As the calendar year flips over to 2024, we want to remind registrants about several new rules that will impact disclosure for the 2023 Form 10-K and 2024 proxy season, update the status of some pending Securities and Exchange Commission (SEC) regulations, and highlight a few other potential disclosure issues and developments. Among these developments is a December 2023 ruling from the United States Fifth Circuit Court of Appeals that vacated the SEC’s Share Purchase Disclosure Modernization Rule. That rule, adopted in May 2023, would have required expanded narrative and quantitative disclosures in periodic reports filed by registrants with active share repurchase programs, beginning with their Form 10-Ks (and any Form 10-Qs) filed for the period ending December 31, 2023.
New disclosure requirements
Cybersecurity
The annual cybersecurity risk management and governance disclosures adopted by the SEC in July 2023 will be required beginning with the upcoming Form 10-K filings. The new rules amend Form 10-K by adding new Item 1C, which will require registrants to add detailed disclosures describing their governance and risk management with respect to cybersecurity risks, including board oversight of cybersecurity risks.
Risk management. New Item 106(b) of Reg. S-K requires that the Form 10-K include a description of the registrant’s processes for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. Among the matters that the disclosure should address are whether the registrant:
- integrates such cybersecurity processes into the registrant’s overall risk management system or processes and, if so, how;
- engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
- has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service providers.
In addition to this description of the registrant’s processes, Item 106(b) also requires a registrant to disclose whether, and if so how, any risks from cybersecurity threats or previous cybersecurity incidents have materially affected or are reasonably likely to materially affect the registrant. This disclosure must address any material effects on the registrant including effects on its business strategy, results of operations, or financial condition.
Governance. New Item 106(c) requires a governance-related discussion of the registrant’s oversight of cybersecurity risks at both the board and management levels. This must include a discussion of the extent to which the registrant’s board of directors oversees risks from cybersecurity threats and, if applicable, the identity of any board committee or subcommittee responsible for such oversight. The discussion should include the internal processes by which the board or committee is informed and manages such risks. In a notable departure from the proposed rules, Item 106(c) does not require disclosure as to the frequency of board discussions on cybersecurity. The adopting release nevertheless noted that, depending on context, some registrants’ descriptions of the processes by which their board or relevant committee is informed about cybersecurity risks may include the frequency of board or committee discussions.
Item 106(c) also requires a discussion of management’s role in assessing and managing the registrant’s material risks from cybersecurity threats. This discussion should address:
- whether and which management positions or committees are responsible for assessing and managing such risks and the relevant expertise of such persons or members in such detail as is necessary to fully describe the nature of the expertise;
- the internal processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
- whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.
Impact on foreign private issuers (FPIs). A new Item 16K was added to Part II of Form 20-F which will require FPIs who file annual reports on that form to provide essentially the same information required by new Item 106 of Reg. S-K in Form 10-K annual reports for domestic issuers.
Form 8-K disclosures. Registrants also should be aware that, effective as of December 18, 2023, the new rules require that a Form 8-K be filed to report any material cybersecurity incidents. The 8-K will be due within four business days after the registrant determines that it has experienced a material cybersecurity event (rather than tying disclosure to the date of discovery of the incident itself). The SEC rejected comments arguing that disclosure should be delayed until companies mitigate, contain, remediate, or otherwise diminish the harm resulting from a cybersecurity incident. In doing so, the SEC stressed its belief that Item 1.05 of Form 8-K does not require disclosure of the types of details that have the potential to be exploited by threat actors, as the disclosure is intended to focus on the incident’s material impact or reasonably likely material impact on the registrant. Information regarding the Form 8-K filing obligations relating to cybersecurity incidents can be found in our August 2023 Legal Update. Subsequent to the date of our prior alert, the SEC issued several Compliance & Disclosure Interpretations (C&DIs) clarifying the circumstances involving potential delay of the Form 8-K filing obligations due to Attorney General determinations relating to national security implications. In C&DI 104B.04, the SEC indicated that the sole fact of discussions with the Department of Justice regarding the availability of a delay in filing does not necessarily mean that the incident should be deemed material. In C&DIs 104B.01 - .03, the SEC clarified that merely requesting a delay in filing does not change a registrant’s filing obligation. The notification from the Department of Justice granting the delay must be received before the filing due date.
Impact on foreign private issuers (FPIs). While less prescriptive than the requirements of new Item 1.05 of Form 8-K, the SEC amended General Instruction B to Form 6-K to require FPIs to furnish on that form any information concerning “material cybersecurity incidents” that they either (i) make or are required to make public pursuant to the law of their home jurisdiction, (ii) file or are required to file with any stock exchange on which their securities are traded (which was made public by that exchange) or (iii) otherwise distribute or are required to distribute to their security holders.
