What’s New in 2015: Cybersecurity, Financial Reporting and Disclosure Challenges

The following publication comes to us from Weil, Gotshal & Manges LLP and is based on a Weil alert; the complete publication, including footnotes, is available here.

As calendar-year reporting companies close the books on fiscal 2014, begin to tackle their annual reports on Form 10-K and think ahead to reporting for the first quarter of 2015, a number of issues warrant particularly close board and management attention. In highlighting these key issues, we include guidance gleaned from the late Fall 2014 programs during which members of the staff of the Securities and Exchange Commission (SEC) and other regulators delivered important messages for companies and their outside auditors to consider. Throughout this post, we offer practical suggestions on “what to do now.”

While there are no major changes in the financial reporting and disclosure rules and standards applicable to the 2014 Form 10-K, companies can expect heightened scrutiny from regulators, and heightened professional skepticism from outside auditors, regarding compliance with existing rules and standards. Companies can also expect shareholders to have heightened expectations of transparency fostered by notable 2014 events such as major corporate cyber-attacks. Looking forward into 2015, companies will need to prepare for a number of significant changes, including a new auditing standard for related party transactions, a new revenue recognition standard and, for the many companies that have deferred its adoption, a new framework for evaluating internal control over financial reporting (ICFR). The role of the audit committee in helping the company meet these challenges is undiminished—and perhaps, in regulators’ eyes, more important than ever.

2015 Challenges—Highlights

  • The No. 1 challenge: cybersecurity
  • Continuing spotlight on the audit committee’s role as “gatekeeper”
  • Increased auditor scrutiny of related party transactions
  • Preservation of auditor independence
  • Proper evaluation of control deficiencies
  • The heightened possibility of a corporate whistleblower
  • Heightened SEC enforcement focus on financial reporting
  • The SEC Enforcement Division’s “broken windows” policy
  • Hot topics in the accounting arena relevant to the 2014 Form 10-K
  • The new revenue recognition standard
  • The new COSO framework for evaluating ICFR

Challenge One: Cybersecurity

Cyber-crime has become a chronic, enterprise-wide risk that poses one of the most significant threats to public companies. Recent, highly-publicized incidents of cyber-attacks on companies in a wide range of industry sectors—including media giant Sony Pictures Entertainment, retailers Staples, Home Depot and Target, and J.P. Morgan Chase in the financial sector, to name just a few—demonstrate the vulnerability of companies to cyber-attacks, the severe impact these attacks can have and the need for management and the board to take an integrated, proactive approach to addressing this risk. The potential costs to a company of a successful cyber-attack can include loss of intellectual property; breach of customer data privacy; service and business interruptions; damage to physical infrastructure (e.g. corrupted servers); loss of brand value; response costs; loss of stock market value; regulatory inquiries and class action litigation; and management distraction.

Not surprisingly, senior federal governmental officials have identified cybersecurity as a top national policy priority. Over the past few months, U.S. Treasury Secretary Jacob Lew and others have urged companies in the banking sector to use a voluntary framework for managing cybersecurity risk published in February 2014 and developed by the National Institute of Standards and Technology (“NIST”) in response to a Presidential executive order and policy directive. Both President Obama and Secretary Lew have called on Congress to pass legislation in 2015 that would protect companies from liabilities that might arise from sharing competitively sensitive information relating to cybersecurity risks and breaches.

The events of 2014 will require a new round of discussion with boards of directors and C-suite executives about company cybersecurity policies and practices, and what companies can do to mitigate cyber-risks. The critical IP assets of the company need to be identified and protected as best as possible, using a variety of strategies that are regularly reviewed; and incident response plans (including information systems, business continuity and recovery planning in the event of absolute destruction of data, not just theft or tampering) need to be prepared, updated as necessary, tested periodically and fully implemented. At a minimum, companies can and should maximize protection against cyber-risk exposures through company and D&O cyberinsurance. Protecting network security takes a village, involving every employee of the company. A culture of security needs to be instilled in every person touching a keyboard or a keypad.

