Developments in Securities Regulation, Corporate Governance, Capital Markets, M&A and Other Topics of Interest.

Erik Gerding, Director, SEC Division of Corporation Finance, issued a statement to clear up misconceptions following the filing of an 8-K disclosing a cybersecurity incident.

According to Mr. Gerding, some companies are under the impression that if they experience a material cybersecurity incident, the SEC’s new rules prohibit them from discussing that incident beyond what was included in the Item 1.05 Form 8-K disclosing the incident.  Mr. Gerding added “That is not the case.”

According to the statement, nothing in Item 1.05 prohibits a company from privately discussing a material cybersecurity incident with other parties or from providing information about the incident to such parties beyond what was included in an Item 1.05 Form 8-K.

Mr. Gerding also addressed selective disclosure questions under Regulation FD.  As is well-known, Regulation FD requires public disclosure of any material nonpublic information that has been selectively disclosed to securities market professionals or shareholders, as specified in the regulation.  Depending on the information disclosed, and the persons to whom that information is disclosed, discussions regarding a cybersecurity incident may implicate Regulation FD.

“Nothing in Item 1.05 alters Regulation FD or makes it apply any differently to communications regarding cybersecurity incidents,” according to Mr. Gerding. There are several ways that a public company can privately share information regarding a material cybersecurity incident beyond what was disclosed in its Item 1.05 Form 8-K without implicating Regulation FD:

  • For example, the information that is being privately shared about the incident may be immaterial, or the parties with whom the information is being shared may not be one of the types of persons covered by Regulation FD.
  • Further, even if the information being shared is material nonpublic information and the parties with whom the information is being shared are the types of persons covered by Regulation FD, an exclusion from the application of Regulation FD may apply.
  • For example, if the information is being shared with a person who owes a duty of trust or confidence to the issuer (such as an attorney, investment banker, or accountant) or if the person with whom the information being shared expressly agrees to maintain the disclosed information in confidence (e.g., if they enter into a confidentiality agreement with the issuer), then public disclosure of that privately-shared information will not be required under Regulation FD.

Erik Gerding, Director, Division of Corporation Finance, released a statement on the preferred methods to disclose certain cybersecurity incidents.  Mr. Gerding noted “The cybersecurity rules that the Commission adopted on July 26, 2023 require public companies to disclose material cybersecurity incidents under Item 1.05 of Form 8-K.  If a company chooses to disclose a cybersecurity incident for which it has not yet made a materiality determination, or a cybersecurity incident that the company determined was not material, the Division of Corporation Finance encourages the company to disclose that cybersecurity incident under a different item of Form 8-K (for example, Item 8.01).  Although the text of Item 1.05 does not expressly prohibit voluntary filings, Item 1.05 was added to Form 8-K to require the disclosure of a cybersecurity incident “that is determined by the registrant to be material,” and, in fact, the item is titled “Material Cybersecurity Incidents.”  In addition, in adopting Item 1.05, the Commission stated that “Item 1.05 is not a voluntary disclosure, and it is by definition material because it is not triggered until the company determines the materiality of an incident.”  Therefore, it could be confusing for investors if companies disclose either immaterial cybersecurity incidents or incidents for which a materiality determination has not yet been made under Item 1.05.”

Mr. Gerding also noted “This clarification is not intended to discourage companies from voluntarily disclosing cybersecurity incidents for which they have not yet made a materiality determination, or from disclosing incidents that companies determine to be immaterial.  I recognize the value of such voluntary disclosures to investors, the marketplace, and ultimately to companies, and this statement is not intended to disincentivize companies from making those disclosures.”

Finally, Mr. Gerding indicates “in determining whether a cybersecurity incident is material, and in assessing the incident’s impact (or reasonably likely impact), companies should assess all relevant factors.  As the Commission noted in the Adopting Release, that assessment should not be limited to the impact on “financial condition and results of operation,” and “companies should consider qualitative factors alongside quantitative factors.”  For example, companies should consider whether the incident will “harm . . . [its] reputation, customer or vendor relationships, or competitiveness.”  Companies also should consider “the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and Federal Governmental authorities and non-U.S. authorities.””

In Macquarie Infrastructure Corp., et al., v. Moab Partners, L. P., et al., a unanimous United States Supreme Court held that failure to make MD&A disclosures required by Item 303 of Regulation S-K does not violate Rule 10b-5(b).  The Court reiterated the tenet of Basic Inc. v. Levinson that “Silence, absent a duty to disclose, is not misleading under Rule 10b–5.”

The facts are straightforward. Macquarie owned a subsidiary that operated terminals to store bulk liquid commodities, including No. 6 fuel oil, a byproduct of the refining process with a typical sulfur content close to 3%. In 2016, the United Nations’ International Maritime Organization formally adopted IMO 2020, a regulation capping the sulfur content of fuel oil used in shipping at 0.5% by 2020. In the ensuing years, Macquarie did not discuss IMO 2020 in its public offering documents. In February 2018, however, Macquarie announced a drop in the amount of storage contracted for use by its subsidiary due in part to the decline in the No. 6 fuel oil market. Macquarie’s stock price fell 41%.

