Yesterday, I discussed the implementation of Item 1.05 of Form 8-K, which is the new item for reporting material cybersecurity incidents. Someone always must be first, and this filing appeared to be the first Form 8-K filed under the new reporting regime.
In the Form 8-K, the company is reporting a cybersecurity incident that was detected just last week and is disrupting the company’s business operations. The company reports that the full nature, scope and impact of the breach are not yet known.
It is that time of year again when lights are twinkling on the trees, the stockings are hung with care by the fire and the stores are jammed with shoppers, which can only mean it is time for the SEC’s Office of the Advocate for Small Business Capital Formation to issue its 2023 Annual Report to Congress and the Commission. The SEC’s announcement of the 2023 Annual Report notes:
The report is a comprehensive resource on the dynamics of capital raising in communities across the country. Its contents include:
– Data on small business capital formation, broken down by:
> Small and emerging businesses
> Mature and later-stage businesses
> Initial public offerings and small public companies
> Women founders and investors
> Diverse founders and investors
> Natural disaster areas
> Rural communities
– Policy recommendations from the Office
– Highlights of the Office’s advocacy work and public engagements from fiscal year 2023
– Small Business Capital Formation Advisory Committee’s fiscal year 2023 summary of activities
The independent advocacy Office works to help advance the interests of small businesses and their investors. Based on feedback received through the team’s continuous public outreach, the Office has developed educational resources to help equip small businesses and their investors with tools to navigate capital raising. Throughout its activities, the Office proactively works to identify and address unique challenges faced by diverse founders and their investors.
One of the statistics that always blows me away in this report is that the amount of capital raised using Rule 506(b) private placements is $2.7 trillion, which is consistently more than the amount raised through any other exempt offering alternative or registered offerings. Despite the proliferation of offering exemptions over the past decade, Rule 506(b) is still where the action is!
It is that time of year when some companies are trying to get year-end deals completed before December 31, so it is important to keep in mind the SEC’s calendar over the next couple of weeks. The SEC will be closed for the Federal holidays on Monday, December 25 and Monday, January 1, which means no EDGAR filings on those days.
Note that the latest Continuing Resolution signed into law on November 16th contemplates funding the government until January 19, 2024, so we have a few weeks into the new year before we have to potentially roll out the SEC shutdown blogs. But maybe Congress will get its act together in 2024! One can always dream.
Three weeks ago, I started a new chapter of my career at Goodwin. I often analogize moving from one law firm to another to the process of jumping from one speeding train to another speeding train – it is a difficult maneuver that is not without some risk! I am getting settled into my new work home, where I serve as chair of the firm’s Public Company Advisory practice. I am looking forward to all the opportunities that I will have at my new firm.
Today is the effective date for new Item 1.05 of Form 8-K, which requires companies to disclose, within four business days after determining that an incident is material, any cybersecurity incident that a company experiences that is determined to be material, describing the material aspects of its: (i) nature, scope, and timing; and (ii) the impact or reasonably likely impact of the incident on the company, including on the company’s financial condition and results of operations. But don’t expect a flood of Item 1.05 Form 8-Ks starting this morning, because the materiality qualifier is the critical element of Item 1.05. And when I think about materiality in the Form 8-K context, I always go back to the Commission’s characterization of the items selected for disclosure in Form 8-K in the 2004 adopting release (which brought us a significantly expanded Form 8-K), and that is the notion that Form 8-K is intended to address the “unquestionably or presumptively material events” that a company faces. The most difficult part, as I think we can all acknowledge, is assessing whether a particular cybersecurity event is in fact material. To that end, I share with you some of my experiences from the “trenches” of determining whether cybersecurity events are material:
1. Beware of the Titanic Effect – When I was in college, I decided to drive my VW Rabbit up one of those enormous snow mounds that accumulate in parking lots during the winter (an astute reader/listener might ask themselves why I was driving a VW Rabbit, but that is a whole other story). My friend tried to discourage me from this endeavor, but I said to him something to the effect of “What could go wrong, it is only a little snow?” In response, he delivered the deadpan line “Tell that to the Titanic.” I proceeded to try to drive into (not up) the snow mound, and it turned out to be rock hard ice that ripped the front bumper and driving lights off the Rabbit. The moral of the story, other than that no one in their right mind should have ever given me a driver’s license, is that nothing is ever quite as it seems, particularly in the context of cybersecurity breaches. The Titanic effect is real in many cybersecurity breaches, in that one can easily misperceive that the giant iceberg lurking under the surface is just some harmless floating ice. In many of the situations that I have observed over the years, the breach appears to be innocuous in the beginning, and then, as more investigation occurs, a much wider threat is identified, including situations where threat actors may still be active in a company’s systems. These evaluations do not happen overnight, so the materiality assessment must be ongoing as new facts come in. Parties involved in the evaluation – including management, directors and outside advisors – need to make objective assessments of the risks associated with the breach and the potential consequences, and do so as quickly as possible. The last thing anyone wants to have happen is that a material cybersecurity incident is disclosed too late in the SEC’s eyes, simply because the Titanic effect clouded everyone’s judgment as to the size and scope of the breach.
