Form 8-K and Cybersecurity Events

When a company experiences a cybersecurity incident, it must make a complex materiality judgment to determine whether an Item 1.05 Form 8-K is required. The Form 8-K instructions state:

Item 1.05 Material Cybersecurity Incidents.

      • If the registrant experiences a cybersecurity incident that is determined by the registrant to be material, describe the material aspect of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.

In many cases companies may want to make the breach public before a materiality determination is complete. This example is from a February 21, 2024, Form 8-K filed by UnitedHealth Group:

Item 1.05.  Material Cybersecurity Incidents.

On February 21, 2024, UnitedHealth Group (the “Company”) identified a suspected nation-state associated cyber security threat actor had gained access to some of the Change Healthcare information technology systems. Immediately upon detection of this outside threat, the Company proactively isolated the impacted systems from other connecting systems in the interest of protecting our partners and patients, to contain, assess and remediate the incident.

The Company is working diligently to restore those systems and resume normal operations as soon as possible, but cannot estimate the duration or extent of the disruption at this time. The Company has retained leading security experts, is working with law enforcement and notified customers, clients and certain government agencies. At this time, the Company believes the network interruption is specific to Change Healthcare systems, and all other systems across the Company are operational.

During the disruption, certain networks and transactional services may not be accessible. The Company is providing updates on the incident at https://status.changehealthcare.com/incidents/hqpjz25fn3n7. Please access that site for further information.

As of the date of this report, the Company has not determined the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.

How to make this essentially voluntary disclosure on Form 8-K is addressed in this May 21, 2024, Announcement from CorpFin Director Erik Gerding titled “Disclosure of Cybersecurity Incidents Determined To Be Material and Other Cybersecurity Incidents.”  In the Announcement, Mr. Gerding suggests:

“If a company chooses to disclose a cybersecurity incident for which it has not yet made a materiality determination, or a cybersecurity incident that the company determined was not material, the Division of Corporation Finance encourages the company to disclose that cybersecurity incident under a different item of Form 8-K (for example, Item 8.01).”

He notes that Form 8-K Item 1.05 is actually titled “Material Cybersecurity Incidents” and disclosure of incidents where materiality is not determined could be confusing to investors.

When considering this voluntary disclosure, however, companies may want to use Item 7.01 (rather than Item 8.01) of Form 8-K so that the information is deemed “furnished” rather than “filed.”  Importantly, from a potential liability standpoint, information that is “furnished,” as opposed to “filed,” is not (unless the company states otherwise):

    • subject to Section 18 of the Exchange Act;
    • incorporated by reference into a registration statement, proxy statement, or other report, which means that it will not be subject to potential liability under Securities Act Section 11.

Companies should use an Item 8.01 Form 8-K only if they want the information to be considered “filed” and thus, for example, incorporated by reference into 33 Act shelf registration statements.  And while some companies may use an Item 8.01 Form 8-K and include a statement that the information is to be considered furnished rather than filed, such language is a nullity and of no effect: an Item 8.01 Form 8-K is in fact “filed” and such language does not change that status.  It would be the same as including language on the cover of a Form 10-K indicating that “This Annual Report on Form 10-K shall be deemed ‘furnished’ and shall not be deemed ‘filed’ . . . .” That would clearly not work.

The Announcement makes the point that it is not intended to discourage companies from making voluntary disclosures before a materiality determination is made.  In addition, a company that filed voluntarily under a different Form 8-K Item would need to file an Item 1.05 Form 8-K if it later determined that the incident, in fact, was material.  Helpfully, the Announcement also provides a discussion of various considerations in making materiality determinations.

As always, your thoughts and comments are welcome!

