The Standard Industrial Classification Codes that appear in a company’s EDGAR filings indicate the type of business a company engages in and are used by Corp Fin to assign review responsibility for the company’s filings. Sometimes, a company’s business may change sufficiently over time to result in a change in its primary SIC code – which raises the question, “How does a company request the SEC to change in its SIC code?” One of our members recently did this for a client, and shared with us the following roadmap for requesting a change:
We had occasion to look into changing an SIC code for a client, and the info on the SEC’s website is outdated. Here is the updated information we received:
You need to send an e-mail requesting the SIC code change to: EDGARFilingCorrections@sec.gov. The email needs to include:
o Name of company
o CIK
o Current SIC
o Requested new SIC
o See sample e-mail below
The request will be reviewed by the committee that reviews these requests periodically. Note: There is dated information on the Internet indicating the SEC only reviews these requests in June of each year but that is no longer the case. These requests are reviewed on a rolling basis.
Once approved, the change in SIC code will not take effect until you make your next required filing with the SEC (e.g., 8-K, 10-Q, 10-K, etc.). Note: The new SIC code will not be approved unless it is representative of your primary source of revenue.
Sample e-mail:
Subject: SIC Code update for [INSERT COMPANY NAME] (CIK [INSERT CIK])
We are respectfully requesting an update to the following SIC code:
CIK [INSERT CIK]
Company Name [INSERT COMPANY NAME]
Current SIC [INSERT CURRENT SIC]
Requested SIC [INSERT NEW SIC]
Writing this blog brought to mind one of my favorite examples of a corporation completely changing its business – a company called Mary Carter Paint, which in the late 1960s opted to get out of the paint business and into something else. When it did that, it changed its name to one you’re probably much more familiar with – “Resorts International.”
Check out our latest “Timely Takes” Podcast featuring Orrick’s J.T. Ho & his monthly update on securities & governance developments. In this installment, J.T. reviews:
– The status of the SEC’s Share Repurchase Disclosure Rule
– Glass Lewis’s 2024 Voting Guidelines
– The SEC’s Solar Winds Enforcement Proceedings
– New CDIs from Corp Fin
– No-Action Letter Processes
As always, if you have insights on a securities law, capital markets or corporate governance issue, trend or development that you’d like to share in a podcast, we’d love to hear from you. You can email us at john@thecorporatecounsel.net or mervine@ccrcorp.com.
Yesterday, Corp Fin added one more Form 8-K CDI addressing a company’s efforts to delay Item 1.05 disclosure of a material cyber incident on national security or public safety grounds:
Question 104B.04
Question: Would the sole fact that a registrant consults with the Department of Justice regarding the availability of a delay under Item 1.05(c) necessarily result in the determination that the incident is material and therefore subject to the requirements of Item 1.05(a)?
Answer: No. As the Commission stated in the adopting release, the determination of whether an incident is material is based on all relevant facts and circumstances surrounding the incident, including both quantitative and qualitative factors, and should focus on the traditional notion of materiality as articulated by the Supreme Court.
Furthermore, the requirements of Item 1.05 do not preclude a registrant from consulting with the Department of Justice, including the FBI, the Cybersecurity & Infrastructure Security Agency, or any other law enforcement or national security agency at any point regarding the incident, including before a materiality assessment is completed. [December 14, 2023]
Corp Fin Director Erik Gerding also issued a lengthy statement on the rationale underlying the SEC’s adoption of the cybersecurity disclosure and governance rules, the mechanics of the rules, the national security and public safety delay provisions, and Corp Fin’s next steps concerning implementation of the rules and review of disclosures. In the course of that discussion, he commented on the motivation behind the latest CDI:
I hope this [CDI] underscores that the rule does not create a disincentive for public companies to consult with law enforcement or national security agencies about cybersecurity incidents. Indeed, I would encourage public companies to work with the FBI, CISA, and other law enforcement and national security agencies at the earliest possible moment after cybersecurity incidents occur. I believe this timely engagement is in the interest of investors and the public. While this is not within the Commission staff’s purview, companies and government agencies may find that such timely engagement could assist them in a later determination of whether to seek a delay from the DOJ.
Director Gerding closed his statement by offering reassurance that in the first year of the rule’s implementation, Corp Fin isn’t looking to “make ‘gotcha’ comments or penalize foot faults,” and that to the extent appropriate, it may issue “future filings” comments or additional CDIs.
