Each year in our Annual Memo, White & Case's Public Company Advisory Group provides practical insights on preparing Annual Reports on Form 10-Ks, Annual Meeting Proxy Statements and, for FPIs, the Annual Report on Form 20-F. This installment of our Annual Memo will focus on preparations for your Form 10-K, divided into two sections: Annual Report on Form 10-K Housekeeping Considerations in Part I below, and Disclosure Considerations in Part II below.

Part I: Housekeeping Considerations

Our housekeeping reminders for preparing Annual Reports on Form 10-K are as follows:

1. Remember to add the two new check box disclosures to the Form 10-K cover page, and confirm whether or not to check these new boxes. Starting December 1, 2023, public companies were required to have in place a clawback policy compliant with stock exchange listing standards adopted pursuant to the SEC's new clawback rules. As explained in SEC C&DI 104.19, companies must now add two related check box disclosures to the cover page of their Form 10-Ks as follows:

New Check Box #1: Considerations for Box Checking. For New Check Box #1, companies need to confirm if their Form 10-K filing reflects the "correction of an error to previously issued financial statements." Three items of note for this analysis:

1) Exclude Adjustments Recorded in Current Period. An "error" is defined in Accounting Standards Codification Topic 250, Accounting Changes and Error Corrections,¹ but the error only requires a company to check the box if it relates to "previously issued" financial statements – not financial statements for the current period.²

2) Exclude Changes that are Not "Error Corrections". If a change to the financial statements does not represent an error correction under accounting standards (for example, the retrospective revision to reportable segment information, or the retrospective application of a change in accounting principle),³ then a company should not check this first box.

3) Exclude Errors Only Affecting Interim Periods. If an error only affects financial statements of interim periods (rather than annual periods), the Staff has indicated that it would not object to an issuer's decision not to check the box.⁴

New Check Box #2: Considerations for Box Checking. For New Check Box #2, companies need to confirm if an error correction resulted in a financial restatement that "required a recovery analysis of incentive-based compensation received by any of the [company's] executive officers during the relevant recovery period." A "Big R" or "little r" restatement can trigger the checking of this new box, although we believe appropriate exceptions may occur, such as when a company does not award incentive-based compensation to executive officers or a company is otherwise not "required" under applicable rules to perform a recovery analysis of incentive-based compensation received by executive officers.⁵

2. Review your exhibit list and remember to file your new clawback policy exhibit. For your exhibit, remember to (1) confirm inclusion of all required exhibits in accordance with Item 601 of Regulation S-K, including exhibits filed since last year's Form 10-K on Forms 8-K and 10-Q and the newly required clawback policy under Item 106(b)(97) of Regulation S-K;⁶ (2) remove outdated exhibits no longer required to be filed, such as material contracts that have been fully performed; and (3) confirm permissible redactions and omissions in filed exhibits under Item 601 of Regulation S-K (see our 2023 Annual Memo's Housekeeping Considerations for further information on these permissible redactions and omissions).

• New clawback policy exhibit. Since public companies are now required to have in place a clawback policy pursuant to stock exchange listing standards and SEC Rule 10D-1, remember to EDGARize and file this newly required clawback policy as Exhibit 97.1 to your Form 10-K. For the 10-K exhibit list, companies can use a description aligned with Item 601(b)(97), i.e., Policy relating to recovery of erroneously awarded compensation, as required by applicable listing standards adopted pursuant to 17 CFR 240.10D-1. In line with this description, the new clawback exhibit item only applies to the newly required clawback policy adopted pursuant to stock exchange and SEC rules, rather than any other type of clawback policy that a company voluntarily has in place (such as a discretionary clawback triggered by misconduct or reputational harm).

3. Confirm your Filing Status for 2024. As with every year, it is important to confirm your filing status and filing deadline. This year's Form 10-K is due on Thursday, February 29, 2024 for large accelerated filers, Friday, March 15, 2024 for accelerated filers, and Monday, April 1, 2024 for non-accelerated filers.⁷ To confirm your filing status, keep in mind that:

