Speaking of cybersecurity incidents, this Covington memo provides some guidance on how companies can minimize their own risk of running into trouble with the SEC on cybersecurity issues. One recommendation is that companies review and update their list of “crown jewel” information and technology assets:
The SEC’s SolarWinds complaint, along with commentary in the Rules’ adopting release, makes clear that companies are expected not only to identify their “crown jewels,” but to take appropriate action to protect them. Specifically, the SEC’s complaint faulted both SolarWinds and its CISO for not disclosing to the investing public known risks facing products and services that it had identified as among its “crown jewels.” Similarly, the Rules’ commentary suggests that if a cybersecurity incident impacts a company’s “crown jewels,” that information might be sufficient to make a materiality determination even before the company has “complete information” about the incident.
Consider identifying your organization’s “crown jewels” (or re-evaluating an existing list) to ensure the list is updated and not overly broad. Also consider prioritizing efforts to identify cybersecurity risks regarding crown jewels and the controls that protect them.
The SEC’s SolarWinds complaint also treated a company’s “crown jewels” as key assets and the company’s safeguards to protect against unauthorized access to those assets as part of the company’s internal accounting controls (which were alleged to be inadequate).
Other recommendations include updating cybersecurity risk governance disclosures in annual reports to ensure their accuracy, resolving documented cybersecurity “red flags” and providing training on best practices for internal documentation, assessing how existing incident response plans and disclosure control procedures should be integrated, and engaging in pre-incident testing of response procedures.
Earlier this month, former securities analyst Ray Dirks passed away at the age of 89. Dirks was the petitioner in the famous case of Dirks v. SEC, in which the SCOTUS overturned a censure issued against him by the SEC for violating Rule 10b-5’s prohibition on insider trading. The SEC contended that Dirks, who uncovered & alerted the SEC and The Wall Street Journal to potential corporate wrongdoing, violated the prohibition on insider trading by “tipping” his firm’s clients to what he uncovered.
The SCOTUS rejected that argument, but in overturning Dirks’ censure, it established a standard for tipper/tippee liability that turned on whether or not the tipper violated a fiduciary duty by sharing the information in question. In a recent blog on the occasion of Dirks’ passing, Gunster’s Bob Lamm points out that this standard has created a lot of confusion and uncertainty about the boundaries of insider trading liability:
I don’t blame the Court for coming up with this rather convoluted route to Dirks’s exoneration; after all, one of my law school professors used to beat us over the head with the notion that courts will sometimes bend over backwards to fashion a remedy where the strict letter of the law leads to an unjust result. That seems to me to be a good thing. Also, I know that I’m in the minority – possibly a very small minority – that believes that the goal of insider trading law should be to create a level playing field rather than to punish breaches of fiduciary duty.
Still, the Dirks case has resulted in decades of confusion over what is – and what is not – insider trading, and I believe that we’d have all been better off if the SEC had not engaged in overzealousness where Dirks was concerned – particularly given the agency’s non-response to the allegations he’d brought to its attention.
The latest issue of The Corporate Counsel has been sent to the printer. It is also available now online to members of The CorporateCounsel.net who subscribe to the electronic format. The issue includes the following articles:
– SEC Amends Section 13(d) and Section 13(g) Beneficial Ownership Reporting Rules
– Related Person Transactions: Item 404’s Requirements
Please email sales@ccrcorp.com to subscribe to this essential resource if you are not already receiving the important updates we provide in The Corporate Counsel newsletter.
The Standard Industrial Classification Codes that appear in a company’s EDGAR filings indicate the type of business a company engages in and are used by Corp Fin to assign review responsibility for the company’s filings. Sometimes, a company’s business may change sufficiently over time to result in a change in its primary SIC code – which raises the question, “How does a company request the SEC to change its SIC code?” One of our members recently did this for a client, and shared with us the following roadmap for requesting a change:
We had occasion to look into changing an SIC code for a client, and the info on the SEC’s website is outdated. Here is the updated information we received:
You need to send an e-mail requesting the SIC code change to: EDGARFilingCorrections@sec.gov. The email needs to include:
– Name of company
– CIK
– Current SIC
– Requested new SIC
– See sample e-mail below
The request will be reviewed by the committee that reviews these requests periodically. Note: There is dated information on the Internet indicating the SEC only reviews these requests in June of each year but that is no longer the case. These requests are reviewed on a rolling basis.
Once approved, the change in SIC code will not take effect until you make your next required filing with the SEC (e.g., 8-K, 10-Q, 10-K, etc.). Note: The new SIC code will not be approved unless it is representative of your primary source of revenue.
Sample e-mail:
Subject: SIC Code update for [INSERT COMPANY NAME] (CIK [INSERT CIK])
We are respectfully requesting an update to the following SIC code:
CIK: [INSERT CIK]
Company Name: [INSERT COMPANY NAME]
Current SIC: [INSERT CURRENT SIC]
Requested SIC: [INSERT NEW SIC]
Writing this blog brought to mind one of my favorite examples of a corporation completely changing its business – a company called Mary Carter Paint, which in the late 1960s opted to get out of the paint business and into something else. When it did that, it changed its name to one you’re probably much more familiar with – “Resorts International.”
Check out our latest “Timely Takes” Podcast featuring Orrick’s J.T. Ho & his monthly update on securities & governance developments. In this installment, J.T. reviews:
– The status of the SEC’s Share Repurchase Disclosure Rule
– Glass Lewis’s 2024 Voting Guidelines
– The SEC’s SolarWinds Enforcement Proceedings
– New CDIs from Corp Fin
– No-Action Letter Processes
As always, if you have insights on a securities law, capital markets or corporate governance issue, trend or development that you’d like to share in a podcast, we’d love to hear from you. You can email us at john@thecorporatecounsel.net or mervine@ccrcorp.com.
Yesterday, Corp Fin added one more Form 8-K CDI addressing a company’s efforts to delay Item 1.05 disclosure of a material cyber incident on national security or public safety grounds:
Question 104B.04
Question: Would the sole fact that a registrant consults with the Department of Justice regarding the availability of a delay under Item 1.05(c) necessarily result in the determination that the incident is material and therefore subject to the requirements of Item 1.05(a)?
Answer: No. As the Commission stated in the adopting release, the determination of whether an incident is material is based on all relevant facts and circumstances surrounding the incident, including both quantitative and qualitative factors, and should focus on the traditional notion of materiality as articulated by the Supreme Court.
Furthermore, the requirements of Item 1.05 do not preclude a registrant from consulting with the Department of Justice, including the FBI, the Cybersecurity & Infrastructure Security Agency, or any other law enforcement or national security agency at any point regarding the incident, including before a materiality assessment is completed. [December 14, 2023]
Corp Fin Director Erik Gerding also issued a lengthy statement on the rationale underlying the SEC’s adoption of the cybersecurity disclosure and governance rules, the mechanics of the rules, the national security and public safety delay provisions, and Corp Fin’s next steps concerning implementation of the rules and review of disclosures. In the course of that discussion, he commented on the motivation behind the latest CDI:
I hope this [CDI] underscores that the rule does not create a disincentive for public companies to consult with law enforcement or national security agencies about cybersecurity incidents. Indeed, I would encourage public companies to work with the FBI, CISA, and other law enforcement and national security agencies at the earliest possible moment after cybersecurity incidents occur. I believe this timely engagement is in the interest of investors and the public. While this is not within the Commission staff’s purview, companies and government agencies may find that such timely engagement could assist them in a later determination of whether to seek a delay from the DOJ.
Director Gerding closed his statement by offering reassurance that in the first year of the rule’s implementation, Corp Fin isn’t looking to “make ‘gotcha’ comments or penalize foot faults,” and that to the extent appropriate, it may issue “future filings” comments or additional CDIs.
With apologies to Samuel Beckett, the SEC’s latest decision to kick its proposed climate change rules down the road has our editorial team starting to feel a bit like Vladimir & Estragon in Waiting for Godot. My colleagues and I may be able to languish in our existential crisis, but we don’t think companies can afford to wait for the SEC to act before preparing for heightened climate disclosure obligations.