The Application of IFRS 19, Subsidiaries without Public Accountability in SEC Filings

Cheryl Linthicum, Associate Director at SEC Institute, wrote this post.  You may want to check out the foreign private issuer workshops she and Gary Brown will be leading this year at https://www.pli.edu/programs/seci

IFRS 19, adopted in May 2024, permits financial statements of certain subsidiaries of reporting companies to provide reduced disclosures when applying recognition, measurement, and presentation requirements of IFRS.  On May 17, 2024, SEC Chief Accountant Paul Munter and Corporation Finance Division Director Erik Gerding issued a Statement for foreign private issuers (FPIs) to consider making additional disclosures when including financial statements that apply IFRS 19.

Foreign private issuers are permitted to file financial statements in accordance with either U.S. GAAP or IFRS as issued by the IASB.  A reporting FPI would not be allowed to apply IFRS 19.  However, it is possible in some situations, such as an acquisition of a subsidiary of another company where the subsidiary applies IFRS 19, that financial statements subject to the reduced disclosure requirements of IFRS 19 could be included in an SEC filing.

The SEC’s statement reminds foreign private issuers that in such a situation:

    • The scope of IFRS 19 is limited to entities that do not have public accountability;
    • There may be situations where financial statements that apply IFRS 19 are included in filings with the SEC;
    • In these situations, the staff believes that the requirements of IFRS 19 and the SEC’s disclosure requirements are likely to necessitate additional disclosure in financial statements filed with the SEC; and
    • SEC staff in the Office of the Chief Accountant and in the Division of Corporation Finance are committed to assisting registrants and are available for consultation.

Further Relief for Former BF Borgers Clients

In this blog post we discussed an enforcement action against BF Borgers CPA PC and its owner barring them from public company auditing, along with a Statement to help former clients navigate the impact of this situation.  On May 20, 2024, the SEC provided additional assistance in this Order which allows former clients of BF Borgers 30 days of deadline relief for Form 10-Q, rather than the 5 days specified in Form 12b-25, for filings delayed because of issues in retaining a new auditor.

Tone at the Top for Auditors and Companies and a Next Step

On May 3, 2024, the SEC announced a settled enforcement case against an audit firm and its owner charging them with “deliberate and systemic failures to comply with Public Company Accounting Oversight Board (PCAOB) standards” in more than 1,500 SEC filings.

In June 2023, the SEC announced a settled enforcement case against another audit firm for accepting so many new SPAC clients that it overloaded its underlying quality control process.  “[I]n hundreds of SPAC audits, [the firm] failed to comply with audit standards related to audit documentation, engagement quality reviews, risk assessments, audit committee communications, engagement partner supervision and review, and due professional care.”

Over the last several years the PCAOB has enforced against nine audit firms and the SEC has enforced against two other firms for creating environments that encouraged and even required cheating on CPE and ethics exams.

Addressing what appears to be a common theme in all these cases, on May 15, 2024, Chief Accountant Paul Munter issued a Statement titled “Fostering a Healthy ‘Tone at the Top’ at Audit Firms.”  In the Statement Dr. Munter starts by acknowledging that audit firms, like other businesses, have a legitimate interest in earning a profit.  He then emphasizes an overriding issue for auditors:

“But audit firms have also been entrusted to be essential gatekeepers in maintaining the integrity of our capital markets. The leaders of audit firms, and the tone that they set, play a central role in ensuring that professionals within audit firms do not sacrifice integrity and professionalism for profit and growth.”

The Statement discusses a hypothetical situation focused on how a firm might handle a partner who has violated the profession’s independence requirements and the implications alternative treatments may have on firm culture and personnel.  He then discusses why tone at the top matters for public accounting firms and ways of instilling a positive tone at the top.

Tone at the top is an important issue not just for auditors but also for company directors and managers.  As a financial reporting example, you can read Item 9A of this Chemours Form 10-K, which states:

“We did not design and maintain an effective control environment as senior management failed to set an appropriate tone at the top resulting in a material weakness.”

When financial reporting and auditing problems are discovered, tone at the top weaknesses are almost always a root cause.  For audit firms and companies that are focused or want to focus on tone at the top considerations, this assessment tool from the Anti-Fraud Collaboration can be helpful.

