Evaluating Materiality in Cybercrime Footnotes

Published date01 January 2016
Date01 January 2016
© 2016 Wiley Periodicals, Inc.
Published online in Wiley Online Library (wileyonlinelibrary.com).
DOI 10.1002/jcaf.22124
Evaluating Materiality in
G. Stevenson Smith
The recent cyber
breaches against
Home Depot,
Staples, and Target
have created a need
to report these inci-
dents in financial
statements. Today,
disclosure notes need
to clearly identify
the cyber security
risks facing a com-
pany’s core business
processes as well as
any material losses
incurred from the
breach. One of the
first footnotes related
to cybercrime disclosures came
from Intel in 2010. The foot-
note has explicit reference to
intrusion that occurred at Intel
as well as the potential effect
on the company’s financial
position from the breach. Such
a footnote should serve as a
model for disclosures about
such events. It states:
We regularly face
attempts by others
to gain unauthor-
ized access through
the Internet to our
information technology
systems by, for exam-
ple, masquerading as
authorized users or
surreptitious intro-
duction of software.
These attempts, which
might be the result
of industrial or other
espionage, or actions
by hackers seeking to
harm the company, its
products, or end users,
are sometimes success-
ful. One recent and
sophisticated incident
occurred in Janu-
ary 2010 around
the same time as
the recently pub-
licized security
incident reported
by Google. We
seek to detect
and investigate
these security
incidents and
to prevent their
recurrence, but
in some cases we
might be unaware
of an incident
or its magni-
tude and effects.
Thetheft and/or unau-
thorized use or publica-
tion of our trade secrets
and other confidential
business information
as a result of such an
incident could adversely
affect our competitive
position and reduce
marketplace acceptance
of our products; the
value of our investment
in R&D, product devel-
opment, and market-
ing could be reduced;
and third parties might
New risks face companies dependent on the
Internet for their core business processes. New
risks come from cyber breaches and attacks
from hackers. The results of these challenges are
requirements for new footnote disclosures. The
article reviews the manner in which those risks
have been reported in financial statements based
on the materiality of the event. Disclosures for
identity theft breaches and bank theft attacks are
considered. Questions are raised as to whether
intangible losses need to be considered in deter-
mining the materiality of a cyber incident as well
as suggestions as to how those losses can be
estimated. © 2016 Wiley Periodicals, Inc.
Editorial Review

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT