Category Archives: Reporting

An Example Cybersecurity Event Form 8-K

Reporting

On April 12, 2025, Davita, Inc. reported a cybersecurity attack on Form 8-K.  Interestingly, and appropriately, the company did not report the event on Item 1.05.  The instructions for Item 1.05 begin with:

Item 1.05 Material Cybersecurity Incidents.

(a) If the registrant experiences a cybersecurity incident that is determined by the registrant to be material, describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.

As this instruction clearly states, this Form 8-K Item is for material cybersecurity incidents.  That said, many times a company will want to alert investors and others when a cybersecurity incident has occurred, but the company is still in the process of assessing the materiality of the event.  On May 21, 2024, CorpFin issued this Statement addressing how to report a cybersecurity event before a materiality assessment is complete.  In the Statement, CorpFin “encourages” companies to use a different Form 8-K Item, perhaps Item 8.01 or 7.01.

Davita’s Form 8-K was filed under Item 8.01 and includes this language:

Item 8.01. Other Events. 

On April 12, 2025, DaVita Inc. (the “Company” or “we”) became aware of a ransomware incident that has encrypted certain elements of our network. Upon discovery, we activated our response protocols and implemented containment measures, including proactively isolating impacted systems. We are actively working to assess and remediate the incident with the assistance of third-party cybersecurity professionals and have notified law enforcement of the matter.

We have implemented our contingency plans, and we continue to provide patient care. However, the incident is impacting some of our operations, and while we have implemented interim measures to allow for the restoration of certain functions, we cannot estimate the duration or extent of the disruption at this time.

Given the recency of the incident, our investigation and response are ongoing, and the full scope, nature, and potential ultimate impact on the Company are not yet known.

As a final note, remember that Form 8-K Item 8.01 is filed information and Item 7.01 is only furnished.  Careful consideration should be given as to whether a company wants this information to be furnished or filed.

As always, your thoughts and comments are welcome!

SECI’s Period-End Reporting Programs – Register Now!

Reporting, SECI News

As we approach December 31, 2024, SECI is presenting several One-Hour Briefings focused on period-end reporting:

Eleventh Annual Form 10-K/Proxy Tune-Up – December 9, 2024

Tenth Annual Dealing With MD&A Hot Topics  – December 10, 2024

Fifth Annual Form 20-F Tune-Up – February 14, 2025

Fifth Annual Disclosure Committee Tune-Up – January 28, 2025

SECI’s Annual SEC Reporting and FASB Forum (the 40th edition!), is another great resource for keeping current with new rules and regulations emanating from the SEC, FASB, and PCAOB as you prepare for year end.  Attend in-person or view the webcasts scheduled for December 5-6, 2024, in San Francisco and December 19-20, 2024, in New York.

Also be sure to check out SECI’s One-Hour Briefing series focused on frequent SEC comment areas:

SEC Management’s Discussion and Analysis Comments (on-demand)

SEC Non-GAAP Measures and Metrics Comments (on-demand)

SEC Operating Segment Comments (on-demand)

SEC Revenue Recognition Comments (on-demand)

SEC Climate-Related Comments – December 2, 2024

Lastly, be sure to visit our Blog often as we will be exploring frequently encountered problems in Forms 10-K and 20-F in an upcoming series.

To view SECI’s full  curriculum, including our new Operating Segment Disclosures Workshop and our comprehensive two-day SEC Reporting Skills for Financial Professionals, visit us at: https://www.pli.edu/programs/seci

As always, your thoughts and comments are welcome!

ICFR Reporting and Acquisitions

Reporting

In the year a company completes an acquisition, ICFR reporting for the combined business can be problematic.  If the acquired company has been private, or has not built an ICFR evaluation process, it may not be practicable to include the acquired business in the acquiror’s assessment of ICFR, and, if applicable, in the auditor’s attestation report over ICFR.  This is particularly true when an acquisition happens near year end.