That’s because even if the SEC does nothing, many US companies are soon going to find themselves confronting the rather daunting climate disclosure obligations imposed by the EU’s CSRD disclosure requirements, California’s recent climate disclosure legislation, and increasing stakeholder demands. So, what should companies do while they’re waiting for the SEC’s final rules? Matt Kelly offered up some advice over on his Radical Compliance blog:
You already know climate change disclosures are coming for your enterprise eventually, whether that’s from Europe, California, activist investors, or consumer pressures. Many large companies either already provide some climate change disclosure, or they’re preparing to do so in the immediate future. None of that is likely to change just because the SEC is stalling its final rule for another few months.
Indeed, just this week the Center for Audit Quality (a lobbying voice for large accounting firms) released its 2023 Audit Partner Pulse Survey, where it surveyed audit partners about the issues they see at the forefront of their client companies’ minds. Forty-five percent of respondents said they expect their client companies to disclose more information about environmental or climate issues in 2024, more than any other issue on the 2024 radar.
In other words, the SEC delay might give you more time to proceed down the path to greater disclosure of greenhouse gasses and other climate factors — but you’ll still need to go down that path. The same ESG disclosure and audit issues that have flummoxed companies already are still there.
Do you fully understand the climate change proposal in the first place, such as which gasses must be tracked and how other disclosure protocols fit into the SEC’s thinking?
Do you have an ESG reporting structure, and is that structure wise given all the other reporting and assurance duties you already have?
Have you considered any frameworks to guide your sustainability reporting, such as the framework COSO released earlier this year?
Matt closes by advising companies to “use your time wisely” – or as Vladimir put it in Waiting for Godot, “…Let us not waste our time in idle discourse! Let us do something, while we have the chance…”
Weil’s Howard Dicker reached out earlier this week to share an interesting and somber “Israeli Proxy Season Update” from ISS, which reviews how the war between Israel and Hamas is affecting Israeli public companies and their governance. This excerpt describes the conflict’s influence on executive compensation practices at some of those companies:
Some public companies have taken notable actions on executive compensation, with Hamashbir 365, Retailors Ltd, Castro Model, Brill Shoe Industries, and Golf & CO Group all announcing that their CEOs and Board Chairs will forgo part of their fixed compensation for 30 days or more. In addition, the CEO of Fox Wizel and certain officers are voluntarily reducing their fixed compensation for Q4 2023, with the possibility to extend based on the evolving conflict situation.
Other companies like Paz Oil have removed one-time bonus proposals from their EGMs (Paz Oil’s special meeting was held on November 14, 2023), while Idomoo has decided to remove several equity compensation items from its annual meeting (held on November 2, 2023). Several companies have announced a reduction in work hours, sending employees on unpaid leave or waiving paid vacation days.
This commentary about changes to executive compensation during a major conflict reminded me of a study on exec comp trends I saw a few years back that said during World War II, executive compensation at US public companies declined by 20%, and that most of that reduction was concentrated among companies’ most highly paid executives.
Yesterday, I blogged about guidance from the FBI about procedures companies should follow if they wish to defer Form 8-K disclosure of a cyber incident based on national security or public policy grounds. Well, the SEC has also chimed in by issuing the following three Form 8-K CDIs addressing various scenarios relating to efforts to defer Item 1.05 disclosure on these grounds:
Question 104B.01
Question: A registrant experiences a material cybersecurity incident, and requests that the Attorney General determine that disclosure of the incident on Form 8-K poses a substantial risk to national security or public safety. The Attorney General declines to make such determination or does not respond before the Form 8-K otherwise would be due. What is the deadline for the registrant to file an Item 1.05 Form 8-K disclosing the incident?
