All posts by George Wilson

Enforcement for Cybersecurity Risk Disclosure Shortfalls

On October 22, 2024, the SEC announced settled enforcement actions against four companies focused on disclosures about cybersecurity risks and actual cybersecurity intrusions.  The four companies were Avaya Holdings Corp., Check Point Software Technologies Ltd, Mimecast Limited, and Unisys Corp.  All four of the cases have their roots in the SolarWinds Orion software cybersecurity hack.

According to the SEC, all four of the companies downplayed the impact of cybersecurity events.  In the SEC’s Press Release, Jorge G. Tenreiro, Acting Chief of the Crypto Assets and Cyber Unit, stated, “In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned of risks had already materialized.”  This is a recurring issue in cybersecurity cases and SEC comments.  In another of the cases, the company described a breach as having involved access to a limited number of email messages when in fact the company knew that 145 files, some of which involved sensitive company information, had been breached.  The Unisys Corp. case also focused on deficient disclosure controls and procedures.

You can read more details about each case and find links to each Order in the SEC’s Press Release.

All the companies entered into cease-and-desist orders and paid fines ranging from $990,000 to $4 million.

As always, your thoughts and comments are welcome!

SECI’s Period-End Reporting Programs – Register Now!

As we approach December 31, 2024, SECI is presenting several One-Hour Briefings focused on period-end reporting:

Eleventh Annual Form 10-K/Proxy Tune-Up – December 9, 2024

Tenth Annual Dealing With MD&A Hot Topics – December 10, 2024

Fifth Annual Form 20-F Tune-Up – February 14, 2025

Fifth Annual Disclosure Committee Tune-Up – January 28, 2025

SECI’s Annual SEC Reporting and FASB Forum (the 40th edition!) is another great resource for keeping current with new rules and regulations emanating from the SEC, FASB, and PCAOB as you prepare for year end.  Attend in-person or view the webcasts scheduled for December 5-6, 2024, in San Francisco and December 19-20, 2024, in New York.

Also be sure to check out SECI’s One-Hour Briefing series focused on frequent SEC comment areas:

SEC Management’s Discussion and Analysis Comments (on-demand)

SEC Non-GAAP Measures and Metrics Comments (on-demand)

SEC Operating Segment Comments (on-demand)

SEC Revenue Recognition Comments (on-demand)

SEC Climate-Related Comments – December 2, 2024

Lastly, be sure to visit our Blog often as we will be exploring frequently encountered problems in Forms 10-K and 20-F in an upcoming series.

To view SECI’s full curriculum, including our new Operating Segment Disclosures Workshop and our comprehensive two-day SEC Reporting Skills for Financial Professionals, visit us at: https://www.pli.edu/programs/seci

As always, your thoughts and comments are welcome!

SECI’s New Form 20-F Workshops – Register Now!

Don’t miss SEC Institute’s two new Form 20-F workshops for foreign private issuers.  To learn more and to register for these interactive virtual workshops click the links below:

Form 20-F (Part One): Key Information, Risk Factors & Part I Disclosures Essentials Workshop 2024

Form 20-F (Part Two): Parts II & III Disclosures Essentials Workshop 2024

You can find our entire curriculum of conferences and workshops here.

As always, your thoughts and comments are welcome!

CorpFin Updates SPAC Co-Registrant Details in FAQs for Voluntary Submission of Draft Registration Statements

On September 16, 2024, CorpFin updated its FAQs for companies that submit draft registration statements for nonpublic review. The JOBS Act provided this nonpublic review process for Emerging Growth Companies, and in 2017 CorpFin announced it would provide a nonpublic review option for many other companies.  The current update to the related FAQs makes a change for SPAC transactions.

The SEC’s Final Rules for SPACs created a requirement for companies acquired by a SPAC to be a co-registrant in a de-SPAC transaction registration statement.  The update addresses when a co-registrant’s CIK and related information should be included in the EDGAR process:

(19) Question:

If a registrant uses the confidential submission process to submit a draft registration statement in connection with a de-SPAC transaction, when should it include any co-registrant’s CIK and related submission information in the EDGAR Filing Interface?

Answer:

In EDGAR Release 24.3, EDGAR was enhanced to allow co-registrants on draft registration statement submissions. See Section 7.2.1 Accessing the EDGARLink Online Submission of the EDGAR Filer Manual. The primary registrant must include the co-registrant’s CIK and related submission information in EDGAR when it submits the draft registration statement. See Section 7.3.3.1 Entering Submission Information of the EDGAR Filer Manual. The draft registration statement must also contain the information required by the applicable registration statement form, including required information about the target company. Co-registrants do not need to separately submit the draft registration statements or related correspondence in EDGAR.

One interesting aspect of these FAQs is that finding them is a bit of a treasure hunt.  Beyond the “What’s New” notice on September 16, this Announcement, most recently updated on June 24, 2020, has a link to the FAQs.

As always, your thoughts and comments are welcome.