Interestingly, this situation is addressed not in Regulation S-X, but in a Sarbanes-Oxley C&DI:

Question 3 

Q: If a registrant consummates a material purchase business combination during its fiscal year, must the internal control over financial reporting of the acquired business be included in management’s report on internal control over financial reporting for that fiscal year?

A: As discussed above, we would typically expect management’s report on internal control over financial reporting to include controls at all consolidated entities. However, we acknowledge that it might not always be possible to conduct an assessment of an acquired business’s internal control over financial reporting in the period between the consummation date and the date of management’s assessment. In such instances, we would not object to management referring in the report to a discussion in the registrant’s Form 10-K or 10-KSB regarding the scope of the assessment and to such disclosure noting that management excluded the acquired business from management’s report on internal control over financial reporting. If such a reference is made, however, management must identify the acquired business excluded and indicate the significance of the acquired business to the registrant’s consolidated financial statements. Notwithstanding management’s exclusion of an acquired business’s internal controls from its annual assessment, a registrant must disclose any material change to its internal control over financial reporting due to the acquisition pursuant to Exchange Act Rule 13a-15(d) or 15d-15(d), whichever applies (also refer to the last two sentences in the answer to question 7). In addition, the period in which management may omit an assessment of an acquired business’s internal control over financial reporting from its assessment of the registrant’s internal control may not extend beyond one year from the date of acquisition, nor may such assessment be omitted from more than one annual management report on internal control over financial reporting.

On February 28, 2023, Lamb Weston Holdings, Inc., a global producer, distributor, and marketer of frozen potato products, acquired LW EMEA, an entity previously accounted for using the equity method.  Item 9A in the company’s Form 10-K for their fiscal year ended May 28, 2023, included this disclosure about the exclusion of the acquired company from the ICFR evaluation:

Our management, under the supervision and with the participation of our Chief Executive Officer and Chief Financial Officer and oversight of the Board of Directors, assessed the effectiveness of our internal control over financial reporting as of May 28, 2023. Management based this assessment on criteria for effective internal control over financial reporting described in Internal Control – Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission. Management’s assessment included evaluation of elements such as the design and operating effectiveness of key financial reporting controls, process documentation, accounting policies, and our overall control environment. Management’s assessment of internal control over financial reporting as of May 28, 2023 excludes internal control over financial reporting related to LW EMEA (acquired February 28, 2023), which accounted for 7% of consolidated net sales and 30% of consolidated total assets as of and for the year ended May 28, 2023. Based on this assessment, management concluded that, as of May 28, 2023, our internal control over financial reporting was effective to provide reasonable assurance regarding the reliability of financial reporting and the preparation of consolidated financial statements for external reporting purposes in accordance with GAAP. We reviewed the results of management’s assessment with the Audit and Finance Committee of our Board of Directors.

As always, your thoughts and comments are welcome!

SEC Enforcement for Deficient Disclosures About Related Person Transactions

Enforcement, Hot Topic, Reporting

On March 7, 2024, the SEC announced settled charges against Skechers U.S.A., Inc. for failure to disclose related person transactions in its proxy statements and Part III of Form 10-K.  The Enforcement Order details several instances where family members and persons sharing the same household as directors and executive officers received compensation from Skechers in excess of the $120,000 disclosure threshold specified in Regulation S-K Item 404.  In addition, two executives had loans from the company related to unreimbursed personal expenses paid by the company in excess of $120,000.

This case has a proxy focus similar to the many cases the SEC has brought relating to inadequate perks disclosures.

The company entered into a cease and desist order and paid a fine of $1.25 million.

As always, your thoughts and comments are welcome.

Form 8-K and Cybersecurity Events

Hot Topic, Reporting

When a company experiences a cybersecurity incident it must make a complex materiality judgment to determine if an Item 1.05 Form 8-K is required. The Form 8-K instructions state:

Item 1.05 Material Cybersecurity Incidents.

      • If the registrant experiences a cybersecurity incident that is determined by the registrant to be material, describe the material aspect of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.

In many cases companies may want to make the breach public before a materiality determination is complete. This example is from a February 21, 2024, Form 8-K filed by UnitedHealth Group:

Item 1.05.  Material Cybersecurity Incidents.

