Category Archives: Hot Topic

Insider Transaction and Beneficial Ownership Reporting – An Enforcement Reminder

On September 25, 2024, the Enforcement Division announced settled actions against 23 companies and individuals relating to Section 16 and Section 13 reporting.  The various actions involved:

Failure of individuals to file Section 16 reports;

Failure of companies to report delinquent Section 16 reports; and

Failure of companies to file Forms 13D, 13G, 13F, and Section 16 reports.

The companies and individuals involved paid fines totaling $3.8 million.  The Enforcement Division included a link to a September 27, 2023 announcement of a similar sweep involving 11 cases, making it clear that this continues to be a focus of their work.

As always, your thoughts and comments are welcome.

Still an Enforcement Focus – More Attempts to Limit Whistleblower Protections

On September 9, 2024, the SEC announced settled charges against seven companies for attempting to limit whistleblower rights through provisions in employment, separation and other agreements.  As you can read in the SEC’s Press Release and the related Orders, one  company tried to force employees to waive their right to whistleblower awards such as those the SEC pays to qualified whistleblowers.

This case is the latest in a litany of recent enforcement actions, including against J.P. Morgan for attempting to limit customers’ ability to blow the whistle and against D.E. Shaw and Co. L.P., Monolith Resources. and CBRE, Inc. for using employee agreements that violated whistleblower protection rules.

All these cases and the related civil penalties send direct and clear reminders to proactively review employment, termination and similar agreements to assure they do not run afoul of the whistleblower protection rules.

As always, your thoughts and comments are welcome!

Yet Another Cybersecurity Enforcement Action

On June 18, 2024, the SEC announced a settled enforcement action against R.R. Donnelly & Sons Co. focused on both ICFR and disclosure controls and procedures related to cybersecurity risk.  As you can read in the related Order, the company used an outside service provider to help monitor cybersecurity matters.  The service provider notified the company’s security personnel about a “network ransomware intrusion.”  Based in part on input from the service provider, R.R. Donnelly did not take further action or conduct a deeper investigation.  In this case the SEC maintains that R.R. Donnelly did not maintain effective ICFR related to cybersecurity risk because the company did not have appropriate controls to respond to these warnings.  In addition, the Order maintains that the company’s disclosure controls and procedures did not appropriately inform management responsible for making disclosure decisions about cybersecurity incidents.

The company, which cooperated with the SEC in the investigation, entered into a cease-and-desist order and paid a $2.125 million civil penalty.

In reaction to this enforcement, Commissioners Hester M. Peirce and Mark T. Uyeda gave a Statement titled “Hey, look, there’s a hoof cleaner! Statement on R.R. Donnelley & Sons, Co.,” which provides an interesting discussion of administrative versus accounting controls related to cybersecurity issues.

You can read about earlier cybersecurity related enforcement actions in this post which involves a CISO and this post which also mentions disclosure controls and procedures.

As always, your thoughts and comments are welcome!

Focus on SEC Comments – Another Common Non-GAAP Comment

Levi Strauss & Co. included the following “schedule” to reconcile various non-GAAP measures to the most directly comparable GAAP measures in its Form 10-K for the year ended November 27, 2022:

As you review this schedule (also take note of the very last line, it has a sort of hidden non-GAAP measure problem), it is apparent that the company did not follow a long-standing position of the staff as stated in this Compliance and Disclosure Interpretation (C&DI):

Question 102.10

Question 102.10(a): Item 10(e)(1)(i)(A) of Regulation S-K requires that when a registrant presents a non-GAAP measure it must present the most directly comparable GAAP measure with equal or greater prominence. This requirement applies to non-GAAP measures presented in documents filed with the Commission and also earnings releases furnished under Item 2.02 of Form 8-K. Are there examples of disclosures that would cause a non-GAAP measure to be more prominent?

Answer: Yes. This requirement applies to the presentation of, and any related discussion and analysis of, a non-GAAP measure. Whether a non-GAAP measure is more prominent than the comparable GAAP measure generally depends on the facts and circumstances in which the disclosure is made. The staff would consider the following to be examples of non-GAAP measures that are more prominent than the comparable GAAP measures:

      • Presenting an income statement of non-GAAP measures. See Question 102.10(c).

(Note:  Balance of the C&DI is omitted)

The above C&DI works in tandem with this incremental discussion of what is considered a non-GAAP income statement:

Question 102.10(c): The staff considers the presentation of a non-GAAP income statement, alone or as part of the required non-GAAP reconciliation, as giving undue prominence to non-GAAP measures. What is considered to be a non-GAAP income statement?

