3.3 Disclosures About Risk
The SEC staff continues to expect registrants to provide investors with tailored, comprehensive, and transparent risk disclosures.
3.3.1 Risk Factors
Examples of SEC Comments
- The risk factors that you present appear to apply to nearly any issuer in any industry. Please significantly revise the risk factors to ensure that they are tailored to the [Type A] business.
- This risk factor appears to combine two risks: the general risk of business failure and the company’s lack of a saleable product now and in the future. Please consider revising to present these risks separately.
- Please add a risk factor discussing the going concern, as discussed in [a footnote] to the financial statements.
- We note your risk factor discussion is greater than fifteen pages. Please revise to provide a section with a series of concise, bulleted or numbered statements that is no more than two pages summarizing the principal factors that make an investment in the registrant or offering speculative or risky. See Item 105(b) of Regulation S-K. Please also revise the risk factors section consistent with Item 105(a), including applicable headings.
- Please revise this section to relocate any generic risk factors you present to the end of the section, under the caption “General Risk Factors.” See Item 105(a) of Regulation S-K.
Regulation S-K, Item 105, requires registrants to provide “a discussion of the
material factors that make an investment in the registrant or offering
speculative or risky.” Certain indicators of risk may be present in the
footnotes to the financial statements, in MD&A, or elsewhere in investor
presentations or other periodic filings. The SEC staff commonly requests that
registrants include new or more detailed risk factors specific to matters
identified elsewhere in the filing. Registrants should be diligent in ensuring
that risk factors are comprehensive and are related to their particular
circumstances.
Further, instead of combining separate risk factors under a single heading and
providing a general discussion, registrants are asked to review each risk factor
heading to ensure that it clearly conveys and adequately describes a separate,
detailed risk to investors. To the extent that generic risk factors are
presented, registrants should disclose them at the end of the Risk Factors
section under the caption “General Risk Factors.” In addition, the SEC staff
requests more specific discussion and enhanced explanations of how the risks
could materially affect the registrant’s business. This discussion may be
supplemented with quantitative information to provide additional context about
the risks. In addition, the staff often asks registrants whether they have (1)
discussed all relevant risk factors and (2) provided sufficient MD&A
discussion when a risk constitutes a material trend or uncertainty.
Item 105 also requires registrants with more than 15 pages of
disclosures in the Risk Factors section to provide a summary of such factors
that must be no more than two pages and consist of “a series of concise,
bulleted or numbered statements . . . summarizing the principal factors.” The
SEC staff commonly requests that registrants include such a summary when one
is applicable but has not been provided.
3.3.2 Disclosures Related to Complex and Evolving Risks
The SEC has identified certain complex and evolving market risks and encouraged
registrants to evaluate their disclosures of such risks when the risks may be
material to investors. In remarks[3] about evolving market risks delivered at the Practising Law Institute’s
18th Annual Institute on Securities Regulation in Europe, then Division Director
William Hinman emphasized that the SEC’s principles-based disclosure
requirements related to risk factors and MD&A “should result in disclosure
that keeps pace with emerging issues.” Emerging risks that have been a recent
focus of the SEC include, but are not limited to, (1) cybersecurity, (2) climate
change, (3) COVID-19, and (4) the Russia-Ukraine war. In connection with
COVID-19, the Russia-Ukraine war, and other events, registrants have also faced
supply-chain issues, labor shortages, inflation, and the effects of rising
interest rates. The SEC continues to monitor public-company disclosures on these
topics.
At the 2019 AICPA Conference, the SEC staff noted the need for
registrants to make transparent disclosures related to the emerging risks listed
above and other world events that pose risks. Mara Ransom, chief of the
Division’s Office of Trade and Services, emphasized that if registrants expect
the impacts of these evolving risks to be material, they should consider
including disclosures that address:
- How management assesses the risks.
- What management is doing to mitigate and manage the risks.
- What the board’s role is in risk oversight.
While the SEC staff’s remarks above predate the COVID-19
pandemic, many of the same concepts were incorporated into CFDG Topics 9 and 9A;
consequently, registrants may still find these concepts relevant to the risks
associated with the pandemic and other significant events. Many registrants may
already provide disclosures about general risk related to issues such as
potential rising interest rates, supply-chain disruptions, inflation, natural
disasters, war, or pandemics. They should consider updating such disclosures to
(1) clarify when the risk is no longer hypothetical and (2) provide more
specificity about the actual and evolving potential future impact of such risks.
For more information, see Deloitte’s March 25, 2020 (updated January 11, 2021);
December 2, 2021; March 10, 2022 (updated May 7, 2022); and September 15, 2023,
Financial Reporting Alert newsletters.
