TheCorporateCounsel.net

April 18, 2024

I Left My Heart in San Francisco: Time to Register Now for Our Upcoming Conferences!

I was in San Francisco this week, and that got me thinking about our upcoming 2024 Proxy Disclosure & 21st Annual Executive Compensation Conferences, which are coming up on October 14-15. While October seems like a long time from now, it will be here before you know it and you will definitely want to be part of our big return to in-person conferences!

If you act now, you can take advantage of our early bird pricing. You can register now by one of two methods: by visiting our online store or by calling us at 800-737-1271.

– Dave Lynn

April 17, 2024

Cybersecurity: To 8-K or Not To 8-K, That is the Question

It has been four months since new Item 1.05 of Form 8-K went into effect, requiring current disclosure of material cybersecurity incidents. Item 1.05 of Form 8-K specifies that, if a company experiences a cybersecurity incident that is determined by the company to be material, the company must describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the issuer, including its financial condition and results of operations. An Item 1.05 Form 8-K must be filed within four business days of determining that an incident is material, subject to limited exceptions.

The experience with Item 1.05 of Form 8-K in its very short life has been somewhat confusing. As this very helpful Debevoise memo notes, a few clear takeaways have emerged in the first 100 days of current reporting of material cybersecurity incidents:

– On December 18, 2023, the SEC’s rule requiring disclosure of material cybersecurity incidents became effective. To date, 11 companies have reported a cybersecurity incident under the new Item 1.05 of Form 8-K and in this article we examine the early results of the SEC’s new disclosure requirement.

– A clear trend toward rapid disclosure has emerged, outpacing the analysis of financial impacts that the SEC believed most companies would include when determining materiality.

– Notwithstanding this trend toward speed, companies experiencing a cybersecurity incident would be well advised to exercise caution before disclosing in the early innings of incident response.

Now, granted, eleven Form 8-K filings is not a particularly robust sample size from which to draw conclusions, but the early compliance experience with a new disclosure requirement often sets the trends for future reporting, so the early filers certainly cannot be ignored. What has left a lot of observers scratching their heads is the nature of the cybersecurity incidents that have been reported, given that on their face the incidents do not strike anyone as the sort of material cybersecurity incident that we were all expecting to be reported. The Debevoise memo notes:

Of the 11 companies that have filed Forms 8-K to report a cybersecurity incident under Item 1.05, one identified a material operational disruption in its initial filing, and another identified a material impact on its results of operations in an amended filing made three weeks after the initial filing. The other nine companies did not expressly identify a material impact. They generally included an affirmative statement that the incident had not materially impacted operations, and they typically stated that they had not determined the incident was reasonably likely to materially impact the Company’s financial conditions or results of operations. The latter statement tracks Item 1.05’s line-item requirement to disclose whether the incident materially impacts the company’s financial condition and results of operations.

This trend has led to speculation that companies are voluntarily reporting immaterial cybersecurity incidents under Item 1.05 of Form 8-K or failing to adequately respond to Item 1.05’s requirements. Alternatively, these nine companies may believe that the combined characteristics of the incident—such as operational disruption, data loss or scope and length of intrusion—comprise the material impacts, in that these or other factors considered together render the cybersecurity incident material, even where no one impact is considered independently material. It is also possible that the SEC’s mandatory disclosure rule has caused a reassessment of when a cybersecurity incident could be considered material—especially incidents with possible qualitative material impact (e.g., reputational or legal) but no quantitative material impact—potentially lowering the bar for disclosure.

Another striking aspect of the early cybersecurity incident reporting experience is the speed with which companies have filed their Form 8-Ks. For this first batch of 11 filers, the average number of days between discovery and filing was 5.45 days, which I think everyone would agree is a very short time in which to identify, investigate and evaluate the materiality of a cybersecurity incident. In this regard, the Debevoise memo notes:

Item 1.05 requires an issuer to file a Form 8-K disclosing specified information about a cybersecurity incident within four business days of determining that the cybersecurity incident is material. This four-business-day deadline runs from the materiality determination, rather than the occurrence or detection of the incident, and the SEC has acknowledged that “[i]n the majority of cases, the registrant will likely be unable to determine materiality the same day the incident is discovered.” In practice, however, companies have disclosed incidents more quickly than the SEC may have anticipated. In the first 100 days, the average time from detection of a cybersecurity incident to the disclosure of the incident on a Form 8-K under Item 1.05 has been 5.45 business days. Eight companies (i.e., over 70% of the sample) have filed Forms 8-K under Item 1.05 within four business days of detecting the cybersecurity incident.