In response, Moab Partners, L. P., sued Macquarie and various officer defendants. Moab alleged, among other things, that Macquarie violated SEC Rule 10b–5(b)—which makes it unlawful to omit material facts in connection with buying or selling securities when that omission renders “statements made” misleading—because it had a duty to disclose the IMO 2020 information under Item 303 of SEC Regulation S–K. Item 303 requires companies to disclose “known trends or uncertainties that have had or that are reasonably likely to have a material favorable or unfavorable impact on net sales or revenues or income from continuing operations” in periodic filings with the SEC. The District Court dismissed Moab’s complaint. The Second Circuit reversed, concluding in part that Moab’s allegations concerning the likely material effect of IMO 2020 gave rise to a duty to disclose under Item 303, and Macquarie’s Item 303 violation alone could sustain Moab’s §10(b) and Rule 10b–5 claim.

Reversing the Second Circuit, the Supreme Court held that pure omissions are not actionable under Rule 10b–5(b). Rule 10b–5(b) makes it unlawful “[t]o make any untrue statement of a material fact or to omit to state a material fact necessary in order to make the statements made, in the light of the circumstances under which they were made, not misleading.”  In addition to prohibiting “any untrue statement of a material fact”—i.e., false statements or lies—the Rule also prohibits omitting a material fact necessary “to make the statements made . . . not misleading.”  According to the Court, this case turned on whether this second prohibition bars only half-truths or instead extends to pure omissions.

The Court stated a pure omission occurs when a speaker says nothing, in circumstances that do not give any special significance to that silence. Half-truths, on the other hand, are “representations that state the truth only so far as it goes, while omitting critical qualifying information.” Rule 10b–5(b) requires disclosure of information necessary to ensure that statements already made are clear and complete. Logically and by its plain text, Rule 10b–5(b) therefore covers half-truths, not pure omissions, because it requires identifying affirmative assertions (i.e., “statements made”) before determining if other facts are needed to make those statements “not misleading.”

The Court bolstered its conclusion by comparing the foregoing analysis to Section 11(a) of the Securities Act of 1933, which prohibits any registration statement that “omit[s] to state a material fact required to be stated therein.” By its terms, §11(a) creates liability for failure to speak. Neither §10(b) nor Rule 10b–5(b) contains language similar to §11(a), and according to the Court, that omission is telling.

Concluding the analysis, the Court looked to Basic Inc. v. Levinson, noting “Silence, absent a duty to disclose, is not misleading under Rule 10b–5.”  The Court noted a duty to disclose, however, does not automatically render silence misleading under Rule 10b–5(b). The failure to disclose information required by Item 303 can support a Rule 10b–5(b) claim only if the omission renders affirmative statements made misleading.

Moab and the SEC suggested that a plaintiff does not need to plead any statements rendered misleading by a pure omission because reasonable investors know that the Exchange Act requires issuers to file periodic informational statements in which companies must furnish the information required by Item 303. But that argument reads the words “statements made” out of Rule 10b–5(b) and shifts the focus of that Rule and §10(b) from fraud to disclosure.

What remains open after Macquarie

Macquarie only addresses whether a pure omission violated Rule 10b-5(b).  The Court did not opine on issues that were either tangential to the question presented or were not passed upon by the lower courts, including what constitutes “statements made,” when a statement is misleading as a half-truth, or whether Rules 10b–5(a) and 10b–5(c) support liability for pure omissions.

The SEC adopted amendments to its rules under the Securities Act of 1933 and Securities Exchange Act of 1934 that will require registrants to provide certain climate related information in their registration statements and annual reports. The final rules will require information about a registrant’s climate-related risks that have materially impacted, or are reasonably likely to have a material impact on, its business strategy, results of operations, or financial condition. In addition, under the final rules, certain disclosures related to severe weather events and other natural conditions will be required in a registrant’s audited financial statements.

The final rules will become effective 60 days after publication in the Federal Register, and compliance will be phased in based on a registrant’s filing status.  For large accelerated filers (“LAF”), compliance starts with fiscal years beginning in 2025; for accelerated filers (“AF”) other than smaller reporting companies (“SRC”) and emerging growth companies (“EGC”), compliance starts with fiscal years beginning in 2026; and for other filers (including SRCs and EGCs), compliance starts with fiscal years beginning in 2027.