Companies also should review carefully their disclosures surrounding cybersecurity, whether made in an SEC filing or elsewhere. Cybersecurity as a disclosure issue has been front-and-center on the SEC’s radar screen for some time now, beginning with the publication in October 2011 of Staff guidance on the disclosure obligations of public companies relating to cybersecurity risks and cyber-incidents. The focus of this guidance is on whether information concerning cybersecurity and cyber-incidents rises to the level of a significant risk factor and/or a material “known event, trend or uncertainty” for purposes of the Management Discussion and Analysis (“MD&A”) section of periodic reports and other SEC filings. With respect to the MD&A, the critical determining factor cited in this guidance is whether “the costs or other consequences associated with one or more incidents or the risks of potential incidents [of cyber-breaches] represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.”

Concerned by mounting reports of major corporate cyber-breaches, the SEC held a March 2014 “cyber roundtable” bringing together industry groups and public and private sector participants to discuss, among other things, whether or not additional SEC guidance related to the level of disclosure in a company’s public filings is necessary. A few months later, SEC Commissioner Luis Aguilar delivered a speech to the New York Stock Exchange emphasizing that “board oversight of cyber-risk management is critical to ensuring that companies are taking adequate steps to prevent, and prepare for, the harms that can result from such [cyber] attacks[,]” and expressing the view that there is a disconnect between “the magnitude of the exposure presented by cyber-risks and the steps, or lack thereof, that many corporate boards have taken to address these risks.”

To date, neither the SEC nor its Staff has taken any formal action as a follow-up to the March 2014 roundtable. That said, the Division of Corporation Finance Staff continues to highlight the importance of the issue in speeches and during the comment process, and to urge companies to look to the Staff’s October 2011 disclosure guidance in preparing their periodic reports. In this regard, companies should be aware that the Staff often monitors media coverage of a public company as part of any review of its periodic reports, and may ask tough questions in that context if reports of a potentially material cyber-breach appear to be inconsistent with a company’s risk factor, MD&A and/or contingent liability footnote disclosures.

What To Do Now:

  • In addition to implementing a robust cyber-risk management program, develop a comprehensive plan for addressing the scenario of an enterprise-threatening cyber-attack. Specific points of vulnerability, such as vendor or other third-party access to corporate IT systems, should be identified and mitigated. The plan should bring together not just IT personnel, but also senior executives, investor relations, in-house and outside counsel, and outside communications advisors. In this regard, we recommend that companies consult the voluntary guidelines set forth in the NIST Framework, and the guidance outlined in a new report from the Committee of Sponsoring Organizations of the Treadway Commission (COSO), entitled COSO in the Cyber Age.
    • Specifically, the plan should address how to mitigate and remediate the attack technologically; when and how disclosure should be made internally—including to the board of directors—and to the public (both customers and investors); public relations; and whether and to what extent law enforcement and regulators need to be contacted (e.g., in the case of consumer privacy breaches). The plan should be flexible, tested repeatedly in the application and, most importantly, clearly designate who among the board, the company’s management and other staff will have ownership with respect to measures for dealing with any cyber-attack should one occur.
  • Arrange for cyber-risk training and education for board members to ensure that they are conversant in the technology and cyber-risks relevant to the company’s business operations and/or financial reporting controls, and consider competence in information technology when filling a new board position.
  • Arrange for robust cybersecurity training company-wide regarding password protection strategies, as well as relating to socially engineered “spear phishing,” a common attack vector whereby cyber-criminals send very normal-looking email to company employees which, if opened, will lace servers with malware.
  • Determine whether the full board, or a board committee, will have direct oversight responsibility for cybersecurity. Heightened shareholder expectations regarding this responsibility may lead, in the event of a cyber-breach, to derivative suits for breach of fiduciary duties or other litigation, and/or negative voting recommendations against board members from proxy advisory firms. The attention to cyber-issues paid by the board or board committee should be extensive and carefully documented.
  • Board members should review annual budgets for cybersecurity protection measures, understand and evaluate who in the company has responsibility for cybersecurity, and receive regular reports on compliance with cyber policies, procedures and controls, as well as IT risks and any cyber-breaches.
  • Carefully review company and D&O insurance policy provisions that relate to data breach and privacy claims, and ensure that such claims are not excluded. Exclusions of such claims—which we have recently seen in some policies—would also serve to exclude claims for breach of fiduciary duty and securities class actions arising out of a data breach.
  • Ensure that there is a robust risk factor, if appropriate, that addresses the points the SEC Staff emphasized in its 2011 guidance and, as the Bank of America case discussed below makes clear, revisit the disclosure decision every quarter to consider:
    • Aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
    • Any outsourced functions that have material cybersecurity risks, and how the registrant addresses those risks;
    • Cyber-incidents experienced by the registrant that are individually, or in the aggregate, material, including the costs and other consequences;
    • Risks related to cyber-incidents that may remain undetected for an extended period; and
    • Relevant cyberinsurance coverage.
  • If the company has been the victim of cyber-crime over the past fiscal year, whether it be a theft of valuable intellectual property, consumers’ personal financial data, or other confidential business or financial information, the company should evaluate carefully the need for Form 10-K disclosure and the potential impact of the theft or other breach on the company’s internal accounting controls (e.g., safeguarding of assets) and/or its ICFR.

