Financial Reporting and Regulatory Update

First Quarter 2018

From the SEC

Technology and Cybersecurity Matters

Cybersecurity Disclosure Guidance

On Feb. 21, 2018, the SEC released interpretive guidance on cybersecurity disclosures, “Commission Statement and Guidance on Public Company Cybersecurity Disclosures,” which reiterates what is already included in Corp Fin’s Disclosure Guidance: Topic No. 2 issued in 2011. It expands upon Corp Fin’s existing guidance by emphasizing the need for disclosure controls and procedures for material cybersecurity events and for insider trading policies in the context of nonpublic cyber event information. The guidance is for both companies that have experienced cyberattacks and those that have not yet been the target of a cyberattack.

As an interpretive release, the guidance includes the SEC’s views on cybersecurity risk and incident disclosure obligations under existing securities laws, including on Forms 10-K, 10-Q, and 8-K. As an SEC interpretation, approved by the SEC commissioners, as compared to the previous Corp Fin disclosure guidance (which represents only Corp Fin’s views), it implicitly raises the bar on the authoritative nature of the guidance.

The interpretive release enumerates the applicable disclosure rules and related matters for public companies to consider as they evaluate their cybersecurity disclosures. It also includes the SEC’s expectations with regards to detailed, timely, accurate, and specific disclosure, as well as acceptable and unacceptable limitations of cybersecurity disclosures.

Disclosure matters addressed by the guidance include the following:

  • Examples of costs and negative consequences from cyberattacks or incidents (pages 3-4)
  • Disclosure obligations – materiality (pages 7-13)
    • Periodic reporting on Forms 10-K and 10-Q (page 8) Registration statements (page 9)
    • Current reports on Form 8-K (page 9)
    • Acceptable and unacceptable limitations of disclosure (pages 11-13)
      • Level of detail should not compromise cybersecurity (page 11)
      • Impact of ongoing internal/external investigations (page 12)
      • Correction of untrue statements (page 12)
      • Generic versus specific disclosure (page 13)
  • Risk factors (pages 13-15)
  • Management’s discussion and analysis (MD&A) (pages 15-16)
  • Description of business (page 16)
  • Legal proceedings (page 16)
  • Financial statement disclosure (page 17)
  • Board risk oversight (pages 17-18)
  • Disclosure controls and procedures (pages 18-20)
  • Insider trading laws and company policies (pages 21-22)
  • Regulation FD – when certain material nonpublic information is required to be publicly disclosed (pages 22-24)

Finally, according to the interpretive release and Chairman Jay Clayton’s statement, Corp Fin staff will remain focused on registrants’ disclosures in this area as part of their filing reviews.

Potentially Unlawful Online Platforms for Trading Digital Assets – Enforcement Statement

In a statement on March 7, 2018, the SEC’s Division of Enforcement and Division of Trading and Markets signaled to entities involved directly or indirectly in online trading of digital (or virtual) assets that they might be subject to a gamut of securities regulation. For example, a trading platform that operates as an “exchange,” as defined by the federal securities laws, is required to register as a national securities exchange unless an exemption applies, and a platform that is not an exchange but offers other trading-related services might be required to register under the securities laws as a broker-dealer, transfer agent, or clearing agency.

The statement also provides resources for investors and other participants in the digital asset markets.

Cybersecurity – Commissioner Robert J. Jackson Jr.

In a speech on March 15, 2018, Commissioner Robert Jackson Jr. covered cyberrisk and the limited amount of disclosure that is provided by public companies related to cyberattacks. He shared his recommendation to his colleagues that Form 8-K requirements governing cyber events should be re-evaluated. He also highlighted the need for policies and procedures to deter insider trading on nonpublic cybersecurity information as well as the risk of hackers profiting from their own cyberattacks. In addition, he covered the requirement to develop internal controls to address cybersecurity, which will require lawyers (and other professionals) to interact with IT experts.

RegTech Data Summit – Commissioner Michael S. Piwowar

In a speech on March 7, 2018, Commissioner Michael Piwowar addressed the 2018 RegTech Data Summit, providing his views on the SEC’s recent activity in the technology space. He covered the Enforcement Division’s report on decentralized autonomous organizations (the DAO report) that presented its view that the federal securities laws apply to virtual entities that issue securities by using distributed ledger or blockchain technology (see also the following section, “Offerings of Virtual Securities – Chairman Jay Clayton”). Piwowar also discussed the use of extensible business reporting language (XBRL) data by various market stakeholders, HyperText Markup Language (HTML) hyperlinks in the exhibit index of SEC filings, the SEC’s Electronic Data Gathering, Analysis, and Retrieval (EDGAR) redesign program, and various technologies used by the SEC to monitor the securities markets.