While all disclosure decisions will necessarily be driven by the facts and circumstances surrounding the incident, including regulatory or contractual notification requirements, companies should take care not to rush disclosure in the “fog of war.” In adopting Item 1.05, the SEC acknowledged that registrants will need to “develop information after discovery until it is sufficient to facilitate a materiality analysis.” The Rule, therefore, allows companies to undertake a reasonable investigation and an informed and deliberative materiality analysis, provided companies do not “unreasonabl[y] delay” the required determination. In most instances, we believe companies are well-advised to exercise caution before rushing to disclose early in the course of an incident investigation. Still, sometimes the incident will have public ramifications which may merit very quick disclosure.

My take on these early trends reflects the fact that I am a “traditionalist” on these kinds of disclosure matters, even when approaching a new Form 8-K disclosure item. I advise companies that they should only file an Item 1.05 Form 8-K when they have to, because the incident is material as contemplated by the rule. Disclosing a material cybersecurity incident is very likely to attract attention from the SEC and others who are looking at this new disclosure frontier as an opportunity for Enforcement and litigation actions, so discretion is the better part of valor in these situations. In terms of speed, I do think that, in most cybersecurity incidents, it takes time to investigate the incident and to make a materiality determination, so companies should take that time and avoid jumping the gun on an SEC disclosure decision.

– Dave Lynn

April 17, 2024

The Other Cybersecurity Disclosure: Where Do We Go from Here?

With Form 10-K season for December 31 year-end filers now wrapped up, we can now get a sense of how things went with the cybersecurity disclosure required in Item 106 of Regulation S-K. I don’t know about you, but preparing these disclosures proved to be a hard slog over the past few months, as is often the case when preparing new and unfamiliar disclosures from scratch. A DLA memo from earlier this year identified some early filer trends in the Form 10-K cybersecurity disclosure:

A recent study by DLA Piper Corporate Data Analytics of Item 1C disclosures filed by Russell 3000 companies as of January 31, 2024 found:

– 85 percent of registrants disclosed that the company has a Chief Information Security Officer (CISO) or other role responsible for information security.

– 62 percent of registrants disclosed a CISO or similar role focused solely on information security.

– 23 percent disclosed a Vice President, Chief Technology Officer, or other employee with responsibility over information security and other technology-related matters.

– 69 percent of registrants discussed conducting employee training regarding cybersecurity as well as conducting internal tests or simulations.

– While no registrants discussed a specific cyber incident in Item 1C disclosures, 69 percent discussed past breaches generally and 62 percent discussed past threats generally.

In addition to the registrants who have disclosed new Item 1C, some registrants with fiscal year ends prior to December 15, 2023 have been voluntarily including cybersecurity-related disclosures in their recently filed Form 10-Ks. Generally, such registrants have included information related to individuals who manage the registrant’s security program and who provide periodic reports to the board of directors, CEO, and other senior management.

For example, filers in the technology sector have disclosed that:

– IT teams regularly monitor and generate reports regarding cyber risks and threats, the status of projects to strengthen information security systems, assessments of information security programs, the emerging threat landscape, and related matters

– Such cybersecurity-related reports are provided to the Chief Information Security Officer

– Overall cyber programs are regularly evaluated by internal and external experts

– The company conducts engagement with key vendors, industry participants, and intelligence and law enforcement communities as part of continuing efforts to evaluate and enhance the effectiveness of its information security policies and procedures

– The company maintains internal procedures, such as establishing a confidentiality framework, adhering to document management regulations, and all-employee confidentiality agreement requirements

Generally, my observations have been that the Form 10-K cybersecurity disclosures were shorter than I expected and tended to include less detail than one might have expected about the overall cybersecurity risk management approach. As we digest this year’s disclosure in anticipation of next year’s disclosures, I think companies will be revisiting their disclosure approach to get in line with their peers and general disclosure practices. We also may get the benefit of the Staff’s observations on the new disclosure, either through the comment process or through further interpretive guidance.

We will continue to post law firm memos and other resources on this topic in our “Cybersecurity” Practice Area.

– Dave Lynn

April 17, 2024

March-April Issue of The Corporate Counsel

The latest issue of The Corporate Counsel has been sent to the printer. It is also available now online to members of The CorporateCounsel.net who subscribe to the electronic format. The issue includes the following articles:

– SEC Adopts Climate Disclosure Rules – What Should You Do Now?
– The Presumptive Underwriter Doctrine Rears Its Ugly Head

Please email sales@ccrcorp.com to subscribe to this essential resource if you are not already receiving the important updates we provide in The Corporate Counsel newsletter.

