May 24, 2024

Audit Committees: Considerations for the 2024 Agenda

This HLS blog is authored by a UK-based KPMG team, but most of the nine matters it recommends for 2024 audit committee agendas are just as applicable for US-based companies. In addition to the continuing need to focus on financial reporting, internal controls and risk oversight, particularly given the current geopolitical, macroeconomic, and risk landscape, which can significantly impact forecasting and forward-looking disclosures and put stress on internal controls, the blog also highlights the following areas that need particular attention from audit committees this year:

– Committee bandwidth and skillsets as the audit committee’s areas of oversight further expand beyond its core responsibilities, particularly for new climate and sustainability reporting requirements

– Cybersecurity and data privacy as AI, geopolitical conflicts and ill-defined lines of responsibility cause cyber risk to intensify

– New climate & sustainability disclosures, with a particular focus on the quality and reliability of underlying data

– Audit quality by setting expectations with the external auditor regarding communications with the audit committee, including beyond what’s required, and by considering the results of inspections and efforts to address deficiencies

– Ensuring internal audit is focused on critical operational and technology risks and related controls — beyond just financial reporting and compliance risks

– Managing leadership and talent in the accounting and finance teams, given talent shortages, and overseeing digital strategies and transformations

– Closely monitoring the tone at the top to maintain a culture of ethics and compliance

– Oversight of generative AI, which may be focused on compliance and internal controls or may be broader depending on the audit committee’s mandate

The blog’s discussion of the audit committee’s role in audit quality is UK-focused, but audit quality is an issue that’s been getting a lot of attention from regulators here in the US as well. The suspension of BF Borgers showed one of the worst-case scenarios in terms of auditor issues creating complications for public company clients. At a minimum, audit committees should be heeding the advice in the February 2024 statement from the SEC’s Office of Chief Accountant, which suggested committees evaluate whether and how they consider things like results of PCAOB inspections, industry expertise of the engagement team, sufficient involvement and leadership by the audit partner, the appropriateness of time spent and staffing and any changes in hours or staffing from previous audits.

Meredith Ervine 

May 24, 2024

Adoption or Termination of Rule 10b5-1 Plans: Quarterly Disclosure

This spring, a number of questions have been posted on our “Q&A Forum” related to 10b5-1 plan disclosures. One common question, asked a few different ways, relates to whether public companies must disclose their 10b5-1 trading plans in periodic reports.

The Fifth Circuit has vacated the SEC’s Share Repurchase Disclosure Rule. That rulemaking added a paragraph (d) to Item 408 of Regulation S-K. Was that addition to Item 408 also vacated by the Fifth Circuit?

Do the new SEC rules requiring quarterly disclosure of the adoption or termination of 10b5-1 trading plans by directors or officers extend to the company itself? If so, what precisely needs to be disclosed?

Current disclosure requirements are counterintuitive because “new” Item 408(a) of Regulation S-K was part of the SEC’s rulemaking related to insider trading & Rule 10b5-1 reform, while Item 408(d) was part of the SEC’s share repurchase disclosure amendments, which were vacated. This Debevoise memo concisely addresses this question:

Q: Is an issuer required to disclose its 10b5-1 trading plans in periodic reports?

A: No, an issuer is no longer required to comply with proposed Item 408(d) of Regulation S-K regarding disclosure of the adoption or termination of any of the issuer’s trading plans that are intended to satisfy the affirmative defense conditions of Rule 10b5-1(c) in its periodic reports. However, an issuer is required to continue to disclose the adoption, modification and termination of Rule 10b5-1 and other trading arrangements by directors and officers in its periodic reports under Item 408(a) of Regulation S-K.

As an aside, there’s now a bipartisan push to re-propose the SEC’s stock buyback rule! See this Cooley PubCo blog for more.

Programming Note: Our blogs will be off on Monday for the holiday. We wish each of you an enjoyable Memorial Day weekend. We’ll be back to celebrate “T+1 day” with you on Tuesday!

Meredith Ervine 

May 23, 2024

Nasdaq Proposes Phase-In and Cure Period Changes and Clarifications

Yesterday, the SEC posted this notice & request for comment for a proposed Nasdaq rule change that would amend Rules 5605, 5615 and 5810 to make the following (and other non-substantive) changes:

– Clarify and modify the phase-in schedules to the independent director and committee requirements for IPOs by amending Rule 5615:

  • To include the text of the phase-in provisions of SEC Rule 10A-3 regarding the number of independent audit committee members required post-IPO (rather than simply referencing the rule)
  • To provide that companies may also phase in compliance with the three-member requirement for audit committees on a schedule that tracks Rule 10A-3 (i.e., at least one member by the listing date, at least two members within 90 days and at least three members within one year)
  • To allow companies to comply with the requirement to have one independent director on the compensation and nominations committees by appointing such director by the earlier of the date the IPO closes or five business days from the listing date (to avoid conflicting with a common practice of holding a meeting to appoint additional independent directors shortly after the listing date but prior to closing)


– Clarify and/or modify certain phase-in periods for companies emerging from bankruptcy, transferring from national securities exchanges, listing securities previously registered under Section 12(g), listing in connection with a carve-out or spin-off transaction or ceasing to qualify as a foreign private issuer or controlled company

– Codify its current positions that:

  • A company relying on the applicable phase-in period is not eligible for a cure period immediately following the expiration of the phase-in period unless it complied with the applicable audit committee, compensation committee or majority independent board requirement during the phase-in period but fell out of compliance, and
  • If a company demonstrated compliance but subsequently fell out of compliance before the end of the phase-in period, the cure period is calculated based on the event that caused the non-compliance (not the end of the phase-in period)


– Amend Rule 5810 to describe cure period procedures if a company fails to meet the compensation committee composition requirement due to one vacancy or one member ceasing to be independent: Nasdaq will notify the company and the company must cure by the earlier of its next annual meeting or one year from the event (with a minimum of 180 days if the annual meeting is held sooner)

The SEC is seeking comments on the proposal.

Meredith Ervine 

May 23, 2024

Chair Gensler Issues Statement on Crypto Bill Pending in the House

Yesterday, Chair Gensler issued a statement regarding the crypto legislation pending in the House of Representatives — the Financial Innovation and Technology for the 21st Century Act — which, according to this Better Markets Fact Sheet “claims to seek to modernize the regulation of investment contracts by creating a new category called ‘investment contract assets,'” which “are excluded from the definition of a ‘security,’ likely eliminating SEC oversight.”

Chair Gensler believes the bill would “create new regulatory gaps and undermine decades of precedent regarding the oversight of investment contracts, putting investors and capital markets at immeasurable risk.” He identifies seven concerns in detail. Here are two:

[T]he bill’s regulatory structure abandons the Supreme Court’s long-standing Howey test that considers the economic realities of an investment to determine whether it is subject to the securities laws. Instead, the bill makes that determination based on labels and the accounting ledger used to record transactions. It is akin to determining the level of investor protection based on whether a transaction is recorded in a notebook or a software database. But it’s the economic realities that should determine whether an asset is subject to the federal securities laws, not the type of recordkeeping ledger. The bill’s result would be weaker investor protection than currently exists for those assets that meet the Howey test.

[T]he bill specifically excludes crypto asset trading systems from the definition of an exchange and thus removes, for investors on crypto asset trading platforms, the protections that benefit investors on registered exchanges. These crypto trading platforms would be able to legally comingle their functions in a way that fosters conflicts of interest, may allow trading against their customers, and reduces custody protections for their customers.

He then warns that the bill could undermine the broader capital markets “by providing a path for those trying to escape robust disclosures, prohibitions preventing the loss and theft of customer funds, enforcement by the SEC, and private rights of action for investors in the federal courts.” As an example, he raises the prospect of “perpetrators of pump and dump schemes and penny stock pushers” who “contend that they’re outside of the securities laws by labeling themselves as crypto investment contracts or self-certifying that they are decentralized systems [as permitted by the bill].” The bill allows the SEC only 60 days to contest any self-certification.

Meredith Ervine 

May 23, 2024

Enforcement: NYSE and Other Intermediaries Dinged for Ultimately De Minimis Cyber Intrusion

Yesterday, the SEC announced cease-and-desist proceedings against the Intercontinental Exchange and nine affiliates, including the NYSE, for failing to notify the Commission about a cyber intrusion as required by Regulation SCI (Systems Compliance and Integrity). The settlement included a $10 million civil penalty.

