Considerations for Preparing Your 2023 Form 10-K

December 1, 2023

Click for PDF

An annual update of observations on new developments and highlights of considerations for calendar-year filers preparing Annual Reports on Form 10-K.

Each year we offer our observations on new developments and highlight select considerations for calendar-year filers as they prepare their Annual Reports on Form 10-K. This alert touches upon recent rulemaking from the U.S. Securities and Exchange Commission (“SEC”), comment letters issued by the staff of the SEC’s Division of Corporation Finance (the “Staff”), and trends among reporting companies that have emerged throughout the last year.

An index of the topics described in this alert is provided below.

I. New Disclosure Requirements for 2023
A. Update on Repurchase Rule
B. Cybersecurity Risk Management, Strategy, and Governance Disclosures
1. Risk Management and Strategy
2. Governance
C. Rule 10b5-1 Plan Disclosures for Section 16 Officers and Directors
D. Compensation Clawback Disclosures
II. Disclosure Trends and Considerations
A. Climate Change
B. Human Capital
C. Generative Artificial Intelligence
D. Geopolitical Conflict
E. Potential Government Shutdown
F. Inflation and Interest Rate Concerns
III. SEC Comment Letter Trends
IV. Other Reminders and Considerations
A. Disclosure Controls and Procedures
B. Characterization of Legal Proceedings
D. Filing Requirement for “Glossy” Annual Report
E. Cover Page XBRL Disclosures

I. New Disclosure Requirements for 2023

Throughout 2023, the SEC has maintained the rapid pace of rulemaking we have seen since Chair Gary Gensler took office in 2021. New disclosure requirements that, for calendar year-end companies, will begin to apply for the first time with the 2023 Form 10-K consist of:

  • Cybersecurity risk management, strategy, and governance disclosures, which will be included under “Item 1C. Cybersecurity,” a new caption under Part I; and
  • Compensation clawback-related disclosures, which involve a new Exhibit 97, two new checkbox disclosures on the Form 10-K cover page, and disclosure in Part III, “Item 11. Executive Compensation,” which most companies will forward-incorporate by reference to their upcoming proxy statements.

Beginning with the 2024 Form 10-K next year, all of the new cybersecurity disclosure requirements will need to be tagged in Inline XBRL (“iXBRL”).

Rules that would have required new disclosures around company share repurchases and company Rule 10b5-1 plans were challenged in litigation and therefore appear unlikely to apply to companies’ 2023 Forms 10-K.

Set forth below are discussions of each of the new disclosure requirements.

A.    Update on Repurchase Rule

On November 22, 2023, the SEC announced[1] that it had issued an order indefinitely postponing the effectiveness of the Share Repurchase Disclosure Modernization rule (the “Repurchase Rule”), pending further SEC action. At the same time, the SEC asked the Fifth Circuit for additional time to respond to the court’s order, discussed below, requiring the SEC to correct deficiencies in the Repurchase Rule by November 30, 2023. The petitioners in the lawsuit that had challenged the Repurchase Rule opposed the SEC’s motion and requested instead vacatur of the Repurchase Rule. The court denied the SEC’s motion on November 26, 2023. We will provide further updates on the Repurchase Rule in the Gibson Dunn Securities Regulation Monitor.[2]

The Repurchase Rule, discussed in our client alert here[3], requires companies to: (i) disclose daily company share repurchase data in a new table filed as an exhibit to reports on Form 10-Q and Form 10-K, (ii) provide narrative disclosure in those filings about the company’s share repurchase program, including its objectives and rationale, and referencing the particular repurchases that correspond to that narrative, (iii) indicate by a checkbox whether any executives or directors traded in the company’s equity securities within four business days before or after the public announcement of the repurchase plan or program or the announcement of an increase of an existing share repurchase plan or program, and (iv) provide quarterly disclosure regarding the company’s adoption or termination of any Rule 10b5-1 trading arrangements. The Repurchase Rule was scheduled to go into effect beginning with the Form 10‑K or Form 10-Q filed for the first full fiscal quarter beginning on or after October 1, 2023, meaning that for calendar year-end companies, these disclosure requirements would have applied to the 2023 Form 10-K. While the Repurchase Rule is stayed, the pre-existing share repurchase disclosure rules, requiring information on share repurchase programs and quarterly repurchase disclosures presented on an aggregated, monthly basis, remain in effect. In addition, as discussed in Section I.C below, companies must continue to satisfy the Rule 10b5-1 plan disclosure requirements for Section 16 officers and directors.

B.    Cybersecurity Risk Management, Strategy, and Governance Disclosures

On July 26, 2023, the SEC adopted a suite of new cybersecurity disclosure requirements, which we discussed in our client alert available here.[4]  In addition to the incident disclosure requirements on Form 8-K, the final rule includes a number of new disclosure items on Form 10-K regarding cybersecurity risk management, strategy, and governance under new Item 106 of Regulation S-K.  Companies are required to comply with these disclosure requirements beginning with the Form 10-K for the first fiscal year ending on or after December 15, 2023, which for calendar year-end companies is the 2023 Form 10-K.

