TheCorporateCounsel.net

April 19, 2024

PCAOB Proposes Disclosure and Reporting Changes

Earlier this month, the PCAOB announced that it had issued for public comment a proposal regarding public reporting of standardized firm and engagement metrics and a separate proposal regarding the PCAOB framework for collecting information from audit firms.

The firm and engagement metrics proposal would, if adopted, require PCAOB-registered public accounting firms that audit one or more issuers that qualify as an accelerated filer or large accelerated filer to publicly report specified metrics relating to such audits and their audit practice. The PCAOB describes the rationale for the firm and engagement metrics proposal as follows:

Reliable, consistent information can improve investors’ ability to make informed decisions about investing their capital, ratifying the selection of auditors, and voting for members of the board of directors (including audit committee members). At the same time, it can improve audit committees’ ability to choose among and monitor the performance of auditors.

While some firms publicly disclose certain firm-level metrics today, the PCAOB’s staff has observed that the number of firms doing so is small.

Furthermore, the disclosures are inconsistent across firms — there are no common definitions or calculations allowing for consistent comparisons — and most of the disclosures are voluntary, so firms are free to revise or discontinue such reporting anytime. At the same time, there is a lack of incentive for firms, acting on their own or collectively, to provide accurate, standardized, and decision-relevant information about their firms and the engagements they perform.

The firm reporting proposal would, if adopted, amend the PCAOB’s annual and special reporting requirements “to facilitate the disclosure of more complete, standardized, and timely information by registered public accounting firms.” Consistent with current practice, much of the information would be disclosed publicly, while some would be available to the PCAOB only for oversight purposes. The PCAOB describes the rationale for the firm reporting proposal as follows:

The basic framework for the PCAOB’s annual and special reporting requirements has not been substantively reevaluated since its adoption in 2008. The Board has considered the experience of PCAOB staff, investors, and others with the current reporting framework. Informed by these considerations, the proposal seeks to update and improve the reporting requirements to facilitate more public disclosure that would be informative and useful to investors, audit committees, and other stakeholders.

Enhanced reporting requirements also have the potential to facilitate the PCAOB’s oversight functions and its ability to protect investors.

The deadline for public comment on both proposals is June 7, 2024.

– Dave Lynn

April 19, 2024

Are the AI Robots Coming for Your Accountants? The CAQ Weighs In

I do not think that I am guilty of “AI washing” by stating that the generative AI revolution is most certainly going to change the landscape for the service providers who work with public companies, including lawyers and accountants.

The CAQ recently issued a report titled “Auditing in the Age of Generative AI”, which “explores some fundamental principles of genAI, new risks arising from its use in processes relevant to financial reporting (financial reporting processes) or internal control over financial reporting (ICFR), and related audit implications.” The report provides:

– An overview of generative AI technology;
– A description of the current regulatory environment;
– Audit considerations for companies deploying generative AI; and
– Example use cases

The CAQ report concludes:

The use of genAI in financial reporting processes or ICFR by companies introduces new risk considerations for auditors. It is important for auditors to be mindful of the risks and challenges that can arise from a company using genAI. Auditors are well-suited to apply and build on their expertise in identifying and assessing risks, exercising professional skepticism, and developing appropriate audit responses.

While generative AI offers significant benefits for the disclosure and financial reporting process, there is no doubt that lawyers and auditors will need to adapt their approach to address the unique risks and considerations presented by the use of generative AI.

– Dave Lynn

April 19, 2024

They Never Learn: PCAOB Announces Test Cheating Actions

As noted in this recent statement from PCAOB Chair Erica Williams, the PCAOB brought action against two accounting firms involving allegations of exam cheating. Since 2021, the PCAOB has sanctioned nine registered firms for exam cheating. Chair Williams stated:

I want to be very clear: The PCAOB will not tolerate exam cheating nor any other unethical behavior, period.

