The SEC released a statement from Corp Fin Director Erik Gerding yesterday that reflected Gerding’s opening remarks and the matters discussed on a panel addressing Corp Fin’s Disclosure Review Program during the April 2024 SEC Speaks Conference in Washington, DC. The statement provides a comprehensive overview of recent developments in Corp Fin and observations gleaned from the review of filings.

– Dave Lynn

As I noted in my recent blog commemorating the SEC’s 90th Anniversary, if Future Me went back in time and told Teenage Me that, forty years from now, I would be appearing on two panels in front of hundreds of people where I am cast among the “SEC All-Stars,” I would have first asked “What is the SEC?” and then told Future Me to get back in my DeLorean and drive Back to the Future.

As it turns out, Future Me was right and I am incredibly fortunate to be joining my fellow SEC alums – Sonia Barros, Lily Brown, Alan Dye and Lona Nallengara – on the panel “The SEC All-Stars: Proxy Season Insights” at the Proxy Disclosure Conference, which is taking place on Monday, October 14, 2024 in San Francisco. During this panel, we will cover a wide range of proxy and annual reporting season topics, including cyber disclosures, disclosure controls & procedures, Rule 14a-8 no-action letter trends and rule amendments, Section 16 and Rule 144 developments and disclosure about transactions in company securities. With this line-up of All-Stars and topics, you do not want to miss this panel!

Don’t wait for Future You to register for the “2024 Proxy Disclosure & 21st Annual Executive Compensation Conferences” – do it today! You can register now by visiting our online store or by calling us at 800-737-1271. Our early bird in-person Single Attendee Price is $1,750, which is discounted from the regular $2,195 rate! This is a great deal that you do not want to miss. If you can’t make it in person, we also offer a virtual option so you won’t miss out on the practical takeaways our speaker lineup will share, and we offer discounted rate options for groups of virtual attendees.

– Dave Lynn

Earlier this month, Erica Williams was reappointed to a second term as Chair of the PCAOB. Her second term begins on October 25, 2024 and runs through October 24, 2029. It is clear that the PCAOB will continue to be active in modernizing its standards under the leadership of Chair Williams.

Recently, the PCAOB announced the adoption of amendments to two auditing standards to address the use of technology-assisted analysis. The amended standards are AS 1105, Audit Evidence, and AS 2301, The Auditor’s Responses to the Risks of Material Misstatement. The PCAOB’s announcement notes:

The changes adopted today bring greater clarity to auditor responsibilities in the following areas:

– Using reliable information in audit procedures: Technology-assisted analysis often involves analyzing vast amounts of information in electronic form. The adopting release emphasizes auditors’ responsibilities when evaluating the reliability of such information used as audit evidence. For example, when auditors test a company’s controls over electronic information, their testing should include, where applicable, controls over the company’s information technology general controls and automated application controls related to such information.

– Using audit evidence for multiple purposes: Technology-assisted analysis can be used to provide audit evidence for various purposes in an audit. For example, auditors may use technology-assisted analysis to analyze a population of transactions as part of identifying risks of material misstatement or to perform, after identifying such risks, substantive procedures on all items within a population. The adopting release specifies that if an auditor uses an audit procedure for more than one purpose, the auditor should achieve each objective of the procedure.

– Performing tests of details: When performing tests of details, auditors may use technology-assisted analysis to identify transactions and balances that meet certain criteria and warrant further investigation. For example, auditors may identify all transactions within an account exceeding a certain amount or processed by a certain individual. The adopting release clarifies that the auditor’s investigation of such items should include determining whether the identified items individually or in the aggregate indicate misstatements or control deficiencies.

The new standard will apply to all audits conducted under PCAOB standards. Subject to approval by the SEC, the new standard and related amendments will take effect for audits of financial statements for fiscal years beginning on or after December 15, 2025.

– Dave Lynn

As you may know, when the PCAOB was stood up over two decades ago, it adopted the then-existing auditing standards as its own, with the expectation that, over time, the PCAOB would replace those pre-existing auditing standards with its own PCAOB-adopted and SEC-approved auditing standards. The PCAOB’s authority in this regard was driven by concerns with auditing practices in the wake of the corporate scandals of the early 2000s such as Enron and WorldCom. Adopting new and replacement auditing standards is no easy task, so the PCAOB has spent the past twenty-two years working to update and modernize the standards that govern audits of public companies by independent registered public accountants.