– Dave Lynn

April 16, 2024

Countdown to T+1: SIFMA Resources

I am sure that, at this point, your level of anticipation is off the charts for the rollout of the new T+1 settlement timeframe, which will be implemented over the Memorial Day holiday weekend across securities markets. As of this morning, we are just 40 days away from the transition to T+1, and certainly nothing focuses the mind like an impending deadline. As questions inevitably arise regarding the transition to T+1, the Securities Industry and Financial Markets Association (SIFMA) has provided comprehensive resources for market participants.

In addition to a handy countdown clock for the U.S. and Canadian transition to T+1, SIFMA has posted the T+1 Securities Settlement Industry Implementation Playbook, which “outlines a detailed approach to identifying the impacts, implementation activities, implementation timelines, dependencies, and risk impacts, that market participants should consider in order to prepare for the impending transition to a shortened settlement cycle.” On April 8, 2024, SIFMA, ICI, DTCC and Deloitte hosted a virtual briefing to discuss what financial services organizations are focusing on between now and the upcoming deadlines, a replay of which is available on SIFMA’s website. I encourage you to check out the resources that SIFMA has made available and carefully consider the implications of the T+1 transition in anticipation of the end-of-May rollout.

We have also been posting resources in our “Transfer Agents/Settlement” Practice Area on TheCorporateCounsel.net.

– Dave Lynn

April 16, 2024

Transition Matters: New Requirements for Companies with a March 31 Fiscal Year-End

The SEC’s Rule 10b5-1 and insider trading disclosure rulemaking from back in December 2022 included a long transition period for the periodic disclosures concerning insider trading policies and procedures and option grant timing practices, with much of the focus being on December 31 year-end companies that do not have to comply until their filings made in 2025. For companies (other than smaller reporting companies) with a fiscal year ending on or after March 31, 2024, the new requirements will be in effect for their upcoming annual report and proxy statement filings, so it is time to pay attention to what needs to be disclosed when.

New paragraph (x) of Item 402 of Regulation S-K is one of the disclosure items that March 31 companies will need to pay attention to now that the transition period has run. Item 402(x) requires disclosure of a company’s policies and practices on the timing of awards of options, stock appreciation rights and similar instruments with option-like features, as well as certain tabular disclosure of awards of options, SARs and instruments with option-like features to named executive officers that occur close in time to the company’s disclosure of material nonpublic information. The disclosure required by Item 402(x) of Regulation S-K must be tagged using Inline XBRL. Foreign private issuers are not required to provide this disclosure.

Companies will also need to comply with Item 408(b) of Regulation S-K, which requires companies to disclose whether they have adopted insider trading policies and procedures governing the purchase, sale and other dispositions of their securities by directors, officers and employees, or the issuer itself, that are reasonably designed to promote compliance with insider trading laws, rules and regulations, and any listing standards applicable to the issuer. If an issuer has not adopted such insider trading policies and procedures, it must explain why it has not done so. Domestic companies must provide this disclosure both in annual reports on Form 10-K and in proxy and information statements, while foreign private issuers will be required to provide the disclosure pursuant to Item 16J in Form 20-F. This disclosure also must be tagged using Inline XBRL.

Finally, companies with a March 31 fiscal year-end will need to file, as an exhibit to their annual report on Form 10-K or Form 20-F, any insider trading policies and procedures, or amendments thereto, that are the subject of the disclosure required by Item 408(b) of Regulation S-K. This exhibit is not required to be tagged using Inline XBRL.

Smaller reporting companies get some extra time to comply with these new disclosure requirements. They must begin complying in filings with respect to the first full fiscal period that begins on or after October 1, 2023, so these disclosures will be required in annual reports and proxy statements for fiscal years ending on or after September 30, 2024.

– Dave Lynn

April 16, 2024

Transcript: “The SEC’s Climate Disclosure Rules: Preparing for the New Regime”

We have posted the transcript for our recent webcast, “The SEC’s Climate Disclosure Rules: Preparing for the New Regime,” during which I was joined by J. T. Ho, Partner, Orrick, Herrington & Sutcliffe LLP, Rose Pierson, Assistant Secretary and Senior Counsel, Chevron and Kristina Wyatt, Deputy General Counsel and Chief Sustainability Officer, Persefoni for a discussion of the SEC’s new climate disclosure rules. The webcast covered the following topics:

– Overview of the SEC’s Final Rules and Key Changes from the Original Proposal
– Developing and Implementing an Effective Compliance Plan
– Navigating Multiple Climate Reporting Regimes
– Legal Challenges to the SEC’s Rules

This was a great webcast to be a part of – we covered a lot of ground and the panelists provided insights on a number of the key implementation challenges that companies will face with these new rules.

