June 26, 2024

May-June 2024 Issue of The Corporate Executive

The latest issue of The Corporate Executive has been sent to the printer. It is also available now online to members of TheCorporateCounsel.net who subscribe to the electronic format. This issue tackles two timely topics, dealing with “grounded” moonshot awards and addressing the many issues arising with the use of corporate aircraft by adopting a comprehensive policy. On the topic of “grounded” moonshot awards, the issue notes:

We delve into the dynamics of moonshot awards again, and address the steps required when dealing with a grounded moonshot award. The first step is acceptance on the part of all parties involved that the goals and strategic vision associated with the moonshot award are not going to be achieved, and an understanding that the outstanding award is likely doing more harm than good. The second step is carefully considering the options, which could include modification or replacement, cancellation, forfeiture or maintaining the status quo. The third step is getting the governance right with respect to dealing with the grounded moonshot award. The fourth step is being transparent about moonshot awards and any subsequent changes to such awards, because it is important for a wide range of stakeholders to understand the rationale. Finally, it is important to consider the potential litigation risk when granting or subsequently changing moonshot awards.

On the topic of executive use of corporate aircraft, the May-June 2024 issue of The Corporate Executive notes that, with all of the focus on aircraft use right now by the SEC, the media and the general public, now is a good time to consider adopting a policy specifically addressing the use of corporate owned or leased aircraft. In the issue, we provide a form of policy that companies can adapt to their own circumstances. A key consideration when formulating an aircraft policy is the extent to which use of corporate aircraft is a very public endeavor, as noted in this excerpt:

When formulating a policy governing the use of corporate aircraft, companies should carefully consider that there is radical transparency around the flights that private aircraft take. As evidenced by reports of individuals tracking the private aircraft use of Taylor Swift and Elon Musk, and periodic coverage in business publications of where company aircraft is flying to and from, tracking the use of private aircraft is relatively easy based on publicly available information. Each aircraft is assigned a tail number that can be used to track the movement of the aircraft on websites such as FlightAware.com. Aircraft registration is generally considered to be public information in the U.S., which makes it relatively easy to find and track U.S.-registered aircraft by their unique tail number. It is possible for owners of aircraft to avoid this transparency by registering the aircraft in certain jurisdictions outside of the U.S. (e.g., Aruba, Bermuda, Cayman Islands, Isle of Man) or by disabling aircraft tracking for privacy purposes. European data privacy rules also prohibit the tracking of certain aircraft for privacy purposes.

Transparency around flight information can raise a number of considerations for companies using private aircraft travel for both business and personal purposes. For example, there are security considerations whenever an executive is traveling for either business or personal purposes, so the ability of the public to track a corporation’s aircraft can heighten security concerns when individuals or groups are able to determine that the executive is flying to a particular location. Further, it is conceivable that persons might use flight tracking information to try to gather business intelligence or information to inform trading decisions by identifying locations where the company aircraft is frequently flying to or from during specific periods in time. In the context of private use of corporate aircraft, back in 2011 the Wall Street Journal used tail numbers and information derived from Freedom of Information Act (“FOIA”) requests to create a database that tracked the use of corporate aircraft by particular companies, analyze patterns to identify where the planes were flying to and whether those locations had connections to the CEO or other executive officers (e.g., locations of homes, vacation destinations), and identify the potential costs associated with that travel based on industry estimates.

In formulating a policy concerning personal use of aircraft, the company should consider how such personal use will be perceived by investors and the public more broadly when identified in SEC filings and in potential news stories focused on executive perquisites, given the significant transparency surrounding the use of corporate aircraft and the fact that it is a frequent area of focus for the business media.

Please email sales@ccrcorp.com to subscribe to this essential resource if you are not already receiving the practical information that we provide in The Corporate Executive newsletter.