The latest modernization efforts involves a recently announced proposal to replace the PCAOB’s existing auditing standard related to an auditor’s use of substantive analytical procedures with a new standard: AS 2305, Designing and Performing Substantive Analytical Procedures. The PCAOB notes that, if adopted, the proposed standard would “strengthen and clarify the auditor’s responsibilities when designing and performing substantive analytical procedures, increasing the likelihood that the auditor will obtain relevant and reliable audit evidence – ultimately improving overall audit quality and leaving investors better protected.” the proposed standard would do the following:

– Strengthen and clarify the requirements for determining whether the relationship(s) to be used in the substantive analytical procedure is sufficiently plausible and predictable;

– Specify that the auditor develops their own expectation and not use the company’s amount or information that is based on the company’s amount (so-called circular auditing);

– Strengthen and clarify existing requirements for determining when the difference between the auditor’s expectation and the company’s amount requires further evaluation;

– Strengthen and clarify existing requirements for evaluating the difference between the auditor’s expectation and the company’s amount. This includes determining if a misstatement exists as well as specifying requirements for certain situations the auditor may encounter when evaluating a difference;

– Clarify the factors that affect the persuasiveness of audit evidence obtained from a substantive analytical procedure;

– Clarify the elements of a substantive analytical procedure, including the distinction between substantive analytical procedures and other types of analytical procedures; and

– Modernize the standard by reorganizing the requirements and more explicitly integrating the standard with other Board-issued standards – ultimately making it easier for auditors to follow.

Along with proposed AS 2305, the proposal includes amendments to AS 1105, Audit Evidence, and AS 2301, The Auditor’s Responses to the Risks of Material Misstatement. Comment on the new standard and proposed amendments are due on August 12, 2024.

– Dave Lynn

I am not entirely sure where June went to, but I do know that we are now officially into the Summer, and that means we are just a few months away from our October conferences. The “2024 Proxy Disclosure & 21st Annual Executive Compensation Conferences” will be taking place in San Francisco on October 14th & 15th, and we are celebrating the fact that we will be returning to an in-person format this year. Not surprisingly, I am going to be spending my week on the blog reminding you of why you need to sign up for this big event today!

In today’s blog, I am going to focus on my first appearance on the agenda for the October conferences, and that will be my interview with Erik Gerding, Director of the SEC’s Division of Corporation Finance. If you have attended our conferences in the past, you know that for many years we have kicked things off with a discussion of the most important SEC issues straight from the source – the Director of Corp Fin. This is a great opportunity to hear what is on the SEC’s agenda for public companies and the latest trends that Corp Fin has been observing in public company disclosures. The discussion with the Director is always a great way to frame many of the topics that we will be addressing throughout the two days of conferences, so it is always a must-see event.

You can register now by visiting our online store or by calling us at 800-737-1271. Our early bird in-person Single Attendee Price is $1,750, which is discounted from the regular $2,195 rate! This is a great deal that you do not want to miss. If you can’t make it in person, we also offer a virtual option so you won’t miss out on the practical takeaways our speaker lineup will share, and we offer discounted rate options for groups of virtual attendees.

– Dave Lynn

Yesterday, Corp Fin Director Erik Gerding issued a statement addressing concerns expressed by some registrants that the SEC’s rules requiring disclosure of material cybersecurity incidents in an Item 1.05 Form 8-K preclude registrants from sharing information beyond that disclosed in the 8-K with others, including contractual counterparties. Director Gerding’s statement clarifies that this is not the case, and that Regulation FD offers various alternatives for sharing this information without raising selective disclosure concerns:

There are several ways that a public company can privately share information regarding a material cybersecurity incident beyond what was disclosed in its Item 1.05 Form 8-K without implicating Regulation FD. For example, the information that is being privately shared about the incident may be immaterial, or the parties with whom the information is being shared may not be one of the types of persons covered by Regulation FD.

