CORRESP 1 filename1.htm Unassociated Document
 
October 11, 2012
 
Mr. Larry Spirgel
Assistant Director
Division of Corporation Finance
Securities and Exchange Commission
100 F Street, N.E.
Washington, DC 20549
 
 
Re: 
Comcast Corporation
Form 10-K for the fiscal year ended December 31, 2011
Filed February 23, 2012
Response dated August 2, 2012
File No. 1-32871
 
Dear Mr. Spirgel:
 
We are writing this letter to respond to the comment letter of the Staff of the Securities and Exchange Commission (the “Staff”) dated September 7, 2012, relating to the review of our Form 10-K for the fiscal year ended December 31, 2011 (the “Form 10-K”).  For your convenience, we have reproduced the Staff’s comments preceding our responses below.  Please let us know if you have any questions or if we can provide additional information or otherwise be of assistance in expediting the review process.
 
Form 10-K for the fiscal year ended December 31, 2011
 
Risk Factors, page 28
 
We rely on network and information systems and other technologies, as well as…, page 34
 
 
1.  
In your response to prior comment one, you indicate that you have not to date experienced any significant degradation or disruption to your network or information systems. Based on your response, it appears that you may have experienced one or more cybersecurity attacks or incidents that did not result in a significant degradation or disruption to your network or information systems. If true, beginning with your next Form 10-Q, please confirm that you will simply state this fact so that investors are able to evaluate the risks in the appropriate context.

Response

We appreciated the opportunity to speak with the Staff about our cybersecurity disclosure.  As we discussed on the call, Item 1A of Form 10-Q only requires “material changes from risk factors as previously disclosed” in the Form 10-K.  We respectfully submit that:
 
 
·  
there have been no changes in our experience with cybersecurity attacks to date that warrant any changes in our existing risk factor;
 
 
·  
including a changed risk factor in our Form 10-Q would mislead investors into thinking that we had recently experienced a material breach to our network or information systems;
 
 
·  
our existing risk factor is responsive to the guidance set forth in the Division of Corporation Finance’s Disclosure Guidance Topic No. 2 at http://www.sec.gov/divisions/corpfin/guidance/-cfguidance-topic2.htm (the “Cybersecurity Disclosure Guidance”); and
 
 
 

 
Securities and Exchange Commission
October 11, 2012
 
 
 
·  
investors understand that all major companies, in fact all computer users, must contend daily with various forms of cybersecurity attacks and that a plain English reading of our existing risk factor clearly conveys that we have and will continue to experience attempted cybersecurity attacks.
 
We offer a variety of cable services over our cable distribution system to residential and business customers. As of June 30, 2012, our cable systems served 22.1 million video customers, 18.7 million high-speed Internet customers and 9.7 million voice customers and passed more than 52 million homes and businesses in 39 states and the District of Columbia.  Like all other major companies, we are frequently a target of attempted cybersecurity attacks.  Unlike recent high profile and successful attacks against companies like Amazon’s Zappos.com unit, Lockheed Martin, Northrop-Grumman, Sony, Google, Visa and Mastercard, however, to date we have been fortunate enough to have avoided any significant breaches to our network or data systems.
 
Accordingly, we do not believe that any change to our existing risk factor is warranted, particularly in a quarterly report on Form 10-Q.  In response to the Staff’s comment, however, we will state in the Risk Factors contained in our annual report on Form 10-K for the fiscal year ending December 31, 2012 that we regularly experience cybersecurity attacks that have not, to date, resulted in any significant degradation or disruption to our network or information systems.  In addition, as we have in the past, for example with respect to the impact of severe weather events, we would disclose in Management’s Discussion and Analysis of Financial Condition and Results of Operations and elsewhere as appropriate the occurrence of any events that have a material effect on our results of operations.
 
From our call, we understand the Staff may be concerned that an investor would fail to appreciate that we deal with cybersecurity attacks as a normal part of our business.  We respectfully disagree. The risks and issues related to cybersecurity attacks, and their particularly pervasiveness, are well described in the Commission’s Cybersecurity Disclosure Guidance.  Cybersecurity risks are so pervasive in fact that Senator John D. Rockefeller IV, as Chairman of the U.S. Senate Committee on Commerce, Science and Transportation has reportedly sent letters to each of the Fortune 500 companies asking what they have done to implement cybersecurity protections.
 
Given that we have not to date had any material instances of successful cyberattacks, we believe our existing disclosure is fully compliant with the Commission’s Cybersecurity Disclosure Guidance.  In particular, the guidance states (emphasis added):
 
“Depending on the registrant’s particular facts and circumstances, and to the extent material, appropriate disclosures may include:
 
 
·  
Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
 
 
·  
To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
 
 
·  
Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
 
 
·  
Risks related to cyber incidents that may remain undetected for an extended period; and
 
 
·  
Description of relevant insurance coverage.
 