Challenge Two: Continuing spotlight on the audit committee’s role as “gatekeeper”

As SEC Chair Mary Jo White observed in a June 2014 speech at the Stanford Directors’ College, “audit committees, in particular, have an extraordinarily important role in creating a culture of compliance through their oversight of financial reporting.” In March 2014, the SEC sued an audit committee chair for complicity in an accounting fraud scheme in what the SEC Enforcement Director described as a “cautionary tale of what happens when an audit committee chair fails to perform his gatekeeper function in the face of massive red flags” signaling accounting fraud. Another company’s audit committee chair settled charges that month arising from her decision to sign a Form 10-K (as director) filed with the SEC despite facts putting her on notice that this filing contained a false Sarbanes-Oxley certification by the former CEO.

Throughout 2014, various members of the SEC and the Staff have reinforced these messages regarding the importance of the audit committee’s gatekeeper role, reminding companies of that committee’s duties under the federal securities laws to: (a) oversee the quality and integrity of the company’s financial reporting process, including the company’s relationship with the outside auditor; (b) oversee the company’s confidential and anonymous whistleblower complaint policies and procedures relating to accounting and auditing matters; and (c) report annually to shareholders on the performance of these duties. Most recently, the SEC Chair has asked the Office of the Chief Accountant to re-examine the audit committee reporting requirements with a view to determining whether these requirements—which have not been updated since 1999—should be improved.

Even as the SEC has focused its attention on the performance of audit committees, the Public Company Accounting Oversight Board (PCAOB) has intensified its focus on the relationship between the outside auditor and the audit committee through the adoption of new and/or amended auditing standards. Effective in 2013 for calendar-year registrants, Auditing Standard No. 16, Communications with Audit Committees (AS 16), specifies a broad range of matters pertaining to the conduct of the audit that auditors must discuss with the audit committee. For more detail on AS 16, see our alert available here. This communication requirement has been enhanced by an important new standard, discussed below, for auditor review of related party transactions, significant unusual transactions and relationships with executive officers. In addition, as a senior SEC accounting official observed in early December, recent improvements in the PCAOB’s inspection reports that explain which auditing standards accounting firms have been found to have misapplied in connection with audits “could be particularly useful for audit committees to promote meaningful discussions with auditors about whether and how those same standards are being applied on their engagements to help to address or to avoid similar issues.”

Challenge Three: Increased auditor scrutiny of related party transactions, significant unusual transactions, and transactions/relationships between the company and executive officers (including incentive compensation)

With the SEC’s recent approval of PCAOB Auditing Standard No. 18, Related Parties (AS 18), and associated amendments to other auditing standards, auditors will be required to heighten their attention to three areas that have been at the heart of corporate financial scandals dating back to Enron: (i) related party transactions; (ii) significant unusual transactions; and (iii) financial relationships and transactions with executive officers, including executive compensation arrangements. The unifying theme is that, in the regulators’ view, these transactions and relationships pose an increased risk of material misstatement due to fraud, conflict of interest or error. Auditors are being directed to consider the linkage between these three areas, “connect the dots” and, in particular, scrutinize the business purpose (or lack thereof) of relationships and transactions falling within the standard. Moreover, as noted above, AS 18 requires discussion of these areas of the audit with the audit committee. The new standard will take effect beginning with the first quarter of fiscal 2015 (for calendar-year registrants), but senior management and audit committees should be prepared for increased focus by the outside auditor in connection with the 2014 audit.