Impaired ethics erode trust and threaten the investor confidence our system relies on. The PCAOB will take action to hold firms accountable when they fail to enforce a culture of honesty and integrity.

This Board set a goal to strengthen PCAOB enforcement, and we are doing just that. As of today, the PCAOB has imposed $34 million in penalties this year alone, and it’s only April.

We set a record in 2022. We broke that record in 2023. And we are breaking it again today.

Let today’s news be a clear warning to those who break the rules – if you put investors at risk, there will be consequences.

These actions involved widespread answer sharing for internal training tests.

– Dave Lynn

April 18, 2024

SEC Enforcement Director Speaks on AI Washing

Last month, I blogged about the SEC’s recent focus on “AI Washing,” or the practice of making potentially false and misleading statements about artificial intelligence as the frenzy continues regarding the impact of the evolving technology. SEC Enforcement Director Gurbir Grewal has now weighed in on how companies can use “proactive compliance” to avoid AI washing problems, in a speech at the Program on Corporate Compliance and Enforcement Spring Conference 2024.

Building on the concepts from a speech last year that articulated his concept of “proactive compliance,” Director Grewal noted that the practice requires three things: education, engagement, and execution. He explained:

First, educate yourselves about emerging and heightened AI risk areas as they relate to your businesses. That means reading the AI-related enforcement actions I mentioned. It means reviewing any future enforcement actions that may follow in this space.

It also means reviewing speeches like Chair Gensler’s recent speech on AI, which highlighted multiple other ways in which a firm’s AI use may heighten risk or implicate the federal securities laws. He specifically discussed the conflicts of interests raised by AI for advisers, the problems presented by AI hallucinations, and the threat that AI could pose to the stability of our markets.

And it means staying abreast of how potential AI-related issues are actually impacting companies in the real world. Take for example, the recent reporting around an airline’s chatbot offering a customer incorrect information about its refund policy.

Second, take what you’ve learned from our orders and public pronouncements, and your own research, and engage with personnel inside your company’s different business units to learn how AI intersects with their activities, strategies, risks, financial incentives, and so on.

Ask: what public statements are we making about our incorporation of AI into our business operations? Are they accurate, or are they aspirational? Does AI present a material risk to our business operations in some way?

Now, is the time to engage.

And third, execute. Does your use of AI require updating policies and procedures and internal controls? If so, are those policies and procedures bespoke to your company? And here, let me be clear: it’s not enough to go to ChatGPT or a similar tool and ask it to produce an AI policy for you.

And then, have you taken the steps necessary to implement those policies and procedures? As we have seen time and again, adoption is only part of the battle; effective execution is equally important and that’s where many firms fall short.

With respect to potential personal liability in connection with AI greenwashing, Director Grewal noted:

Here, I would look to our approach to cybersecurity disclosure failures generally: we look at what a person actually knew or should have known; what the person actually did or did not do; and how that measures up to the standards of our statutes, rules, and regulations. And as I’ve said before in the context of CCO and CISO liability, and I will say it again in the context of AI-related risk disclosures: folks who operate in good faith and take reasonable steps are unlikely to hear from us.

Director Grewal’s speech provides some practical guidance that companies can follow in drafting their AI disclosures, which will no doubt continue to evolve as the technology develops and companies pursue a variety of ways in which to deploy the technology.

– Dave Lynn

April 18, 2024

Chamber of Commerce Seeks to Intervene in Climate Disclosure Rules Litigation

Zach Barlow recently noted in the PracticalESG.com blog that the U.S. Chamber of Commerce has moved to intervene in The Sierra Club’s challenge to the SEC’s climate disclosure rules. Zach notes:

If the intervention is allowed by the court, this would mean that the Chamber of Commerce is both challenging the rule and defending it in the consolidated litigation. Cooley explains the confusion stating:

“The Chamber of Commerce has moved for leave to intervene in the cases brought by the Sierra Club and the NRDC ‘to defend those portions of the final rule that refrained from imposing the additional disclosure requirements the environmental groups would have this Court require the SEC to impose.’ The Sierra Club, the motion contends, ‘intends to argue that the SEC should have required public companies to disclose not only their own greenhouse-gas emissions, but also the emissions from the ‘use of [their] products’ and across their ‘supply chains’’; that is, that the SEC failed to impose a requirement to disclose Scope 3 GHG emissions.”

