What You Don’t Disclose Can Hurt You: The Power of Proactive Risk Factor Disclosures
With evolving regulations and emerging risks—including tariffs, DEI-related controversies, and cybersecurity concerns—some public companies are refining their approach to assessing and updating risk factor disclosures. Beyond mere regulatory compliance, keeping risk factor disclosures updated can serve as a critical safeguard against regulatory investigations and shareholder litigation. In this week’s blog, my partner Lenin Lopez briefly outlines the SEC’s risk factor disclosure requirements, how some companies are updating their risk factors beyond their annual reports on Form 10-K, and the benefits of a quarterly approach. —Priya Huskins
The number of risks that public companies must contend with has always been a moving target. Add the new complex business risks we are seeing lately—including social, economic, and geopolitical changes—and you are looking at a recipe for disclosure disaster if you mindlessly stick to the old playbook.
Allow me to clarify.
The US Securities and Exchange Commission (SEC) requires US publicly traded companies to disclose, in certain reports that they file with the SEC, the material risks that might make an investment in their company’s securities (e.g., common stock) speculative or risky. Failure to adequately assess, describe, and update these risks can expose companies to regulatory enforcement and subject directors and officers to lawsuits.
This article will:
- Briefly explain the SEC’s risk factor disclosure requirements
- Explain why some public companies should consider changing their risk factor reporting strategies
- Examine how one company—Target—handled the disclosure of a sensitive and emerging risk
- Outline a few takeaways for boards and management teams to enhance their risk disclosure strategies

SEC Risk Factor Disclosure Requirements: A Quick Background
From a risk factor disclosure perspective, pre-2005 was the Wild West. An overstatement? Perhaps, but public companies weren’t required to include risk factors in their periodic reports. So those lengthy risk factor sections we are accustomed to seeing in company annual reports on Form 10-K every year were strictly voluntary.
Without specific guidance to serve as a North Star, companies fashioned their own approaches to disclosing risks. Some dedicated particular sections in their Form 10-K to discuss risks while others opted to sprinkle the discussion throughout.
In 2005, the SEC adopted new disclosure requirements requiring risk factor disclosure in Form 10-Ks, as well as updates to previously disclosed risk factors in quarterly reports on Form 10-Q. The rationale for the move was that the new disclosure requirements would promote investor protection by helping investors better assess the risks a company faces or may face in the future. Another goal was to ensure risk factor disclosures were made in a more consistent and comparable way.
If this sounds familiar, it may be because the same general rationale was given in the context of the SEC’s cyber disclosure rules.
Since 2005, the SEC has adopted amendments to modernize and streamline risk factor disclosure. The SEC has also issued guidance on how companies should consider assessing and disclosing particular risks, like those related to cybersecurity, COVID-19, and Russia’s invasion of Ukraine.
Today, the SEC, investors, and plaintiffs’ attorneys are more actively scrutinizing risk factors, especially regarding artificial intelligence, climate change, and cybersecurity. This means companies need to regularly assess whether their risk factor disclosures need to be amended to reflect any material updates.
How frequently should companies assess and update their risk factor disclosures?
The SEC’s guidance on this point has been clear. In 2005, the SEC said that companies didn’t need to restate or repeat their risk factors in their Form 10-Qs; rather, companies should update the risk factors in Form 10-Qs to reflect any material changes from previously disclosed risks. Some companies, to their detriment, may have interpreted this guidance to mean that they only need to evaluate risk factor disclosure on an annual basis in connection with their Form 10-K.
On the other hand, and despite the SEC indicating that companies didn’t need to restate or repeat their risk factors quarterly in their Form 10-Qs, many have incorporated that practice into their own disclosures. There are good reasons to consider that approach.
Quarterly Restating and Repeating Risk Factors: A Strategic Approach to Risk Mitigation
As noted above, while companies are required to update risk factors annually in Form 10-Ks, many opt to restate or repeat them quarterly in Form 10-Qs. There are a few key reasons why this approach makes sense.
Enhance a Company’s Internal Processes for Assessing and Managing Material Risks
Restating risk factors in each Form 10-Q can encourage more frequent and disciplined risk assessment across the organization. By treating risk factor disclosures as a quarterly exercise—not an annual one—companies can identify emerging threats or changing risk dynamics more promptly.
Companies that do not restate their risk factors may have a tendency to gloss over the quarterly risk assessment. They may also be reluctant to add new standalone risk factors in their Form 10-Qs, which they may feel could stick out like a sore thumb. They wouldn’t be wrong.
By restating risk factors in Form 10-Qs, companies have a good chance of avoiding these issues. The quarterly risk assessment can be more intentional, and new risk factors or modifications to existing risk factors can be incorporated into the existing content. However, the approach shouldn’t be to hide the ball when it comes to the updates. Rather, companies should denote in some way where the changes were made. No real magic here. It could be simply identifying which risk factors were updated in the lead-in to the risk factor section or noting that any changes are bolded or italicized. For additional insight on approach, see this blog from Goodwin Procter.
