Matters To Consider for the 2025 Annual Meeting and Reporting Season: Disclosure Developments

Brian V. Breheny, Raquel Fox, and Page Griffin are Partners at Skadden, Arps, Slate, Meagher & Flom LLP. This post is based on a Skadden memorandum by Mr. Breheny, Ms. Fox, Mr. Griffin, Marc S. Gerber, Joseph M. Yaffe, and Khadija L. Messina.

Assess Trends in Cybersecurity Disclosures

The Securities and Exchange Commission (SEC) adopted final rules in 2023 intended to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incident reporting by public companies, including foreign private issuers (FPIs). Specifically, the SEC’s amendments require: (i) current reporting of material cybersecurity incidents on a new Item 1.05 of Form 8-K; and (ii) annual reporting on Forms 10-K and 20-F of company processes for identifying, assessing and managing material risks from cybersecurity threats; management’s role in assessing and managing the company’s material cybersecurity risks; and the board’s oversight of cybersecurity risks.

Guidance on Form 8-K Disclosure of Material Cybersecurity Incidents

Item 1.05 of Form 8-K requires disclosure within four business days after a company determines that a “cybersecurity incident” experienced by the company is material. This year, the SEC staff clarified incident reporting requirements as outlined below.

FBI, DOJ and SEC Guidance on Delayed Reporting: The Form 8-K Item 1.05 cybersecurity incident reporting rules provide that companies may delay the required disclosure if such disclosure poses a substantial risk to national security or public safety. In December 2023, the Federal Bureau of Investigation (FBI), the U.S. Department of Justice (DOJ) and the SEC each released guidance on how companies may request this exception and how the agencies will make determinations.

  • The FBI issued a policy notice describing the process for requesting a delay in public reporting of a cybersecurity incident under the SEC rule. The notice states that companies must (i) make such requests to the FBI “concurrently” with the company’s materiality decision; and (ii) provide the date and time (including time zone) of the company’s materiality determination for the FBI to confirm that the request is made “immediately upon determination.” To request a delay, companies must contact the FBI through a dedicated email address: [email protected]. The FBI also published guidance that outlines the information companies must include in a delay request.
  • The DOJ issued guidelines on determinations for delayed public reporting of material cybersecurity incidents clarifying that such determinations hinge on whether the public disclosure of a cybersecurity incident threatens public safety or national security, and not whether the incident itself poses a substantial risk to public safety and national security.
  • The SEC staff published four Compliance and Disclosure Interpretations (C&DIs) regarding the national security and public safety exception and related FBI and DOJ guidance, highlighting circumstances where an Item 1.05 Form 8-K is due even if a delay is requested and emphasizing that consultation with a government agency is not conclusive for the company’s materiality determination.

Item 1.05 Disclosure for Material Incidents: In May 2024, the Director of the SEC’s Division of Corporation Finance issued a statement that clarified, “[a]lthough the text of Item 1.05 does not expressly prohibit voluntary filings, Item 1.05 was added to Form 8-K to require the disclosure of a cybersecurity incident ‘that is determined by the registrant to be material’ and, in fact, the item is titled ‘Material Cybersecurity Incidents.’” Prior to this statement, many companies had issued Item 1.05 disclosure that stated either (i) the cybersecurity incident was not material or (ii) the company had not yet determined whether the incident was material.

The SEC statement discouraged companies from including voluntary disclosure under Item 1.05 and instead encouraged companies to use Item 8.01 to avoid investor confusion. If a company initially discloses a cybersecurity incident under Item 8.01 and later determines that the incident is material, the company should then issue an Item 1.05 Form 8-K within four days of such materiality determination.

Staff Comments on Cybersecurity Risk Management & Governance Disclosures

New Form 10-K “Item 1C. (Cybersecurity)” and Form 20-F “Item 16K. Cybersecurity” require certain new annual cybersecurity-related disclosures. Item 106(b) of Regulation S-K requires a description of the company’s processes, if any, for assessing, identifying and managing material risks from cybersecurity threats. Item 106(c) of Regulation S-K requires companies to disclose information related to the board’s and management’s roles relating to cybersecurity. To date, the SEC staff has issued comments on Item 106 disclosure related to the following:

  • Omitting Item 106 disclosure. For companies that did not include the new Regulation S-K Item 106 requirement in their Form 10-K or Form 20-F, the SEC staff issued comments reminding companies of the requirement to include the disclosure in their annual reports.
  • Enhancing disclosure of management expertise. For the Item 106(c)(2)(i) disclosure of the management position(s) responsible for cybersecurity risk management, the SEC staff has requested additional detail on the expertise of such person(s). Such detail may include the number of years spent in prior roles for each person disclosed as responsible for managing cybersecurity risk.
  • Clarifying the role of third parties. Pursuant to Item 106(b)(1)(ii), companies need to disclose whether they engage assessors, consultants or auditors in the company’s management of cybersecurity risk. If third parties are engaged for this purpose, companies should describe the third party’s role in assisting the company in identifying and managing cybersecurity risks.
  • Disclosing how cybersecurity risk management fits into a company’s overall risk management framework. Item 106(b)(1)(i) requires companies to specifically disclose whether and how the company’s processes, if any, for assessing, identifying and managing material risks from cybersecurity threats are integrated into the registrant’s overall risk management system. Companies should address this requirement with specificity, rather than, for example, describing how cybersecurity risk management fits into the company’s business strategy more broadly, which the SEC staff may view as insufficient disclosure.
  • Clearly stating management and board areas of responsibility. Pursuant to Item 106(b)(1), companies should explain the management’s and the board’s areas of cybersecurity risk management and oversight, and provide sufficient detail for a reasonable investor to understand each group’s respective processes for managing and overseeing cybersecurity risk.

