As our clients and friends know, each year Mintz provides an analysis of the regulatory developments that impact public companies as they prepare for their fiscal year-end filings with the Securities and Exchange Commission (SEC) and their annual shareholder meetings. This memorandum discusses key considerations to keep in mind as you embark upon the year-end reporting process in 2024.

In 2023, the SEC adopted its final rule on cybersecurity disclosure, which requires disclosure of cybersecurity risk management, strategy, and governance in the Annual Report on Form 10-K and disclosure of material cybersecurity incidents in a Current Report on Form 8-K. Many public companies have been reviewing their cybersecurity programs, updating their incident response plans, and preparing company-specific disclosure to comply with the new disclosure requirements in the upcoming Form 10-K, as well as updating their disclosure controls and procedures to address the new Form 8-K disclosure requirements. In addition, many companies that are not already subject to the new quarterly disclosure requirements with respect to Rule 10b5-1 trading plans will need to begin including this disclosure in their upcoming Form 10-K. Listed companies are now required to have clawback policies for compliance with new Nasdaq and NYSE rules, while public companies still have one more year to prepare for the new annual disclosure obligations relating to insider trading policies.

Like every year, companies will also need to review and update their MD&A and risk factors sections of their Form 10-K to reflect the key trends and risks facing the company. In this memorandum, we discuss a few key topics, including inflation, artificial intelligence, China-related risks, weather-related risks, and environmental, social and governance (ESG) risks, for companies to consider when updating their MD&A and risk factors.

In preparing for their 2024 annual shareholder meetings, public companies will need to consider early in their annual meeting preparations whether they will be pursuing a reverse stock split to address, for example, compliance with Nasdaq's minimum bid price requirements, and, for companies incorporated in Delaware that took a wait-and-see approach last year, whether they will seek to amend their charter documents to provide for the exculpation of officers for breaches of the fiduciary duty of care, following the success of many companies in obtaining such stockholder approval in 2023.

Throughout 2023, many public companies and their advisers have been anticipating that the SEC would issue its final rule on climate change disclosure, which the SEC's current timetable indicates will be finalized by April 2024. Beyond the SEC's climate change disclosure rule, during 2023, there has been a steady increase in government enforcement of ESG-related activities, California passed its own landmark ESG legislation requiring climate-related disclosure, and companies continue to review ESG priorities and prepare for anticipated disclosure requirements. In the coming year, the SEC has also indicated plans to propose rules relating to corporate board diversity and human capital management disclosure, among other things. Mintz is a leader in assisting companies and their boards in addressing the ESG movement, and the Mintz ESG Practice continues to work with clients on these important issues.

Other developments we discuss in this memorandum include trends in pay-versus-performance disclosure, proxy advisor voting guidelines, and recent litigation impacting corporate governance and disclosure.

SEC Cybersecurity Disclosure Requirements

In July 2023, the SEC adopted the final cybersecurity disclosure rule.1 The new rule, which was initially proposed in March 2022, is designed to enhance and standardize public company disclosures regarding cybersecurity risk management, strategy, governance, and incident disclosures. The rule requires both (1) annual disclosures on Form 10-K (or Form 20-F) regarding cybersecurity risk management, strategy, and governance practices, and (2) current reporting on Form 8-K (or Form 6-K) of cybersecurity incidents. To prepare for the additional disclosures required by the new rule, many public companies have been enhancing their cybersecurity and related reporting policies and practices.

Previous SEC Cybersecurity Guidance.

Until the adoption of the new rule, public companies were not required to comply with comprehensive cybersecurity disclosure requirements, but the SEC has issued important cybersecurity disclosure-related guidance for over a decade. For example, in its 2011 interpretative guidance, the SEC's Division of Corporation Finance indicated that "[a]lthough no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. In addition, material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading," including, for example, disclosure in the risk factors, management's discussion and analysis of financial condition and results of operations, description of the business, legal proceedings, disclosure controls and procedures, and financial statement sections of a public company's periodic reports.2 More recently, in its 2018 guidance, the SEC indicated that "[g]iven the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack" and that "[c]rucial to a public company's ability to make any required disclosure of cybersecurity risks and incidents in the appropriate timeframe are disclosure controls and procedures that provide an appropriate method of discerning the impact that such matters may have on the company and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents."3 To address this guidance, many public companies have been focusing on cybersecurity matters, including risk management and assessing the materiality of cybersecurity incidents, for a number of years. The new rule's comprehensive disclosure requirements, however, are driving many public companies to develop enhanced policies and procedures to ensure the disclosure requirements are met in a timely manner. In addition to focusing on the new rule, it would be prudent for public companies to review the 2011 and 2018 guidance, which continues to provide important direction for required cybersecurity-related disclosure.