On February 21, 2024, UnitedHealth Group (the “Company”) identified a suspected nation-state associated cyber security threat actor had gained access to some of the Change Healthcare information technology systems. Immediately upon detection of this outside threat, the Company proactively isolated the impacted systems from other connecting systems in the interest of protecting our partners and patients, to contain, assess and remediate the incident.

The Company is working diligently to restore those systems and resume normal operations as soon as possible, but cannot estimate the duration or extent of the disruption at this time. The Company has retained leading security experts, is working with law enforcement and notified customers, clients and certain government agencies. At this time, the Company believes the network interruption is specific to Change Healthcare systems, and all other systems across the Company are operational.

During the disruption, certain networks and transactional services may not be accessible. The Company is providing updates on the incident at https://status.changehealthcare.com/incidents/hqpjz25fn3n7. Please access that site for further information.

As of the date of this report, the Company has not determined the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.

How to make this essentially voluntary disclosure on Form 8-K is addressed in this May 21, 2024,  Announcement from CorpFin Director Erik Gerding titled “Disclosure of Cybersecurity Incidents Determined To Be Material and Other Cybersecurity Incidents.”  In the Announcement, Mr. Gerding suggests:

“If a company chooses to disclose a cybersecurity incident for which it has not yet made a materiality determination, or a cybersecurity incident that the company determined was not material, the Division of Corporation Finance encourages the company to disclose that cybersecurity incident under a different item of Form 8-K (for example, Item 8.01).”

He notes that Form 8-K Item 1.05 is actually titled “Material Cybersecurity Incidents” and disclosure of incidents where materiality is not determined could be confusing to investors.

When considering this voluntary disclosure, companies, however, may want to use Item 7.01 (rather than Item 8.01) of Form 8-K so that the information is deemed “furnished” rather than “filed.”  Importantly, from a potential liability standpoint, information that is “furnished” — as opposed to “filed”, is not (unless the company states otherwise):

    • subject to Section 18 of the Exchange Act;
    • incorporated by reference into a registration statement, proxy statement, or other report, which means that it will not be subject to potential liability under Securities Act Section 11.

Companies should use an Item 8.01 Form 8-K only if they want the information to be considered “filed” and thus, for example, incorporated by reference into 33 Act shelf registration statements.  And while some companies may use an 8.01 Form 8-K and include a statement that the information is to be considered furnished rather than filed, such language is a nullity and of no effect – an Item 8.01 Form 8-K is in fact “filed” and such language does not change that status.  It would be the same as including language on the cover of a Form 10-K indicating that “This Annual Report on Form 10-K shall be deemed “furnished” and shall not be deemed “filed” . . .  .” – that would clearly not work.

The Announcement makes the point that it is not intended to discourage companies from making  voluntary disclosures before a materiality determination is made.  In addition, a company that filed voluntarily under a different Form 8-K Item would need to file an Item 1.05 Form 8-K if it later determined that the incident, in fact, was material.  Helpfully, the Announcement also provides a discussion of various considerations in making materiality determinations.

As always, your thoughts and comments are welcome!

The Application of IFRS 19, Subsidiaries without Public Accountability in SEC Filings

Reporting,

Cheryl Linthicum, Associate Director at SEC Institute wrote this post.  You may want to check out the foreign private issuer workshops she and Gary Brown will be leading this year at https://www.pli.edu/programs/seci

IFRS 19, adopted in May 2024, permits financial statements of certain subsidiaries of reporting companies to provide reduced disclosures when applying recognition, measurement, and presentation requirements of IFRS.  On May 17, 2024, SEC Chief Accountant Paul Munter and Corporation Finance Division Director Erik Gerding issued a Statement for foreign private issuers (FPIs) to consider making additional disclosures when including financial statements that apply IFRS 19.

Foreign private issuers are permitted to file financial statements in accordance with either U.S. GAAP or IFRS as issued by the IASB.  A reporting FPI would not be allowed to apply IFRS 19.  However, it is possible in some situations, such as an acquisition of a subsidiary of another company where the subsidiary applies IFRS 19, that financial statements subject to the reduced disclosure requirements of IFRS 19 could be included in an SEC filing.

