Former high-level staff of the Securities and Exchange Commission spent an hour answering live questions in front of nearly 400 people who attended the SEC Professionals Group Q3 national meeting in Nashville during the Workiva Amplify conference. Pro Group chapters across the country also tuned in.
In the hot seat answering questions on trends in SEC reporting:
Christina Thomas, Partner at Kirkland & Ellis LLP and former senior advisor at the SEC, serving most recently as Counsel to Commissioner Elad L. Roisman
Kyle Moffatt, Partner at PwC and former Chief Accountant and Disclosure Program Director in the SEC’s Division of Corporation Finance
Patrick Gilmore, Partner at Deloitte and former Deputy Chief Accountant in the Division of Corporation Finance’s Office of Chief Accountant
They discussed the SEC’s new rules on cybersecurity and clawbacks, SEC Chief Accountant Paul Munter’s recent statement on risk assessments, and iXBRL disclosures.
Companies were required to disclose material cybersecurity incidents before the SEC adopted its cybersecurity rule this summer, but the new rule aims to bring more rigor to those disclosures.
“This is top of mind for every company right now,” Kyle said. Companies will be required to disclose a cyber incident within four business days of determining the incident is material, but that determination can be challenging in the context of a cybersecurity incident.
Companies will have to evaluate a mix of factors, Christina said, which could include:
What data was compromised
Scope, such as the duration of disruptions or unauthorized access, or the number of employees or customers affected
History of incidents or number of incidents by the same bad actor
Past enforcement actions related to cybersecurity incidents can be informative. “With almost all of them, there was very much a focus on failure to maintain effective disclosure controls and procedures with respect to reporting,” Christina said.
Recent regulations and enforcement actions have underscored the importance of cross-functional collaboration so companies can assess risk holistically, Kyle said. “You can't really have your head in the sand anymore and say, ‘Well, that's not ours. We don't have to deal with that. Or that's a legal call.’ No, it's not. These things are across functions,” Kyle said.
Responses to cybersecurity will probably involve IT teams, the chief security officer, chief information officer, general counsel, outside counsel, and auditors, he said.
Assessing materiality will be an ongoing process, especially since impacts of future litigation or reputational damage might not be known right away. Consider training so that, for example, an IT leader knows when to escalate an issue to a cross-functional team that can assess materiality.
“It's not going to be easy,” Pat said. “It makes it look like financial statement errors and materiality are a cakewalk compared to this.”
The sleeper will be reassessing previously immaterial events if the same bad actor infiltrates multiple times or if the same vulnerability has been exploited multiple times, triggering the need for disclosure.
Christina suggested running tabletop exercises to plan for crises and identify which stakeholders should be included in your cross-functional team. You may discover, for example, that investor relations or communications teams should be involved early on as they may be receiving related inbound inquiries from third parties.
SEC staff are also available to answer questions—though if you reach out, be prepared to deal with an answer you may not necessarily agree with.
Companies have until Dec. 1, 2023, to adopt a policy for recovering erroneously awarded incentive-based compensation to Section 16 officers in the case of a restatement of previously filed financial statements.
Craft a policy, even if executive compensation isn’t tied to financial statements, and include this policy as an exhibit to annual reports. Christina said she’s seeing companies already adopt policies during their most recent board meetings, well before Dec. 1.
Companies will want to think through how a restatement might affect metrics that determine compensation, as well as how to quantitatively and qualitatively identify which errors would trigger a restatement.
Companies will need to check a box on annual reports if the financial statements reflect a “little r” or “big R” restatement of previously issued financial statements. (Think of a big R restatement as the thing everyone wants to avoid and the little r as essentially an immaterial correction that you’re not able to fix in the current period.)
Pat anticipates the Big 4 are not going to ask the SEC staff to clarify whether even a correction to an immaterial error in prior year financial statements or footnotes would require a checked box, but they may provide some guidance on it anyway. Otherwise, an unintended consequence may be some companies deciding to leave small errors in prior years uncorrected to avoid having to check the box on the 10-K indicating a restatement.
You may wonder whether a relatively small correction would become material if it would trigger a clawback. Oftentimes, a correction will indeed affect what compensation an executive should’ve received, but that is just one factor you’ll consider in determining materiality of the error. Kyle suggested not merging the materiality assessment of an error with following the steps in your clawback policy. “Do the assessment of materiality on its own, and then you walk through the clawback policy,” he said.
Take note of compliance and disclosure interpretations (C&DIs) issued in December 2022 (and watch the recording of the session for chatter offering a glimpse behind the scenes on the C&DIs).
One that the panelists noted was C&DI 100.01, which warns against classifying too many items as normal, recurring cash operating expenses.
“Some companies are throwing a lot of things in there,” Pat said. “It's not that you can't adjust for those items, but you have to label them correctly. Disclosure is key.”
Kyle added, “Ensure you're actually complying with your disclosure controls and procedures as it relates to non-GAAP.”
A trend Christina is now seeing is companies wanting to specifically reference non-GAAP in their disclosure controls and procedures.
Christina noted the “Reg Flex” agenda that listed an October time frame for a final SEC climate disclosure rule is not a commitment by the SEC to adopt a rule by the end of October.
Could the SEC press “pause” on its own rule and see how the market reacts to legislation in California and the European Commission’s Corporate Sustainability Reporting Directive (CSRD)?
Either way, gather your cross-functional team to determine which requirements would apply to your company and then assess gaps between the data you have and what you’d be required to report, Kyle said.
A cross-functional team will also have to collaborate to compile those disclosures and prepare them for assurance too.
“When we worked under both Republican and Democratic administrations, what we were trying to do was shrink the 10-K, make it more concise, make it more readable, just highlighting specifically what's material to an investor,” Pat said. “It's a big shift now ... I feel like you're going to have to squint to find the financial statements in there.”
Chief Accountant Paul Munter consistently talks about materiality and the responsibilities of management and gatekeepers. In August, he released a statement on the importance of a comprehensive risk assessment by auditors and management.
What Kyle took away from it is the need to understand all risks to a company, how they’re related or not related, and potential impacts, both quantitatively and qualitatively.
“My conversations with boards, specifically audit committees, have really focused on taking a holistic view of the organization and thinking about all of these risks in the collective. But at some point you have to prioritize. You have to say, ‘what really is the risk that impacts us most? Let's go through that analysis.’”
The SEC’s sample letter on eXtensible Business Reporting Language (XBRL®) disclosures is a sign the commission will start issuing comments to companies in different industries if there are mistakes in XBRL tagging, Pat said.
“Just make sure you have everything up to snuff on XBRL,” he said.