XBRL tagging. All registrants must tag disclosures required under the final rules (for both 10-K and 8-K filings) in Inline XBRL beginning one year after initial compliance with the related disclosure requirement. Therefore, for annual report disclosures, companies must begin tagging in Inline XBRL starting with annual reports for fiscal years ending on or after December 15, 2024, and for Form 8-K disclosures, companies must begin tagging responsive disclosure starting on or after December 18, 2024.
Executive compensation clawbacks
In June 2023, the SEC approved the executive compensation clawback listing standards and relevant amendments proposed by the New York Stock Exchange (NYSE) and the Nasdaq Stock Market (Nasdaq). Listed companies had until December 1, 2023 (60 days after the effective date of October 2, 2023) to adopt a compliant clawback policy.
Form 10-K. As a result of the clawback rules, the cover page of the Form 10-K now contains a check box indicating whether or not the financial statements included in the filing reflect the correction of an error to previously issued financial statements and whether any of those error corrections are restatements that required analysis under the clawback policy. In addition, the new rules require that the clawback policy be filed as Exhibit 97 to the upcoming Form 10-K.
Proxy statement. If the registrant is required to prepare an accounting restatement that required recovery of erroneously awarded compensation pursuant to the registrant’s clawback policy, or there was an outstanding balance as of the end of the last completed fiscal year of erroneously awarded compensation to be recovered from the application of the policy to a prior restatement, the registrant must provide the following information in its proxy statement:
- the date on which the registrant was required to prepare an accounting restatement;
- the aggregate dollar amount of erroneously awarded compensation attributable to such accounting restatement, including an analysis of how the amount was calculated;
- if the financial reporting measure related to a stock price or total shareholder return metric, the estimates that were used in determining the erroneously awarded compensation attributable to such accounting restatement and an explanation of the methodology used for such estimates;
- the aggregate dollar amount of erroneously awarded compensation that remains outstanding at the end of the last completed fiscal year;
- if the aggregate dollar amount of erroneously awarded compensation has not yet been determined, disclose this fact, explain the reason(s), and disclose the information required in the above bullets in the next filing that is required to include disclosure pursuant to Item 402 of Regulation S-K;
- if the registrant has determined recovery would be impracticable pursuant to one of the three criteria specified in Rule 10D-1(b)(1)(iv), for each current and former named executive officer and for all other current and former executive officers as a group, disclose the amount of recovery forgone and a brief description of the reason the registrant decided in each case not to pursue recovery; and
- for each current and former named executive officer from whom, as of the end of the last completed fiscal year, erroneously awarded compensation had been outstanding for 180 days or longer since the date the registrant determined the amount the individual owed, disclose the dollar amount of outstanding erroneously awarded compensation due from each such individual.
Insider trading and Rule 10b5-1 plans
In December 2022, the SEC adopted several amendments and new disclosure requirements to address what it viewed as potentially abusive practices associated with Rule 10b5-1 plans, grants of options and other equity instruments with similar features, and the gifting of securities. New Item 408(a) of Reg. S-K requires quarterly disclosure of the adoption, modification, or termination of a Rule 10b5-1 plan or a similar trading arrangement by any director or officer. This disclosure requirement does not extend to 10b5-1 plans adopted or terminated by registrants. In C&DI 133A.01, the SEC indicated that Item 408(a)(1) of Regulation S-K does not require disclosure of the termination of a plan that ends due to the expiration or completion of the plan in accordance with its terms, without any action by an individual. This quarterly disclosure of officer and director 10b5-1 plans was required in Form 10-Qs beginning with the June 30, 2023, fiscal quarter. Disclosure related to the fourth quarter (ended December 31, 2023) will be required in Item 9(b) of Form 10-K. The required quarterly disclosures must be tagged in Inline XBRL.
The required quarterly disclosure includes a description of the material terms of the Rule 10b5-1 trading arrangement or non-Rule 10b5-1 trading arrangement other than terms with respect to the price. Item 408(a) cites as examples of such disclosure:
- the name and title of the director or officer;
- the date of adoption or termination of the trading arrangement;
- the duration of the trading arrangement; and
- the aggregate number of securities to be sold or purchased under the trading arrangement.
The amendments also provide for annual disclosure of whether registrants have adopted insider trading policies and procedures governing the purchase, sale, and other dispositions (including gifts) of their securities by directors, officers, and employees, or the issuer itself that are reasonably designed to promote compliance with insider trading laws, rules, and regulations, and any listing standards applicable to the issuer (and to file such insider trading policies as Exhibit 19 to the Form 10-K). However, for calendar year registrants, these annual disclosure requirements will not be effective until the Form 10-K for 2024 (filed in 2025). Similarly, the amendments will require additional disclosure in proxy statements of practices regarding the timing of options in relation to the disclosure of material nonpublic information. This disclosure also will be required for 2025 proxy statements for calendar year registrants.