Recent Cybersecurity Enforcement Actions

On October 22, 2024, the SEC announced enforcement actions against several technology companies for making materially misleading disclosures regarding cybersecurity risks and intrusions. One company was also charged with disclosure controls violations.

These charges are the result of the SEC’s investigation of public companies potentially impacted by the SolarWinds’ vulnerability. The enforcement penalties range from $990,000 to $4 million.

The alleged misleading disclosures fall into one of two categories: (i) the disclosures mentioned a cybersecurity incident but omitted material information; or (ii) the disclosures remained largely the same after the cybersecurity incident and did not reflect new and realized cybersecurity risks.

The enforcement actions reinforce that companies should:

  • Carefully consider updating disclosures in the wake of cybersecurity incidents, particularly when a company’s risk profile changes as a result of an incident.
  • Maintain policies and procedures to facilitate prompt escalation of cybersecurity incidents to disclosure decision-makers.
  • Understand the SEC’s view of materiality and avoid minimizing cybersecurity incidents in disclosures.

Notably, two Republican SEC commissioners issued a strong dissenting statement to these actions. As described below, we anticipate that a new SEC administration will take a different approach to cyber-related enforcement actions.

Takeaways: Companies should revisit existing disclosure controls and procedures (DCP) [1] for SEC filings and assess whether current controls are sufficient to make timely materiality determinations and to capture and report cybersecurity-related information accurately and comprehensively.

  • This process may include reviewing and enhancing internal processes and procedures to identify, escalate and disclose cybersecurity incidents to help ensure timely and accurate disclosures.
  • This review should also include an evaluation of (i) whether the company’s public disclosures are consistent across required filings and voluntary disclosures, (ii) whether statements about the company’s cybersecurity risk reflect the facts and circumstances known to the company at the time of disclosure, and (iii) whether any updates to existing disclosure may be required.

In light of the upcoming change in administration, the Republican commissioners’ views are expected to help shape the SEC’s priorities in a new administration. As a result, companies should be aware that under the new administration, the SEC may (i) take a less expansive view of materiality in cybersecurity actions and return to a principle-based approach of assessing materiality based on market indicators and investor harm and (ii) focus less on leveraging its controls-based statutory authority to charge public companies for failure to maintain reasonable internal disclosure and accounting controls relating to cyber intrusions.

Review SEC Staff Comments: Areas of Focus

The Disclosure Review Program in the SEC’s Division of Corporation Finance has remained active over the past year. During the 12-month period ended June 30, 2024, the volume of SEC staff comment letters and the number of companies receiving comments were consistent with the prior year, but remained elevated compared to historical levels. [2]

Comment Trends

Non-GAAP financial measures and management’s discussion and analysis of financial condition and results of operations (MD&A) remained the most frequent areas generating SEC staff comments, and these topics are still the two most significant sources of staff comments by a wide margin. Segment reporting and revenue recognition ranked third and fourth, respectively, once again in the top four most frequent sources for comment.

Goodwill and intangible assets replaced climate-related disclosures as the fifth most frequent topic generating SEC staff comment, with climate-related disclosures dropping out of the staff’s top areas of comment, while business combinations became a frequent source of comment, ranking sixth overall.

Recent Areas of Focus

Below is a summary of the SEC staff’s noteworthy areas of focus:

Non-GAAP financial measures. The SEC staff continues to focus on non-GAAP financial measures and compliance with the staff’s C&DIs on non-GAAP financial measures, in certain cases resulting in requests to remove or substantially modify non-GAAP financial measures. For example, SEC staff comments have addressed adjustments to non-GAAP measures that remove or exclude cash operating expenses that the staff views as “normal” or “recurring” in the operation of a company’s business, and in the staff’s view, presented a misleading measure under C&DI Question 100.01. Additionally, the SEC staff’s comments have focused on non-GAAP adjustments related to frequent restructuring and acquisition-related costs, where the staff’s comments have asked companies (i) to detail the facts and circumstances supporting an adjustment for what could be a recurring cost and (ii) to explain and quantify the components of these adjustments. Consistent with C&DI Question 102.10(a), SEC staff comments have also objected to companies presenting a full non-GAAP income statement as a form of reconciliation because such presentation gives the non-GAAP information undue prominence.