A registrant may need to disclose known or threatened cyber incidents to place the discussion of cybersecurity risks in context.  For example, if a registrant experienced a material cyber-attack in which malware was embedded in its systems and customer data was compromised, it likely would
 
 
2

 
Securities and Exchange Commission
October 11, 2012
 
 
not be sufficient for the registrant to disclose that there is a risk that such an attack may occur. Instead, as part of a broader discussion of malware or other similar attacks that pose a particular risk, the registrant may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences.”
 
Implicit in the Commission’s Cybersecurity Disclosure Guidance is that companies face cyberattacks as part of the ordinary course of their business and the guidance is explicit in its focus on registrants disclosing the increasing risks of attack as the dependence on digital technologies increases:
 
“For a number of years, registrants have migrated toward increasing dependence on digital technologies to conduct their operations.  As this dependence has increased, the risks to registrants associated with cybersecurity have also increased, resulting in more frequent and severe cyber incidents.”
 
We respectfully submit that our current risk factor disclosure is responsive to the Cybersecurity Disclosure Guidance and that revising our risk factor as the Staff requests in a Form 10-Q would not result in a material change to our existing risk factor.  First, we describe the areas of our business for which our network and information systems are critical to our business.  Second, we describe the type and nature of potential attacks, as well as other events, that could affect our systems.  Third, we describe the effects on our business that successful attacks could have.  Forth, we note that the risks of breaches occurring has intensified.  And, last, we caution that while we develop and maintain our systems to prevent problems from occurring, we cannot provide assurances that we will be successful.  Throughout the language of the risk factor, it is clear that we are currently subject to cyberattacks.
 
Item 8: Financial Statements and Supplementary Data
 
Consolidated Statement of Income, page 78

 
2.  
We note your response to prior comment three. As discussed with you in our telephone call on September 5, 2012, we continue to believe that your current presentation is not in compliance with Rule 5-03 of Regulation S-X. Please revise your presentation accordingly.

Response

We appreciated the opportunity to obtain the Staff’s insights on our Consolidated Statement of Income presentation.  On our telephone call, the Staff asked us to consider including on the face of the income statement the expense captions that we currently have in our Supplemental Financial Information Note to our consolidated financial statements. After careful consideration, we believe that the following presentation is consistent with our discussion:

Consolidated Statement of Income (excerpt):
   
Twelve Months Ended
December 31
 
(in millions)
 
2012
   
2011
   
2010
 
Programming and production
  $ xxx       xxx     $ xxx  
Other operating and administrative
 
xxx
   
xxx
   
xxx
 
Advertising, marketing and promotion
 
xxx
   
xxx
   
xxx
 
Depreciation
 
xxx
   
xxx
   
xxx
 
Amortization
 
xxx
   
xxx
   
xxx
 
Operating costs and expenses
  $ xxx     $ xxx     $ xxx  

 
3

 
Securities and Exchange Commission
October 11, 2012
 
 
We believe that the above presentation complies with Rule 5-03, as it provides the reader of the financial statements an understanding of our material operating and selling related expenses.  More specifically, we considered the following factors in coming to this conclusion:

 
·  
“Programming and production” is our most significant operating expense.

 
·  
“Other operating and administrative” would be composed primarily of operating expenses and, as such, we do not believe it is necessary to further separate into additional line items.  This line item would include amounts related to Cable Communications Technical Labor and Cable Communications Customer Service, which were separately presented in our Supplemental Financial Information Note.  We believe that presenting separate line items for Cable Communications Technical Labor and Cable Communications Customer Service, which are specific to only one segment, would not be meaningful to a reader of our consolidated income statement.  In addition, no single expense category included in this line item is greater than 10% of total operating costs and expenses.  If at any time, such an expense category were to represent greater than 10%, we undertake to separately disclose such category as a separate line item on the face of the income statement.

 
·  
“Advertising, marketing and promotion” captures our primary selling related expenses.

 
·  
These three captions are already consistent with those currently presented in the NBCUniversal Supplemental Financial Information Note.   However, NBCUniversal’s current caption “Other” would be replaced with “Other operating and administrative” to be consistent with the above.

We will revise our disclosure beginning with our Form 10-K for the fiscal year ending December 31, 2012.

*           *           *
 
Please do not hesitate to call me at (215) 286-8514 with any questions you may have with respect to the foregoing.
 
 
Sincerely,
 
/s/ Lawrence J. Salva
 
Lawrence J. Salva
Senior Vice President, Chief Accounting Officer and Controller
Comcast Corporation
 



cc:
Brian L. Roberts, Chairman of the Board and Chief Executive Officer
Michael J. Angelakis, Chief Financial Officer
Arthur R. Block, Senior Vice President, General Counsel and Secretary
J. Michael Cook, Director and Chairman of Audit Committee
Bruce K. Dallas, Davis Polk & Wardwell LLP
Michael Titta, Deloitte &Touche LLP
 
 
4