After a few years of ballooning risk factor disclosure despite the SEC’s “modernization” rules, the length of risk factors seemed to stabilize in 2023, at least in the S&P 500. Deloitte and the USC Marshall Arkley Institute for Risk Management have analyzed S&P 500 risk factors since 2021 to understand how the SEC’s 2020 amendments impacted those disclosures. This HLS blog discusses the findings from their latest review, which covered 440 S&P 500 companies that have filed three annual reports between November 2020 and May 2023 and looked for trends in this third 10-K since the amended rules. Here are some stats on the risk factor disclosures generally:
– Risk factor length is holding stable after increasing in prior years, with average lengths of 13.5 pages and 31.5 risk factors
– Only about a quarter of the companies had to include a summary, which averaged 1.5 pages long
– Organization of the risk factors section hasn’t changed much during the period: – Average number of headings was five in all three years – Average number of risk factors per heading was six in all three years – 64% of companies used the same number of headings all three years – Contrary to the SEC’s advice, nearly one-third of the companies still used a general risk factors heading, which included an average of five risk factors
The blog has a few simple recommendations for making risk factors more digestible. It encourages the use of plain English and descriptive headings but has very specific suggestions on how to do that:
Shorten sentence length. We have now reviewed four reporting seasons of risk factor disclosures. The SEC’s amended risk factor disclosure requirements have overall not prompted our largest public companies to make their disclosures more readable, a key purpose of these requirements.[16] We believe the greatest salve to readability would be for companies to decrease the number of words in each sentence in line with Plain English standards for sentence length (no more than 20 words per sentence).[17] Companies could start this exercise by shortening their subcaptions.
Use risk taxonomies from ERM program for headings. Companies continue to use generic headings, such as “business” risks, “industry” risks, and “operations” risks. To bring more specificity to headings and enhance readability, companies could rely on their internal taxonomies used to catalogue risks for their ERM and risk reporting to management and boards of directors. This could lead to the more integrated external and internal reporting the SEC sought in the revised risk factor disclosure rules. Avoid generic risks. The SEC suggested in its amended requirements that companies avoid using a “General Risk Factors” heading. However, one-third of companies have used this heading in the past three reporting seasons.[18] If companies are disclosing these “general” risks to their management and boards, companies could use the more descriptive headings they use in their risk taxonomies for management and board reporting.
The latest risk factor review by Deloitte and the USC Marshall Arkley Institute for Risk Management also specifically considered cybersecurity risk factors in annual reports filed by S&P 500 companies between November 8, 2022 and May 10, 2023. While all of the companies addressed cybersecurity risk in at least one risk factor and over 80% addressed it in multiple risk factors, the data highlights how different — and difficult to compare — cyber incident disclosures in risk factors were in 2023:
– Over 40% of companies, 179 of the 440 companies in our review, disclosed explicitly that they had not experienced a material cybersecurity incident.
Over half of those companies stated they had not experienced a material cybersecurity incident “to date,” while most other companies did not include any time period. Eight companies did limit the disclosure to the past year or past three years. Two companies disclosed that they had not experienced a material cybersecurity incident since the date of a previous material cybersecurity incident. […]
Ten additional companies disclosed that they had not experienced a “significant” cybersecurity incident.
Over 50% of companies remained silent, not disclosing whether or not they had experienced a material cybersecurity incident.
Approximately 3% of companies disclosed that cybersecurity incidents in the aggregate were not material. […]
– About 10% of companies, 47 of the 440 companies in our review, discussed [that] they experienced specific cybersecurity incidents, all identifying the date of either the incident, the discovery of the incident, or the announcement of the incident.
Only four companies stated explicitly that the incident was “material.” Four noted the incident was “significant.” Thirteen companies stated the incident was not material, another noted the incident was not significant, another, “relatively modest.” The rest of the companies—just over half—discussed neither materiality nor significance.
A few companies discussed cybersecurity incidents impacting a specific industry or a broad group of companies, but not necessarily incidents which they directly experienced.