The SEC staff has also continued to issue comments to determine whether certain key performance indicators (KPIs) are in fact non-GAAP measures and to request that companies present the most directly comparable GAAP financial measure with equal or greater prominence relative to the non-GAAP measure. Although most of these comments address the use of non-GAAP measures in earnings releases and SEC filings, the SEC staff also reviews other materials, including company websites and investor presentations. Accordingly, companies should ensure that any public disclosures of non-GAAP financial measures comply with applicable SEC rules and staff guidance.

MD&A. The SEC staff continues to raise questions about MD&A disclosures, most commonly about results of operations. The SEC staff’s comments on results of operations have continued to request that companies explain MD&A disclosures with greater specificity, including identifying and quantifying the impact of each positive or negative factor that had a material effect on results of operations. The SEC staff also continued to highlight the presentation of KPIs and operating metrics, including how they are calculated and period-over-period comparisons. SEC staff comments regularly scrutinized KPIs discussed in earnings releases and investor presentations and questioned how these compare to the information disclosed in MD&A.

SEC staff comments also focused on (i) liquidity and capital resources and (ii) critical accounting estimates. Staff comments on liquidity and capital resources often requested enhanced disclosures of the drivers contributing to changes in cash flows and the trends and uncertainties related to meeting known or reasonably likely future cash requirements. Staff comments regarding critical accounting estimates frequently noted that companies’ disclosures were too general, and requested that companies provide a more robust analysis, consistent with the requirements set forth in Item 303(b)(3) of Regulation S-K. The staff often emphasized that critical accounting estimates disclosures should supplement, not duplicate, the disclosures in footnotes to financial statements.

Staff comments on MD&A reporting also addressed known trends or uncertainties, particularly those related to current or emerging trends in the macroeconomic environment such as inflation, interest rates, geopolitical conflicts and supply chain issues. Comments often requested additional disclosures to enhance an investor’s understanding of the impact of these trends on the company and the company’s response to those trends. As inflation and interest rates moderate and other trends emerge, companies will need to provide transparent, company-specific disclosures about the anticipated impact of such trends to help investors understand how and when companies may be affected by these changing macroeconomic factors. Companies should:

  • Regularly reassess and update their MD&A disclosures to include current or emerging trends and uncertainties in the macroeconomic environment.
  • Continue to consider CF Disclosure Guidance Topic No. 9 and No. 9A related to COVID-19 and supply chains as well as the SEC staff’s Sample Letter to Companies Regarding Disclosures Pertaining to Russia’s Invasion of Ukraine and Related Supply Chain Issues issued in May 2022, as much of the guidance in these materials could apply to other macroeconomic trends.

Expected Areas of Focus in 2025

In 2025, we expect SEC staff comments to continue to focus on the reporting areas discussed above. Consistent with public statements from the current director of the SEC’s Division of Corporation Finance, the SEC staff may also expand the scope of its comments to address artificial intelligence, cybersecurity and clawbacks.

As noted in the “Assess Trends in Cybersecurity Disclosures — Staff Comments on Cybersecurity Risk Management & Governance Disclosures” section of this checklist, the SEC staff has issued comments on the annual cybersecurity disclosures required by Item 106 of Regulation S-K. While the SEC staff has only issued a few comments on Item 106 cybersecurity disclosures to date, we expect the volume of comments on cybersecurity to expand, with an initial priority on compliance with the Item 106 disclosure requirements.

We also expect that SEC staff comments on clawback disclosures may appear more frequently, including reminders to file a clawback policy and assessments of disclosures when a recovery analysis is triggered, in accordance with the final rules adopted by the SEC in October 2022.

For more information regarding the SEC’s focus on artificial intelligence, cybersecurity and clawbacks, see the “Consider Artificial Intelligence Disclosure,” “Assess Trends in Cybersecurity Disclosures” and “Review Clawback Policies” sections of this checklist.

In addition, the SEC staff may review and issue comments regarding companies’ compliance with the SEC’s recently adopted disclosure rules on insider trading policies and procedures and on option grant practices. For additional considerations regarding these disclosure requirements, see the “Prepare to File Insider Trading Policies” and “Prepare for New Option Grant Practice Disclosures” sections of this checklist.

Prepare for Compliance with Climate-Related Disclosure Rules

The regulatory landscape for climate-related disclosures continues to evolve. The future of the SEC’s climate disclosure rules adopted in March 2024 [3] (SEC Climate Rules) remains uncertain given the pending litigation challenging the rules and the upcoming change in administration. In April 2024, the SEC voluntarily stayed the effectiveness of the SEC Climate Rules pending judicial review. The SEC made clear, however, that its 2010 climate guidance, [4] which provided the basis for the sample comment letter issued in September 2021 by the SEC’s Division of Corporation Finance [5] and subsequent comment letters to companies, remains applicable.

