As 2023 comes to an end, we reflect on how active the Securities and Exchange Commission’s rulemaking agenda was throughout the year. As companies prepare for their annual reports and proxy statements, we summarize new disclosure requirements that now apply. In this Snapshot, we review the new disclosure requirements effective this quarter and share the SEC’s proposed gift-giving agenda for 2024.
Cybersecurity Incident Disclosure: New Item 1.05 of Form 8-K and Guidance on Delayed Disclosure Applicability
New Item 1.05 of Form 8-K Disclosure Requirement
The SEC’s new cybersecurity incident reporting rule became effective on December 18, 2023. The final rule adds a new Item 1.05 to Form 8-K, which requires the disclosure of certain information following a material cybersecurity incident (as defined in Item 106 of Regulation S-K). The disclosure is required to contain: (i) the material aspects of the nature, scope, and timing of the incident; and (ii) the material impact or reasonably likely material impact on the registrant, including on the registrant’s financial condition and results of operations following a material cybersecurity incident.
The deadline for filing an Item 1.05 Form 8-K is within four business days of the registrant determining the cybersecurity incident is material, rather than the registrant’s discovery of the incident. The rule provides that the company must determine the materiality of a cybersecurity incident without unreasonable delay following discovery. An exception was added permitting delayed disclosure if the United States Attorney General determines that the disclosure of a cybersecurity incident poses a substantial risk to national security or public safety and notifies the SEC of such determination in writing. However, this determination is likely going to be rare given the guidance provided by the United States Department of Justice and the Federal Bureau of Investigation, as discussed below.
As of the date of this report, only two Item 1.05 disclosures have been filed. Both companies disclosed the existence of a cyber incident but deferred whether the incident had a material effect on the companies’ financial operations. In both disclosures, the companies acknowledge the materiality of the incident but state that the effects of the incident on the companies’ overall financial or operational condition are still unknown or unable to be determined.
SEC Guidance on the Delayed Disclosure Exemption for National Security Threats
In response to the time-limited exception to the Item 1.05 Form 8-K disclosure requirement for material cybersecurity incidents, the SEC, DOJ, and FBI all issued guidelines outlining the processes and procedures companies should follow if they wish to defer Form 8-K disclosures of a cyber incident based on national security or public policy grounds.
According to the guidelines, consulting the Attorney General regarding the availability of a delay under Item 1.05(c) of Form 8-K for national security or public safety grounds does not automatically deem a cyber incident as material, and does not, in turn, trigger the disclosure requirements of Item 1.05(a) of Form 8-K.
Additionally, merely requesting a delay to disclose a cyber incident does not relieve a company from its obligation to file an Item 1.05 Form 8-K within four business days of its determination that the cyber incident was determined to be material. So, if the Attorney General does not confirm that a disclosure of the cyber incident poses either a substantial risk to national security or public safety before the deadline to file the Form 8-K, the company is still required to make such a disclosure within four business days of its determination that the cyber incident was material. A company may only delay the disclosure if the Attorney General notifies the SEC in writing before the Form 8-K is otherwise due of its determination that a delay is justified.
If a company is granted a delay and seeks to extend the previously granted delay period, but the Attorney General either rejects or does not respond before the end of the delay period, the company is required to disclose the cyber incident in Item 1.05(a) of Form 8-K within four business days of the end of the previously granted delay period.
Finally, if the Attorney General, during a granted 30-day delay, concludes that disclosure of a cyber incident no longer poses a substantial risk to national security or public safety, the company is required to file an Item 1.05(a) Form 8-K within four business days of the Attorney General’s notification of its determination.
For additional information on the new Item 1.05 to Form 8-K and the new cybersecurity reporting requirements, please see our publication linked here.
Annual Updates for Form 10-K Filings in 2024
The end of the year means it is time for calendar year companies to start thinking about their Form 10-Ks. There are several new disclosure and exhibit requirements effective this year.
Cybersecurity Disclosure
The SEC’s much anticipated cybersecurity risk management, strategy, and governance disclosure will need to be included under Part I, Item 1C under the heading “Cybersecurity”. Pursuant to Item 106 of Regulation S-K, companies must disclose company processes, if any, for assessing, identifying, and managing material risk from cybersecurity threats, as well as whether any risks, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company. Additionally, Regulation S-K Item 106 requires disclosure of the board’s oversight of risks from cybersecurity threats and, to the extent applicable, any board committee responsible for such oversight.
Clawback Disclosure
There are also new disclosure requirements on this year’s Form 10-K relating to the new compensation recovery (“Clawback”) rule. The Clawback rule updates the cover page on the Form 10-K to include two new checkboxes disclosing: (i) whether the financial statements included in the filings reflect correction of an error to previously issued financial statements; and (ii) whether any of those error corrections are restatements that required a recovery analysis. Additionally, the Clawback rule requires disclosure of actions taken pursuant to the company’s compensation recovery policy for erroneously awarded compensation to be included in Part III, Item 11. Finally, the Clawback rule adds a new Exhibit 97, which requires companies to file the company’s Clawback policy with the Form 10-K.