The Chamber of Commerce isn’t exactly pro-disclosure – they are just arguing against the Sierra Club’s position that the rule didn’t go far enough. The memo goes on to say that the Chamber of Commerce is attempting to intervene because they do not believe that the SEC adequately represents their interests in the litigation. The litigation is becoming increasingly complicated as large cases often do. Understanding where the battle lines are drawn and who is on whose side can be difficult in a case like this and just points to the size and complexity of the knot the 8th Circuit must untie. With moves like these abounding, it is unlikely that we’ll get any sort of resolution on the salient questions of the litigation anytime soon.

I think this development is just the beginning of how this messy litigation situation is going to play out, so grab your popcorn, it will no doubt be quite a show!

– Dave Lynn

April 18, 2024

I Left My Heart in San Francisco: Time to Register Now for Our Upcoming Conferences!

I was in San Francisco this week, and that got me thinking about our upcoming 2024 Proxy Disclosure & 21st Annual Executive Compensation Conferences, which are coming up on October 14-15. While October seems like a long time from now, it will be here before you know it and you will definitely want to be part of our big return to in-person conferences!

If you act now, you can take advantage of our early bird pricing. You can register now by one of two methods: by visiting our online store or by calling us at 800-737-1271.

– Dave Lynn

April 17, 2024

Cybersecurity: To 8-K or Not To 8-K, That is the Question

It has been four months since new Item 1.05 of Form 8-K went into effect, requiring current disclosure of material cybersecurity incidents. Item 1.05 of Form 8-K specifies that, if a company experiences a cybersecurity incident that is determined by the company to be material, the company must describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the issuer, including its financial condition and results of operations. An Item 1.05 Form 8-K must be filed within four business days of determining that an incident is material, subject to limited exceptions.

The experience with Item 1.05 of Form 8-K in its very short life has been somewhat confusing. As this very helpful Debevoise memo notes, a few clear takeaways have emerged in the first 100 days of current reporting of material cybersecurity incidents:

– On December 18, 2023, the SEC’s rule requiring disclosure of material cybersecurity incidents became effective. To date, 11 companies have reported a cybersecurity incident under the new Item 1.05 of Form 8-K and in this article we examine the early results of the SEC’s new disclosure requirement.

– A clear trend toward rapid disclosure has emerged, outpacing the analysis of financial impacts that the SEC believed most companies would include when determining materiality.

– Notwithstanding this trend toward speed, companies experiencing a cybersecurity incident would be well advised to exercise caution before disclosing in the early innings of incident response.

Now, granted, eleven Form 8-K filings is not a particularly robust sample size from which to draw conclusions, but the early compliance experience with a new disclosure requirement often sets the trends for future reporting, so the early filers certainly cannot be ignored. What has left a lot of observers scratching their heads is the nature of the cybersecurity incidents that have been reported, given that on their face the incidents do not strike anyone as the sort of material cybersecurity incident that we were all expecting to be reported. The Debevoise memo notes:

Of the 11 companies that have filed Forms 8-K to report a cybersecurity incident under Item 1.05, one identified a material operational disruption in its initial filing, and another identified a material impact on its results of operations in an amended filing made three weeks after the initial filing. The other nine companies did not expressly identify a material impact. They generally included an affirmative statement that the incident had not materially impacted operations, and they typically stated that they had not determined the incident was reasonably likely to materially impact the Company’s financial conditions or results of operations. The latter statement tracks Item 1.05’s line-item requirement to disclose whether the incident materially impacts the company’s financial condition and results of operations.