1.     Risk Management and Strategy

Under new Item 106, companies are required to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.  The definitions of cybersecurity incident and cybersecurity threat extend to all information systems a company uses, not just those the company itself owns.  In providing such disclosure, a company should address, as applicable, the following non-exclusive list of disclosure items:

  • Whether and how any such processes have been integrated into the company’s overall risk management system or processes;
  • Whether the company engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
  • Whether the company has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.

Companies must also describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations, or financial condition and if so, how.

While discussing the board’s role in company-wide risk oversight is familiar for public companies, this new requirement goes further and requires that companies delve more deeply into the company’s efforts to assess, identify and manage this one particular area of risk.  As such, compliance with the rules will require coordination with personnel responsible for day-to-day cybersecurity risk management.

2.     Governance

Companies must describe the board of directors’ oversight of risks from cybersecurity threats.  If applicable, companies must identify any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and describe the processes by which the board or such committee is informed about such risks.  In addition, companies must describe management’s role in assessing and managing the company’s material risks from cybersecurity threats, with such disclosure addressing, as applicable, the following non-exclusive list of disclosure items:

  • Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
  • The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
  • Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.

With respect to management’s expertise, the instructions to Item 106 provide that it may include “[p]rior work experience in cybersecurity; any relevant degrees or certifications; any knowledge, skills, or other background in cybersecurity.”  Interestingly, with this requirement, the SEC is seeking a level of detail regarding cybersecurity executives’ backgrounds that is not even required for chief executive officers or chief financial officers.  Companies will need to think through how much detail is “necessary to fully describe the nature of the expertise” of its chief information security officer or other cybersecurity personnel.

As noted by the SEC, many companies currently address cybersecurity risks and incidents in the risk factor sections of their filings, and risk oversight and governance are often addressed in companies’ proxy statements.  However, the new rule requires disclosures to appear in a newly designated Item 1C in Part I of the Form 10-K and does not allow the disclosures to be incorporated from the proxy statement.  Companies should review their risk factor and proxy statement disclosures when drafting the new discussions of cybersecurity risk management, strategy, and governance in order to maintain consistency with the company’s past public statements regarding its cybersecurity risks governance and processes and to assess how those disclosures may be conformed or enhanced going forward.  We expect companies will continue to include disclosure of cybersecurity governance in their proxy statements, and therefore should confirm that they are using terminology consistently across the documents and should consider whether any details disclosed under the new requirements should be repeated in the proxy statement disclosure.

Companies should note that, beginning with the Form 10-K next year (2024 for calendar year-end companies), all of the new disclosure requirements will need to be tagged in iXBRL (block text tagging for narrative disclosures and detail tagging for quantitative amounts).

C.    Rule 10b5-1 Plan Disclosures for Section 16 Officers and Directors

On December 14, 2022, the SEC adopted a final rule introducing disclosure requirements with respect to the adoption or termination of Rule 10b5-1 plans by Section 16 officers and directors, which we discussed in more detail in our client alert available here.[6]  In Form 10-K and Form 10-Q, companies must disclose whether any Section 16 officer or director adopted or terminated a Rule 10b5-1 plan or a “non-Rule 10b5-1 trading arrangement” during the prior quarter.  Amended Rule 10b5-1 now specifically states that any modification or amendment to an existing trading plan to change the amount, price, or timing of the purchase or sale of the securities underlying the plan would be deemed termination of a plan and entry into a new plan, and would therefore trigger disclosure in the Form 10-K or Form 10-Q covering the quarter in which the plan was modified or amended.  For all companies but smaller reporting companies (“SRCs”), the requirement became effective with the filing covering the first full fiscal quarter that began on or after April 1, 2023.  SRCs are required to comply with the requirement beginning with the filing covering the first full fiscal quarter beginning on or after October 1, 2023, which for calendar year-end SRCs is the 2023 Form 10‑K. As noted above, the Repurchase Rule would have required disclosure of the same type of information regarding companies’ adoption or termination of Rule 10b5-1 plans, but the requirement has not taken effect.

For each trading arrangement that is adopted or terminated, the disclosure must identify whether the trading arrangement is a Rule 10b5-1 plan or a non-Rule 10b5-1 trading arrangement, and provide a brief description of the material terms (other than price), including (i) the name and title of the director or officer; (ii) the date of adoption or termination of the trading arrangement; (iii) the duration of the trading arrangement; and (iv) the aggregate number of securities to be sold or purchased under the trading arrangement (including pursuant to the exercise of any options).