– Dave Lynn

June 26, 2024

Looking Forward to Our Upcoming Conferences: The SEC All-Stars (Take Two)

This week I am highlighting the panels that I will be joining at the “2024 Proxy Disclosure & 21st Annual Executive Compensation Conferences” to give you a flavor for all of the interesting topics that we will be covering during an action-packed two days of in-person programming. On Tuesday, October 15, 2024, I will be on stage with yet another group of talented SEC All-Stars for a deep dive into executive compensation topics during the panel “The SEC All-Stars: Executive Pay Nuggets.” As I mentioned last year, this is my favorite panel at the Conferences solely by virtue of its title, given my long-standing relationship with a certain food item that gave me a life-long nickname which I can’t seem to shake.

I am very fortunate to be speaking with Sonia Barros, Mark Borges, Brian Breheny and Ron Mueller for this panel, and our plan is to cover pay versus performance disclosure, equity plan proposals, human capital disclosure, trends with executive compensation metrics and the latest developments with Rule 10b5-1 plans. This is a panel at the “21st Annual Executive Compensation Conference” that you do not want to miss!

You know the drill by now – sign up today by using our online store or by calling us at 800-737-1271. Keep in mind that our early bird registration deadline has been extended to July 26th, so be sure to take advantage of the in-person Single Attendee Price of $1,750, which is discounted from the regular $2,195 rate. If you can’t be in San Francisco for the live show, there is also a virtual option.

– Dave Lynn

June 25, 2024

New Cybersecurity Disclosure Guidance: Corp Fin Issues Five CDIs

The SEC’s cybersecurity disclosure requirements remain in the spotlight, as yesterday the Staff published its latest guidance interpreting Item 1.05 of Form 8-K. The Staff updated the Exchange Act Form 8-K Compliance and Disclosure Interpretations with five new CDIs, adding to the interpretations of Item 1.05 that were published back in December 2023. The new CDIs are as follows:

Question 104B.05

Question: A registrant experiences a cybersecurity incident involving a ransomware attack. The ransomware attack results in a disruption in operations or the exfiltration of data. After discovering the incident but before determining whether the incident is material, the registrant makes a ransomware payment, and the threat actor that caused the incident ends the disruption of operations or returns the data. Is the registrant still required to make a materiality determination regarding the incident?

Answer: Yes. Item 1.05 of Form 8-K requires a registrant that experiences a cybersecurity incident to determine whether that incident is material. The cessation or apparent cessation of the incident prior to the materiality determination, including as a result of the registrant making a ransomware payment, does not relieve the registrant of the requirement to make such materiality determination.

Further, in making the required materiality determination, the registrant cannot necessarily conclude that the incident is not material simply because of the prior cessation or apparent cessation of the incident. Instead, in assessing the materiality of the incident, the registrant should, as the Commission noted in the adopting release for Item 1.05 of Form 8-K, determine “if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the total mix of information made available,” notwithstanding the fact that the incident may have already been resolved. Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) [88 FR 51896, 51917 (Aug. 4, 2023)] (quoting Matrixx Initiatives v. Siracusano, 563 U.S. 27, 38-40 (2011); Basic Inc. v. Levinson, 485 U.S. 224, 240 (1988); TSC Indus. v. Northway, 426 U.S. 438, 449 (1976)) (internal quotation marks omitted). [June 24, 2024]

Question 104B.06

Question: A registrant experiences a cybersecurity incident that it determines to be material. That incident involves a ransomware attack that results in a disruption in operations or the exfiltration of data and has a material impact or is reasonably likely to have a material impact on the registrant, including its financial condition and results of operations. Subsequently, the registrant makes a ransomware payment, and the threat actor that caused the incident ends the disruption of operations or returns the data. If the registrant has not reported the incident pursuant to Item 1.05 of Form 8-K before it made the ransomware payment and the threat actor has ended the disruption of operations or returned the data before the Form 8-K Item 1.05 filing deadline, does the registrant still need to disclose the incident pursuant to Item 1.05 of Form 8-K?