With apologies to Samuel Beckett, the SEC’s latest decision to kick its proposed climate change rules down the road has our editorial team starting to feel a bit like Vladimir & Estragon in Waiting for Godot. My colleagues and I may be able to languish in our existential crisis, but we don’t think companies can afford to wait for the SEC to act before preparing for heightened climate disclosure obligations.
That’s because even if the SEC does nothing, many US companies are soon going to find themselves confronting the rather daunting climate disclosure obligations imposed by the EU’s CSRD disclosure requirements, California’s recent climate disclosure legislation, and increasing stakeholder demands. So, what should companies do while they’re waiting for the SEC’s final rules? Matt Kelly offered up some advice over on his Radical Compliance blog:
You already know climate change disclosures are coming for your enterprise eventually, whether that’s from Europe, California, activist investors, or consumer pressures. Many large companies either already provide some climate change disclosure, or they’re preparing to do so in the immediate future. None of that is likely to change just because the SEC is stalling its final rule for another few months.
Indeed, just this week the Center for Audit Quality (a lobbying voice for large accounting firms) released its 2023 Audit Partner Pulse Survey, where it surveyed audit partners about the issues they see at the forefront of their client companies’ minds. Forty-five percent of respondents said they expect their client companies to disclose more information about environmental or climate issues in 2024, more than any other issue on the 2024 radar.
In other words, the SEC delay might give you more time to proceed down the path to greater disclosure of greenhouse gasses and other climate factors — but you’ll still need to go down that path. The same ESG disclosure and audit issues that have flummoxed companies already are still there.
Do you fully understand the climate change proposal in the first place, such as which gasses must be tracked and how other disclosure protocols fit into the SEC’s thinking?
Do you have an ESG reporting structure, and is that structure wise given all the other reporting and assurance duties you already have?
Have you considered any frameworks to guide your sustainability reporting, such as the framework COSO released earlier this year?
Matt closes by advising companies to “use your time wisely” – or as Vladimir put it in Waiting for Godot, “…Let us not waste our time in idle discourse! Let us do something, while we have the chance…”
Weil’s Howard Dicker reached out earlier this week to share an interesting and somber “Israeli Proxy Season Update” from ISS, which reviews how the war between Israel and Hamas is affecting Israeli public companies and their governance. This excerpt describes the conflict’s influence on executive compensation practices at some of those companies:
Some public companies have taken notable actions on executive compensation, with Hamashbir 365, Retailors Ltd, Castro Model, Brill Shoe Industries, and Golf & CO Group all announcing that their CEOs and Board Chairs will forgo part of their fixed compensation for 30 days or more. In addition, the CEO of Fox Wizel and certain officers are voluntarily reducing their fixed compensation for Q4 2023, with the possibility to extend based on the evolving conflict situation.
Other companies like Paz Oil have removed one-time bonus proposals from their EGMs (Paz Oil’s special meeting was held on November 14, 2023), while Idomoo has decided to remove several equity compensation items from its annual meeting (held on November 2, 2023). Several companies have announced a reduction in work hours, sending employees on unpaid leave or waiving paid vacation days.
This commentary about changes to executive compensation during a major conflict reminded me of a study on exec comp trends I saw a few years back that said during World War II, executive compensation at US public companies declined by 20%, and that most of that reduction was concentrated among companies’ most highly paid executives.
Yesterday, I blogged about guidance from the FBI about procedures companies should follow if they wish to defer Form 8-K disclosure of a cyber incident based on national security or public policy grounds. Well, the SEC has also chimed in by issuing the following three Form 8-K CDIs addressing various scenarios relating to efforts to defer Item 1.05 disclosure on these grounds:
Question 104B.01 Question: A registrant experiences a material cybersecurity incident, and requests that the Attorney General determine that disclosure of the incident on Form 8-K poses a substantial risk to national security or public safety. The Attorney General declines to make such determination or does not respond before the Form 8-K otherwise would be due. What is the deadline for the registrant to file an Item 1.05 Form 8-K disclosing the incident?
Answer: The registrant must file the Item 1.05 Form 8-K within four business days of its determination that the incident is material. Requesting a delay does not change the registrant’s filing obligation. The registrant may delay providing the Item 1.05 Form 8-K disclosure only if the Attorney General determines that disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing before the Form 8-K otherwise would be due. For further information on the Department of Justice’s procedures with respect to Item 1.05(c) of Form 8-K, please see Department of Justice Material Cybersecurity Incident Delay Determinations, Department of Justice (2023), at https://www.justice.gov/media/1328226/dl?inline [December 12, 2023]
Question 104B.02 Question: A registrant experiences a material cybersecurity incident, and requests that the Attorney General determine that disclosure of the incident on Form 8-K poses a substantial risk to national security or public safety. The Attorney General makes such determination and notifies the Commission that disclosure should be delayed for a time period as provided for in Form 8-K Item 1.05(c). The registrant subsequently requests that the Attorney General determine that disclosure should be delayed for an additional time period. The Attorney General declines to make such determination or does not respond before the expiration of the current delay period. What is the deadline for the registrant to file an Item 1.05 Form 8-K disclosing the incident?