Further, even if the information being shared is material nonpublic information and the parties with whom the information is being shared are the types of persons covered by Regulation FD, an exclusion from the application of Regulation FD may apply. For example, if the information is being shared with a person who owes a duty of trust or confidence to the issuer (such as an attorney, investment banker, or accountant)or if the person with whom the information being shared expressly agrees to maintain the disclosed information in confidence (e.g., if they enter into a confidentiality agreement with the issuer), then public disclosure of that privately-shared information will not be required under Regulation FD.

The statement notes that while companies may be reluctant to share additional information about cybersecurity incidents with third parties, companies that follow the scope and requirements of the selective disclosure rules in Reg FD should not face undue impediments to mutually beneficial sharing of information regarding material cybersecurity incidents with third parties.

– John Jenkins

I recently saw a report quoting an OpenAI insider who estimates that there’s a 70% chance that artificial intelligence will destroy humanity. I guess that would worry me more if I didn’t put the odds of us doing that to ourselves without AI’s help at around 75% – and if the current iterations of AI didn’t have more in common with ’80s icon Max Headroom than with the HAL 9000 from “2001: A Space Odyssey.”

That being said, I’ve recently learned about one emerging use for AI that really does terrify me. Apparently, people are starting to use generative AI tools to prepare board minutes. A recent article in “The Boardroom Insider” flags this emerging practice, and this excerpt lays out some of the things that could go very wrong with relying on AI tools in this setting:

Potential downsides of this trend are apparent (and some are still to be realized). Recording of board meetings are always a legal bomb waiting to go off. The more it becomes a standard practice, the more likely someone will neglect to wipe all copies once minutes are finalized. While AI minuting apps note that their draft is only that — a draft for further human processing — what it retains and ignores can prove worrisome.

Further, once you get comfortable with letting AI do the minuting, you’re more likely to just send its digital take out for quick approval. AI “hallucinations” sneaking into the draft could be hard to spot. Finally, what if everyone on the board uses a recording to create their own AI summaries? This Tower of Babel approach could be a nightmare.

If you’re still willing to take the plunge, the article goes on to identify some AI tools that you might use to help generate board minutes. If you’re up for that, well, Godspeed! As for me, when it comes to the use of generative AI for board minutes, I’m firmly in Colonel Kurtz’s camp.

– John Jenkins

There’s some big Wu-Tang Clan-related crypto news that I’d like to share to close out the week. A few years ago, I blogged about how a “digital autonomous organization” or “DAO” named PleasrDAO had acquired the sole copy of the group’s legendary “Once Upon a Time in Shaolin” album that the feds grabbed from its original owner, fraudster Martin Shkreli.

PleasrDAO had big plans for the album, but those plans depended on its ability to persuade The RZA and Cilveringz to sign off on them. That sign-off was necessary because RZA opted to impose a unique restriction on any owner of Once Upon a Time in Shaolin when the album was announced in 2015 – whoever bought it would not be able to release it until 2103, 88 years following its release.

Well, it looks like PleasrDAO was successful, because according to this Bloomberg BusinessWeek article, it recently sponsored swanky listening sessions in NYC where attendees could hear selections from the album while “sipping artisanal cocktails.”  If you missed the New York sessions, don’t despair – all you have to do is travel to New Zealand to catch the sessions being held at a Tasmanian museum through June 24th (in case you’re on the fence, they’re getting rave reviews).

So why is PleasrDAO holding these events?  Well, this is where the tenuous connection to the federal securities laws that allows me to periodically blog about The Wu-Tang Clan comes into play. Here’s an excerpt from the article:

Perhaps not surprisingly, these exclusive sessions have coincided with the start of a campaign to wring more money from the album. On June 13, PleasrDAO started selling digital ownership stakes in Once Upon a Time in Shaolin for $1, entitling buyers to a short sampler from the album along with an encrypted file of the music that will remain locked—but maybe not until 2103, as originally promised. The collective says each sale will reduce the time it takes to make the entire album publicly available by 88 seconds. In short, the decades-long restriction is more fungible than most people might have assumed.