Content of the Climate-Related Disclosures

The final rules will create a new subpart 1500 of Regulation S-K and Article 14 of Regulation S-X. In particular, the final rules will require a registrant to disclose information about the following items:

  • Any climate-related risks identified by the registrant that have had or are reasonably likely to have a material impact on the registrant, including on its strategy, results of operations, or financial condition in the short-term (i.e., the next 12 months) and in the long-term (i.e., beyond the next 12 months);
  • The actual and potential material impacts of any identified climate-related risks on the registrant’s strategy, business model, and outlook, including, as applicable, any material impacts on a non-exclusive list of items;
  • If, as part of its strategy, a registrant has undertaken activities to mitigate or adapt to a material climate-related risk, a quantitative and qualitative description of material expenditures incurred and material impacts on financial estimates and assumptions that, in management’s assessment, directly result from such mitigation or adaptation activities;
  • If a registrant has adopted a transition plan to manage a material transition risk, a description of the transition plan, and updated disclosures in the subsequent years describing the actions taken during the year under the plan, including how the actions have impacted the registrant’s business, results of operations, or financial condition, and quantitative and qualitative disclosure of material expenditures incurred and material impacts on financial estimates and assumptions as a direct result of the disclosed actions;
  • If a registrant uses scenario analysis and, in doing so, determines that a climate-related risk is reasonably likely to have a material impact on its business, results of operations, or financial condition, certain disclosures regarding such use of scenario analysis;
  • If a registrant’s use of an internal carbon price is material to how it evaluates and manages a material climate-related risk, certain disclosures about the internal carbon price;
  • Any oversight by the board of directors of climate-related risks and any role by management in assessing and managing the registrant’s material climate-related risks;
  • Any processes the registrant has for identifying, assessing, and managing material climate-related risks and, if the registrant is managing those risks, whether and how any such processes are integrated into the registrant’s overall risk management system or processes;
  • If a registrant has set a climate-related target or goal that has materially affected or is reasonably likely to materially affect the registrant’s business, results of operations, or financial condition, certain disclosures about such target or goal, including material expenditures and material impacts on financial estimates and assumptions as a direct result of the target or goal or actions taken to make progress toward meeting such target or goal;
  • If a registrant is an LAF or an AF that is not otherwise exempted, and its Scope 1 emissions and/or its Scope 2 emissions metrics are material, certain disclosure about those emissions;
  • The capitalized costs, expenditures expensed, charges, and losses incurred as a result of severe weather events and other natural conditions, such as hurricanes, tornadoes, flooding, drought, wildfires, extreme temperatures, and sea level rise, subject to applicable one percent and de minimis disclosure thresholds.

Attestation Reports

In addition, under the final rules, a registrant that is required to disclose Scopes 1 and/or 2 emissions and is an LAF or AF must file an attestation report in respect of those emissions subject to phased in compliance dates. An AF must file an attestation report at the limited assurance level beginning the third fiscal year after the compliance date for disclosure of GHG emissions. An LAF must file an attestation report at the limited assurance level beginning the third fiscal year after the compliance date for disclosure of GHG emissions, and then file an attestation report at the reasonable assurance level beginning the seventh fiscal year after the compliance date for disclosure of GHG emissions. The final rules also require a registrant that is not required to disclose its GHG emissions or to include a GHG emissions attestation report pursuant to the final rules to disclose certain information if the registrant voluntarily discloses its GHG emissions in a Commission filing and voluntarily subjects those disclosures to third-party assurance.

Modifications From Proposed Rules

The final rules reflect a number of modifications to the proposed rules based on the comments the SEC received. The SEC revised the proposed rules in several respects, including by:

  • Adopting a less prescriptive approach to certain of the final rules, including, for example, the climate-related risk disclosure, board oversight disclosure, and risk management disclosure requirements;
  • Qualifying the requirements to provide certain climate-related disclosures based on materiality, including, for example, disclosures regarding impacts of climate-related risks, use of scenario analysis, and maintained internal carbon price;
  • Eliminating the proposed requirement to describe board members’ climate expertise;
  • Eliminating the proposed requirement for all registrants to disclose Scope 1 and Scope 2 emissions and instead requiring such disclosure only for LAFs and AFs, on a phased in basis, and only when those emissions are material and with the option to provide the disclosure on a delayed basis;
  • Exempting SRCs and EGCs from the Scope 1 and Scope 2 emissions disclosure requirement;
  • Modifying the proposed assurance requirement covering Scope 1 and Scope 2 emissions for AFs and LAFs by extending the reasonable assurance phase in period for LAFs and requiring only limited assurance for AFs;
  • Eliminating the proposed requirement to provide Scope 3 emissions disclosure (which the proposal would have required in certain circumstances);
  • Removing the requirement to disclose the impact of severe weather events and other natural conditions and transition activities on each line item of a registrant’s consolidated financial statements;
  • Focusing the required disclosure of financial statement effects on capitalized costs, expenditures expensed, charges, and losses incurred as a result of severe weather events and other natural conditions in the notes to the financial statements;
  • Requiring disclosure of material expenditures directly related to climate-related activities as part of a registrant’s strategy, transition plan and/or targets and goals disclosure requirements under subpart 1500 of Regulation S-K rather than under Article 14 of Regulation S-X;
  • Extending a safe harbor from private liability for certain disclosures, other than historic facts, pertaining to a registrant’s transition plan, scenario analysis, internal carbon pricing, and targets and goals;
  • Eliminating the proposal to require a private company that is a party to a business combination transaction, as defined by Securities Act Rule 165(f), registered on Form S-4 or F-4 to provide the subpart 1500 and Article 14 disclosures;
  • Eliminating the proposed requirement to disclose any material change to the climate related disclosures provided in a registration statement or annual report in a Form 10-Q (or, in certain circumstances, Form 6-K for a registrant that is a foreign private issuer that does not report on domestic forms); and
  • Extending certain phase in periods.

