All posts by George Wilson

Cybersecurity Event Disclosures – New C&DIs and an Announcement Addressing Selective Disclosure Concerns

On June 24, 2024, CorpFin issued five new C&DIs addressing cybersecurity incident reporting on Form 8-K Item 1.05.  The C&DIs focus on situations where a company has experienced an attack such as a ransomware attack.  For example, C&DI 104B.05 states that if a company experiences an attack and makes a ransomware payment before a materiality determination is made, it must still make a materiality determination, and if the incident is material report it on Form 8-K Item 1.05.  New C&DI 104B.07 states that if insurance provides a recovery of all or a substantial portion of the payment, a materiality assessment based on both quantitative and qualitative considerations must still be made. And C&DI 104B.08 makes the point that the size of a ransomware payment is not the only factor in making a materiality determination.  Qualitative aspects such as potential reputational harm could make a cybersecurity incident material even in breaches where the financial impact is relatively small.

In another cybersecurity event disclosure development, on June 20, 2024, Erik Gerding, CorpFin Division Director, issued an Announcement titled “Selective Disclosure of Information Regarding Cybersecurity Incidents.”  In the Announcement Mr. Gerding states:

“Apparently, some companies are under the impression that if they experience a material cybersecurity incident, the Commission’s new rules prohibit them from discussing that incident beyond what was included in the Item 1.05 Form 8-K disclosing the incident.  That is not the case.”

Mr. Gerding notes that:

“Nothing in Item 1.05 prohibits a company from privately discussing a material cybersecurity incident with other parties or from providing information about the incident to such parties beyond what was included in an Item 1.05 Form 8-K.”

The Announcement then summarizes various concerns companies may have surrounding how Regulation FD may apply to disclosures to third parties such as vendors, customers or other companies that could be impacted by a similar incident.  After a brief review of applicable Regulation FD considerations, he then explores ways to avoid selective disclosure concerns, including a reminder that Regulation FD applies only to certain parties outside a company and that the use of confidentiality agreements can mitigate selective disclosure concerns.

As always, your thoughts and comments are welcome!

inSecurities Podcast Explores Recent U.S. Supreme Court Decisions

Recent U.S Supreme Court decisions have addressed how the SEC can use its administrative court processes for fraud cases and ended the Chevron doctrine, which had created a presumption that courts must rely on an agency’s interpretations of ambiguous statutes.  In this episode of the inSecurities podcast, hosts Chris Ekimoff and Kurt Wolfe provide an understandable, inciteful and thorough discussion of the issues in both these areas and how the Court’s decisions may affect practice.

As always, your thoughts and comments are welcome!

Loops Do Close

Several years ago, on May 3, 2021, the SEC announced a settled enforcement action against Under Armour, Inc.  The starting point for this case was a 23% stock price drop when Under Armour disclosed that their revenue growth rate, historically over 20%, had fallen to 12% for the fourth quarter of 2016.  According to the SEC’s Accounting and Auditing Enforcement Release, the company used sales “pull forwards” to hide this slowing revenue growth rate from mid-2015 to the end of 2016.  The company paid a $9 million civil penalty and entered into a cease-and-desist order.

In this kind of case the SEC’s enforcement is usually only part of the story.  In a Form 8-K filed on June 20, 2024, more than three years after the SEC action, the company reported a settlement in related class action litigation:

Item 8.01. Other Events.

As previously disclosed, since early 2017 Under Armour, Inc. (the “Company”) has been engaged in securities class action litigation in the United States District Court for the District of Maryland (the “District Court”) under the caption In re Under Armour Securities Litigation, Case No. 17-cv-00388-RDB (the “Consolidated Securities Action”). The complaint asserted claims regarding the Company’s disclosures and accounting practices in connection with its sales between the third quarter of 2015 and the fourth quarter of 2016, specifically asserting claims under Sections 10(b) and 20(a) of the Securities Exchange Act of 1934, as amended (the “Exchange Act”), against the Company and Mr. Plank and under Section 20A of the Exchange Act against Mr. Plank.

On June 20, 2024, the Company and Mr. Plank entered into a Memorandum of Understanding (the “MOU”) with plaintiffs containing the material terms of a settlement resolving the Consolidated Securities Action. The parties intend to prepare a formal stipulation of settlement describing the terms of the proposed settlement, which will be presented to the District Court for preliminary approval in the coming weeks. Following preliminary approval of the proposed settlement by the District Court and a notice and review period for Class members, plaintiffs will seek final approval of the proposed settlement from the District Court. The settlement is not an admission of fault or wrongdoing by the Company or Mr. Plank.

