Time and time again, with both guidance and comment letters, the Securities and Exchange Commission has urged companies to avoid using “boilerplate” language in their disclosures.
One might even call the SEC’s pronouncements boilerplate warnings, since they agency makes them all the time—and companies never seem to embrace the message.
“It’s an interesting tension,” says Bree Archambault of the law firm Reed Smith. “When you are working on disclosure documents, there are specific disclosures you are required to make and some of it does not change a lot from year to year. If it has passed muster in past years, the situation is still the same, and the business is generally the same—run in the same way with the same segments—the company has an incentive not to change that language.”
Jean Rogers, founder and CEO of the Sustainability Accounting Standards Board, goes even further: “There is an extraordinary amount of boilerplate disclosure across topics and across industries,” she says. SASB recently reviewed companies’ sustainability-related disclosures, and flagged nearly half as boilerplate.
“There is a problem with going too far in your disclosure, but there is also a problem with not going far enough,” Rogers says. “We see people erring on the side of not going far enough and relying on boilerplate.”
While the SEC admonishes boilerplate language, companies are challenged by a lack of uniform definition for what exactly boilerplate is. Determinations of materiality, especially about what an investor would want, are typically left to the issuer. Nearly any choice could be debated and challenged.
The prevalence of boilerplate language is “a manifestation of companies recognizing their risk factors, but not having standards or guidance on how to actually disclose them better,” Rogers says. “You have U.S. Generally Accepted Accounting Principles for financials; the Financial Accounting Standards Board does a really good job with how to disclose financial performance, but there really is very little more than ad hoc guidance from the SEC on how to look at non-financial or special topics that are material. How do you address them?”
“There is an extraordinary amount of boilerplate disclosure across topics and across industries.”
Jean Rogers, Founder & CEO, SASB
Cyber-security disclosures are the latest target for the boilerplate debate. How bad must a breach be to warrant disclosure in a Form 8-K? Should that determination be based on the number of consumers affected, the financial toll, or degree of media attention?
In 2011 the SEC’s Division of Corporation Finance did outline items that companies must consider when identifying specific business risks caused by cyber-security incidents. Among them: how those costs might affect the balance sheet; the correlation of those risks to the company’s business model; possible legal proceedings; and how to make appropriate financial statement disclosure to reflect the effect of a cyber-attack.
Regulation S-K, which governs disclosure in Form 10-K filings, requires companies to disclose material information that is a risk factor or likely to affect financial condition or operating performance. “Even when [the SEC] issued guidance on a particular topic like cyber-security, conflict minerals, or climate change, what they are really doing is interpreting S-K,” Rogers says. “The SEC tends to not get specific or raise questions about how far companies should go to determine what material is.”
The latitude given companies is problematic, critics say. “The traditional approach is to let companies assess their own cyber-risk factors, which is the equivalent of letting the chickens decide how tasty they are, or aren’t, to the fox,” says Jeffrey Carr, a cyber-security analyst and CEO of Taia Global.
Vague vs. Material
Carr cites Sony’s response to breaches over the years as an example of overly broad 10-K disclosures. After Sony’s high-profile hacker attack last November, Carr looked at the company’s cyber-risk disclosures since 2011. The language “remains pretty much the same” over the years, he says. “This is pretty generic stuff that doesn’t contain anything specific to Sony that wouldn’t apply to every other public company.”
The current crop of cyber-security disclosures “are effectively worthless from an investor’s point of view,” Carr says. “There is a false argument that you can’t expect them to inform the bad guys about weaknesses in the network. That’s not what is being asked for. The SEC doesn’t want the company to say it is vulnerable to a SQL injection, or spear fishing, or whatever. They simply want an assessment of risk.”
The unwillingness to advance beyond boilerplate cyber-security disclosures ties to “whether or not they are disclosing something that would put them at a competitive disadvantage,” Rogers says. “Companies don’t want to be at the risk of omitting material information, so they put in a boilerplate statement.”
Below is a look at Facebook’s 10-K disclosures on privacy practices and a post-breach filing by JPMorgan Chase. Advocates of better reporting on non-financial material information in disclosures to the SEC gave JPMorgan Chase high marks. As for Facebook, SASB points out that it uses “industry-specific” disclosure, such as qualitative disclosures around data security, not metric; it is working to get companies to implement disclosures that use quantitative metrics.
Selections from both disclosures are included below.
User contact information – name, address, phone number and email address – and internal JPMorgan Chase information relating to such users have been compromised.
The compromised data impacts approximately 76 million households and 7 million small businesses.
However, there is no evidence that account information for such affected customers – account numbers, passwords, user IDs, dates of birth or Social Security numbers – was compromised during this
As of such date, the firm continues not to have seen any unusual customer fraud related to this incident.
JPMorgan Chase customers are not liable for unauthorized transactions on their account that they promptly alert the firm to.
We continue to build new procedural safeguards as part of our comprehensive privacy program. These include a dedicated team of privacy professionals who are involved in new product and feature development from design through launch; ongoing review and monitoring of the way data is handled by existing features and applications; and rigorous data security practices.
We regularly work with online privacy and safety experts and regulators around the world. In August 2012, the Federal Trade Commission formally approved a 20-year settlement agreement requiring us to enhance our privacy program and to complete biennial third-party assessments.
SASB is currently working with a cross-section of industries to develop voluntary standards for cyber-security and environmental disclosures that companies can use. “Companies appreciate having a standard that helps them know exactly how far they should go when talking about this issue, and a standard can help level the playing field,” Rogers says. “They need to provide decision-useful information to investors, and boilerplate doesn’t cut it.”
A similar push is underway by Ceres, a coalition of investors and public interest groups. Its beef is with a 2010 SEC requirement that companies disclose the material effects of climate and environmental change, and the effects of related pending legislation and regulation, on their business operations. The SEC, Ceres says, “is not adequately enforcing” compliance, and companies, in turn, are ignoring the requirement.
Roughly 40 percent of companies in the S&P 500 do not make any climate-related disclosure in their 10-K filings, a recent study by Ceres found. Among those that do, “the majority of financial reporting on climate change is too brief and largely superficial.” Ceres is demanding that the SEC do a much better job enforcing those requirements.
How the SEC will react to such pressures remains to be seen. While environmental issues may not inspire much attention beyond activist shareholders, cyber-risk certainly does.
Since its 2011 cyber-risk guidance, CorpFin has issued comments to fewer than 100 companies about their related disclosures. When it does intervene, SEC staff often demand specific information.
In 2012, when the Amazon subsidiary Zappos was breached, Amazon referred in its next periodic filing only to the potential of a cyber-attack that “could expose us or our customers to a risk of loss or misuse of information, adversely affect our operating results, result in litigation or potential liability for us, and otherwise harm our business.” The SEC protested and demanded specific detail rather than vagaries. Amazon protested, but eventually acquiesced.
ConocoPhillips, in its 2012 annual report, mentioned only the phase “cyber-attacks” in its listing of potential risks. The SEC and the company tangoed for several weeks over how much additional detail CorpFin wanted included. Conoco eventually added language to indicate that several “non-material breaches” had occurred.
The SEC may soon consider more prescriptive disclosure requirements. Chairman Mary Jo White has hinted as much in public comments. Various members of Congress have called for the same, and that push gets stronger with each new high-profile breach.
The SEC’s current budget appropriation may be the tipping point. The 2015 Omnibus Appropriations bill passed by Congress in January included a rider demanding that the SEC review and “modernize” cyber-security disclosures.