Mitigate Litigation Risk
Clear and timely disclosure of material risks can serve as a critical defense in securities litigation. By restating risk factors in each 10-Q—even when risks have not materially changed—companies can signal that they are actively engaged in risk disclosure and management. The exercise itself can help identify where changes need to be made.
An example of the wrong way to handle evolving risks can be seen in how Alphabet handled disclosures concerning cybersecurity in the past. This example goes back to Alphabet’s Form 10-K that it filed in February 2018. In that filing, the company identified potential consequences of third-party breaches of its cybersecurity measures.
Fast forward to April 2018, and the company’s CEO allegedly became aware of a data breach that had exposed user data for three years. Unfortunately for Alphabet, the 10-Q filings included language that many companies that don’t restate their risk factors include. That is: “There have been no material changes to our risk factors since our Annual Report on Form 10-K for the year ended...”
When the Wall Street Journal revealed the breach in October 2018, the stock dropped, prompting securities fraud actions against the company and its executives. Shareholder plaintiffs argued that a reasonable investor would have been misled by the company’s statement in its Form 10-Qs that there were no material changes to its risk factors. Also, the company failed to disclose the data breach on related earnings calls. Plaintiffs argued that these actions suggested there were no cybersecurity issues.
It took a few years, but the lawsuit ultimately paid off for the plaintiffs’ firms to the tune of a $350 million settlement.
Provide Investors with More Transparent Risk Factor Disclosure
One of the arguments against restating risk factors in a Form 10-Q is that it makes the document unnecessarily long. I get it, but investors rely on risk factor disclosures to evaluate the true risk profile of a company. By repeating and refining risk factors in every Form 10-Q, companies enhance investor access to consistent and current risk information. This can be especially valuable during periods of economic volatility or when company-specific risks are evolving quickly. Tariffs, anyone?
Rather than assuming investors will revisit a prior 10-K or piece together risks from past filings, restating risk factor disclosure in Form 10-Qs consolidates risk information in one place each quarter. This type of transparent and frequent disclosure can help foster trust in management’s ability to identify and communicate risk.
Besides, if there is a concern that adding more length to a Form 10-Q or more process to the filing generally isn’t desirable, re-read the section above for 350 million reasons why you may want to evaluate and restate risk factors quarterly.
Target Becomes a Target: A Case of Missing Risk Disclosures?
Target has long been recognized for its diversity, equity, and inclusion (DEI) initiatives, but the company has become a lightning rod for controversies relating to certain of those initiatives. While critics have been taking issue with several DEI initiatives, the one that is arguably the most relevant to risk factor disclosure is Target’s 2023 Pride Campaign and the customer backlash that followed.
In 2023, in the leadup to Pride Month in June, Target launched a Pride Month collection in its stores. This wasn’t anything new. It had done similar things in the past. The difference this time was related to some swimwear that was described as “tuck friendly.” Misinformation spread on social media that the swimwear was being marketed to children. It wasn’t, but the damage was done. Republican leaders and conservative media outlets made Target a topic of discussion, boycotts followed, and Target’s stock dropped $10 billion in market value in just 10 days. About $25 billion in shareholder value was erased over the course of the next six months.
As you might have guessed, securities class action lawsuits followed, one in August 2023 and another in February 2025. The general argument in the lawsuits is that Target failed to disclose known risks of customer backlash to its DEI initiatives and environmental, social, and governance (ESG) mandates. While the Form 10-K that Target filed in early 2023 included risk factor disclosure that identified ESG and DEI commitments as potentially adversely affecting the company, the lawsuits allege that Target framed these risks only in the context of negative responses from “stakeholders” to Target’s failure to achieve the ESG and DEI mandates that it adopted. That is, there wasn’t a reference to risks arising from these mandates in the first place.
One of the complaints pointed to the following risk factor disclosure from State Street Corp.’s 2022 Form 10-K as an example of the discussion Target should have included in its risk disclosures:
“Views on ESG practices . . . have also become political issues [emphasis added], which can amplify the reputational risks associated with such allegations. . . . are, therefore, subject to related risks of non-compliance with relevant legal requirements, including fines, penalties, lawsuits, regulatory sanctions, difficulties in obtaining governmental approvals, limitations on our business activities or reputational harm, any of which may be significant. . . . Moreover, aside from any governmental enforcement or litigation activity, public criticism levelled at ESG investing practices could result in reduced investor demand for ESG-related products, which could in turn negatively effect [sic] our assets under management and resulting fee revenues.”
