Yesterday, the SEC announced cease-and-desist proceedings against the Intercontinental Exchange and nine affiliates, including the NYSE, for failing to notify the Commission about a cyber intrusion as required by Regulation SCI (Systems Compliance and Integrity). The settlement included a $10 million civil penalty.
Commissioners Peirce and Uyeda issued a joint statement calling the penalty “disproportionately large” given that the ICE subsidiaries ultimately determined the incident was de minimis. Toward the end of the statement, the Commissioners expressed their concerns about “imposing outsized penalties for minor violations” in Commission enforcement actions generally — worrying that public perception of the Commission’s regulatory agenda is harmed when “regulatory foot faults result in ever-steeper penalties that bear little to no relation to real-world harm.”
The SEC’s press release has this to say in a quote by Enforcement Director Gurbir Grewal:
Under Reg SCI, [intermediaries] have to immediately notify the SEC of cyber intrusions into relevant systems that they cannot reasonably estimate to be de minimis events right away. […] [T]hey instead took four days to assess its impact and internally conclude it was a de minimis event. When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity.
Yesterday, Corp Fin Director Erik Gerding released this statement (subject to the standard disclaimer) regarding new Item 1.05 of Form 8-K requiring public companies to disclose material cybersecurity incidents. In the statement, Director Gerding encourages companies that choose to voluntarily disclose an immaterial cybersecurity incident or choose to disclose early while a materiality determination is still being made to do so under a different item of Form 8-K — like 8.01 for Other Events. The statement notes that reporting immaterial incidents under Item 1.05 (“Material Cybersecurity Incidents”) could confuse investors.
Given the prevalence of cybersecurity incidents, this distinction between a Form 8-K filed under Item 1.05 for a cybersecurity incident determined by a company to be material and a Form 8-K voluntarily filed under Item 8.01 for other cybersecurity incidents will allow investors to more easily distinguish between the two and make better investment and voting decisions with respect to material cybersecurity incidents. By contrast, if all cybersecurity incidents are disclosed under Item 1.05, then there is a risk that investors will misperceive immaterial cybersecurity incidents as material, and vice versa.
It stresses that this is not intended to discourage or disincentivize voluntary early reporting or reporting of immaterial incidents, which can be valuable to investors, the marketplace and companies. It also reminds companies that early reporting may mean two 8-Ks will be necessary:
If a company discloses an immaterial incident (or one for which it has not yet made a materiality determination) under Item 8.01 of Form 8-K, and then it subsequently determines that the incident is material, then it should file an Item 1.05 Form 8-K within four business days of such subsequent materiality determination. That Form 8-K may refer to the earlier Item 8.01 Form 8-K, but the company would need to ensure that the disclosure in the subsequent filing satisfies the requirements of Item 1.05.
Earlier this year, I shared a Cleary alert on the potential benefits of early reporting under Item 7.01 or 8.01 that is worth sharing again.
Yesterday’s statement from Corp Fin Director Erik Gerding (subject to the standard disclaimer) also addresses materiality determinations for cyber incidents, stressing that companies should assess “all relevant factors” and not limit that assessment to the incident’s impact on the company’s financial condition and results of operation.
“[C]ompanies should consider qualitative factors alongside quantitative factors.” For example, companies should consider whether the incident will “harm . . . [its] reputation, customer or vendor relationships, or competitiveness.” Companies also should consider “the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and Federal Governmental authorities and non-U.S. authorities.”
Echoing a key comment from SEC Speaks, the statement also adds the following (which is contemplated by Instruction 2 to Item 1.05):
There also may be cases in which a cybersecurity incident is so significant that a company determines it to be material even though the company has not yet determined its impact (or reasonably likely impact). In those cases, the company should disclose the incident in an Item 1.05 Form 8-K, include a statement noting that the company has not yet determined the impact (or reasonably likely impact) of the incident, and amend the Form 8-K to disclose the impact once that information is available.
The initial Form 8-K filing, however, should provide investors with information necessary to understand the material aspects of the nature, scope, and timing of the incident, notwithstanding the company’s inability to determine the incident’s impact (or reasonably likely impact) at that time.
While we celebrate the unofficial start of summer and observe Memorial Day this weekend, U.S. securities markets will transition to securities settlements of T+1, returning us, as Chair Gensler noted, to “the settlement cycle that we had in the United States most of the first 50 years of Memorial Days.” Yesterday, Chair Gensler issued a statement on the upcoming implementation date touting the immediate benefit to everyday investors — if they “sell their stock on a Monday, shortening the settlement cycle will allow them to get their money on Tuesday” — and highlighting the SEC staff’s efforts to monitor and facilitate this transition:
Since the SEC voted to establish a T+1 settlement cycle in the U.S., SEC staff has been monitoring on a continuous basis the efforts of market participants to prepare for the shorter settlement cycle and coordinating with regulatory authorities in North America, Europe, Asia, and other jurisdictions around the world. In March, to help market participants prepare for the upcoming move to T+1, SEC staff published a risk alert, responses to frequently asked questions, and an Investor Bulletin.