2. The Benefit of Hindsight – As has become evident from the cybersecurity enforcement cases that the SEC has brought over the years and those investigations that remain ongoing, the SEC looks at the current disclosure of cybersecurity incidents with the benefit of 20-20 hindsight. The timing of disclosure decisions invariably raises eyebrows when the situation is evaluated two or three years later, after everyone has already observed what happened next after the breach was discovered. Therefore, I think it is always important to conduct a materiality assessment through this lens, trying to evaluate how this disclosure decision will look to future investigators under the range of possible scenarios. I recognize that this is a departure from focusing on the pure materiality considerations that we are all familiar with, but it is just a practical reality of where we are with this issue today.
3. Do Your Homework – I believe that one of the most important things that a company can do now to prepare itself for a potential Item 1.05 of Form 8-K disclosure situation is to draft a materiality framework that is specific to the company and can be applied to any potentially material cybersecurity breach that comes along. I have seen this approach work successfully in the past, because often it is difficult in the heat of a cybersecurity incident to come up with an approach to assessing materiality that works for that particular company. This does not have to be a lengthy policy or procedure – what I envision is a few pages of questions that can be asked to objectively assess the materiality of the circumstances.
4. Process is Critical – It has been drilled into our heads from the SEC’s cybersecurity enforcement efforts that controls are king. This is an area where the SEC Staff expects to see robust disclosure and internal controls that are designed to get to the right result, i.e., timely and accurate disclosure of material cybersecurity incidents. I am by no means suggesting that companies go to extreme lengths to establish these controls – in a way, I think it is a mistake to treat Item 1.05 differently than any other Form 8-K disclosure item. Rather, I believe it is important to have in place measured and demonstrable controls that are designed to surface potentially material cybersecurity incidents to the decision-makers within the organization and to provide those decision-makers with the information they need to make correct disclosure decisions. This is something we have been doing with the many other Form 8-K items for the almost two decades now since the SEC substantially expanded current reporting on Form 8-K.
5. Human, All Too Human – In my experience, perhaps the biggest impediment to timely and accurate cybersecurity incident disclosure is human nature. I am not trying to blame anyone here, but time and time again I have come across scenarios where folks in the IT function tend to want to downplay or delay telling anyone about a cybersecurity incident, because they have an honest belief that it is not so bad and that they can fix it before any harm is done. This approach is not surprising, given that the cybersecurity staff is inundated with attacks from all manner of threat actors all day, every day, so their natural reaction is to just deal with them and not overreact to the situation. It is this natural impulse that the disclosure controls need to overcome, so that information can “bubble up” through the organization about potentially material cybersecurity incidents. This is not an easy thing to solve for, and it takes a top-down, organization-wide approach to try to overcome the human nature element that threatens your timely material cybersecurity incident reporting.
I hope these tips are helpful to you as we move forward under the new current reporting requirements – and whatever you do, avoid those parking lot snow mounds this winter, they are dangerous to drive into!
On Friday, the SEC announced that it had issued a Staff Report on the accredited investor definition. The Dodd-Frank Act directs the SEC to review the accredited investor definition as it relates to natural persons every four years to determine whether the definition should be modified or adjusted. The Staff previously reviewed the definition in 2015 and 2019, and now the Staff from Corp Fin and the Division of Economic and Risk Analysis prepared this report in connection with a third review of the accredited investor definition. The SEC notes in its announcement:
The report examines the current status of the accredited investor pool and concludes with a review of frequently suggested revisions to the accredited investor definition received from a variety of sources, including public commenters, the Investor Advisory Committee, and the Small Business Capital Formation Advisory Committee.
