June 27, 2024

Looking Forward to Our Upcoming Conferences: Tackling Climate Disclosure

This week I am telling you about a number of the panels that I will join at the “2024 Proxy Disclosure & 21st Annual Executive Compensation Conferences” with the hope that you will get a sense of the range of topics that will be addressed at the Conferences.

On Monday, October 14th at the Proxy Disclosure Conference, I will join Ning Chiu, J.T. Ho, Rose Pierson and Beth Sasfai on a panel titled “Climate Disclosures: Your New Action Items.” I look forward to speaking with this esteemed group about the status of the SEC’s rules, the interpretive issues that are coming up under the SEC’s rules, assessing materiality, getting the control environment right and navigating multiple reporting regimes. This will undoubtedly be a lively discussion of a topic that is very much on everyone’s mind as we consider how to comply with the SEC’s climate disclosure requirements.

As I have pointed out, now is a great time to sign up for our October conferences, whether for the live program or the virtual option. The process is easy, just check out our online store or pick up the phone and call us at 800-737-1271. Take advantage of our early bird rate while you still can!

– Dave Lynn

June 26, 2024

Form 8-Ks for Cybersecurity Incidents: The SEC Staff is Watching

If you have been in this game for a while, you know that there are some “truisms” when it comes to the Disclosure Review Program administered by the SEC’s Division of Corporation Finance. One of those truisms is that, in general, the Corp Fin Staff does not typically monitor or review Form 8-K filings in real time, with the exception of Section 4 Form 8-Ks, which are monitored and reviewed in real time by the accounting Staff. Instead, the Staff will typically review Form 8-K filings during the course of reviewing a company’s periodic reports, with that review usually conducted on a periodic basis after the company files its Form 10-K. Based on recent experience, it appears that the Staff has modified its procedures so that we are now seeing comments on Item 1.05 Form 8-Ks in real time.

It is perhaps no surprise that the Staff is reviewing and commenting on Item 1.05 Form 8-K filings, given all of the recent focus on current disclosure of material cybersecurity incidents. As Meredith noted back in May and as John noted last week, Corp Fin Director Erik Gerding has issued statements concerning the filing obligation under Item 1.05 and selective disclosure considerations regarding material cybersecurity incidents. As I noted yesterday, the Staff has updated its Exchange Act Form 8-K Compliance and Disclosure Interpretations to address when companies are required to disclose information on a current basis under Item 1.05 and how the materiality determination is made when assessing that disclosure obligation.

The Staff’s comments on Item 1.05 Form 8-Ks appear to be focused on why a company filed under Item 1.05 of Form 8-K, and in particular whether the company considered the reported cybersecurity incident to be material. The Staff’s comments have focused on situations where companies indicate in their Item 1.05 Form 8-K disclosure that the company does not believe that the incident has had a material impact on the company’s operations or financial condition, and/or the incident is not anticipated to have a material impact on the company’s financial condition and results of operations going forward. Given these sorts of statements, it appears that the Staff is trying to understand the rationale for filing the Form 8-K under Item 1.05, which requires current disclosure of “a cybersecurity incident that is determined by the registrant to be material.”

The Staff’s recent comments on these filings highlight the need for companies to conduct a carefully considered analysis of the materiality of a cybersecurity incident before deciding to report that incident in an Item 1.05 Form 8-K, and to have a thoroughly documented rationale for the materiality determination at the ready in the event that the Staff raises a comment on the Form 8-K filing.

– Dave Lynn

June 26, 2024

May-June 2024 Issue of The Corporate Executive

The latest issue of The Corporate Executive has been sent to the printer. It is also available now online to members of TheCorporateCounsel.net who subscribe to the electronic format. This issue tackles two timely topics, dealing with “grounded” moonshot awards and addressing the many issues arising with the use of corporate aircraft by adopting a comprehensive policy. On the topic of “grounded” moonshot awards, the issue notes:

We delve into the dynamics of moonshot awards again, and address the steps required when dealing with a grounded moonshot award. The first step is acceptance on the part of all parties involved that the goals and strategic vision associated with the moonshot award are not going to be achieved, and an understanding that the outstanding award is likely doing more harm than good. The second step is carefully considering the options, which could include modification or replacement, cancellation, forfeiture or maintaining the status quo. The third step is getting the governance right with respect to dealing with the grounded moonshot award. The fourth step is being transparent about moonshot awards and any subsequent changes to such awards, because it is important for a wide range of stakeholders to understand the rationale. Finally, it is important to consider the potential litigation risk when granting or subsequently changing moonshot awards.