In addition, a growing number of jurisdictions in the U.S. and abroad are requiring climate-related disclosures, and for many companies, some form of climate disclosure will become mandatory regardless of the future of the SEC Climate Rules. For example, for many companies that “do business” in California, California’s sweeping climate disclosure rules will phase in beginning with fiscal year 2025. [6] While the European Union’s disclosure rules under the Corporate Sustainability Reporting Directive (CSRD) initially will apply only to EU-incorporated companies, for fiscal years starting on or after January 1, 2028, non-EU companies must report if they have a significant presence in the EU (defined by minimum EU revenues and asset thresholds). [7]

Preparing for Compliance

In this evolving landscape, companies should stay apprised of the applicability of various climate disclosure rules and proactively consider the necessary steps to comply with current and expected climate-related disclosure rules in the jurisdictions in which they operate. Additionally, maintaining a practice of preparing for compliance with the expected climate rules aligns with broader investor and other stakeholder expectations for robust voluntary climate-related disclosures.

Climate-related disclosures included in SEC filings “filed” with the SEC are subject to potential liability under Section 18 of the Securities Exchange Act of 1934, as amended (Exchange Act) and Section 11 of the Securities Act of 1933, as amended (Securities Act) (if included in or incorporated by reference into a Securities Act registration statement). These provisions impose liability on issuers for making false or misleading statements in SEC filings with respect to any material fact relied on by investors. As companies add or expand climate-related disclosures in their SEC filings, they are likely to face increased potential liability from expanded disclosures.

Moreover, as discussed in detail in our client alert “The Informed Board, Summer 2023 – The EU’s New ESG Disclosure Rules Could Spark Securities Litigation in the US,” climate-related disclosures provided in response to other jurisdictions’ regulatory requirements may be subject to the anti-fraud provisions of U.S. securities laws and potential scrutiny by U.S. investors looking for statements that could be the basis for a lawsuit.

Thus, companies should consider taking a proactive and methodical approach to climate-related DCP to minimize exposure to liability based on inaccurate or incomplete disclosures. At the same time, in light of the growing focus on, and demand for, climate-related disclosures and the uncertainty around the SEC Climate Rules, companies should consider an approach that balances risk tolerance, climate disclosure readiness and competition for compliance resources. Considerations for enhancing climate-related DCP include the following:

  • Internal oversight. Companies should assess whether their current disclosure oversight structure is set up to manage climate-related disclosures, including whether the company’s disclosure committee regularly reviews climate-related disclosures and includes the appropriate personnel. Alternatively, a company that has separate disclosure committees for SEC reporting and sustainability disclosures should consider whether there is sufficient coordination and communication, including overlapping members, between the two committees.
  • Materiality considerations. Disclosures required under existing SEC rules, as well as under the SEC Climate Rules, are based on materiality determinations under the traditional materiality standard — i.e., whether a reasonable investor would likely consider information important when deciding to buy, sell or vote securities. Companies should assess the impact of climate-related risks on their business as a whole and should consider designing a materiality assessment process that can capture and present for consideration all significant and applicable aspects of the company’s climate-related risks and strategies for disclosure. Companies should develop and consistently apply criteria for assessing materiality, taking into account quantitative and qualitative factors as well as industry norms, regulatory guidance, and stakeholder expectations. This process should involve input from cross-functional teams, such as legal, finance, sustainability, and operations, to produce a comprehensive view of the company’s climate-related risks and opportunities. Companies that are subject to multiple climate disclosure regimes also should be mindful of differing “materiality” standards under other disclosure frameworks — for example, the EU’s CSRD incorporates a “double materiality” standard. [8]
  • Subcertification process. Enhancing or adopting subcertification processes can help ensure that climate-related information is accurately captured and reported. Subcertifications involve designating personnel in the relevant departments to certify the accuracy and completeness of the information they provide in order to increase accountability and reduce the risk of errors or omissions.
  • External engagements and assurance. Engaging external advisers with expertise in compiling climate-related data and preparing related disclosures can provide valuable insights and enhance DCP. A company’s team of external advisers may include consultants, legal advisers and third-party attestation providers (which, under the SEC Climate Rules, may be the company’s independent auditor for financial reporting purposes). A company that is required to retain an attestation provider under the CSRD or other regulatory mandates may want to consider whether that provider qualifies as independent under the SEC Climate Rules. In addition, companies should confer with their auditors when implementing controls to track climate-related impacts on the financial statements.
  • Board and committee oversight. Thoughtful assignment of board and committee oversight responsibilities is necessary for tracking, assessing and reporting climate risk. While in some cases environmental, social and governance (ESG) oversight may fall within the purview of the board more generally, boards may consider delegating responsibility for more detailed review of climate-related disclosures to a board committee.
  • Coordinated public disclosures. Stand-alone ESG or sustainability reports and other climate-related disclosures outside of SEC filings, including in response to state or other countries’ disclosure requirements, should be consistent with SEC filings to avoid discrepancies. While companies may include certain disclosures in voluntary reporting that are not included in SEC filings, companies should make clear (i) why they are presenting such voluntary disclosures and (ii) that such voluntary disclosures are not material. Companies may choose to include such voluntary disclosures in their SEC filings with an explanation of why the information is provided (e.g., if the information is not material but provides helpful context).