Presentation and Submission of the Climate-Related Disclosures

The final rules provide that a registrant (both domestic and foreign private issuer) must:

  • File the climate-related disclosure in its registration statements and Exchange Act annual reports;
  • Include the climate-related disclosures required under Regulation S-K, except for any Scopes 1 and/or 2 emissions disclosures, in a separate, appropriately captioned section of its filing or in another appropriate section of the filing, such as Risk Factors, Description of Business, or Management’s Discussion and Analysis of Financial Condition and Results of Operations (“MD&A”), or, alternatively, by incorporating such disclosure by reference from another Commission filing as long as the disclosure meets the electronic tagging requirements of the final rules;
  • If required to disclose its Scopes 1 and 2 emissions, provide such disclosure:
    • If a registrant filing on domestic forms, in its annual report on Form 10-K, in its quarterly report on Form 10-Q for the second fiscal quarter in the fiscal year immediately following the year to which the GHG emissions metrics disclosure relates incorporated by reference into its Form 10-K, or in an amendment to its Form 10-K filed no later than the due date for the Form 10-Q for its second fiscal quarter;
    • If a foreign private issuer not filing on domestic forms, in its annual report on Form 20-F, or in an amendment to its annual report on Form 20-F, which shall be due no later than 225 days after the end of the fiscal year to which the GHG emissions metrics disclosure relates; and
    • If filing a Securities Act or Exchange Act registration statement, as of the most recently completed fiscal year that is at least 225 days prior to the date of effectiveness of the registration statement;
  • If required to disclose Scopes 1 and 2 emissions, provide such disclosure for the registrant’s most recently completed fiscal year and, to the extent previously disclosed, for the historical fiscal year(s) included in the filing;
  • If required to provide an attestation report over Scope 1 and Scope 2 emissions, provide such attestation report and any related disclosures in the filing that contains the GHG emissions disclosures to which the attestation report relates;
  • Provide the financial statement disclosures required under Regulation S-X for the registrant’s most recently completed fiscal year, and to the extent previously disclosed or required to be disclosed, for the historical fiscal year(s) included in the filing, in a note to the registrant’s audited financial statements; and
  • Electronically tag both narrative and quantitative climate-related disclosures in Inline XBRL.

Safe Harbor for Certain Climate-Related Disclosures

The final rules provide a safe harbor for climate-related disclosures pertaining to transition plans, scenario analysis, the use of an internal carbon price, and targets and goals, provided pursuant to Regulation S-K sections 1502(e), 1502(f), 1502(g), and 1504. The safe harbor provides that all information required by the specified sections, except for historical facts, is considered a forward-looking statement for purposes of the Private Securities Litigation Reform Act safe harbors for forward-looking statements provided in section 27A of the Securities Act and section 21E of the Exchange Act.

The NYSE amended its shareholder approval rules to make it easier for listed companies to sell securities to passive existing shareholders without obtaining shareholder approval.  The SEC approved the change on an accelerated basis.

Section 312.03(b)(i) of the NYSE’s Listed Company Manual provides that shareholder approval is required prior to the issuance of common stock, or of securities convertible into or exercisable for common stock, in any transaction or series of related transactions, to a director, officer or substantial security holder of the company if the number of shares of common stock to be issued, or if the number of shares of common stock into which the securities may be convertible or exercisable, exceeds either one percent of the number of shares of common stock or one percent of the voting power outstanding before the issuance.

Section 312.04(e) of the Manual provides that an interest consisting of less than either five percent of the number of shares of common stock or five percent of the voting power outstanding of a company or entity is not to be considered a substantial interest or cause the holder of such an interest to be regarded as a substantial security holder.

The Manual provides an exception to the shareholder approval requirement if such transaction is a cash sale for a price that is at least the Minimum Price. Section 312.04(h) defines the Minimum Price as a price that is the lower of: (i) the Official Closing Price immediately preceding the signing of the binding agreement; or (ii) the average Official Closing Price for the five trading days immediately preceding the signing of the binding agreement. Section 312.04(i) defines the “Official Closing Price” of an issuer’s common stock as the official closing price on the NYSE as reported to the Consolidated Tape immediately preceding the signing of a binding agreement to issue the securities.

