
Form 10-K Risk Factor Disclosure Benchmarking

By Randi Morrison posted 12-17-2023 04:36 PM

  

This report from Deloitte and USC’s Marshall School of Business Peter Arkley Institute for Risk Management presents the results of their analysis of risk factor disclosure practices, both generally and with respect to cybersecurity risk specifically, among 440 S&P 500 companies that have filed three Form 10-Ks between November 9, 2020 and May 10, 2023 (i.e., compliance “Year 3”). November 9, 2020 is the effective date of the SEC’s amendments to Regulation S-K that “modernized,” among other things, the risk factor disclosure requirements.

Among the key takeaways:

Risk factor section generally:

·         Number of pages—Risk factor sections increased from an average of 12 pages before the Reg. S-K amendments to 13.5 as of Year 3 (on par with the second year after the amendments). By sector, Health Care, Real Estate, and Financials companies lead on page count—averaging about 16 pages compared to, e.g., Industrials, which averaged about 10 pages.

·         Number of risk factors—The number of risk factors increased from an average of 30.5 before the Reg. S-K amendments to more than 31.5 as of Year 3, with Real Estate sector companies leading the way at more than 40 risk factors on average, compared to, e.g., about 26 among Materials companies.

·         Risk factor summary—Just under one-quarter of companies in Year 3 included a risk factor summary, which is required by the rule if the disclosure exceeds 15 pages. In the proposed and final rules, the SEC estimated that approximately 40% of filers would be required to provide such a summary. Some companies provide a summary voluntarily. Summaries have averaged 1.5 pages since the rule effective date.

·         Risk factor headings—The average number of risk factor headings in all three years was five, with each heading averaging six risk factors.

·         Heading topics—The most prevalent headings in Year 3 were variants of legal, regulatory, and compliance; business; operational; financial; cyber, information technology, data security, privacy; common stock; economic and macroeconomic conditions; strategic; industry; strategic transactions; indebtedness; human capital; market; intellectual property; international operations; and tax and accounting.

·         “General Risk Factors”—A “General Risk Factors” heading, which per the rule is designed to capture risk factors that could apply to any registrant, was used by one-third of companies each year since the rule’s effective date to encompass an average of about five risk factors. In Year 3, the average number of general risk factors varied widely by industry, with Materials companies averaging about 8 and Industrials companies averaging just over 3.

·         “General Risk Factor” topics—The most prevalent “General Risk Factors” in Year 3 were recruitment and retention of talent/key personnel; natural and man-made disasters/catastrophes; stock price volatility; economic conditions; cybersecurity; litigation and/or regulatory investigation; COVID-19; tax law changes; financial reporting internal control weakness; climate change; inability to pay dividends and/or repurchase shares; exchange rate fluctuations; legal and regulatory compliance; and accounting standard changes.

Cyber-related risk factors:

·         All 440 companies addressed cybersecurity in at least one risk factor, with more than 80% of companies addressing cybersecurity in multiple risk factors.

·         More than half of companies mentioned cyber insurance in their risk factor disclosure.

·         More than 40% of companies affirmatively disclosed that they had not experienced a material cybersecurity event, with over half indicating this was the case “to date” and most of the balance omitting any time-related qualifier. Disclosure varied by sector, as shown here:

·         Just over 10% of companies disclosed information about specific cybersecurity incidents. Of those, only four companies described the incident as “material.”

·         Both the geopolitical landscape and remote work were identified by a number of companies as increasing their cybersecurity risks.

The report also suggests action items for companies to improve their risk factor disclosure.
