A couple of new pieces provide some interesting insights into cyber risk and the effect of the new SEC cyber disclosure rules.
Matt Kelly, formerly of Compliance Week and now the editor of Radical Compliance, shares the news with us each week. One topic he covered at the end of August was A Look at Actual Cyber Disclosures.
He tells us:
…the most contentious part of the SEC’s new cyber disclosure rule is the section requiring companies to disclose “material cybersecurity incidents” within four days of deciding that the incident is material. If we examine what companies have already been disclosing, that might give us all a better sense of the challenges ahead to meet those new and expanded disclosure details.
To answer that question I skimmed through the most recent quarterly filings of S&P 500 firms, looking for any reference to “cybersecurity incident” or “cybersecurity event.” I did indeed find several, so let’s take a look.
The first was:
AmerisourceBergen, the pharmaceutical giant with $238.6 billion in annual sales. Tucked away in the Management Discussion & Analysis of its quarterly report, the company said it suffered a cybersecurity incident at a foreign subsidiary in March 2023. The incident struck a legacy IT platform and disrupted the foreign unit’s operations for roughly two weeks.
AmerisourceBergen didn’t disclose the precise cost of that attack, but it did leave some clues elsewhere in the 10-Q. Specifically, the company said that its costs to recover from the event were a majority of its “Other” expenses listed for both Q2 and the preceding nine months. Those amounts were reported as $2.33 million and $40.54 million, respectively.
Well, do the math. If a majority of those costs were due to the cyber incident, the amount had to be at least $20.3 million, which is 50.1 percent of $40.54 million. (It’s quite possible the actual total was much more than $20.3 million; we don’t know.)
I also looked back to Amerisource’s previous quarterly report for Q1 2023, filed on May 2 of this year, which would have included March 2023 events. It said essentially the same thing: attack at a foreign subsidiary, legacy system knocked down for two weeks, majority of “Other” costs for the quarter.
This disclosure raises some interesting questions about materiality. Clearly a $20.33 million (at least) cybersecurity incident is not quantitatively material to a company with $238.5 billion in revenue — but is it somehow qualitatively material?
Matt questions whether this breach, which cost a significant amount of money, was material. However, he doesn't ask the questions that matter most:
Did the breach cause the company to fail to meet its enterprise objectives, such as revenue and profit targets? Did it have an effect that could change a reasonable investor's decision about buying, holding, or selling their shares?
On August 2, 2023 the company reported:
AmerisourceBergen is updating its outlook for fiscal year 2023. The Company does not provide forward-looking guidance on a GAAP basis, as discussed below in Fiscal Year 2023 Expectations. Adjusted diluted EPS guidance has been raised from the previous range of $11.70 to $11.90 to a range of $11.85 to $11.95.
This was after we were told:
AmerisourceBergen Corporation (NYSE: ABC) today reported that in its fiscal year 2023 third quarter ended June 30, 2023, revenue increased 11.5 percent year-over-year to $66.9 billion. On the basis of U.S. generally accepted accounting principles (GAAP), diluted earnings per share (EPS) was $2.35 for the third quarter of fiscal 2023 compared to $1.92 in the prior year third quarter. Adjusted diluted EPS, which is a non-GAAP financial measure that excludes items described below, increased 11.5 percent to $2.92 in the fiscal third quarter from $2.62 in the prior year third quarter.
I find it hard to believe that the breach was in any way material when it said it was raising revenue projections.
Matt also talked about Ingersoll Rand:
Industrial equipment manufacturer Ingersoll Rand discussed two cybersecurity incidents in its most recent quarterly report: one that had just happened, and another that had happened a while back.
Let’s start with the recent attack. In a section titled “Recent Developments,” Ingersoll had this to say:
On April 27, 2023, the company detected a cybersecurity incident that resulted in a disruption of several of our information technology systems. We immediately launched a thorough investigation with the assistance of external cybersecurity experts to assess and mitigate impacts of the incident. The company proactively took immediate actions to maintain business continuity and to minimize disruption to operations and customers, including isolating systems and implementing workarounds. As a result, we do not expect this incident to have a material impact on our business, results of operations or financial condition. Although an investigation is ongoing, the company is not aware of any confidential customer information having been exfiltrated. If the Company becomes aware of any such information having been exfiltrated, it will make appropriate notifications.
Ingersoll’s other cybersecurity incident peeks out at us from its financial reporting. When the company reported adjusted EBITDA for Q2 2023, it included a $2.2 million adjustment labeled “cybersecurity incident costs.” In a footnote the company further described that item as “non-recoverable costs associated with a cybersecurity event,” whatever that means.
The company reported net income of $180.8 million in the quarter ended June 30, 2023.
Neither breach was even close to being material to an investor. In fact, I wouldn’t think they were material to the executive team or the board.
His final company is Conagra Brands:
Conagra Brands reported a $4.4 million adjustment to earnings for its most recent fiscal year (which ended May 28) under the label “Third-Party Vendor Cybersecurity Incident.”
Its operating profit for Q4 was $433.3 million.
Again, I don’t see this as being material to a reasonable investor.
Matt asks “whether or when a cyber incident might be qualitatively material. For example, was this a mission-critical vendor? Seems possible, since its failure disrupted Conagra’s ability to fulfill customer orders. So how had Conagra assessed its vendors’ cybersecurity? What backup plans were or weren’t in place to activate a backup system?”
Sorry, Matt, a reasonable investor wouldn’t change their investment decision because the backup failed once. If the breach affected “Conagra’s ability to fulfill customer orders” to the extent that it failed to meet the market’s revenue and profit expectations, that would be material.
The impact might have been material according to this report, which said revenues were lower than predicted:
Conagra Brands Inc (CAG) surpassed earnings projections on 7/13/2023 for Q4 2023.
Analyst expectations for Conagra Brands Inc earnings per share (EPS) were at $0.59, with the company surpassing those estimates with a reported EPS of $0.62, leading to a positive surprise of $0.03 per share (5%). Conagra Brands Inc’s earnings were down 5% year-over-year as the firm reported an EPS of $0.65 in its year-ago quarter. The negative annual growth shows the Consumer Defensive company is struggling to find form amid recent economic conditions.
Revenues were downbeat at $3 billion. That is an increase of 2.16% in revenues from the year-ago report and is 0.57% lower than consensus estimates set at $3 billion.
But the company didn’t even mention the breaches in its press release (as reported by Vending Times):
“Our business delivered strong results in fiscal 2023, as we successfully delivered on our priorities to execute inflation-justified pricing, drive gross margin recovery and reduce net leverage while investing to maintain the strength of our brands,” Sean Connolly, president and CEO, said in the press release. “Looking ahead, we anticipate transitioning toward a more normalized operating environment in fiscal 2024 — with easing inflationary pressures and improved supply chain operations — and remain committed to our long-term financial algorithm.”
Doesn’t seem material to me.
PwC has shared a few pieces on the new SEC cyber rules. You can find them all in SEC's new cyber disclosure rule: How to prepare for disclosures in a new era of transparency.
One of the referenced pieces is Making materiality judgments in cybersecurity incident reporting.
They have some good ideas, but don’t start the way I would – by asking:
- What information do investors rely on in making their decisions? Is it just revenue and net income, or are they also interested in market share, new product acceptance, etc.?
- What changes in that information would be material to them?
How is your organization preparing for the new cyber disclosure rules?
Are you involved?