As discussed in our previous post, the form of this disclosure is not prescribed by the final rule.[7]  While the vast majority of companies we surveyed have provided narrative disclosure in response to the requirement, a minority have provided tabular disclosure instead.  For an example of this narrative disclosure, please see our prior post regarding the new insider trading rules.[8]

While companies have taken a varied approach to this disclosure when no Section 16 officers or directors have adopted or terminated Rule 10b5-1 plans during the quarter, we note that the majority of companies we surveyed have chosen to include narrative disclosure that states there have been no such adoptions or terminations (e.g., “During the quarter ended [date], no director or officer (as defined in Rule 16a-1(f) under the Exchange Act) of the Company adopted or terminated any Rule 10b5-1 trading arrangements or non-Rule 10b5-1 trading arrangements (in each case, as defined in Item 408(a) of Regulation S-K).”).  Another approach some companies have taken is to simply state “None” under the applicable Item, and a small minority of the companies elected to make no disclosure and to omit the relevant Item from the periodic filing altogether (which is permissible under the instructions to Part II of Form 10-Q, but not permissible in the Form 10-K).

D.    Compensation Clawback Disclosures

On October 26, 2022, the SEC adopted final rules that require listed companies to implement policies for recovery (i.e., “clawback”) of erroneously awarded incentive compensation.[9]  In addition to disclosures related to the application of the clawback policies, which for most companies will be included in the proxy statement,[10] there are two disclosure components specific to the Form 10-K that companies must comply with beginning with any Form 10-K filed on or after December 1, 2023, the date by which companies must have adopted the clawback policies.  The first component is the addition of two new checkboxes to the Form 10-K cover page, which requires companies to indicate whether (i) the financial statements included in the filing reflect the correction of an error to previously issued financial statements and (ii) any such corrections are restatements that required a recovery analysis pursuant to Rule 10D-1(b).  We expect a number of interpretive questions to arise with respect to the applicability of the checkboxes in various contexts.  For example, the Staff has informally confirmed that the first checkbox would not need to be checked if the annual financial statements included in the Form 10-K reflect the correction of a material error to interim financial statements and where that error only affected the interim periods (but not any annual periods).[11]However, the first box may need to be checked if the 10-K reflects even an immaterial correction to previously issued annual financial statements. The second checkbox only needs to be checked for material error corrections (i.e., a “little r” restatement or “Big R” restatement) that triggered a clawback recovery analysis.  The second component is the requirement for companies to file their clawback policy as Exhibit 97 to the Form 10-K.

II.   Disclosure Trends and Considerations

A.    Climate Change

The landscape of climate change disclosure requirements continues to evolve with the adoption of the Corporate Sustainability Reporting Directive (“CSRD”) by the European Council in November 2022, which impacts both EU and U.S. companies, and three new laws in California, which impact both public and private companies doing business or operating in California.[12]  Final SEC rules on climate-related disclosure are still pending,[13] but the SEC has continued to issue Form 10-K comment letters regarding companies’ climate-related disclosures under existing requirements.

For companies reviewing their existing climate-related disclosures in their Form 10-K, a few items to consider in light of Staff comments made since the issuance of the SEC’s sample comment letter related to climate change disclosure that it issued in 2021[14] include:

  • Tailor climate-related disclosures to the company’s business and financial condition, rather than generic discussions on climate change. For example, the Staff may ask a company to provide specific disclosure, if material, as to the impact on the company’s business of climate change risks disclosed in the risk factor section.  Overly broad statements may also inadvertently create future reporting obligations as legislation, such as California’s Assembly Bill No. 1305, begins to tie disclosure requirements to the making of certain sustainability-related claims.
  • Consider whether certain climate-related matters should be disclosed not only qualitatively, but also quantitatively. For example, if climate-related capital projects have become a significant portion of overall capital expenditures spending, the comment letters indicate that quantitative disclosure may be warranted.
  • For any climate-related disclosure included in the Form 10-K, take steps to adequately substantiate those disclosures. This involves, among other things, assessing the methodology and assumptions underlying climate-related disclosures.  Companies should be mindful that disclosures made today can carry liability for years to come and give sufficient attention to these disclosures now to avoid liability down the road.  Frameworks such as COSO’s “Achieving Effective Internal Control Over Sustainability Reporting” and related guidance can be helpful when building or expanding ESG-related internal controls.
  • As part of the disclosure controls and procedures for the 2023 Form 10-K filing, review the company’s publicly disclosed ESG materials, such as the company’s sustainability report, to determine whether any of the information is or may become material under federal securities laws. Based on Staff comments, the Staff has gone outside a company’s SEC filings to review ESG-related statements made elsewhere and ask what consideration was given to including such disclosures in the Form 10-K.  To the extent information disclosed in sustainability reports is not material for purposes of SEC rules (often, it is not), appropriate disclaimers to that effect should be provided as we previously advised in our prior client alert, “Considerations for Climate Change Disclosures in SEC Reports.”[15]

B.    Human Capital

Since 2021, companies have been required to include in their Form 10-K[16] a description of the company’s human capital resources, to the extent material to an understanding of the business taken as a whole, including the number of persons employed by the company and any human capital measures or objectives that the company focuses on in managing the business (such as, depending on the nature of the company’s business and workforce, measures or objectives that address the development, attraction and retention of personnel).