Annual Disclosure of Cybersecurity Risk Management, Strategy, and Governance.

Under the new rule, public companies are required to include a new cybersecurity disclosure section under Item 1C of Form 10-K (or Item 16K of Form 20-F), which must include the disclosure required by Item 106 of Regulation S-K. In that section, public companies are required to address both (1) cybersecurity risk management and strategy and (2) cybersecurity governance. This new disclosure is mandated for all public companies in their annual reports for fiscal years ending on or after December 15, 2023. This means that for public companies with a December 31 fiscal year-end, the new disclosure will be required in their upcoming Form 10-K (or Form 20-F) for the fiscal year ending December 31, 2023.

Cybersecurity Risk Management and Strategy.

First, public companies are required to describe the company's processes for assessing, identifying, and managing material risks from cybersecurity threats.4 These processes must be described in sufficient detail for a reasonable investor to understand them. The SEC has provided a non-exclusive list of disclosure topics that should be addressed in this disclosure, including: (1) whether and how any such processes have been integrated into the company's overall risk management system or processes; (2) whether the company engages assessors, consultants, auditors or other third parties in connection with any such processes; and (3) whether the company has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider. In addition, companies are required to describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents,5 have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations, or financial condition, and if so, how.

Cybersecurity Governance.

Public companies are also required to describe both the board of directors' and management's roles in cybersecurity governance.6 With respect to the board of directors, the company must include a description of the board of directors' oversight of risks from cybersecurity threats, including, if applicable, identifying any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and describing the processes by which the board or such committee is informed about such risks. With respect to management, the company must describe management's role in assessing and managing the company's material risks from cybersecurity threats. The SEC has provided a non-exclusive list of items to be disclosed, including (1) whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise, such as prior work experience in cybersecurity, any relevant degrees or certifications or any knowledge, skills, or other background in cybersecurity; (2) the processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and (3) whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors. The requirement to disclose board-level cybersecurity expertise was removed in the final rule.

Recommendations for Preparing for Annual Cybersecurity Disclosure.

As companies continue to prepare to make these disclosures in their upcoming Form 10-K or Form 20-F filings, companies should consider focusing on the following compliance steps to enhance their risk management processes, strategy, board oversight, and management's role in addressing cybersecurity risks:

  • Complete a self-assessment of the company's cybersecurity risk management program to identify gaps and prepare for disclosure requirements under the new rule.
  • Assess the company's current cybersecurity governance structure, including whether the oversight responsibility of the audit committee or other appropriate committee is sufficiently clear in the committee's charter, the frequency of reporting by management to the appropriate committee or the board on cybersecurity matters, whether the committee's or board's oversight is being appropriately documented, and whether appropriate resources and personnel are being devoted to cybersecurity management, including third-party resources, based on the company's size, industry, and other factors.
  • Engage a working group that includes the company's cybersecurity professionals and members of the disclosure committee or other personnel involved in preparing disclosure for the company's SEC filings to prepare disclosure that is appropriately tailored to reflect the company's cybersecurity practices, policies, and governance structure, and to help ensure the company's cybersecurity program is appropriately documented to support the disclosures being made.
  • Develop a timetable that allows for improvements in the company's cybersecurity risk management, strategy, and governance to be implemented in advance of the required disclosure.
  • Periodically revisit and refine the process and scope for board and management oversight of cybersecurity risks and processes for addressing cybersecurity threats.


Footnotes

1. SEC, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216, 34-97989, July 26, 2023.

2. SEC, CF Disclosure Guidance: Topic No. 2 – Cybersecurity, October 13, 2011.

3. SEC, Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Release Nos. 33-10459, 34-82746, February 21, 2018.

4. See Item 106(b) of Regulation S-K, 17 CFR § 229.106(b). Under Item 106 of Regulation S-K, "cybersecurity threat" means "any potential unauthorized occurrence on or conducted through a registrant's information systems that may result in adverse effects on the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein." "Information systems" means "electronic information resources, owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant's information to maintain or support the registrant's operations."

5. Under Item 106 of Regulation S-K, 17 CFR § 229.106, "cybersecurity incident" means "an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein."

6. See Item 106(c) of Regulation S-K, 17 CFR § 229.106(c).