Answer: The registrant must file the Item 1.05 Form 8-K within four business days of the expiration of the delay period provided by the Attorney General. For further information on the Department of Justice’s procedures with respect to Item 1.05(c) of Form 8-K, please see Department of Justice Material Cybersecurity Incident Delay Determinations, Department of Justice (2023), at https://www.justice.gov/media/1328226/dl?inline [December 12, 2023]
Question 104B.03 Question: A registrant experiences a material cybersecurity incident and disclosure of the incident on Form 8-K is delayed pursuant to Form 8-K Item 1.05(c) for a time period of up to 30 days, as specified by the Attorney General. Subsequently, during the pendency of the delay period, the Attorney General determines that disclosure of the incident no longer poses a substantial risk to national security or public safety. The Attorney General notifies the Commission and the registrant of this new determination. What is the deadline for the registrant to file an Item 1.05 Form 8-K disclosing the incident?
Answer: The registrant must file the Item 1.05 Form 8-K within four business days of the Attorney General’s notification to the Commission and the registrant that disclosure of the incident no longer poses a substantial risk to national security or public safety. See also “Changes in circumstances during a delay period” in Department of Justice Material Cybersecurity Incident Delay Determinations, Department of Justice (2023), at https://www.justice.gov/media/1328226/dl?inline [December 12, 2023]
I’m sure you saw a reference to DOJ guidance on delay of Item 1.05 disclosure in that last CDI. Here’s the DOJ’s announcement of that guidance and here’s the guidance document itself.
This recent blog from Barnes & Thornburgh’s Jay Knight has the skinny on some informal guidance from SEC Staff members who participated in AICPA and ABA conferences last week concerning how companies should decide whether they need to check the new Form 10-K checkbox. Based on the statements made by Staff members & Jay’s subsequent conversations with them, he identifies a two-step process that companies should engage in to make the decision:
Step 1: Were there any revisions made to the “previously issued financial statements”? For example, with respect to a 10-K for FY23, “previously issued financial statements” would be the 2021 and 2022 periods (for most issuers). This would cover ANY revisions to those previously issued financials (e.g., “Big R,” “little r,” as well as any others (such as a $2 error)).
If NO revisions were made to those previously issued financials ➔ the analysis stops and the box is NOT checked.
If YES ➔ move to step 2
Step 2: Were the revisions made to the previously issued financial statements the result of accounting errors under ASC 250? Importantly, not all revisions are because of accounting errors. Examples of a revision that is not an accounting error is the adoption of a new accounting principle that is pushed back into prior periods. Examples of revisions that are an accounting error are 1) corrections of mistakes in the application of US GAAP and 2) corrections of mathematical mistakes.
While we’re on the topic of whether or not to check the box, here’s another scenario to keep in mind: Would a company that restated interim results in Form 10-Q/A filings be required to check the new box on the Form 10-K cover page? As Meredith blogged back in September, the Staff informally advised that if financial statements included in the 10-K are not required to disclose the correction of an error because the error only existed in interim periods, it would not object to an issuer’s decision not to check the box on the Form 10-K.
In the most shocking discovery since Claude Rains learned that gambling was going on in Humphrey Bogart’s cafe in Casablanca, the WSJ recently reported that there are a whole bunch of stocks trading on Nasdaq that are currently trading below the $1 delisting threshold. Concerned investors are. . . well . . . concerned:
Companies with a share price below $1 can stay listed more than a year before Nasdaq kicks them off. Largely owing to the pileup of stocks below $1, around one in six Nasdaq-listed companies is running afoul of the exchange’s rules, Nasdaq data show.
“Exchanges are supposed to be gatekeepers and list only bona fide companies that have investor interest,” said Rick Fleming, a former SEC investor advocate. “If a bunch of companies aren’t really meeting those standards, it undermines the seal of approval that the exchanges are supposed to be imparting.”
Well, yeah, but Nasdaq and the NYSE are in the listing business, not the delisting business, so it isn’t surprising or even remotely scandalous that after they begin the delisting process, they give companies some time to come into compliance with the minimum listing standards. Not surprisingly, the WSJ says that most of the companies that find themselves in this boat are the product of the SPAC craze – which seems to me to be a better target for investor ire than the delisting process.
