
[CorVel Corporation Letterhead]

 

March 18, 2020

Via EDGAR

 

 

Securities and Exchange Commission

100 F Street, N.E.

Washington, D.C. 20549

Attn:  Ms. Bonnie Baynes and Mr. Mark Brunhofer

 

 

 

Re: CorVel Corporation
Form 10-K for the Fiscal Year Ended March 31, 2019
Filed June 7, 2019
Form 10-Q for the Quarterly Period Ended December 31, 2019
Filed February 7, 2020
File No. 000-19291

Ladies and Gentlemen:

We are in receipt of the comments of the Staff of the Securities and Exchange Commission (the “Staff”) set forth in your letter dated February 20, 2020 (the “SEC Comment Letter”) regarding the above-referenced Form 10-K for the Fiscal Year Ended March 31, 2019 (“Form 10-K”) and Form 10-Q for the Quarterly Period Ended December 31, 2019 (“Form 10-Q”) of CorVel Corporation, a Delaware corporation (the “Company”).  The responses set forth below contain each of the Staff’s comments in total highlighted in bold type and correspond to the numbered comments contained in the SEC Comment Letter.  Capitalized terms not otherwise defined herein have the meaning given to them in the Form 10-K and Form 10-Q, as applicable.

Form 10-K for the Fiscal Year Ended March 31, 2019

Notes to Consolidated Financial Statements

Note 2: Revenue Recognition

Staff Comment

Contract Balances, page 54

1. In the second table in this section you disclose that you recognized $16,372,000 of revenue in fiscal 2019 from the beginning of the period. Please address the following:

• Tell us how you could recognize $16,372,000 of revenue from the beginning of the period when your deferred revenue at that time was only $15,316,000.

• Tell us how your disclosure complies with the guidance in ASC 606-10-50-8b.

• Tell us whether the difference in the first bullet above relates to a cumulative catchup adjustment or to a change in transaction price and, if so, your consideration for disclosing this information under ASC 606-10-50-10b or 50-12A, respectively.

Company Response

We re-evaluated the calculations included in the disclosure referred to in your comment and agree with the inconsistency noted.  Based on our re-evaluation, some items were misclassified between the “recognized revenue associated from beginning of period” vs. “recognized revenue from additions” categories.  The correction has no change to the beginning balance, additions, and ending balance.  The second table in Note 2: Revenue Recognition should reflect the following information:  

 

 

| | March 31, 2019 |
|---|---|
| Beginning balance at April 1, 2018 (Note 5) | $ 15,316,000 |
| Additions | 28,938,000 |
| Revenue recognized from beginning of period | (15,180,000) |
| Revenue recognized from additions | (12,174,000) |
| Ending balance at March 31, 2019 (Note 5) | $ 16,900,000 |

 

Our disclosure complies with the guidance in ASC 606-10-50-8b as revenue recognized in the reporting period that was included in the contract liability balance at the beginning of the period was disclosed. As explained above, this is neither a cumulative catchup adjustment nor a change in transaction price.  

 

Management assessed the qualitative and quantitative impact of this error and determined that it did not materially misstate the Company’s consolidated financial statements taken as a whole.  Management also assessed the impact of this error on the Company’s disclosure controls and procedures, including its internal control over financial reporting, and management determined that it did not significantly impact its previous assessments.  

 

 

Staff Comment

Remaining Performance Obligations, page 54

2. You disclose that your remaining performance obligations of $34.7 million at March 31, 2019 consist of your deferred revenues as well as certain unbilled receivables that are considered contract assets. As by definition, contract assets represent the right to consideration in exchange for goods or services already transferred to a customer, please tell us how your "certain unbilled receivables" can relate to remaining incomplete performance obligations at any given time. In your response describe for us which unbilled receivables are included in your remaining performance obligations.

Company Response

We revisited the ASC 606 definition of “contract assets” and agree with the Staff’s comment that contract assets do not represent remaining performance obligations. We have also revisited the disclosure requirements of ASC 606-10-50-13 and 14 and agree with the Staff’s comment that contract assets should not be disclosed pursuant to this guidance. Thus, we will prospectively remove disclosure of contract assets from the second table in Note 2: Revenue Recognition.

 

Management assessed the qualitative and quantitative impact of this correction and determined that it did not materially misstate the Company’s consolidated financial statements taken as a whole.  Management also assessed the impact of this correction on the Company’s disclosure controls and procedures, including its internal control over financial reporting, and management determined that it did not significantly impact its previous assessments.  

 

 

 

Form 10-Q for the Quarterly Period Ended December 31, 2019

Item 1A - Risk Factors

Staff Comment

"A cybersecurity attack or other disruption to our information technology systems...", page 27

3. We note that you have greatly expanded this risk factor from that provided on page 17 of your 2019 Form 10-K and that you specifically removed the statement that cybersecurity breaches through the date of your Form 10-K filing did not have a material impact on your business while acknowledging that you have experienced and are continually at risk of cybersecurity attacks and incidents. We also note that you “have invested in and continue to expend significant resources on information technology and data security tools, measures, processes, initiatives, policies and employee training designed to protect our information technology systems, as well as the personal, confidential or sensitive information stored on or transmitted through those systems, and to ensure an effective response to any cyber-attack or data security incident” and “there can be no assurance that the security measures we employ will effectively prevent cybersecurity breaches or otherwise prevent unauthorized persons from obtaining access to our systems and information.” In light of the security incident in July 2019 that appears to have resulted in continuing impacts to both your revenue and costs at least through December 31, 2019, it appears that cybersecurity risk may be material to your business. Please provide us the following:

 

• Tell us the nature of your July 2019 security incident. In your response, tell us:

    o The systems breached;

    o How they were breached;

    o The actions you took to cure the breach;

    o The impact on revenue related to the breach in each of your second and third quarters of fiscal 2020;

    o The costs incurred during each of your second and third quarters of fiscal 2020 to cure the breach; and

    o The actions and costs incurred to prevent similar breaches in the future.

