Matters to Consider for the 2019 Annual Meeting and Reporting Season

Brian Breheny and Joseph Yaffe are partners and Caroline Kim is an associate at Skadden, Arps, Slate, Meagher & Flom LLP. This post is based on a Skadden memorandum Mr. Breheny, Mr. Yaffe, Ms. Kim, Hagen GanemAndrew Brady and Josh LaGrange.

Companies have important decisions to make as they prepare for the 2019 annual meeting and reporting season.

We have compiled the following overview of key corporate governance, executive compensation and disclosure matters on which we believe companies should focus as they plan for the upcoming season. As always, we welcome any questions you have on any of these topics or other areas related to annual meeting and reporting matters.

Comply With Updated SEC Filing Requirements

The U.S. Securities and Exchange Commission (SEC) has adopted new rules that companies should consider as they prepare year-end reports and other filings.

Disclosure Simplification

On August 17, 2018, the SEC adopted amendments to streamline disclosure requirements as part of an ongoing disclosure effectiveness review. [1] These rule changes went into effect on November 5, 2018, and target disclosure requirements that were outdated, superseded or already covered by disclosures under U.S. Generally Accepted Accounting Principles (GAAP), International Financial Reporting Standards (IFRS) or other SEC rules. While the amendments generally are technical in nature, the following changes should be considered when preparing annual reports on Form 10-K:

  • Ratio of Earnings to Fixed Charges. Companies are no longer required to disclose the historical and pro forma ratios of earnings to fixed charges and/or historical and pro forma ratios of combined fixed charges and preference dividends to earnings.
  • Historical Stock Price Disclosure. Companies are no longer required to disclose the high and low prices of common equity traded on an established public trading market, although companies must disclose their trading symbols.
  • Historical Dividend Disclosure. Companies are no longer required to disclose the frequency and amount of cash dividends in the body of the Form 10-K, as such information already should be included in the financial statements. Disclosure of the restrictions that currently, or are likely to, materially limit a company’s ability to pay dividends on its common equity also should be found in its financial statements.
  • Segment Financial Information. Companies are no longer required to disclose segment financial information and financial information by geographic area in the body of the Form 10-K, as such information already should be included in the financial statements.
  • Research and Development Disclosure. Companies are no longer required to disclose the amount spent on research and development activities for all years presented.

Form Cover Pages

For yet another year, rules recently adopted by the SEC have resulted in changes to the cover pages of many SEC forms. As noted in our September 21, 2018, client alert “Reminders of Recent Updates for Upcoming SEC Filings,” companies should revise their Form 10-K cover pages as reflected in the following mark-up:

These revisions address the following two technical changes:

  • In connection with the new Inline XBRL rules adopted in June 2018, [2] the SEC eliminated the website-posting requirement, which is no longer referenced on the cover page of Forms 10-Q and 10-K. Previously, issuers were required to submit their XBRL data as exhibits and were also required to post XBRL data files on their websites. While the new Inline XBRL requirement does not apply to upcoming annual reports on Form 10-K for calendar year 2018, the SEC nonetheless has implemented changes to the Form 10-K cover page.
  • As discussed below, the SEC approved amendments to the definition of a “smaller reporting company” (SRC), expanding the number of registrants that qualify as SRCs. In connection with this, the SEC revised Form 10-K and other Exchange Act and Securities Act form cover pages to remove the instruction informing filers to not check the “non-accelerated filer” box if the issuer is an SRC. After these amendments, issuers will now be able to check multiple boxes on the cover page related to their filer status (e.g., both the accelerated filer and SRC boxes).

SRC Amendments

As noted above and discussed in our July 9, 2018, client alert “SEC Expands ‘Smaller Reporting Company’ Definition,” the SEC approved amendments to the definition of SRC under the rules and regulations of the Securities Act and the Exchange Act on June 28, 2018. [3] These amendments went into effect on September 10, 2018. Under the new definition, a company will qualify as an SRC if it has either (i) a public float of less than $250 million as of the last business day of its most recently completed second fiscal quarter, or (ii) annual revenues of less than $100 million during the most recently completed fiscal year with less than $700 million public float (or no public float).

