All posts by George Wilson

FASB’s Redesigned Website

On January 23, 2024, the FASB launched a redesigned website.  According to the related Media Advisory from the Financial Accounting Foundation, the new website features “streamlined navigation, a simpler menu structure, more attractive and intuitive design, a more robust search algorithm, and more prominent placement of the most important information stakeholders are looking for.”

New websites are in process for the GASB and the FAF.

As always, your thoughts and comments are welcome.

Chief Accountant Statement on Investor Protection and Auditors

On February 5, 2024, SEC Chief Accountant Dr. Paul Munter issued a Statement titled “An Investor Protection Call for a Commitment to Professional Skepticism and Audit Quality.”  The Statement reminds auditors and audit committees that their ultimate responsibility is to investors.

In the introduction to the Statement Dr. Munter notes that the PCAOB inspection process has found an increase in audit deficiencies over the last several years:

“The Public Company Accounting Oversight Board (“PCAOB”) reported a troubling increase in deficiency rates found in its recent inspections.  In its 2022 inspections of audits performed in 2021, the PCAOB inspections program found that insufficient audit evidence was obtained to support the auditor’s opinion in 40% of inspected audits. In its 2021 inspections, this same deficiency rate was 34%, up from 29% in its 2020 inspections. This is a troubling trendline in PCAOB inspections results.”

He then goes on to state:

“While we believe strongly that most auditors are talented professionals, dedicated to performing high-quality audits, the issues and trends identified in PCAOB inspections in recent years demand the attention and renewed commitment of the entire profession to deliver on its mission of protecting investors.”

The Statement then focuses on two principal areas:

Management’s Role and Auditors’ Exercise of Professional Skepticism in Response to Changing Conditions 

After a discussion focused on several audit issues, including frequent inspection findings and the importance of professional skepticism, the Statement emphasizes that audits are not like other business services:

“Applying professional skepticism can sometimes come at a cost, whether it is budget overruns, conflicts with management, or pressure from within the audit firm to maintain client relationships. But the audit engagement is not a standard business relationship between service provider and client, with profit as the primary goal and indicator of success. Instead, as the Supreme Court recognized, the auditor’s ultimate responsibility is to the investing public.”

The Importance of the Audit Committee in Prioritizing and Promoting Audit Quality

In this section of the Statement Dr. Munter focuses on important aspects of audit committee oversight of the audit process:

“Academic studies highlight the risk that, in some cases, in executing their mandate, audit committees may look to protect the interests of the issuer and its management over the interests of investors.  This risk can arise out of an audit committee’s association or coziness with the issuer or its management or through management’s influence over the audit committee’s supervision of the auditor. We remind audit committees of their role as critical gatekeepers for investor protection through oversight of a high-quality audit and the benefit of having an audit committee that is independent of management.”

As always, your thoughts and comments are welcome.

SEC Clarifies Current Share Repurchase Disclosure Requirements

On December 19, 2023, the U.S. Court of Appeals for the Fifth Circuit vacated the SEC’s May 3, 2023, share repurchase disclosure rules (Chamber of Com. of the USA v. SEC, No. 23-60255 (5th Cir.)). As a result of this decision, CorpFin issued this Announcement on February 9, 2024, clarifying that companies should follow the pre-amendment disclosure requirements in S-K Item 703 to provide monthly information about share repurchase transactions. The following example from Procter and Gamble’s June 30, 2023 Form 10-K follows the prior rules:

Note that this disclosure is included in Item 5 of Form 10-K.

As always, your thoughts and comments are welcome.

SEC Adopts SPAC Rules and Adds an Enforcement Exclamation Point!

On January 24, 2024, the SEC adopted final rules that create substantial reporting and process changes for SPACs.  The rules were originally proposed on March 30, 2022.  The new rules affect both SPAC IPO and de-SPAC  transactions.  (A de-SPAC transaction occurs when a SPAC merges with an operating company.)  In his Statement on the final rules, Chair Gary Gensler said that the new rules would “better align the protections investors receive when investing in SPACs with those provided to them when investing in traditional IPOs.”

You can find an overview of the voluminous new rules, which create a new Subpart 1600 in Regulation S-K, in this Press Release and the related Fact Sheet.  Highlights of the changes for SPAC IPOs include additional disclosures about SPAC sponsors, SPAC sponsor compensation, conflicts of interest and dilution.  For de-SPAC transactions, new disclosures include additional details about the target company and information about whether the board of the SPAC determined the transaction was advisable for the company and shareholders.  The new rules provide that the 1995 Private Securities Litigation Reform Act safe harbors for forward-looking statements will not be available for SPACs and also change underwriter liability in de-SPAC transactions.

The rules will be effective 125 days after publication in the Federal Register.  Certain information will be tagged with Inline XBRL, but this requirement is not effective until 490 days after publication in the Federal Register.

On January 25, 2024, the day after adopting the new rules, the SEC announced settled charges against Northern Star Investment Corp II, a SPAC, for failing to disclose discussions with a potential acquisition target in its IPO registration statement and de-SPAC transaction Form S-4.  As you can read in the SEC’s Order, the company entered into a cease and desist order and paid a fine of $1.5 million.