On the topic of executive use of corporate aircraft, the May-June 2024 issue of The Corporate Executive notes that, with all of the focus on aircraft use right now by the SEC, the media and the general public, now is a good time to consider adopting a policy specifically addressing the use of corporate owned or leased aircraft. In the issue, we provide a form of policy that companies can adapt to their own circumstances. A key consideration when formulating an aircraft policy is the extent to which use of corporate aircraft is a very public endeavor, as noted in this excerpt:

When formulating a policy governing the use of corporate aircraft, companies should carefully consider that there is radical transparency around the flights that private aircraft take. As evidenced by reports of individuals tracking the private aircraft use of Taylor Swift and Elon Musk, and periodic coverage in business publications of where company aircraft is flying to and from, tracking the use of private aircraft is relatively easy based on publicly available information. Each aircraft is assigned a tail number that can be used to track the movement of the aircraft on websites such as FlightAware.com. Aircraft registration is generally considered to be public information in the U.S., which makes it relatively easy to find and track U.S.-registered aircraft by their unique tail number. It is possible for owners of aircraft to avoid this transparency by registering the aircraft in certain jurisdictions outside of the U.S. (e.g., Aruba, Bermuda, Cayman Islands, Isle of Man) or by disabling aircraft tracking for privacy purposes. European data privacy rules also prohibit the tracking of certain aircraft for privacy purposes.

Transparency around flight information can raise a number of considerations for companies using private aircraft travel for both business and personal purposes. For example, there are security considerations whenever an executive is traveling for either business or personal purposes, so the ability of the public to track a corporation’s aircraft can heighten security concerns when individuals or groups are able to determine that the executive is flying to a particular location. Further, it is conceivable that persons might use flight tracking information to try to gather business intelligence or information to inform trading decisions by identifying locations where the company aircraft is frequently flying to or from during specific periods in time. In the context of private use of corporate aircraft, back in 2011 the Wall Street Journal used tail numbers and information derived from Freedom of Information Act (“FOIA”) requests to create a database that tracked the use of corporate aircraft by particular companies, analyze patterns to identify where the planes were flying to and whether those locations had connections to the CEO or other executive officers (e.g., locations of homes, vacation destinations), and identify the potential costs associated with that travel based on industry estimates.

In formulating a policy concerning personal use of aircraft, the company should consider how such personal use will be perceived by investors and the public more broadly when identified in SEC filings and in potential news stories focused on executive perquisites, given the significant transparency surrounding the use of corporate aircraft and the fact that it is a frequent area of focus for the business media.

Please email sales@ccrcorp.com to subscribe to this essential resource if you are not already receiving the practical information that we provide in The Corporate Executive newsletter.

– Dave Lynn

June 26, 2024

Looking Forward to Our Upcoming Conferences: The SEC All-Stars (Take Two)

This week I am highlighting the panels that I will be joining at the “2024 Proxy Disclosure & 21st Annual Executive Compensation Conferences” to give you a flavor for all of the interesting topics that we will be covering during an action-packed two days of in-person programming. On Tuesday, October 15, 2024, I will be on stage with yet another group of talented SEC All-Stars for a deep dive into executive compensation topics during the panel “The SEC All-Stars: Executive Pay Nuggets.” As I mentioned last year, this is my favorite panel at the Conferences solely by virtue of its title, given my long-standing relationship with a certain food item that gave me a life-long nickname which I can’t seem to shake.