Offerings of Virtual Securities – Chairman Jay Clayton

In a testimony on distributed ledger technologies including cryptocurrencies and initial coin offerings (ICOs), SEC Chairman Jay Clayton emphasized the role and responsibilities of professional gatekeepers to protect Main Street investors in the securities markets. Speaking before the Senate Committee on Banking, Housing, and Urban Affairs on Feb. 6, 2018, Clayton said that to the extent that ICOs represent an offer and sale of securities (and he believes most do), they are subject to the securities laws. However, many ICOs are not currently being conducted under the securities laws, and, therefore, investors in those offerings are not benefiting from the protections offered by those laws. The SEC is seeking to enforce the securities laws for ICOs as evidenced by recent enforcement actions referenced in Clayton’s testimony. Cryptocurrencies, on the other hand, are more akin to money than a security and are not under the SEC’s jurisdiction.

Prior to testifying before the Senate committee, Clayton delivered opening remarks at the Securities Regulation Institute on Jan. 22, 2018, where he provided his expectations for market professionals in the ICO space.

Corp Fin Matters

Director’s Speech on Corp Fin’s Agenda

On Feb. 1, 2018, William Hinman, director of Corp Fin, delivered the keynote address at the Practising Law Institute’s Seventeenth Annual Institute on Securities Regulation in Europe. In his address, Hinman covered recent Corp Fin actions that reflect efforts to facilitate capital formation in the public markets, such as these:

  • Expanding the confidential review process to all issuers conducting initial public offerings, initial Securities Act and Exchange Act registrations, and certain follow-on offerings within a year of initial registration
  • Allowing non-EGCs (non-emerging growth companies), in addition to EGCs, to omit annual and interim financial information that they reasonably believe will not be required when the registration statement is filed publicly
  • Assisting companies with the pay ratio disclosure by providing guidance for the calculation and use of statistical sampling
  • Clarifying certain Form 8-K filing requirements related to implementing recent tax reform
  • Reminding entities of the option to submit requests to Corp Fin under Rule 3-13 of Regulation S-X for modified financial statements

As for future Corp Fin actions, Hinman signaled that the following are on the agenda:

  • Disclosure guidance for cybersecurity risks and incidents (see the previous “Cybersecurity Disclosure Guidance” section)
  • Rulemaking recommendations to raise the smaller reporting company (SRC) threshold, which potentially would allow more companies to qualify as SRCs
  • Rulemaking recommendations for disclosure simplification across a broad array of existing SEC rules and guidance
  • Proposal recommendations for financial statements of other entities, such as Rule 3-05 (for significant acquired entities) and Rule 3-10 (for guarantors) of Regulation S-X
  • Recommendations to update Industry Guide 3 for financial institutions

New Corp Fin Chief Accountant

On Feb. 15, 2018, the SEC announced that Kyle Moffatt is the new Corp Fin chief accountant. He has been the acting chief accountant since January, and prior to that, he was an associate director in Corp Fin’s disclosure review program.

Other SEC Matters

Mandatory Arbitration Provisions for Shareholders – Investor Advocate Rick Fleming and Commissioner Jackson

In a speech on Feb. 24, 2018, Rick Fleming, Investor Advocate, presented his views on the risks and potential consequences of including mandatory arbitration provisions in IPO issuers’ articles of incorporation or corporate bylaws.

Subsequently, in a speech on Feb. 26, 2018, Commissioner Jackson shared his views and concerns on the topic of requiring investors to rely on mandatory private arbitration rather than public courts.

Investment Product Complexity – Commissioner Kara M. Stein

In a speech on Feb. 23, 2018, Commissioner Kara Stein shared her views on the increasing complexity of certain investment products. She addressed the difficulty in understanding the complex products as well as recommendations for exchanges and professional gatekeepers to consider.

Perpetual Dual-Class Stock – Commissioner Robert J. Jackson Jr.

In a speech on Feb. 15, 2018, Commissioner Jackson covered his views on dual- class capital structures. He discussed inherent risks and historical performance of certain entities with dual-class stock ownership, as well as considerations for limitations on those capital structures in stock index requirements and exchange listing standards.

Relationships Between Corporations and Shareholders – Commissioner Kara M. Stein

In a speech on Feb. 13, 2018, Commissioner Stein discussed the relationship between investors and the companies they own. She covered the topics of cybersecurity, board composition and diversity, shareholder activism, and dual-class capital structures, sharing her views on the need to restore mutualism (which she defined as “a symbiotic relationship between individuals ... in which both benefit from the association”) to the corporation-shareholder relationship.