Answer: The staff considers a non-GAAP income statement to be one that is comprised of non-GAAP measures and includes all or most of the line items and subtotals found in a GAAP income statement. [December 13, 2022]

As you would expect, the prominence of this information in Levi Strauss and Co.’s Form 10-K resulted in a comment based on the above C&DIs:

Form 10-K for the Fiscal Year Ended November 27, 2022

Management’s Discussion and Analysis of Financial Condition and Results of Operations Non-GAAP Financial Measures

Adjusted Gross Profit, Adjusted SG&A, Adjusted Net Income and Adjusted Diluted Earnings per Share, page 58

    1. We note that you appear to present full income statements to reconcile your non-GAAP measures on pages 58 and 59. Please tell us your consideration of Questions 102.10(a), 102.10(b), and 102.10(c) of the Compliance and Disclosure Interpretations on Non-GAAP Financial Measures and Item 10(e)(1)(i)(A) of Regulation S-K. This comment also applies to your Form 10-Q for the quarter ended February 26, 2023 and Exhibit 99.1 to Form 8-K furnished on January 25, 2023.

The company’s response was direct and to the point, but unfortunately did not address the presentation of the last line in the schedule above:

The Company respectfully acknowledges the Staff’s comment and confirms that in future filings it will reconcile its non-GAAP measures to the most directly comparable GAAP measures without presenting a non-GAAP income statement. The Company expects that this will be substantially similar to the reconciliation included in Appendix A, which has been illustratively amended for the Staff’s reference.

Appendix A provided individual reconciliations for the non-GAAP measures in the original non-GAAP income statement.  Here is an example of one of the schedules:

However, this was not the end of the comment process.  Because the information presented by Levi Strauss includes a non-GAAP EPS amount, the SEC issued this follow-on comment:

  1. We note that on the last page of Appendix A, you disclose Adjusted Diluted Earnings Per Share at the bottom of your reconciliation of net income to Adjusted Net Income. Please revise to present a reconciliation of diluted EPS to Adjusted Diluted EPS. Additionally, wherever you present a Non GAAP margin measure in Appendix A, please revise to disclose the most comparable margin presented in accordance with GAAP.

The company’s response included an appropriate reconciliation:

The Company respectfully acknowledges the Staff’s comment and confirms that the Company will present a reconciliation of diluted EPS to Adjusted Diluted EPS and include comparable margins presented in accordance with GAAP whenever we present a non-GAAP margin measure in future periodic filings. The Company expects that this will be substantially similar to the reconciliation included in Appendix A, which has been illustratively amended for the Staff’s reference.

After this response the staff sent Levi Strauss and Co. a closing letter.

As always, your thoughts and comments are welcome!

SEC Enforcement for Deficient Disclosures About Related Person Transactions

On March 7, 2024, the SEC announced settled charges against Skechers U.S.A., Inc. for failure to disclose related person transactions in its proxy statements and Part III of Form 10-K.  The Enforcement Order details several instances where family members and persons sharing the same household as directors and executive officers received compensation from Skechers in excess of the $120,000 disclosure threshold specified in Regulation S-K Item 404.  In addition, two executives had loans from the company related to unreimbursed personal expenses paid by the company in excess of $120,000.

This case has a proxy focus similar to the many cases the SEC has brought relating to inadequate perks disclosures.

The company entered into a cease and desist order and paid a fine of $1.25 million.

As always, your thoughts and comments are welcome.

Form 8-K and Cybersecurity Events

When a company experiences a cybersecurity incident it must make a complex materiality judgment to determine if an Item 1.05 Form 8-K is required. The Form 8-K instructions state:

Item 1.05 Material Cybersecurity Incidents.

      • If the registrant experiences a cybersecurity incident that is determined by the registrant to be material, describe the material aspect of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.

In many cases companies may want to make the breach public before a materiality determination is complete. This example is from a February 21, 2024, Form 8-K filed by UnitedHealth Group:

Item 1.05.  Material Cybersecurity Incidents.

On February 21, 2024, UnitedHealth Group (the “Company”) identified a suspected nation-state associated cyber security threat actor had gained access to some of the Change Healthcare information technology systems. Immediately upon detection of this outside threat, the Company proactively isolated the impacted systems from other connecting systems in the interest of protecting our partners and patients, to contain, assess and remediate the incident.

The Company is working diligently to restore those systems and resume normal operations as soon as possible, but cannot estimate the duration or extent of the disruption at this time. The Company has retained leading security experts, is working with law enforcement and notified customers, clients and certain government agencies. At this time, the Company believes the network interruption is specific to Change Healthcare systems, and all other systems across the Company are operational.