A Regulation FD Double Down – DraftKings

Back in April 2013, the SEC issued a Report of Investigation addressing dissemination of information via social media channels.  The report focused on a Netflix CEO’s use of social media to disclose information relevant to investors without previously telling investors that information would be released via social media.  In the report the SEC announced that social media disclosure of information was likely not public disclosure for purposes of Regulation FD, unless investors had previously been alerted that specific social media channels would be used to disseminate information to the public.

Unfortunately, on July 27, 2023, DraftKings’ public relations firm posted information about “really strong growth” on the personal X and LinkedIn accounts of the company’s CEO.  The company had not provided prior notice that social media accounts would be used to make information public.  DraftKings’ management instructed the public relations firm to remove the posts soon after they were published.  Given that the social media posts provided previously non-public information about growth and that the information was likely material, this was probably an inadvertent selective disclosure.

Regulation FD describes two types of selective disclosure, intentional and non-intentional.  Each type has a separate required time frame to make information public.  From Regulation FD:

(a) Whenever an issuer, or any person acting on its behalf, discloses any material nonpublic information regarding that issuer or its securities to any person described in paragraph (b)(1) of this section, the issuer shall make public disclosure of that information as provided in § 243.101(e):

(1) Simultaneously, in the case of an intentional disclosure; and

(2) Promptly, in the case of a non-intentional disclosure.

The term “promptly” is defined in the rule:

Promptly. “Promptly” means as soon as reasonably practicable (but in no event after the later of 24 hours or the commencement of the next day’s trading on the New York Stock Exchange) after a senior official of the issuer (or, in the case of a closed-end investment company, a senior official of the issuer’s investment adviser) learns that there has been a non-intentional disclosure by the issuer or person acting on behalf of the issuer of information that the senior official knows, or is reckless in not knowing, is both material and nonpublic.

If in fact the social media posts were non-intentional disclosures, “prompt” disclosure would have been appropriate.  Unfortunately, DraftKings did not make this information public until they did their regular earnings release seven days later.

The company entered into a cease-and-desist order and paid a civil money penalty of $200,000.

You can find more details, including discussion of the materiality of the information, how DraftKings’ policies related to the disclosures, and the impact of DraftKings’ cooperation during the investigation, in the SEC’s Press Release and the related Order.

As always, your thoughts and comments are welcome!

Insider Transaction and Beneficial Ownership Reporting – An Enforcement Reminder

On September 25, 2024, the Enforcement Division announced settled actions against 23 companies and individuals relating to Section 16 and Section 13 reporting.  The various actions involved:

Failure of individuals to file Section 16 reports;

Failure of companies to report delinquent Section 16 reports; and

Failure of companies to file Forms 13D, 13G, 13F, and Section 16 reports.

The companies and individuals involved paid fines totaling $3.8 million.  The Enforcement Division included a link to a September 27, 2023 announcement of a similar sweep involving 11 cases, making it clear that this continues to be a focus of their work.

As always, your thoughts and comments are welcome.

Still an Enforcement Focus – More Attempts to Limit Whistleblower Protections

On September 9, 2024, the SEC announced settled charges against seven companies for attempting to limit whistleblower rights through provisions in employment, separation and other agreements.  As you can read in the SEC’s Press Release and the related Orders, one company tried to force employees to waive their right to whistleblower awards such as those the SEC pays to qualified whistleblowers.

This case is the latest in a litany of recent enforcement actions, including against J.P. Morgan for attempting to limit customers’ ability to blow the whistle and against D.E. Shaw and Co. L.P., Monolith Resources, and CBRE, Inc. for using employee agreements that violated whistleblower protection rules.

All these cases and the related civil penalties send direct and clear reminders to proactively review employment, termination and similar agreements to assure they do not run afoul of the whistleblower protection rules.

As always, your thoughts and comments are welcome!

A “Green” Enforcement Action

On September 10, 2024, the SEC announced a settled enforcement action against Keurig Dr Pepper, Inc. related to statements the company made in its 2019 and 2020 Form 10-Ks about the recyclability of its K-Cup coffee and tea pods.  In Item 1 of the company’s Form 10-K for the year ended December 31, 2020, the company said:

“In December 2020, we achieved our goal of making all K-Cup pods sold in the U.S. recyclable by the end of 2020, having converted all K-Cup pods sold in Canada to a recyclable format in 2018. The new pods are made of polypropylene #5 plastic, a material that is accepted curbside for recycling by many communities, and we have conducted extensive testing with municipal recycling facilities to validate that they can be effectively recycled. We continue to engage with municipalities and recycling facilities to advance the quantity and quality of recycled polypropylene and have committed $10 million toward the advancement of polypropylene recycling in the U.S. through the Polypropylene Recycling Coalition, an effort led by The Recycling Partnership and funded by leading brands, recyclers, converters and producers of polypropylene.”

According to the SEC’s Order, what the company did not disclose in the 2019 and 2020 annual reports was that two large recycling companies “provided negative feedback concerning the commercial feasibility of curbside recycling of pods” and indicated that “they did not presently intend to accept pods for recycling.”

Without admitting or denying the findings, Keurig Dr Pepper entered into a cease-and-desist order and paid a civil money penalty of $1,500,000.