The blog discusses the SEC’s recent cybersecurity rulemaking and reminds companies that risk factor disclosure that predated the SEC rules will need to be carefully reviewed and vetted for alignment with any newly prepared disclosures.
The Winter Meeting for the ABA Federal Regulation of Securities Committee is happening today and tomorrow and, for Committee members attending or joining by phone, there are many opportunities to hear from members of the SEC Staff, including during a “Dialogue with the Director” program with Corp Fin Director Erik Gerding. Beyond that though, one of our members just alerted us (and the SEC announced) that Chair Gary Gensler’s fireside chat will be available to the public virtually. You can listen in from 9 to 10 am Eastern on Thursday, December 7th, to hear Chair Gensler’s discussion with ABA Committee and Subcommittee Chairs.
It’s hard to believe, but year-end is upon us! This means turning our attention to the annual reporting season and gearing up for the first few months of 2024 — rolling from the 10-K to the proxy statement and the first quarter 10-Q in rapid succession with zero breaks. And in this annual reporting season, public companies are tackling a host of new disclosure obligations.
Fortunately, the memos are rolling in — like these from Davis Polk, Debevoise, Gibson Dunn and Paul Hastings — with summaries of new requirements & Staff guidance and suggestions of prior year disclosures that are ripe for review. On new disclosure topics, you may want to reference this thorough list from the Paul Hastings memo:
For the fiscal year ending December 31, 2023, issuers should keep in mind the following pertinent matters, and flow any necessary changes in disclosure throughout their Form 10-K:
– Current geopolitical conditions, including the Israel-Hamas War, the ongoing Russia-Ukraine War and conflict between China and Taiwan;
– Effects of sustained high interest rates and inflation on the financial and capital markets and related implications on the issuer’s ability to borrow funds or refinance existing indebtedness;
– Choppiness in the capital markets and potential impacts on the issuer’s ability to raise funds in the public or private markets;
– Downgrading of the United States’ credit rating, and the issuer’s preparedness to manage the related political risk;
– Risks related to the upcoming U.S. presidential election;
– Lingering impacts of the turmoil in the banking and financial services sector;
– Continued evolution and use of machine learning and generative AI, including risks arising from insufficient human oversight of AI or a lack of controls and procedures monitoring the use of AI in day-to-day operations as well as from potential future competitive disadvantages related to a lack of investment in AI tools;
– Effects stemming from long-term reliance on hybrid work arrangements, including impacts on productivity and profitability, as well as on operating expenses and overhead costs and / or risks related to return to office programs, including their impact on workforce retention and issues stemming from non-compliance;
– Climate-related or natural disaster-related events like increases in the cost of insurance coverage for entities with operations in high fire, hurricane or flood risk areas;
– ESG-related matters, including the pending SEC rules on climate-related disclosures and the new International Financial Reporting Standards sustainability and climate-related disclosure standards;
– Effects of any potential federal government shutdown (if applicable); and
– Impacts on the issuer’s supply or distribution chains related to the above factors or otherwise.
Issuers should also consider industry-specific and geography-specific developments, for example:
– Issuers in the entertainment and media space should consider the impacts related to the recently resolved SAG-AFTRA and WGA strikes;
– Issuers in the transportation industry should consider the financial and other impacts stemming from the United Auto Workers strike and related salary increases;
– Issuers in the residential real estate space should consider the impacts of the challenging housing market;
– Issuers that do business in California should consider the potential effects of recently adopted Senate Bill 253, the Climate Corporate Data Accountability Act and Senate Bill 261, Greenhouse Gases: Climate-Related Financial Risk and the issuer’s ability to prepare the required disclosures; and
– Issuers in the banking industry should review their liquidity disclosures in their MD&A and their interest rate risk and sensitivity disclosures in their Quantitative and Qualitative Disclosures About Market Risk in light of the Division of Corporation Finance’s focus on these disclosures coming out of the bank failures earlier this year.
We’re posting these and other resources in our “Form 10-K” practice area.