• Tell us your consideration for disclosing the information requested above in your filings. In your response tell us why you addressed the security breach in your prepared remarks of your earnings conference calls for each of your quarterly earnings conference calls for fiscal 2020 but do not provide any specific disclosures in the related Forms 10-Q. If you believe the impact of this incident is not material, tell us why you removed the related statement from your risk factor disclosure.

• On page 19 you attribute your increase in general and administrative expenses primarily to an increase in legal costs. Tell us the nature of these legal costs and whether they relate to this security breach. In any regard, represent to us that you will disclose the underlying cause for the increase in legal costs in your upcoming Form 10-K.

• Tell us how you considered the potential impact of operational risks on your controls testing and your evaluation of disclosure controls and procedures.

Refer to Corporation Finance Disclosure Guidance Topic No. 2.

Company Response

The Company acknowledges the Staff’s comment and advises the Staff that the Company does not believe that the July 2019 security incident was material or that it had a material impact on the Company’s business.  The Company is familiar with and considered Corporation Finance Disclosure Guidance Topic No. 2 (October 2011), and respectfully notes that, with respect to disclosure of past security incidents in risk factors, the mandate of that guidance is to describe past incidents solely that are material: “Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material . . .” (emphasis added).  Likewise, in the Staff’s updated guidance in Commission Statement and Guidance on Public Company Cybersecurity Disclosures Release No. 33-10459 (February 2018) suggesting that registrants should contextualize the risk factor discussion by disclosing previous security incidents, the disclosure example used by the Staff is “if a company previously experienced a material cybersecurity incident” (emphasis added).  The Company respectfully submits that the information requested by the Staff about the nature of the July 2019 security incident goes against the grain of the Commission’s guidance in Release No. 33-10459 that a registrant is not expected to “make detailed disclosures that could compromise its cybersecurity efforts.” If the Staff still believes that this information is necessary despite its guidance, however, the Company would be willing to furnish it upon the Staff’s request that it be provided as supplemental information.

Promptly after discovering the security incident in July 2019, the Company informed the public of the fact of the incident in its July 30, 2019 earnings press release for the June 2019 quarter.  At the time of the earnings press release and related earnings conference call, the Company was still internally investigating and evaluating the impact of the security incident and could not at such an early stage reasonably assess whether that impact would or would not be material.  Out of an abundance of caution, however, the Company felt it appropriate to mention the fact of the incident in the press release and conference call.  The Company based this decision, in part, on the Staff’s guidance in Release No. 33-10459 which states that “Understanding that some material facts may be not available at the time of the initial disclosure, we recognize that a company may require time to discern the implications of a cybersecurity incident . . . However, an ongoing internal . . . investigation – which often can be lengthy – would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.”  Not knowing whether its internal investigation would uncover a material impact, the Company opted to make the disclosures it made in the press release and earnings conference call despite not knowing whether the impact ultimately would or would not be material.

Prior to the start of the December 2019 quarter, the Company completed its internal investigation and evaluation of the security incident and concluded that it was immaterial.  Therefore, based on this conclusion, there was no obligation to disclose the details of that security incident in filings for the September 2019 quarter and beyond.

In re-evaluating and updating the Company’s cybersecurity risk factor in its Form 10-Q, the Company removed the language that had been in its 2019 Form 10-K stating that security incidents “to date have not had a material impact on our business” because in the Company’s view such a statement (even though objectively factual) is mitigating language that reduces the magnitude of the risk factor, and it frequently has been the Staff’s position that registrants should generally avoid positive or risk-mitigating language in risk factor discussions (see, e.g., Staff Observations in the Review of Smaller Reporting Company IPOs). The Company respectfully submits to the Staff that a statement that past security incidents have not had a material impact is the opposite of cautionary, lessens the impact of the identified risk and might give investors a misimpression that history is an indication of how any future security incidents would impact our business.

The Company advises the Staff that the increase in legal costs disclosed in the Form 10-Q was primarily due to resolving customer contract issues and to a much lesser extent the July 2019 security incident.  The Company will disclose these underlying causes for the increase in legal costs in its upcoming Form 10-K.

The Company further advises the Staff that there was no impact from the July 2019 security incident on the Company’s controls testing or the Company’s evaluation of disclosure controls and procedures, and in fact the controls worked exactly as they were supposed to in connection with timely processing, assessing and reporting information about the security incident.

*  *  *

Please contact Sharon O’Connor at the Company at (949) 851-1473 if you have any questions with respect to this letter.

Thank you very much for your assistance in this matter.

Very truly yours,

CORVEL CORPORATION

Brandon T. O’Brien

 

cc: Sharon O’Connor