Commissioners Peirce and Uyeda issued a joint statement calling the penalty “disproportionately large” given that the ICE subsidiaries ultimately determined the incident was de minimis. Toward the end of the statement, the Commissioners expressed their concerns about “imposing outsized penalties for minor violations” in Commission enforcement actions generally — worrying that public perception of the Commission’s regulatory agenda is harmed when “regulatory foot faults result in ever-steeper penalties that bear little to no relation to real-world harm.”

The SEC’s press release has this to say in a quote by Enforcement Director Gurbir Grewal:

Under Reg SCI, [intermediaries] have to immediately notify the SEC of cyber intrusions into relevant systems that they cannot reasonably estimate to be de minimis events right away. […] [T]hey instead took four days to assess its impact and internally conclude it was a de minimis event. When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity.

Meredith Ervine 

May 22, 2024

Cyber Incidents: Corp Fin Director on Reporting Early or Immaterial Incidents

Yesterday, Corp Fin Director Erik Gerding released this statement (subject to the standard disclaimer) regarding new Item 1.05 of Form 8-K requiring public companies to disclose material cybersecurity incidents. In the statement, Director Gerding encourages companies that choose to voluntarily disclose an immaterial cybersecurity incident or choose to disclose early while a materiality determination is still being made to do so under a different item of Form 8-K — like 8.01 for Other Events. The statement notes that reporting immaterial incidents under Item 1.05 (“Material Cybersecurity Incidents”) could confuse investors.

Given the prevalence of cybersecurity incidents, this distinction between a Form 8-K filed under Item 1.05 for a cybersecurity incident determined by a company to be material and a Form 8-K voluntarily filed under Item 8.01 for other cybersecurity incidents will allow investors to more easily distinguish between the two and make better investment and voting decisions with respect to material cybersecurity incidents.  By contrast, if all cybersecurity incidents are disclosed under Item 1.05, then there is a risk that investors will misperceive immaterial cybersecurity incidents as material, and vice versa.

It stresses that this is not intended to discourage or disincentivize voluntary early reporting or reporting of immaterial incidents, which can be valuable to investors, the marketplace and companies. It also reminds companies that early reporting may mean two 8-Ks will be necessary:

If a company discloses an immaterial incident (or one for which it has not yet made a materiality determination) under Item 8.01 of Form 8-K, and then it subsequently determines that the incident is material, then it should file an Item 1.05 Form 8-K within four business days of such subsequent materiality determination. That Form 8-K may refer to the earlier Item 8.01 Form 8-K, but the company would need to ensure that the disclosure in the subsequent filing satisfies the requirements of Item 1.05.

Earlier this year, I shared a Cleary alert on the potential benefits of early reporting under Item 7.01 or 8.01 that is worth sharing again.

Meredith Ervine 

May 22, 2024

Cyber Incidents: Corp Fin Director on Assessing Impact and Materiality

Yesterday’s statement from Corp Fin Director Erik Gerding (subject to the standard disclaimer) also addresses materiality determinations for cyber incidents, stressing that companies should assess “all relevant factors” and not limit that assessment to the incident’s impact on the company’s financial condition and results of operation.

“[C]ompanies should consider qualitative factors alongside quantitative factors.” For example, companies should consider whether the incident will “harm . . . [its] reputation, customer or vendor relationships, or competitiveness.” Companies also should consider “the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and Federal Governmental authorities and non-U.S. authorities.”

Echoing a key comment from SEC Speaks, the statement also adds the following (which is contemplated by Instruction 2 to Item 1.05):

There also may be cases in which a cybersecurity incident is so significant that a company determines it to be material even though the company has not yet determined its impact (or reasonably likely impact).  In those cases, the company should disclose the incident in an Item 1.05 Form 8-K, include a statement noting that the company has not yet determined the impact (or reasonably likely impact) of the incident, and amend the Form 8-K to disclose the impact once that information is available.

The initial Form 8-K filing, however, should provide investors with information necessary to understand the material aspects of the nature, scope, and timing of the incident, notwithstanding the company’s inability to determine the incident’s impact (or reasonably likely impact) at that time.