The NYSE believes there are significant benefits from the protection provided to a listed company’s investors by the shareholder approval requirements in Section 312.03(b)(i) when a purchaser of the securities in a transaction is an officer or director or other control person of the company. In such cases, the potential exists for a related party purchaser to use their influence within the company to obtain superior terms from the company to the detriment of the company’s shareholders as a whole. However, the current definition of substantial security holder used in the rule also applies to holders of a company’s common stock who do not participate in the governance or management of the company through board or management representation. The NYSE believes that transactions with these kinds of shareholders who do not participate in the governance or management of the company generally do not give rise to the potential conflicts of interest in the determination of transaction terms that exist where the purchaser has a role in the listed company’s board or management. The NYSE believes that these shareholders that do not participate actively in the company in this way generally do not have the same ability to participate in and influence decision making as is the case with a related party that directly participates in the governance or management of the company.

In light of the foregoing, the NYSE amended Section 312.03(b)(i) to limit its application to related parties whose interest in the company is not passive in nature. As amended, Section 312.03(b)(i) would be limited in application to sales to a director, officer, controlling shareholder or member of a control group or any other substantial security holder of the company that has an affiliated person who is an officer or director of the company (each an “Active Related Party”). For purposes of determining the existence of a group, the NYSE will rely on the filings on Schedule 13D or Schedule 13G disclosing the existence of a group as determined under Section 13(d)(3) or Section 13(g)(3) of the NYSE Act, along with any additional follow-up inquiry that is needed. The NYSE amended Section 312.04 to include new definitions for purposes of Section 312.03, providing that: (i) a “group” means a group as determined under Section 13(d)(3) or Section 13(g)(3) of the NYSE Act; and (ii) “control” has the same meaning as defined in Rule 12b-2 of Regulation 12B under the NYSE Act. The NYSE intends to revise its internal procedures in reviewing proposed transactions to the extent necessary to obtain the necessary information to make determinations with respect to whether shareholders participating in transactions are Active Related Parties.

In addition to the new definition of Active Related Party in the amended version of Section 312.03(b)(i), the NYSE proposes for purposes of Section 312.03(b)(ii) to retain the broader definition of a Related Party included in the current rule (i.e., “a director, officer or substantial security holder of the company”). Consequently, this proposal would not have any substantive effect on the application of Section 312.03(b)(ii) and a listed company selling securities to a Related Party under the circumstances set forth in the rule as amended remains subject to the shareholder approval requirements in that provision.

Under the proposal the NYSE will continue to require shareholder approval for below market sales (i.e., below the Minimum Price) over one percent to Active Related Parties.  However, as a consequence of the proposed amendment, below market sales over one percent to substantial securityholders who are not Active Related Parties will be permitted without shareholder approval under 312.03(b)(i), but will continue to be subject to all the other applicable shareholder approval requirements under 312.03.

It appears the lone ISS policy update for the US will be to Severance Agreements for Executives/Golden Parachutes.

ISS will vote on a case-by-case basis on shareholder proposals requiring that executive severance (including change-in-control related) arrangements or payments be submitted for shareholder ratification.

Factors that will be considered include, but are not limited to:

  • The company’s severance or change-in-control agreements in place, and the presence of problematic features (such as excessive severance entitlements, single triggers, excise tax gross-ups, etc.);
  • Any existing limits on cash severance payouts or policies which require shareholder ratification of severance payments exceeding a certain level;
  • Any recent severance-related controversies; and
  • Whether the proposal is overly prescriptive, such as requiring shareholder approval of severance that does not exceed market norms.

The SEC issued a staff report on the accredited investor definition. The Dodd-Frank Wall Street Reform and Consumer Protection Act directs the Commission to review the accredited investor definition as it relates to natural persons every four years to determine whether the definition should be modified or adjusted.  The Staff previously reviewed the definition in 2015 and in 2019 (as part of the Concept Release on Harmonization of Securities Offering Exemptions). Staff from the Divisions of Corporation Finance and Economic and Risk Analysis prepared the report in connection with this third review of the definition.

The report examines the current status of the accredited investor pool and concludes with a review of frequently suggested revisions to the accredited investor definition received from a variety of sources, including public commenters, the Investor Advisory Committee, and the Small Business Capital Formation Advisory Committee.

The report does not make any recommendations.  Much of the report seems to discuss how little information the SEC staff has to evaluate the definition.

The SEC adopted final rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.

Form 8-K Item 1.05 – Material Cybersecurity Incidents

Required Disclosure

Form 8-K, Item 1.05 provides that if a registrant experiences a cybersecurity incident that is determined by the registrant to be material, the registrant must describe in Form 8-K the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.

A “cybersecurity incident” is defined to mean an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.   “Information systems” is defined to mean electronic information resources, owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant’s information to maintain or support the registrant’s operations.

The required information must be provided in an Interactive Data File in accordance with Rule 405 of Regulation S-T and the EDGAR Filer Manual.

A report pursuant to Item 1.05 must be filed within four business days after the registrant determines that it has experienced a material cybersecurity incident.  A registrant’s materiality determination regarding a cybersecurity incident must be made without unreasonable delay after discovery of the incident.

