Investigating the impact of publicly announced information security breaches on corporate risk factor disclosure tendencies

As the reported number of data breaches increase and senators push for more disclosure regulation, the SEC staff issued a guidance in 2011 on disclosure obligations relating to cybersecurity risks and incidents. More recently, on February 26, 2018 the SEC Commission issued interpretive guidance to help assist public companies prepare disclosures regarding cybersecurity risks and incidents. As reported incidents of cybersecurity breaches occur, investors are concerned about the risks associated with these incidents and the impact they may have on financial performance. Although the SEC staff guidance warns public companies to make timely disclosure, recognizing the threat that cybercrime poses to investors in the public markets, it does not go far enough to institute direct measures that would compel companies to reveal the nature and scope of a cybersecurity breach. In light of the lack of specific guidance on cybersecurity disclosure, the aim of this study is to develop a better understanding of the cybersecurity disclosure landscape. The purpose of this study is phenomenological in nature, designed to assess the impact of the 2011 SEC staff guidance on the disclosure of cybersecurity risk factors and provide recommendations for future research following the 2018 SEC Commission’s interpretive guidance. This study analyzes the impact of the SEC guidance by investigating risk factor disclosures both before and after the SEC’s 2011 issuance date. We pay particular attention to organizations that have suffered a data breach, as determined by the Privacy Rights Clearinghouse (PRC). The study uses companies listed on the S&P 500. Results show that there has been a 23 percent increase in the number of firms referencing cybersecurity in the Risk Factor section of the 10-K and that factors such as the size of the firm, prior reported breaches and breach type were predictors of disclosure. The study also found that there is a tendency not to disclose reported breaches in the narrative of the 10-K and that the cybersecurity risk factor disclosures do not include details on actual breaches. The underreporting of cyber incidents may be in part be the result of alternative interpretations of what constitutes a “material” breach. This study should be of interest to the SEC, in particular, as they continue to evaluate cybersecurity guidance in terms of its implementation by corporate filers and as they move toward a cybersecurity disclosure regulation. In addition, as the SEC continues to scrutinize cybersecurity incident disclosures and issue comment letters to public companies with inadequate disclosures, it should be of interest to corporate filers, as well as to investors, analysts and other professionals that are concerned with the informativeness of corporate cybersecurity disclosures particularly as they affect profits

By

We wish to acknowledge the thoughtful comments of Paul Copley and 2010 American Accounting Association Annual Meeting participants on earlier versions of this manuscript. DISCLOSURE TENDENCIES FOR LIFO INVENTORY LIQUIDATIONS We examine the extent of the enhancement of net income resulting from the liquidation of Last In, First Out (LIFO) inventories and whether companies have been transparent in providing disclosure of the positive impact that LIFO liquidations have had on reported earnings. This issue is particularly relevant in light of the recent calls to eliminate LIFO for tax revenue reasons, the controversy surrounding the proposed shift to International Financial Reporting Standards (IFRS) which does not permit LIFO inventory valuation, and SEC rulings and interpretations demanding more disclosure and transparency in the Management Discussion and Analysis (MD&A) section of corporate annual reports. Not unexpectedly, our analysis shows that the percentage effect on income (i.e., materiality) is significant in explaining corporate disclosure tendencies. Despite this finding, we note that none of the material and potentially-misleading disclosures resulted in a modification (either emphasis of a matter or disclosure of a departure from generally accepted accountin

An Analysis of the Impact of Adopting IFRS 8 on the Segment Disclosures of European Blue Chip Companies

Amidst the IASB\u27s post-implementation review of IFRS 8, we examine how the standard\u27s adoption changed the reporting of segments by European blue chips (i.e. companies comprising the top tier index of 14 European stock exchanges). We focus on anticipated benefits articulated in the IASB\u27s Basis for Conclusions and concerns expressed by IFRS 8 opponents. In addition to convergence with U.S. GAAP, IFRS 8 results in the reporting of significantly more operating segments on average. However, most companies report the same number or fewer segments. Refuting claims regarding the loss of geographic data at the entity-wide level, we identify an improvement in the fineness of disclosures and a significant increase in the disclosure of geographic groupings. We do not identify an improvement in consistency of segment disclosures with other sections of the annual report, which is due to the consistency already achieved under IAS 14R. IFRS 8 results in a significant decline in the number of reportable segment information items (notably liabilities) and a significant decline in the reporting of capital expenditures at the entity-wide level. Furthermore, adoption of the standard produces a lack of comparability in segment profitability measures and extensive reporting of non-IFRS measures. However, almost all companies report a measure of segment profitability tied to a number on the consolidated income statement or reconciled to the income statement

Non-GAAP Adjustments to Net Income Appearing in the Earnings Releases of the S&P 100: An analysis of Frequency of Occurrence, Materiality and Rationale

For 2005 through 2010, we examine the extent to which S&P 100 companies provide non-GAAP income measures in their annual earnings releases. Our findings provide insight into the evolving nature and magnitude of the adjusting items characteristic of non-GAAP income measures during the post-Reg G period. We find that the number of S&P 100 companies disclosing a non-GAAP income measure increases significantly from 44% to 60% during our period of study. Based on Gray’s (1980) index of materiality, we find that for each year between 2005 and 2010, the excess of non-GAAP income compared to GAAP income is 18%, 19%, 43%, 61%, 54%, and 45%, respectively. For approximately half of the S&P 100 disclosing non-GAAP income measures, we identify repetitive adjustments for the same item (e.g. restructuring) in multiple years. While none of these companies specifically refer to repetitive adjustments as non-recurring, infrequent or unusual, several include terminology alluding to the use of non-GAAP earnings to evaluate ‘ongoing’ operating trends. Thus, our findings suggest that a change in tone at the SEC has lead to the reappearance of the disclosure of non-GAAP performance measures that the Commission previously considered to be potentially misleading. In January 2010, the SEC relaxed its position on non-GAAP disclosures clarifying that the recurring item prohibition for SEC filings is based on the description of the item adjusted, not its nature. Finally, while most of the S&P 100 providing such disclosures indicate why management believes presentation of a non-GAAP financial measure is useful to investors, the rationales are typically general and broad and accordingly not informative