The rule adopted by the SEC did not define “human capital” or elaborate on the expected content of the disclosures beyond the few examples provided in the rule text.  This principles-based approach has resulted in significant variation among companies’ disclosures.  With three years of human capital disclosure now available, we recently conducted a survey of the substance and form of human capital disclosures made by the S&P 100 in their Forms 10-K for their three most recently completed fiscal years.  While company disclosures continued to vary widely, we saw companies continuing to tailor the length of their disclosure and the range of topics covered and also noted a slight increase in the amount of quantitative information provided in some areas.  For a more detailed summary of our findings from this survey, which looked at eight primary categories of human capital disclosure, please see our prior client alert, “Form 10-K Human Capital Disclosures Continue to Evolve.”[17]

While we anticipate that human capital disclosure will continue to evolve under the existing principles-based requirements, the SEC is expected to propose more prescriptive rules that could significantly change the landscape.  At its meeting on September 21, 2023, the SEC’s Investor Advisory Committee approved subcommittee recommendations to expand required human capital management disclosures, which include prescriptive disclosure requirements (such as headcount of full-time versus part-time and contingent workers, turnover metrics, the total cost of the issuer’s workforce broken down into components of compensation, and demographic data of diversity across gender, race/ethnicity, age, disability, and/or other categories) as well as narrative disclosure in management’s discussion and analysis of how the company’s “labor practices, compensation incentives, and staffing fit within the broader firm strategy.”[18]

C.    Generative Artificial Intelligence

Recent developments in artificial intelligence (“AI”), including generative AI, may accelerate or exacerbate potential risks related to technological developments.  Companies should consider ways in which the company’s strategy, productivity, market competition and demand for the company’s products, investments and the company’s reputation, as well as legal and regulatory risks could be affected by AI.  Companies should also consider any impacts related to cybersecurity and social or ethical challenges.  These updates may affect existing risk factors or merit a new standalone risk factor or mention in the forward-looking statement disclaimer, depending on the importance of AI to the company’s business.  Further consideration should be given to discussing AI in the business section and trends section of the MD&A, as applicable.

D.    Geopolitical Conflict

Public companies need to consider the recent and evolving developments in the Middle East in their Form 10-K, including as to whether risks associated with these developments are adequately discussed in the risk factors, as well as their direct and indirect impacts on their operations and financial condition.  While the SEC has not published specific disclosure guidance related to the Middle East, the Staff’s “Sample Comment Letter Regarding Disclosures Pertaining to Russia’s Invasion of Ukraine and Related Supply Chain Issues”[19] may provide guidance as to the types of disclosure that may be necessary.  Companies should consider whether disclosure should be provided, to the extent material, regarding any material impacts or risks related to (i) direct or indirect exposure due to operations or investments in affected countries, securities trading in affected countries, sanctions imposed or legal or regulatory uncertainty associated with operating in or existing in the Middle East, (ii) direct or indirect reliance on goods or services sourced in the Middle East, (iii) actual or potential disruptions in the company’s supply chain, or (iv) business relationships, connections to, or assets in the Middle East.

Companies should undertake similar disclosure analyses to determine whether direct or indirect impacts of or material risks from the continued conflict between Russia and Ukraine or emerging geopolitical conflicts, such as rising tensions between China and Taiwan and China and the United States, should be discussed in any sections of the upcoming Form 10-K.  Companies with operations in the People’s Republic of China should review the Division of Corporation Finance’s recent sample comment letter[20] highlighting three focus areas for periodic disclosures related to China-specific matters, including those arising from the Holding Foreign Companies Accountable Act (the “HFCAA”), the Uyghur Forced Labor Prevention Act, and specific government-related operational risks.  In addition to posing questions regarding HFCAA disclosures, the sample letter includes comments directed at risk factors and MD&A disclosure.

E.    Potential Government Shutdown

Companies should continue to monitor the potential for a shutdown of the U.S. federal government and consider whether any looming prospect of a shutdown poses new risks for the business.  In particular, companies trading in U.S. government securities or other securities with values derived from U.S. government securities should revisit any risk factors or other disclosures related to potential default by the federal government, including discussing any material losses in MD&A or elsewhere.  As noted in the SEC Division of Corporation Finance’s announcement in September regarding the anticipated impacts of a potential government shutdown, EDGAR will continue to accept filings during a shutdown, so filing Forms 10-K should not be affected.[21]

F.    Inflation and Interest Rate Concerns

With the rise of inflation and relatively high interest rates, companies should consider whether their disclosures regarding inflation impacts and risks as well as recent rate increases and uncertainty regarding future rate changes are adequately discussed.  Depending on the effect on a company’s operations and financial condition, additional disclosure of risk factors, MD&A, or the financial statements may be necessary.

