©gorodenkoff/iStock/Getty Images Plus
Annual reporting season will soon be here, and public companies have several new requirements to follow. For U.S. public companies whose fiscal years follow the calendar year, here are some of the more significant changes that the Securities and Exchange Commission is asking you to report in your 10-K since last year.
Cybersecurity
If your fiscal year ends December 15, 2023, or later, the SEC has new requirements for you in terms of what to disclose around hacks or breaches and your company’s attempts to prevent, detect, and address them.
- The SEC is requiring disclosures of strategies and steps for assessing, identifying, and managing cybersecurity risks.
- You’ll also have to disclose management’s role and expertise in assessing cyberthreats that pose material risks.
- The 10-K must include a description of the board of directors’ oversight as well.
Eventually, these disclosures will need to include iXBRLTM tagging to make them more easily consumed by both machines and humans, but that requirement won’t kick in for another year.
If your company is the victim of a hack, breach, or cyber incident, an 8-K must be filed within four business days of determining the incident is material. Assessing the materiality of a cybersecurity incident should be somewhat similar to the process for determining the materiality of a non-financial matter, such as human capital factors or climate risk under today’s SEC rules. But accountants shouldn’t necessarily take on this assessment on their own. They’ll have to lean heavily on other teams such as IT and risk, and will have to consider both quantitative and qualitative data.
Read more here.
iXBRL reminders
Speaking of iXBRL requirements, the SEC published a sample letter of comments it may send securities issuers with disclosures that must be presented in eXtensible Business Reporting Language (XBRL®).
One or a few of your SEC reporting team members with those specialized skills may own XBRL tagging, or perhaps it’s a task you outsource. For those who are not in the weeds of tagging, Workiva has published a list of questions to ask before filing to reduce the risk of an iXBRL error in light of the sample letter. Check it out.
While this topic may not be top of mind, it shouldn’t be forgotten either. XBRL data quality issues, such as the ones addressed in the SEC’s letter, may mean that your XBRL tags are telling a different story to your investors than the one you carefully crafted elsewhere in your earnings release and financial statements.
Clawbacks in executive compensation
New for upcoming annual reports is a requirement for exchanged-listed issuers to disclose policies for recovering erroneously awarded compensation and how the policies have been applied. That disclosure would come in an exhibit filed with the annual report.
iXBRL tagging is required for compensation recovery disclosures too. Clawbacks come into play when a restatement changes whether an executive would have qualified for bonuses or other pay if quarterly or annual reports had been reported correctly the first time. A new checkbox on the cover of the 10-K puts any such restatements front and center.
Find more details from the SEC.
Changing risks
Your last 10-K may have noted the effects of the war in Ukraine, supply chain challenges, labor shortages, COVID-19, or inflation. If any of those issues have dissipated or worsened, be sure to update your risk factors and management discussion and analysis.
On that note, if a hypothetical situation, say the threat of rising interest rates, has affected your business in a very real way, that situation is no longer just a risk. It’s time to review disclosures to make sure they are up to date. The SEC will want investors to know what your leadership knows so they can view the business in the same way.
Climate
It’s been months since the initial proposed timeline for when the SEC thought it might have adopted a final rule on climate-related disclosures. In the meantime, international bodies have adopted standards and regulations of their own that the SEC was probably keen to review.
We wouldn’t be surprised to see the SEC back off some of its proposals given feedback from companies about how they’d compile information on greenhouse gas emissions, especially for Scope 3 emissions. There have also been questions about whether a final rule will still include the 1% materiality threshold for reporting impacts on financial statement line items. (The proposal would require disclosure of the financial statement impacts of huge storms or natural disasters, climate transition activities, and material climate-related risks unless the impact is less than 1% of a line item)
Pro tip: The proposal is an eye-watering 500+ pages. Download a summary here.
Looking globally
Of course, SEC rules aren’t the only regulations affecting U.S. companies. In some cases, companies have chosen to supply information to bodies like CDP, which helps organizations or government bodies disclose environmental impacts, or to ratings agencies. In other cases, ratings agencies or rankers may be crawling your public disclosures to come up with ratings and rankings of your company on their own.
One giant regulation to have on your radar is the Corporate Sustainability Reporting Directive (CSRD). While it was adopted by the European Commission, some U.S. companies—even private ones—may be subject to its requirements.
It’s a bit much to get into here, but Workiva offers a CSRD content hub where you can dig in at your own pace.
Learn how finance executives' teams use Workiva!