The SEC’s cyber disclosure rules mandating Form 8-K disclosure of material cybersecurity incidents go into effect on December 18th. New Item 1.05 of Form 8-K allows companies to defer disclosure for a time if the Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing. The rules don’t specify how companies are supposed to bring this issue to the Attorney General’s attention, but the FBI has recently weighed in with guidance to public companies on how to do that.
The guidance provides that written notice be delivered to the FBI or another appropriate agency through a dedicated email address that will be established soon, and says that the notice must address the following questions:
1. What is the name of your company?
2. When did the cyber incident occur?
3. When did you determine the cyber incident is material, per 88 Fed. Reg. 51896? Include the date, time, and time zone. (Note: Failure to report this information immediately upon determination will cause your delay-referral request to be denied.)
4. Are you already in contact with the FBI or another U.S. government agency regarding this incident? If so, provide the names and field offices of the FBI points of contact or information regarding the U.S. government agency with whom you’re in contact.
5. Describe the incident in detail. Include the following details, at minimum:
a. What type of incident occurred?
b. What are the known or suspected intrusion vectors, including any identified vulnerabilities if known?
c. What infrastructure or data were affected (if any) and how were they affected?
d. What is the operational impact on the company, if known?
6. Is there confirmed or suspected attribution of the cyber actors responsible?
7. What is the current status of any remediation or mitigation efforts?
8. Where did the incident occur? Provide the street address, city, and state where the incident occurred.
9. Who are your company’s points of contact for this matter? Provide the name, phone number, and email address of personnel you want the FBI to contact to discuss this request.
10. Has your company previously submitted a delay referral request or is this the first time? If you have previously submitted a delay request, please include details about when DOJ made its last delay determination(s), on what grounds, and for how long it granted the delay (if applicable).
In an announcement accompanying the guidance, the FBI urges all public companies to establish a relationship with the cyber squad at their local FBI office. The FBI also “strongly encourages” companies to contact it directly or through the Secret Service, CISA, or another sector risk management agency soon after it believes disclosure of a newly discovered incident may pose a substantial risk to national security or public safety. The FBI says that this early outreach will enable it to familiarize itself with the relevant facts & circumstances before a materiality determination is made by the company.
I’m sure that it isn’t news to any of our readers that this year’s SEC rulemaking, enforcement actions and legislative, judicial, and regulatory developments have created a lot of new requirements and risks for public companies to consider as the new year approaches. This recent Sidley memo offers a dozen recommended action items for public companies to consider for 2024 in light of those developments. Here’s an excerpt with several of those recommendations:
– Proactively prepare for shareholder activism; confirm there are no illegal director interlocks. Particularly given the current universal proxy rules, companies are well advised to review director biographies in proxy statements and on corporate websites to ensure they reflect the strengths, qualifications, and relevant experience of individual directors. Before any activist situation arises, companies should also assess their vulnerabilities and ask experienced proxy contest counsel to review their corporate bylaws to ensure that they reflect current best practices. See the Sidley article here. Companies should also confirm that they have no interlocking directorates in violation of the Clayton Act – enforcement by the Federal Trade Commission and the Department of Justice resulted in more than a dozen director resignations in 2023, as discussed in the Sidley article here.
– Ensure that the board understands the impact of artificial intelligence (AI) on corporate strategy and risk. Corporate boards need to understand and stay apprised of AI-related legislative and regulatory initiatives in the U.S. and abroad and oversee the company’s compliance, as well as the development of relevant policies, information systems, and internal controls, to ensure that AI use is consistent with legal, regulatory, and ethical obligations, with appropriate safeguards to protect against risks. See the Sidley articles here and here and listen to the Sidley webinar on the EU AI Act here.
– Refresh policies on corporate statements about high-profile social and political issues. Companies may face negative consequences to their business or reputation whether they speak or stay silent. Accordingly, companies may wish to consider adopting policies and processes for determining what issues to speak out on and when, who has authority to speak, and which types of statements (if any) require board notification or prior approval. These decisions should align with a company’s core values and take into account the potential benefits and risks associated with taking a position. See the Sidley article here.
Other action items addressed in the memo include amending corporate charters to provide for officer exculpation, implementing systems to ensure compliance with new cyberdisclosure regulations, staying apprised of EU and California climate disclosure rules and pending SEC climate disclosure rulemaking, and preparing for compliance with the new EU subsidies regulation.