The MOU provides that the Company will pay or will cause to be paid an amount equal to $434 million to the members of the class in the Consolidated Securities Action, which includes all persons and entities who purchased or otherwise acquired Class A and Class C common stock of Under Armour between September 16, 2015 and November 1, 2019(subject to certain exclusions) (the “Class”). As of March 31, 2024, the Company reported $858.7 million of cash and cash equivalents on its consolidated balance sheets, and no drawings on its $1.1 billion revolving credit facility.

As always, your thoughts and comments are welcome!

Yet Another Cybersecurity Enforcement Action

On June 18, 2024, the SEC announced a settled enforcement action against R.R. Donnelly & Sons Co. focused on both ICFR and disclosure controls and procedures related to cybersecurity risk.  As you can read in the related Order, the company used an outside service provider to help monitor cybersecurity matters.  The service provider notified the company’s security personnel about a “network ransomware intrusion.”  Based in part on input from the service provider, R.R. Donnelly did not take further action or conduct a deeper investigation.  In this case the SEC maintains that R.R. Donnelly did not maintain effective ICFR related to cybersecurity risk because the company did not have appropriate controls to respond to these warnings.  In addition, the Order maintains that the company’s disclosure controls and procedures did not appropriately inform management responsible for making disclosure decisions about cybersecurity incidents.

The company, which cooperated with the SEC in the investigation, entered into a cease-and-desist order and paid a $2.125 million civil penalty.

In reaction to this enforcement, Commissioners Hester M. Peirce and Mark T. Uyeda gave a Statement titled “Hey, look, there’s a hoof cleaner! Statement on R.R. Donnelley & Sons, Co.,” which provides an interesting discussion of administrative versus accounting controls related to cybersecurity issues.

You can read about earlier cybersecurity related enforcement actions in this post which involves a CISO and this post which also mentions disclosure controls and procedures.

As always, your thoughts and comments are welcome!

CorpFin Director Provides Review Program Update

On June 24, 2024, Corporation Finance Director Eric Gerding gave an Announcement titled “The State of Disclosure Review,” and stated that “[t]his is part of an initiative to be more transparent and communicate with the marketplace about what is going on in the Disclosure Review Program.”

In his remarks Mr. Gerding describes the objectives of the review program and provides an overview of the review process.  He notes that approximately 3,300 companies were reviewed in 2023.  He enumerates frequent comment areas including China-related matters, non-GAAP measures, MD&A, revenue recognition, and financial statement presentation.  He also discusses disclosure priorities including artificial intelligence, disclosures by China-based companies, and commercial real estate as well as how CorpFin will address recently issued rules.

The announcement provides a very thorough and comprehensive discussion that will inform all professionals in the reporting process about the priorities and approach of the filing review process.

As always, your thoughts and comments are welcome.

The SEC’s Enhanced Webpage

On June 29, 2024, the SEC “made enhancements to sec.gov to improve compliance with federal statutes and standards as well as the site’s functionality.”

The appearance and organization of the new sec.gov are very different.  The “About” link in the top menu line provides paths to several reporting tools.

You can find the new CorpFin section here.  This part of the webpage still has links to the forms, regulations and statutes.

As always, your thoughts and comments are welcome.

Focus on SEC Comments – Another Common Non-GAAP Comment

Levi Strauss & Co. included the following “schedule” to reconcile various non-GAAP measures to the most directly comparable GAAP measures in its Form 10-K for the year ended November 27, 2022:

As you review this schedule (also take note of the very last line, it has a sort of hidden non-GAAP measure problem), it is apparent that the company did not follow a long-standing position of the staff as stated in this Compliance and Disclosure Interpretation (C&DI):

Question 102.10

Question 102.10(a): Item 10(e)(1)(i)(A) of Regulation S-K requires that when a registrant presents a non-GAAP measure it must present the most directly comparable GAAP measure with equal or greater prominence. This requirement applies to non-GAAP measures presented in documents filed with the Commission and also earnings releases furnished under Item 2.02 of Form 8-K. Are there examples of disclosures that would cause a non-GAAP measure to be more prominent?

Answer: Yes. This requirement applies to the presentation of, and any related discussion and analysis of, a non-GAAP measure. Whether a non-GAAP measure is more prominent than the comparable GAAP measure generally depends on the facts and circumstances in which the disclosure is made. The staff would consider the following to be examples of non-GAAP measures that are more prominent than the comparable GAAP measures:

      • Presenting an income statement of non-GAAP measures. See Question 102.10(c).

(Note:  Balance of the C&DI is omitted)

The above C&DI works in tandem with this incremental discussion of what is considered a non-GAAP income statement:

Question 102.10(c): The staff considers the presentation of a non-GAAP income statement, alone or as part of the required non-GAAP reconciliation, as giving undue prominence to non-GAAP measures. What is considered to be a non-GAAP income statement?

