BDO Knows: Technology

December 2016


Public Company Board Members Worry about Cybersecurity Risks as Internet of Things, Virtual Reality Grow   


The unprecedented Distributed Denial of Service (DDoS) attack in October that caused outages for some of the biggest names in tech, from Twitter to Box to Spotify, underlines the rising cybersecurity risk technology companies face. Not only are cyber-attacks growing in frequency and sophistication, innovations like the Internet of Things (IoT) and virtual reality present new attack vectors and vulnerabilities.

In fact, concern around cybersecurity is growing in the board room: 22 percent of board directors report their company experienced a cyber breach during the past two years, according to the BDO Board Survey. The figure, while consistent with last year’s results, has doubled since 2013 (11 percent).

A majority (74 percent) said the board is more involved with cybersecurity than 12 months ago. Most (88 percent) are briefed on cybersecurity at least once annually—34 percent of those individuals are briefed quarterly. 

“The BDO Board Survey has documented the ascension of cybersecurity up the boardroom agenda over the past three years, and more resources are being dedicated to the issue,” said Shahryar Shaghaghi, National Leader of Technology Services for BDO Consulting. “There is measurable progress from a year ago; but still, less than half of board members have identified and developed solutions to protect their critical digital assets, and even less have cyber-risk requirements in place for third-party vendors.”

More boards are recognizing the serious ramifications cyber-attacks can have on their organization, and they are investing more in protecting their companies. Eighty percent of board members said that budgets to defend against cyber-attacks are increasing, up by an average of 22 percent over the past 12 months.

One area to watch: only 27 percent said their company is sharing information on cyber-attacks with entities outside of their business. Over the last two years, there has been a big push from the government and law enforcement organizations to increase public-private information sharing around significant cyber threats. The Cybersecurity Information Sharing Act (CISA), passed in December 2015, made it easier for private sector companies to share intelligence with government agencies, recognizing that more can be done by working collectively to reduce and mitigate threats. Improved collaboration efforts are important, particularly for larger organizations, to protect critical infrastructure and guard against threats to national security.

Tech companies are also finding ways to collaborate with each other to improve security. Earlier this year, several major tech companies (including Uber and Twitter) banded together to form the Vendor Security Alliance (VSA) to establish standards that businesses can use to assess the cybersecurity risks of third-party providers. The VSA recently released its first annual questionnaire to help businesses assess their vendors. Many technology providers are also undertaking Service Organization Control (SOC 2) attestations conducted by independent third-party auditors to help build trust with clients and prospects. (See BDO’s guide to SOC reporting for cloud providers here.)

Reporting Non-GAAP Metrics

As board responsibilities continue to escalate in response to not only this barrage of new cybersecurity risks but also mounting regulatory pressures, the BDO Board Survey points to another key area of concern that should be on technology boards of directors’ radars: reporting on non-GAAP (Generally Accepted Accounting Principles) metrics.

Scrutiny of non-GAAP metrics, unaudited and frequently used in press releases or management discussion and analysis (MD&A) to paint an often rosier financial picture to investors, is intensifying. On May 17, 2016, the U.S. Securities and Exchange Commission (SEC) issued new Compliance & Disclosure Interpretations (C&DIs) on the use of non-GAAP financial measures. A day later, the Public Company Accounting Oversight Board (PCAOB) held a Standing Advisory Group Meeting that included a focus on non-GAAP measures and the role of auditors. Since then, the SEC has sent more than 30 comment letters to companies about their use of non-GAAP metrics and took the rare step of charging two former accounting executives with the misuse of a non-GAAP measure.

Board members believe that while non-GAAP measures can provide important insight into the business, there is also a need for greater due diligence in the process. The BDO Board Survey found that 70 percent of board members believe that all disclosures required in financial statements today can make it confusing to determine what information is most important. Directors believe the most meaningful non-GAAP financial measures are critical audit matters that involve complex judgements on material issues (49 percent), supplemental information on the company’s financial performance (29 percent) and details about the organization’s risk management strategy (19 percent). A majority (67 percent) believe auditing non-GAAP measures could improve investor confidence.

Directors are nearly evenly split on whether additional regulatory guidance on non-GAAP measures would be helpful: 51 percent favor more guidance while 49 percent are against it. Among those favoring guidance, EBITDA causes the greatest concern (46 percent), followed by restructuring costs (14 percent), stock-based compensation (13 percent) and acquisition integration costs (13 percent).

Non-GAAP measures typically have a big influence on executive pay as well. Not surprisingly, 74 percent of directors oppose prohibiting the use of non-GAAP measures in executive compensation calculations.

While non-GAAP reporting is a growing risk across all industries, its use is particularly prevalent in tech. According to data from Bloomberg, 80 percent of technology companies in the S&P 500 index relied on non-GAAP profit measures to make their earnings appear higher. In fact, for 70 technology companies in the index, their collective earnings came in 23 percent higher ($239 billion) using their preferred non-GAAP profit methodology than what was reported under GAAP ($194 billion).

While public companies must disclose GAAP figures alongside non-GAAP numbers, a report from the Financial Times (FT) pointed to concerns around the inconsistencies in the reported financials, in addition to the heavy emphasis that Wall Street tends to give to non-GAAP numbers.

For organizations concerned with keeping investor confidence afloat, though, reporting measures outside of GAAP—like Earnings Before Interest, Tax, Depreciation and Amortization (EBITDA)—can be useful tools in presenting a different context for what might otherwise be less-than-stellar financial reports. 

It’s when these measures start to mislead stakeholders, for example by presenting a non-GAAP measure inconsistently between reporting periods, that they run the risk of being fraudulent.