• Determining Public Float: Public float is central to calculating your filing status and is computed as of the last business day of the company's most recently completed second fiscal quarter (June 30, 2023 for calendar year end companies) by multiplying (a) the number of shares of common stock on that day held by non-affiliates⁸ by (b) the closing stock price on that day. As a result, confirming the identity and holdings of affiliates and subtracting out those shares is critical for an accurate calculation of "public float."
• Large Accelerated, Accelerated and Smaller Reporting Thresholds: The public float thresholds for initial qualifications are set forth in Rule 12b-2 of the Exchange Act, but if your company previously qualified as a "large accelerated filer" or an "accelerated filer", or did not qualify as a "smaller reporting company", the thresholds to now move into each respective status are different and lower than those required for the initial qualification (e.g., less than $560 million as opposed to $700 million for accelerated filer status, less than $60 million as opposed to $75 million for non-accelerated filer status, or for the smaller reporting company public float test, less than $200 million as opposed to $250 million).⁹
• Emerging Growth Company (EGC) Status Check. If your company is an EGC, remember to annually assess whether you have ceased to qualify as an EGC based on: (1) having total annual gross revenues of $1.235 billion or more, (2) the passage of time beyond the fifth anniversary of the first date common equity was sold pursuant to an effective registration statement, (3) the issuance of more than $1 billion in non-convertible debt in the previous three years, or (4) becoming a large accelerated filer. See the definition of "emerging growth company" in Rule 12b-2.

4. Stock Repurchase Table Reminder. The SEC's new repurchase rules have now been vacated by a Fifth Circuit court decision.¹⁰ Therefore, these rules are not in effect. However, companies are reminded that they must still comply with Item 703 of Regulation S-K to disclose, among other items, monthly information on their repurchases.¹¹

Appendix A provides additional reminders on form check items, considerations for outstanding registration statements and D&O questionnaire updates.

Part II: Disclosure Considerations

1. Cybersecurity: On July 26, 2023, the SEC adopted mandatory cybersecurity disclosure requirements, which must be provided in a new section (in Part I, Item 1C) of upcoming Form 10-Ks for calendar year end companies. The new disclosure is required for all Form 10-Ks filed for fiscal years ending on or after December 15, 2023. Below we discuss this new disclosure in more detail, including our guiding principles (in Part A below) and the specific disclosure requirements under Item 106 of Regulation S-K (in Part B below).

A. Guiding Principles for Preparing New Cybersecurity Section of Annual Reports. In preparing this new disclosure, guiding principles to consider are the following:

1) Take into Account Existing Cybersecurity Disclosures for Consistency. It will be crucial for SEC and website disclosures to be consistent and provide coherent information for investors about a company's cybersecurity risk management processes. As such, companies should consider and review their existing cybersecurity disclosure for consistency across their:

• SEC filings, including in Risk Factors, Business and MD&A sections of Form 10-Ks and proxy statements, including any descriptions of board oversight of cybersecurity risks.

• Sustainability reports posted on corporate websites, as well as any other relevant disclosures made on such websites, in press releases and at investor conferences.

2) Establish controls and vetting processes to confirm accuracy. The new cybersecurity disclosures in Form 10-Ks will need to be thoroughly vetted among responsible stakeholders internally to confirm accuracy and alignment with the company's own internal risk profile. The SEC's recent enforcement action against SolarWinds emphasizes the importance of aligning disclosures with a company's own internal documentation. For example, in the same month that SolarWinds disclosed only generic and hypothetical cybersecurity risk disclosures, the CISO wrote in an internal presentation that SolarWinds' "current state of security leaves us in a very vulnerable state for our critical assets." 

3) Collect and confirm disclosure sub-certifications. Sub-certifications signed by responsible internal stakeholders should cover this new section of the 10-K to support the CEO and CFO's Sarbanes Oxley certifications filed with the 10-K. In particular, the SolarWinds enforcement action highlights the importance of confirming that certifications are accurate when signed, as well as the involvement of the CISO in Disclosure Committee meetings.¹²

B. Disclosure Requirements for New Cybersecurity Section of Annual Reports. For their new cybersecurity section in Form 10-Ks, companies should confirm compliance with the new line item requirements in Item 106 of Regulation S-K, as summarized below.

Risk Management and Strategy. Under new Items 106(b)(1), companies must:

The SEC's purpose in adopting new disclosure items in Item 106(b)(1) was to "allow investors to ascertain a registrant's cybersecurity practices, such as whether they have a risk assessment program in place, with sufficient detail for investors to understand the registrant's cybersecurity risk profile," while at the same time avoiding details that "could increase a company's vulnerability to cyberattack."¹⁵ In recent remarks, SEC Corp Fin Director Erik Gerding also noted that, unlike the proposed rule, these requirements focus more broadly on a company's cybersecurity processes, providing companies with a non-exclusive list of disclosure items and recognizing that companies will have "diverse approaches to cybersecurity, based on their particular circumstances."¹⁶

Cybersecurity Threat Disclosure. Under new Item 106(b)(2), companies must:

This new requirement in Item 601(b)(2) was proposed in 2022 by the SEC to "equip investors to better comprehend the level of cybersecurity risk the company faces" and "assess the company's preparedness regarding such risk," but also aligns with the SEC's 2018 guidance, which encouragescompanies to address the impact of any prior cybersecurity incidents in their risk factors. We expect many companies to provide a cross reference to existing risk factor disclosure on this point and to consider, as appropriate, any additional disclosure to address and clarify whether or not any cybersecurity incidents experienced to date have constituted a material cybersecurity incident. As the SEC noted, companies should likewise consider whether they need to revisit or refresh any previous disclosure made about cybersecurity incidents as they prepare this disclosure, including during the process of investigating a cybersecurity incident.¹⁷

Governance Board Disclosure. Under new Item 106(c)(1), companies must:

For this requirement in Item 601(c)(1), although the SEC opted not to adopt a proposal to require disclosure of the frequency of board and committee discussions, the SEC specifically noted in the adopting release that the disclosure may include discussion of frequency, including the board or board committee's reliance on "periodic (e.g., quarterly) presentations by the registrant's chief information security officer to inform its consideration of risks from cybersecurity threats."¹⁸ Notably, the SEC also removed its proposed requirement that companies disclose whether any directors have cybersecurity expertise, noting that "effective cybersecurity processes are designed and administered largely at the management level and that directors with broad-based skills in risk management and strategy often effectively oversee management's efforts without specific subject matter expertise as they do with other sophisticated technical matters."¹⁹

Governance Management Disclosure. Under new Item 106(c)(2), companies must:

For this requirement in Item 106(c)(2), the SEC noted that this list is a "non-exclusive list" that companies should consider when describing management's role in cybersecurity oversight, and that this disclosure would "typically encompass identification of whether a registrant has a chief information security officer [(CISO)] or someone in a comparable position." The detailed information required about the CISO's background (including the CISO's prior work experience, knowledge, skills and degrees or certifications held) is notable in that it goes beyond current disclosure requirements regarding other members of company management.

2. Director and Officer 10b5-1 Plan Disclosure: Recently adopted amendments to Rule 10b5-1 require among other things²⁰ quarterly disclosure of (1) whether any director or officer adopted, modified, or terminated a Rule 10b5-1 or "non-Rule 10b5-1" trading plan, and (2) the material terms of the Rule 10b5-1 or non-Rule 10b5-1 trading arrangement (excluding pricing terms).²¹ The disclosure is required to be tagged in inline XBR, and the terms that should be disclosed include: the name and title of the director or officer; the date the plan was adopted, modified or terminated; the plan's duration; and the total amount of securities to be purchased or sold under the plan.

For calendar-year end companies, this disclosure was first required in Form 10-Qs for the quarter ended June 30, 2023 (under Part II, Item 5(c)) and required in each subsequent quarterly and annual reports on Form 10-K (under Part II, Item 9B).²² Companies should take steps to enhance disclosure controls and procedures to capture and report all of the new required information, including adoptions, modifications and terminations of 10b5-1 plans. Although there is no requirement to affirmatively indicate if no plans were adopted for a particular quarter, most S&P 500 companies are either stating "None" under a "Trading Plans" subheading for the relevant Part II item, or otherwise affirmatively stating that "During the quarter ended [date], no director or Section 16 officer adopted or terminated any Rule 10b5-1 trading arrangements or non-Rule 10b5-1 trading arrangements."

In August 2023, the SEC released five new C&DIs providing guidance on the nuances of these Rule 10b5-1 amendments (both with respect to the new conditions for the affirmative defense²³ and the new quarterly disclosure requirement in Item 408 of Regulation S-K²⁴). Among other items, the SEC clarified (in Question 133A.02) that the quarterly disclosure requirement applies to any trading plan covering securities in which an officer or director has a direct or indirect pecuniary interest that is reportable under Section 16, provided that the officer or director has made the decision to adopt or terminate the plan. In addition, in Question 133A.01, the SEC clarified that disclosure regarding termination of a plan is not required for a plan that ends due to its expiration or completion.