As the compliance date of May 28, 2024 approaches, the Commission will continue its efforts to help facilitate a successful transition.
For issuers and offerings, this Wilson Sonsini alert reminds us that parties can still agree to a longer settlement cycle for firm commitment underwritten offerings under Rule 15c6-1 — traditionally used for debt capital markets transactions rather than equity. And despite the T+2 timeframe for offerings that price after 4:30 p.m. ET, “the majority of equity transactions, including IPOs and follow-on offerings, will close one day after trading begins.”
As John shared in early May, the Division of Enforcement recently announced enforcement proceedings against the BF Borgers CPA PC accounting firm and its sole partner that included a permanent suspension of the firm and its owner. That suspension has significant and unfortunate, to say the least, implications for the firm’s public company audit clients.
Yesterday evening, the SEC announced an exemptive order providing an extension to certain companies affected by the suspension. The order provides that, for any reporting company that notified the Commission between May 3 and May 16 pursuant to Rule 12b-25 of its inability to timely file a quarterly or transition report on Form 10-Q due to the BF Borgers suspension order, the Form 10-Q will be deemed to be filed on its prescribed due date as long as it is filed no later than the 30th calendar day (instead of the 5th calendar day) following the due date.
While it may not be a familiar name, BF Borgers has been a fairly significant player for small-cap issuers — ranking 8th in overall market share for public company audits last year & 6th in market share for non-SPAC initial public offerings. The order recognized that these impacted companies need to hire new, qualified, independent, PCAOB-registered public accountants and that any replacement firm will have to review the included financial information and potentially re-review comparable interim financial information, which may be practically impossible with the limited extension permitted by Rule 12b-25.
This recent Barnes & Thornburg blog gives a timely reminder that one of the audiences listening to your earnings calls is regulators. It discusses the SEC’s continued focus on consistency among various disclosures and its use of earnings calls to comment on SEC filings.
The blog highlights a spring 2024 comment letter focused on known trends or uncertainties disclosures in MD&A and company comments on a fourth-quarter earnings call regarding the company’s refinancing strategy. The company’s response to the comment called out business section and related MD&A quantitative disclosures but also agreed to further address the strategy in MD&A by adding a new narrative paragraph.
Other recent comment letters address the importance of “synchronizing what will be said on the earnings call with what will be disclosed in a company’s SEC filings.”
This follows two other recent comment letters from SEC staff related to earnings calls: A January 2024 letter and response that discussed whether metrics mentioned by a company’s CEO on earnings calls two quarters in a row were key performance indicators for the business and another from the same month that asked whether refurbishment revenue that was discussed on the past two quarters’ earnings calls should be broken out separately in the notes to a company’s financial statements.
The blog suggests that the folks who prepare MD&A pull recent earnings call transcripts when drafting. I’d also add that someone needs to review the earnings call script and MD&A disclosures for consistency — possibly twice each quarter to ensure it’s done on nearly final versions. The script, prior call transcripts, and analyst reports are also helpful resources for outside counsel to add value by doing a holistic review. Sometimes it may also be appropriate to add language to the 10-Q or 10-K before filing if senior management responds to a question or adds color on the earnings call that the financial reporting team deems worthy of including.
It may have a frightening headline — “500+ proxy statements contain up to multi-million dollar XBRL tagging errors” — but don’t be scared away! This Toppan Merrill blog details common PvP tagging errors, with examples, and the first step in avoiding these problems is understanding how they happen!
One common issue involves incorrectly tagging the adjustments necessary to calculate “compensation actually paid.” Multiple numbers in the PvP table must be tagged as reductions to SCT total compensation, not additions, despite being presented in the table as non-negative numbers:
To ensure the XBRL tagging presents the exact same information, the XBRL preparer must know to enter values in column b and d as ‘negative’ (as deductions), even though the values in these two columns are shown as ‘positive’ (with no parentheses) in the table.
When XBRL preparers erroneously entered the values in column b and d as positive, the XBRL calculated value (machine-readable value) of the executive compensation actually paid would be a+b+c+d+e+f+g = $161,425,424 versus the value $120,865,280 as shown in the table.