During the disruption, certain networks and transactional services may not be accessible. The Company is providing updates on the incident at https://status.changehealthcare.com/incidents/hqpjz25fn3n7. Please access that site for further information.

As of the date of this report, the Company has not determined the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.

How to make this essentially voluntary disclosure on Form 8-K is addressed in this May 21, 2024,  Announcement from CorpFin Director Erik Gerding titled “Disclosure of Cybersecurity Incidents Determined To Be Material and Other Cybersecurity Incidents.”  In the Announcement, Mr. Gerding suggests:

“If a company chooses to disclose a cybersecurity incident for which it has not yet made a materiality determination, or a cybersecurity incident that the company determined was not material, the Division of Corporation Finance encourages the company to disclose that cybersecurity incident under a different item of Form 8-K (for example, Item 8.01).”

He notes that Form 8-K Item 1.05 is actually titled “Material Cybersecurity Incidents” and disclosure of incidents where materiality is not determined could be confusing to investors.

When considering this voluntary disclosure, companies, however, may want to use Item 7.01 (rather than Item 8.01) of Form 8-K so that the information is deemed “furnished” rather than “filed.”  Importantly, from a potential liability standpoint, information that is “furnished” — as opposed to “filed”, is not (unless the company states otherwise):

    • subject to Section 18 of the Exchange Act;
    • incorporated by reference into a registration statement, proxy statement, or other report, which means that it will not be subject to potential liability under Securities Act Section 11.

Companies should use an Item 8.01 Form 8-K only if they want the information to be considered “filed” and thus, for example, incorporated by reference into 33 Act shelf registration statements.  And while some companies may use an 8.01 Form 8-K and include a statement that the information is to be considered furnished rather than filed, such language is a nullity and of no effect – an Item 8.01 Form 8-K is in fact “filed” and such language does not change that status.  It would be the same as including language on the cover of a Form 10-K indicating that “This Annual Report on Form 10-K shall be deemed “furnished” and shall not be deemed “filed” . . .  .” – that would clearly not work.

The Announcement makes the point that it is not intended to discourage companies from making  voluntary disclosures before a materiality determination is made.  In addition, a company that filed voluntarily under a different Form 8-K Item would need to file an Item 1.05 Form 8-K if it later determined that the incident, in fact, was material.  Helpfully, the Announcement also provides a discussion of various considerations in making materiality determinations.

As always, your thoughts and comments are welcome!

Tone at the Top for Auditors and Companies and a Next Step

On May 3, 2024, the SEC announced a settled enforcement case against an audit firm and its owner charging them with “deliberate and systemic failures to comply with Public Company Accounting Oversight Board (PCAOB) standards” in more than 1,500 SEC filings.

In June 2023, the SEC announced a settled enforcement case against another audit firm for accepting so many new SPAC clients that it overloaded its underlying quality control process.  “[I]n hundreds of SPAC audits, [the firm] failed to comply with audit standards related to audit documentation, engagement quality reviews, risk assessments, audit committee communications, engagement partner supervision and review, and due professional care.”

Over the last several years the PCAOB has enforced against nine audit firms and the SEC has enforced against two other firms for creating environments that encouraged and even required cheating on CPE and ethics exams.

Addressing what appears to be a common theme in all these cases, on May 15, 2024, Chief Accountant Paul Munter issued a Statement titled “Fostering a Healthy ‘Tone at the Top’ at Audit Firms.”  In the Statement Dr. Munter starts by acknowledging that audit firms, like other businesses, have a legitimate interest in earning a profit.  He then emphasizes an overriding issue for auditors:

“But audit firms have also been entrusted to be essential gatekeepers in maintaining the integrity of our capital markets. The leaders of audit firms, and the tone that they set, play a central role in ensuring that professionals within audit firms do not sacrifice integrity and professionalism for profit and growth.”

The Statement discusses a hypothetical situation focused on how a firm might handle a partner who has violated the profession’s independence requirements and the implications alternative treatments may have on firm culture and personnel.  He then discusses why tone at the top matters for public accounting firms and ways of instilling a positive tone at the top.

Tone at the top is an important issue not just for auditors but also for company directors and managers.  As an example financial reporting case, you can read Item 9A of this Chemours Form 10-K which states:

“We did not design and maintain an effective control environment as senior management failed to set an appropriate tone at the top resulting in a material weakness.”

When financial reporting and auditing problems are discovered, tone at the top weaknesses are almost always a root cause.  For audit firms and companies that are focused or want to focus on tone at the top considerations, this assessment tool from the Anti-Fraud Collaboration can be helpful.

As always, your thoughts and comments are welcome!