Late last month, FASB announced that it issued final ASU 2023-07 intended to improve segment reporting, which had been proposed in October of last year. The new guidance applies to annual periods ending after December 15, 2023, which means that calendar-year companies will first need to follow the new guidance for their Form 10-K filed in 2025, for the 2024 fiscal year. FASB’s press release lists the key amendments, which are generally consistent with the proposed ASU, apart from one transition disclosure requirement that FASB removed.
This Deloitte Heads Up reviews the new requirements in detail with illustrative examples. Entities with a single reportable segment should take particular note of this point from the alert:
Before adopting this ASU, entities with a single reportable segment were not explicitly required to provide segment disclosures beyond those provided on an entity-wide basis. Such entities will now be required to expand their segment footnote disclosures by providing all the disclosures currently required for multiple-segment entities as well as those required by the ASU. As part of this requirement, the entity’s segment revenue and profit or loss measure should be clearly disclosed and the entity must review information regularly provided to the [chief operating decision maker (CODM)] for significant segment expenses and other segment items.
Based on the alert and the spirited conversation during the Securities Registration Subcommittee Meeting at the Winter Meeting for the ABA Federal Regulation of Securities Committee, I think we’ll hear much more about this ASU as the accountants and auditors work through the changes. The issue that seems to be creating the most confusion is the following change and the interplay with MD&A disclosure and non-GAAP compliance.
Clarify that if the CODM uses more than one measure of a segment’s profit or loss in assessing segment performance and deciding how to allocate resources, a public entity may report one or more of those additional measures of segment profit. However, at least one of the reported segment profit or loss measures (or the single reported measure, if only one is disclosed) should be the measure that is most consistent with the measurement principles used in measuring the corresponding amounts in the public entity’s consolidated financial statements.
I love those one-page desktop reference guides to Form 8-K. I think they’re so handy for in-house corporate counsel, internal accounting folks, the disclosure committee — really anyone internally who plays a role in 8-K disclosure controls — and new law firm associates. This Desktop Reference: Form 8-K Filing Events from Latham is the first I’ve seen listing soon-to-be-effective Item 1.05 regarding material cybersecurity incidents.
As I poked around further, I saw that WilmerHale has released the 2023 update to its practical guide to Keeping Current With Form 8-K, and it’s been updated throughout to reflect that new Item 1.05 will be effective December 18, 2023 for companies other than smaller reporting companies. This is a longer-form resource and devotes a few pages to each triggering event, the required disclosure and related practice tips. It also discusses filing mechanics — like when to use “Titan” language that investors should not rely on reps and warranties in the exhibited agreement, which items contemplate a subsequent amendment and Form 8-K cover page considerations. Here are some of the guide’s “practice tips” for new Item 1.05:
– Because the definition of “information systems” covers electronic information resources “owned or used by the registrant,” a company is required to disclose a cybersecurity incident suffered by a third-party service provider’s system if that incident has a material impact on the company. Depending on the circumstances of a cybersecurity incident involving a third-party service provider, disclosures may be required by either or both of the service provider and its customer.
– Notwithstanding the obligation to report on third-party systems that experience a cybersecurity incident that materially impacts a company, the SEC noted in the adopting release that companies need only disclose information made available to them, and are generally not required to conduct additional inquiries beyond their regular communications with third-party service providers and in accordance with the company’s disclosure controls and procedures.
– While the materiality of a cybersecurity incident is being assessed, companies should consider whether trading windows should be closed.
– The SEC staff’s 2011 guidance (“2011 Staff Guidance”) and the Commission’s 2018 Interpretive Release (“2018 Interpretive Guidance”) remain applicable and should be used to inform potential disclosure obligations relating to cybersecurity incidents that are not specifically addressed by Item 1.05 or the new annual cybersecurity disclosures called for by Item 106 of Regulation S-K (which was added at the same time as Item 1.05).
Yesterday, the Fall 2023 Reg Flex Agenda was released. With two down and three to go, the list of rulemaking we’ve been tracking in the final rule stage is quite a bit shorter since the spring. All three have been pushed out to April. The proposed rulemaking we’ve been tracking is holding steady.
As a reminder, despite the title of this blog, these dates signify general timeframes! New final or proposed rules could come before the dates suggested in the agenda or be pushed out. This only gives insight into the priorities of the Chair as of the date it was submitted — it’s not a definitive guide for anyone trying to predict SEC rulemaking for purposes of specific board agendas, budget and workflow. But we’ll take any insight we can get!
The SEC’s Office of Chief Accountant recently released this statement with timely reminders for issuers and auditors. The gist of the announcement is that the OCA doesn’t think the statement of cash flows is getting the attention it deserves from either financial statement preparers or auditors. In support, it cites the SEC’s observations that the statement of cash flows is consistently a leading area for material weaknesses in ICFR and for financial restatements. A significant majority of these restatements are “little r” restatements, but the OCA sometimes finds the materiality analyses presented to be unpersuasive:
In certain instances, the staff in OCA have been presented with analyses that conclude an error in the statement of cash flows is not material because it is an error in classification only. We have not found such analyses and their corresponding arguments persuasive since classification itself is the foundation of the statement of cash flows. Accurately classifying cash flows as operating, investing, or financing activities is paramount to investors understanding the nature of the issuer’s activities that generated and used cash during the reporting period. Therefore, issuers and auditors must consider all relevant facts and circumstances to thoroughly and objectively evaluate the total mix of information and determine if such classification errors are material to a reasonable investor.