Insider Trading Policy Exhibit for Next Year's (Not This Year's) Form 10-K: As a reminder, the requirement to annually disclose information about insider trading policies, including filing the insider trading policy as an exhibit to the Form 10-K, is only required starting with Form 10-Ks filed in 2025 for fiscal year 2024 for calendar year-end companies (and not with upcoming Form 10-Ks filed in 2024).²⁵

3. Review your XBRL Disclosures for Consistency: In September 2023, Corp Fin Staff published a Sample Comment Letter Regarding XBRL Disclosures, which highlights XBRL tagging issues and errors on which the SEC is focusing. The sample comments focus on inconsistent disclosures including:

(i) outstanding shares reported on the cover page and balance sheet being tagged with materially different values; and

(ii) using different XBRL elements to tag the same line item from period to period, without including an analysis as to how the company concluded that the results reported necessitated the change in the element.

The SEC's sample also address custom tagging and pay versus performance tagging issues.²⁶ The Staff emphasized the importance of providing consistent and accurate information throughout a registrant's filings, and cautioned that companies may be asked to amend or revise their disclosures if they failed to comply with the EDGAR Filer Manual.²⁷ Companies should therefore review the required XBRL data to confirm they are tagging information appropriately. This could include designating members of the financial reporting team to receive technical training on XBRL so they can review tagging for accuracy and consistency.

4. Remember to Update Risk Factors. Risk factor disclosure is a critical part of the Form 10-K, and there were many developments in 2023 that companies should consider as they draft their risk factors. These considerations include developments with respect to (1) cybersecurity, (2) artificial intelligence, (3) macroeconomic considerations, (4) international geopolitics, (5) climate and (6) internal controls. For a discussion of these developments and important tips for drafting risk factors, see our recent client alert Key Considerations for Updating 2023 Annual Report Risk Factors.

5. MD&A Considerations. MD&A remained one of the top targets of SEC Staff comments, with the majority of this year's comments focused on disclosures about results of operations. Many comments related to a company's lack of sufficiently detailed disclosures about the reasons for material period-to-period changes in the financial statement line items.²⁸ These included comments reminding companies that if two or more factors contributed to a material period-to-period change in a financial statement line item or subtotal, Item 303 of Regulation S-K requires disclosure of the reasons for material changes, in quantitative and qualitative terms, for each factor.²⁹ Comments have also asked about the effects of macroeconomic factors, such as inflation, interest rates and supply chain issues.³⁰ Companies should review their MD&A disclosures to confirm the reasons for material changes are disclosed with sufficient specificity to avoid these types of comments.

6. Artificial Intelligence Considerations for your Annual Report. New artificial intelligence ("AI") technologies present both significant opportunities and significant risks for companies. In addition to risk factor disclosure, companies should consider whether it is necessary or advisable to make disclosures about ways in which AI might impact their strategy, productivity, competition or product demand, which might be appropriately included in the Business section of their Annual Report on Form 10-K or trends sections of the MD&A. When discussing the potential impact of AI, it is important not to "AI" wash, or mislead investors as to your true artificial intelligence capabilities, which SEC Chair Gary Gensler cautioned companies against in a statement in early December. For information on addressing AI in risk factors see our recent client alert Key Considerations for Updating 2023 Annual Report Risk Factors.

7. Mind the Non-GAAP. The SEC Staff continues to focus on non-GAAP financial measures in its comment letters, following the release of updated non-GAAP C&DIs in December 2022³¹ (for a summary of these recent updates, see our "Five Key Reminders on Non-GAAP Compliance" in our 2023 Annual Memo.

In 2023, many of the Staff's comment letters focused on compliance with its C&DIs. For example, the Staff asked registrants whether operating expenses are "normal" or "recurring" and, therefore, whether their exclusion from a non-GAAP financial measure could be misleading based on C&DI Question 100.01.³² The Staff also commented on non-GAAP adjustments to revenue and expenses that could have the effect of changing the recognition and measurement principles required by GAAP, thereby rendering them "individually tailored" and potentially resulting in a misleading measure, based on C&DI Question 100.04.³³ In addition, the Staff continues to focus on whether non-GAAP financial measures comply with Item 10(e) of Regulation S-K, including whether certain performance metrics should have been identified as non-GAAP measures and whether identified non-GAAP measures are presented with the most directly comparable GAAP financial measure at the appropriate prominence level. It is important that companies review any non-GAAP disclosures against SEC requirements and guidance to ensure that non-GAAP measures are appropriately used and compliant with regulatory requirements.

The scrutiny on non-GAAP financial measures also came in the form of an SEC enforcement action in 2023. In March 2023, the SEC issued a cease-and-desist order to DXC Technology Company based on misleading non-GAAP disclosures in its periodic reports and earnings releases.³⁴ According to the SEC's order, DXC materially increased its reported non-GAAP net income by misclassifying tens of millions of dollars of unrelated expenses as transaction related costs and improperly excluded them from its non-GAAP net income, non-GAAP EPS, and other non-GAAP measures. In its order, the SEC specifically noted that the absence of a non-GAAP policy and specific disclosure controls and procedures resulted in subjective determinations made by employees about whether such misclassified expenses were related to an actual or contemplated transaction.