A company that newly qualifies as an SRC has the option to take advantage of the scaled disclosure accommodations beginning with its next periodic or current report due on or after, or in any registration or proxy filing or amended filing made on or after, September 10, 2018. For example, a calendar year-end company that became an SRC in 2018 could use scaled disclosures in its upcoming Form 10-K. Under the SEC’s rules and regulations, issuers must reflect SRC status starting with the first Form 10-Q for the year after it becomes an SRC but may begin taking advantage of the scaled disclosure accommodations beginning in the third quarter of the year it enters SRC status. [4] As a reminder, SRC status is determined separately from accelerated filer status, which occurs at fiscal year-end.

Changes to a company’s filer status also may affect proxy statements. The information required in a proxy statement generally is tied to the company’s filer status at the time of its Form 10-K filing. As a result, a company reporting as an SRC in its 2018 Form 10-K may provide SRC-level disclosures in its annual proxy statement. The timing of the annual meeting does not affect the analysis. [5]

Consider SEC Cybersecurity Guidance and Enforcement Actions

During 2018, there have been a number of actions by the SEC related to cybersecurity matters
impacting public companies. These actions, which we summarize below, have included two
pieces of helpful guidance and a few key enforcement matters. We recommend that companies
consider these actions in connection with year-end reporting and as part of any periodic
review of company policies and procedures.

SEC Guidance

As discussed in our February 23, 2018, client alert “SEC Issues Interpretive Guidance on Cybersecurity Disclosures,” the SEC issued an interpretive release [6] providing guidance for public companies relating to disclosures of cybersecurity risks and incidents, disclosure controls and procedures, and insider trading policies. The key takeaways from this guidance are summarized below.

Material Risks and Incidents. Companies should consider whether there are material cybersecurity risks and incidents that should be disclosed in registration statements, periodic reports and other filings with the SEC as part of the disclosure of risk factors, management’s discussion and analysis of financial condition and results of operations, descriptions of the company’s business and legal proceedings, and financial statements and accompanying notes. The guidance confirmed that the materiality of cybersecurity risks and incidents will depend on their nature, extent, potential magnitude and range of harm that an incident could cause.

Board Risk Oversight. Companies should consider the requirement to disclose in proxy statements the board’s role in risk oversight. In light of the guidance, as well as investor calls for such information, companies may wish to take a fresh look at their proxy statement disclosure regarding board oversight of risk and consider addressing or enhancing disclosures regarding board oversight of cybersecurity risks.

Disclosure Controls and Procedures. Companies should evaluate whether their disclosure controls and procedures are sufficient to ensure that relevant information pertaining to cybersecurity risks and incidents is collected, processed and reported up the chain on a timely basis to allow for management to assess and analyze whether cybersecurity risks and incidents should be disclosed. Companies should also review protocols for reporting cybersecurity incidents to ensure that persons having familiarity with, and responsibility for, a company’s SEC disclosure decisions are included in the information flow regarding cybersecurity matters that have the potential to be material to investors.

Insider Trading Policies. Companies should evaluate whether their insider trading policies are designed to prevent insider trading on the basis of material nonpublic information relating to cybersecurity incidents and risks. Companies also should consider whether restrictions on trading need to be imposed during periods when they are investigating and assessing the significance of a cybersecurity incident.

Regulation FD Policies. Companies should review any Regulation FD policies to ensure it is made clear that material nonpublic information could involve cybersecurity risks and incidents.

SEC Report of Investigation

On October 16, 2018, the SEC issued a Report of Investigation detailing the SEC Enforcement Division’s consideration of the internal accounting controls of nine companies that were victims of “business email compromises,” a form of cyberfraud. [7] The companies described in the report lost a combined $100 million after their internal accounting controls failed to protect against two types of fraudulent email schemes. The SEC issued the report, forgoing a traditional enforcement action, to communicate the SEC’s view that this issue is problematic and to put companies and individuals on notice that the SEC intends to pursue enforcement actions concerning similar conduct in the future.

