Former high-level staff of the Securities and Exchange Commission recently answered questions during a meeting of the SEC Professionals Group on trends and challenges in SEC reporting.
In the hot seat:
- Christina Thomas, Partner at Kirkland & Ellis LLP and former senior advisor at the SEC, serving most recently as Counsel to Commissioner Elad L. Roisman
- Kyle Moffatt, Partner at PwC and former Chief Accountant and Disclosure Program Director in the SEC’s Division of Corporation Finance
- Patrick Gilmore, Partner at Deloitte and former Deputy Chief Accountant in the Division of Corporation Finance’s Office of Chief Accountant
They discussed the new SEC rule on cybersecurity, SEC Chief Accountant Paul Munter’s recent statement on risk assessments, and more.
Cybersecurity
Under the SEC’s new cybersecurity rule, companies will be required to disclose a cyber incident within four business days of determining the incident is material.
Companies will have to evaluate a mix of factors to determine materiality, Christina said, which could include:
- What data was compromised
- Scope, such as the duration of disruptions or unauthorized access, or the number of employees or customers affected
- History of incidents or number of incidents by the same bad actor
- Litigation/regulatory impacts
Past enforcement actions related to cybersecurity incidents can be informative. “With almost all of them, there was very much a focus on failure to maintain effective disclosure controls and procedures with respect to reporting,” Christina said.
Recent regulations and enforcement actions have underscored the importance of cross-functional collaboration so companies can assess risk holistically, Kyle said. Responses to cybersecurity will probably involve IT teams, the chief security officer, chief information officer, general counsel, outside counsel, and auditors, he said.
Assessing materiality will be an ongoing process, especially since impacts might not be known right away. Consider training so that, for example, an IT leader knows when to escalate an issue to a cross-functional team that can assess materiality.
“It's not going to be easy,” Pat said. “It makes it look like financial statement errors and materiality are a cakewalk compared to this.”
Reassess previously immaterial events if the same bad actor infiltrates multiple times or if the same vulnerability has been exploited multiple times, triggering the need for disclosure.
Christina suggested running tabletop exercises to plan for crises and identify which stakeholders should be included in your cross-functional team. You may discover, for example, that corporate communications teams should be involved early as they may be receiving related inbound inquiries from third parties.
Clawbacks
Companies have until Dec. 1, 2023, to adopt a policy for recovering erroneously awarded incentive-based compensation to Section 16 officers in the case of a restatement of previously filed financial statements. Craft a policy, even if executive compensation isn’t tied to financial statements, and include this policy as an exhibit to annual reports.
Companies will want to think through how a restatement might affect metrics that determine compensation, as well as how to identify which errors would trigger a restatement.
Companies will need to check a box on annual reports if the financial statements reflect a “little r” or “big R” restatement of previously issued financial statements. (Think of a “big R” restatement as the thing everyone wants to avoid and the “little r” as essentially an immaterial correction that you’re not able to fix in the current period.)
Pat anticipates the SEC staff will clarify whether even a correction to an immaterial error in prior year financial statements or footnotes would require a checked box. Otherwise, an unintended consequence may be some companies deciding to leave small errors in prior years uncorrected to avoid having to check the box on the 10-K indicating a restatement.
You may wonder whether a relatively small correction would become material if it would trigger a clawback. Oftentimes, a correction will indeed affect what compensation an executive should’ve received, but that is just one factor you’ll consider in determining materiality of the error. Kyle suggested not merging the materiality assessment of an error with following the steps in your clawback policy. “Do the assessment of materiality on its own, and then you walk through the clawback policy,” he said.
Non-GAAP
Take note of compliance and disclosure interpretations (C&DIs) issued in December 2022, including C&DI 100.01 warning against classifying too many items as a normal, recurring cash operating expense.
“Some companies are throwing a lot of things in there,” Pat said. “It’s not that you can't adjust for those items, but you have to label them correctly. Disclosure is key.”
Kyle added, “Ensure you're actually complying with your disclosure controls and procedures as it relates to non-GAAP.”
A trend Christina is now seeing is companies wanting to specifically reference non-GAAP in their disclosure controls and procedures.
Climate
Christina noted the “Reg Flex” agenda that listed an October time frame for a final SEC climate disclosure rule is not a commitment by the SEC to adopt a rule by the end of October.
Could the SEC wait and see how the market reacts to legislation in California and the European Commission’s Corporate Sustainability Reporting Directive (CSRD)?
Either way, gather your cross-functional team to determine which requirements would apply to your company, and then assess gaps between the data you have and what you’d be required to report, Kyle said. A cross-functional team will have to collaborate to compile those disclosures and prepare them for assurance too.
Risk assessments
In August, Paul Munter released a statement on the importance of a comprehensive risk assessment by auditors and management.
What Kyle took away from it is the need to understand all risks to a company, how they’re related or not related, and potential impacts.
“My conversations with boards, specifically audit committees, have really focused on taking a holistic view of the organization and thinking about all of these risks in the collective,” he said. “But at some point you have to prioritize. You have to say, ‘What really is the risk that impacts us most? Let's go through that analysis.’”
XBRL
The SEC’s sample letter on eXtensible Business Reporting Language (XBRL®) disclosures is a sign the commission will start issuing comments to companies in different industries if there are mistakes in XBRL tagging, Pat said.
“Just make sure you have everything up to snuff on XBRL,” he said.
XBRL® is a trademark of XBRL International, Inc. All rights reserved. The XBRL™/® standards are open and freely licensed by way of the XBRL International License Agreement.