Insider Trading Disclosure
The disclosure requirement of Item 408(a) of Regulation S-K requires companies to include in their Form 10-K whether any of their officers or directors have adopted, terminated or modified any trading arrangements intending to qualify for the affirmative defense conditions of Rule 10b5-1. Disclosure pursuant to Item 408(a) is required for a company’s Form 10-K regarding adoptions, modifications, and terminations made during the fourth quarter of 2023. This will also be the first filing where smaller reporting companies are required to include the disclosure because the delayed compliance period has now passed. Item 408(b) of Regulation S-K also requires companies to disclose whether they have adopted insider trading policies and procedures and, if so, to file their insider trading policy as new Exhibit 19. If a company has not adopted insider trading policies and procedures, it must provide disclosure explaining why it has not.
Corporate Transparency Act: Public Company Exemption and Subsidiary Applicability
On January 1, 2024, the Corporate Transparency Act (the “CTA”) became effective. The CTA requires reporting companies to disclose certain information regarding the company, its Beneficial Owners and Company Applicants (each as defined in the CTA) with the Financial Crimes Enforcement Network (“FinCEN”). If an entity is formed by filing documentation with a Secretary of State, then the company likely must comply with the CTA unless it meets an exemption.
Most of the exemptions apply to entities already subject to federal or state regulation by a governmental entity. Most notably, companies registered with the SEC are exempt from CTA reporting requirements. However, such public company’s subsidiaries may not meet the subsidiary exemption if the public company does not, directly or indirectly, own or control such entity.
Non-exempt companies formed before January 1, 2024 will have until January 1, 2025 to make the required filings. For any non-exempt entities formed after January 1, 2024, a report must be filed with FinCEN within 90 days of formation. For additional information, please see our previous post linked here.
Fourth Quarter Round-Up: Other Rule Adoptions and Disclosure Requirements
Share Repurchase Disclosure Modernization
On December 19, 2023, the United States Court of Appeals for the Fifth Circuit vacated the SEC’s share repurchase disclosure modernization rule. Companies do not have to comply with the requirements in the new rule in the upcoming periodic reports as was originally anticipated. Although the new requirements are vacated, the previous requirements are still in effect and companies must comply with these rules. Under the old rule, companies are required to disclose the monthly aggregate of their share repurchases in a tabular format. Domestic companies are required to disclose this information on a quarterly basis, listed closed-end funds are required to disclose this information on a semi-annual basis, and foreign private issuers are required to disclose this information on an annual basis.
For additional information regarding the share repurchase disclosure modernization rule, see our blog post linked here. For information regarding the subsequent legal developments, please see our previous publications linked here and here.
Modernization of Beneficial Ownership Reporting
On October 10, 2023, the SEC adopted certain changes to modernize rules governing beneficial ownership reporting. The adopted rule amendments: (i) shorten the deadlines for initial and amended Schedule 13D and 13G filings; (ii) require that Schedule 13D and 13G filings be made using a structured, machine-readable data language; and (iii) clarify the Schedule 13D disclosure requirements with respect to derivative securities. The current and amended filing requirements for Schedules 13D and 13G are summarized in the following tables:
Schedule 13D:
Schedule 13G for Qualified Institutional Investors:
Schedule 13G for Passive Investors:
For additional information, please refer to our previous publication linked here.
Additional SEC Guidance on Pay vs. Performance Calculations
The SEC provided new C&DIs on the pay versus performance disclosures required by Item 402(v) or Regulation S-K. As a reminder, the pay versus performance rule requires companies to quantify and describe, in both tabular and narrative formats, the relationship between compensation actually paid to executives and company financial performance for multiple metrics.
The most recent C&DIs provide clarity on the final pay versus performance rule and help companies with calculations – including topics related to equity awards, vesting conditions, determination of the peer group and named executive officers, and changes in issuer status. The C&DIs discuss:
- The treatment of awards granted prior to an equity restructuring and how to handle their inclusion in the calculation of compensation actually paid (C&DI 128D.14);
- The treatment of the fair value of awards granted prior to an IPO (C&DI 128D.15);
- The meaning of “vesting” of awards with regards to market conditions and how to handle their calculation (C&DI 128D.16);
- The meaning of when awards “fail to vest” and how to handle their calculation and impact on compensation actually paid (C&DI 128D.17);
- Awards that have vesting conditioned on retirement eligibility and how to handle the calculation and impact on compensation actually paid (C&DI 128D.18);
- How to account for awards where vesting is determined by certain certification requirements (C&DI 128D.19);
- Appropriate equity valuation methodologies with regards to fair value (C&DI 128D.20 and 128D.21); and
- Guidance on details with regards to the disclosure of awards in the required pay versus performance footnote, to the extent that such disclosure would result in competitive harm to the issuer, and sets forth guidelines for alternative disclosure required in that scenario (C&DI 128D.22).
The link to the pay versus performance C&DIs can be found here.
2024 SEC Expected Rulemaking Agenda:
Additionally, the following anticipated key rules are slated for initial proposal on the Reg Flex Agenda, which we will continue to monitor and advise on proposed rules issued related thereto:
Should you have any questions or need assistance, please contact us.
James C. Kennedy
513.579.6599
[email protected]
F. Mark Reuter
513.579.6469
[email protected]
Allison A. Westfall
513.579.6987
[email protected]
Olivia M. King
513.579.6988
[email protected]