If your director orientation program could use a refresh, this PwC resource is a great quick reference guide on the basics. In two pages, it covers:
– A list of people a new director should meet with as part of the board orientation process, including executives, other directors, and key individuals in various functional areas
– Best practices for board orientation and onboarding, including site visits and assigning a “board buddy”
– Customizing the orientation for the director (for example, a deep dive on the company’s industry may not be necessary for a director with significant industry experience)
– Documents that should be included in any director orientation manual
– Since directed at PwC audit clients, the alert describes PwC’s involvement in the process (but could be applicable to any auditor), including scheduling a meeting between the new director and lead engagement partner and ensuring the director receives relevant publications
Join us tomorrow at 2 pm Eastern for the webcast “Related Party Transactions: Refresher & Lessons Learned from Enforcement Focus” to hear Deloitte’s William Calder, Maynard Nexsen’s Bob Dow, White & Case’s Maia Gez, and Vinson & Elkins’s Zach Swartz discuss why and how to enhance your controls and procedures surrounding related party transactions.
We have a packed agenda! This program will cover:
Overview of Disclosure Requirements
– Transactions & time periods covered by Item 404 of Regulation S-K – Definitional issues – Where disclosure may be required – Exhibit filing requirements – Special considerations for SRCs
Common Types of RPTs & Computing Transaction Amounts
– Family member employees – Participation in a public offering – Leases & aircraft – Loans – Charitable gifts
– Treatment under GAAP and Regulation S-X – Role of the auditor & communications to the Audit Committee
Related Party Transaction Due Diligence and Process
– D&O questionnaires, process & technology – AS 18 questionnaires – Company books & records – Audit Committee approval requirements & policies
Interplay with Other Considerations
– Director independence – Conflicts of interest
Wrap-Up & Recent Enforcement Focus
Members of this site are able to attend this critical webcast at no charge. If you’re not yet a member, try a no-risk trial now. Our “100-Day Promise” guarantees that during the first 100 days as an activated member, you may cancel for any reason and receive a full refund. The webcast cost for non-members is $595. You can sign up by credit card online. If you need assistance, send us an email at info@ccrcorp.com – or call us at 800.737.1271.
We will apply for CLE credit in all applicable states (with the exception of SC and NE, which require advance notice) for this 1-hour webcast. You must submit your state and license number prior to or during the program using this form. Attendees must participate in the live webcast and fully complete all the CLE credit survey links during the program. You will receive a CLE certificate from our CLE provider when your state issues approval, typically within 30 days of the webcast. All credits are pending state approval.
Just before Thanksgiving, the SEC announced an order officially staying the share repurchase disclosure rule and filed a motion with the 5th Circuit requesting more time to remedy deficiencies in the rule. Both the order and request followed the Court’s October ruling that the share repurchase rulemaking was “arbitrary & capricious” — requiring that the Commission fix it by November 30. As Liz shared last week, the Court denied that motion, which left the SEC only a few days to comply.
On December 1, following the expiration of the remand deadline, the SEC’s Office of General Counsel submitted a letter to the Court acknowledging the Commission was unable “to correct the defects in the rule” within the required 30-day period. Cooley’s Cydney Posner addressed the expected next steps in this blog:
Presumably, the Court will now vacate the rule and it will be up to the SEC to decide whether to appeal the decision or to try again with a new share repurchase proposal—this time one that addresses the defects identified by the Court.
John and Dave have blogged about FinCEN’s rules for reporting beneficial ownership information under the Corporate Transparency Act, which are effective January 1, 2024 and create new filing requirements applicable to a wide range of entities. As Dave shared when the final rules were issued, reporting companies created or registered before January 1, 2024 will have one year (until January 1, 2025) to file their initial reports, but under FinCEN’s original rule, reporting companies created or registered after January 1, 2024 would have had only 30 days after receiving notice of their creation or registration to file their initial reports. Last week, as reported by this McGuireWoods blog, FinCEN extended this original deadline:
On November 29, 2023, FinCEN extended the 30-day deadline to 90 calendar days for Reporting Companies created or registered on or after January 1, 2024 in order to give Reporting Companies more time to understand FinCEN’s reporting requirements and submit their BOI reports.
