Public Companies Update

July One-Minute Reads

July 31, 2023

SEC Adopts Final Rules on Cybersecurity Disclosure

On July 26, 2023, the Securities and Exchange Commission voted at an open meeting to adopt final rules to enhance and standardize cybersecurity disclosures by public companies. 

The final rules will:

  • Require a company to disclose specified material information about a material cybersecurity incident under new Item 1.05 of Form 8-K within four business days of the company making the determination that the cybersecurity incident was material, subject to a narrow exception for disclosures that would pose a substantial risk to national security or public safety. An instruction to Item 1.05 will require a company to make its materiality determinations “without unreasonable delay,” while an additional instruction will require a company to include a statement identifying any required information that is not determined or unavailable at the time of the filing and then file an amendment to the initial Item 1.05 Form 8-K containing such information within four business days after the information becomes available.
  • Require annual disclosure in reports on Form 10-K pursuant to Item 106 of Regulation S-K regarding:
    • A company’s processes, if any, for assessing, identifying and managing material risks from cybersecurity threats.
    • Whether any risks from cybersecurity threats – including as a result of any previous cybersecurity incidents – have materially affected or are reasonably likely to materially affect a company’s business strategy, results of operations or financial condition.
    • The board of directors’ oversight of risks from cybersecurity threats.
    • Management’s role in assessing and managing material risks from cybersecurity threats.

The final rules will become effective 30 days after publication in the Federal Register.

Companies other than smaller reporting companies will be required to comply with the incident disclosure requirements in Item 1.05 of Form 8-K on the later of 90 days after the date of publication in the Federal Register or December 18, 2023. Smaller reporting companies will have an additional 180 days and will be required to comply with Item 1.05 on the later of 270 days from publication of the adopting release in the Federal Register or June 15, 2024. All companies will be required to comply with the annual disclosure requirements in Item 106 of Regulation S-K, beginning with annual reports for fiscal years ending on or after December 15, 2023. Therefore, for calendar year-end companies, the first report requiring compliance with Item 106 will be the annual report for the 2023 fiscal year filed in 2024. For more information on the final rules, refer to this July 31 PubCo post.

SEC enforcement director speaks on cyber resiliency

Leading up to the adoption of the final rules, the SEC’s enforcement director, Gurbir S. Grewal, spoke on June 22 about cyber resilience, which he defined as a concept recognizing “that breaches and cyber incidents are likely going to happen, and that firms must be prepared to respond appropriately when they do.” In his comments, Grewal cited a recent poll in which more than a third of executives reported that their organization’s accounting and financial data was targeted by cyber adversaries last year. He then shared five principles that the SEC has been using to “ensure that registrants take their cybersecurity and disclosure obligations seriously,” including that:

  1. The SEC considers the investing public to also be potential victims of cyberattacks on publicly traded companies or other market participants; therefore, in addition to ensuring the target responds appropriately, the SEC’s goal is to “prevent additional victimization by ensuring that investors receive timely and accurate required disclosures.”
  2. Having generic “check the box” cybersecurity policies is not sufficient – firms need to design and implement policies that work in the real world.
  3. Companies need to regularly review and update all cybersecurity policies to keep up with constantly evolving threats.
  4. When a cyber incident occurs, the relevant information must be reported up the chain to those making disclosure decisions; otherwise, it doesn’t matter how robust the cybersecurity policies are.
  5. The SEC has “zero tolerance” for instances where decision-makers prioritize concerns of reputational damage over informing customers and shareholders.

In outlining these principles, Grewal cited recent SEC enforcement actions as pertinent examples and as information companies should look to when determining what good cybersecurity compliance looks like. Grewal also reiterated the potential benefits to companies if they meaningfully cooperate with SEC investigations, a theme he has discussed often and that has resulted in no civil penalties being levied against charged companies – including a California-based manufacturer of “smart” windows and the manufacturing company in the case mentioned below – in recent actions. For more information on Grewal’s speech, refer to this July 5 PubCo post.

SEC brings another executive perks case

On June 20, 2023, the SEC announced settled charges against a manufacturing company for failing to disclose perquisites it provided to certain executives, in the latest of a string of perks cases brought by the SEC. As in some other recent cases, the perquisites were mainly expenses associated with the executives’ use of a corporate aircraft. Notably, no civil penalty was imposed against the company, which “self-reported the perquisite disclosure failures and other conduct potentially implicating the federal securities laws, cooperated with the SEC’s investigation, and implemented remedial measures.” To learn more about the charges, refer to the SEC’s order.

