3.3 Disclosures About Risk

The SEC staff continues to expect registrants to provide investors with tailored, comprehensive, and transparent risk disclosures.

3.3.1 Risk Factors

Examples of SEC Comments

The risk factors that you present appear to apply to nearly any issuer in any industry. Please significantly revise the risk factors to ensure that they are tailored to the [Type A] business.
This risk factor appears to combine two risks: the general risk of business failure and the company’s lack of a saleable product now and in the future. Please consider revising to present these risks separately.
Please add a risk factor discussing the going concern, as discussed in [a footnote] to the financial statements.
We note your risk factor discussion is greater than fifteen pages. Please revise to provide a section with a series of concise, bulleted or numbered statements that is no more than two pages summarizing the principal factors that make an investment in the registrant or offering speculative or risky. See Item 105(b) of Regulation S-K. Please also revise the risk factors section consistent with Item 105(a), including applicable headings.
Please revise this section to relocate any generic risk factors you present to the end of the section, under the caption “General Risk Factors.” See Item 105(a) of Regulation S-K.

Regulation S-K, Item 105, requires registrants to provide “a discussion of the material factors that make an investment in the registrant or offering speculative or risky.” Certain indicators of risk may be present in the footnotes to the financial statements, in MD&A, or elsewhere in investor presentations or other periodic filings. The SEC staff commonly requests that registrants include new or more detailed risk factors specific to matters identified elsewhere in the filing. Registrants should be diligent in ensuring that risk factors are comprehensive and are related to their particular circumstances.

Further, instead of combining separate risk factors under a single heading and providing a general discussion, registrants are asked to review each risk factor heading to ensure that it clearly conveys and adequately describes a separate, detailed risk to investors. To the extent that generic risk factors are presented, registrants should disclose them at the end of the Risk Factors section under the caption “General Risk Factors.” In addition, the SEC staff requests more specific discussion and enhanced explanations of how the risks could materially affect the registrant’s business. This discussion may be supplemented with quantitative information to provide additional context about the risks. In addition, the staff often asks registrants whether they have (1) discussed all relevant risk factors and (2) provided sufficient MD&A discussion when a risk constitutes a material trend or uncertainty.

Item 105 also requires registrants with more than 15 pages of disclosures in the Risk Factors section to provide a summary of such factors that must be no more than two pages and consist of “a series of concise, bulleted or numbered statements . . . summarizing the principal factors.” The SEC staff commonly requests that registrants include such a summary when applicable and the disclosure is not included.

3.3.2 Disclosures Related to Complex and Evolving Risks

The SEC has identified certain complex and evolving market risks and encouraged registrants to evaluate their disclosures of such risks when the risks may be material to investors. In remarks 3 about evolving market risks delivered at the Practising Law Institute’s 18th Annual Institute on Securities Regulation in Europe, then Division Director William Hinman emphasized that the SEC’s principles-based disclosure requirements related to risk factors and MD&A “should result in disclosure that keeps pace with emerging issues.” Emerging risks that have been a recent focus of the SEC include, but are not limited to, (1) cybersecurity, (2) climate change, (3) COVID-19, and (4) the Russia-Ukraine war. In connection with COVID-19, the Russia-Ukraine war, and other events, registrants have also faced supply-chain issues, labor shortages, inflation, and the effects of rising interest rates. The SEC continues to monitor public-company disclosures on these topics.

At the 2019 AICPA Conference, the SEC staff noted the need for registrants to make transparent disclosures related to the emerging risks listed above and other world events that pose risks. Mara Ransom, chief of the Division’s Office of Trade and Services, emphasized that if registrants expect the impacts of these evolving risks to be material, they should consider including disclosures that address:

How management assesses the risks.
What management is doing to mitigate and manage the risks.
What the board’s role is in risk oversight.

While the SEC staff’s remarks above predate the COVID-19 pandemic, many of the same concepts were incorporated into CFDG Topics 9 and 9A; consequently, registrants may still find these concepts relevant to the risks associated with the pandemic and other significant events. Many registrants may already provide disclosures about general risk related to issues such as potential rising interest rates, supply-chain disruptions, inflation, natural disasters, war, or pandemics. They should consider updating such disclosures to (1) clarify when the risk is no longer hypothetical and (2) provide more specificity about the actual and evolving potential future impact of such risks. For more information, see Deloitte’s March 25, 2020 (updated January 11, 2021); December 2, 2021; March 10, 2022 (updated May 7, 2022); and September 15, 2023, Financial Reporting Alert newsletters.

