Following are excerpts from “What’s New for 2015: Cybersecurity, Financial Reporting and Disclosure Challenges,” published by the Public Company Advisory Group of Weil, Gotshal & Manges LLP. The group is headed by Ellen J. Odoner, and this alert represents a collaboration across the entire practice area. See below for a list of contributors. To access the full alert, which includes additional challenges and responses, please click here.
The Challenge: Cybersecurity Disclosure
Cybercrime has become a chronic, enterprise-wide risk that poses one of the most significant threats to public companies. Not surprisingly, senior federal governmental officials have identified cybersecurity as a top national policy priority.
Cybersecurity as a disclosure issue has been front-and-center on the SEC’s radar screen for some time now. Concerned by mounting reports of major corporate cyber breaches, the SEC held a March 2014 “cyber roundtable” bringing together industry groups and public and private sector participants to discuss, among other things, whether or not additional SEC guidance related to the level of disclosure in a company’s public filings is necessary.
To date, neither the SEC nor its staff has taken any formal action as a follow-up to the March 2014 roundtable. That said, the Division of Corporation Finance staff continues to highlight the importance of the issue in speeches and during the comment process, and to urge companies to look to the staff’s October 2011 disclosure guidance in preparing their periodic reports.
What to do now . . .
- In addition to implementing a robust cyber risk management program, develop a comprehensive plan for addressing the scenario of an enterprise-threatening cyberattack. Specific points of vulnerability, such as vendor or other third-party access to corporate IT systems, should be identified and mitigated.
- Arrange for cyber risk training and education for board members to ensure that they are conversant in the technology and cyber risks relevant to the company’s business operations and/or financial reporting controls, and consider competence in information technology when filling a new board position.
- Arrange for robust company-wide cybersecurity training on password protection strategies and on socially engineered “spear phishing” attacks.
- Determine whether the full board, or a board committee, will have direct oversight responsibility for cybersecurity and assure that the attention devoted is extensive and carefully documented.
- Board members should review annual budgets for cybersecurity protection measures, understand and evaluate who in the company has responsibility for cybersecurity, and receive regular reports on compliance.
- Carefully review company and D&O insurance policy provisions that relate to data breach and privacy claims, and ensure that such claims are not excluded.
- Ensure that there is a robust risk factor, if appropriate, that addresses the points the SEC staff emphasized in its 2011 guidance and revisit the disclosure decision every quarter.
- If the company has been the victim of cybercrime over the past fiscal year, it should carefully evaluate the need for Form 10-K disclosure and the potential impact of the theft or other breach on the company’s internal accounting controls and/or its internal control over financial reporting (ICFR).
The Challenge: The Audit Committee as “Gatekeeper”
As SEC Chair Mary Jo White observed in a June 2014 speech at the Stanford Directors’ College, “audit committees, in particular, have an extraordinarily important role in creating a culture of compliance through their oversight of financial reporting.”
Throughout 2014, various members of the SEC and the staff have reinforced her message. At the same time, the Public Company Accounting Oversight Board (PCAOB) has intensified its focus on the relationship between the outside auditor and the audit committee through the adoption of new and/or amended auditing standards.
What to do now . . .
- Be mindful that Auditing Standard No. 16 (effective in 2013), which specifies a broad range of matters pertaining to the conduct of the audit that auditors must discuss with the audit committee, has been enhanced by an important new standard (discussed below) for auditor review of related party transactions, significant unusual transactions and relationships with executive officers.
- In addition, recent improvements in the PCAOB’s inspection reports that explain which auditing standards accounting firms have been found to have misapplied are useful for audit committees to promote meaningful discussions with auditors.
The Challenge: Stricter Auditor Scrutiny
With the SEC’s recent approval of PCAOB Auditing Standard No. 18 and associated amendments to other standards, auditors will be required to heighten their attention to three areas: related party transactions; significant unusual transactions; and financial relationships and transactions with executive officers, including executive compensation arrangements. Auditors are being directed to consider the linkage between these three areas, “connect the dots” and, in particular, scrutinize the business purpose (or lack thereof) of relationships and transactions falling within the standard.
It remains to be seen how outside auditors will apply the new and amended auditing standards, particularly with respect to initiating discussion with compensation committees as well as audit committees. In this connection, the auditor’s decision may turn on the quality of the company’s proxy disclosures and supporting documentation of executive officers’ employment and compensatory arrangements with the company, and the auditor’s level of confidence in the accuracy and completeness of management representations mandated by the new requirements.
What to do now . . .
- Take a fresh look at the company’s related person transaction policy, including the continuing appropriateness of any blanket carve-outs from pre-approval requirements.