8. Restatements, Internal Controls and Disclosure Controls. Restatements, internal control over financial reporting ("ICFR") and disclosure controls and procedures ("DCPs") are a recent focus of the SEC, including in recent comments made that challenge and question management of public companies regarding the following:

• a company's materiality assessment following a company's disclosure of a "little r" restatement;³⁵
• the effectiveness of ICFR and DCPs when a company corrects a prior-period error;³⁶
• management's judgment when it attributes a material error to a control deficiency but does not conclude that the deficiency is a material weakness;³⁷ and
• disclosure stating that ICFR was ineffective (e.g., when a material weakness was identified) while simultaneously disclosing that DCPs were effective.³⁸

In December 2023, SEC Chief Accountant Paul Munger issued a statement referencing the fact that the statement of cash flows has consistently been a leading source of "little r" restatements and emphasizing the importance of performing an "objective analysis from the perspective of a reasonable investor" when evaluating the materiality of both the financial statement and ICFR impacts of an error in the statement of cash flows.³⁹ In light of the SEC's focus, companies should ensure they have adequate ICFR and DCPs in place and thoroughly evaluate their financial statement procedures, particularly with respect to their statement of cash flows.

9. Climate Change and Sustainability Disclosure. Climate change remains a particularly strong focus of both the SEC and investors. In March 2022, the SEC proposed extensive climate-related disclosure requirements that, if adopted, would require U.S. public companies to dramatically expand the climate-related disclosures in their SEC filings. While these rules are pending (potential action has been delayed until spring 2024), companies should continue to consider their existing climate-related disclosure in light of the SEC's 2010 climate change disclosure guidance.

Companies should also review their disclosures in light of the SEC's sample comment letter on climate disclosure, issued in September 2021, with which the Staff's recent comments on climate-related disclosures continue to align, including comments on:

• Indirect consequences of climate-related business trends, such as decreased demands for goods or services that produce significant greenhouse gas emissions;⁴⁰
• The physical effects of climate change on operations and results;
• Material expenditures for climate-related projects and compliance costs; and
• Whether information contained in sustainability reports is material and therefore required to be included in the Form 10-K⁴¹

In 2023, the Staff continued to issue multiple rounds of letters on climate-related disclosures, particularly if the company's initial response does not address each of the items in the initial comment letter. In several example comment letters, when a company asserted that the effects or costs of climate-related matters was not material, the Staff would ask the company to quantify the effects or costs and explain its analysis of materiality. As a result, climate-related comments had the highest average number of rounds of comments than any other comment type, and companies should carefully consider their disclosures in light of these types of comments. In addition, companies should confirm they have appropriate controls around climate disclosures to ensure that climate-related disclosures are properly supported and documented, and are consistent throughout all the company's publicly-available disclosures.

10. Consider your Human Capital Management (HCM) Disclosures.⁴² The fiscal year 2023 Form 10-K is the fourth annual report in which US public companies must comply with amended Item 101 of Regulation S-K, which requires a description of human capital resources and human capital measures or objectives that the company focuses on in managing its business, to the extent material to the company as whole.⁴³

Based on White & Case survey information of Fortune 50 companies' disclosure in recent years, companies have covered a broad range of topics in their HCM disclosure, including employee engagement, employee health and wellness, flexible work arrangements, pay equity and diversity, equity and inclusion ("DEI").⁴⁴ Although there have been substantial differences between companies' disclosures in terms of the length of their disclosure and the range of topics covered, there is a trend towards companies increasing their HCM-related disclosures, including in some cases an increase in quantitative information.

For upcoming Form 10-Ks, companies should consider which human capital measures or objectives the board and senior management focused on during fiscal 2023, and how these should be discussed in the company's disclosure. Companies should also consider whether recent developments in their operations and industry warrant updates to their HCM disclosures, such as in light of labor inflation or cost-cutting measures in light of macroeconomic pressures.

The following White & Case attorneys authored this alert: Maia Gez, Scott Levi, Melinda Anderson, Danielle Herrick and Sarah Hernandez.