This trend has led to speculation that companies are voluntarily reporting immaterial cybersecurity incidents under Item 1.05 of Form 8-K or failing to adequately respond to Item 1.05’s requirements. Alternatively, these nine companies may believe that the combined characteristics of the incident—such as operational disruption, data loss or scope and length of intrusion—comprise the material impacts, in that these or other factors considered together render the cybersecurity incident material, even where no one impact is considered independently material. It is also possible that the SEC’s mandatory disclosure rule has caused a reassessment of when a cybersecurity incident could be considered material—especially incidents with possible qualitative material impact (e.g., reputational or legal) but no quantitative material impact—potentially lowering the bar for disclosure.

Another striking aspect of the early cybersecurity incident reporting experience is the speed with which companies have filed their Form 8-Ks. For this first batch of 11 filers, the average number of days between discovery and filing was 5.45 days, which I think everyone would agree is a very short time in which to identify, investigate and evaluate the materiality of a cybersecurity incident. In this regard, the Debevoise memo notes:

Item 1.05 requires an issuer to file a Form 8-K disclosing specified information about a cybersecurity incident within four business days of determining that the cybersecurity incident is material. This four-business-day deadline runs from the materiality determination, rather than the occurrence or detection of the incident, and the SEC has acknowledged that “[i]n the majority of cases, the registrant will likely be unable to determine materiality the same day the incident is discovered.” In practice, however, companies have disclosed incidents more quickly than the SEC may have anticipated. In the first 100 days, the average time from detection of a cybersecurity incident to the disclosure of the incident on a Form 8-K under Item 1.05 has been 5.45 business days. Eight companies (i.e., over 70% of the sample) have filed Forms 8-K under Item 1.05 within four business days of detecting the cybersecurity incident.

While all disclosure decisions will necessarily be driven by the facts and circumstances surrounding the incident, including regulatory or contractual notification requirements, companies should take care not to rush disclosure in the “fog of war.” In adopting Item 1.05, the SEC acknowledged that registrants will need to “develop information after discovery until it is sufficient to facilitate a materiality analysis.” The Rule, therefore, allows companies to undertake a reasonable investigation and an informed and deliberative materiality analysis, provided companies do not “unreasonabl[y] delay” the required determination. In most instances, we believe companies are well-advised to exercise caution before rushing to disclose early in the course of an incident investigation. Still, sometimes the incident will have public ramifications which may merit very quick disclosure.

My take on these early trends reflects the fact that I am a “traditionalist” on these kinds of disclosure matters, even when approaching a new Form 8-K disclosure item. I advise companies that they should only file an Item 1.05 Form 8-K when they have to, because the incident is material as contemplated by the rule. Disclosing a material cybersecurity incident is very likely to attract attention from the SEC and others who are looking at this new disclosure frontier as an opportunity for Enforcement and litigation actions, so discretion is the better part of valor in these situations. In terms of speed, I do think that, in most cybersecurity incidents, it takes time to investigate the incident and to make a materiality determination, so companies should take that time and avoid jumping the gun on an SEC disclosure decision.

– Dave Lynn

April 17, 2024

The Other Cybersecurity Disclosure: Where Do We Go from Here?

With Form 10-K season for December 31 year-end filers now wrapped up, we can now get a sense of how things went with the cybersecurity disclosure required in Item 106 of Regulation S-K. I don’t know about you, but preparing these disclosures proved to be a hard slog over the past few months, as is often the case when preparing new and unfamiliar disclosures from scratch. A DLA memo from earlier this year identified some early filer trends in the Form 10-K cybersecurity disclosure:

A recent study by DLA Piper Corporate Data Analytics of Item 1C disclosures filed by Russell 3000 companies as of January 31, 2024 found:

– 85 percent of registrants disclosed that the company has a Chief Information Security Officer (CISO) or other role responsible for information security.