– Dave Lynn

April 15, 2024

SCOTUS Decides MD&A Omissions Case

On Friday, the Supreme Court issued its decision in Macquarie Infrastructure Corp. v. Moab Partners, L.P., a case from the Second Circuit addressing the ability to rely on a failure to disclose certain information in accordance with the requirements of Item 303 of Regulation S-K as a basis to state a securities fraud claim under SEC Rule 10b-5. A unanimous Supreme Court held that “pure omissions” are not actionable under Rule 10b–5(b). The opinion, authored by Justice Sotomayor, states:

Securities and Exchange Commission (SEC) Rule 10b–5(b) makes it unlawful to omit material facts in connection with buying or selling securities when that omission renders “statements made” misleading. Separately, Item 303 of SEC Regulation S–K requires companies to disclose certain information in periodic filings with the SEC. The question in this case is whether the failure to disclose information required by Item 303 can support a private action under Rule 10b–5(b), even if the failure does not render any “statements made” misleading. The Court holds that it cannot. Pure omissions are not actionable under Rule 10b–5(b).

As a result of the Supreme Court’s decision, the judgment of the Court of Appeals for the Second Circuit is vacated, and the case is remanded for further proceedings consistent with the Supreme Court’s opinion.

The Court explained, “A pure omission occurs when a speaker says nothing, in circumstances that do not give any particular meaning to that silence.” By contrast, a half-truth occurs when a speaker says something, but “state[s] the truth only so far as it goes, while omitting critical qualifying information.” The Court held that Rule 10b-5(b) prohibits half-truths but not pure omissions, noting that the text of Rule 10b-5(b) prohibits omitting information from a public disclosure that is “necessary in order to make the statements made … not misleading.” Liability under that provision turns on there being “statements made” that were misleading. While other provisions of the securities laws, such as Section 11 of the Securities Act, prohibit pure omissions, neither Rule 10b-5(b) nor Section 10(b) contains this express prohibition. The Court made clear that it was not opining on other issues not presented to it, such as “what constitutes ‘statements made’” and “when a statement is misleading as a half-truth.”

– Dave Lynn

April 15, 2024

SEC Small Business Forum Happening This Week

The SEC’s 43rd Annual Government-Business Forum on Small Business Capital Formation will take place in three virtual sessions April 16-18 from 1:00-2:30 p.m. Eastern Time. The SEC’s Office of the Advocate for Small Business Capital Formation will host the Forum. The SEC’s announcement notes:

The Forum is a unique event where members of the public and private sectors gather to provide feedback to improve capital-raising policy. The event will feature appearances by each of the Commissioners and an exciting lineup of speakers with fresh perspectives on capital raising. Sessions will focus on the following topics:

– Tuesday, April 16: Amplifying Early-Stage Stories
– Wednesday, April 17: Opening the Dialogue on Investing
– Thursday, April 18: Catching up with Small Caps

At the end of each day’s session, registered participants will have the opportunity to prioritize capital-raising policy recommendations to the Commission and Congress. After the event, a report with the recommendations will be delivered to Congress.

Participants must register for the Forum and will be able to attend the virtual sessions, prioritize policy recommendations and ask questions. The SEC also accepted policy recommendations through last Friday.

– Dave Lynn

April 15, 2024

Skadden’s Updated “Compensation Committee Handbook”

As Meredith recently noted on the Advisors’ Blog on CompensationStandards.com, the 2024 update to Skadden’s Compensation Committee Handbook is now available — now in its 10th edition, it reflects key developments since last spring, including updates for the clawback rules and developments in pay-versus-performance disclosures. In the discussion of clawbacks, it briefly touches on the interplay with other legal requirements, including SOX and state laws:

Committees should keep in mind that certain states, such as California, have laws that generally prohibit the recovery of wages that have already been paid. While the Dodd-Frank clawback rules are currently expected to preempt conflicting state law, litigation activity may be on the horizon to definitively confirm this.

CEOs and chief financial officers (CFOs) remain subject to the clawback provisions of the Sarbanes-Oxley Act of 2002 (SOX), which provide that if a company is required to prepare an accounting restatement because of “misconduct,” the CEO and CFO are required to reimburse the company for any incentive or equity-based compensation and profits from selling company securities received during the year following issuance of the inaccurate financial statements. To the extent that a Dodd-Frank Clawback Policy and SOX cover the same recoverable compensation, the CEO or CFO would not be subject to duplicative reimbursement. Recovery under the Dodd-Frank Clawback Policy will not preclude recovery under SOX to the extent any applicable amounts have not been reimbursed to the issuer.

This guide is posted along with checklists, sample charters and memos in our “Compensation Committees” Practice Area on CompensationStandards.com.

– Dave Lynn