I am very fortunate to be speaking with Sonia Barros, Mark Borges, Brian Breheny and Ron Mueller for this panel, and our plan is to cover pay versus performance disclosure, equity plan proposals, human capital disclosure, trends with executive compensation metrics and the latest developments with Rule 10b5-1 plans. This is a panel at the “21st Annual Executive Compensation Conference” that you do not want to miss!

You know the drill by now – sign up today by using our online store or by calling us at 800-737-1271. Keep in mind that our early bird registration deadline has been extended to July 26th, so be sure to take advantage of the in-person Single Attendee Price of $1,750, which is discounted from the regular $2,195 rate. If you can’t be in San Francisco for the live show, there is also a virtual option.

– Dave Lynn

June 25, 2024

New Cybersecurity Disclosure Guidance: Corp Fin Issues Five CDIs

The SEC’s cybersecurity disclosure requirements remain in the spotlight, as yesterday the Staff published its latest guidance interpreting Item 1.05 of Form 8-K. The Staff updated the Exchange Act Form 8-K Compliance and Disclosure Interpretations with five new CDIs, adding to the interpretations of Item 1.05 that were published back in December 2023. The new CDIs are as follows:

Question 104B.05

Question: A registrant experiences a cybersecurity incident involving a ransomware attack. The ransomware attack results in a disruption in operations or the exfiltration of data. After discovering the incident but before determining whether the incident is material, the registrant makes a ransomware payment, and the threat actor that caused the incident ends the disruption of operations or returns the data. Is the registrant still required to make a materiality determination regarding the incident?

Answer: Yes. Item 1.05 of Form 8-K requires a registrant that experiences a cybersecurity incident to determine whether that incident is material. The cessation or apparent cessation of the incident prior to the materiality determination, including as a result of the registrant making a ransomware payment, does not relieve the registrant of the requirement to make such materiality determination.

Further, in making the required materiality determination, the registrant cannot necessarily conclude that the incident is not material simply because of the prior cessation or apparent cessation of the incident. Instead, in assessing the materiality of the incident, the registrant should, as the Commission noted in the adopting release for Item 1.05 of Form 8-K, determine “if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the total mix of information made available,” notwithstanding the fact that the incident may have already been resolved. Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) [88 FR 51896, 51917 (Aug. 4, 2023)] (quoting Matrixx Initiatives v. Siracusano, 563 U.S. 27, 38-40 (2011); Basic Inc. v. Levinson, 485 U.S. 224, 240 (1988); TSC Indus. v. Northway, 426 U.S. 438, 449 (1976)) (internal quotation marks omitted). [June 24, 2024]

Question 104B.06

Question: A registrant experiences a cybersecurity incident that it determines to be material. That incident involves a ransomware attack that results in a disruption in operations or the exfiltration of data and has a material impact or is reasonably likely to have a material impact on the registrant, including its financial condition and results of operations. Subsequently, the registrant makes a ransomware payment, and the threat actor that caused the incident ends the disruption of operations or returns the data. If the registrant has not reported the incident pursuant to Item 1.05 of Form 8-K before it made the ransomware payment and the threat actor has ended the disruption of operations or returned the data before the Form 8-K Item 1.05 filing deadline, does the registrant still need to disclose the incident pursuant to Item 1.05 of Form 8-K?

Answer: Yes. Because the registrant experienced a cybersecurity incident that it determined to be material, the subsequent ransomware payment and cessation or apparent cessation of the incident does not relieve the registrant of the requirement to report the incident under Item 1.05 of Form 8-K within four business days after the registrant determines that it has experienced a material cybersecurity incident. [June 24, 2024]

Question 104B.07

Question: A registrant experiences a cybersecurity incident involving a ransomware attack, and the registrant makes a ransomware payment to the threat actor that caused the incident. The registrant has an insurance policy that covers cybersecurity incidents and is reimbursed for all or a substantial portion of the ransomware payment. Is the incident necessarily not material as a result of the registrant being reimbursed for the ransomware payment under its insurance policy?