3.3.2.1 Cybersecurity

Examples of SEC Comments

We note your disclosure that you continue to face a host of cyber threats; your disclosure that cyber-crimes and denial of service attacks have increased; and your identification of cyber-attacks as a key risk. Please clarify whether you have knowledge of the occurrence of any such attacks in the past. If attacks have occurred, and were material either individually or in the aggregate, revise to discuss the related costs and consequences. Also, describe the particular aspects of your business and operations that give rise to material cybersecurity risks and the potential costs and other consequences of such risks to those businesses and operations. For additional guidance, please refer to CF Disclosure Guidance Topic No. 2 on Cybersecurity.
In this risk factor you discuss the potential impact of operational risks. Have you suffered any significant losses or other damages as a result of operational risks, or has your controls testing indicated that you have a significant deficiency? Please revise to provide a description of any cyber incidents that you have experienced that are individually, or in the aggregate, material, including a description of the costs and other consequences and to provide the investor with an idea of the likelihood that a risk may impact your results and the potential impact on your assets and earnings. Refer to CF Disclosure Guidance: Topic No. 2.
We note your risk factor discloses the heightened risk of potential cyberattacks due to the conflict between Russia and Ukraine. Please revise your risk factor to disclose if you have experienced any cyberattacks, explain how cyberattacks could impact your business, and discuss any actions you have taken to mitigate the potential risks.
In light of recent events indicating greater oversight by the Cyberspace Administration of China (CAC) over data security, please revise your disclosure to explain if and how this oversight impacts your business and to what extent you believe that you are compliant with the regulations or policies that have been issued by the CAC to date, if applicable.[4]

The SEC staff has noted the increasingly frequent occurrence of cyber incidents, which may cause registrants to incur significant remediation and other costs for (1) direct damages (both real and reputational), (2) the impact on their customers, and (3) increased protection from future cybersecurity attacks. To help combat these threats, the SEC announced on September 25, 2017, the formation of a Cyber Unit within the Commission’s Division of Enforcement to target cyber-related misconduct.

As part of the SEC’s focus on cybersecurity this past year, the SEC staff has also asked registrants to discuss increased cybersecurity risks stemming from the Russia-Ukraine war (see Section 3.3.2.2 for other considerations related to the disclosure of risks associated with that war).

On July 26, 2023, the SEC issued a final rule that requires registrants to provide enhanced and standardized disclosures regarding “cybersecurity risk management, strategy, governance, and incidents.” The SEC’s focus on cybersecurity disclosures is not new; previously, the SEC had issued (1) the Division’s October 13, 2011, interpretive guidance on cybersecurity disclosures, (2) the Commission’s February 21, 2018, interpretive guidance on such disclosures, and (3) the March 9, 2022, proposed rule on which the final rule was based.

The final rule establishes new requirements related to:

Material cybersecurity incidents, which would need to be disclosed on Form 8-K within four business days of their being deemed material. A registrant may delay filing the Form 8-K if the U.S. Attorney General “determines immediate disclosure would pose a substantial risk to national security or public safety.”
Annual disclosures in Form 10-K pertaining to (1) cybersecurity risk management and strategy, (2) “management’s role in assessing and managing material risks from cybersecurity threats,” and (3) “the board of directors’ oversight of cybersecurity risks.”
The presentation of disclosures in Inline eXtensible Business Reporting Language (iXBRL).

All types of periodic SEC filers are affected by the final rule, including domestic registrants, foreign private issuers (FPIs),5 smaller reporting companies (SRCs), and emerging growth companies (EGCs). The final rule includes the following transition provisions:

Disclosures will be required in:6
Form 8-K, Item 1.05, “Material Cybersecurity Incidents”	For all registrants other than SRCs — Starting December 18, 2023. For SRCs — Starting June 15, 2024.
Regulation S-K, Item 106 (in Form 10-K, Item 1C, “Cybersecurity”)	Beginning with annual reports for fiscal years ending on or after December 15, 2023.

Given the final rule, the SEC staff is expected to continue focusing on cybersecurity disclosures. For further details regarding the final rule, see Deloitte’s July 30, 2023, Heads Up.