You can learn more about the new rules and SPACs in general at two upcoming programs:

A One-Hour Briefing about the final rules on February 14, 2024 – SPAC Developments: SEC Amendments to SPAC IPO and de-SPAC Related Rules, and

Our SPAC Life Cycle: Business, Legal, and Accounting Considerations Forum on April 15, 2024, will discuss the new rules in depth.

As always, your thoughts and comments are welcome.

Stand By for SPAC Developments

On January 17, 2024, the SEC scheduled an Open Meeting on January 24, 2024, to consider finalizing its March 30, 2022, Proposed Rules for SPAC transactions.  You can find the meeting agenda here.

PLI will present a One-Hour Briefing about the coming Final Rules on February 14, 2024.  We will share a link to the briefing in a blog post when it is available.

In addition, our SPAC Life Cycle: Business, Legal, and Accounting Considerations Forum on April 15, 2024, will discuss the new rules in depth.

As always, your thoughts and comments are welcome.

A Different Twist in Whistleblower Protection Enforcement

On January 16, 2024, the SEC announced a settled enforcement action against J.P. Morgan Securities LLC (JPMS) for violating whistleblower protection laws.  As you can read in this post, we have blogged on a number of occasions about companies that have violated these laws by trying to restrict current and former employees from blowing the whistle.  JPMS’s case involves a very different situation, trying to restrict a customer’s ability to blow the whistle.  When advisory clients and brokerage customers received a credit or settlement of over $1,000 from JPMS, the company required them to sign an agreement to keep the details of the settlement and other information confidential.  While the agreements permitted clients to respond to SEC inquiries, they limited their ability to blow the whistle to the SEC.

In the Press Release announcing the settlement, Enforcement Division Director Gurbir S. Grewal noted:

“For several years, it (JPMS) forced certain clients into the untenable position of choosing between receiving settlements or credits from the firm and reporting potential securities law violations to the SEC.”

You can read more about the settlement, in which JPMS entered into a cease and desist order, paid an $18 million fine and was censured, in the related Press Release and Order.

As always, your thoughts and comments are welcome!

CorpFin Updates Disclosure Guidance for Certain Confidential Treatment Applications

In 2019 and 2020, CorpFin modernized the process companies use to request confidential treatment.  Prior to the modernization, companies essentially had to request and obtain permission from the staff to redact information from a filing.  The modernized procedure allows companies to redact information in material contracts without specific staff approval if the information is immaterial and customarily and actually treated as private or confidential.  This process is subject to staff review.  While the new process is simpler for companies, the old process is still occasionally used today.

On January 8, 2024, CorpFin updated sections of Disclosure Guidance Topic No. 7 related to confidential treatment applications pursuant to the old guidance, which is in Rules 406 and 24b-2.  In an explanatory note CorpFin explains:

This guidance has been generally updated, including with respect to options for confidential treatment orders that are about to expire. Different extension procedures apply depending on whether the order is greater or less than three years old. The prior version of this guidance referred to a fixed date rather than a rolling three-year period.

You can find the updated Disclosure Guidance Topic here.

As always, your thoughts and comments are welcome!

A Cybersecurity Incident Form 8-K

As we discussed in this blog post, one of the challenges in the SEC’s July 2023 cybersecurity disclosure rules is determining when an Item 1.05 Form 8-K to disclose a material cybersecurity incident will be required.  The Instructions for the 1.05 Form 8-K state:

Item 1.05 Material Cybersecurity Incidents. 

(a) If the registrant experiences a cybersecurity incident that is determined by the registrant to be material, describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.

The instructions also state:

A registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.

On December 18, 2023, V.F. Corporation, a marketer of “Active-Lifestyle Brands,” filed an Item 1.05 Form 8-K.  After a description of the cybersecurity breach and its impact on the company’s operations, the Form 8-K includes this language about materiality:

As the investigation of the incident is ongoing, the full scope, nature and impact of the incident are not yet known. As of the date of this filing, the incident has had and is reasonably likely to continue to have a material impact on the Company’s business operations until recovery efforts are completed. The Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.

As always, your thoughts and comments are welcome!

Cybersecurity Disclosures – SEC and FBI Guidance

When the SEC issued its new cybersecurity disclosure Final Rule, it created the new Item 1.05 Form 8-K requiring disclosure of material cybersecurity incidents.  You can read more about the Final Rule and the Form 8-K, along with the related implementation timing, in this blog post.

One of the complex issues in the 1.05 Form 8-K is this instruction:

(c) Notwithstanding General Instruction B.1. to Form 8-K, if the United States Attorney General determines that disclosure required by paragraph (a) of this Item 1.05 poses a substantial risk to national security or public safety, and notifies the Commission of such determination in writing, the registrant may delay providing the disclosure required by this Item 1.05 for a time period specified by the Attorney General, up to 30 days following the date when the disclosure required by this Item 1.05 was otherwise required to be provided. Disclosure may be delayed for an additional period of up to 30 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing. In extraordinary circumstances, disclosure may be delayed for a final additional period of up to 60 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security and notifies the Commission of such determination in writing. Beyond the final 60-day delay under this paragraph, if the Attorney General indicates that further delay is necessary, the Commission will consider additional requests for delay and may grant such relief through Commission exemptive order.