Answer: No. The standard that the Commission articulated for assessing the materiality of a cybersecurity incident under Item 1.05 of Form 8-K is set forth in the adopting release for the rule and is reiterated in Question 104B.05. Further, as the Commission noted in the adopting release for Item 1.05 of Form 8-K, when assessing the materiality of cybersecurity incidents, registrants “should take into consideration all relevant facts and circumstances, which may involve consideration of both quantitative and qualitative factors” including, for example, “consider[ing] both the immediate fallout and any longer term effects on its operations, finances, brand perception, customer relationships, and so on, as part of its materiality analysis.” Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) [88 FR 51896, 51917 (Aug. 4, 2023)]. Under the facts described in this question, such consideration also may include an assessment of the subsequent availability of, or increase in cost to the registrant of, insurance policies that cover cybersecurity incidents. [June 24, 2024]

Question 104B.08

Question: A registrant experiences a cybersecurity incident involving a ransomware attack. Is the size of the ransomware payment, by itself, determinative as to whether the cybersecurity incident is material? For example, would a ransomware payment that is small in size necessarily make the related cybersecurity incident immaterial?

Answer: No. The standard that the Commission articulated for assessing the materiality of a cybersecurity incident under Item 1.05 of Form 8-K is set forth in the adopting release for the rule and reiterated in Question 104B.05. Under that standard, the size of any ransomware payment demanded or made is only one of the facts and circumstances that registrants should consider in making its materiality determination regarding the cybersecurity incident. Further, in the adopting release for Item 1.05 of Form 8-K, the Commission declined “to use a quantifiable trigger for Item 1.05 because some cybersecurity incidents may be material yet not cross a particular financial threshold.”

Any ransomware payment made is only one of the various potential impacts of a cybersecurity incident that a registrant should consider under Item 1.05. As the Commission further stated in Item 1.05’s adopting release:

“[T]he material impact of an incident may encompass a range of harms, some quantitative and others qualitative. A lack of quantifiable harm does not necessarily mean an incident is not material. For example, an incident that results in significant reputational harm to a registrant . . . may not cross a particular quantitative threshold, but it should nonetheless be reported if the reputational harm is material.”

Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) [88 FR 51896, 51906 (Aug. 4, 2023)]. [June 24, 2024]

Question 104B.09

Question: A registrant experiences a series of cybersecurity incidents involving ransomware attacks over time, either by a single threat actor or by multiple threat actors. The registrant determines that each incident, individually, is immaterial. Is disclosure of those cybersecurity incidents nonetheless required pursuant to Item 1.05 of Form 8-K?

Answer: Disclosure of those cybersecurity incidents may, depending on the particular facts and circumstances, be required pursuant to Item 1.05 of Form 8-K. In these circumstances, the registrant should consider whether any of those incidents were related, and if so, determine whether those related incidents, collectively, were material. The definition of “cybersecurity incident” under Item 106(a) of Regulation S-K (which, as noted in Instruction 3 to Item 1.05, is the definition that applies to Item 1.05 of Form 8-K) includes “a series of related unauthorized occurrences.” In the adopting release for Item 1.05, the Commission noted:

“[W]hen a company finds that it has been materially affected by what may appear as a series of related cyber intrusions, Item 1.05 may be triggered even if the material impact or reasonably likely material impact could be parceled among the multiple intrusions to render each by itself immaterial. One example was provided in the Proposing Release: the same malicious actor engages in a number of smaller but continuous cyberattacks related in time and form against the same company and collectively, they are either quantitatively or qualitatively material. Another example is a series of related attacks from multiple actors exploiting the same vulnerability and collectively impeding the company’s business materially.”

Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) [88 FR 51896, 51910 (Aug. 4, 2023)]. [June 24, 2024]

The new round of guidance no doubt reflects the challenges that companies are facing in figuring out how to comply with the new disclosure requirements in new Item 1.05 of Form 8-K and the Staff’s observations of disclosure practices to date. Given how difficult this disclosure item has turned out to be, I suspect that this is not the last time we will hear from the Corp Fin Staff on the topic.