Registrants may want to include a question in their annual director and officer questionnaires (responsive to Item 408(a) of Regulation S-K) regarding any adoption of, or changes to, any 10b5-1 plan or trading arrangement.
Updating risk factor disclosure
Every year in connection with the filing of the Form 10-K, each registrant should review its risk factors to ensure that they continue to capture the material risks faced in light of evolving regulatory, technological, economic, and industry developments.
Cybersecurity
The cybersecurity disclosure rules discussed above will lead to additional cybersecurity-related disclosure in the Form 10-K, and registrants should ensure that their risk-factor disclosure is consistent with the new disclosure. In addition, if they have not done so already, registrants should be mindful of the 2018 interpretive release in which the SEC provided additional guidance on cybersecurity disclosures, recent SEC staff comment letters, and the SEC’s October 2023 complaint against SolarWinds and ensure that their risk factors do not describe the risk of a “potential” incident if, in fact, the registrant has already experienced such an incident. The SolarWinds action raises the specter of enforcement actions directly against information officers for alleged “fraudulent” cyber disclosures. In that case, the SEC alleges that SolarWinds’ disclosures included “misstatements, omissions, and schemes that concealed both the company’s poor cybersecurity practices and its heightened—and increasing—cybersecurity risks. SolarWinds’ public statements about its cybersecurity practices and risks painted a starkly different picture from internal discussions and assessments about the company’s cybersecurity policy violations, vulnerabilities, and cyberattacks.”
Artificial intelligence
As artificial intelligence (AI) technologies—including large language models and other generative AI tools like ChatGPT—become ever more pervasive, some registrants have begun to include standalone risk factors addressing AI risks, including risks to reputation. AI may impact company affairs in a variety of ways and across different areas, including corporate governance; labor and employment; consumer protection and relations; product liability; privacy; data protection and cybersecurity; intellectual property ownership and rights; insurance; and government laws, regulations, and policies. Companies should consider ways in which the company’s strategy, productivity, market competition, reputation, investments, and demand for the company’s products, as well as legal and regulatory risks, could be affected by the continued emergence of AI.
Climate
As discussed in more detail below, even while SEC climate-related disclosure rules are pending, the SEC has continued to issue comment letters for insufficient climate-related disclosures, including insufficient disclosure about the risks, including transition risks, to the registrants’ operations. In particular, the SEC has continued to press registrants as to why their corporate social responsibility reports have more information about climate-related risks than their SEC reports.
Inflation and interest rates
Registrants should consider updating their annual report risk factors to include any risks related to inflation and/or rising interest rates, tailored to the registrant’s specific circumstances.
In recent comment letters relating to inflation, the SEC staff has focused on how current inflationary pressures have materially impacted a registrant’s operations, including by pointing to statements regarding inflation made in earnings materials, and sought disclosure on any mitigation efforts implemented with respect to inflation. If inflation is identified as a significant risk, the SEC staff has asked registrants to quantify, where possible, the principal factors contributing to inflationary pressures and the extent to which revenues, expenses, profits, and capital resources were impacted by inflation.
In recent comment letters relating to interest rates, the SEC staff has asked registrants to expand their discussion of rising interest rates in the Risk Factors and MD&A sections to specifically identify the actual impact of recent rate increases on the business’s operations and how the business has been affected.
Pending disclosure rule changes not yet effective
Issuer share repurchase disclosure – SEC’s 2023 rule vacated for now
In May 2023, the SEC adopted amendments to the disclosure requirements relating to issuers’ repurchases of their equity securities. The amendments would have (i) required additional narrative disclosures in periodic reports regarding the structure of a registrant’s repurchase program, (ii) required the filing of daily quantitative repurchase data on a quarterly or semiannual basis, and (iii) required new disclosures in periodic reports related to a registrant’s adoption and termination of certain trading arrangements (similar to the new disclosure requirements adopted in December 2022 for directors and executive officers). However, in December 2023 the United States Fifth Circuit Court of Appeals vacated the rules following a legal challenge that asserted, among other things, that the SEC acted arbitrarily and capriciously by failing to respond to comments and failing to conduct a proper cost-benefit analysis.
This means that, until such time (if any) as the SEC acts to re-adopt some or all of these provisions in a manner that would address the deficiencies that formed the basis for this challenge, registrants will be required to continue disclosing share repurchase activity in their periodic reports aggregated on a monthly basis under the SEC’s pre-existing rules, and to disclose any other material information concerning such programs in response to the SEC’s existing requirements for MD&A and other narrative disclosures.
