SEC Enforcement for Deficient Disclosures About Related Person Transactions

On March 7, 2024, the SEC announced settled charges against Skechers U.S.A., Inc. for failure to disclose related person transactions in its proxy statements and Part III of Form 10-K.  The Enforcement Order details several instances where family members and persons sharing the same household as directors and executive officers received compensation from Skechers in excess of the $120,000 disclosure threshold specified in Regulation S-K Item 404.  In addition, two executives had loans from the company related to unreimbursed personal expenses paid by the company in excess of $120,000.

This case has a proxy focus similar to the many cases the SEC has brought relating to inadequate perks disclosures.

The company entered into a cease and desist order and paid a fine of $1.25 million.

As always, your thoughts and comments are welcome.

Form 8-K and Cybersecurity Events

When a company experiences a cybersecurity incident, it must make a complex materiality judgment to determine whether an Item 1.05 Form 8-K is required. The Form 8-K instructions state:

Item 1.05 Material Cybersecurity Incidents.

      • If the registrant experiences a cybersecurity incident that is determined by the registrant to be material, describe the material aspect of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.

In many cases companies may want to make the breach public before a materiality determination is complete. This example is from a February 21, 2024, Form 8-K filed by UnitedHealth Group:

Item 1.05.  Material Cybersecurity Incidents.

On February 21, 2024, UnitedHealth Group (the “Company”) identified a suspected nation-state associated cyber security threat actor had gained access to some of the Change Healthcare information technology systems. Immediately upon detection of this outside threat, the Company proactively isolated the impacted systems from other connecting systems in the interest of protecting our partners and patients, to contain, assess and remediate the incident.

The Company is working diligently to restore those systems and resume normal operations as soon as possible, but cannot estimate the duration or extent of the disruption at this time. The Company has retained leading security experts, is working with law enforcement and notified customers, clients and certain government agencies. At this time, the Company believes the network interruption is specific to Change Healthcare systems, and all other systems across the Company are operational.

During the disruption, certain networks and transactional services may not be accessible. The Company is providing updates on the incident at https://status.changehealthcare.com/incidents/hqpjz25fn3n7. Please access that site for further information.

As of the date of this report, the Company has not determined the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.

How to make this essentially voluntary disclosure on Form 8-K is addressed in this May 21, 2024, Announcement from CorpFin Director Erik Gerding titled “Disclosure of Cybersecurity Incidents Determined To Be Material and Other Cybersecurity Incidents.”  In the Announcement, Mr. Gerding suggests:

“If a company chooses to disclose a cybersecurity incident for which it has not yet made a materiality determination, or a cybersecurity incident that the company determined was not material, the Division of Corporation Finance encourages the company to disclose that cybersecurity incident under a different item of Form 8-K (for example, Item 8.01).”

He notes that Form 8-K Item 1.05 is actually titled “Material Cybersecurity Incidents” and disclosure of incidents where materiality is not determined could be confusing to investors.

When considering this voluntary disclosure, however, companies may want to use Item 7.01 (rather than Item 8.01) of Form 8-K so that the information is deemed “furnished” rather than “filed.”  Importantly, from a potential liability standpoint, information that is “furnished,” as opposed to “filed,” is not (unless the company states otherwise):

    • subject to Section 18 of the Exchange Act;
    • incorporated by reference into a registration statement, proxy statement, or other report, which means that it will not be subject to potential liability under Securities Act Section 11.

Companies should use an Item 8.01 Form 8-K only if they want the information to be considered “filed” and thus, for example, incorporated by reference into 33 Act shelf registration statements.  And while some companies may use an 8.01 Form 8-K and include a statement that the information is to be considered furnished rather than filed, such language is a nullity and of no effect – an Item 8.01 Form 8-K is in fact “filed” and such language does not change that status.  It would be the same as including language on the cover of a Form 10-K indicating that “This Annual Report on Form 10-K shall be deemed “furnished” and shall not be deemed “filed” . . .  .” – that would clearly not work.

The Announcement makes the point that it is not intended to discourage companies from making voluntary disclosures before a materiality determination is made.  In addition, a company that filed voluntarily under a different Form 8-K Item would need to file an Item 1.05 Form 8-K if it later determined that the incident, in fact, was material.  Helpfully, the Announcement also provides a discussion of various considerations in making materiality determinations.

As always, your thoughts and comments are welcome!

Tone at the Top for Auditors and Companies and a Next Step

On May 3, 2024, the SEC announced a settled enforcement case against an audit firm and its owner charging them with “deliberate and systemic failures to comply with Public Company Accounting Oversight Board (PCAOB) standards” in more than 1,500 SEC filings.

In June 2023, the SEC announced a settled enforcement case against another audit firm for accepting so many new SPAC clients that it overloaded its underlying quality control process.  “[I]n hundreds of SPAC audits, [the firm] failed to comply with audit standards related to audit documentation, engagement quality reviews, risk assessments, audit committee communications, engagement partner supervision and review, and due professional care.”

Over the last several years the PCAOB has enforced against nine audit firms and the SEC has enforced against two other firms for creating environments that encouraged and even required cheating on CPE and ethics exams.

Addressing what appears to be a common theme in all these cases, on May 15, 2024, Chief Accountant Paul Munter issued a Statement titled “Fostering a Healthy ‘Tone at the Top’ at Audit Firms.”  In the Statement Dr. Munter starts by acknowledging that audit firms, like other businesses, have a legitimate interest in earning a profit.  He then emphasizes an overriding issue for auditors:

“But audit firms have also been entrusted to be essential gatekeepers in maintaining the integrity of our capital markets. The leaders of audit firms, and the tone that they set, play a central role in ensuring that professionals within audit firms do not sacrifice integrity and professionalism for profit and growth.”