The article says that PleasrDAO raised $250K selling these NFTs in just four days, and cites a NY Times report as indicating that it would need to raise a total of $28 million to release the album to the public. It looks like PleasrDAO has attempted to structure this NFT to avoid having it classified as a security. Of course, that’s what all the NFT folks have said – and the SEC hasn’t always agreed. So, PleasrDAO would be wise to take some advice from the Wu-Tang Clan and “watch your step, kid, watch your step, kid, protect ya neck, kid!”

– John Jenkins

On Tuesday, the SEC announced an enforcement action against RR Donnelley & Sons arising out of alleged disclosure and internal controls violations associated with a series of cyber incidents occurring in November and December 2021 that resulted in a hacker obtaining information belonging to 29 of the company’s clients. This excerpt from the SEC’s press release explains the basis for the action:

According to the SEC’s order, data integrity and confidentiality were critically important to RRD’s business. Because client data was stored on RRD’s network, its information security personnel and the third-party service provider RRD hired were responsible for monitoring the network’s security. However, according to the order, RRD failed to design effective disclosure controls and procedures to report relevant cybersecurity information to management with the responsibility for making disclosure decisions, and failed to carefully assess and respond to alerts of unusual activity in a timely manner.

The order further finds that RRD failed to devise and maintain a system of cybersecurity-related internal accounting controls sufficient to provide reasonable assurances that access to RRD’s assets – its information technology systems and networks – was permitted only with management’s authorization.

Under the terms of the SEC’s order in the case, the company consented, on a neither admit nor deny basis, to the entry of a C&D enjoining future violations of Exchange Act Section 13(b)(2)(B) and Rule 13a-15(a). In addition, the company agreed to pay a civil monetary penalty of $2.125 million.

In a dissenting statement, Commissioners Peirce and Uyeda again challenged the SEC’s use of Section 13(b)(2)(B) in a setting not involving accounting controls:

The Commission’s order faulting RRD’s internal accounting controls breaks new ground with its expansive interpretation of what constitutes an asset under Section 13(b)(2)(B)(iii). By treating RRD’s computer systems as an asset subject to the internal accounting controls provision, the Commission’s Order ignores the distinction between internal accounting controls and broader administrative controls. This distinction, however, is essential to understanding and upholding the proper limits of Section 13(b)(2)(B)’s requirements.

If this objection to an expansive interpretation of Section 13(b)(2)(B) sounds familiar, that’s because it’s one that these same two commissioners raised in response to two prior enforcement actions – the SEC’s 2020 enforcement action against Andeavor and its 2024 enforcement action against Charter Communications.

– John Jenkins

Here’s the final installment in our series of guest blogs on AI Related Disclosures by Orrick’s J.T. Ho, Bobby Bee and Hayden Goudy:

AI-related Business and MD&A Disclosure.  Several companies in the S&P 500 mentioned AI in the Business or MD&A sections of their most recent 10-K, tying AI to their main products and services or to key business updates. While less common than an AI-related risk factor, 40% of the S&P 500 had an AI-related disclosure in the Business or MD&A sections of their most recent 10-K, an increase from 30% in the previous period.

AI-related disclosure in the Business or MD&A sections of the 10-K varied significantly by industry. For instance, 85% of companies in the information technology sector made an AI-disclosure in the Business or MD&A sections, compared to 56% of companies in the financial sector and 38% of companies in health care.

As more companies adopt AI in their operations, products and services, we expect more references to AI in the Business and MD&A sections of 10-Ks across the S&P 500.

Limited Disclosure in the Proxy Statement.  AI-related disclosure in the proxy statement across the S&P 500 was limited. While more than 39% of companies in the S&P 500 mentioned AI in their most recent proxy statement, a significant proportion of references were to new AI-related products or the role that AI was playing as part of a business transformation. Additionally, 24% of the S&P 500 disclosed director-level AI-related expertise or experience in their most recent proxy statement.

However, a much smaller percentage of companies in the S&P 500, approximately 9%, disclosed the role of the board or its committees in overseeing AI-related risks.

For companies that disclosed board or committee oversight, the allocation of that responsibility varied.

The most common approach was at the full board level – 18 companies in the S&P 500 disclosed a clear role for the full board in overseeing AI-related risks. The second most common approach was for the Audit Committee to oversee AI-related risk.

– John Jenkins