Tech IPOs: Steering Clear of Common Pitfalls on Your Path to Becoming a Public Company

Key Takeaways:

  • For tech founders, taking a company public can provide significant benefits like increased capital, visibility, and liquidity, but the process is complex and comes with risks, such as increased regulatory scrutiny and reduced control.
  • There are several common pitfalls to avoid during the IPO journey, including underestimating timelines, not building a strong financial foundation, and not having the right leadership in place.
  • Tech companies should focus on a few things to facilitate post-IPO success as a public entity: investor relations, internal controls, and cultural shifts. These maintain trust and compliance across the board.

~

For many tech founders, the prestige and promised rewards of taking a company public are strong motivators to pursue an initial public offering (IPO).

But IPOs, however attractive, are extremely complicated and can be overwhelming — especially if you’re not a transaction expert and have never navigated the full process. Without the right information, tech founders are liable to experience delays, derailments, and disappointments on their road to an IPO.

Are you a tech founder looking to IPO for the first time? Read our guide to understand what the IPO process looks like for tech companies like yours — and what pitfalls you’ll need to avoid along the way.

Should You Go Public?

While an IPO can be a great avenue to grow your business, it isn’t the right strategy for every company — or every founder. To make an informed decision, you need to understand the benefits and drawbacks of pursuing an IPO.

Benefits

  • Increased access to capital. An IPO can offer a massive influx of capital, enabling substantial, accelerated growth.
  • Greater visibility. Going public can improve a tech company’s market visibility and credibility, which can in turn improve brand reputation and recognition.
  • Increased liquidity for shareholders. An IPO allows early investors to cash out, while stock options remain an incredibly attractive incentive for many employees, even during times of market volatility. The stock options unlocked by an IPO can be key to attracting and retaining top talent.
  • Access to a market valuation. Being listed on the stock market means the public markets offer a valuation of the tech company, which may be seen as more objective and credible than a privately sourced valuation.

Drawbacks

  • Greater regulatory and compliance requirements. Publicly traded tech companies are subject to more regulatory and compliance requirements than their privately owned counterparts, and the transition to a publicly traded company can cause compliance costs to skyrocket. Public companies also face scrutiny from regulatory bodies like the SEC. Any mistake, like a reporting misstatement, is highly public and can damage the company’s reputation — and stock price.
  • Less control. Public tech companies must answer to shareholders and regulators, impacting how much control a founder will have over their company. Founders also often find they have less control over their finances after going public, as the IPO process can “lock up” their cash.
  • Vulnerability to market volatility. Market conditions and other external factors can cause stock prices to fluctuate, whereas private company valuations are more insulated from such forces.
  • Increased disclosure requirements. Public tech companies have additional disclosure requirements, which means competitors will have access to more information about the company. This dynamic could impact a company’s competitive advantage in the marketplace.

Are You Asking the Right IPO Questions?

Preparing for an IPO means investigating every aspect of your business. Asking the right questions will help you see beyond the obvious to gain an in-depth understanding of how investors will think about your company and how you can set yourself up for success throughout the IPO process.


Stage 1

IPO Readiness Assessment

A readiness assessment can help you identify gaps or issues that could prevent your organization from successfully operating as a public company. For most tech companies, the readiness assessment will uncover substantial changes required to facilitate a transition to a public company, such as implementing more robust internal controls or developing specialized accounting capabilities in house. BDO recommends clients assess readiness in the following key areas:

  • Accounting & SEC reporting
  • Tax
  • Risk
  • Technology
  • Operations
  • People
  • Financial planning & analysis

Common Pitfalls:

  1. Failure to develop a compelling story. Before a leader even considers pursuing an IPO, they need to create a narrative that gets potential investors excited about the future of the company. They must define success, determine what metrics will be used to track it, and put systems in place to measure and report on progress. These steps are key to securing investor interest and confidence. Common success metrics for tech companies include annual recurring revenue (ARR), customer retention, the Rule of 40, customer acquisition costs, daily active users, and monthly active users.
  2. Overestimating existing resources. Tech companies often fail to understand what resources they already have and what resources they still need to secure. For example, pursuing an IPO requires specialized skills related to investor relations, treasury, income tax, technical accounting, SEC reporting, and internal controls, which most private tech companies don’t have in house. Failing to conduct a proper resource assessment can lead to a delayed IPO filing, as the company will have to make up ground and secure those resources later.
  3. Lack of IPO experience. As they prepare for an IPO, tech founders should prioritize building a leadership team that includes professionals who have experience taking tech companies public. IPO veterans can help guide the rest of the team through the process while identifying and addressing potential issues before they happen.
  4. Relying on private-company experience. Private tech company founders sometimes underestimate the depth and breadth of the requirements that come with going public. They may even make the mistake of believing that a private company approach will be sufficient post IPO. Instead of relying on what they already know, founders must continuously assess their policies, procedures, and governance structures and compare them to public-company requirements to identify and proactively address gaps.
  5. Failure to protect intellectual property (IP). IP is a major asset for many tech companies and can significantly impact their valuations. Before tech leaders take their company public, they must assess their current protections and deploy tactics like developing a strong patent portfolio to ensure their IP is secure.

Stage 2

Roadmap and Program Management

Once you understand your current state, it’s time to develop a roadmap to guide your transformation from a privately held company to a public company. A strong roadmap will require input from numerous people and functions across the company, as well as reasonable estimates around the time and effort required to meet your objectives. Effective program management is critical to developing your roadmap as quickly and efficiently as possible.

Common Pitfalls:

  1. Underestimating timelines. Tech leaders often underestimate the time needed to prepare a company for an IPO, which can take as long as 18-24 months. A successful transformation depends on a realistic and carefully planned timeline. Attempting to rush the process can lead to expensive and public mistakes like financial misstatements.
  2. Missing inputs. A successful IPO process relies on participation from the full organization. Failing to include specific departments or professionals in the roadmap stage can lead to process gaps that later derail progress. For example, failure to include IT in the roadmap stage can lead to errors when it comes time to upgrade or rationalize back-office technology in advance of the IPO filing.
  3. Lack of a change management plan. Poor change management can lead to unnecessary disruption. For example, lack of a change management plan can create employee discontent during the transition, causing the company to lose key talent and disrupting operations at a crucial juncture.

Stage 3

March to IPO

At this stage, your goal is to get ready for the IPO filing, which entails executing your roadmap to prepare your organization to operate as a public company. This is also the point at which you will begin preparing for the IPO filing process itself, including selecting an underwriter, pricing the IPO, and conducting a roadshow.

Common Pitfalls:

  1. Failure to build a strong financial foundation. Tech companies preparing to go public need to review their financial statements to verify they are accurate, audited, and up to date. Many tech leaders opt to review three years of financials, even if regulations allow for fewer, to help bolster investor and regulator confidence. Failure to build a strong financial foundation can delay SEC filings, which may impact filing status and result in expensive fines.
  2. Inadequate pro forma reporting plans. Tech company leaders must vet their post-IPO reporting plans against SEC reporting rules to ensure they will meet all relevant requirements. They must also design a comprehensive reporting process, building in checks and balances to ensure all numbers are accurate.
  3. Misaligning compensation structures. As tech leaders revisit their compensation structures, they must make sure that compensation plans don’t conflict with shareholder interests. For example, option-based compensation for CEOs can encourage excessive risk-taking behavior that may damage customer relationships and firm performance, decreasing shareholder value.
  4. Skipping the trial run. Tech companies should practice operating like a public company before filing for an IPO. This trial run can help uncover hidden or overlooked issues like a lack of uniform controls and reporting policies. Companies that skip the trial run often find themselves surprised by requirements and challenges post IPO, which can take significant time and money to address.

Stage 4

Post-IPO Support

After the IPO has been filed, it’s time for your tech company to start operating as a public company. At this stage, you need to ensure you are delivering on your promises, managing expectations with your new shareholders, and meeting your new reporting requirements as a public company.

Common Pitfalls:

  1. Lack of forecasting capabilities. As private companies transform themselves to prepare for an IPO, they need to adopt strong revenue forecasting capabilities. Unfortunately, newly public tech companies often struggle with revenue forecasting, which can cause investor distrust and reputational damage.
  2. Failure to maintain investor relations. Investor expectations will expand after going public, as shareholders await regular updates on company performance. Failing to build strong relationships with investors through proactive, comprehensive communication can breed mistrust.
  3. Failure to manage the cultural shift. When private tech businesses transition into public companies, a major cultural shift often follows. Failure to manage that shift correctly can lead to employee dissatisfaction and talent retention issues.
  4. Poor internal controls. Once a tech company goes public, it will have to comply with new reporting requirements and regulations, notably Sarbanes-Oxley (SOX). Prior to filing the IPO, the company should have all necessary internal controls in place — without them, the company may experience issues like material misstatements that can negatively impact stock price.

How MGO Can Help

There’s no question that going public is an exciting “next step” in your company’s evolution. With an IPO comes additional opportunities to transform the business, but it can also come with more challenges. MGO’s team is here to support you at every stage, from IPO planning and readiness assessments to execution and post-IPO acquisition services.

With today’s rapidly evolving technology, you want to stay at the forefront of developing products that transform how we work, think, and engage with the world. Reach out to our Technology team today to find out how we can help you achieve your goals.


Written by Hank Galligan and Jim Clayton. Copyright © 2024 BDO USA, P.C. All rights reserved. www.bdo.com

Essential IPO Questions: Your Comprehensive Checklist

Key Takeaways:

  • Proactive planning means focusing on the “how” instead of just the “what” — turning basic questions into actionable strategies for effective implementation.
  • An ecosystem perspective involves considering the broader impact on third-party stakeholders to ensure the entire supply chain is prepared for going public.
  • Holistic risk management requires cross-functional collaboration to coordinate risk mitigation, enhancing organizational resilience against new public company risks.

Preparing for your initial public offering (IPO) means investigating every facet of the business — not only to obtain the best possible valuation, but also to make the changes necessary to operate as a public company and achieve long-term growth. Asking the right questions can help you see beyond the obvious, illuminating factors you may have otherwise overlooked and setting your organization up for post-IPO success.

Here are five ways to take common IPO questions from a basic 101 level up to a more advanced 201 to deepen readiness and unlock new value.

IPO Checklist: 5 Ways to Level Up Your IPO Questions

1. Ask “How”, Not “What”

Don’t plan passively. Approach key questions in a way that mandates proactive action rather than reactive changes. A seemingly small alteration — a “how” instead of a “what” — can transform a basic inquiry into a forcing function that spurs teams to take concrete steps.

  • 101: What new reporting obligations will we face as a public company?
  • 201: How can we resource and connect our finance, IT, and legal teams to meet new reporting requirements on time and without misstatements?

While the 101 question can establish new reporting needs and responsibilities, the 201 question goes further, pushing leaders to actively plan toward these goals.

2. Think About Your Ecosystem, Not Just Your Organization

Going public brings scrutiny from new stakeholders, such as boards, shareholders, and regulators. It is no longer enough for leaders to focus on their organization alone. Instead, they must broaden their perspective to consider the effects of all changes — new regulations, reporting requirements, cybersecurity risks, and more — on their third-party ecosystem.

  • 101: What new laws and regulatory bodies apply to our business as a public company?
  • 201: Are we prepared to validate that our third-party providers, in addition to our own organization, are complying with any new requirements?

Answering the 201 question requires looking beyond the organization to consider the risks posed by third-party partners. Financial institutions, for example, will need to verify that any third-party service providers comply with existing consumer protection laws under Dodd-Frank.

Cutting across all industries, the Securities and Exchange Commission (SEC) adopted new rules in 2023 requiring public companies to disclose any material cybersecurity intrusions or breaches, as well as information about their cyber risk management, governance, and security. Companies pursuing an IPO must prepare to comply with these new requirements themselves and be ready to validate that any third-party providers can also remain compliant.

3. Adopt a Holistic View of Risk

Effective risk management requires cross-functional cooperation and communication. No matter the business area — cybersecurity, operations, supply-chain management — identifying risks is not enough; nor is simply naming the strategies to mitigate risks.

  • 101: What new risks are most relevant to our business as we prepare for operations as a public company?
  • 201: What is each department’s risk mitigation responsibility, and where are there opportunities for coordination?

Every department has a role to play in risk mitigation. Clearly defining those roles and the interconnections between them can build resilience in the lead up to an IPO and help companies adapt to new risks after going public.

4. Move from the Abstract to the Specific

Tailoring approaches to specific objectives will help you manage more variables and define what kind of public company you want to be. Whenever possible, leaders should design questions to address specific challenges, rather than using general terms.

  • 101: Who are the new stakeholder audiences (e.g., board members and regulators) with whom we need to establish communications as a public company?
  • 201: How will we communicate with board members, shareholders, and regulators? What tools, channels, and reporting structures will we build?

The 101 question identifies an important consideration, but it stops there. The 201 question addresses finding and filling in the gaps. You can use what you know to pave the way toward learning what you don’t.

5. Think About Your Price on Day 100

The IPO is not an end-state; it is the beginning of a new chapter. Every action taken in service of a public offering must also include a path to further growth.

  • 101: How do we obtain the best possible valuation for our company?
  • 201: How can we leverage our momentum to improve our valuation 100 days after going public?

The 101 question speaks to an important need, but its focus is limited. Success as a public company demands growth beyond the IPO event. Asking the 201 question can help you embed a future-focused mindset into all planning decisions. The day one valuation matters, but so does valuation on day 100 — and beyond.

How MGO Can Help 

Navigating the complexities of an IPO requires guidance and a comprehensive strategy. MGO’s Transaction Advisory Services team supports you throughout the process, from proactive planning to risk management, so that your entire ecosystem is ready for the transition. Reach out to our team today to discover how MGO can help you achieve your long-term growth objectives and post-IPO success.


CFOs and CISOs: Boost Your SEC Cybersecurity Compliance with These 5 Best Practices

Key Takeaways:

  • New SEC cybersecurity rules require public companies to disclose material cybersecurity incidents, risk management processes, and governance.
  • Determining “materiality” of cyber incidents for disclosure is challenging and requires close collaboration between CISOs providing technical context and CFOs/executives making final determinations.
  • To comply, companies should take steps such as designating accountable leadership, adding specialized cybersecurity knowledge, and updating financial processes.

~

For years, chief financial officers (CFOs) could afford to be removed from the daily cybersecurity efforts led by chief information security officers (CISOs). But, with new Securities and Exchange Commission (SEC) cybersecurity rules, those days are gone.

Adopted on July 26, 2023, the SEC’s “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” rules recognize cyber incidents can significantly impact public companies’ operations, finances, and reputations. The requirements push companies to be more transparent and accountable about cybersecurity.

While compliance with these rules falls squarely on publicly traded organizations, the impact extends to private-owned companies as well. If your company is a vendor or partner to public firms, you can expect inquiries and audits to verify you meet their security standards. Liabilities and risks permeate the entire supply chain.

SEC Cybersecurity Disclosure Requirements

If you are a public company, what do you need to report under the new rules? Here are the main requirements:

Cybersecurity Incident Disclosure

  • Report within four business days of determining the incident is “material”
  • Describe the nature, scope, timing, and impacts (or potential impacts)
  • Note any undetermined details at time of filing
  • Compliance required for SEC registrants as of December 18, 2023; smaller reporting companies (SRCs) have until June 15, 2024, to comply

Annual Risk Management & Strategy Disclosure

  • Outline processes to identify, assess, and manage material cyber risks
  • Explain how these processes integrate with overall risk governance
  • Detail impacts from previous material incidents
  • Disclose use of third-party security consultants/auditors and procedures
  • Compliance required for all registrants (including SRCs) beginning with annual reports for fiscal years ending on or after December 15, 2023

Annual Governance Disclosure

  • Describe board oversight and committee responsibilities for cyber risk
  • Identify management roles accountable for cybersecurity programs
  • Specify escalation protocols to board/committees on cyber issues
  • Compliance required for all registrants for fiscal years ending on or after December 15, 2023

Determining Cybersecurity “Materiality”

A central tenet of the SEC guidelines is the “materiality” concept regarding incident reporting. Essentially, cybersecurity events are considered “material” and require disclosure if they could sway investment decisions or shareholder votes. Think of materiality as anything significant enough to concern your board and executive team.

The tricky part is that materiality determinations do not solely rest with technology and security leaders. Corporate officers and boards make the ultimate call, despite often lacking full context into security event ramifications on financials and operations. Bridging this disconnect through close CISO collaboration is critical to set appropriate disclosure thresholds aligned with your company’s true risk profile. Ideally, final decisions should also be independently verified by an outside, nonbiased service provider.

The SEC final rule also makes extensive (more than 40) references to “third party” impacts. A breach or attack affecting a key vendor could very well represent a material event for your organization that necessitates SEC disclosure. Do not let third-party cybersecurity shortcomings undermine compliance.

Best Practices to Comply with New SEC Cybersecurity Rules

While no one-size-fits-all checklist exists, your company and relevant vendors should consider these best practices on the path to cybersecurity rule compliance:

1. Designate Accountable Leadership

Empower specific business leaders as security program owners, not just technical teams. These individuals need to establish clear reporting and communication between security operations and the board/C-suite. Executive working sessions focused on cybersecurity scenario planning are also advised.

2. Add Cybersecurity Knowledge

The rules do not explicitly require it, but it is wise to have dedicated cybersecurity oversight at the board level. Bringing in third-party advisors can help boards understand cyber responsibilities and implement improved processes. This knowledge is often lacking today despite its importance.

3. Update Financial Processes

The speedy 8-K cybersecurity incident reporting necessitates updates to disclosure management procedures. Public companies should already have 8-K drafting processes, so adjusting for cyber specifics presents a modest lift. The key is removing bottlenecks to rapidly describe incident details.

4. Dedicate Compliance Resources

CISOs in many companies oversee skeletal teams lacking the bandwidth for major initiatives like interpreting new regulations, implementing new disclosure processes, conducting risk assessments, and more. Ensure your team has the resources needed to achieve compliance.

5. Build Cybersecurity Culture

Equip your leadership team, board, and financial executives with a comprehensive understanding of cyber risks and disclosure nuances. Implement ongoing education and guidance programs to keep them well-versed in cybersecurity threats, response procedures, and the latest developments in the field.

How MGO Can Expedite Your Compliance Journey

The SEC cybersecurity rules are a wake-up call to take cyber preparedness as seriously as any other existential risk to your organization. Let our team of security, financial, and regulatory professionals guide you toward proactive, comprehensive compliance. Reach out today to discuss your roadmap.

How to Elevate Your Company’s IPE Documentation to Optimize SOX Compliance

By Jonathan Bayeff, CPA & Cesar Reynoso, CPA

Executive Summary:

  • The Sarbanes-Oxley (SOX) Act established stricter financial reporting requirements for public companies, leading to increased scrutiny of Information Produced by the Entity (IPE).
  • IPE carries different levels of risk depending on whether it is system-generated or manually prepared. Strong documentation is key to validating the completeness and accuracy of IPE.
  • Best practices for IPE documentation include identifying the source, parameters, and format of reports; validating totals and counts; retaining screenshots; and having knowledgeable reviewers.

~

Passed by Congress in 2002, the Sarbanes-Oxley (SOX) Act revolutionized public company audits by introducing financial reporting requirements aimed at increasing transparency and preventing fraud. Most notably, the SOX Act established the Public Company Accounting Oversight Board (PCAOB), a nonprofit organization that oversees the audits of public companies to protect investors and further the public interest in the preparation of informative, accurate, and independent audit reports.  

The PCAOB refines its auditing standards annually and, in recent years, the organization has placed greater scrutiny on the work of external auditors. To keep up with PCAOB compliance, external auditors have imposed more rigorous documentation requirements on companies. As a result, companies have felt pressure to provide more expansive Information Produced by the Entity (IPE).

If external auditors have applied greater scrutiny on your reporting, you may be wondering: What level of documentation is sufficient? How can you improve your documentation to avoid deficiencies and provide greater clarity? In this article, we will discuss: 1) what IPE is, 2) the risks associated with different IPE, and 3) how to document your IPE thoroughly.

What is IPE?

IPE is any information created by a company used as part of audit evidence. Audit evidence may be used to support an underlying internal control or as part of a substantive audit. Although there are documentation and risk severity differences between system-generated and manually prepared IPE, the fundamental questions that need to be addressed are the same:

  1. Is the data complete?
  2. Is the data accurate?

Risk Levels of Different IPE

Here is an overview of how risk levels vary for different types of information you report to auditors:  

Low Risk

“Out of the box” reports carry the lowest risk. These reports are also referred to as “standard” or “canned” reports. Standard reports have been developed by software companies — such as Oracle NetSuite, QAD, or SAP — as part of their enterprise resource planning (ERP) systems. Typically, the end user (you) and even your IT team cannot modify these reports. Given the constrained editability, greater reliance is placed on these reports.   

Medium Risk

Custom reports are typically driven by the business team and developed in-house by your company’s IT team. When your company’s ERP system does not have a report that would provide sufficient data, the in-house developers create a custom report. The IT team follows its change management process when developing the requested report. If the report results do not align with your business team’s expectations, the query is refined, and the process is repeated until it does.

High Risk   

A manually prepared workbook or an ad-hoc query is inherently the riskiest documentation. A manually prepared workbook may be a debt reconciliation prepared by your staff accountant, or a list of litigations the company is involved in drafted by your legal department. Given that these are manually drafted, the margin of error may be high.

An ad-hoc query is considered high risk since the report is not subject to IT General Controls (ITGC) testing. The end user may input any parameters to generate the report. Since no control testing is performed by your company, external auditors would need to rely on their own IT team to vet the nonstandard query. 

How to Document IPE? 

Your documentation will vary to a certain degree depending on whether the IPE is manually prepared or system generated. In either case, it is important to be as thorough as possible when documenting your procedures.  

Manual IPE

For a manually prepared workbook, provide thorough documentation about the origins of the data. It is ideal to have someone who is privy to the information review the workbook.  

When the reconciliation is comprised of debt instruments, the reviewer should do the following:   

  1. Match the list of individual debt instruments to the signed agreements.
  2. Validate the reconciliation and each individual schedule for mathematical accuracy.
  3. Confirm ending principal balances with creditors (where possible).

If the list consists of litigations compiled by the legal department, the reviewer should do the following:   

  1. Send confirmations to outside counsel (where possible).
  2. Obtain a list of commitments and contingency journal entries made to an accrual.

These additional steps provide greater comfort that the list compiled is complete and accurate.   

System-Generated IPE

For system-generated IPE, there are a handful of questions to keep in mind:   

  1. Have you identified the report or saved search that was used?
  2. What parameters were used to generate this report?
  3. In what format is the data exported?
  4. After you run your report and confirm the parameters are correct, what format should be utilized for your export?

Exported Data

Most ERP systems allow the exporting of data in the following four formats:   

  1. PDF (portable document format)
  2. Excel
  3. CSV (comma-separated values)
  4. Text file

One major drawback in an Excel, CSV, and text file is that, by their nature, they are editable upon export. An additional drawback of a text file is that it does not contain formatting. As the volume of data grows, proving out the completeness and accuracy becomes more challenging. For these reasons, a PDF export is typically preferred.  

After the data is exported in one of the four formats, you want to ensure that it agrees back to the system (completeness and accuracy). Here are a few ways to do that:     

  1. Does the exported data have dollar amount totals? If so, agree the total dollar amount to the system.
  2. Does the exported data have hash totals? An example of a hash total is employee ID numbers, which in aggregate have no real value other than providing confirmation that the data is complete and accurate.
  3. Does the report have a total line count? If totals are not available, line counts may be used. However, it is important to note that while the line count may agree, the data itself could have still been inadvertently manipulated.
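The three checks above (dollar totals, hash totals, line counts) can be scripted so a reviewer re-derives them from the exported file and agrees each one back to the control totals captured from the system screen. The following is an added example, not code from the article or from MGO; the CSV export, the column names (`employee_id`, `amount`) and the system control totals are all constructed for illustration. It also shows the caveat in the third item: an edited export whose line count still agrees is caught only by the dollar or hash total.

```python
"""Agree an exported IPE file back to the system's control totals (added example)."""
import csv
import io
from dataclasses import dataclass
from decimal import Decimal

# Constructed sample export from an ERP saved search (hypothetical data).
EXPORT_CSV = """employee_id,vendor,amount
1001,Acme Supply,1250.00
1002,Northwind,300.50
1003,Contoso Parts,975.25
1004,Globex,42.00
"""

# Control totals the reviewer read off the ERP report screen (and screenshotted).
SYSTEM_CONTROLS = {
    "line_count": 4,
    "dollar_total": Decimal("2567.75"),
    "hash_total": 4010,  # sum of employee_id values; meaningless by itself
}

# Constructed edits to the export: same line count, but one amount changed...
TAMPERED_AMOUNT_CSV = EXPORT_CSV.replace("1004,Globex,42.00", "1004,Globex,420.00")
# ...or one ID changed while every amount (and therefore the dollar total) is unchanged.
TAMPERED_ID_CSV = EXPORT_CSV.replace("1004,Globex,42.00", "1009,Globex,42.00")


@dataclass
class ControlTotals:
    line_count: int
    dollar_total: Decimal
    hash_total: int


def compute_control_totals(csv_text, id_field="employee_id", amount_field="amount"):
    """Re-derive the three control totals from the exported data."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # Decimal, not float: reviewers must agree amounts to the cent.
    dollar_total = sum((Decimal(r[amount_field]) for r in rows), Decimal("0"))
    hash_total = sum(int(r[id_field]) for r in rows)
    return ControlTotals(len(rows), dollar_total, hash_total)


def reconcile(csv_text, system_controls):
    """Return {check: agreed?} for each control total against the system values."""
    derived = compute_control_totals(csv_text)
    return {
        "line_count": derived.line_count == system_controls["line_count"],
        "dollar_total": derived.dollar_total == system_controls["dollar_total"],
        "hash_total": derived.hash_total == system_controls["hash_total"],
    }


def export_agrees(csv_text, system_controls):
    """True only when every available control total agrees back to the system."""
    return all(reconcile(csv_text, system_controls).values())


if __name__ == "__main__":
    for label, text in [("clean", EXPORT_CSV),
                        ("amount edited", TAMPERED_AMOUNT_CSV),
                        ("id edited", TAMPERED_ID_CSV)]:
        print(label, reconcile(text, SYSTEM_CONTROLS))
```

Run against the clean export all three checks agree; against either edited file the line count still agrees while one of the totals does not, which is exactly why a line count alone is the weakest of the three checks.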

Screenshots of Data

Retaining screenshots is imperative for documentation. A detailed screenshot should include some (if not all) of the following:  

  1. Totals (dollar amounts, hash totals, etc.)   
  1. Line count   
  1. Parameters utilized 
  1. Time and date stamp 

The first three items validate the completeness and accuracy of the exported data. The fourth item confirms when the report was run and if it was timely. There are many reports that are point-in-time and may not be recreated at a future date. Knowing the constraints of the reports you use is important. Retaining screenshots cannot be overemphasized, especially for point-in-time reports.   

Certain ERP systems or online portals do not provide a preview of the report prior to the export. This puts a constraint on the validation of completeness and accuracy, as it inhibits screenshots from being taken. In this case, as part of the review, the reviewer should re-run the report and validate that the original report used matches the information in the re-run report.

Strengthen Your SOX Compliance by Implementing Best Practices  

There is no perfect science to IPE documentation. But the end goal is to be as detailed as possible. By simply focusing on the fundamental questions and ensuring that your documentation addresses them, your documentation will inevitably improve.   

Developing best practices for your team is the cornerstone for any successful audit. Ensure you have the right guidance to make it happen. Our Audit and Assurance team can tailor a SOX environment to meet your needs. Contact us today to learn more.

SEC Adopts Rules on Cybersecurity Risk Management

Executive Summary

  • The Securities and Exchange Commission (SEC) is promoting the enhancement and standardization of registrants’ disclosures related to cybersecurity risk management, strategy, and governance by adopting rules that require public companies to disclose “material” cybersecurity incidents on Form 8-K within four business days of determining that the incident is material.
  • The SEC wants to know: the processes the companies use to assess, identify, and manage cybersecurity risks, as well as the board’s oversight of such risks and management’s role in assessing and managing those risks.
  • The rules apply to nearly all registrants that file periodic reports with the SEC (including foreign private issuers and smaller reporting companies).
  • Registrants must also include their risk management, strategy, and governance disclosures in annual reports for fiscal years ending on or after December 15, 2023.

The SEC wants public companies to be more transparent with their investors about cybersecurity. On July 26, 2023, it voted 3-2 to adopt new disclosure rules to promote clarity surrounding “material” cybersecurity incidents and what is being done to address them. Companies must report a material incident on Form 8-K within four business days of determining that it is material.
A delay is permitted only if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.

Defining “material” disclosures

According to the U.S. Supreme Court, a piece of information is material to investors when its disclosure “would be viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.”

Why is the SEC implementing this rule change?

The SEC seeks to protect companies and investors as cybersecurity incidents have increased in number and sophistication in recent years. In their fact sheet they note: “Cybersecurity risks have increased alongside the digitalization of registrants’ operations, the growth of remote work, the ability of criminals to monetize cybersecurity incidents, the use of digital payments, and the increasing reliance on third party service providers for information technology services, including cloud computing technology (…) All of these trends underscored the need for improved disclosure.”

But many companies and industry groups contested the rules during the comment period, arguing that this short disclosure window is unreasonable, and that a disclosure made mid-incident could reveal unremediated weaknesses that other attackers could exploit while the company is still responding.

What are the requirements for risk management, strategy, and governance disclosures?

The rules impose two separate disclosure obligations. First, a material cybersecurity incident must be disclosed on Form 8-K within four business days of the materiality determination, describing the nature, scope, and timing of the incident and its material impact (or reasonably likely material impact) on the company. Second, annual reports on Form 10-K (Form 20-F for foreign private issuers) must describe the company’s processes for assessing, identifying, and managing cybersecurity risks, the board’s oversight of those risks, and management’s role and expertise in assessing and managing them.

How will the SEC cybersecurity rules affect you?

The SEC has observed that previous cybersecurity announcements have been inconsistent and inadequate.

Many public companies already have plans in place to share sensitive information about their cyber incidents with federal agencies such as the FBI. In 2022, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which will require covered critical infrastructure entities to report covered cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours once CISA’s implementing rules take effect. The materiality-based SEC clock and the incident-based CISA clock start at different moments and run to different recipients, so the overlapping obligations could prove confusing and time-consuming.

Ultimately, all public companies need robust internal controls and reporting systems to maintain compliance with the SEC requirements: in particular, a documented process for escalating an incident to the people who make the materiality determination, since the four-business-day clock starts with that determination. This assumes issuers already have mature cybersecurity technology and processes in place. If not, they will need to build these functions out to minimize the fallout from investors and regulators when those gaps become visible in their reporting.

The SEC strives to protect investors, which isn’t a bad thing. However, the enforcement of these new rules may not be the most logical option to do so.

Ultimately, the question may not necessarily be how many days you should take to disclose your breach but who should actually be regulating cybersecurity, and who has the authority to call the shots. Cybersecurity is no longer a “nice to have” function in an organization.

How we can help

It’s important to stay vigilant to protect your organization from risk and maintain compliance. Our Technology and Cybersecurity Practice can help verify you are compliant and strengthen your overall cybersecurity, so these incidents are less likely to occur. And, if they do, you’ll be ready to mitigate risks sooner— and make progress towards compliance with the SEC’s new rules.

If you are ready to assess your cybersecurity posture, or you have questions about how the SEC’s new requirements could affect you, schedule a conversation with our Technology and Cybersecurity team today.