Key Takeaways:
- In this client update, we highlight key considerations public companies should keep in mind this annual reporting season when preparing their annual reports on Form 10-K or Form 20-F, including a number of new line-item requirements and disclosure topics in the spotlight.
- New requirements for the 2023 annual reporting season include:
- Disclosures related to cybersecurity risk management processes and cybersecurity governance;
- Expanded narrative disclosures and daily repurchase information for share repurchases; and
-
Filing a compliant compensation clawback policy as an exhibit.
- Other disclosure considerations for the 2023 annual reporting season include:
- AI adoption;
Non-GAAP financial measures;
- Climate-related disclosures;
- Geopolitical conflict disclosures;
- Disclosures by China-based companies;
- Crypto assets disclosures; and
- Rule 10b5-1 and other trading arrangements by directors and officers.
For many U.S. public companies, the Thanksgiving holiday marks the beginning of a busy annual reporting and proxy season. In this client update, we highlight key considerations public companies should keep in mind this year when preparing their annual reports on Form 10-K or Form 20-F, including a number of new line-item requirements and disclosure topics in the spotlight. For an issuer checklist covering these considerations, see the Annex to this update. We will publish a companion client update in the upcoming weeks with key considerations for the 2024 proxy season.
Recent Rule Changes Applicable to Annual Reports
Cybersecurity Disclosures
On July 26, 2023, the U.S. Securities and Exchange Commission (“SEC”) adopted final rules on cybersecurity risk management, strategy, governance, and incident disclosure for issuers. The rules introduce two new types of annual disclosure requirements – relating to cybersecurity risk management processes and cybersecurity governance – which take effect beginning with Forms 10-K or 20-F relating to fiscal years ending on or after December 15, 2023. Related Inline XBRL tagging requirements begin one year after initial compliance (i.e., beginning with annual reports for fiscal years ending on or after December 15, 2024).
Cybersecurity Risk Management Processes
Issuers are required to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, including (1) whether and how the issuer assesses, identifies and manages material risks, (2) whether the issuer engages any third-parties, auditors or consultants in connection with such processes and (3) whether the issuer has processes in place to oversee and identify third-party risk. Issuers must also describe whether any risks from cybersecurity threats, including previous cybersecurity incidents, have materially affected or are likely to materially affect their business strategy, operations or financial conditions.
Cybersecurity Governance
Issuers are required to describe the board’s oversight of, and management’s role and expertise in, assessing and managing material risks posed by cybersecurity threats. With respect to management’s role, issuers must address, to the extent applicable, which management positions or subcommittees are responsible for assessing and managing such risks, including the relevant expertise of such persons; the process by which management or those committees are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents; and whether such person or committees report information about such risks to the board or a subcommittee of the board. Issuers are also required to disclose whether members of management involved in cybersecurity risk management have prior work experience, education, or knowledge, skills or other background in cybersecurity. If applicable, issuers will be required to identify the board committee or subcommittee responsible for overseeing cybersecurity risks and describe the process by which they are informed of cybersecurity risks.
For a detailed discussion of the adopted final rules, please see our Debevoise Update—SEC Adopts New Cybersecurity Rules for Issuers. For a discussion of best practices regarding cybersecurity disclosures, please see our Debevoise In Depth—SEC Adopts New Cybersecurity Rules for Issuers—Part 2 Key Takeaways.
Proxy Advisor Guidance
Issuers should also note that Glass Lewis included cybersecurity risk oversight in its voting guidelines that will apply to shareholder meetings held after January 1, 2024. In the absence of material cybersecurity incidents, Glass Lewis generally will not make voting recommendations based on a company’s oversight of cybersecurity-related issues. However, in instances where a company has been materially impacted by a cyber-attack, Glass Lewis’ recommendations will depend on their evaluation of the board’s response concerning cybersecurity-related issues. For more details, see Glass Lewis’ 2024 US Benchmark Policy Guidelines.
Share Repurchase Disclosures
On May 3, 2023, the U.S. Securities and Exchange Commission adopted new rules mandating increased disclosure by issuers engaged in repurchases of equity securities registered under Section 12 of the Securities Exchange Act of 1934 (the “Exchange Act”). For most issuers, the rules begin to apply with the first periodic report on Form 10-Q, Form 10-K or Form 20-F in respect of the first full fiscal quarter that begins on or after October 1, 2023.