The FBI has established a process to request such disclosure delays on this webpage: FBI Guidance to Victims of Cyber Incidents on SEC Reporting Requirements.  Interestingly, the guidance suggests that companies establish a relationship with the cyber squad at their local field office.  It also notes that “delay requests won’t be processed unless they are received by the FBI immediately upon a company’s determination to disclose a cyber incident via 8k.”

On December 14, 2023, CorpFin issued four new Compliance and Disclosure Interpretations (C&DIs) in Section 104B that address questions about the delay process. The new C&DIs address issues including what a company should do if it contacts the Attorney General, but a determination is not made by the original due date for the Form 8-K. In this situation, the 8-K must be filed by its original due date. The C&DIs also clarify that consulting with the Department of Justice about a cybersecurity incident does not create a presumption that the incident is material.

To provide additional support for companies as they work to provide required cybersecurity disclosures, on December 14, 2023, CorpFin Director Erik Gerding published this Speech providing an overview of the new rules and specific thoughts about the cybersecurity incident disclosures on Form 8-K and the cybersecurity governance and risk management disclosures required in new Item 1C for Form 10-K. In his speech Director Gerding states:

“But I want to reassure companies and their representatives that our Division does not seek to make ‘gotcha’ comments or penalize foot faults.  To the extent appropriate, we may issue forward-looking comments to companies or additional CDIs.”

As always, your thoughts and comments are welcome!

Cybersecurity Enforcement and Chief Information Security Officers

SolarWinds Corporation, a provider of IT infrastructure management software products, completed its IPO in the fall of 2018.  In its IPO registration statement and periodic reporting, the company disclosed lengthy cybersecurity risk factors.  For example, in its December 31, 2019 Form 10-K, the company included this risk factor:

If we sustain system failures, cyberattacks against our systems or against our products, or other data security incidents or breaches, we could suffer a loss of revenue and increased costs, exposure to significant liability, reputational harm and other serious negative consequences.

We are heavily dependent on our technology infrastructure to sell our products and operate our business, and our customers rely on our technology to help manage their own IT infrastructure. Our systems and those of our third-party service providers are vulnerable to damage or interruption from natural disasters, fire, power loss, telecommunication failures, traditional computer “hackers,” malicious code (such as viruses and worms), employee or contractor theft or misuse, and denial-of-service attacks, as well as sophisticated nation-state and nation-state-supported actors (including advanced persistent threat intrusions). The risk of a security breach or disruption, particularly through cyberattacks or cyber intrusion, including by computer hacks, foreign governments, and cyber terrorists, has generally increased the number, intensity and sophistication of attempted attacks, and intrusions from around the world have increased. In addition, sophisticated hardware and operating system software and applications that we procure from third parties may contain defects in design or manufacture, including “bugs” and other problems that could unexpectedly interfere with the operation of our systems.

Because the techniques used to obtain unauthorized access or to sabotage systems change frequently and generally are not identified until they are launched against a target, we may be unable to anticipate these techniques or to implement adequate preventative measures. We may also experience security breaches that may remain undetected for an extended period and, therefore, have a greater impact on the products we offer, the proprietary data contained therein, and ultimately on our business.

The foregoing security problems could result in, among other consequences, damage to our own systems or our customers’ IT infrastructure or the loss or theft of our or our customers’ proprietary or other sensitive information.

(Note:  Balance of the risk factor is omitted.)

This risk factor provides a general discussion of cybersecurity risk.  It does not address the nature and extent of actual cybersecurity risks facing the company, any specific steps the company is taking to address cybersecurity risk, or the strengths and weaknesses of the company’s cybersecurity defenses.

After the company experienced a major cybersecurity breach, these issues were at the center of the SEC’s charges against the company and, interestingly, the company’s Chief Information Security Officer (“CISO”).  According to the SEC’s Press Release and the related Complaint, the company was aware that its defenses against cybersecurity attacks were weak and that the company was extremely vulnerable to cyberattack.

The Press Release states:

“SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with Brown (The CISO), that SolarWinds’ remote access set-up was ‘not very secure’ and that someone exploiting the vulnerability ‘can basically do whatever without us detecting it until it’s too late,’ which could lead to ‘major reputation and financial loss’ for SolarWinds.”

Similarly, as described in the Press Release and Complaint, in 2018 and 2019 the CISO made presentations that stated the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate.”

SolarWinds’ public statements about its cybersecurity practices and risks were very different from its internal discussions and documentation.  As companies implement the SEC’s new cybersecurity disclosures, there are clear lessons in this case.

The Press Release and Complaint provide more details and discussion.

As always, your thoughts and comments are welcome!