If there is any issue that is a hot topic in the business world today (and as a consequence in SEC reporting), it is cybersecurity. It seems we can’t go a week without hearing about a major cybersecurity event. From Target’s major attack last year and its consequences, to hospital records being breached, to even Apple possibly having a cybersecurity breach in its iCloud, cybersecurity continues to grow in complexity and impact.
One of the benefits of the SEC Institute programs now being part of PLI is that we have resources we could only have dreamed of before. One program that is particularly valuable today is our Cybersecurity 2014: Managing the Risk. This program is being held on September 10, 2014, and will be available in many cities and via webcast. You can learn more at our web page:
Meanwhile, back on the disclosure front, as a reminder, the SEC’s guidance on cybersecurity disclosures (so far) is in Corp Fin’s Disclosure Guidance Topic 2. It discusses disclosures at varying levels of risk, more or less starting with risk factors, progressing to discussion of the impact of cybersecurity events in MD&A, and possibly including discussion in the Description of the Business and Legal Proceedings.
For risk factors the Disclosure Guidance Topic suggests, among other factors, considering:
“Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
Risks related to cyber incidents that may remain undetected for an extended period; and
Description of relevant insurance coverage.”
The Disclosure Topic also includes a reminder about disclosure controls and procedures surrounding this issue. You can find the disclosure topic at:
And, for the fun of it, here is an example of a current risk factor:
A significant disruption in our computer systems and our inability to adequately maintain and update those systems could adversely affect our operations and our ability to maintain guest confidence.
We rely extensively on our computer systems to manage inventory, process guest transactions, manage guest data, communicate with our vendors and other third parties, service ****** accounts and summarize and analyze results, and on continued and unimpeded access to the internet to use our computer systems. Our systems are subject to damage or interruption from power outages, telecommunications failures, computer viruses and malicious attacks, security breaches and catastrophic events. If our systems are damaged or fail to function properly, we may incur substantial repair or replacement costs, experience data loss and impediments to our ability to manage inventories or process guest transactions, and encounter lost guest confidence, which could adversely affect our results of operations. The Data Breach we experienced negatively impacted our ability to timely handle customer inquiries, and we experienced weaker than expected U.S. Segment sales following the announcement of the Data Breach. Similarly, we experienced a temporary network disruption not involving a data breach in June 2014 that prevented many of our point-of-sale registers from working in a limited geographic region. This disruption caused checkout delays and generated negative publicity, and we engaged in promotional activities to retain our customers during the delay.
We continually make significant technology investments that will help maintain and update our existing computer systems. Implementing significant system changes increases the risk of computer system disruption. Additionally, the potential problems and interruptions associated with implementing technology initiatives could disrupt or reduce our operational efficiency, and could impact the guest experience and guest confidence.