In recent comment letters relating to inflation, the Staff has focused on how current inflationary pressures have materially impacted a company’s operations, including by pointing to statements regarding inflation made in a company’s earnings materials, and sought disclosure on any mitigation efforts implemented with respect to inflation.  If inflation is identified as a significant risk, the Staff asked companies to quantify, where possible, the principal factors contributing to inflationary pressures and the extent to which revenues, expenses, profits, and capital resources were impacted by inflation.

In recent comment letters relating to interest rates, the Staff has asked companies to expand their discussion of rising interest rates in the Risk Factors and MD&A sections to specifically identify the actual impact of recent rate increases on the business’s operations and how the business has been affected.

It is also critical that companies confirm that their disclosures in “Item 7A. Quantitative and Qualitative Disclosures About Market Risk” are up-to-date and responsive to the requirements of Item 305 of Regulation S-K.

III.  SEC Comment Letter Trends

In 2023, comment letters from the SEC Staff continued an emphasis on addressing disclosures in management’s discussion and analysis (“MD&A”) as well as the use of non-GAAP measures.  In addition, although the SEC’s proposed climate change rules are still in flux, in 2023, the Staff continued to issue comment letters regarding companies’ climate-related disclosures under the current disclosure regime, continuing the trend that started in the fall of 2021.

A.    Management’s Discussion and Analysis

Many of the comment letters addressing MD&A focused on disclosures relating to results of operations, with the Staff often requesting that registrants explain related disclosures with more specificity.  The Staff has focused on disclosures regarding material period-to-period changes in quantitative and qualitative terms as prescribed by Item 303(b) of Regulation S-K.  For example, the Staff has commented on disclosures about factors contributing to gross profit and revenue, to request that registrants provide both quantitative detail regarding the extent to which certain factors have impacted gross profit, as well as qualitative factors like which factors contribute to certain business sectors having a greater effect on gross product.  The Staff has also requested that registrants make disclosures about known trends and uncertainties affecting their results of operations.  Another area that the Staff has focused on is ensuring that key performance indicators (“KPIs”) are properly contextualized so that they are not misleading.  The Staff has, in certain circumstances, requested that registrants provide additional disclosures about why KPIs are useful to investors, how they are used by management, and if there are any estimates or assumptions being used to calculate the various metrics.  The Staff has also often asked registrants to quantify and provide additional disclosure regarding significant components of financial condition and results of operations that have affected segment results.  Two other key areas of MD&A that the Staff focused on were critical accounting estimates and liquidity and capital resources.  The Staff frequently noted that registrants’ disclosures regarding critical accounting estimates were too general, and requested that registrants provide a more robust analysis, consistent with the requirement now set forth in Item 303(b)(3) of Reg S-K.  The Staff indicated that these disclosures should supplement, not duplicate, the disclosures in footnotes to financial statements.

B.    Non-GAAP Financial Measures

The Staff expressed concerns regarding the improper use of non-GAAP measures in filings and issued several comments aligned with the Compliance and Disclosure Interpretations (“C&DIs”) released last December.  Comments related to the latest C&DIs included a focus on whether operating expenses are “normal” or “recurring” (and therefore, whether exclusion from non-GAAP financial measures might be misleading).  The Staff has also asked registrants about whether certain non-GAAP adjustments to revenue or expenses have made the adjustments “individually tailored.”  In addition to a focus on the topics covered under the C&DIs, the Staff focused on a number of other matters relating to compliance with Item 10(e) of Regulation S-K, including prominence of non-GAAP measures, reconciliations, usefulness and purpose of particular measures, the exclusion of normal, recurring cash operating expenses (Non-GAAP C&DI 100.01), and the use of individually tailored accounting principles (Non-GAAP C&DI 100.04).

C.    Segment Reporting

The Staff has also commented on a number of segment reporting disclosures.  Examples of common comments include whether a registrant’s operating segments are properly categorized and the reasoning behind the aggregation of similar segments (and the factors used to identify different segments).  Of particular note, the SEC has taken issue with registrations disclosing multiple measures of segment profit or loss in the notes to the financial statements and has indicated that registrants should not attempt to circumvent non-GAAP requirements when taking this approach.

D.    Climate-Related Disclosures

As discussed in Part II.A above, climate-related disclosures continue to be a focus of the Staff.  The Staff has often issued multiple rounds of letters on these types of disclosures, particularly when the initial response asserts that a category of climate-related disclosures is not material to its business (with the Staff frequently requesting the registrant to quantify the effects or costs or provide a materiality analysis).

IV.  Other Reminders and Considerations

A.    Disclosure Controls and Procedures

In light of the new cybersecurity disclosure rules and the end of the year for calendar companies, now is a good time for companies to take an opportunity to review their disclosure controls and procedures, which are intended to help companies collect pertinent information for review for purposes of their public disclosure obligations.  The SEC has demonstrated a willingness to bring enforcement action on disclosure controls as they relate to issues it sees as priorities, including recent hot-button topics such as cybersecurity and workplace misconduct.