The statement suggests specific improvements in disclosure, presentation and internal controls related to the statement of cash flows. The OCA also has a reminder for the auditors:
The risks of material misstatement related to the statement of cash flows, such as inaccurate classification of cash flows and incomplete supplemental disclosure of noncash items, are distinct from those in the other financial statements. We expect auditors to design and implement audit procedures that are specifically responsive to those risks in the statement of cash flows, rather than simply reconciling reported cash flows to the balance sheet or income statement.
The November-December Issue of the Deal Lawyers newsletter was just posted and sent to the printer. This month’s issue includes the following articles:
– Delaware Court Addresses Ability to Sue Buyers for Lost Premiums in M&A Deals
– Delaware Chancery Addresses Section 271 of DGCL’s ‘Substantially All of the Assets’ Requirement
The Deal Lawyers newsletter is always timely & topical – and something you can’t afford to be without in order to keep up with the rapid-fire developments in the world of M&A. If you don’t subscribe to Deal Lawyers, please email us at sales@ccrcorp.com or call us at 800-737-1271.
After a few years of ballooning risk factor disclosure despite the SEC’s “modernization” rules, the length of risk factors seemed to stabilize in 2023, at least in the S&P 500. Deloitte and the USC Marshall Arkley Institute for Risk Management have analyzed S&P 500 risk factors since 2021 to understand how the SEC’s 2020 amendments impacted those disclosures. This HLS blog discusses the findings from their latest review, which covered 440 S&P 500 companies that have filed three annual reports between November 2020 and May 2023 and looked for trends in this third 10-K since the amended rules. Here are some stats on the risk factor disclosures generally:
– Risk factor length is holding stable after increasing in prior years, with average lengths of 13.5 pages and 31.5 risk factors
– Only about a quarter of the companies had to include a summary, which averaged 1.5 pages long
– Organization of the risk factors section hasn’t changed much during the period: – Average number of headings was five in all three years – Average number of risk factors per heading was six in all three years – 64% of companies used the same number of headings all three years – Contrary to the SEC’s advice, nearly one-third of the companies still used a general risk factors heading, which included an average of five risk factors
The blog has a few simple recommendations for making risk factors more digestible. It encourages the use of plain English and descriptive headings but has very specific suggestions on how to do that:
Shorten sentence length. We have now reviewed four reporting seasons of risk factor disclosures. The SEC’s amended risk factor disclosure requirements have overall not prompted our largest public companies to make their disclosures more readable, a key purpose of these requirements.[16] We believe the greatest salve to readability would be for companies to decrease the number of words in each sentence in line with Plain English standards for sentence length (no more than 20 words per sentence).[17] Companies could start this exercise by shortening their subcaptions.
Use risk taxonomies from ERM program for headings. Companies continue to use generic headings, such as “business” risks, “industry” risks, and “operations” risks. To bring more specificity to headings and enhance readability, companies could rely on their internal taxonomies used to catalogue risks for their ERM and risk reporting to management and boards of directors. This could lead to the more integrated external and internal reporting the SEC sought in the revised risk factor disclosure rules. Avoid generic risks. The SEC suggested in its amended requirements that companies avoid using a “General Risk Factors” heading. However, one-third of companies have used this heading in the past three reporting seasons.[18] If companies are disclosing these “general” risks to their management and boards, companies could use the more descriptive headings they use in their risk taxonomies for management and board reporting.
The latest risk factor review by Deloitte and the USC Marshall Arkley Institute for Risk Management also specifically considered cybersecurity risk factors in annual reports filed by S&P 500 companies between November 8, 2022 and May 10, 2023. While all of the companies addressed cybersecurity risk in at least one risk factor and over 80% addressed it in multiple risk factors, the data highlights how different — and difficult to compare — cyber incident disclosures in risk factors were in 2023:
– Over 40% of companies, 179 of the 440 companies in our review, disclosed explicitly that they had not experienced a material cybersecurity incident.
Over half of those companies stated they had not experienced a material cybersecurity incident “to date,” while most other companies did not include any time period. Eight companies did limit the disclosure to the past year or past three years. Two companies disclosed that they had not experienced a material cybersecurity incident since the date of a previous material cybersecurity incident. […]
Ten additional companies disclosed that they had not experienced a “significant” cybersecurity incident.
Over 50% of companies remained silent, not disclosing whether or not they had experienced a material cybersecurity incident.
Approximately 3% of companies disclosed that cybersecurity incidents in the aggregate were not material. […]
– About 10% of companies, 47 of the 440 companies in our review, discussed [that] they experienced specific cybersecurity incidents, all identifying the date of either the incident, the discovery of the incident, or the announcement of the incident.