This report could potentially serve as a basis for future rulemaking on the always difficult topic of accredited investor status for natural persons.
Yesterday, Corp Fin added one more Form 8-K CDI addressing a company’s efforts to delay Item 1.05 disclosure of a material cyber incident on national security or public safety grounds:
Question 104B.04
Question: Would the sole fact that a registrant consults with the Department of Justice regarding the availability of a delay under Item 1.05(c) necessarily result in the determination that the incident is material and therefore subject to the requirements of Item 1.05(a)?
Answer: No. As the Commission stated in the adopting release, the determination of whether an incident is material is based on all relevant facts and circumstances surrounding the incident, including both quantitative and qualitative factors, and should focus on the traditional notion of materiality as articulated by the Supreme Court.
Furthermore, the requirements of Item 1.05 do not preclude a registrant from consulting with the Department of Justice, including the FBI, the Cybersecurity & Infrastructure Security Agency, or any other law enforcement or national security agency at any point regarding the incident, including before a materiality assessment is completed. [December 14, 2023]
Corp Fin Director Erik Gerding also issued a lengthy statement on the rationale underlying the SEC’s adoption of the cybersecurity disclosure and governance rules, the mechanics of the rules, the national security and public safety delay provisions, and Corp Fin’s next steps concerning implementation of the rules and review of disclosures. In the course of that discussion, he commented on the motivation behind the latest CDI:
I hope this [CDI] underscores that the rule does not create a disincentive for public companies to consult with law enforcement or national security agencies about cybersecurity incidents. Indeed, I would encourage public companies to work with the FBI, CISA, and other law enforcement and national security agencies at the earliest possible moment after cybersecurity incidents occur. I believe this timely engagement is in the interest of investors and the public. While this is not within the Commission staff’s purview, companies and government agencies may find that such timely engagement could assist them in a later determination of whether to seek a delay from the DOJ.
Director Gerding closed his statement by offering reassurance that in the first year of the rule’s implementation, Corp Fin isn’t looking to “make ‘gotcha’ comments or penalize foot faults,” and that to the extent appropriate, it may issue “future filings” comments or additional CDIs.
With apologies to Samuel Beckett, the SEC’s latest decision to kick its proposed climate change rules down the road has our editorial team starting to feel a bit like Vladimir & Estragon in Waiting for Godot. My colleagues and I may be able to languish in our existential crisis, but we don’t think companies can afford to wait for the SEC to act before preparing for heightened climate disclosure obligations.
That’s because even if the SEC does nothing, many US companies are soon going to find themselves confronting the rather daunting climate disclosure obligations imposed by the EU’s CSRD disclosure requirements, California’s recent climate disclosure legislation, and increasing stakeholder demands. So, what should companies do while they’re waiting for the SEC’s final rules? Matt Kelly offered up some advice over on his Radical Compliance blog:
You already know climate change disclosures are coming for your enterprise eventually, whether that’s from Europe, California, activist investors, or consumer pressures. Many large companies either already provide some climate change disclosure, or they’re preparing to do so in the immediate future. None of that is likely to change just because the SEC is stalling its final rule for another few months.
Indeed, just this week the Center for Audit Quality (a lobbying voice for large accounting firms) released its 2023 Audit Partner Pulse Survey, where it surveyed audit partners about the issues they see at the forefront of their client companies’ minds. Forty-five percent of respondents said they expect their client companies to disclose more information about environmental or climate issues in 2024, more than any other issue on the 2024 radar.
In other words, the SEC delay might give you more time to proceed down the path to greater disclosure of greenhouse gasses and other climate factors — but you’ll still need to go down that path. The same ESG disclosure and audit issues that have flummoxed companies already are still there.
Do you fully understand the climate change proposal in the first place, such as which gasses must be tracked and how other disclosure protocols fit into the SEC’s thinking?
Do you have an ESG reporting structure, and is that structure wise given all the other reporting and assurance duties you already have?
Have you considered any frameworks to guide your sustainability reporting, such as the framework COSO released earlier this year?