SolarWinds (Cybersecurity)

In October 2023, the SEC brought charges against SolarWinds Corporation, a software company, and its Chief Information Security Officer (the “CISO”) in connection with the cyberattack more commonly known as “SUNBURST,” which occurred in December 2020.  Notably, this is the first time the SEC has brought a cybersecurity enforcement action against an individual.  The SEC alleged that SolarWinds and the CISO made materially misleading statements and omissions about the company’s cybersecurity practices and risks in disclosures made on the company’s website and in public filings, which the SEC claims ultimately led to a drop in the company’s stock price following the subsequent disclosure of the SUNBURST cyberattack.  Specifically, the complaint alleges that SolarWinds made a number of false statements relating to: (1) compliance with the National Institute of Standards and Technology (NIST) Cybersecurity Framework; (2) using a secure development lifecycle when creating software for customers; (3) having strong password protection; and (4) maintaining good access controls.

The SEC’s complaint also states that SolarWinds had deficient disclosure controls, alleging that at the time the company was touting its cybersecurity practices in its public disclosures, the CISO and other employees knew that the company had serious cybersecurity deficiencies, with internal documents “describ[ing] numerous known material cybersecurity risks, control issues, and vulnerabilities.”  In doing so, the company was concealing from the public known poor cybersecurity practices that were ultimately exploited during the SUNBURST cyberattack.  The complaint seeks permanent injunctive relief, disgorgement of profits, civil penalties, and an officer and director bar against the CISO.

The SEC’s actions in SolarWinds should be viewed in light of the new incident disclosure requirements on Form 8-K and recent prior enforcement cases (Pearson PLC 2021 and First American Financial Corporation in 2019).  In these recent enforcement cases, the SEC focused on the importance of carefully assessing the materiality of a cyber incident and found incidents to be material even when there was not an adverse impact on the companies’ businesses.

Activision Blizzard (Workplace Misconduct)

Early in 2023, the SEC charged Activision Blizzard Inc., a video game development and publishing company (recently acquired by Microsoft Corporation) (“Activision Blizzard”), with a failure to maintain disclosure controls.  Specifically, the SEC alleged that Activision Blizzard “lacked controls and procedures designed to ensure that information related to employee complaints of workplace misconduct would be communicated to [company] disclosure personnel to allow for timely assessment on its disclosures.”  The SEC’s order stated that management “lack[ed] sufficient information to understand the volume and substance of employee complaints of workplace misconduct,” and therefore “management was unable to assess related risks to the company’s business, whether material issues existed that warranted disclosure to investors, or whether the disclosures it made to investors in connection with these risks were fulsome and accurate.”  Activision Blizzard agreed to a cease-and-desist order and to pay a $35 million penalty to settle the charges.

DXC Technology (Non-GAAP Financial Measures)

In March 2023, the SEC settled charges against DXC Technology Company, an IT services company, for making misleading disclosures about its non-GAAP financial performance in multiple reporting periods from 2018 until 2020.  Specifically, the SEC alleged that the company materially increased its non-GAAP earnings by negligently misclassifying tens of millions of dollars of expenses as transaction, separation and integration-related (“TSI”) costs and improperly excluding these expenses as non-GAAP adjustments.  The SEC noted that “[t]he absence of a non-GAAP policy and specific disclosure controls and procedures caused employees within the [company] to make subjective determinations about whether expenses were related to an actual or contemplated transaction, regardless of whether the costs were actually consistent with the description of the adjustment included in the company’s public disclosures.”  The order went on to explain that the company’s controller group and disclosure committee “negligently failed to evaluate the company’s non-GAAP disclosures adequately” and even failed to recognize that for years the company did not have a non-GAAP policy and adequate disclosure controls and procedures in place.  Ultimately, the company’s negligence led to misstating the nature and scope of its TSI costs resulting in materially misleading statements.  The company agreed to pay an $8 million penalty and to undertake to develop and implement appropriate non-GAAP policies and disclosure controls and procedures.

Charter Communications Inc. (Internal Accounting Controls)

In November 2023, the SEC charged Charter Communications Inc., a telecommunications company, for failure to establish internal accounting controls to provide reasonable assurances that its trading plans were conducted in accordance with the board of directors’ authorization, which required the use of trading plans in conformity with Rule 10b5-1.  Under Rule 10b5-1, a trading plan intended to satisfy the rule may not permit the person who entered into the plan to exercise any subsequent influence over how, when, or whether to effect transactions under the plan.  According to the SEC order in Charter Communications, many of the company’s trading plans contained “accordion” provisions allowing for increases to the amount of share repurchases if the company opted to conduct certain debt offerings.  The SEC asserted that, since these debt offerings were available at the company’s discretion, this feature effectively gave the company the ability to increase trading activity after adoption of its trading plans—in violation of Rule 10b5-1 and, as a result, inconsistent with the board’s authorization.  The SEC order explained that “the company did not have reasonably designed controls to analyze whether the discretionary element of the accordion provisions was consistent with the [b]oard’s authorizations” and Charter ultimately paid $25 million to settle the claims.[22]

In light of these recent enforcement actions, it is important for companies to regularly review their disclosure controls and procedures to identify and stay apprised of key risks that are relevant to the company.