Answer: The staff considers a non-GAAP income statement to be one that is comprised of non-GAAP measures and includes all or most of the line items and subtotals found in a GAAP income statement. [December 13, 2022]

As you would expect, the prominence of this information in Levi Strauss and Co.’s Form 10-K resulted in a comment based on the above C&DIs:

Form 10-K for the Fiscal Year Ended November 27, 2022

Management’s Discussion and Analysis of Financial Condition and Results of Operations Non-GAAP Financial Measures

Adjusted Gross Profit, Adjusted SG&A, Adjusted Net Income and Adjusted Diluted Earnings per Share, page 58

    1. We note that you appear to present full income statements to reconcile your non-GAAP measures on pages 58 and 59. Please tell us your consideration of Questions 102.10(a), 102.10(b), and 102.10(c) of the Compliance and Disclosure Interpretations on Non-GAAP Financial Measures and Item 10(e)(1)(i)(A) of Regulation S-K. This comment also applies to your Form 10-Q for the quarter ended February 26, 2023 and Exhibit 99.1 to Form 8-K furnished on January 25, 2023.

The company’s response was direct and to the point, but unfortunately did not address the presentation of the last line in the schedule above:

The Company respectfully acknowledges the Staff’s comment and confirms that in future filings it will reconcile its non-GAAP measures to the most directly comparable GAAP measures without presenting a non-GAAP income statement. The Company expects that this will be substantially similar to the reconciliation included in Appendix A, which has been illustratively amended for the Staff’s reference.

Appendix A provided individual reconciliations for the non-GAAP measures in the original non-GAAP income statement.  Here is an example of one of the schedules:

However, this was not the end of the comment process.  Because the information presented by Levi Strauss includes a non-GAAP EPS amount, the SEC issued this follow-on comment:

  1. We note that on the last page of Appendix A, you disclose Adjusted Diluted Earnings Per Share at the bottom of your reconciliation of net income to Adjusted Net Income. Please revise to present a reconciliation of diluted EPS to Adjusted Diluted EPS. Additionally, wherever you present a Non GAAP margin measure in Appendix A, please revise to disclose the most comparable margin presented in accordance with GAAP.

The company’s response included an appropriate reconciliation:

The Company respectfully acknowledges the Staff’s comment and confirms that the Company will present a reconciliation of diluted EPS to Adjusted Diluted EPS and include comparable margins presented in accordance with GAAP whenever we present a non-GAAP margin measure in future periodic filings. The Company expects that this will be substantially similar to the reconciliation included in Appendix A, which has been illustratively amended for the Staff’s reference.

After this response the staff sent Levi Strauss and Co. a closing letter.

As always, your thoughts and comments are welcome!

Enforcement Timing – Company Versus Auditor Time Lag

In this blog post we explored the almost two-year time lag between an SEC enforcement against a company and a related enforcement against the company’s auditor.  In a pair of more recent cases this time lag is much shorter.  In this August 15, 2023, Accounting and Auditing Enforcement Release, the SEC enumerates a number of material misstatements in the financial statements of Ault Alliance, Inc. (Ault). Issues involved included failure to disclose interests in related person transactions, improper recording of purported consulting services and erroneous accounting for investments.  Ault made multiple restatements.  The Release also asserts that Ault failed to maintain accounting and disclosure controls.

On January 18, 2024, only five months later, the SEC brought an Administrative Proceeding against the company’s auditor.  The case against the auditor is complex, involving Ault and several other engagements.  In addition, it is interesting that this action was brought using the SEC’s internal administrative court processes.  Even with these complexities, the time lag between the company enforcement and the administrative proceeding against the auditor is notably shorter.

As always, your thoughts and comments are welcome!

Tagging EPS and the Office of Structured Disclosure

Data tagging using XBRL has been a part of SEC reporting since 2009, with Inline XBRL phasing in starting in 2018.  Several uses for XBRL have evolved over this period.  The SEC staff utilizes this information in many ways, including uncovering issues during the CorpFin review process.  Some service providers use the database to provide analysis and benchmarking tools.  Software is available to access XBRL data for tasks such as peer group analysis.

As use of XBRL data evolves, assuring the integrity of this information is key.  The Office of Structured Disclosure (OSD) within the Division of Economic and Risk Analysis oversees this process.  Even though tagging has been required for over 15 years OSD periodically discovers problems.

This May 30, 2024, Announcement addresses an EPS tagging problem discovered by DERA staff.  When a company’s basic and diluted EPS are the same and this information is presented in a single amount they should apply two tags, one for basic EPS and a second for diluted EPS, to this single amount.

You can find more of this kind of guidance from the Office of Structured Disclosure  on this webpage providing Staff Observations, Guidance, and Trends.

As always, your thoughts and comments are welcome!