Answer: The registrant must file the Item 1.05 Form 8-K within four business days of its determination that the incident is material. Requesting a delay does not change the registrant’s filing obligation. The registrant may delay providing the Item 1.05 Form 8-K disclosure only if the Attorney General determines that disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing before the Form 8-K otherwise would be due. For further information on the Department of Justice’s procedures with respect to Item 1.05(c) of Form 8-K, please see Department of Justice Material Cybersecurity Incident Delay Determinations, Department of Justice (2023), at https://www.justice.gov/media/1328226/dl?inline [December 12, 2023]
Question 104B.02
Question: A registrant experiences a material cybersecurity incident, and requests that the Attorney General determine that disclosure of the incident on Form 8-K poses a substantial risk to national security or public safety. The Attorney General makes such determination and notifies the Commission that disclosure should be delayed for a time period as provided for in Form 8-K Item 1.05(c). The registrant subsequently requests that the Attorney General determine that disclosure should be delayed for an additional time period. The Attorney General declines to make such determination or does not respond before the expiration of the current delay period. What is the deadline for the registrant to file an Item 1.05 Form 8-K disclosing the incident?
Answer: The registrant must file the Item 1.05 Form 8-K within four business days of the expiration of the delay period provided by the Attorney General. For further information on the Department of Justice’s procedures with respect to Item 1.05(c) of Form 8-K, please see Department of Justice Material Cybersecurity Incident Delay Determinations, Department of Justice (2023), at https://www.justice.gov/media/1328226/dl?inline [December 12, 2023]
Question 104B.03
Question: A registrant experiences a material cybersecurity incident and disclosure of the incident on Form 8-K is delayed pursuant to Form 8-K Item 1.05(c) for a time period of up to 30 days, as specified by the Attorney General. Subsequently, during the pendency of the delay period, the Attorney General determines that disclosure of the incident no longer poses a substantial risk to national security or public safety. The Attorney General notifies the Commission and the registrant of this new determination. What is the deadline for the registrant to file an Item 1.05 Form 8-K disclosing the incident?
Answer: The registrant must file the Item 1.05 Form 8-K within four business days of the Attorney General’s notification to the Commission and the registrant that disclosure of the incident no longer poses a substantial risk to national security or public safety. See also “Changes in circumstances during a delay period” in Department of Justice Material Cybersecurity Incident Delay Determinations, Department of Justice (2023), at https://www.justice.gov/media/1328226/dl?inline [December 12, 2023]
I’m sure you saw a reference to DOJ guidance on delay of Item 1.05 disclosure in that last CDI. Here’s the DOJ’s announcement of that guidance and here’s the guidance document itself.
This recent blog from Barnes & Thornburg’s Jay Knight has the skinny on some informal guidance from SEC Staff members who participated in AICPA and ABA conferences last week concerning how companies should decide whether they need to check the new Form 10-K checkbox. Based on the statements made by Staff members & Jay’s subsequent conversations with them, he identifies a two-step process that companies should engage in to make the decision:
Step 1: Were there any revisions made to the “previously issued financial statements”? For example, with respect to a 10-K for FY23, “previously issued financial statements” would be the 2021 and 2022 periods (for most issuers). This would cover ANY revisions to those previously issued financials (e.g., “Big R,” “little r,” as well as any others (such as a $2 error)).
If NO revisions were made to those previously issued financials ➔ the analysis stops and the box is NOT checked.
If YES ➔ move to step 2
Step 2: Were the revisions made to the previously issued financial statements the result of accounting errors under ASC 250? Importantly, not all revisions are because of accounting errors. An example of a revision that is not an accounting error is the adoption of a new accounting principle that is pushed back into prior periods. Examples of revisions that are an accounting error are 1) corrections of mistakes in the application of US GAAP and 2) corrections of mathematical mistakes.
While we’re on the topic of whether or not to check the box, here’s another scenario to keep in mind: Would a company that restated interim results in Form 10-Q/A filings be required to check the new box on the Form 10-K cover page? As Meredith blogged back in September, the Staff informally advised that if financial statements included in the 10-K are not required to disclose the correction of an error because the error only existed in interim periods, it would not object to an issuer’s decision not to check the box on the Form 10-K.