B.    Characterization of Legal Proceedings

Public companies often characterize legal proceedings in their securities filings as “without merit.”  However, companies may want to reconsider relying on this boilerplate phrase in their legal proceedings disclosures following a decision in the fall of 2023 from the United States District Court for the District of Massachusetts.

In City of Fort Lauderdale Police and Firefighters’ Retirement System v. Pegasystems Inc.,[23] plaintiff shareholders initiated a class action against Pegasystems Inc. (“Pegasystems”) after it was ordered to pay over $2 billion in damages in a prior lawsuit regarding trade secret misappropriation.  Although it did not initially disclose the trade secret matter in its securities filings when the lawsuit was first initiated in May 2020, Pegasystems eventually disclosed the matter in its Form 10-K in February 2022 stating its belief that “the claims brought against the defendants are without merit,” it had “strong defenses to these claims,” and “any alleged damages claimed by Appian are not supported by the necessary legal standard.”  Pegasystems’ stock price dropped by about 16% the following day and, in May 2022, the jury returned a unanimous verdict in favor of the plaintiff in the trade secret matter.

In the subsequent class action, plaintiff shareholders alleged that Pegasystems made a number of false statements and falsely reassured investors that the claims in the trade secret matter were “without merit,” in light of the fact that its CEO was allegedly aware of the corporate espionage campaign.  The court found that this was an actionable opinion statement explaining that “a reasonable investor could justifiably have understood [the CEO]’s message that [the trade secret] claims were ‘without merit’ as a denial of the facts underlying [the] claims—as opposed to a mere statement that Pega[systems] had legal defenses against those claims.”  The court went on to say that Pegasystems was not required to admit any wrongdoing in its disclosure and that “[a]n issuer may legitimately oppose a claim against it, even when it possesses subjective knowledge that the facts underlying the claims against it are true.  When it decides to do so, however, it must do so with exceptional care, so as not to mislead investors.  For example, an issuer may validly assert its intention to oppose the lawsuit. . . .  It also may state that it has ‘substantial defenses’ against it, if it reasonably believes that to be true. . . .  An issuer may not, however, ‘make misleading substantive declarations regarding its beliefs about the merits of the litigation.’”

The court’s decision provides a cautionary tale against using boilerplate disclosure language when describing a company’s litigation matters, particularly where those disclosures are contradictory to the actual prospect of an adverse result.  Going forward, companies should avoid relying on boilerplate language such as “without merit” to describe claims in a lawsuit; often times, there is at least some merit to litigation even if a defendant has a strong legal defense.  Instead, statements like “we intend to contest this matter vigorously” or “we have substantial defenses” (if supportable) might be appropriate alternatives.  Counsel for companies should carefully evaluate their legal proceedings disclosures—even for those matters that have previously been disclosed—and consider seeking input from management in assessing any allegations asserted against the company.

C.    EDGAR Next

On September 13, 2023, the SEC proposed amendments to Rules 10 and 11 of Regulation S-T and Form ID regarding potential technical changes to EDGAR filer access and account management (referred to by the SEC as “EDGAR Next”).  EDGAR Next would require filers to authorize designated account administrators to manage the filers’ accounts and make filings on the filers’ behalf and would require these account administrators and any other authorized users to have their own individual account credentials to access EDGAR Next.  For details on the proposed amendments, see our prior post on this topic.[24]

In connection with the proposed amendments, the SEC opened a public beta environment that is available until March 15, 2024 for filers to test and provide feedback on the technical functionality of the changes contemplated by EDGAR Next.  Details regarding how to access the EDGAR Next beta environment and related resources are available at the SEC’s dedicated EDGAR Next website.[25]

D.    Filing Requirement for “Glossy” Annual Report

As discussed in last year’s alert, in June 2022 the SEC adopted amendments requiring that annual reports sent to shareholders pursuant to Exchange Act Rule 14a-3(c), otherwise known as “glossy” annual reports, must also be submitted to the SEC in the electronic format in accordance with the EDGAR Filer Manual.  These annual reports will be in PDF format, and filed using EDGAR Form Type ARS.  In its final rule, the SEC noted that electronic submissions in PDF format of the glossy annual report should capture the graphics, styles of presentation, and prominence of disclosures (including text size, placement, color, and offset, as applicable) contained in the reports.  As noted in our report last year, this may cause technical concerns with file sizes when filing through EDGAR, and companies should be mindful of the file size of their glossy annual report and conduct test runs in advance of filing.