– 62 percent of registrants disclosed a CISO or similar role focused solely on information security.

– 23 percent disclosed a Vice President, Chief Technology Officer, or other employee with responsibility over information security and other technology-related matters.

– 69 percent of registrants discussed conducting employee training regarding cybersecurity as well as conducting internal tests or simulations.

– While no registrants discussed a specific cyber incident in Item 1C disclosures, 69 percent discussed past breaches generally and 62 percent discussed past threats generally.

In addition to the registrants who have disclosed new Item 1C, some registrants with fiscal year ends prior to December 15, 2023 have been voluntarily including cybersecurity-related disclosures in their recently filed Form 10-Ks. Generally, such registrants have included information related to individuals who manage the registrant’s security program and who provide periodic reports to the board of directors, CEO, and other senior management.

For example, filers in the technology sector have disclosed that:

– IT teams regularly monitor and generate reports regarding cyber risks and threats, the status of projects to strengthen information security systems, assessments of information security programs, the emerging threat landscape, and related matters

– Such cybersecurity-related reports are provided to the Chief Information Security Officer

– Overall cyber programs are regularly evaluated by internal and external experts

– The company conducts engagement with key vendors, industry participants, and intelligence and law enforcement communities as part of continuing efforts to evaluate and enhance the effectiveness of its information security policies and procedures

– The company maintains internal procedures, such as establishing a confidentiality framework, adhering to document management regulations, and all-employee confidentiality agreement requirements

Generally, my observations have been that the Form 10-K cybersecurity disclosures were shorter than I expected and tended to include less detail than one might have expected about the overall cybersecurity risk management approach. As we digest this year’s disclosure in anticipation of next year’s disclosures, I think companies will be revisiting their disclosure approach to get in line with their peers and general disclosure practices. We may also get the benefit of the Staff’s observations on the new disclosure, either through the comment process or through further interpretive guidance.

We will continue to post law firm memos and other resources on this topic in our “Cybersecurity” Practice Area.

– Dave Lynn

April 17, 2024

March-April Issue of The Corporate Counsel

The latest issue of The Corporate Counsel has been sent to the printer. It is also available now online to members of TheCorporateCounsel.net who subscribe to the electronic format. The issue includes the following articles:

– SEC Adopts Climate Disclosure Rules – What Should You Do Now?
– The Presumptive Underwriter Doctrine Rears Its Ugly Head

Please email sales@ccrcorp.com to subscribe to this essential resource if you are not already receiving the important updates we provide in The Corporate Counsel newsletter.

– Dave Lynn

April 16, 2024

Countdown to T+1: SIFMA Resources

I am sure that, at this point, your level of anticipation is off the charts for the rollout of the new T+1 settlement timeframe, which will be implemented over the Memorial Day holiday weekend across securities markets. As of this morning, we are just 40 days away from the transition to T+1, and certainly nothing focuses the mind like an impending deadline. As questions inevitably arise regarding the transition to T+1, the Securities Industry and Financial Markets Association (SIFMA) has provided comprehensive resources for market participants.

In addition to a handy countdown clock for the U.S. and Canadian transition to T+1, SIFMA has posted the T+1 Securities Settlement Industry Implementation Playbook, which “outlines a detailed approach to identifying the impacts, implementation activities, implementation timelines, dependencies, and risk impacts, that market participants should consider in order to prepare for the impending transition to a shortened settlement cycle.” On April 8, 2024, SIFMA, ICI, DTCC and Deloitte hosted a virtual briefing to discuss what financial services organizations are focusing on between now and the upcoming deadlines, a replay of which is available on SIFMA’s website. I encourage you to check out the resources that SIFMA has made available and carefully consider the implications of the T+1 transition in anticipation of the end-of-May rollout.

We have also been posting resources in our “Transfer Agents/Settlement” Practice Area on TheCorporateCounsel.net.

– Dave Lynn