Financial Implications of a Cyber-AttackPosted: September 25, 2017
The Equifax data theft is only the latest in a long history of data thefts by hackers getting into sensitive information held by companies about their customers, employees, contractors and just about anyone else. Many CPAs think that such issues are the prevue of the ‘IT people.’ But the reality is cyber-attacks have significant financial implications to the companies hacked; and CPAs need to be prepared to determine how the incidents impact the attacked entities financial results.
Clearly, CPAs need to thoroughly evaluate contingent liabilities related to such incidents. Early on, contingent liability evaluations to determine the probability or likelihood of any amounts to accrue are difficult, but ‘difficult’ is not an excuse to avoid undertaking or thoroughly documenting the evaluation. In addition, the question of how much disclosure can and should be made will be a hot topic for the finance team to handle. Another result of the cyber-attack on Equifax was a significant drop in its share price. On the one hand, there is no direct connection between share price and an entity’s financial statements, but there are several indirect impacts.
A drop in share price can impact the accounting for share-based compensation. Any compensation accounted for as a liability will be immediately impacted by lowering the liability. This has the ironic result of increasing net income because a reduction in the liability results in a credit to expense; but it definitely is an impact that need to be accounted for in the entity’s financial results. Less obvious might be the reduction of future tax benefits from the exercise of stock options. If the tax deduction value of option exercises is less than was expensed for GAAP purposes, then the difference between the two amounts will result in an increase in tax expense on the financial statements. The change the FASB recently made means this difference will no longer be handled in an equity windfall/shortfall account, but instead it will go straight to the income statement.
Another area that is impacted by a significant change in share prices is the earnings per share calculation. A change in the share price will impact the number of additional shares in the fully diluted calculation which relies on assumptions about the exercise and potential vesting of stock options, performance shares and restricted stock, as well as the tax benefits on those exercises.
Goodwill impairment testing is another less obvious area that could be impacted by a significant drop in share price. While the valuation of reporting units is independently determined, the sum of the fair values of all reporting units needs to be reconciled to the fair value of the entity as a whole (generally the market cap of the entity plus the value of its external debt). While such comparison usually involves some level of control premium, that premium cannot be too large. Anything approaching 20% or more will be severely scrutinized by not only your auditor, but potentially the SEC.
Any business that suffers a cyber-attack has a lot of work to do to clean up the mess and reassure customers, but as discussed, that work is not limited to operations personal. The Finance team has a lot of work to do as well, and just like operations team needs to plan and prepare for disruptions, the finance team needs to think ahead about all the work they will have to do as well.