Matt closes by advising companies to “use your time wisely” – or as Vladimir put it in Waiting for Godot, “…Let us not waste our time in idle discourse! Let us do something, while we have the chance…”
Weil’s Howard Dicker reached out earlier this week to share an interesting and somber “Israeli Proxy Season Update” from ISS, which reviews how the war between Israel and Hamas is affecting Israeli public companies and their governance. This excerpt describes the conflict’s influence on executive compensation practices at some of those companies:
Some public companies have taken notable actions on executive compensation, with Hamashbir 365, Retailors Ltd, Castro Model, Brill Shoe Industries, and Golf & CO Group all announcing that their CEOs and Board Chairs will forgo part of their fixed compensation for 30 days or more. In addition, the CEO of Fox Wizel and certain officers are voluntarily reducing their fixed compensation for Q4 2023, with the possibility to extend based on the evolving conflict situation.
Other companies like Paz Oil have removed one-time bonus proposals from their EGMs (Paz Oil’s special meeting was held on November 14, 2023), while Idomoo has decided to remove several equity compensation items from its annual meeting (held on November 2, 2023). Several companies have announced a reduction in work hours, sending employees on unpaid leave or waiving paid vacation days.
This commentary about changes to executive compensation during a major conflict reminded me of a study on exec comp trends I saw a few years back that said during World War II, executive compensation at US public companies declined by 20%, and that most of that reduction was concentrated among companies’ most highly paid executives.
Yesterday, I blogged about guidance from the FBI about procedures companies should follow if they wish to defer Form 8-K disclosure of a cyber incident based on national security or public safety grounds. Well, the SEC has also chimed in by issuing the following three Form 8-K CDIs addressing various scenarios relating to efforts to defer Item 1.05 disclosure on these grounds:
Question 104B.01
Question: A registrant experiences a material cybersecurity incident, and requests that the Attorney General determine that disclosure of the incident on Form 8-K poses a substantial risk to national security or public safety. The Attorney General declines to make such determination or does not respond before the Form 8-K otherwise would be due. What is the deadline for the registrant to file an Item 1.05 Form 8-K disclosing the incident?
Answer: The registrant must file the Item 1.05 Form 8-K within four business days of its determination that the incident is material. Requesting a delay does not change the registrant’s filing obligation. The registrant may delay providing the Item 1.05 Form 8-K disclosure only if the Attorney General determines that disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing before the Form 8-K otherwise would be due. For further information on the Department of Justice’s procedures with respect to Item 1.05(c) of Form 8-K, please see Department of Justice Material Cybersecurity Incident Delay Determinations, Department of Justice (2023), at https://www.justice.gov/media/1328226/dl?inline [December 12, 2023]
Question 104B.02
Question: A registrant experiences a material cybersecurity incident, and requests that the Attorney General determine that disclosure of the incident on Form 8-K poses a substantial risk to national security or public safety. The Attorney General makes such determination and notifies the Commission that disclosure should be delayed for a time period as provided for in Form 8-K Item 1.05(c). The registrant subsequently requests that the Attorney General determine that disclosure should be delayed for an additional time period. The Attorney General declines to make such determination or does not respond before the expiration of the current delay period. What is the deadline for the registrant to file an Item 1.05 Form 8-K disclosing the incident?
Answer: The registrant must file the Item 1.05 Form 8-K within four business days of the expiration of the delay period provided by the Attorney General. For further information on the Department of Justice’s procedures with respect to Item 1.05(c) of Form 8-K, please see Department of Justice Material Cybersecurity Incident Delay Determinations, Department of Justice (2023), at https://www.justice.gov/media/1328226/dl?inline [December 12, 2023]
Question 104B.03
Question: A registrant experiences a material cybersecurity incident and disclosure of the incident on Form 8-K is delayed pursuant to Form 8-K Item 1.05(c) for a time period of up to 30 days, as specified by the Attorney General. Subsequently, during the pendency of the delay period, the Attorney General determines that disclosure of the incident no longer poses a substantial risk to national security or public safety. The Attorney General notifies the Commission and the registrant of this new determination. What is the deadline for the registrant to file an Item 1.05 Form 8-K disclosing the incident?
Answer: The registrant must file the Item 1.05 Form 8-K within four business days of the Attorney General’s notification to the Commission and the registrant that disclosure of the incident no longer poses a substantial risk to national security or public safety. See also “Changes in circumstances during a delay period” in Department of Justice Material Cybersecurity Incident Delay Determinations, Department of Justice (2023), at https://www.justice.gov/media/1328226/dl?inline [December 12, 2023]
I’m sure you saw a reference to DOJ guidance on delay of Item 1.05 disclosure in that last CDI. Here’s the DOJ’s announcement of that guidance and here’s the guidance document itself.