– Dave Lynn

June 25, 2024

Better Late Than Never: Corp Fin Remarks from SEC Speaks

The SEC released a statement from Corp Fin Director Erik Gerding yesterday that reflected Gerding’s opening remarks and the matters discussed on a panel addressing Corp Fin’s Disclosure Review Program during the April 2024 SEC Speaks Conference in Washington, DC. The statement provides a comprehensive overview of recent developments in Corp Fin and observations gleaned from the review of filings.

– Dave Lynn

June 25, 2024

Looking Forward to Our Upcoming Conferences: The SEC All-Stars (Take One)

As I noted in my recent blog commemorating the SEC’s 90th Anniversary, if Future Me went back in time and told Teenage Me that, forty years from now, I would be appearing on two panels in front of hundreds of people where I am cast among the “SEC All-Stars,” I would have first asked “What is the SEC?” and then told Future Me to get back in my DeLorean and drive Back to the Future.

As it turns out, Future Me was right and I am incredibly fortunate to be joining my fellow SEC alums – Sonia Barros, Lily Brown, Alan Dye and Lona Nallengara – on the panel “The SEC All-Stars: Proxy Season Insights” at the Proxy Disclosure Conference, which is taking place on Monday, October 14, 2024 in San Francisco. During this panel, we will cover a wide range of proxy and annual reporting season topics, including cyber disclosures, disclosure controls & procedures, Rule 14a-8 no-action letter trends and rule amendments, Section 16 and Rule 144 developments and disclosure about transactions in company securities. With this line-up of All-Stars and topics, you do not want to miss this panel!

Don’t wait for Future You to register for the “2024 Proxy Disclosure & 21st Annual Executive Compensation Conferences” – do it today! You can register now by visiting our online store or by calling us at 800-737-1271. Our early bird in-person Single Attendee Price is $1,750, which is discounted from the regular $2,195 rate! This is a great deal that you do not want to miss. If you can’t make it in person, we also offer a virtual option so you won’t miss out on the practical takeaways our speaker lineup will share, and we offer discounted rate options for groups of virtual attendees.

– Dave Lynn

June 24, 2024

Catching Up On the PCAOB: Addressing Technology-Assisted Analysis

Earlier this month, Erica Williams was reappointed to a second term as Chair of the PCAOB. Her second term begins on October 25, 2024 and runs through October 24, 2029. It is clear that the PCAOB will continue to be active in modernizing its standards under the leadership of Chair Williams.

Recently, the PCAOB announced the adoption of amendments to two auditing standards to address the use of technology-assisted analysis. The amended standards are AS 1105, Audit Evidence, and AS 2301, The Auditor’s Responses to the Risks of Material Misstatement. The PCAOB’s announcement notes:

The changes adopted today bring greater clarity to auditor responsibilities in the following areas:

Using reliable information in audit procedures: Technology-assisted analysis often involves analyzing vast amounts of information in electronic form. The adopting release emphasizes auditors’ responsibilities when evaluating the reliability of such information used as audit evidence. For example, when auditors test a company’s controls over electronic information, their testing should include, where applicable, controls over the company’s information technology general controls and automated application controls related to such information.

Using audit evidence for multiple purposes: Technology-assisted analysis can be used to provide audit evidence for various purposes in an audit. For example, auditors may use technology-assisted analysis to analyze a population of transactions as part of identifying risks of material misstatement or to perform, after identifying such risks, substantive procedures on all items within a population. The adopting release specifies that if an auditor uses an audit procedure for more than one purpose, the auditor should achieve each objective of the procedure.

Performing tests of details: When performing tests of details, auditors may use technology-assisted analysis to identify transactions and balances that meet certain criteria and warrant further investigation. For example, auditors may identify all transactions within an account exceeding a certain amount or processed by a certain individual. The adopting release clarifies that the auditor’s investigation of such items should include determining whether the identified items individually or in the aggregate indicate misstatements or control deficiencies.