Meredith Ervine 

May 22, 2024

T+1: Next Tuesday Is the Day

While we celebrate the unofficial start of summer and observe Memorial Day this weekend, U.S. securities markets will transition to securities settlements of T+1, returning us, as Chair Gensler noted, to “the settlement cycle that we had in the United States most of the first 50 years of Memorial Days.” Yesterday, Chair Gensler issued a statement on the upcoming implementation date touting the immediate benefit to everyday investors — if they “sell their stock on a Monday, shortening the settlement cycle will allow them to get their money on Tuesday” — and highlighting the SEC staff’s efforts to monitor and facilitate this transition:

Since the SEC voted to establish a T+1 settlement cycle in the U.S., SEC staff has been monitoring on a continuous basis the efforts of market participants to prepare for the shorter settlement cycle and coordinating with regulatory authorities in North America, Europe, Asia, and other jurisdictions around the world. In March, to help market participants prepare for the upcoming move to T+1, SEC staff published a risk alert, responses to frequently asked questions, and an Investor Bulletin.

As the compliance date of May 28, 2024 approaches, the Commission will continue its efforts to help facilitate a successful transition.

For issuers and offerings, this Wilson Sonsini alert reminds us that parties can still agree to a longer settlement cycle for firm commitment underwritten offerings under Rule 15c6-1 — traditionally used for debt capital markets transactions rather than equity. And despite the T+2 timeframe for offerings that price after 4:30 p.m. ET, “the majority of equity transactions, including IPOs and follow-on offerings, will close one day after trading begins.”

Meredith Ervine

May 21, 2024

SEC Provides 30-Day Extension for Certain BF Borgers Audit Clients

As John shared in early May, the Division of Enforcement recently announced enforcement proceedings against the BF Borgers CPA PC accounting firm and its sole partner that included a permanent suspension of the firm and its owner. That suspension has significant and unfortunate, to say the least, implications for the firm’s public company audit clients.

Yesterday evening, the SEC announced an exemptive order providing an extension to certain companies affected by the suspension. The order provides that, for any reporting company that notified the Commission between May 3 and May 16 pursuant to Rule 12b-25 of its inability to timely file a quarterly or transition report on Form 10-Q due to the BF Borgers suspension order, the Form 10-Q will be deemed to be filed on its prescribed due date as long as it is filed no later than the 30th calendar day (instead of the 5th calendar day) following the due date.

While it may not be a familiar name, BF Borgers has been a fairly significant player for small-cap issuers — ranking 8th in overall market share for public company audits last year & 6th in market share for non-SPAC initial public offerings. The order recognized that these impacted companies need to hire new, qualified, independent, PCAOB-registered public accountants and that any replacement firm will have to review the included financial information and potentially re-review comparable interim financial information, which may be practically impossible with the limited extension permitted by Rule 12b-25.

Meredith Ervine 

May 21, 2024

Earnings Calls: The SEC Continues to Listen In

This recent Barnes & Thornburg blog gives a timely reminder that one of the audiences listening to your earnings calls is regulators. It discusses the SEC’s continued focus on consistency among various disclosures and its use of earnings calls to comment on SEC filings.

The blog highlights a spring 2024 comment letter focused on known trends or uncertainties disclosures in MD&A and company comments on a fourth-quarter earnings call regarding the company’s refinancing strategy. The company’s response to the comment called out business section and related MD&A quantitative disclosures but also agreed to further address the strategy in MD&A by adding a new narrative paragraph.

Other recent comment letters address the importance of “synchronizing what will be said on the earnings call with what will be disclosed in a company’s SEC filings.”

This follows two other recent comment letters from SEC staff related to earnings calls: A January 2024 letter and response that discussed whether metrics mentioned by a company’s CEO on earnings calls two quarters in a row were key performance indicators for the business and another from the same month that asked whether refurbishment revenue that was discussed on the past two quarters’ earnings calls should be broken out separately in the notes to a company’s financial statements.

The blog suggests that the folks who prepare MD&A pull recent earnings call transcripts when drafting. I’d also add that someone needs to review the earnings call script and MD&A disclosures for consistency — possibly twice each quarter to ensure it’s done on nearly final versions. The script, prior call transcripts, and analyst reports are also helpful resources for outside counsel to add value by doing a holistic review. Sometimes it may also be appropriate to add language to the 10-Q or 10-K before filing if senior management responds to a question or adds color on the earnings call that the financial reporting team deems worthy of including.

Meredith Ervine