The SEC’s statement reminds foreign private issuers that in such a situation:

    • The scope of IFRS 19 is limited to entities that do not have public accountability;
    • There may be situations where financial statements that apply IFRS 19 are included in filings with the SEC;
    • In these situations, the staff believes that the requirements of IFRS 19 and the SEC’s disclosure requirements are likely to necessitate additional disclosure in financial statements filed with the SEC; and
    • SEC staff in the Office of the Chief Accountant and in the Division of Corporation Finance are committed to assisting registrants and are available for consultation.

Further Relief for Former BF Borgers Clients

Reporting, SEC News

In this blog post we discussed an enforcement action against BF Borgers CPA PC and its owner barring them from public company auditing, along with a Statement to help former clients navigate the impact of this situation.  On May 20, 2024, the SEC provided additional assistance in this Order which allows former clients of BF Borgers 30 days of deadline relief for Form 10-Q, rather than the 5 days specified in Form 12b-25, for filings delayed because of issues in retaining a new auditor.

As always, your thoughts and comments are welcome!

SEC Clarifies Current Share Repurchase Disclosure Requirements

Reporting, SEC News

On December 19, 2023, the U.S. Court of Appeals for the Fifth Circuit vacated the SEC’s May 3, 2023, share repurchase disclosure rules (Chamber of Com. of the USA v. SEC, No. 23-60255 (5th Cir.).   As a result of this decision, CorpFin issued this Announcement on February 9, 2024, clarifying that companies should follow the pre-amendment disclosure requirements in S-K Item 703 to provide monthly information about share repurchase transactions.  The following example from Proctor and Gamble’s June 30, 2023 Form 10-K follows the prior rules:

Note that this disclosure is included in Item 5 of Form 10-K.

As always, your thoughts and comments are welcome.

CorpFin Updates Disclosure Guidance for Certain Confidential Treatment Applications

Reporting, SEC News

In 2019 and 2020, CorpFin modernized the process companies use to request confidential treatment.  Prior to the modernization, companies essentially had to request and obtain permission from the staff to redact information from a filing.  The modernized procedure allows companies to redact information in material contracts without specific staff approval if the information is immaterial and customarily and actually treated as private or confidential.  This process is subject to staff review.  While the new process is simpler for companies, the old process is still occasionally used today.

On January 8, 2024, CorpFin updated sections of Disclosure Guidance Topic No. 7 related to confidential treatment applications pursuant to the old guidance, which is in Rules 406 and 24b-2.  In an explanatory note CorpFin explains:

This guidance has been generally updated, including with respect to options for confidential treatment orders that are about to expire. Different extension procedures apply depending on whether the order is greater or less than three years old. The prior version of this guidance referred to a fixed date rather than a rolling three-year period.

You can find the updated Disclosure Guidance Topic here.

As always, your thoughts and comments are welcome!

A Cybersecurity Incident Form 8-K

Hot Topic, Reporting

As we discussed in this blog post, one of the challenges in the SEC’s July 2023 cybersecurity disclosure rules is determining when an Item 1.05 Form 8-K to disclose a material cybersecurity incident will be required.  The Instructions for the 1.05 Form 8-K state:

Item 1.05 Material Cybersecurity Incidents. 

(a) If the registrant experiences a cybersecurity incident that is determined by the registrant to be material, describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.

The instructions also state:

A registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.

On December 18, 2023, V.F. Corporation, a marketer of “Active-Lifestyle Brands,” filed an Item 1.05 Form 8-K.  After a description of the cybersecurity breach and its impact on the company’s operations, the Form 8-K includes this language about materiality:

As the investigation of the incident is ongoing, the full scope, nature and impact of the incident are not yet known. As of the date of this filing, the incident has had and is reasonably likely to continue to have a material impact on the Company’s business operations until recovery efforts are completed. The Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.

As always, your thoughts and comments are welcome!