Consistency is essential to maintain stakeholder trust and avoid potential regulatory scrutiny. To help ensure consistent and accurate public disclosures across platforms for both required and voluntary disclosures, companies should consider:

  • Regularly reviewing and reconciling public statements made in SEC filings, in other regulatory filings and through other media to confirm all climate-related information is accurate and aligned across disclosures.
  • Analyzing appropriate differences between nonmaterial climate-related statements for noninvestor stakeholder audiences and reporting material climate-related risks and impacts for investors.
  • Maintaining a calendar of climate-related disclosure activities, disclosures and deadlines, which can help build a cadence of internal processes and facilitate consistent disclosures over time.
  • Assembling and regularly communicating with cross-functional teams and external advisers to coordinate a comprehensive and harmonized approach.

Note Changes in Beneficial Ownership Reporting Rules

Overview

On October 10, 2023, the SEC adopted amendments to its beneficial ownership rules. Pursuant to the amendments, Schedules 13D and 13G are now required to be filed on a more accelerated basis. The new beneficial ownership rules became effective beginning on February 5, 2024, and companies had until September 30, 2024, to begin complying with the new Schedule 13G accelerated filing deadlines. Under the old rules, except in certain situations, Schedule 13G filings were required to be amended within 45 days after the end of the calendar year for any changes to the previous disclosure. The amended rules require that all Schedule 13G filings be amended within 45 days after the end of the calendar quarter in which any material change occurred.

The first Schedule 13G amendments under the new rules were required to be filed by November 14, 2024. Filers should continue to assess whether any material change in the information previously reported has occurred during each quarter. The SEC declined to define what constitutes a material change for these purposes and instead pointed to the general concept of materiality (as defined in Exchange Act Rule 12b-2). The SEC signaled that any acquisitions or dispositions of 1% or more of the outstanding class of securities should be deemed material for Schedule 13G amendment purposes, based on the 1% threshold prescribed under Rule 13d-2(a) for Schedule 13D amendment purposes.

For initial filers, the amended rules require the filing of an initial Schedule 13G within 45 days after the end of the quarter in which a qualified institutional investor or exempt investor crosses the 5% threshold at quarter-end, or within five business days of crossing the threshold for passive investors.

Recent SEC Enforcement Actions

In September 2024, the SEC announced another enforcement sweep involving Section 13/16 beneficial ownership reporting. The SEC previously took broad-reaching actions in this area, including in 2014, 2015 and 2023.

As part of the 2024 sweep, the SEC settled charges against 23 entities and individuals for failures to timely report information about their holdings and transactions, including in multiple Section 16(a) reports (primarily Forms 4 and 5) and/or Schedule 13D filings required under the Exchange Act. Two public companies were charged for contributing to filing failures by their officers and directors and failing to report the companies’ insiders’ filing delinquencies in their proxy statements. Although individual insiders are ultimately responsible for complying with the Section 16(a) disclosure requirements, many companies voluntarily take on the obligation to prepare and file Section 16 reports on behalf of their officers and directors. In its orders, the SEC noted that “issuers who voluntarily accept certain responsibilities and then act negligently in the performance of those tasks may be liable as a cause of Section 16(a) violations by insiders.”

One entity was also charged for failing to timely file Form 13F reports, which are required to be filed by any institutional investment manager that exercises investment discretion over certain publicly traded securities with a fair market value of at least $100 million.

While beneficial ownership reporting investigations often result in charges against individuals and smaller companies that may not have robust disclosure controls, among the charged entities were a large technology company and leading global investment bank. The SEC’s settlement order with the investment bank noted, among other things, that the bank and some of its affiliates failed to timely file multiple required Section 16 reports, with the SEC documenting at least 28 instances of violations. The order cited failures of the bank’s systems and controls, misapplication of policy exceptions to the bank’s restricted lists, failures to timely identify when the bank became a 10% beneficial owner (which would trigger a Form 3 filing and future Form 4 filing obligations), and internal delays in gathering or verifying information for filings.

Without admitting or denying the findings, the entities and individuals agreed to cease and desist from violations of the respective charged provisions and to pay civil penalties ranging from $10,000-$200,000 for the individuals and $40,000-$750,000 for the entities. The two public companies charged with contributing to insiders’ reporting failures and not disclosing such delinquencies agreed to pay a civil penalty of $200,000 each.

Considerations

The SEC’s announcement of the settled charges described above serves as a timely reminder for companies to ensure adequate systems and controls for beneficial ownership reporting obligations, especially given the new Schedule 13G accelerated filing deadlines.

  • Ensuring compliance with obligations under Sections 13 and 16 is particularly important for companies that have undertaken commitments, whether formal or informal, to assist their insiders with required filings.
  • Companies should also confirm that the relevant employees and directors understand their reporting obligations under Sections 13 and 16 (including Form 13F filings by certain institutional investment managers and Form 13H filings for certain large traders). 
  • Finally, companies should carefully review the disclosures required by Item 405 of Regulation S-K in their annual reports on Form 10-K or proxy statements to help ensure accurate descriptions of any delinquent Section 16 filings or failures to file.