3.3.2.1 Cybersecurity
Examples of SEC Comments
- We note your disclosure that you continue to face a host of cyber threats; your disclosure that cyber-crimes and denial of service attacks have increased; and your identification of cyber-attacks as a key risk. Please clarify whether you have knowledge of the occurrence of any such attacks in the past. If attacks have occurred, and were material either individually or in the aggregate, revise to discuss the related costs and consequences. Also, describe the particular aspects of your business and operations that give rise to material cybersecurity risks and the potential costs and other consequences of such risks to those businesses and operations. For additional guidance, please refer to CF Disclosure Guidance Topic No. 2 on Cybersecurity.
- In this risk factor you discuss the potential impact of operational risks. Have you suffered any significant losses or other damages as a result of operational risks, or has your controls testing indicated that you have a significant deficiency? Please revise to provide a description of any cyber incidents that you have experienced that are individually, or in the aggregate, material, including a description of the costs and other consequences and to provide the investor with an idea of the likelihood that a risk may impact your results and the potential impact on your assets and earnings. Refer to CF Disclosure Guidance: Topic No. 2.
- We note your risk factor discloses the heightened risk of potential cyberattacks due to the conflict between Russia and Ukraine. Please revise your risk factor to disclose if you have experienced any cyberattacks, explain how cyberattacks could impact your business, and discuss any actions you have taken to mitigate the potential risks.
- In light of recent events indicating greater oversight by the Cyberspace Administration of China (CAC) over data security, please revise your disclosure to explain if and how this oversight impacts your business and to what extent you believe that you are compliant with the regulations or policies that have been issued by the CAC to date, if applicable.[4]
The SEC staff has noted the increasingly frequent occurrence of cyber incidents,
which may cause registrants to incur significant remediation and other costs
for (1) direct damages (both real and reputational), (2) the impact on their
customers, and (3) increased protection from future cybersecurity attacks.
To help combat these threats, the SEC announced on September 25, 2017, the formation of a
Cyber Unit within the Commission’s Division of Enforcement to target
cyber-related misconduct.
As part of the SEC’s focus on cybersecurity this past year,
the SEC staff has also asked registrants to discuss increased cybersecurity
risks stemming from the Russia-Ukraine war (see Section 3.3.2.2 for other
considerations related to the disclosure of risks associated with that
war).
On July 26, 2023, the SEC issued a final rule that requires registrants to
provide enhanced and standardized disclosures regarding “cybersecurity risk
management, strategy, governance, and incidents.” The SEC’s focus on
cybersecurity disclosures is not new; previously, the SEC had issued (1) the
Division’s October 13, 2011, interpretive guidance on cybersecurity
disclosures, (2) the Commission’s February 21, 2018, interpretive guidance on such disclosures,
and (3) the March 9, 2022, proposed rule on which the final rule was
based.
The final rule establishes new requirements related to:
- Material cybersecurity incidents, which would need to be disclosed on Form 8-K within four business days of their being deemed material. A registrant may delay filing the Form 8-K if the U.S. Attorney General “determines immediate disclosure would pose a substantial risk to national security or public safety.”
- Annual disclosures in Form 10-K pertaining to (1) cybersecurity risk management and strategy, (2) “management’s role in assessing and managing material risks from cybersecurity threats,” and (3) “the board of directors’ oversight of cybersecurity risks.”
- The presentation of disclosures in Inline eXtensible Business Reporting Language (iXBRL).
All types of periodic SEC filers are affected by the final
rule, including domestic registrants, foreign private issuers (FPIs),[5] smaller reporting companies (SRCs), and emerging growth companies
(EGCs). The final rule includes the following transition provisions:
Disclosures will be required in:[6] | |
---|---|
Form 8-K, Item 1.05, “Material Cybersecurity Incidents” | For all registrants other than SRCs — Starting December 18, 2023. For SRCs — Starting June 15, 2024. |
Regulation S-K, Item 106 (in Form 10-K, Item 1C, “Cybersecurity”) | Beginning with annual reports for fiscal years ending on or after December 15, 2023. |
Given the final rule, the SEC staff is expected to continue focusing on
cybersecurity disclosures. For further details regarding the final rule, see
Deloitte’s July 30, 2023, Heads Up.
3.3.2.2 Russia-Ukraine War
Examples of SEC Comments
- We note your disclosures . . . of your businesses in Russia. Please enhance your disclosures in future filings to address the following matters. If you do not believe the impact is material, explain why.