The new standard will apply to all audits conducted under PCAOB standards. Subject to approval by the SEC, the new standard and related amendments will take effect for audits of financial statements for fiscal years beginning on or after December 15, 2025.

– Dave Lynn

June 24, 2024

PCAOB Proposes to Replace Outdated Standard on Substantive Analytical Procedures

As you may know, when the PCAOB was stood up over two decades ago, it adopted the then-existing auditing standards as its own, with the expectation that, over time, the PCAOB would replace those pre-existing auditing standards with its own PCAOB-adopted and SEC-approved auditing standards. The PCAOB’s authority in this regard was driven by concerns with auditing practices in the wake of the corporate scandals of the early 2000s such as Enron and WorldCom. Adopting new and replacement auditing standards is no easy task, so the PCAOB has spent the past twenty-two years working to update and modernize the standards that govern audits of public companies by independent registered public accountants.

The latest modernization effort involves a recently announced proposal to replace the PCAOB’s existing auditing standard related to an auditor’s use of substantive analytical procedures with a new standard: AS 2305, Designing and Performing Substantive Analytical Procedures. The PCAOB notes that, if adopted, the proposed standard would “strengthen and clarify the auditor’s responsibilities when designing and performing substantive analytical procedures, increasing the likelihood that the auditor will obtain relevant and reliable audit evidence – ultimately improving overall audit quality and leaving investors better protected.” The proposed standard would do the following:

– Strengthen and clarify the requirements for determining whether the relationship(s) to be used in the substantive analytical procedure is sufficiently plausible and predictable;

– Specify that the auditor develops their own expectation and not use the company’s amount or information that is based on the company’s amount (so-called circular auditing);

– Strengthen and clarify existing requirements for determining when the difference between the auditor’s expectation and the company’s amount requires further evaluation;

– Strengthen and clarify existing requirements for evaluating the difference between the auditor’s expectation and the company’s amount. This includes determining if a misstatement exists as well as specifying requirements for certain situations the auditor may encounter when evaluating a difference;

– Clarify the factors that affect the persuasiveness of audit evidence obtained from a substantive analytical procedure;

– Clarify the elements of a substantive analytical procedure, including the distinction between substantive analytical procedures and other types of analytical procedures; and

– Modernize the standard by reorganizing the requirements and more explicitly integrating the standard with other Board-issued standards – ultimately making it easier for auditors to follow.

Along with proposed AS 2305, the proposal includes amendments to AS 1105, Audit Evidence, and AS 2301, The Auditor’s Responses to the Risks of Material Misstatement. Comments on the new standard and proposed amendments are due on August 12, 2024.

– Dave Lynn

June 24, 2024

Looking Forward to Our Upcoming Conferences: My Take

I am not entirely sure where June went to, but I do know that we are now officially into the Summer, and that means we are just a few months away from our October conferences. The “2024 Proxy Disclosure & 21st Annual Executive Compensation Conferences” will be taking place in San Francisco on October 14th & 15th, and we are celebrating the fact that we will be returning to an in-person format this year. Not surprisingly, I am going to be spending my week on the blog reminding you of why you need to sign up for this big event today!

In today’s blog, I am going to focus on my first appearance on the agenda for the October conferences, and that will be my interview with Erik Gerding, Director of the SEC’s Division of Corporation Finance. If you have attended our conferences in the past, you know that for many years we have kicked things off with a discussion of the most important SEC issues straight from the source – the Director of Corp Fin. This is a great opportunity to hear what is on the SEC’s agenda for public companies and the latest trends that Corp Fin has been observing in public company disclosures. The discussion with the Director is always a great way to frame many of the topics that we will be addressing throughout the two days of conferences, so it is always a must-see event.

You can register now by visiting our online store or by calling us at 800-737-1271. Our early bird in-person Single Attendee Price is $1,750, which is discounted from the regular $2,195 rate! This is a great deal that you do not want to miss. If you can’t make it in person, we also offer a virtual option so you won’t miss out on the practical takeaways our speaker lineup will share, and we offer discounted rate options for groups of virtual attendees.

– Dave Lynn