Recent statements from the SEC staff indicate that Section 13 and 16 matters will continue to be a priority in 2025. We expect that the staff will (i) use new technology to identify late Schedule 13D and Schedule 13G filings and (ii) comment more frequently on Schedule 13D filings where material deficiencies have been identified.

Consider Artificial Intelligence Disclosure

Evaluating Trends

The development, use and potential impact of artificial intelligence (AI) is a key focus for market participants, including investors and the SEC. [9] In an analysis of annual reports on Form 10-K filed by S&P 500 companies for the fiscal year ended 2023, over 40% of Forms 10-K included disclosures about AI. [10] Also, more than 40% of S&P 500 companies cited “AI” during earnings calls in the second quarter of 2024. [11] Furthermore, 46% of Fortune 100 companies included AI-related risk disclosures in their annual reports on Form 10-K, with such disclosures falling broadly into one of the following categories: (1) cybersecurity risk; (2) regulatory risk; (3) ethical and reputational risk; (4) operational risk; and (5) competition risk. [12]

In light of these trends, companies should evaluate the role of AI in their business and consider incorporating new or updated AI disclosures in Exchange Act reports, if applicable.

SEC Guidance

In June 2024, the SEC’s Division of Corporation Finance announced that AI was a disclosure priority. The division will consider (i) how companies are defining “artificial intelligence” and how the technology could improve their business; (ii) whether companies are providing tailored, rather than boilerplate, disclosures discussing the materiality to the companies’ business, material risks, and impact on the business and financial results; (iii) whether a company’s business involves AI or if companies are merely using “buzz” words; and (iv) whether companies have a reasonable basis for their claims when discussing AI prospects.

More recently, in September 2024, SEC Chair Gensler stated that companies must ensure that their statements about AI capabilities and risks have a reasonable basis and are specific to the company, rather than relying on vague or generic language.

Disclosure Considerations

Currently, there are no specific SEC disclosure requirements related to AI. However, as with other factors that impact a company’s business, disclosures related to AI may be required when responding to item requirements in periodic reports. For instance, companies may be required to address AI when describing the company’s business, the impact of regulations on the company’s business and the risk factors associated with an investment in the company.

  • Given the SEC’s focus on AI disclosures, companies that determine to include AI disclosures in their reports should confirm that those disclosures accurately detail the company’s AI capabilities and the impact or potential impact of AI on the company’s business.
  • If AI development at a company is in early stages and the potential impact of AI is uncertain, the company should clearly describe the process and steps that may be required to realize the expected impact.
  • Companies should also consider describing (i) whether they are developing their own AI capabilities or relying on third-party service providers and (ii) whether there are material risks to the company from its use of AI or from the development of AI by competitors or others in the market.

Prepare To File Insider Trading Policies

In December 2022, the SEC adopted several amendments to Exchange Act Rule 10b5-1 and new disclosure requirements relating to Rule 10b5-1 trading plans, certain equity awards and gifts of securities. [13] Among other things, the rules require companies to file a copy of their insider trading policies and procedures as an exhibit to their annual reports on Form 10-K. [14] For calendar-year companies, this exhibit filing requirement applies to the Form 10-K for the fiscal year ending December 31, 2024. [15] As the deadline approaches, companies should consider if updates to their insider trading policies are necessary for compliance with the amendments. Below are primary insider trading policy provisions for companies to revisit before filing their policies as exhibits.

Rule 10b5-1 Plans

To the extent companies permit the use of Rule 10b5-1 plans by directors, executive officers or other employees, their insider trading policies should be updated to ensure such plans comply with the requirements of Rule 10b5-1, as amended, including: 

  • Minimum cooling-off periods. 
  • Director and officer representations regarding the adoption and operation of a Rule 10b5-1 plan.
  • The expanded “good faith” requirement.
  • Prohibitions against multiple, overlapping plans. 
  • Limitations on single-trade arrangements.

Companies also should consider requiring preclearance for all Rule 10b5-1 plan adoptions and modifications to help ensure that proposed plans comply with Rule 10b5-1. Although Rule 10b5-1 does not restrict the early termination of a plan, such a termination could call into question whether the plan was adopted and operated in good faith, which could impact the availability of the Rule 10b5-1 affirmative defense for transactions that occurred under the terminated plan. Companies should therefore consider requiring advance notice to their legal departments prior to terminating a Rule 10b5-1 plan.

Blackout Periods

Because the announcement of a company’s quarterly financial results almost always has the potential to materially impact the market for the company’s securities, companies should consider implementing a quarterly blackout period during which persons subject to the blackout may not trade in the company’s securities. In setting a blackout period, companies must consider both the appropriate time frame and scope of individuals to include.

The blackout period should begin when the company’s quarterly results become both sufficiently certain and visible internally. Based on insider trading policies filed to date by companies in the S&P 500 index, companies commonly start their quarterly blackout periods on or between the first and 15th day of the last month of the quarter, and commonly open the trading window after the first or second trading day following release of the company’s earnings.