- Look back to determine whether and how often the company has engaged in transactions that would fit the new PCAOB definition of significant unusual transactions. Use this review to understand the nature of significant unusual transactions that may occur in the future, and adopt procedures for reviewing and establishing the business purpose for such transactions.
- Consider the circumstances under which relationships and/or transactions with executive officers have been permitted and whether such relationships and/or transactions are appropriate or necessary and in the best interests of the company.
- Advise both the audit committee and the compensation committee of the scope and implications of AS 18, which will apply to the auditor’s review of the first quarterly report of 2015 to be filed by calendar-year reporting companies, and plan for the possibility that the auditor may wish to engage in dialogue with the compensation committee.
The Challenge: SEC Focus on Financial Reporting
It has been well over a year since the SEC Enforcement Division established the new Financial Reporting and Audit Task Force, which was given the job of determining whether the declining number of restatements observed by the SEC in recent years should be attributed to a reduction in fraudulent financial reporting or, instead, to the government’s failure to detect wrongdoing. Various members of the Task Force have delivered speeches identifying certain accounting-related practices as potentially indicative of fraud, including the misapplication of U.S. Generally Accepted Accounting Principles (GAAP). Because all of this involves difficult management judgments that rely heavily on assumptions and estimates, the Task Force is looking for instances in which the company’s management crossed the line between good-faith errors in judgment or calculation and bad faith or reckless conduct tantamount to fraud.
We should expect more of the same in 2015. As part of its multi-front initiative to improve the quality of ICFR and related disclosures and CEO/CFO certifications, the SEC has brought high-profile ICFR cases recently against large financial institutions as well as several non-financial companies. In the meantime, the PCAOB has been cracking down on registered public accounting firms responsible for ICFR audits. In addition, in August 2014, the SEC brought and settled a major MD&A case against Bank of America involving allegations of failure to disclose a material “known trend or uncertainty” in accordance with Item 303 of Regulation S-K.
What to do now . . .
- Companies need to take a fresh look at the adequacy of their ICFR systems and related disclosures and management certifications. Additionally, they need to review high fraud-risk areas where the application of GAAP is based heavily on management assumptions and estimates, thereby placing outside auditors on high alert.
- Corporate preparers and/or reviewers of the upcoming Form 10-K (or Form 10-Q for non-calendar year registrants), along with the disclosure committee responsible for administering the company disclosure controls and procedures that underpin certifications by the CEO and CFO, should discuss the lessons of the Bank of America case. In particular, they should underscore the point that MD&A requires certain forward-looking disclosures, and that companies should apply the SEC’s two-pronged test in analyzing the need for disclosure.
- In preparing each Form 10-Q and Form 10-K, thoroughly review the company’s risk factors (and cautionary statements) to determine whether they should be updated in light of recent developments.
The Challenge: More Whistleblowers
The SEC’s Dodd-Frank whistleblower bounty program has generated over 3,000 tips relating to possible federal securities law violations in each of the last three fiscal years – 3,620 total tips for the fiscal year ending September 30, 2014. Given the substantial financial incentives for potential whistleblowers – the SEC awarded over $30 million in late September 2014 to a single whistleblower residing in a foreign country – and the expansive manner in which the agency is interpreting its statutory mandate, those responsible for oversight of internal corporate complaint systems must understand the SEC’s current thinking in this area and, in particular, its relevance to the financial reporting process.
First, the SEC appears determined to enforce the anti-retaliation provisions of the Dodd-Frank whistleblower rules. Second, the SEC staff continues to express strong disapproval of perceived corporate efforts to discourage any potential whistleblower activity, whether internal or external. Finally, it is worth noting that the SEC’s Office of the Whistleblower works closely with other groups within the Division of Enforcement, including most prominently the Financial Reporting and Audit Task Force and the FCPA Unit, to achieve common objectives.
What to do now . . .
- In light of the SEC chair’s emphasis on the “gatekeeper” duties of boards of directors in the Dodd-Frank whistleblower context, we recommend that boards heed her advice “to learn and be engaged” in overseeing their companies’ whistleblower complaint systems.
- We suggest that boards request regular reports from senior management, as well as responsible legal and compliance personnel and outside counsel, on how well these systems are being administered in accordance with guidance on effective compliance programs from the SEC, the Department of Justice, the federal courts and the U.S. Sentencing Commission.
- Special care should be taken in drafting employment agreements for employees at all levels of the company to avoid problematic confidentiality provisions that could be viewed by the SEC as unduly chilling whistleblower complaints to governmental officials.
Published March 19, 2015.