Only four companies stated explicitly that the incident was “material.” Four noted the incident was “significant.” Thirteen companies stated the incident was not material, another noted the incident was not significant, another, “relatively modest.” The rest of the companies—just over half—discussed neither materiality nor significance.
A few companies discussed cybersecurity incidents impacting a specific industry or a broad group of companies, but not necessarily incidents which they directly experienced.
The blog discusses the SEC’s recent cybersecurity rulemaking and reminds companies that risk factor disclosure that predated the SEC rules will need to be carefully reviewed and vetted for alignment with any newly prepared disclosures.
The Winter Meeting for the ABA Federal Regulation of Securities Committee is happening today and tomorrow and, for Committee members attending or joining by phone, there are many opportunities to hear from members of the SEC Staff, including during a “Dialogue with the Director” program with Corp Fin Director Erik Gerding. Beyond that though, one of our members just alerted us (and the SEC announced) that Chair Gary Gensler’s fireside chat will be available to the public virtually. You can listen in from 9 to 10 am Eastern on Thursday, December 7th, to hear Chair Gensler’s discussion with ABA Committee and Subcommittee Chairs.
It’s hard to believe, but year-end is upon us! This means turning our attention to the annual reporting season and gearing up for the first few months of 2024 — rolling from the 10-K to the proxy statement and the first quarter 10-Q in rapid succession with zero breaks. And in this annual reporting season, public companies are tackling a host of new disclosure obligations.
Fortunately, the memos are rolling in — like these from Davis Polk, Debevoise, Gibson Dunn and Paul Hastings — with summaries of new requirements & Staff guidance and suggestions of prior year disclosures that are ripe for review. On new disclosure topics, you may want to reference this thorough list from the Paul Hastings memo:
For the fiscal year ending December 31, 2023, issuers should keep in mind the following pertinent matters, and flow any necessary changes in disclosure throughout their Form 10-K:
– Current geopolitical conditions, including the Israel-Hamas War, the ongoing Russia-Ukraine War and conflict between China and Taiwan;
– Effects of sustained high interest rates and inflation on the financial and capital markets and related implications on the issuer’s ability to borrow funds or refinance existing indebtedness;
– Choppiness in the capital markets and potential impacts on the issuer’s ability to raise funds in the public or private markets;
– Downgrading of the United States’ credit rating, and the issuer’s preparedness to manage the related political risk;
– Risks related to the upcoming U.S. presidential election;
– Lingering impacts of the turmoil in the banking and financial services sector;
– Continued evolution and use of machine learning and generative AI, including risks arising from insufficient human oversight of AI or a lack of controls and procedures monitoring the use of AI in day-to-day operations as well as from potential future competitive disadvantages related to a lack of investment in AI tools;
– Effects stemming from long-term reliance on hybrid work arrangements, including impacts on productivity and profitability, as well as on operating expenses and overhead costs and / or risks related to return to office programs, including their impact on workforce retention and issues stemming from non-compliance;
– Climate-related or natural disaster-related events like increases in the cost of insurance coverage for entities with operations in high fire, hurricane or flood risk areas;
– ESG-related matters, including the pending SEC rules on climate-related disclosures and the new International Financial Reporting Standards sustainability and climate-related disclosure standards;
– Effects of any potential federal government shutdown (if applicable); and
– Impacts on the issuer’s supply or distribution chains related to the above factors or otherwise.
Issuers should also consider industry-specific and geography-specific developments, for example:
– Issuers in the entertainment and media space should consider the impacts related to the recently resolved SAG-AFTRA and WGA strikes;
– Issuers in the transportation industry should consider the financial and other impacts stemming from the United Auto Workers strike and related salary increases;
– Issuers in the residential real estate space should consider the impacts of the challenging housing market;
– Issuers that do business in California should consider the potential effects of recently adopted Senate Bill 253, the Climate Corporate Data Accountability Act and Senate Bill 261, Greenhouse Gases: Climate-Related Financial Risk and the issuer’s ability to prepare the required disclosures; and
– Issuers in the banking industry should review their liquidity disclosures in their MD&A and their interest rate risk and sensitivity disclosures in their Quantitative and Qualitative Disclosures About Market Risk in light of the Division of Corporation Finance’s focus on these disclosures coming out of the bank failures earlier this year.
We’re posting these and other resources in our “Form 10-K” practice area.
If your director orientation program could use a refresh, this PwC resource is a great quick reference guide on the basics. In two pages, it covers:
– A list of people a new director should meet with as part of the board orientation process, including executives, other directors, and key individuals in various functional areas
– Best practices for board orientation and onboarding, including site visits and assigning a “board buddy”
– Customizing the orientation for the director (for example, a deep dive on the company’s industry may not be necessary for a director with significant industry experience)
– Documents that should be included in any director orientation manual
– Since directed at PwC audit clients, the alert describes PwC’s involvement in the process (but could be applicable to any auditor), including scheduling a meeting between the new director and lead engagement partner and ensuring the director receives relevant publications
