3.3 Disclosures About Risk
The SEC staff continues to expect registrants to provide investors with tailored, comprehensive, and transparent risk disclosures.
3.3.1 Risk Factors
Examples of SEC Comments
- The risk factors that you present appear to apply to nearly any issuer in any industry. Please significantly revise the risk factors to ensure that they are tailored to the [Type A] business.
- This risk factor appears to combine two risks: the general risk of business failure and the company’s lack of a saleable product now and in the future. Please consider revising to present these risks separately.
- Please add a risk factor discussing the going concern, as discussed in [a footnote] to the financial statements.
- We note your risk factor discussion is greater than fifteen pages. Please revise to provide a section with a series of concise, bulleted or numbered statements that is no more than two pages summarizing the principal factors that make an investment in the registrant or offering speculative or risky. See Item 105(b) of Regulation S-K. Please also revise the risk factors section consistent with Item 105(a), including applicable headings.
- Please revise this section to relocate any generic risk factors you present to the end of the section, under the caption “General Risk Factors.” See Item 105(a) of Regulation S-K.
- Reference is made to risk factor disclosures within your definitive proxy statement . . . , where you acknowledge foreign ties and discuss the impact on your ability to complete your initial business combination. Please revise future periodic filings to include the same disclosure.
- We note that in your Form 10-K, you provide a brief risk factor that discusses the potential impact on your business from a substantial decrease in liquidity. However, in the first two reported quarters of [the current fiscal year], you appear to have seen a significant outflow of deposits, an outflow that appears to have been particularly pronounced during the period immediately following [the occurrence of Event A. Nevertheless,] you did not update the risk factor to discuss your actual experiences with changes to your deposit mix, the availability of liquidity or the costs and availability of replacement funding sources, nor did you discuss the significant events that impacted the availability of liquidity. Please revise your risk factors disclosure. Please ensure that your risk factors discussion is updated to reflect significant changes to the risks.
Regulation S-K, Item 105, requires registrants to provide “a discussion of the
material factors that make an investment in the registrant or offering
speculative or risky.” Certain indicators of risk may be present in the
footnotes to the financial statements, in MD&A, or elsewhere in investor
presentations or other periodic filings. The SEC staff commonly requests that
registrants include new or more detailed risk factors specific to matters
identified elsewhere in the filing. Registrants should be diligent in ensuring
that risk factors are (1) comprehensive, (2) related to their particular
circumstances, and (3) updated on an ongoing basis in periodic reports if there
are any material changes.
Further, instead of combining separate risk factors under a single heading and
providing a general discussion, registrants are asked to review each risk factor
heading to ensure that it clearly conveys and adequately describes a separate,
detailed risk to investors. To the extent that generic risk factors are
presented, registrants should disclose them at the end of the Risk Factors
section under the caption “General Risk Factors.” In addition, the SEC staff
requests more specific discussion and enhanced explanations of how the risks
could materially affect the registrant’s business. This discussion may be
supplemented with quantitative information to provide additional context about
the risks. In addition, the staff often asks registrants whether they have (1)
discussed all relevant risk factors and (2) provided sufficient MD&A
discussion when a risk constitutes a material trend or uncertainty.
Item 105 also requires registrants with more than 15 pages of
disclosures in the Risk Factors section to provide a summary of such factors
that must be no more than two pages and consist of “a series of concise,
bulleted or numbered statements . . . summarizing the principal factors.” The
SEC staff commonly requests that registrants include such a summary when
applicable and the disclosure is not included.
3.3.2 Disclosures Related to Complex and Evolving Risks
The SEC has identified certain complex and evolving market risks and encouraged
registrants to evaluate their disclosures of such risks when the risks may be
material to investors. In remarks about evolving market risks
delivered at the Practising Law Institute’s 18th Annual Institute on Securities
Regulation in Europe, then Division Director William Hinman emphasized that the
SEC’s principles-based disclosure requirements related to risk factors and
MD&A “should result in disclosure that keeps pace with emerging issues.”
Emerging risks that have been a recent focus of the SEC include, but are not
limited to, (1) cybersecurity, (2) climate change, (3) crypto assets and
emerging financial technology, and (4) the Russia-Ukraine war and other
geopolitical events. In connection with the Russia-Ukraine war and other
geopolitical events, registrants have also faced supply-chain issues, labor
shortages, inflation, and the effects of rising interest rates. The SEC
continues to monitor public-company disclosures on these topics. For disclosure
requirements specific to risks for China-based operating companies, see
Section 5.3.
At the 2019 AICPA Conference, the SEC staff noted the need for
registrants to make transparent disclosures related to the emerging risks listed
above and other world events that pose risks. Mara Ransom, chief of the
Division’s Office of Trade and Services, emphasized that if registrants expect
the impacts of these evolving risks to be material, they should consider
including disclosures that address:
- How management assesses the risks.
- What management is doing to mitigate and manage the risks.
- What the board’s role is in risk oversight.