The Statement discusses a hypothetical situation focused on how a firm might handle a partner who has violated the profession’s independence requirements and the implications alternative treatments may have on firm culture and personnel.  He then discusses why tone at the top matters for public accounting firms and ways of instilling a positive tone at the top.

Tone at the top is an important issue not just for auditors but also for company directors and managers.  As an example from a financial reporting case, you can read Item 9A of this Chemours Form 10-K, which states:

“We did not design and maintain an effective control environment as senior management failed to set an appropriate tone at the top resulting in a material weakness.”

When financial reporting and auditing problems are discovered, tone at the top weaknesses are almost always a root cause.  For audit firms and companies that are focused or want to focus on tone at the top considerations, this assessment tool from the Anti-Fraud Collaboration can be helpful.

As always, your thoughts and comments are welcome!

A Different Twist in Whistleblower Protection Enforcement

On January 16, 2024, the SEC announced a settled enforcement action against J.P. Morgan Securities LLC (JPMS) for violating whistleblower protection laws.  As you can read in this post, we have blogged on a number of occasions about companies that have violated these laws by trying to restrict current and former employees from blowing the whistle.  JPMS’s case involves a very different situation, trying to restrict a customer’s ability to blow the whistle.  When advisory clients and brokerage customers received a credit or settlement of over $1,000 from JPMS, the company required them to sign an agreement to keep the details of the settlement and other information confidential.  While the agreements permitted clients to respond to SEC inquiries, they limited their ability to blow the whistle to the SEC.

In the Press Release announcing the settlement, Enforcement Division Director Gurbir S. Grewal noted:

“For several years, it (JPMS) forced certain clients into the untenable position of choosing between receiving settlements or credits from the firm and reporting potential securities law violations to the SEC.”

You can read more about the settlement, in which JPMS entered into a cease and desist order, paid an $18 million fine and was censured, in the related Press Release and Order.

As always, your thoughts and comments are welcome!

A Cybersecurity Incident Form 8-K

As we discussed in this blog post, one of the challenges in the SEC’s July 2023 cybersecurity disclosure rules is determining when an Item 1.05 Form 8-K to disclose a material cybersecurity incident will be required.  The Instructions for the 1.05 Form 8-K state:

Item 1.05 Material Cybersecurity Incidents. 

(a) If the registrant experiences a cybersecurity incident that is determined by the registrant to be material, describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.

The instructions also state:

A registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.

On December 18, 2023, V.F. Corporation, a marketer of “Active-Lifestyle Brands,” filed an Item 1.05 Form 8-K.  After a description of the cybersecurity breach and its impact on the company’s operations, the Form 8-K includes this language about materiality:

As the investigation of the incident is ongoing, the full scope, nature and impact of the incident are not yet known. As of the date of this filing, the incident has had and is reasonably likely to continue to have a material impact on the Company’s business operations until recovery efforts are completed. The Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.

As always, your thoughts and comments are welcome!

Cybersecurity Disclosures – SEC and FBI Guidance

When the SEC issued its new cybersecurity disclosure Final Rule, it created the new Item 1.05 Form 8-K requiring disclosure of material cybersecurity incidents.  You can read more about the Final Rule and the Form 8-K, along with the related implementation timing, in this blog post.

One of the complex issues in the 1.05 Form 8-K is this instruction:

(c) Notwithstanding General Instruction B.1. to Form 8-K, if the United States Attorney General determines that disclosure required by paragraph (a) of this Item 1.05 poses a substantial risk to national security or public safety, and notifies the Commission of such determination in writing, the registrant may delay providing the disclosure required by this Item 1.05 for a time period specified by the Attorney General, up to 30 days following the date when the disclosure required by this Item 1.05 was otherwise required to be provided. Disclosure may be delayed for an additional period of up to 30 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing. In extraordinary circumstances, disclosure may be delayed for a final additional period of up to 60 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security and notifies the Commission of such determination in writing. Beyond the final 60-day delay under this paragraph, if the Attorney General indicates that further delay is necessary, the Commission will consider additional requests for delay and may grant such relief through Commission exemptive order.

The FBI has established a process to request such disclosure delays on this webpage: FBI Guidance to Victims of Cyber Incidents on SEC Reporting Requirements.  Interestingly, the guidance suggests that companies establish a relationship with the cyber squad at their local field office.  It also notes that “delay requests won’t be processed unless they are received by the FBI immediately upon a company’s determination to disclose a cyber incident via 8k.”

On December 14, 2023, CorpFin issued four new Compliance and Disclosure Interpretations in Section 104B (C&DIs) that address questions about the delay process.  The new C&DIs address issues including what a company should do if it contacts the Attorney General, but a determination is not made by the original due date for the Form 8-K.  In this situation, the 8-K must be filed by its original due date.  The C&DIs also clarify that consulting with the Department of Justice about a cyber security incident does not create a presumption that the incident is material.

To provide additional support for companies as they work to provide required cyber security disclosures, on December 14, 2023, CorpFin Director Erik Gerding published this Speech providing an overview of the new rules and specific thoughts about the cybersecurity incident disclosures on Form 8-K and the cybersecurity governance and risk management disclosures required in new Item 1C for Form 10-K.  In his speech, Director Gerding states:

“But I want to reassure companies and their representatives that our Division does not seek to make ‘gotcha’ comments or penalize foot faults.  To the extent appropriate, we may issue forward-looking comments to companies or additional CDIs.”

As always, your thoughts and comments are welcome!