One of the requirements recently put forward by the SEC (Securities and Exchange Commission) in its revised rules for cyber risk disclosure by registrant companies in their annual reports is a reduction in "boilerplate" text. This might not be as easy as you think.
Annual reports are published to give shareholders as good a view as possible of the performance of the companies in which they invest, and to enable those investors to understand the risks to their capital, so that they have as much information as possible on which to base their investment decisions. Domestic registrants file these with the SEC as Form 10-K reports; foreign private issuers file a Form 20-F instead.
The SEC is seeking to organise company reporting on cyber risk management better, gathering the key statements into a single dedicated section rather than spreading commentary across the various parts of the 10-K.
The change applies to fiscal years ending on or after 15 December 2023, so every company with a 31 December year-end must include the new section in its next 10-K.
This does not allow much time. And for the companies whose reports we have reviewed, this could be a struggle.
REVIEW OUTCOMES
Previous research has shown us that many companies recycle text year on year in their annual reports. In this instance we wanted to establish whether companies were also borrowing text from their peers (or lending it to them), given the SEC's explicit wish to avoid "boilerplate". We reviewed the reporting of 32 marine companies listed on the NYSE, looking at five key areas of text:
– IMO rules
– GDPR rules
– Russia/Ukraine
– SEC rule changes
– Generic cyber risk commentary
The SEC wants companies to set out how they identify, detect and monitor threats to their cyber systems; it wants to understand the process by which companies decide whether a breach is material; and it would like to see evidence of organisational changes that support the board in discharging its fiduciary duty to protect the assets of the business.
In our analysis, we found that these companies have been sharing and borrowing text liberally from one another. The words themselves say reassuring things, but their extensive repetition across different companies' filings can hardly promote investor confidence. And for those companies whose year ends on 31 December, there is not much time to change.
As ever, please contact us if you would like to discuss things further. #astaaracyber