To the extent that the information called for in Item 1.05 is not determined or is unavailable at the time of the required filing, the registrant must include a statement to that effect in the filing and then must file an amendment to its Form 8-K filing under this Item 1.05 containing such information within four business days after the registrant, without unreasonable delay, determines such information or within four business days after such information becomes available.

A registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.

Materiality Assessment

The SEC declined to provide additional guidance regarding the application of a materiality determination to cybersecurity and declined to replace materiality with a significance standard. The SEC expects that registrants will apply materiality considerations as would be applied regarding any other risk or event that a registrant faces. According to the SEC, carving out a cybersecurity-specific materiality definition would mark a significant departure from current practice, and would not be consistent with the intent of the final rules. Accordingly, the SEC reiterated, consistent with the standard set out in the cases addressing materiality in the securities laws, that information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.” Because materiality’s focus on the total mix of information is from the perspective of a reasonable investor, companies assessing the materiality of cybersecurity incidents, risks, and related issues should do so through the lens of the reasonable investor. The evaluation should take into consideration all relevant facts and circumstances, which may involve consideration of both quantitative and qualitative factors. Thus, for example, when a registrant experiences a data breach, it should consider both the immediate fallout and any longer term effects on its operations, finances, brand perception, customer relationships, and so on, as part of its materiality analysis. The SEC also noted that, given the fact-specific nature of the materiality determination, the same incident that affects multiple registrants may not become reportable at the same time, and it may be reportable for some registrants but not others.

Form 10-K, Item 1C

Registrants will be required to disclose the information required by Item 106 in Form 10-K.  The information required by this Item must be disclosed in an Interactive Data File in accordance with Rule 405 of Regulation S-T and the EDGAR Filer Manual. The information includes:

Risk management and strategy

 A description of the registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. In providing such disclosure, a registrant should address, as applicable, the following non-exclusive list of disclosure items:

  • Whether and how any such processes have been integrated into the registrant’s overall risk management system or processes;
  • Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
  • Whether the registrant has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.

Registrants must also describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how.

A “cybersecurity threat” is defined to mean any potential unauthorized occurrence on or conducted through a registrant’s information systems that may result in adverse effects on the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.

Governance

Registrants are also required to describe the board of directors’ oversight of risks from cybersecurity threats. If applicable, the registrant must identify any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and describe the processes by which the board or such committee is informed about such risks.

Management’s role in assessing and managing the registrant’s material risks from cybersecurity threats must also be disclosed. In providing such disclosure, a registrant should address, as applicable, the following non-exclusive list of disclosure items:

  • Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
  • The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
  • Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.

Board of Directors’ Cybersecurity Expertise

The SEC declined to adopt disclosures regarding cybersecurity expertise of directors in the final rules.

S-3 Eligibility

General Instruction I.A.3.(b) of Form S-3 was amended so that the untimely filing of an Item 1.05 Form 8-K will not result in the loss of Form S-3 eligibility.

Implementation Deadlines

The final rules will become effective 30 days following publication of the adopting release in the Federal Register. With respect to Regulation S-K Item 106, all registrants must provide such disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023. With respect to compliance with the incident disclosure requirements in Form 8-K Item 1.05, all registrants other than smaller reporting companies must begin complying on the later of 90 days after the date of publication in the Federal Register or December 18, 2023. Smaller reporting companies will have an additional 180 days and must begin complying with Form 8-K Item 1.05 on the later of 270 days from the effective date of the rules or June 15, 2024. With respect to compliance with the structured data requirements, all registrants must tag disclosures required under the final rules in Inline XBRL beginning one year after initial compliance with the related disclosure requirement.

The SEC has adopted final amendments requiring disclosures related to issuers’ share repurchases. The amendments will require domestic issuers to:

  • Disclose daily repurchase activity quarterly;
  • Check a box indicating if certain directors or officers traded in the relevant securities within four business days before or after the public announcement of an issuer’s repurchase plan or program;
  • Provide narrative disclosure about the issuer’s repurchase programs and practices in its periodic reports; and
  • Provide quarterly disclosure in an issuer’s periodic reports on Forms 10-K and 10-Q related to an issuer’s adoption and termination of 10b5-1 trading arrangements.

Disclosure of Share Repurchases

The final amendments require corporate issuers that file on domestic forms to disclose the total repurchases made each day for the quarter in an exhibit to their Form 10-Q and Form 10-K (for the fourth fiscal quarter).  The final amendments also:

  • Require the daily repurchase data to be filed instead of furnished;
  • Eliminate the requirement in current Item 703(a) of Regulation S-K that issuers disclose their monthly quantitative repurchase data in their periodic reports as the information will be included in an exhibit;
  • Require disclosure of purchases that were “intended to qualify for” the Rule 10b-18 safe harbor; and
  • Require issuers to disclose, in tabular form, the number of shares purchased daily in reliance on Rule 10b-18 or intended to qualify for the affirmative defense provisions of Rule 10b5-1(c).