While the SEC staff’s remarks above predate current
macroeconomic events, many of the same concepts were incorporated into CFDG
Topics 9 and 9A regarding COVID-19; consequently, registrants may still find
these concepts relevant to the risks associated with other significant events.
Many registrants may already provide disclosures about general risk related to
issues such as potential rising interest rates, supply-chain disruptions,
inflation, natural disasters, war, or pandemics. They should consider updating
such disclosures to (1) clarify when the risk is no longer hypothetical and (2)
provide more specificity about the actual and evolving potential future impact
of such risks. For more information, see Deloitte’s March 25, 2020 (updated
January 11, 2021); December 2, 2021; March 10, 2022 (updated May 7, 2022); and
September 15, 2023, Financial Reporting Alert newsletters.
3.3.2.1 Cybersecurity
Examples of SEC Comments
- We note your disclosure that you continue to face a host of cyber threats; your disclosure that cyber-crimes and denial of service attacks have increased; and your identification of cyber-attacks as a key risk. Please clarify whether you have knowledge of the occurrence of any such attacks in the past. If attacks have occurred, and were material either individually or in the aggregate, revise to discuss the related costs and consequences. Also, describe the particular aspects of your business and operations that give rise to material cybersecurity risks and the potential costs and other consequences of such risks to those businesses and operations. For additional guidance, please refer to CF Disclosure Guidance Topic No. 2 on Cybersecurity.
- In this risk factor you discuss the potential impact of operational risks. Have you suffered any significant losses or other damages as a result of operational risks, or has your controls testing indicated that you have a significant deficiency? Please revise to provide a description of any cyber incidents that you have experienced that are individually, or in the aggregate, material, including a description of the costs and other consequences and to provide the investor with an idea of the likelihood that a risk may impact your results and the potential impact on your assets and earnings. Refer to CF Disclosure Guidance: Topic No. 2.
- We note your risk factor discloses the heightened risk of potential cyberattacks due to the conflict between Russia and Ukraine. Please revise your risk factor to disclose if you have experienced any cyberattacks, explain how cyberattacks could impact your business, and discuss any actions you have taken to mitigate the potential risks.
- In light of recent events indicating greater oversight by the Cyberspace Administration of China (CAC) over data security, please revise your disclosure to explain if and how this oversight impacts your business and to what extent you believe that you are compliant with the regulations or policies that have been issued by the CAC to date, if applicable.[2]
- We note your inclusion of a risk factor discussing risks related to hypothetical data breaches and other cybersecurity incidents. We also note that this risk factor has not been updated to discuss the data breach you suffered . . . . Please provide your analysis supporting the conclusion that this incident did not warrant disclosure or the updating of your hypothetical cybersecurity risk factor. Please also tell us about any ongoing processes by which you are evaluating whether disclosure of cybersecurity incidents is warranted under the federal securities laws.
The SEC staff has noted the increasingly frequent occurrence of cyber incidents,
which may cause registrants to incur significant remediation and other costs
for (1) direct damages (both real and reputational), (2) the impact on their
customers, and (3) increased protection from future cybersecurity attacks.
To help combat these threats, the SEC announced on September 25, 2017, the formation of a
Cyber Unit within the Commission’s Division of Enforcement to target
cyber-related misconduct.
On July 26, 2023, the SEC issued a final rule that requires registrants to
provide enhanced and standardized disclosures regarding “cybersecurity risk
management, strategy, governance, and incidents.” The SEC’s focus on
cybersecurity disclosures is not new; previously, the SEC had issued (1) the
Division’s October 13, 2011, interpretive guidance on cybersecurity
disclosures, (2) the Commission’s February 21, 2018, interpretive guidance on such disclosures,
and (3) the March 9, 2022, proposed rule on which the final rule was
based.
The final rule establishes new requirements related to:
- Material cybersecurity incidents, which would need to be disclosed on Form 8-K within four business days of their being deemed material. A registrant may delay filing the Form 8-K if the U.S. attorney general “determines immediate disclosure would pose a substantial risk to national security or public safety.”
- Annual disclosures in Form 10-K pertaining to (1) cybersecurity risk management and strategy, (2) “management’s role in assessing and managing material risks from cybersecurity threats,” and (3) “the board of directors’ oversight of cybersecurity risks.”
- The presentation of disclosures in Inline eXtensible Business Reporting Language (iXBRL).
All types of periodic SEC
filers are affected by the final rule, including domestic registrants,
foreign private issuers (FPIs),[3] smaller reporting companies (SRCs), and emerging growth companies
(EGCs). The final rule includes the following transition provisions:
| Requirement | Disclosures will be required in:[4] |
|---|---|
| Form 8-K, Item 1.05, “Material Cybersecurity Incidents” | For all registrants other than SRCs — Starting December 18, 2023. For SRCs — Starting June 15, 2024. |
| Regulation S-K, Item 106 (in Form 10-K, Item 1C, “Cybersecurity”) | Beginning with annual reports for fiscal years ending on or after December 15, 2023. |
Given the final rule, the SEC staff is expected to continue
focusing on cybersecurity disclosures. For additional information related to
the disclosures required by the final rule, including comments issued by the
SEC staff on the new requirements, see Section 3.10 and Deloitte’s
July 30, 2023 (updated December 19, 2023), Heads Up.