Expanded Narrative Disclosure
The new rules amend Item 703 of Regulation S-K to require additional narrative disclosure by issuers in periodic reports on Forms 10-Q, 10-K and 20-F, as applicable, regarding share repurchase programs and policies. This narrative disclosure must include:
- the objectives or rationale for the issuer’s share repurchases, and the process or criteria employed to determine the amount of repurchases;
- any policies or procedures relating to purchases and sales of the issuer’s securities by its directors and officers during a repurchase program, including any restrictions on such transactions; and
- the number of shares purchased other than through a publicly announced plan or program, and the nature of the repurchase transactions (e.g., whether the purchases were made in open market transactions, tender offers, etc.).
Daily Repurchase Disclosure
The new rules require issuers to disclose daily share repurchase information on a quarterly basis (or semiannually for listed, close-end funds). For domestic issuers, the daily repurchase information will be presented in an exhibit to Forms 10-Q and 10-K. For FPIs that file annual reports on Form 20-F, the information is to be disclosed on a new Form F-SR, due 45 days after each fiscal quarter of the issuer.
The repurchase data to be aggregated daily and disclosed quarterly must include the following, in tabular format:
the number of shares repurchased by or on behalf of the issuer or any affiliated
purchaser;
the average price per share paid;
total number of shares purchased as part of publicly announced plans or programs;
the maximum number (or approximate dollar value) of shares that may yet be repurchased under the publicly announced plans or program;
the number of shares purchased on the open market;
the number of shares intended to qualify for the Rule 10b-18 non-exclusive safe harbor; and
the number of shares repurchased pursuant to a Rule 10b5-1 plan.
In addition, issuers are required to disclose, by footnote to the daily repurchase table, the adoption or termination date of any plan that is intended to satisfy the affirmative defense conditions of Rule 10b5-1(c) and pursuant to which shares were repurchased. The tabular repurchase disclosure must be filed with, rather than furnished to, the SEC.
Checkbox Disclosure for Director and Officer Trades
Issuers are now also required to disclose on the cover of periodic reports (by checking a box) whether any of their directors or Section 16 officers purchased or sold equity securities of any class registered under Section 12 of the Exchange Act that are part of an issuer share repurchase plan or program (whether or not conducted pursuant to Rule 10b5-1, Rule 10b-18 or otherwise) within four business days before or after the announcement of a repurchase plan or program or the announcement of an increase of an existing share repurchase plan or program. Issuers may rely on Section 16 reports filed by their officers and directors to determine whether the box should be checked, unless the issuer knows or has reason to believe that a filing was not accurately or timely made. For FPIs, the checkbox requirement applies to any director or senior management member who is identified in Item 1 of Form 20-F.
For a more detailed discussion on the amendments to the share repurchase disclosure rules, please see our Debevoise Update—SEC Adopts Share Repurchase Disclosure Rules. For a discussion of SEC enforcement activity relevant to the share repurchase disclosure rules, see our Debevoise Debrief—SEC Settles Stock Repurchase charges for $25 Million.
Compensation Clawback Policy & Disclosure
In October 2022, the SEC adopted final rules on clawbacks of executive compensation as required by the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010. The final clawback rules directed the national securities exchanges to adopt listing standards that require most exchange-listed issuers to adopt and comply with written clawback policies, and to provide disclosure regarding those clawback policies and amounts recovered. Accordingly, the NYSE and Nasdaq amended their listing standards to require listed issuers to adopt a compliant clawback policy by December 1, 2023.
Exhibit Filing Requirement
The final rules add to Item 601 of Regulation S-K a requirement that the clawback policy be filed as an exhibit to the issuer’s annual report on Form 10-K or 40-F.
Cover Page Checkboxes
In addition, the final rules also add checkboxes to the cover pages of Forms 10-K, 20-F, and 40-F to indicate:
- whether the financial statements included in the filing reflect correction of an error to previously issued financial statements, and
- whether any of those error corrections are restatements that require a recovery analysis of incentive-based compensation received by any of the applicable executive officers during the relevant recovery period.
For a more detailed discussion, please see our Debevoise In Depth—SEC Adopts Final Clawback Rules. To assist issuers, we have prepared a model clawback policy that complies with Section 303A.14 of the NYSE Listed Company Manual and Nasdaq’s Listing Rule 5608.
Reminder: Other Recent Rule Changes
10b5-1 Trading Plans and Insider Trading Policies
In December 2022, the SEC adopted amendments to Rule 10b5-1 and new disclosure requirements regarding (1) the adoption, modification and termination of Rule 10b5-1 and other trading arrangements by directors and officers, (2) insider trading policies and procedures of issuers and (3) the timing of option awards to named executive officers made in close proximity to the issuer’s release of material nonpublic information. Calendar year end companies began including information on trading arrangements by directors and officers in the second quarter of 2023 (third quarter of 2023 for smaller reporting companies). Disclosures regarding insider trading policies and option grant policies will be required in a company’s Form 10-K or Form 20-F for the first full fiscal year starting after April 1, 2023 (i.e., for a calendar year end company, the Form 10-K or Form 20-F to be filed in 2025). Issuers should consider changes to their option grant policies and procedures and insider trading policies in anticipation of these new disclosure requirements.