Answer: Yes. Because the registrant experienced a cybersecurity incident that it determined to be material, the subsequent ransomware payment and cessation or apparent cessation of the incident does not relieve the registrant of the requirement to report the incident under Item 1.05 of Form 8-K within four business days after the registrant determines that it has experienced a material cybersecurity incident. [June 24, 2024]

Question 104B.07

Question: A registrant experiences a cybersecurity incident involving a ransomware attack, and the registrant makes a ransomware payment to the threat actor that caused the incident. The registrant has an insurance policy that covers cybersecurity incidents and is reimbursed for all or a substantial portion of the ransomware payment. Is the incident necessarily not material as a result of the registrant being reimbursed for the ransomware payment under its insurance policy?

Answer: No. The standard that the Commission articulated for assessing the materiality of a cybersecurity incident under Item 1.05 of Form 8-K is set forth in the adopting release for the rule and is reiterated in Question 104B.05. Further, as the Commission noted in the adopting release for Item 1.05 of Form 8-K, when assessing the materiality of cybersecurity incidents, registrants “should take into consideration all relevant facts and circumstances, which may involve consideration of both quantitative and qualitative factors” including, for example, “consider[ing] both the immediate fallout and any longer term effects on its operations, finances, brand perception, customer relationships, and so on, as part of its materiality analysis.” Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) [88 FR 51896, 51917 (Aug. 4, 2023)]. Under the facts described in this question, such consideration also may include an assessment of the subsequent availability of, or increase in cost to the registrant of, insurance policies that cover cybersecurity incidents. [June 24, 2024]

Question 104B.08

Question: A registrant experiences a cybersecurity incident involving a ransomware attack. Is the size of the ransomware payment, by itself, determinative as to whether the cybersecurity incident is material? For example, would a ransomware payment that is small in size necessarily make the related cybersecurity incident immaterial?

Answer: No. The standard that the Commission articulated for assessing the materiality of a cybersecurity incident under Item 1.05 of Form 8-K is set forth in the adopting release for the rule and reiterated in Question 104B.05. Under that standard, the size of any ransomware payment demanded or made is only one of the facts and circumstances that registrants should consider in making its materiality determination regarding the cybersecurity incident. Further, in the adopting release for Item 1.05 of Form 8-K, the Commission declined “to use a quantifiable trigger for Item 1.05 because some cybersecurity incidents may be material yet not cross a particular financial threshold.”

Any ransomware payment made is only one of the various potential impacts of a cybersecurity incident that a registrant should consider under Item 1.05. As the Commission further stated in Item 1.05’s adopting release:

“[T]he material impact of an incident may encompass a range of harms, some quantitative and others qualitative. A lack of quantifiable harm does not necessarily mean an incident is not material. For example, an incident that results in significant reputational harm to a registrant . . . may not cross a particular quantitative threshold, but it should nonetheless be reported if the reputational harm is material.”

Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) [88 FR 51896, 51906 (Aug. 4, 2023)]. [June 24, 2024]

Question 104B.09

Question: A registrant experiences a series of cybersecurity incidents involving ransomware attacks over time, either by a single threat actor or by multiple threat actors. The registrant determines that each incident, individually, is immaterial. Is disclosure of those cybersecurity incidents nonetheless required pursuant to Item 1.05 of Form 8-K?

Answer: Disclosure of those cybersecurity incidents may, depending on the particular facts and circumstances, be required pursuant to Item 1.05 of Form 8-K. In these circumstances, the registrant should consider whether any of those incidents were related, and if so, determine whether those related incidents, collectively, were material. The definition of “cybersecurity incident” under Item 106(a) of Regulation S-K (which, as noted in Instruction 3 to Item 1.05, is the definition that applies to Item 1.05 of Form 8-K) includes “a series of related unauthorized occurrences.” In the adopting release for Item 1.05, the Commission noted:

“[W]hen a company finds that it has been materially affected by what may appear as a series of related cyber intrusions, Item 1.05 may be triggered even if the material impact or reasonably likely material impact could be parceled among the multiple intrusions to render each by itself immaterial. One example was provided in the Proposing Release: the same malicious actor engages in a number of smaller but continuous cyberattacks related in time and form against the same company and collectively, they are either quantitatively or qualitatively material. Another example is a series of related attacks from multiple actors exploiting the same vulnerability and collectively impeding the company’s business materially.”

Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023) [88 FR 51896, 51910 (Aug. 4, 2023)]. [June 24, 2024]

The new round of guidance no doubt reflects the challenges that companies are facing in figuring out how to comply with the new disclosure requirements in new Item 1.05 of Form 8-K and the Staff’s observations of disclosure practices to date. Given how difficult this disclosure item has turned out to be, I suspect that this is not the last time we will hear from the Corp Fin Staff on the topic.

– Dave Lynn

June 25, 2024

Better Late Than Never: Corp Fin Remarks from SEC Speaks

The SEC released a statement from Corp Fin Director Erik Gerding yesterday that reflected Gerding’s opening remarks and the matters discussed on a panel addressing Corp Fin’s Disclosure Review Program during the April 2024 SEC Speaks Conference in Washington, DC. The statement provides a comprehensive overview of recent developments in Corp Fin and observations gleaned from the review of filings.

– Dave Lynn

June 25, 2024

Looking Forward to Our Upcoming Conferences: The SEC All-Stars (Take One)

As I noted in my recent blog commemorating the SEC’s 90th Anniversary, if Future Me went back in time and told Teenage Me that, forty years from now, I would be appearing on two panels in front of hundreds of people where I am cast among the “SEC All-Stars,” I would have first asked “What is the SEC?” and then told Future Me to get back in my DeLorean and drive Back to the Future.

As it turns out, Future Me was right and I am incredibly fortunate to be joining my fellow SEC alums – Sonia Barros, Lily Brown, Alan Dye and Lona Nallengara – on the panel “The SEC All-Stars: Proxy Season Insights” at the Proxy Disclosure Conference, which is taking place on Monday, October 14, 2024 in San Francisco. During this panel, we will cover a wide range of proxy and annual reporting season topics, including cyber disclosures, disclosure controls & procedures, Rule 14a-8 no-action letter trends and rule amendments, Section 16 and Rule 144 developments and disclosure about transactions in company securities. With this line-up of All-Stars and topics, you do not want to miss this panel!

Don’t wait for Future You to register for the “2024 Proxy Disclosure & 21st Annual Executive Compensation Conferences” – do it today! You can register now by visiting our online store or by calling us at 800-737-1271. Our early bird in-person Single Attendee Price is $1,750, which is discounted from the regular $2,195 rate! This is a great deal that you do not want to miss. If you can’t make it in person, we also offer a virtual option so you won’t miss out on the practical takeaways our speaker lineup will share, and we offer discounted rate options for groups of virtual attendees.

– Dave Lynn

June 24, 2024

Catching Up On the PCAOB: Addressing Technology-Assisted Analysis

Earlier this month, Erica Williams was reappointed to a second term as Chair of the PCAOB. Her second term begins on October 25, 2024 and runs through October 24, 2029. It is clear that the PCAOB will continue to be active in modernizing its standards under the leadership of Chair Williams.

Recently, the PCAOB announced the adoption of amendments to two auditing standards to address the use of technology-assisted analysis. The amended standards are AS 1105, Audit Evidence, and AS 2301, The Auditor’s Responses to the Risks of Material Misstatement. The PCAOB’s announcement notes:

The changes adopted today bring greater clarity to auditor responsibilities in the following areas:

Using reliable information in audit procedures: Technology-assisted analysis often involves analyzing vast amounts of information in electronic form. The adopting release emphasizes auditors’ responsibilities when evaluating the reliability of such information used as audit evidence. For example, when auditors test a company’s controls over electronic information, their testing should include, where applicable, controls over the company’s information technology general controls and automated application controls related to such information.