The SEC also announced charges against a former executive for causing the manufacturing company to violate proxy solicitation and books and records provisions of the federal securities laws. In addition to being another perks case, this case is another recent example of the SEC rewarding self-reporting and cooperation. SEC Division of Enforcement Director Gurbir S. Grewal noted that this decision reaffirms the division’s commitment “to incentivizing self-reporting and cooperation when entities and individuals discover violations of the federal securities laws.”

SEC continues enforcing revenue recognition, insider trading

Grewal’s division also has brought recent actions targeting two of the SEC’s other focus areas: revenue recognition and insider trading. On June 27, the SEC announced charges against numerous executives for engaging in improper revenue recognition practices to achieve revenue growth that was demanded by their former CEO. Per the revenue recognition complaint, the executives fraudulently and prematurely recognized revenue for orders that remained in the company’s control. The complaint also alleged that another executive should have known that the company prematurely recognized certain revenues and overstated other revenue by misclassifying customer credits as advertising expenses.

On June 29, the SEC separately announced insider trading charges against five individuals arising from trading before the announcement of a tender offer by a pharmaceutical company to acquire another company. Per the insider trading complaint, a vice president at the offering company tipped confidential information about the acquisition to his friend, who then tipped others, with the recipients of the tips purchasing stock and/or call options of the target company prior to the announcement based on the information received. Once the acquisition was announced, the target company’s stock price increased more than 130%.

The SEC also announced another insider trading action against a former Pfizer employee and his friend for trading in advance of the company’s announcement that a clinical trial of its COVID-19 antiviral treatment was successful.

FW Cook publishes findings on pay-versus-performance disclosures

On July 13, FW Cook published an alert on its findings from a review of the pay-versus-performance disclosures in proxy statements filed by S&P 500 companies as of June 1. Key findings from the report include:

  • Profit (56%), revenue (17%) and shareholder returns (12%) were the most common financial performance measures that companies chose as their company-selected measure in the required tabular disclosure.
  • Most companies included profit (88%), total shareholder return (55%) and revenue (51%) in their tabular list of most important financial measures they use, while only 21% included nonfinancial performance measures.
  • 76% of companies used their Form 10-K industry or line-of-business index as their total shareholder return peer group.
  • Most companies included additional financial performance measures beyond the tabular list’s minimum requirement of three.
  • 91% of companies used graphs for the description requirements, with the remaining 9% using a narrative-only description.

For more information on these results, refer to this July 6 PubCo post.

PCAOB issues audit committee resource

On June 21, the Public Company Accounting Oversight Board issued a new resource for audit committees, which includes questions that may be relevant to audit committee members to consider or discuss with their independent auditors in light of today’s economic and geopolitical landscape. The publication divides the questions by topic and includes questions relating to risk of fraud, risk assessment and internal controls, auditing and accounting risks, digital assets, merger & acquisition activities, using the work of other auditors, talent and its impact on audit quality, independence, critical audit matters, and cybersecurity.

Court concludes Disney board within business judgment rule when speaking out on social issues

On June 27, the Delaware Chancery Court published a decision that concluded the Disney board had made a business decision in its determination to publicly oppose Florida’s “Don’t Say Gay” bill. The case involved a books and records demand from a stockholder who asserted there was a potential breach of fiduciary duty by the board when speaking out on the bill. In its decision, the court denied the plaintiff’s request, holding that he had not provided a credible claim of wrongdoing, and he “had not demonstrated a proper purpose to inspect books and records.”

Under Delaware law, directors have significant discretion in making business decisions to guide the company – and the court confirmed here that the board’s decision was within the scope of the business judgment rule. In reaching this finding, the court asserted that choosing to publicly speak on policy issues is an ordinary business decision. Importantly, the court also concluded that a board may consider the interests of nonstockholder stakeholders where those interests are “rationally related” to building long-term stockholder value. For more information on the decision, refer to this July 10 PubCo post.

This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as “Cooley”). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. This content may be considered Attorney Advertising and is subject to our legal notices.