In August 2023, the staff of the Division of Corporation Finance released several new and updated C&DIs regarding amended Rule 10b5-1 and related reporting requirements. The SEC confirmed that Item 408(a)(1) of Regulation S-K does not require disclosure of the termination of a plan that ends due to its expiration or completion. The staff also clarified that Item 408(a) applies to any trading arrangement covering securities in which the officer or director has a direct or indirect pecuniary interest reportable under Section 16 that the officer or director has made the decision to adopt or terminate. See C&DI 133A.01 and 133A.02.
For a detailed discussion on amendments to Rule 10b5-1 and insider trading activity disclosure requirements, please see our Debevoise Update—SEC Adopts Significant Amendments Regarding 10b5-1 Trading Plans and Augmented Trading-Related Disclosure Requirements. For more details on recent C&DIs, please see our Debevoise Update—SEC Releases New and Updated Guidance on Amended Rule 10b5-1.
XBRL Format
Since 2009, the SEC’s rules have required companies to provide the information contained in the financial statements in their registration statements and periodic and current reports in machine-readable format using eXtensible Business Reporting Language (“XBRL”). In connection with the SEC’s recent rulemaking, the SEC requires XBRL and/or Inline XBRL tagging for clawbacks, share repurchase, cybersecurity and Rule 10b5-1 plan disclosure. In September 2023, the Division of Corporation Finance published a sample comment letter to guide companies in their compliance with the XBRL structured data filing requirements.
Note that Inline XBRL tagging for cybersecurity disclosures begins one year after initial compliance with the related disclosure requirement (i.e. beginning with annual reports for fiscal years ending on or after December 15, 2024). The Inline XBRL tagging requirement for compensation clawbacks, share repurchase and Rule 10b5-1 plan disclosure begins when the related disclosure requirement becomes effective. All issuers are required to use Inline XBRL to tag their pay versus performance disclosure in the relevant proxy or information statement for any shareholder meetings for fiscal years ending on or after December 16, 2022.
“Glossy” Annual Reports
Effective January 11, 2023, reporting companies are required to furnish their “glossy” annual reports electronically on EDGAR in PDF format no later than the date on which the report is first sent or given to stockholders. For more details, please see our Debevoise Debrief—“Glossy” Annual Reports Must be Furnished to the SEC via EDGAR.
Other Disclosure Hot Topics
AI Adoption
The pace of Artificial Intelligence (“AI”) adoption by companies has increased rapidly in the last year—and the SEC has taken notice. In July 2023, SEC Chairman Gary Gensler delivered remarks on salient opportunities and risks of emerging AI technologies. Gensler named explainability, bias, robustness, conflicts of interest, rent extraction, deceptive capabilities, as well as privacy, financial stability and intellectual property concerns as risks presented by widespread AI adoption. Nine days later, the SEC proposed new rules to address conflicts of interests risks for advisers and brokers related to the use of AI technologies.
Issuers should expect more examination, regulation, and enforcement activity—with an emphasis on the risk areas that Chair Gensler listed in his remarks—on the SEC’s agenda in the upcoming year, and should consider including AI-related disclosure addressing such risks in their annual reports. In the absence of SEC guidance or rulemaking on AI disclosure, issuers should apply classical materiality and disclosure principles when considering whether new or revised disclosure is prudent, with a particular emphasis on risk management, governance and reasonably foreseeable material impacts on future operations.
For more information on common AI use cases and adoption best practices, please see our Comparative Guide on Artificial Intelligence and Debevoise Update—The Top Eight AI Adoption Failures and How to Avoid Them. We regularly write about AI on the Debevoise Data Blog, which you can read and subscribe to here.
Continued Focus on Non-GAAP Financial Measures
Non-GAAP financial measures remain a significant focus of the SEC, exemplified by new and revised Compliance and Disclosure Interpretations (“C&DIs”) issued in December 2022, frequent SEC staff comment letters in recent years and enforcement actions, including one settled in March 2023.
Recent SEC staff comments in relation to non-GAAP financial measures most frequently address the following points:
- presenting the most directly comparable GAAP financial measure with “equal or greater prominence” as the non-GAAP financial measure;
- providing an appropriate reconciliation of the non-GAAP measure to the most directly comparable GAAP financial measure;
- disclosing why management believes the non-GAAP financial measure provides useful information to investors and the additional purposes, if any, for which management uses such measure;
- identifying and clearly labeling non-GAAP financial measure; and
- ·non-GAAP measures that the SEC staff believes are based on individually tailored accounting principles.