Using audit evidence for multiple purposes: Technology-assisted analysis can be used to provide audit evidence for various purposes in an audit. For example, auditors may use technology-assisted analysis to analyze a population of transactions as part of identifying risks of material misstatement or to perform, after identifying such risks, substantive procedures on all items within a population. The adopting release specifies that if an auditor uses an audit procedure for more than one purpose, the auditor should achieve each objective of the procedure.

Performing tests of details: When performing tests of details, auditors may use technology-assisted analysis to identify transactions and balances that meet certain criteria and warrant further investigation. For example, auditors may identify all transactions within an account exceeding a certain amount or processed by a certain individual. The adopting release clarifies that the auditor’s investigation of such items should include determining whether the identified items individually or in the aggregate indicate misstatements or control deficiencies.

The new standard will apply to all audits conducted under PCAOB standards. Subject to approval by the SEC, the new standard and related amendments will take effect for audits of financial statements for fiscal years beginning on or after December 15, 2025.

– Dave Lynn

June 24, 2024

PCAOB Proposes to Replace Outdated Standard on Substantive Analytical Procedures

As you may know, when the PCAOB was stood up over two decades ago, it adopted the then-existing auditing standards as its own, with the expectation that, over time, the PCAOB would replace those pre-existing auditing standards with its own PCAOB-adopted and SEC-approved auditing standards. The PCAOB’s authority in this regard was driven by concerns with auditing practices in the wake of the corporate scandals of the early 2000s such as Enron and WorldCom. Adopting new and replacement auditing standards is no easy task, so the PCAOB has spent the past twenty-two years working to update and modernize the standards that govern audits of public companies by independent registered public accountants.

The latest modernization effort involves a recently announced proposal to replace the PCAOB’s existing auditing standard related to an auditor’s use of substantive analytical procedures with a new standard: AS 2305, Designing and Performing Substantive Analytical Procedures. The PCAOB notes that, if adopted, the proposed standard would “strengthen and clarify the auditor’s responsibilities when designing and performing substantive analytical procedures, increasing the likelihood that the auditor will obtain relevant and reliable audit evidence – ultimately improving overall audit quality and leaving investors better protected.” The proposed standard would do the following:

– Strengthen and clarify the requirements for determining whether the relationship(s) to be used in the substantive analytical procedure is sufficiently plausible and predictable;

– Specify that the auditor develops their own expectation and not use the company’s amount or information that is based on the company’s amount (so-called circular auditing);

– Strengthen and clarify existing requirements for determining when the difference between the auditor’s expectation and the company’s amount requires further evaluation;

– Strengthen and clarify existing requirements for evaluating the difference between the auditor’s expectation and the company’s amount. This includes determining if a misstatement exists as well as specifying requirements for certain situations the auditor may encounter when evaluating a difference;

– Clarify the factors that affect the persuasiveness of audit evidence obtained from a substantive analytical procedure;

– Clarify the elements of a substantive analytical procedure, including the distinction between substantive analytical procedures and other types of analytical procedures; and

– Modernize the standard by reorganizing the requirements and more explicitly integrating the standard with other Board-issued standards – ultimately making it easier for auditors to follow.

Along with proposed AS 2305, the proposal includes amendments to AS 1105, Audit Evidence, and AS 2301, The Auditor’s Responses to the Risks of Material Misstatement. Comments on the new standard and proposed amendments are due on August 12, 2024.

– Dave Lynn

June 24, 2024

Looking Forward to Our Upcoming Conferences: My Take

I am not entirely sure where June went to, but I do know that we are now officially into the Summer, and that means we are just a few months away from our October conferences. The “2024 Proxy Disclosure & 21st Annual Executive Compensation Conferences” will be taking place in San Francisco on October 14th & 15th, and we are celebrating the fact that we will be returning to an in-person format this year. Not surprisingly, I am going to be spending my week on the blog reminding you of why you need to sign up for this big event today!