The report highlighted the need for companies to design and maintain internal accounting control systems that adequately address the cybersecurity risks they face. The persons undertaking the alleged cyber-related frauds covered in the report were able to identify vulnerabilities in the issuers’ controls over, for instance, payment authorization and verification procedures. The report also noted that the alleged perpetrators succeeded in the frauds in large part because employees were unaware of, or did not understand, the internal controls of their employers and failed to recognize multiple red flags indicating that a fraudulent scheme was underway.

We recommend that companies consider the findings in this report and confirm that internal accounting controls properly address the risks of cyber-related threats and safeguard company assets from those risks. In particular, companies should ensure that their internal accounting controls are tailored to address, among other things, human vulnerabilities with respect to cyber-related risks.

SEC Enforcement Focus

Cybersecurity incidents have also led to a number of noteworthy recent SEC enforcement actions. In March 2018, the SEC initiated an action against a former chief information officer, alleging that he avoided significant losses by trading on material nonpublic information regarding a massive data breach at his company. [8] In April 2018, the SEC settled charges with a technology company based on the SEC’s view that the company misled investors by failing to properly disclose information regarding a significant data breach. [9] And in September 2018, the SEC settled charges against a financial advisory firm related to a cyber intrusion that compromised the personal information of thousands of customers. [10]

In the matter involving the technology company, the SEC’s order stated that it believed that the company’s disclosures in its public filings were misleading because they omitted known trends or uncertainties presented by the data breach, the company failed to establish or implement internal controls around the evaluation and disclosure of cyber incidents, and the company’s risk factor disclosures in its public filings were misleading because they claimed the company only faced the risk of potential future data breaches without disclosing that a data breach had in fact already occurred.

The SEC’s enforcement actions involving cybersecurity matters follow the announcement in September 2017 that the SEC had established a Cyber Unit to consolidate the expertise of the SEC’s Division of Enforcement and enhance its ability to identify and investigate cyber-related threats. At the time the Cyber Unit was launched, Stephanie Avakian, co-director of the SEC’s Enforcement Division, identified cyber-related threats as “among the greatest risks facing investors and the securities industry.”

We believe that the SEC’s growing emphasis on cyber issues provides further support for the need for companies to remain focused on cybersecurity disclosures and policies.

Assess Impact of SEC Staff Comments and Statements

Although the staff of the SEC’s Division of Corporation Finance reviews a large number of Form 10-K filings and other disclosures made by companies each year, the majority of these reviews do not result in a comment letter being issued to the company. A recent study by Ernst & Young (EY) indicates the annual number of comment letters issued by the SEC staff has decreased by approximately 25 percent compared to last year, or over 40 percent since 2014. [11]

This continuing downward trend is consistent with recent remarks from senior members of the SEC staff reiterating their focus on disclosures that would be material to investors. Below is a summary of the key focus areas in recent SEC staff comment letters, as well as SEC staff remarks, that companies should consider in preparing their upcoming annual reports and other SEC filings.

Non-GAAP Financial Measures

According to the EY report, about half of the decrease in comments since last year is attributed to a drop in the number of comments relating to non-GAAP financial measures that previously had seen an uptick following the release of updated SEC staff guidance in May 2016. Nevertheless, non-GAAP financial measures still remained one of the top areas of SEC staff focus during the 12-month period ended June 30, 2018.

The SEC staff recently also expressed a continuing focus on individually tailored performance measures, especially those that are unusual and complex, such as “adjusted revenues,” which companies should ensure comply with the applicable requirements under Item 10(e) of Regulation S-K and Regulation G. Companies should continue to revisit their non-GAAP disclosures in SEC filings, including earnings releases, as well as other public disclosures, such as investor presentations and information posted on company websites.

Revenue Recognition

Companies should consider the impact on their disclosures of the new revenue recognition accounting standard, ASC 606, which went into effect in December 2017. ASC 606 replaced prescriptive industry-specific rules with a principles-based model to standardize revenue booking for comparable transactions across industries. The new standard may require management to make significant judgments on how to classify transactions and when revenues should be booked.