Related Party Transactions. With regard to related party transactions, AS 18 requires the auditor to:

  • Perform specific procedures to understand related party relationships and transactions, including the nature, terms and business purpose (or lack thereof). These procedures include inquiring of the audit committee or its chair as to the audit committee’s understanding of these matters and whether any member of the audit committee has any concerns about
  • Evaluate whether the company has properly identified its related parties and company relationships and transactions with them. If any were previously undisclosed to the auditor, require financial statement disclosure or otherwise carry significant risk, the auditor is required to perform more in-depth procedures. As part of its evaluation, the auditor must obtain more extensive management representations, including as to any transactions that were not properly authorized or for which policy exceptions were granted.
  • Communicate to the audit committee the auditor’s evaluation of the company’s identification of, accounting for, and disclosure of its relationships and transactions with related parties, and other significant matters arising from this aspect of the audit.

Significant Unusual Transactions. “Significant unusual transactions” are defined as transactions that are outside the normal course of business for the company or that otherwise appear to be unusual due to timing, size or nature. With regard to these transactions, the auditor must:

  • Perform specific procedures to identify significant unusual transactions, and to understand and evaluate the business purpose (or lack thereof) and other elements of such transactions.
  • These procedures include reading the underlying documentation relating to the transaction and evaluating whether the terms and other information about the transaction are consistent with explanations obtained from inquiries of management and other audit evidence about the business purpose (or the lack thereof) of the transaction; determining whether the transaction has been authorized and approved in accordance with the company’s established policies and procedures; and evaluating the financial capability of the other parties to the transaction with respect to significant uncollected balances, guarantees, and other obligations.
  • Communicate to the audit committee the auditor’s understanding of the business purpose (or lack thereof) of significant unusual transactions.

Executive Officer Relationships and Transactions. Finally, the auditor will be required to follow new procedures designed to help uncover incentives or pressures for the company to achieve a particular financial position or operating result. Specifically, the auditor must perform procedures to understand the company’s financial relationships and transactions with its executive officers, given the influence these officers have on the company’s accounting and financial statements. Note, however, that the auditor will not be required to assess the reasonableness or appropriateness of a company’s compensation arrangements. AS 18 provides that these additional procedures should include:

  • Review of the employment and compensation contracts between the company and its executive officers.
  • Review of the company’s proxy statement and other relevant filings with the SEC and other regulatory agencies that relate to the company’s financial relationships and transactions with its executive officers. In particular, the auditor must obtain an understanding of established policies and procedures regarding the authorization and approval of executive officer expense reimbursements.
  • Consideration of whether to inquire of the chair of the compensation committee and any compensation consultants engaged by either the compensation committee or the company regarding the structuring of the company’s compensation for executive officers.

It remains to be seen how outside auditors will apply the new and amended auditing standards, particularly with respect to initiating discussion with compensation committees as well as audit committees. In this connection, the auditor’s decision may turn on the quality of the company’s proxy disclosures and supporting documentation of executive officers’ employment and compensatory arrangements with the company, and the auditor’s level of confidence in the accuracy and completeness of management representations mandated by the new requirements.

What To Do Now:

  • Take a fresh look at the company’s related person transaction policy, including the continuing appropriateness of any blanket carve-outs from pre-approval requirements. Ask how the policy has worked in practice and whether any refinements should be made. Consider whether the committee charged with administering the policy has sufficient access to legal and other advisors to obtain the information and advice necessary to make its determinations.
  • Look back to determine whether and how often the company has engaged in transactions that would fit the new PCAOB definition of significant unusual transactions. Use this review to understand the nature of significant unusual transactions that may occur in the future, and adopt (or revise, as appropriate) procedures for reviewing and establishing the business purpose for such transactions.
  • Consider the circumstances under which relationships and/or transactions with executive officers have been permitted and whether such relationships and/or transactions are appropriate or necessary and in the best interests of the company. Review incentive compensation arrangements that provide incentives to achieve a particular financial result, and expect additional auditor scrutiny of such arrangements. We expect perquisites to be a particular target of auditor scrutiny.
  • Advise both the audit committee and the compensation committee of the scope and implications of AS 18, which will apply to the auditor’s review of the first quarterly report of 2015 to be filed by calendar-year reporting companies, and plan for the possibility that the auditor may wish to engage in dialogue with the compensation committee.

The complete publication is available here.