  - Describe the impact of Russia’s invasion of the Ukraine on your businesses. In addition to the general impact, please also consider any impact from sanctions and export controls, including whether you will need to evaluate any aspects of your businesses for impairment;
  - Disclose any risks that may impede your ability to sell assets located in Russia, including as a result of sanctions affecting potential purchasers;
  - Disclose the risk that the Russian government may nationalize your assets and quantify the potential impact to your financial statements;
  - Address your risk exposure as the paying agent, charged with receiving and processing payments into bondholders’ accounts for both Russian corporate and government issued bonds;
  - Disclose any material reputational risks that may negatively impact your business associated with your response to the Russian invasion of Ukraine, for example in connection with action or inaction arising from or relating to the conflict; and
  - Describe the extent and nature of the board’s role in overseeing risks related to the conflict between Russia and Ukraine, to the extent material to your business. These risks could include risks related to cybersecurity, sanctions, the employee base in affected regions, and your reputation in connection with operations or halted operations in affected regions.
- Clarify how you have assessed the need for impairment testing of your long-lived assets in Russia, Belarus and Ukraine pursuant to FASB ASC 360-10-35-21 as of [the end of the first quarter of your current fiscal year], and indicate the results of any such testing, and the key assumptions made in arriving at your conclusions.
- Describe the sanctions and trade restrictions that have been imposed on operations conducted within Russia, Belarus, and Ukraine, including related entities or persons, explain how you have assessed the applicability of such measures to your operations, and identify any uncertainties associated with your positions of being outside the scope of such measures and the implications of possible changes in those uncertainties and your positions.
- Please disclose in future filings whether and how your business segments, products, lines of service, projects, or operations are materially impacted by supply chain disruptions, especially in light of Russia’s invasion of Ukraine. For example, discuss whether you have or expect to:
  - suspend the production, purchase, sale or maintenance of certain items;
  - experience higher costs due to constrained capacity or increased commodity prices or challenges sourcing materials [(e.g., nickel, palladium, neon, cobalt, iron, platinum or other raw material sourced from Russia, Belarus, or Ukraine)];
  - experience surges or declines in consumer demand for which you are unable to adequately adjust your supply; or
  - be unable to supply products at competitive prices or at all due to export restrictions, sanctions, or the ongoing invasion; or
  - be exposed to supply chain risk in light of Russia’s invasion of Ukraine and/or related geopolitical tension or have sought to “de-globalize” your supply chain.

  Explain whether and how you have undertaken efforts to mitigate the impact and where possible quantify the impact to your business.
On February 24, 2022, Russia invaded Ukraine, causing
significant geopolitical instability. As the war between these two countries
continues, its impact on the economy and global markets is exacerbating
ongoing economic challenges, such as rising inflation and supply-chain
disruptions. Registrants may need to consider the war’s direct and indirect
impacts on their business, which may affect certain financial accounting and
reporting matters. As a result, on May 3, 2022, the SEC staff issued a
sample letter[7] that outlines its expectation that companies should be providing
detailed disclosures about the war to the extent material or otherwise
required. The sample letter underscores the need for registrants to evaluate
both direct and indirect impacts, including potential or actual disruptions
to suppliers, customers, or employees, among other considerations. The
sample comments in the letter primarily focus on (1) risk factors, (2)
MD&A, (3) ICFR, (4) DC&P, and (5) non-GAAP measures.
For additional considerations and further discussion regarding financial
accounting and reporting considerations related to the Russia-Ukraine war,
see Deloitte’s March 10, 2022 (updated May 7, 2022), Financial Reporting Alert.
Footnotes
[3] Division Director William Hinman, “Applying a Principles-Based Approach to Disclosing Complex, Uncertain and Evolving Risks,” March 15, 2019.
[4] This type of comment is specifically targeted at SEC registrants that have significant operations in China.
[5] The final rule amends Forms 20-F and 6-K and requires FPIs to provide disclosures that are generally consistent with those discussed herein for domestic registrants. Specifically, FPIs must disclose in their annual Form 20-F the board’s oversight of risks from cybersecurity threats and management’s role in assessing and managing material risks from cybersecurity threats. The final rule also requires FPIs to furnish on Form 6-K information on material cybersecurity incidents that they disclose or publicize in a foreign jurisdiction to any stock exchange or security holders.
[6] Adoption dates applicable to FPIs for disclosures in Form 6-K are consistent with Form 8-K, Item 1.05, and disclosures in Form 20-F are consistent with Item 106.
[7] Sample Letter to Companies Regarding Disclosures Pertaining to Russia’s Invasion of Ukraine and Related Supply Chain Issues.