Reporting Companies created or registered prior to January 1, 2024, still have a calendar year from the Act’s effective date – until January 1, 2025 – to file their initial BOI reports.
For Reporting Companies created or registered on or after January 1, 2025, their initial BOI reports must be filed within 30 calendar days of receiving actual or public notice of their creation or registration becoming effective.
As a reminder, FinCEN will not accept BOI reports from Reporting Companies until January 1, 2024.
Proxy season is right around the corner! If you missed all or part of our “2023 Proxy Disclosure Conference” or “20th Annual Executive Compensation Conference” – or even if you didn’t — don’t forget that our conference sessions are archived for your continued reference as you navigate challenging proxy season issues! If you registered to attend, replays and transcripts are currently available on-demand and will be accessible until September 20, 2024. If you didn’t register, you can purchase access to the archives online or by emailing sales@ccrcorp.com or calling 1-800-737-1271.
And you may be able to earn CLE credit for watching replays! We are now offering on-demand credit for the session replays in states where that is available. There are some nuances to receiving that credit, so check out the on-demand CLE FAQs to take advantage of that.
Yesterday, the Center for Audit Quality announced the publication of its 10th annual “Audit Committee Transparency Barometer.” The report is compiled by the CAQ and Audit Analytics to measure disclosures about financial oversight and other audit committee responsibilities. This year’s report also takes a look back at big-picture changes to audit committee disclosures over the past decade. Here’s an excerpt:
After a decade of analyzing audit committee disclosures, we have seen disclosure rates increase across the majority of the questions and topics being tracked. In the current environment of economic uncertainty, geopolitical crises, and new ways of working, it remains as important as ever for audit committees to tell their story through tailored disclosures in the proxy statement. Investors and other stakeholders use these disclosures to understand how the audit committee is exercising oversight to navigate the challenges of this current environment.
This environment provides an opportunity for audit committees to revisit their disclosures to ensure that they are up to date and tailored to the specific events and circumstances that the audit committee currently faces. Providing detailed and relevant disclosures, instead of relying on boilerplate language, provides investors with useful information about the processes, considerations, and decisions made by the audit committee. Every year, each audit committee has a unique story to tell, and detailed disclosures in the proxy statement relay the extent of engagement of the audit committee, which contributes to audit quality.
However, while audit committees & disclosure teams have overall earned a “gold star,” the report notes that there is always room for improvement. To support that effort, the appendices to the report include disclosure examples and questions for consideration. Among other suggestions, the CAQ suggests that companies could consider discussing not just “what they do” but also “how they do it,” and enhancing disclosure about audit fees in the upcoming year:
Another area where we continue to see lower rates of disclosure is the discussion around audit fees, particularly disclosures about the connection between audit fees and audit quality (Q3) and explanation for a change in fees paid to the external auditor (Q6). For audit committees to enhance their disclosures, they should provide more robust disclosures about how the audit committee considers the appropriateness of the audit fee, including key factors affecting changes to the audit fee year over year. For example, it may be helpful for stakeholders to understand efficiencies achieved, such as the auditor’s use of new technologies, or changes in the scope, such as a major transaction during the year, that could lead to changes in the audit fee.
Audit fees can be an indicator of audit quality for stakeholders because abnormally low fees may indicate that not enough time or resources are spent on the audit engagement, which could contribute to low audit quality. On the other hand, abnormally high audit fees could indicate inefficiencies, which may also be a red flag for stakeholders. In selecting, retaining, and evaluating the independent auditor, the audit committee should always be focused, in the first instance, on audit quality. Describing the audit committee’s views on the audit fee’s appropriateness can help stakeholders understand what contributes to the audit fee and can provide stakeholders further insights into how the audit committee considers audit quality throughout its engagement with the external auditor.
The report concludes with this encouragement to keep moving onward & upward:
We applaud audit committees for their efforts to increase disclosures over the past 10 years and continue to encourage audit committees to consider how their disclosures can be enhanced to provide further transparency for investors regarding the critical oversight work that audit committees perform.