Double counting is also common in tagging “compensation actually paid” adjustments. The blog recommends that companies develop new processes to ensure that there are no tagging errors in their proxy statements, if they haven’t already, and confirm that the XBRL-tagged data tells the same story as the human-readable information.
As a reminder, we know this is a focus area for the Staff from a “Dear Issuer” letter posted after the 2023 proxy season and that the Staff is using XBRL tagging to identify PVP disclosures that appeared to be lacking, which the Staff reiterated in recent comments at SEC Speaks and the ABA Business Law Section Spring Meeting.
Last Friday, SEC Corp Fin Director Erik Gerding and Chief Accountant Paul Munter issued a joint statement on the application of IFRS 19 in SEC filings by foreign private issuers. The statement follows a May 9 announcement by the IASB regarding the issuance of a new Accounting Standard IFRS 19 — Subsidiaries without Public Accountability: Disclosures — which permits eligible subsidiaries to “provide reduced disclosures when applying recognition, measurement, and presentation requirements of IFRS Accounting Standards.”
The statement acknowledges that IFRS 19 is limited to entities that do not have public accountability at the end of their reporting period, but notes that financial statements that apply IFRS 19 may be included in SEC filings in certain situations. When that’s the case, the statement says IFRS 19 will necessitate additional disclosures to meet the needs of the intended audience. They point to the requirement in IFRS 19 to consider whether additional disclosures are necessary to provide an understanding of particular events or circumstances.
As just one example, if a foreign private issuer files documents with the SEC related to a merger with a foreign business that qualifies for and elects to apply IFRS 19, and the registrant is required to provide financial statements of the foreign business, the foreign business is required by IFRS 19 to consider whether additional material disclosures need to be included in its financial statements to enable investors to understand the impact of transactions, other events, and conditions on the foreign business’s financial position and financial performance.
The purpose of including the foreign business’s financial statements in the SEC filing at the time of the transaction is to help investors better understand the nature and extent of the business being acquired and the resulting combined entity when making their voting or investment decisions. Given the purpose of inclusion of the foreign business’s financial statements in the registration statement, the needs of investors would likely be similar to the needs of investors in an entity with public accountability.
In such a scenario, even though the foreign business may be eligible to and has elected to apply IFRS 19 in order to benefit from reduced disclosures, it should carefully consider whether it is nevertheless required to include additional material disclosures from other IFRS Accounting Standards to achieve the objectives of financial reporting given the use of those financial statements in a filing with the SEC.
The statement concludes with a reminder that the Division of Corporation Finance and the Office of the Chief Accountant are “available for consultation,” including on the application of IFRS 19 in SEC filings.
In case you missed it, meme stocks are having a moment again — so much so that the WSJ speculated that “online subcultures might have a permanent influence on the market.” But a number of factors are different this time around. Among them is the looming shift to T+1 settlement, which was motivated in part by the original meme-stock craze and should address the increased margin requirements that caused Robinhood to block purchases of meme stocks.
But that doesn’t lessen the extreme volatility meme stock attention can cause for a “mid-cap” company’s stock. This AP article notes that, despite no change in Game Stop’s prospects:
GameStop’s share price was swinging so sharply after the opening bell Monday that trading in the stock was halted nine times in just over an hour. On Tuesday, the movements for AMC Entertainment were even wilder, and its trading was halted 18 times by early afternoon.
This King & Spalding alert from the time of the original meme-stock craze in 2021 noted that affected companies responded in varied ways. It also addresses key considerations for issuers of meme stocks, including when public disclosure is advisable, what might happen at the annual meeting, the impact on equity incentive plans and, of course, important questions for capital raises or when insiders want to trade.
Last week, the SEC announced that Corey Klemmer, most recently the Corporation Finance Counsel to Chair Gary Gensler, has been appointed as Policy Director. She succeeds Heather Slavkin Corzo, who is leaving the agency. The press release highlights their contributions to the SEC:
Ms. Slavkin Corzo was one of Chair Gensler’s first appointments to his senior staff. She joined the SEC in April 2021 and led a team of policy experts who advise Chair Gensler on SEC rulemakings and other regulatory issues. She oversaw the proposal and adoption of nearly 40 rulemakings relating to market structure, issuer disclosure, fund oversight, and other areas critical to investor protection and capital formation. […]
Ms. Klemmer joined the SEC in July of 2021. Since then, she has supported the Chair in proposing and adopting rules implementing the Holding Foreign Companies Accountable Act and outstanding Dodd-Frank mandates, as well as updating insider trading rules, beneficial ownership disclosures, and the regulation of special purpose acquisition companies. For the last two years, Ms. Klemmer has worked in a project management capacity across the policy agenda.