1 See Footnote 72 of the SEC adopting release on the clawback rules.
2 As the SEC adopting release on the clawback rules notes, "sometimes the correction of an error is recorded instead in the current period financial statements – commonly referred to as an out-of-period adjustment – when the error is immaterial to the previously issued financial statements, and the correction of the error is also immaterial to the current period. We agree with that commenter that an out-of-period adjustment should not trigger a compensation recovery analysis under the final rules, because it is not an accounting restatement."
3 For a list of retrospective changes that do not represent an error correction, see pages 37 to 38 of the SEC adopting release on the clawback rules, and the text accompanying footnotes 112 through 116, available here.
4 The Center for Audit Quality posted this in its highlights from a meeting with SEC staff, in which it stated: "For example, assume a registrant presents (in an unaudited note to the financial statements for the fiscal year ended 20X3 in Form 10-K) the correction of material misstatements in its financial statements for the interim periods ended 03/31/X3, 06/30/X3, and 09/30/X3. The error only affected those interim periods. The annual periods presented in the 20X3 Form 10-K were not impacted by the errors…The staff indicated that in the above scenario, it would not object if the checkbox referred to above was not checked."
5 For companies that have a "Big R" or "little r" restatement but do not check this box, we would recommend considering a brief explanation to disclose why checking the box was not applicable or appropriate under the facts and circumstances.
6 This includes the description of securities for securities registered under Section 12 of the Exchange Act. See Item 601(b)(4)(iv) of Regulation S-K.
7 See the SEC's helpful information on filing deadlines.
8 "Holdings" only includes shares of common stock that are outstanding. Thus, "holdings" excludes shares of common stock that have not yet been issued but are still considered "beneficially owned" under Rule 13d-3 insofar as they can be acquired within 60 days (e.g., shares underlying exercisable options). The term "affiliate" is defined under Rule 12b-2 of the Exchange Act as "a person that directly, or indirectly through one or more intermediaries, controls, or is controlled by, or is under common control with, the person specified." An individual or entity's status as an "affiliate" is a fact-specific inquiry which must be determined by considering all relevant facts and circumstances; however, the Commission has indicated that status as an officer, director or 10% stockholder is one fact which must be taken into consideration in such inquiry. See American-Standard, SEC No-Action Letter (October 11, 1972).
9 See Rule 12b-2 of the Exchange Act for the definitions of "large accelerated filer", "accelerated filer" and "smaller reporting company," and the SEC's helpful guides for determining filing status and smaller reporting company status. Each issuer should run this calculation as facts and circumstances vary depending on prior qualifications. For example, if a company had previously been a large accelerated filer, the subsequent qualification thresholds to become an accelerated filer are less than $560 million but $60 million or more, or to become a non-accelerated filer, less than $60 million, in each case, in public float. In addition, for the revenue test to qualify as an SRC, as opposed to the public float test, the lower thresholds also differ and are 80 percent of the prior thresholds that were failed (i.e., less than $560 million in public float (if it previously had more than $700 million in public float under the public float prong of the revenue test) and less than $80 million in revenue (if it previously had more than $100 million in revenue under the revenue prong of the revenue test)).
10 The Court's opinion is available here.
11 For this purpose, keep in mind that the withholding of restricted stock (or the tendering of outstanding shares owned by an employee) to pay taxes due upon vesting must be disclosed under Item 703 because the issuer is acquiring its own outstanding shares. However, if the equity at issue was never outstanding (for example, in the case of withholdings of restricted stock units, or forfeitures of restricted stock when vesting conditions have not yet been satisfied), then no such disclosure is required. See Regulation S-K Compliance and Disclosure Interpretations, Questions 149.01 and 149.02.
12 For example, the complaint notes that SolarWinds failed to follow its own certification controls "including failing to use and document a list of controls in connection with certifications by Company officials" and while the CISO certified to the effectiveness of the Company's controls, he was unable to identify the relevant controls and instead "certified based on his general sense of the quality of those controls, while failing to identify the Company's extensive shortcomings in areas such as access controls" (see page 60 of the complaint). Further, despite being aware of issues and deficiencies, "[the CISO] signed sub-certifications relied on by senior executives, confirming that all material incidents had been disclosed to the executives responsible for the Company's securities filings" (see page 51 of the complaint).
13 The SEC noted that it added a "materiality qualifier" here and that the types of risks that registrants may face include the following: "intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy laws and other litigation and legal risk; and reputational risk." See page 62 of SEC cybersecurity adopting release, available at Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.