Narrative Revisions to Item 703 of Regulation S-K

The final amendments require an issuer to disclose:

  • The objectives or rationales for each repurchase plan or program and process or criteria used to determine the amount of repurchases;
  • Any policies and procedures relating to purchases and sales of its securities by its officers and directors during a repurchase program, including any restriction on such transactions; and
  • Whether any of its directors and officers subject to the reporting requirements under Exchange Act Section 16(a) purchased or sold shares or other units of the class of the issuer’s equity securities that are registered pursuant to section 12 of the Exchange Act and subject of a publicly announced repurchase plan or program within four business days before or after the issuer’s announcement of such repurchase plan or program or the announcement of an increase of an existing share repurchase plan or program by checking a box before the tabular disclosure of issuer purchases of equity securities.

Additionally, the final amendments require disclosure of the number of shares (or units) purchased other than through a publicly announced plan or program, and the nature of the transaction (e.g., whether the purchases were made in open-market transactions, tender offers, in satisfaction of the issuer’s obligations upon exercise of outstanding put options issued by the issuer, or other transactions), and certain disclosures for publicly announced repurchase plans or programs, including:

  • The date each plan or program was announced;
  • The dollar amount (or share or unit amount) approved;
  • The expiration date (if any) of each plan or program;
  • Each plan or program that has expired during the period covered by the table; and
  • Each plan or program the issuer has determined to terminate prior to expiration, or under which the issuer does not intend to make further purchases.

New Item 408(d)

New Item 408(d) will require an issuer to disclose whether, during its most recently completed fiscal quarter (the issuer’s fourth fiscal quarter in the case of an annual report), the issuer adopted or terminated a contract, instruction, or written plan to purchase or sell its securities intended to satisfy the affirmative defense conditions of Rule 10b5-1(c). Issuers are also required to provide a description of the material terms of the contract, instruction, or written plan (other than terms with respect to the price at which the party executing the respective trading arrangement is authorized to trade), such as:

  • The date on which the registrant adopted or terminated the Rule 10b5-1 trading arrangement;
  • The duration of the Rule 10b5-1 trading arrangement; and
  •  The aggregate number of securities to be purchased or sold pursuant to the Rule 10b5-1 trading arrangement.

New Item 408(d) does not require disclosure of the price at which the party executing the trading arrangement is authorized to trade.

Although there may be some overlap in the disclosure provided pursuant to new Item 408(d) and the disclosure provided pursuant to the amendment to Item 703 of Regulation S-K about an issuer’s Rule 10b5-1(c) trading arrangements adopted during the prior fiscal quarter, new Item 408(d) is intended to complement the new Item 703 disclosure. The disclosure requirement in Item 703 will be triggered only if an issuer had conducted a share repurchase in the prior fiscal quarter. In contrast, Item 408(d) will require disclosure if a Rule 10b5-1 plan was adopted or terminated, regardless of whether a share repurchase transaction pursuant to that plan actually occurred during the prior fiscal quarter that is covered in the Form 10-Q or Form 10-K (for the issuer’s fourth fiscal quarter). To prevent potential duplicative disclosures, the SEC included a note to Item 408(d)(1), which states that, if the disclosure provided pursuant to Item 703 contains disclosure that would satisfy the requirements of Item 408(d)(1), a cross-reference to that disclosure will satisfy the Item 408(d)(1) requirements.

Structured Data Requirement

The final amendments require issuers to tag the information disclosed pursuant to Items 601 and 703 of Regulation S-K in a structured, machine-readable data language in accordance with Rule 405 of Regulation S-T and the EDGAR Filer Manual. The final amendments require detail tagging of the quantitative amounts disclosed within the required tabular disclosures and block text tagging and detail tagging of required narrative and quantitative information.

Compliance Date

Domestic issuers will be required to comply with the new disclosure and tagging requirements in their Exchange Act periodic reports on Forms 10-Q and 10-K (for their fourth fiscal quarter) beginning with the first filing that covers the first full fiscal quarter that begins on or after October 1, 2023.

Both the NYSE and Nasdaq have issued proposed clawback rules in connection with SEC Rule 10D-1.

NYSE

The NYSE proposes to comply with Rule 10D-1 by adopting proposed new Section 303A.14 of the Listed Company Manual. Proposed Section 303A.14 is designed to conform closely to the applicable language of Rule 10D-1 and requires an issuer to adopt a Recovery Policy.

The issuer’s Recovery Policy must apply to all incentive-based compensation received by a person:

  • After beginning service as an executive officer;
  • Who served as an executive officer at any time during the performance period for that incentive-based compensation;
  • While the issuer has a class of securities listed on a national securities exchange or a national securities association; and
  • During the three completed fiscal years immediately preceding the date that the issuer is required to prepare an accounting restatement as described in proposed Section 303A.14.