In today’s blog, I am going to focus on my first appearance on the agenda for the October conferences, and that will be my interview with Erik Gerding, Director of the SEC’s Division of Corporation Finance. If you have attended our conferences in the past, you know that for many years we have kicked things off with a discussion of the most important SEC issues straight from the source – the Director of Corp Fin. This is a great opportunity to hear what is on the SEC’s agenda for public companies and the latest trends that Corp Fin has been observing in public company disclosures. The discussion with the Director is always a great way to frame many of the topics that we will be addressing throughout the two days of conferences, so it is always a must-see event.

You can register now by visiting our online store or by calling us at 800-737-1271. Our early bird in-person Single Attendee Price is $1,750, which is discounted from the regular $2,195 rate! This is a great deal that you do not want to miss. If you can’t make it in person, we also offer a virtual option so you won’t miss out on the practical takeaways our speaker lineup will share, and we offer discounted rate options for groups of virtual attendees.

– Dave Lynn

June 21, 2024

Cybersecurity: Corp Fin Director Issues Statement on Selective Disclosure Concerns

Yesterday, Corp Fin Director Erik Gerding issued a statement addressing concerns expressed by some registrants that the SEC’s rules requiring disclosure of material cybersecurity incidents in an Item 1.05 Form 8-K preclude registrants from sharing information beyond that disclosed in the 8-K with others, including contractual counterparties. Director Gerding’s statement clarifies that this is not the case, and that Regulation FD offers various alternatives for sharing this information without raising selective disclosure concerns:

There are several ways that a public company can privately share information regarding a material cybersecurity incident beyond what was disclosed in its Item 1.05 Form 8-K without implicating Regulation FD. For example, the information that is being privately shared about the incident may be immaterial, or the parties with whom the information is being shared may not be one of the types of persons covered by Regulation FD.

Further, even if the information being shared is material nonpublic information and the parties with whom the information is being shared are the types of persons covered by Regulation FD, an exclusion from the application of Regulation FD may apply. For example, if the information is being shared with a person who owes a duty of trust or confidence to the issuer (such as an attorney, investment banker, or accountant) or if the person with whom the information is being shared expressly agrees to maintain the disclosed information in confidence (e.g., if they enter into a confidentiality agreement with the issuer), then public disclosure of that privately-shared information will not be required under Regulation FD.

The statement notes that while companies may be reluctant to share additional information about cybersecurity incidents with third parties, companies that follow the scope and requirements of the selective disclosure rules in Reg FD should not face undue impediments to mutually beneficial sharing of information regarding material cybersecurity incidents with third parties.

– John Jenkins

June 21, 2024

AI for Board Minutes? “The Horror. . . The Horror . . .”

I recently saw a report quoting an OpenAI insider who estimates that there’s a 70% chance that artificial intelligence will destroy humanity. I guess that would worry me more if I didn’t put the odds of us doing that to ourselves without AI’s help at around 75% – and if the current iterations of AI didn’t have more in common with ’80s icon Max Headroom than with the HAL 9000 from “2001: A Space Odyssey.”

That being said, I’ve recently learned about one emerging use for AI that really does terrify me. Apparently, people are starting to use generative AI tools to prepare board minutes. A recent article in “The Boardroom Insider” flags this emerging practice, and this excerpt lays out some of the things that could go very wrong with relying on AI tools in this setting:

Potential downsides of this trend are apparent (and some are still to be realized). Recordings of board meetings are always a legal bomb waiting to go off. The more it becomes a standard practice, the more likely someone will neglect to wipe all copies once minutes are finalized. While AI minuting apps note that their draft is only that — a draft for further human processing — what it retains and ignores can prove worrisome.

Further, once you get comfortable with letting AI do the minuting, you’re more likely to just send its digital take out for quick approval. AI “hallucinations” sneaking into the draft could be hard to spot. Finally, what if everyone on the board uses a recording to create their own AI summaries? This Tower of Babel approach could be a nightmare.

If you’re still willing to take the plunge, the article goes on to identify some AI tools that you might use to help generate board minutes. If you’re up for that, well, Godspeed! As for me, when it comes to the use of generative AI for board minutes, I’m firmly in Colonel Kurtz’s camp.

– John Jenkins