An interesting aspect of this case is that it was brought under Section 13(a) of the 1934 Act and related Exchange Act Rule 13a-1, which relate to complete and accurate annual reports.

As always, your thoughts and comments are welcome.

FASB’s Conceptual Framework and a Related Chief Accountant Statement

On July 12, 2024, the FASB issued the final chapter of its Conceptual Framework, finishing a process that has spanned decades.  The Conceptual Framework does not establish authoritative guidance.  In fact, all references to the Conceptual Framework were removed from the Codification in ASU 2024-02.  That said, the Conceptual Framework is a foundational part of the standard-setting process.

As you can read on the Concepts Statement section of the FASB’s webpage:

“The FASB Concepts Statements are intended to serve the public interest by setting the objectives, qualitative characteristics, and other concepts that guide selection of economic phenomena to be recognized and measured for financial reporting and their display in financial statements or related means of communicating information to those who are interested. Concepts Statements guide the Board in developing sound accounting principles and provide the Board and its constituents with an understanding of the appropriate content and inherent limitations of financial reporting.”

In this August 12, 2024, Statement, SEC Chief Accountant Dr. Paul Munter emphasized the importance of the Conceptual Framework in assuring that standard setting serves the public interest.  In the Statement Dr. Munter notes:

“Now that the updates to the Conceptual Framework are complete, it is important that the Board use it to guide its agenda-setting process and standard-setting deliberations, including to assist Board members in asking the right questions and objectively evaluating whether their views are consistent with the principles laid out in the Conceptual Framework.”

The Statement concludes with an emphasis on who the standard-setting process should serve:

“With the Conceptual Framework complete, the FASB’s focus on the guiding principles described in the Conceptual Framework can help it continue to develop high-quality accounting standards coupled with robust disclosures to best serve the needs of investors and protect the public interest.”

As always, your thoughts and comments are welcome.

ICFR Reporting and Acquisitions

In the year a company completes an acquisition, ICFR reporting for the combined business can be problematic.  If the acquired company has been private, or has not built an ICFR evaluation process, it may not be practicable to include the acquired business in the acquiror’s assessment of ICFR, and, if applicable, in the auditor’s attestation report over ICFR.  This is particularly true when an acquisition happens near year end.

Interestingly, this situation is addressed not in Regulation S-X, but in a Sarbanes-Oxley C&DI:

Question 3 

Q: If a registrant consummates a material purchase business combination during its fiscal year, must the internal control over financial reporting of the acquired business be included in management’s report on internal control over financial reporting for that fiscal year?

A: As discussed above, we would typically expect management’s report on internal control over financial reporting to include controls at all consolidated entities. However, we acknowledge that it might not always be possible to conduct an assessment of an acquired business’s internal control over financial reporting in the period between the consummation date and the date of management’s assessment. In such instances, we would not object to management referring in the report to a discussion in the registrant’s Form 10-K or 10-KSB regarding the scope of the assessment and to such disclosure noting that management excluded the acquired business from management’s report on internal control over financial reporting. If such a reference is made, however, management must identify the acquired business excluded and indicate the significance of the acquired business to the registrant’s consolidated financial statements. Notwithstanding management’s exclusion of an acquired business’s internal controls from its annual assessment, a registrant must disclose any material change to its internal control over financial reporting due to the acquisition pursuant to Exchange Act Rule 13a-15(d) or 15d-15(d), whichever applies (also refer to the last two sentences in the answer to question 7). In addition, the period in which management may omit an assessment of an acquired business’s internal control over financial reporting from its assessment of the registrant’s internal control may not extend beyond one year from the date of acquisition, nor may such assessment be omitted from more than one annual management report on internal control over financial reporting.

On February 28, 2023, Lamb Weston Holdings, Inc., a global producer, distributor, and marketer of frozen potato products, acquired LW EMEA, an entity previously accounted for using the equity method.  Item 9A in the company’s Form 10-K for their fiscal year ended May 28, 2023, included this disclosure about the exclusion of the acquired company from the ICFR evaluation:

Our management, under the supervision and with the participation of our Chief Executive Officer and Chief Financial Officer and oversight of the Board of Directors, assessed the effectiveness of our internal control over financial reporting as of May 28, 2023. Management based this assessment on criteria for effective internal control over financial reporting described in Internal Control – Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission. Management’s assessment included evaluation of elements such as the design and operating effectiveness of key financial reporting controls, process documentation, accounting policies, and our overall control environment. Management’s assessment of internal control over financial reporting as of May 28, 2023 excludes internal control over financial reporting related to LW EMEA (acquired February 28, 2023), which accounted for 7% of consolidated net sales and 30% of consolidated total assets as of and for the year ended May 28, 2023. Based on this assessment, management concluded that, as of May 28, 2023, our internal control over financial reporting was effective to provide reasonable assurance regarding the reliability of financial reporting and the preparation of consolidated financial statements for external reporting purposes in accordance with GAAP. We reviewed the results of management’s assessment with the Audit and Finance Committee of our Board of Directors.

As always, your thoughts and comments are welcome!