3.3.2.2 Russia-Ukraine War

Examples of SEC Comments

We note your disclosures . . . of your businesses in Russia. Please enhance your disclosures in future filings to address the following matters. If you do not believe the impact is material, explain why.
- Describe the impact of Russia’s invasion of the Ukraine on your businesses. In addition to the general impact, please also consider any impact from sanctions and export controls, including whether you will need to evaluate any aspects of your businesses for impairment;
- Disclose any risks that may impede your ability to sell assets located in Russia, including as a result of sanctions affecting potential purchasers;
- Disclose the risk that the Russian government may nationalize your assets and quantify the potential impact to your financial statements;
- Address your risk exposure as the paying agent, charged with receiving and processing payments into bondholders’ accounts for both Russian corporate and government issued bonds;
- Disclose any material reputational risks that may negatively impact your business associated with your response to the Russian invasion of Ukraine, for example in connection with action or inaction arising from or relating to the conflict; and
- Describe the extent and nature of the board’s role in overseeing risks related to the conflict between Russia and Ukraine, to the extent material to your business. These risks could include risks related to cybersecurity, sanctions, the employee base in affected regions, and your reputation in connection with operations or halted operations in affected regions.
Clarify how you have assessed the need for impairment testing of your long-lived assets in Russia, Belarus and Ukraine pursuant to FASB ASC 360-10-35-21 as of [the end of the first quarter of your current fiscal year], and indicate the results of any such testing, and the key assumptions made in arriving at your conclusions.
Describe the sanctions and trade restrictions that have been imposed on operations conducted within Russia, Belarus, and Ukraine, including related entities or persons, explain how you have assessed the applicability of such measures to your operations, and identify any uncertainties associated with your positions of being outside the scope of such measures and the implications of possible changes in those uncertainties and your positions.
Please disclose in future filings whether and how your business segments, products, lines of service, projects, or operations are materially impacted by supply chain disruptions, especially in light of Russia’s invasion of Ukraine. For example, discuss whether you have or expect to:
- suspend the production, purchase, sale or maintenance of certain items;
- experience higher costs due to constrained capacity or increased commodity prices or challenges sourcing materials [(e.g., nickel, palladium, neon, cobalt, iron, platinum or other raw material sourced from Russia, Belarus, or Ukraine)];
- experience surges or declines in consumer demand for which you are unable to adequately adjust your supply; or
- be unable to supply products at competitive prices or at all due to export restrictions, sanctions, or the ongoing invasion; or
- be exposed to supply chain risk in light of Russia’s invasion of Ukraine and/or related geopolitical tension or have sought to “de-globalize” your supply chain.
Explain whether and how you have undertaken efforts to mitigate the impact and where possible quantify the impact to your business.

On February 24, 2022, Russia invaded Ukraine, causing significant geopolitical instability. As the war between these two countries continues, its impact on the economic and global markets is exacerbating ongoing economic challenges, such as rising inflation and supply-chain disruptions. Registrants may need to consider the war’s direct and indirect impacts on their business, which may affect certain financial accounting and reporting matters. As a result, on May 3, 2022, the SEC staff issued a sample letter 7 that outlines its expectation that companies should be providing detailed disclosures about the war to the extent material or otherwise required. The sample letter underscores the need for registrants to evaluate both direct and indirect impacts, including potential or actual disruptions to suppliers, customers, or employees, among other considerations. The sample comments in the letter primarily focus on (1) risk factors, (2) MD&A, (3) ICFR, (4) DC&P, and (5) non-GAAP measures.

For additional considerations and further discussion regarding financial accounting and reporting considerations related to the Russia-Ukraine war, see Deloitte’s March 10, 2022 (updated May 7, 2022), Financial Reporting Alert.

Footnotes

Division Director William Hinman, “Applying a Principles-Based Approach to Disclosing Complex, Uncertain and Evolving Risks,” March 15, 2019.

This type of comment is specifically targeted at SEC registrants that have significant operations in China.

The final rule amends Forms 20-F and 6-K and require FPIs to provide disclosures that are generally consistent with those discussed herein for domestic registrants. Specifically, FPIs must disclose in their annual Form 20-F the board’s oversight of risks from cybersecurity threats and management’s role in assessing and managing material risks from cybersecurity threats. The final rule also requires FPIs to furnish on Form 6-K information on material cybersecurity incidents that they disclose or publicize in a foreign jurisdiction to any stock exchange or security holders.

Adoption dates applicable to FPIs for disclosures in Form 6-K are consistent with Form 8-K, Item 1.05, and disclosures in Form 20-F are consistent with Item 106.

Sample Letter to Companies Regarding Disclosures Pertaining to Russia’s Invasion of Ukraine and Related Supply Chain Issues.