Climate disclosure
In March 2022, the SEC proposed rule amendments that would require a registrant to include certain climate-related information in its registration statements and periodic reports, such as on Form 10-K, including:
- climate-related risks and their actual or likely material impacts on the registrant’s business, strategy, and outlook;
- the registrant’s governance of climate-related risks and relevant risk management processes;
- the registrant’s direct greenhouse gas (GHG) emissions (Scope 1) and indirect GHG emissions from purchased electricity and other forms of energy (Scope 2);
- indirect emissions from upstream and downstream activities in a registrant’s value chain (Scope 3), if material;
- the registrant’s GHG emissions, which, for accelerated and large accelerated filers and with respect to certain emissions, would be subject to assurance;
- certain climate-related financial statement metrics and related disclosures in a note to its audited financial statements (including an attestation report from an independent attestation service provider covering Scope 1 and Scope 2 emissions); and
- information about climate-related targets and goals, and transition plan, if any.
The proposed rules have been somewhat controversial, particularly the disclosure of Scope 3 emissions and the attestation report. The comment period was reopened (and subsequently closed) and the final rules have yet to be issued. The most recent regulatory agenda of the SEC reflects a target of April 2024 for issuance of the final rules. Until any final rule is adopted, however, registrants should continue to refer to the SEC’s Sample Comment Letter to Companies Regarding Climate Change Disclosures (discussed below) for guidance regarding climate change disclosures currently expected by the SEC staff.
Human resources
The most recent regulatory agenda of the SEC reflects a target of April 2024 for issuance of proposed rule amendments “to enhance registrant disclosures regarding human capital management.” When the existing human capital management rules were adopted in August 2020, Commissioners Lee and Jackson, Jr. issued a joint statement that the principles-based disclosure requirement related to human capital management did not go far enough and they supported specific line-item disclosures that would provide more comparability across registrants. It is possible that the SEC could be taking up the issue of human capital management again to explore more prescriptive (i.e., specific line-item) disclosure, particularly regarding workforce composition.
Board diversity
The most recent regulatory agenda of the SEC reflects a target of October 2024 for issuance of proposed rule amendments “to enhance registrant disclosures about the diversity of board members and nominees.” Beyond that statement, it is not clear what is intended, although it could be along the lines of the statistical and narrative disclosures Nasdaq currently requires for its listed companies (which the SEC had approved in August 2021).
Comment letters
Topics producing highest volume of comments
The frequency of publicly issued SEC comment letters and the number of registrants receiving SEC comment letters related to periodic reports in the 12 months ended June 30, 2023, substantially increased, surpassing the number of letters issued in each of the past four years. The topics which have produced the highest volume of comments include, among others, (1) non-GAAP measures, (2) management’s discussion and analysis, and (3) segment reporting. Comments issued on two other emerging topics of particular interest, first-year compliance with the SEC’s Pay Versus Performance disclosure rule and Climate-Related Disclosures, may be summarized as follows.
Pay versus performance
Pay versus performance disclosure was required for the first time during the 2023 proxy season. The SEC issued a handful of comments related to the first round of disclosures. As can probably be expected, most of the comments focused on improper or incomplete application of the rules. Among the most frequent comments were the following:
- identify each named executive officer included in the calculation of average non-PEO named executive officer compensation and the fiscal years in which such persons are included;
- it appears that the index you use for purposes of your total shareholder return comparison is a broad equity market index and not the required published industry or line-of-business index, or selected peer issuers;
- it appears that you have not provided the full relationship disclosures required by Regulation S-K Item 402(v)(5). Although the information may be provided graphically, narratively, or a combination of the two, this disclosure must be separate from the pay versus performance table and must provide a clear description of each separate relationship; and
- ensure that you provide disclosure showing how your non-GAAP company-selected measure is calculated from your audited financial statements, as required by Regulation S-K Item 402(v)(2)(v).
Climate-related disclosure
In September 2021, the Division of Corporation Finance published a Sample Comment Letter to Companies Regarding Climate Change Disclosures. Then, as discussed above, in March 2022, the SEC proposed rule amendments that would require a registrant to include certain climate-related information in its periodic reports. While those amendments have yet to be adopted, the SEC has continued to issue comment letters related to climate-related disclosures along the lines of the sample comments in the September 2021 sample comment letter. In particular, the comments have focused on:
- registrants having more expansive disclosure in their corporate social responsibility report than their SEC filings;
- the lack of disclosure of the risks, trends, and impact of climate change for the registrant and its business; and
- the lack of disclosure related to pending or existing climate-related legislation and regulations that could have a material impact on a registrant’s business.
Contact us
If you have questions regarding the new SEC rules that will impact disclosure for the 2023 Form 10-K and 2024 proxy season or any of the pending SEC regulations, please contact Robert Joseph, Andrew Spector, Steve Barrett, Victoria Sitz, Craig Adoor, or your Husch Blackwell attorney.