it has questions about a company’s filing. She advised companies to call the staff for clarification. The staff can hopefully help a company target its responses to the staff’s questions, she added, and avoid having to prepare an amended filing.