According to a recent report by Intelligize Inc., only 32 of the roughly 4,000 U.S. publicly listed companies chose to apply the new rules early, and nearly one-third of those early adopters received SEC staff comments on their compliance with the revenue recognition standard. Three-quarters of the comment letters included questions about how companies arrived at their decisions for performance obligations measurements. [12]

Other Recent Developments

Senior members of the SEC staff have emphasized that companies
should also consider the following disclosure topics:

  • Cybersecurity. Companies should align their disclosure practices with the SEC’s February 2018 interpretive guidance, as discussed above in the section titled “Consider SEC Cybersecurity Guidance and Enforcement Actions.” In particular, companies should consider cybersecurity in their board risk oversight disclosures in their annual proxy statements and
    assess their disclosure controls and procedures, as well as insider trading policies.
  • Brexit. Companies should assess the associated risks of the ongoing uncertainty and potential impact of the U.K.’s pending exit (Brexit) from the European Union. In recent statements, the SEC staff has advised that it will continue to monitor company disclosures related to Brexit leading up to the March 2019 deadline to reach an agreement.
  • LIBOR Phase-Out. Companies with financial instruments that rely on the benchmark interest rate LIBOR (the London Interbank Offered Rate), which British financial regulators are phasing out, should consider the implications of transitioning to another benchmark. The SEC staff has noted that there are significant uncertainties surrounding legacy financial instruments that rely on LIBOR and how replacing it with another benchmark would impact a company’s hedge accounting. To the extent the LIBOR phase-out is material, companies should disclose that fact and the implications of the phase-out, including any associated risks and uncertainties.

Endnotes

1The SEC’s press release “SEC Adopts Amendments to Simplify and Update Disclosure Requirements” (Aug. 17, 2018) and adopting release are available here.(go back)

2The SEC’s press release “SEC Adopts Inline XBRL for Tagged Data” (June 28, 2018) and adopting release are available here.(go back)

3The SEC’s press release “SEC Expands the Scope of Smaller Public Companies That Qualify for Scaled Disclosures” (June 28, 2018) and adopting release are available here.(go back)

4See 17 C.F.R. § 229.10(f)(2)(i)(C) (Item 10 of Regulation S-K); 17 C.F.R. § 230.405 (Securities Act Rule 405 definition of “smaller reporting company” paragraph (3)(i)(C)); 17 C.F.R. § 240.12b-2 (Exchange Act Rule 12b-2 definition of “smaller reporting company” paragraph (3)(i)(C)).(go back)

5See Question 104.13, the SEC’s Compliance and Disclosure Interpretations “Questions and Answers of General Applicability” (Nov. 7, 2018), available here.(go back)

6The SEC’s press release “SEC Adopts Statement and Interpretive Guidance on Public Company Cybersecurity Disclosures” (Feb. 21, 2018) and related guidance are available here.(go back)

7The SEC’s press release “SEC Investigative Report: Public Companies Should Consider Cyber Threats When Implementing Internal Accounting Controls” (Oct. 16, 2018) and the Section 21(a) Report of Investigation are available here. Our October 19, 2018, summary of the report, “SEC Investigative Report on Cybersecurity Emphasizes Internal Controls,” is available here.(go back)

8The SEC’s press release “Former Equifax Executive Charged With Insider Trading” (Mar. 4, 2018) and related SEC complaint are available here.(go back)

9The SEC’s press release “Altaba, Formerly Known as Yahoo!, Charged With Failing to Disclose Massive Cybersecurity Breach; Agrees to Pay $35 Million” (Apr. 24, 2018) and related SEC order are available here.(go back)

10The SEC’s press release “SEC Charges Firm With Deficient Cybersecurity Procedures” (Sept. 26, 2018) and related SEC order are available here.(go back)

11EY’s SEC Reporting Update “2018 Trends in SEC Comment Letters” (Sept. 24, 2018) is available here.(go back)

12Intelligize’s report “Impact of New Revenue Recognition Standards on Public Companies” (Nov. 5, 2018) is available here.(go back)

Trackbacks are closed, but you can post a comment.

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

  • Subscribe or Follow

  • Supported By:

  • Program on Corporate Governance Advisory Board

  • Programs Faculty & Senior Fellows