Auditor Fraud and the Related Client Impact

On May 3, 2024, the SEC announced charges against a Colorado audit firm, BF Borgers CPA PC and its owner, Benjamin F. Borgers.  The SEC’s Accounting and Auditing Enforcement Release’s extensive charges include:

“…the deliberate and systematic failure to audit and review public company and SEC-registered broker-dealer clients’ financial statements in accordance with Public Company Accounting Oversight Board (“PCAOB”) standards … and their fraudulent issuance of audit reports falsely representing that they had done so from at least January 2021 through at least June 2023.”

These failures affected over 350 clients and more than 1,500 SEC filings.

The firm and its owner will pay civil money penalties of $12 million and $2 million respectively.  They are also denied the privilege of appearing or practicing before the Commission and censured.

This case is eerily similar to a 2009 case against Moore & Associates Chartered and Michael J. Moore.  That case involved over 300 clients and also resulted in fines and bars.  (Mr. Moore’s violations actually continued, as you can read in this 2015 Litigation Release.)

Both of these cases were brought by the SEC rather than the PCAOB, perhaps because of the structure of the PCAOB’s enforcement activities imposed by the Sarbanes-Oxley Act.  Another interesting aspect of these two cases is the difference in the magnitude of the penalties.  In the Moore case the firm paid disgorgement of $179,500 and Moore paid a penalty of $130,000, amounts significantly less than the BF Borgers penalties.

You can find the PCAOB’s 2022 inspection report for BF Borgers CPA PC here.

Companies and their audit committees should be conscious of the issues created when an audit firm does not perform appropriately.  Because of the magnitude and complexity of the issues former BF Borgers clients face, CorpFin and the Office of the Chief Accountant issued this Statement addressing issues including the requirement to file a change in auditor Form 8-K and the impact on annual and quarterly reporting.

SEC Climate-Related Disclosure One-Hour Briefings

In this blog post we overviewed the SEC’s new climate-related disclosure rules and mentioned that we would be providing two One-Hour Briefings delving into the details of the rules.  Those briefings, both scheduled for April 18, 2024, are now available for registration:

The SEC’s Revolutionary New Climate Disclosure Requirements – A Deep Dive Into Governance, Strategy, and Risk Disclosures – April 18, 2024 – 1:00 PM EDT

The SEC’s Revolutionary New Climate Disclosures – New Greenhouse Gas Disclosure, Attestation, and Financial Statement Disclosure Requirements – April 18, 2024 – 3:00 PM EDT

SEC Adopts Final Rules for Climate-Related Disclosures

In a long-anticipated development, on March 6, 2024, the SEC adopted final rules requiring climate-related disclosures.  The rules add:

    • Non-financial disclosures about climate-related risks, how such risks are managed and related board oversight;
    • Scope 1 and Scope 2 greenhouse gas (GHG) emission disclosures along with phased-in attestation requirements for large-accelerated and accelerated filers;
    • Financial statement disclosures about “capitalized costs, expenditures expensed, and losses incurred as a result of severe weather events and other natural conditions, such as hurricanes, tornadoes, flooding, drought, wildfires, extreme temperatures, and sea level rise, subject to applicable one percent and de minimis disclosure thresholds”;
    • Disclosures about carbon offsets and renewable energy credits or certificates (RECs) if material; and
    • Information about the impact on the estimates and assumptions used to produce the financial statements from risks and uncertainties associated with severe weather events and other natural conditions and other related issues, if material.

To help companies and advisors implement these new requirements, PLI’s SEC Institute will offer several programs.

We will present two One-Hour Briefings delving into the final rules at 1 p.m. and 3 p.m. on April 18, 2024.  The first briefing will focus on governance related disclosures and the second briefing will focus on GHG emission and financial statement disclosures.  We will put links to the briefings in this blog as soon as they are available.

Our Midyear Forums will include in-depth discussion of the details of the rules.

We will also have a special conference in the early fall focused on understanding and implementing these extensive new disclosures.  We will put a link to this conference in this blog as soon as it is available.

You can read more in the related Fact Sheet and the Final Rule Release.