Issuers should regularly review their use of non-GAAP measures for compliance with guidance issued by the staff of the Division of Corporation Finance. Issuers should also establish and maintain effective disclosure controls and procedures that address their use of non-GAAP financial measures.
Please see our Debevoise In Depth—SEC Maintains Its Focus on Non-GAAP Financial Measures and Debevoise Debrief—SEC Releases New and Updated Guidance on Non-GAAP Financial Measures for more details.
Board Diversity
In August 2021, the SEC approved Nasdaq’s proposed listing rules that require all companies listed on Nasdaq’s U.S. exchange to publicly disclose diversity statistics regarding their boards of directors. The rules also require most Nasdaq-listed companies to have, or explain why they do not have, at least two diverse directors, including one who self-identifies as female and one who self-identifies as either an “underrepresented minority” or “LGBTQ+”. Note that, according to its Spring 2023 regulatory agenda, the SEC is expected to consider requiring expanded board diversity disclosure by all public companies.
By August 7, 2023, each Nasdaq listed company was required to have at least one diverse director or provide an explanation of why it did not have such a director. For a company listed on the Nasdaq Global Select or Global Markets, it must have two diverse directors by August 6, 2025 or provide the requisite explanation.
In October 2023, the Fifth Circuit upheld Nasdaq’s board diversity rule. The court reasoned that, because Nasdaq is not a state actor, the Nasdaq rule is not a state action subject to such constitutional challenges, and that the SEC therefore did not exceed its authority in approving the rule.
For a more detailed discussion on the rule, please see our Governance Update—Nasdaq Board Diversity Listing Rule Approved. For more information on the Fifth Circuit decision, see our post on the CLS Blue Sky blog—Debevoise & Plimpton Discusses Fifth Circuit Decision to Uphold Nasdaq Board Diversity Rule.
Climate-Related Disclosure
In March 2022, the SEC proposed expansive new climate-related disclosure requirements including disclosure of an issuer’s greenhouse gas emissions. While the adoption of final rules was expected in the fourth quarter of 2023, according to the SEC’s Spring 2023 regulatory agenda, it is unclear as of the date of this client update when final rules will be adopted. Pending the adoption of the final rules, companies can refer to existing guidance from the SEC on climate-related disclosures, including a sample comment letter published by the Division of Corporation Finance in September 2021.
For a detailed discussion on the SEC’s proposed climate-related disclosure requirements, please see our Debevoise In Depth—An In-Depth Review of the SEC’s Proposed Climate Change Disclosure Rule. For a discussion on other recently enacted climate-related legislation, see our client updates—California Climate Disclosure Bills Expected to Become Law and California Climate Disclosure Bills Signed Into Law.
Geopolitical Conflict Disclosure
In May 2022, the SEC published a sample comment letter stating that companies may have disclosure obligations related to the direct or indirect impact of Russia’s invasion of Ukraine. The comment letter states that companies should provide detailed disclosure regarding any direct or indirect exposure to Russia or Ukraine through the companies’ supply chains, operations, investments, assets or business relationships.
The Division of Corporation Finance has not published a sample comment letter on the Israel-Hamas conflict as of the date of this client update. Issuers that have direct or indirect exposure to the Israel-Hamas conflict, operations, investments or assets in the conflict area, or business relationships with companies that do, should evaluate any material impacts or risks of future impacts related to the Israel-Hamas conflict.
Disclosures by China-Based Companies
In July 2023, the SEC published a sample comment letter stating that companies based in or with a majority of their operations in the People’s Republic of China may have disclosure obligations relating to the reliability of their financial reporting, the regulatory environment in China and corporate governance matters. The SEC primarily (1) reminded companies of existing disclosure obligations under the Holding Foreign Companies Accountable Act (HFCAA); (2) sought disclosure about material risks related to the role of the government of the People’s Republic of China in the operations of China-based companies; and (3) noted that companies should evaluate their disclosure to provide investors with disclosure about the material impacts of certain statutes such as the Uyghur Forced Labor Prevention Act (UFLPA).
Crypto Assets Disclosure
In December 2022, the SEC published a sample comment letter regarding recent developments in crypto asset markets. The release of the letter represents an increased focus on crypto asset activities of public companies, especially with regard to risks implicated by bankruptcies in the industry, FTX being the most prominent. In the sample comment letter, the SEC focused on material impacts from the price and industry volatility of the crypto asset market, including whether the company has experienced any material change in financial condition or results of operation as a result of disruptions in the crypto asset market.
For a more detailed discussion, please see our Debevoise Update—FTX Collapse Causes SEC to Request Additional Crypto Asset Disclosures.