An executive officer is the issuer’s president, principal financial officer, principal accounting officer (or if there is no such accounting officer, the controller), any vice-president of the issuer in charge of a principal business unit, division, or function (such as sales, administration, or finance), any other officer who performs a policy-making function, or any other person who performs similar policy-making functions for the issuer. Policy-making function is not intended to include policy-making functions that are not significant. Identification of an executive officer for purposes of Section 303A.14 would include at a minimum executive officers identified pursuant to Regulation S-K Item 401(b).

The amount of incentive-based compensation that must be subject to the issuer’s recovery policy (“erroneously awarded compensation”) is the amount of incentive-based compensation received that exceeds the amount of incentive-based compensation that otherwise would have been received had it been determined based on the restated amounts, and must be computed without regard to any taxes paid. For incentive-based compensation based on stock price or total shareholder return, where the amount of erroneously awarded compensation is not subject to mathematical recalculation directly from the information in an accounting restatement:

  • The amount must be based on a reasonable estimate of the effect of the accounting restatement on the stock price or total shareholder return upon which the incentive-based compensation was received; and
  • The issuer must maintain documentation of the determination of that reasonable estimate and provide such documentation to the Exchange.

The issuer must recover erroneously awarded compensation in compliance with its Recovery Policy except to the extent that the conditions in one of the three bullets set forth below are met, and the issuer’s committee of independent directors responsible for executive compensation decisions, or in the absence of such a committee, a majority of the independent directors serving on the board, has made a determination that recovery would be impracticable.

  • The direct expense paid to a third party to assist in enforcing the policy would exceed the amount to be recovered. Before concluding that it would be impracticable to recover any amount of erroneously awarded compensation based on expense of enforcement, the issuer must make a reasonable attempt to recover such erroneously awarded compensation, document such reasonable attempt(s) to recover, and provide that documentation to the Exchange.
  • Recovery would violate home country law where that law was adopted prior to November 28, 2022.
  • Recovery would likely cause an otherwise tax-qualified retirement plan, under which benefits are broadly available to employees of the registrant, to fail to meet the requirements of 26 U.S.C. 401(a)(13) or 26 U.S.C. 411(a) and regulations thereunder.

Proposed Section 802.01F(a) would provide that in any case where the Exchange determines that a listed issuer has not recovered erroneously-awarded compensation as required by its Recovery Policy reasonably promptly after such obligation is incurred, trading in all listed securities of such listed issuer would be immediately suspended and the Exchange would immediately commence delisting procedures with respect to all such listed securities. Rule 10D-1 does not specify the time by which the issuer must complete the recovery of excess incentive-based compensation; the NYSE would, however, determine whether the steps an issuer is taking constitute compliance with its compensation Recovery Policy.

Nasdaq

As required by Rule 10D-1, Nasdaq proposes to adopt Listing Rule 5608, titled recovery of erroneously awarded compensation.

Under the proposed Rule, listed companies will be required to recover the amount of incentive-based compensation received by an executive officer that exceeds the amount the executive officer would have received had the incentive-based compensation been determined based on the accounting restatement. Incentive-based compensation is deemed received in the fiscal period during which the financial reporting measure specified in the incentive-based compensation award is attained, even if the grant or payment of the incentive-based compensation occurs after the end of that period. For incentive-based compensation based on stock price or total shareholder return, companies can use a reasonable estimate of the effect of the restatement on the applicable measure to determine the amount to be recovered.

Nasdaq defines “executive officer” in a manner similar to the NYSE proposal.

Equity awards that vest exclusively upon completion of a specified employment period, without any performance condition, and bonus awards that are discretionary or based on subjective goals or goals unrelated to financial reporting measures, do not constitute incentive-based compensation.

Nasdaq proposes to provide that a company is required to recover compensation in compliance with its recovery policy, except to the extent that pursuit of recovery would be impracticable in a manner similar to the NYSE proposal. Before concluding that pursuit is impracticable, a company must first make a reasonable attempt to recover the incentive-based compensation and provide that documentation to Nasdaq.

Nasdaq proposes to require that a company will be subject to delisting if it does not adopt a compensation recovery policy that complies with the applicable listing standard, disclose the policy in accordance with Commission rules or comply with the policy’s recovery provisions. Rule 10D-1 requires that a listed company recover the amount of erroneously awarded incentive-based compensation reasonably promptly, but does not specify the time by which the issuer must complete the recovery of excess incentive-based compensation; rather, Nasdaq would determine whether the steps an issuer is taking constitute compliance with its compensation recovery policy. The issuer’s obligation to recover erroneously awarded incentive-based compensation reasonably promptly will be assessed on a holistic basis with respect to each such accounting restatement prepared by the issuer. In evaluating whether an issuer is recovering erroneously awarded incentive-based compensation reasonably promptly, the Exchange will consider whether the issuer is pursuing an appropriate balance of cost and speed in determining the appropriate means to seek recovery, and whether the issuer is securing recovery through means that are appropriate based on the particular facts and circumstances of each executive officer that owes a recoverable amount.