Blackout periods typically apply to (i) directors, (ii) officers subject to Section 16 of the Exchange Act and (iii) designated employees who frequently have access to material nonpublic information about the company. However, applying quarterly blackout periods to all employees may be appropriate — this is common where there is broad access internally to financial information or the company has a small number of employees.

Shadow Trading

In April 2024, a jury in federal court found a former executive civilly liable for insider trading. In the first-of-its-kind case, the SEC argued that the executive engaged in “shadow trading.” More specifically, the SEC argued that the executive used material nonpublic information about the not-yet-public acquisition of his employer to trade in securities of another company with which he had no relationship, on the assumption that the acquisition of his employer would increase the stock price of the other company. In September 2024, a federal court upheld the jury’s verdict. (Some members of the legal community anticipate that the former executive will appeal the case.)

In light of this shadow trading case, companies should consider addressing in their insider trading policies trading in other companies’ securities on the basis of material nonpublic information obtained in the course of an individual’s position with the company. In doing so, companies should consider whether such a prohibition should apply to all other companies or a narrower set, such as the company’s business partners and competitors.

Treatment of Gifts

In connection with amending Rule 10b5-1, the SEC cited concerns with potentially problematic practices involving gifts of securities, such as making stock gifts while in possession of material nonpublic information or backdating stock gifts to maximize the associated tax benefits. The SEC noted that a scenario in which an insider gifts stock while aware of material nonpublic information and the recipient sells the gifted securities while the information remains nonpublic and material is economically equivalent to a scenario in which the insider trades on the basis of material nonpublic information and gifts the trading proceeds to the recipient.

Accordingly, companies should consider including specific parameters on gifts in their insider trading policies. For example, companies can require advance clearance for gifts by directors, executive officers and certain employees who are subject to quarterly blackout periods, since those individuals are generally more likely to be in possession of material nonpublic information. As a more conservative option, a company can treat gifts the same way it treats ordinary open market purchases and sales, which would prohibit gifts of securities by anyone subject to the policy while subject to a blackout period or in possession of material nonpublic information.

Confirm Requirements for Resource Extraction and Conflict Minerals Form SD Disclosures

Companies should continue to confirm the applicability of the requirements for resource extraction and conflict minerals reporting on Form SD and, if applicable, prepare to provide the requisite disclosures. Key considerations regarding the resource extraction and conflict minerals requirements on Form SD are summarized below.

Resource Extraction Form SD Disclosures

As discussed in more detail in our August 27, 2024, client alert “New Resource Extraction Payment Disclosures Due September 26, 2024,” in December 2020, the SEC adopted final rules requiring “resource extraction issuers,” — which includes any company engaged in the commercial development of oil, natural gas or minerals — to annually report certain payments made to foreign governments or the U.S. federal government on Form SD. These requirements had a two-year transition period, with initial Form SD filings required to be filed with the SEC for the first time in 2024.

The next Form SD filing for resource extraction issuers with a December 31 fiscal year-end is required to be filed with the SEC for fiscal year ending December 31, 2024, by September 27, 2025. [16] A resource extraction issuer with a noncalendar fiscal year-end is required to file its next Form SD with the SEC no later than 270 days following the end of the issuer’s most recently completed fiscal year.

Conflict Minerals Form SD Disclosures

The next Form SD filing under the conflict minerals disclosure rules is required to be filed with the SEC no later than May 31, 2025.

The conflict minerals disclosure rules and related guidance have remained at a practical standstill for the past few years following legal challenges to the rules and a remand to the SEC for further action. As a result, there have been no notable regulatory updates since the April 2017 no-action relief statement by the SEC’s Division of Corporation Finance. In that statement, the division indicated it would not recommend enforcement action against companies for not complying with Item 1.01(c) of Form SD — the provision requiring companies to conduct due diligence to determine the source and custody of conflict minerals in their supply chains and to prepare a “conflict minerals report” describing their efforts and findings. [17]

Companies are still required to comply with the requirements of Items 1.01(a) and (b) of Form SD. This means companies that determine conflict minerals are necessary to the functionality or production of their products must make a good faith effort to determine the country of origin of those minerals and to briefly describe their efforts and findings in a Form SD filed with the SEC and made available on the company’s website. [18]

Prepare for EDGAR Filer Access and Account Management Changes

On September 27, 2024, the SEC adopted rule and form amendments to improve the Electronic Data Gathering, Analysis and Retrieval (EDGAR) system’s filer access and account management. The new system, called EDGAR Next, will impact all public companies, Section 16 officers and directors, any other person who needs to make SEC filings (collectively, “Filers”) and their filing agents. All Filers need to take steps to confirm their existing EDGAR filing and account information in order to enroll when the process starts in March 2025.

Unlike the current system, where anyone with the CIK and CCC EDGAR codes of a Filer can make SEC filings on behalf of the Filer without further verification, only people who are specifically designated in the new account system as of September 2025 will be allowed to make SEC filings in EDGAR Next. Therefore, each Filer must set up an account and designate who can make filings on their behalf. EDGAR Next requires all individuals responsible for making SEC filings or managing related accounts on behalf of Filers to obtain account credentials from Login.gov and complete a two-factor authentication to access EDGAR accounts and make filings. The two-factor authentication requires (i) a password and (ii) verification on the phone or an app.