14 Per the SEC adopting release, the rationale for this requirement regarding assessors and consultants is that the SEC understands that many registrants rely on third-party service providers for some portion of their cybersecurity and believes it "important for investors to know a registrant's level of in-house versus outsourced cybersecurity capacity," but that registrants are not required to name the third parties. See pages 63 to 64 of SEC cybersecurity adopting release, available at Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.
15 See page 61 of SEC cybersecurity adopting release, available at Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.
16 See Erik Gerding, Director Division of Corporation Finance, December 14, 2023 speech, available here; also see page 61 of SEC cybersecurity adopting release, available at Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.
17 See footnote 229 of the SEC adopting release, available at Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.
18 See page 69 of the SEC adopting release, available at Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.
19 See page 85 of the SEC adopting release, available at Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, and Erik Gerding, Director Division of Corporation Finance, December 14, 2023 speech, available here.
20 The new rules also: (i) add five new conditions to the availability of the affirmative defense under Rule 10b5-1 (as further discussed below) (ii) update Forms 4 and 5 to require filers to identify transactions made pursuant to a plan that is intended to satisfy the affirmative defense conditions of Rule 10b5-1(c), and (iii) require all bona fide gifts of securities be reported on Form 4 within two business days. 
21 See new Item 408(a) of Regulation S-K. New CDI 113A.01 explains that this requirement does not include termination of a plan due to its expiration or completion. 
22 Starting with the Form 10-K for fiscal year 2024, companies will also be required to disclose annually, in Form 10-K and proxy and information statements on Schedules 14A and 14C whether they have adopted insider trading policies and procedures, or explain why they have not done so, and to file a copy of their insider trading policies and procedures as an exhibit to Form 10-K. These disclosures will be subject to the certifications required by Section 302 of the Sarbanes-Oxley Act of 2002, including the attestation as to the accuracy of the statements.
23 See SEC Compliance & Disclosure Interpretations 120.29, 120.30 and 120.31, available here.
24 See SEC Compliance & Disclosure Interpretations 133A.01 and 133A.02, available here.
25 In light of the increased focus on insider trading policies, companies may want to take this opportunity to reassess their policies in light of the amendments and also to consider any appropriate updates to such policies to align with the new rule requirements, as well as current market practice.
26 The illustrative comments provided in the sample letter, which are not an exhaustive list, addressed the following topics: (i) compliance with Inline XBRL presentation requirements; (ii) outstanding shares reported on the cover page and balance sheet that are tagged with materially different values (i.e., where one value is presented in a whole amount and the other value is presented in thousands); (iii) inline XBRL tagging requirements for pay versus performance disclosures; (iv) separate Inline XBRL tags for each required data point in pay versus performance relationship disclosure presentations under Regulation S-K Item 402(v)(5), even if combined in one graph, table or other format; (v) different XBRL elements used to tag the same reported line item on the income statement from period to period; and (vi) using a custom tag instead of an XBRL element consistent with current U.S. GAAP in the income statement.
27 The manual is available here.
28 For example: "Please expand your discussion and analysis to address changes in revenues with reference to both volumes and prices to comply with Item 303(b)(2)(iii) of Regulation S-K. For example, quantify the volumes sold for each period, address the reasons for material changes in volumes, and provide similar commentary on the effects of material changes in unit prices as may pertain to revenues reported for both of your reportable segments."
29 For example: "In your analysis of "gross profit" for each period presented, you state sales growth is a factor for gross profit increases. Please explain to us and disclose the extent of this effect. Since, presumably, cost of sales also increases with sales increases, discuss the relative impact of each on your gross profit margins. Also, please explain to us and disclose the reasons why gross profit margins changed in the periods presented. If product mix contributes to gross profit margin changes, discuss the extent and the products that are the primary contributors and why (e.g., "product A provides more/less margin because ..."). If inflation has affected your costs and margins, explain the relative effect of each. Refer to Item 303 of Regulation S-K and Section III.B.4 of Release No. 33-8350 for guidance."
30 For example: "You disclose you have been impacted by negative macroeconomic trends, including a condensed labor market, wage inflation, global supply chain issues and inflation affecting your revenues and underwriting. Please expand your disclosure to identify the principal factors contributing to these issues and clarify the resulting impact on you. Additionally, disclose any known trends or uncertainties regarding these issues that are reasonably likely to have a material impact on your cash flows, liquidity, capital resources, cash requirements, financial position or results of operations. Refer to Item 303(b)(2)(ii) of Regulation S-K."
31 Specifically, the SEC updated Non-GAAP Financial Measures C&DIs Questions 100.01, 100.04-100.06, and 102.10(a), (b) and (c), which can be found here. 