Target has historically not restated risk factor disclosures in its Form 10-Qs. After the fallout from the 2023 Pride Month campaign, it didn’t update its existing ESG- and DEI-related risk factor disclosures in its Form 10-Qs. Instead, those Form 10-Qs said that there were no material changes to the risk factors described in their prior Form 10-K.
Fast forward to the present, and here is an excerpt from Target’s 2024 Form 10-K risk factors in which it finally updated the final risk factor (updates in italics):
“Our shareholders, guests, team members, vendors, and other third parties (including governmental entities and officials and non-governmental organizations) have evolving, varied, and sometimes conflicting expectations regarding many aspects of our business, including our operations, product and service offerings, and environmental, social, and governance matters. Some of these individuals and organizations have expectations that Target offer or not offer certain products and services or pursue or not pursue certain environmental, social, and governance initiatives, including with respect to diversity, equity, and inclusion. We have previously been unable to meet some of those conflicting expectations, which has led to negative publicity and adversely affected our reputation. For example, we experienced adverse reactions from some of our shareholders, guests, team members, and others related to our assortment of Pride Month products in 2023 and other positions we have taken with respect to social issues, including LGBTQIA+ matters, which have previously resulted in consumer boycotts and litigation. We may in the future take actions that do not meet the conflicting expectations of some or all of our shareholders, guests, team members, vendors, and other third parties (including governmental entities and officials and non-governmental organizations) regarding various aspects of our business, including our operations, product and service offerings, and environmental, social, and governance matters. As a result, we may experience adverse perceptions of our business, consumer boycotts, litigation, investigations, and regulatory proceedings [emphasis added]. Any of these outcomes could negatively impact our reputation, results of operations, and financial condition.”
Envision a world where Target was in the habit of restating its risk factor disclosures in its Form 10-Qs. Target may have been more likely to enhance and/or build out its risk factor disclosures to account for the fallout from the 2023 Pride Month campaign and similar ones related to its ESG and DEI efforts.
Yes, it’s easy to play Monday morning quarterback when it comes to disclosures, but I would be surprised if Target didn’t discuss how and whether to address the fallout from the 2023 Pride Month campaign in the Form 10-Q that followed immediately thereafter. The risk factor section is an obvious place for this discussion.
Having been a member of disclosure teams at other companies that didn’t restate risk factor disclosures quarterly, I can confess there is a reluctance to add new language in this section of Form 10-Q. Updates would have been much easier to stomach if we were simply making updates to risk factor disclosures that we had been restating in our Form 10-Qs.
Takeaways for Boards and Executive Teams
For public companies, the quality and cadence of risk factor disclosures are increasingly under the microscope—not only by regulators but also by plaintiffs’ firms and institutional investors. Just ask SolarWinds, Alphabet, and Target. As disclosure expectations evolve, so too should the processes that support them. This means that only disclosing what you are required to disclose may not always be the best option to mitigate risk, especially when it comes to risk disclosures.
The following takeaways offer actionable guidance for boards and executive teams seeking to enhance their disclosure controls, particularly as they relate to risk factors. These steps can help to strengthen governance, reduce legal exposure, and improve transparency with stakeholders.
- Enhance Disclosure Controls: Ensure the company’s quarterly and annual disclosure controls and procedures include a specific focus on risk factors. Ideally, this should involve mapping internal risk assessments to disclosure timelines and elevating materiality reviews to include operational, financial, and legal perspectives. As a reminder, it’s always a good idea to periodically kick the tires on these controls not only to improve accuracy but also to help serve as a critical defense in the event of regulatory scrutiny or litigation.
- Consider Restating and Repeating Risk Factors on a Quarterly Basis: Rather than relying solely on the Form 10-K as the definitive place to find company risk disclosures, companies may want to consider restating and repeating their risk factors in each Form 10-Q. Even when there are no material changes, repeating these disclosures may help support transparency, reinforce internal accountability, and reduce the risk of inadvertent omissions.
- Monitor Emerging Risks: Boards and management teams should establish processes for surfacing emerging risks in real time. This includes monitoring geopolitical shifts, regulatory developments, and technological disruptions that could have a material impact on the company’s business. Proactive inclusion of emerging risks—even if their likelihood or impact is still uncertain—can demonstrate prudence and foresight in a company’s risk oversight framework.
Parting Thoughts
Risk factor disclosures may not be the flashiest part of a company’s public filings, but neglecting them can invite unwanted attention—from both regulators and plaintiffs’ attorneys. Whether it’s tariffs turning up the heat on global operations or AI reshaping entire industries overnight, emerging risks aren’t waiting for your next Form 10-K. Yes, refreshing your disclosures quarterly can feel a bit taxing, but it's a small price to pay for limiting litigation risk and reinforcing sound governance. As always, a little diligence today can save you from a deposition tomorrow.