Filers will need to authorize at least two individuals as account administrators to manage the Filer’s EDGAR account (at least one account administrator for individuals and single-member companies). The account administrator is responsible for adding other administrators (up to 20) and removing other administrators. EDGAR Next additionally requires annual confirmation by an account administrator to ensure the accuracy of certain account-related information. The account administrator may delegate authority to make SEC filings on behalf of the Filer to another person or entity.

On March 24, 2025, the EDGAR Next system will go live, and existing Filers can start transitioning to the new system. Compliance with the amended Form ID is required to obtain new Filer credentials. On September 15, 2025, compliance with EDGAR Next is required.

While the deadline for existing Filers to enroll is December 19, 2025, such Filers will not be able to make any SEC filings until they enroll. After this date, Filers will be required to submit an amended Form ID in order to request access to their existing accounts. In addition, Filers not in compliance will not be able to file with EDGAR legacy codes. However, during the transition period from March 24 to September 15, 2025, Filers will be allowed to use either their traditional EDGAR or EDGAR Next accounts.

Existing Filers should confirm their EDGAR filing codes before March 24, 2025, to streamline the onboarding process. Filers should decide who or which account administrator will be responsible for managing accounts, making SEC filings and providing annual confirmations on behalf of the Filer. Individuals who will be responsible for managing accounts and making SEC filings on behalf of a Filer should obtain Login.gov credentials before March 24, 2025.

A link to the full report can be found here.


[1] SEC rules define DCPs as controls and other procedures designed to ensure that information required to be disclosed in all SEC filings is (i) recorded, processed, summarized and reported within the time periods specified in the SEC’s rules and forms; and (ii) accumulated and communicated to the company’s management as appropriate to allow timely decisions regarding required disclosures. See Securities Exchange Act of 1934, as amended, Rules 13a-15(e) and 15d-15(e).

[2] See Ernst & Young’s SEC Reporting Update “Highlights of Trends in 2024 SEC Staff Comment Letters” (Sept. 12, 2024).

[3] See our March 8, 2024, client alert “SEC Adopts New Rules for Climate-Related Disclosures.” In April 2024, in response to multiple legal challenges, the SEC voluntarily stayed the effectiveness of the climate disclosure rules pending judicial review.

[4] See Commission Guidance Regarding Disclosure Related to Climate Change, Rel. Nos. 33-9106; 34-61469 (Feb. 2, 2010), 75 Fed. Reg. 6290 (Feb. 8, 2010).

[5] See Sample Letter to Companies Regarding Climate Change Disclosures, SEC Staff Guidance (Sept. 2021).

[6] See our October 28, 2024, client alert “State of Play: California Amends Climate Disclosure Rules.”

[7] See our October 9, 2023, client alert “Q&A: The EU Corporate Sustainability Reporting Directive – To Whom Does It Apply and What Should EU and Non-EU Companies Consider?”

[8] Under the CSRD, companies must assess (i) how their business is impacted by sustainability-related factors (financial materiality) and (ii) how their activities impact society and the environment through emissions and employment creation (impact materiality).

[9] See PwC’s Global Investor Survey 2024 (Dec. 4, 2024).

[10] See Bloomberg Law, “AI Disclosures to SEC Jump as Agency Warns of Misleading Claims” (Feb. 8, 2024).

[11] See FactSet, “More Than 40% of S&P 500 Companies Cited ‘AI’ on Earnings Calls for Q2” (Sept. 13, 2024).

[12] See Alston Bird’s Securities Litigation Advisory, “Navigating AI-Related Disclosure Challenges: Securities Filing, SEC Enforcement, and Shareholder Litigation Trends” (July 26, 2024).

[13] See our December 2022 client alert “SEC Amends Rules for Rule 10b5-1 Trading Plans and Adds New Disclosure Requirements.”

[14] FPIs are required to file a copy of their insider trading policies and procedures as an exhibit to their annual reports on Form 20-F, beginning with the annual report covering the first full fiscal year beginning on or after April 1, 2023.

[15] The exhibit filing requirement applies to annual reports covering fiscal years that began on or after April 1, 2023, except for smaller reporting companies (SRCs). For SRCs, the exhibit filing requirement applies to annual reports covering fiscal years that began on or after October 1, 2023.

[16] Because September 27, 2025, falls on a Saturday, the deadline is the next business day (i.e., Monday, September 29, 2025).

[17] See our April 11, 2017, client alert “SEC Staff Provides Relief From Conflict Minerals Rule.”

[18] For additional information concerning the conflict minerals disclosure rules, see our September 5, 2012, client alert “SEC Adopts Conflict Minerals Rules”; June 3, 2013, client alert “SEC Staff Issues Conflict Minerals & Resource Extraction Payments Disclosure Guidance”; April 30, 2014, client alert “SEC Staff Issues Statement on Conflict Minerals Ruling”; and May 2, 2024, client alert “Conflict Minerals Disclosures Due May 31, 2024.”