32 For example: "Refer to your non-GAAP financial measures: net income from continuing operations excluding special items, earnings per share from continuing operations excluding special items, and operating income excluding special items. It appears that the reconciliations for these non-GAAP financial measures include an adjustment for "restructuring expense," which you have incurred every year since 2012. Please tell us your consideration as to whether these charges represent normal, recurring cash operating expenses necessary for your core operations. Refer to Question 100.01 of the Compliance and Disclosure Interpretations on Non-GAAP Financial Measures. Please note that this comment also applies to the non-GAAP measures presented in your Form10-Q and Item 2.02, Form 8-K."
33 For example: "Your non-GAAP adjustment for deferred tax valuation allowance removes the effects of the valuation allowance from your GAAP tax provision and appears to change your income taxes recognition method, resulting in an individually tailored accounting. Please remove this adjustment from your reconciliation of Net Income (Loss) Attributable to XXX Corp. Shareholders. Refer to Question 100.04 of the Non-GAAP Financial Measures Compliance and Disclosure Interpretations."
34 The SEC's cease-and-desist order is available here.
35 For example, the SEC staff has questioned whether all qualitative and quantitative factors have been considered when a registrant concluded the error is not material to previously issued financial statements, pursuant to the guidance in Staff Accounting Bulletin (SAB) 99, Materiality, and ASC 250.
36 The SEC staff may request additional information such as: a detailed description of the error, including who identified the error, when and how it was identified, and whether it was the result of a control deficiency; and a description of any control deficiency identified, including the registrant's evaluation of the severity of the deficiency and any remediation plans or the rationale for the registrant's conclusion that there was not a material weakness.
37 For example: "With regard to your assessment of [ICFR], explain to us the specific nature and design of the control or controls that you believe had failed regarding this error, and describe in further detail your evaluation of the severity of the control deficiencies and how you considered whether it was reasonably possible that such control deficiencies would fail to prevent or detect a material misstatement. In this regard, it is unclear how you would be able to support a conclusion that it was not reasonably possible that the control deficiencies that led to the errors could not have resulted in a material misstatement in some future period, considering the scenarios where earnings were unusually low, and the error percentages were significantly higher, as you have shown for the second quarters of 2022 and 2021."
38 For example: "We note the disclosure that your disclosure controls and procedures were effective as of September 30, 2022. We also note your disclosure of your remediation plans for material weaknesses over internal controls. Please clarify and disclose the nature of any material weakness, its impact on your financial reporting and ICFR, and management's current plans, if any, or actions already undertaken, for remediating the material weakness. Additionally, please clarify how you can have effective disclosure controls and procedures if a material weakness does exist. We refer you to Item 308(a)(3) of Regulation S-X and 2007 interpretive guidance issued by the SEC in Release No. 34–55929. Please advise or revise."
39 See The Statement of Cash Flows: Improving the Quality of Cash Flow Information Provided to Investors.
40 For example: "To the extent material, discuss the indirect consequences of climate-related regulation or business trends, such as the following: decreased demand for goods or services that produce significant greenhouse gas emission or are related to carbon-based energy sources; increased demand for goods that result in lower emissions than competing products; increased competition to develop innovative new products that result in lower emissions; increased demand for generation and transmission of energy from alternative energy sources; and any anticipated reputational risks resulting from operations or products that produce material greenhouse gas emissions."
41 For example: "We note that you provided more expansive disclosure in your corporate social responsibility report (CSR report) than you provided in your SEC filings. Please advise us what consideration you gave to providing the same type of climate-related disclosure in your SEC filings as you provided in your CSR report." 
42 For more information, see our alert, "SEC Adopts Amendments to Modernize Disclosures and Adds Human Capital Resources as a Disclosure Topic: Key Action Items and Considerations for US Public Companies." 
43 SRCs are not technically required to provide HCM disclosures, but some may do so for investor relations purposes. 
44 In light of affirmative action and other DEI-related litigation and activism, including the Students for Fair Admissions Supreme Court cases, companies should carefully review disclosures regarding employment and other human capital topics, including DEI metrics used in compensation programs. Following the decision, thirteen Republican state attorneys general issued a letter to Fortune 100 companies reminding them of their "obligations as an employer under federal and state law to refrain from discriminating on the basis of race, whether under the label of 'diversity, equity, and inclusion' or otherwise. Treating people differently because of the color of their skin, even for benign purposes, is unlawful and wrong." The letter further asks the companies to "comply with race-neutral principles in [their] employment and contracting practices." Democratic attorneys general from 20 states and the District of Columbia then issued a letter in response.