3.3.2.2 Russia-Ukraine War
Examples of SEC Comments
- We note your disclosures . . . of your businesses in Russia. Please enhance your disclosures in future filings to address the following matters. If you do not believe the impact is material, explain why.
  - Describe the impact of Russia’s invasion of the Ukraine on your businesses. In addition to the general impact, please also consider any impact from sanctions and export controls, including whether you will need to evaluate any aspects of your businesses for impairment;
  - Disclose any risks that may impede your ability to sell assets located in Russia, including as a result of sanctions affecting potential purchasers;
  - Disclose the risk that the Russian government may nationalize your assets and quantify the potential impact to your financial statements;
  - Address your risk exposure as the paying agent, charged with receiving and processing payments into bondholders’ accounts for both Russian corporate and government issued bonds;
  - Disclose any material reputational risks that may negatively impact your business associated with your response to the Russian invasion of Ukraine, for example in connection with action or inaction arising from or relating to the conflict; and
  - Describe the extent and nature of the board’s role in overseeing risks related to the conflict between Russia and Ukraine, to the extent material to your business. These risks could include risks related to cybersecurity, sanctions, the employee base in affected regions, and your reputation in connection with operations or halted operations in affected regions.
- Clarify how you have assessed the need for impairment testing of your long-lived assets in Russia, Belarus and Ukraine pursuant to FASB ASC 360-10-35-21 as of [the end of the first quarter of your current fiscal year], and indicate the results of any such testing, and the key assumptions made in arriving at your conclusions.
- Describe the sanctions and trade restrictions that have been imposed on operations conducted within Russia, Belarus, and Ukraine, including related entities or persons, explain how you have assessed the applicability of such measures to your operations, and identify any uncertainties associated with your positions of being outside the scope of such measures and the implications of possible changes in those uncertainties and your positions.
- Please disclose in future filings whether and how your business segments, products, lines of service, projects, or operations are materially impacted by supply chain disruptions, especially in light of Russia’s invasion of Ukraine. For example, discuss whether you have or expect to:
  - suspend the production, purchase, sale or maintenance of certain items;
  - experience higher costs due to constrained capacity or increased commodity prices or challenges sourcing materials [(e.g., nickel, palladium, neon, cobalt, iron, platinum or other raw material sourced from Russia, Belarus, or Ukraine)];
  - experience surges or declines in consumer demand for which you are unable to adequately adjust your supply; or
  - be unable to supply products at competitive prices or at all due to export restrictions, sanctions, or the ongoing invasion; or
  - be exposed to supply chain risk in light of Russia’s invasion of Ukraine and/or related geopolitical tension or have sought to “de-globalize” your supply chain.

  Explain whether and how you have undertaken efforts to mitigate the impact and where possible quantify the impact to your business.
On February 24, 2022, Russia invaded Ukraine, causing
significant geopolitical instability. As the war between these two countries
continues, its impact on the economic and global markets is exacerbating
ongoing economic challenges, such as rising inflation and supply-chain
disruptions. Registrants may need to consider the war’s direct and indirect
impacts on their business, which may affect certain financial accounting and
reporting matters. As a result, on May 3, 2022, the SEC staff issued a
sample letter that outlines its
expectation that companies should be providing detailed disclosures about
the war to the extent material or otherwise required. The sample letter
underscores the need for registrants to evaluate both direct and indirect
impacts, including potential or actual disruptions to suppliers, customers,
or employees, among other considerations. The sample comments in the letter
primarily focus on (1) risk factors, (2) MD&A, (3) ICFR, (4) DC&P,
and (5) non-GAAP measures.
For additional considerations and further discussion regarding financial
accounting and reporting considerations related to the Russia-Ukraine war,
see Deloitte’s March 10, 2022 (updated May 7, 2022), Financial Reporting Alert.
Footnotes
[2] This type of comment is specifically targeted at SEC registrants that have
significant operations in China.
[3] The final rule amends Forms 20-F and 6-K and requires
FPIs to provide disclosures that are generally consistent with those
discussed herein for domestic registrants. Specifically, FPIs must
disclose in their annual Form 20-F the board’s oversight of risks
from cybersecurity threats and management’s role in assessing and
managing material risks from cybersecurity threats. The final rule
also requires FPIs to furnish on Form 6-K information on material
cybersecurity incidents that they disclose or publicize in a foreign
jurisdiction to any stock exchange or security holders.
[4] Adoption dates applicable to FPIs for disclosures in Form 6-K are consistent
with Form 8-K, Item 1.05, and disclosures in Form 20-F are consistent with
Item 106.