E.    Cover Page XBRL Disclosures

On September 7, 2023, the SEC published a sample comment letter regarding XBRL disclosures.[26]  Contained in this sample comment letter was a comment regarding how common shares outstanding are reported on the cover page as compared to on the company’s balance sheet.  The sample comment addresses instances in which companies “present the same data using different scales (presenting the whole amount in one instance and the same amount in thousands in the second).”  Companies thus should consider presenting their outstanding share data consistently throughout their Form 10-K.

*          *          *          *          *

The 2023 Form 10-K will require a number of new disclosures for the first time.  Companies should start drafting their disclosures earlier rather than later, particularly where disclosures will require coordination with a number of teams, such as with the new cybersecurity disclosure requirements.

Looking ahead, there are several rules the SEC is expected to enact that have the potential to significantly impact future filings, including the highly anticipated climate disclosure rules, which have been pending since March 2022 and may require public companies to disclose their greenhouse gas emissions, those of their suppliers, and their downstream emissions.  The latest Reg Flex agenda suggested that these rules would be finalized in October 2023, though this target has moved several times.

Additionally, the Financial Accounting Standards Board (FASB) has finalized rules related to enhanced tax disclosures and segment reporting that apply starting with the 2024 10-K[27],[28] and is considering rules regarding the disaggregation of expenses[29], each of which may require a significant amount of preparation.


[1] See “Announcement Regarding Share Repurchase Disclosure Modernization Rule” (Nov. 22, 2023), available at

[2] Gibson Dunn’s Securities Regulation Monitor is a blog site that provides frequent updates on securities law and corporate governance developments and is available at

[3] For a further discussion on the share repurchase requirements, please see our prior client alert “SEC Adopts Amendments to Enhance Company Stock Repurchase Disclosure Requirements” (May 5, 2023), available at

[4] See “SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies” (July 26, 2023), available at

[6] See “SEC Adopts Amendments to Modernize Rule 10b5-1 Insider Trading Plans and Related Disclosures” (Dec. 14, 2023), available at

[7] Available at

[8] Available at

[9] See “SEC Adopts Compensation Recovery Listing Standards and Disclosure Rules” (Oct. 26, 2022), available at

[10] Item 402 of Regulation S-K now requires companies to disclose how they have applied their recovery policies.  If, during its last completed fiscal year, the company either completed a restatement that required recovery or there was an outstanding balance of excess incentive-based compensation relating to a prior restatement, the company must disclose (i) the date which the company was required to prepare each accounting restatement, the aggregate dollar amount of excess, and an analysis of how it was calculated; (ii) if the compensation is related to a stock price or TSR metric, the estimates used to determine the amount of erroneously awarded compensation; (iii) the aggregate dollar amount of excess incentive-based compensation that remained outstanding at the end of the company’s last completed fiscal year; (iv) the amount of recovery foregone under any impracticability exception used; and (v) for each current and former named executive officer, the amounts of incentive-based compensation that are subject to a clawback but remain outstanding for more than 180 days since the date the company determined the amount owed.

[11] Center for Audit Quality SEC Regulations Committee Highlights, Joint Meeting with SEC Staff (June 15, 2023), available at (Section III.D.).

[12] For background on the CSRD, see “European Union’s Corporate Sustainability Reporting Directive—What Non-EU Companies with Operations in the EU Need to Know,” Gibson Dunn (Nov. 2022), available at, and “European Corporate Sustainability Reporting Directive (CSRD): Key Takeaways from Adoption of the European Sustainability Reporting Standards,” Gibson Dunn (Aug. 2023), available at

For background on California’s recently enacted climate disclosure laws, see “California Passes Climate Disclosure Legislation,” Gibson Dunn (Sept. 2023), available at, and “UPDATE: California Governor Signs Climate Legislation Into Law, Bug Signals Changes to Come,” Gibson Dunn (Oct. 2023), available at

[13] For more information on the SEC’s proposed rules on climate-related disclosure, see “The Enhancement and Standardization of Climate-Related Disclosures for Investors,” SEC (Apr. 2022), available at, and “Summary of and Considerations Regarding the SEC’s Proposed Rules on Climate Change Disclosure,” Gibson Dunn (Apr. 2022), available at

[14] For a discussion of the 2021 and 2022 comment letters, see “SEC Staff Scrutiny of Climate Change Disclosures Has Arrived: What to Expect And How to Respond,” Gibson Dunn (Sept. 2021), available at and “Considerations for Preparing Your 2022 Form 10-K,” Gibson Dunn (Jan. 2023), available at

[15] Available at

[16] See “Modernization of Regulation S-K Items 101, 103, and 105, Release No. 33-10825” (Aug. 26, 2020), available at

[17] Available at

[18] Available at

[19] See “Sample Letter to Companies Regarding Disclosures Pertaining to Russia’s Invasion of Ukraine and Related Supply Chain Issues” (May 3, 2021), available at

[20] Available at

[21] Available at

[22] SEC Commissioners Hester Peirce and Mark Uyeda dissented from this decision.  Commissioners Peirce and Uyeda argued that this application of the rule went too far by using Section 13(b)(2)(B)(i)’s requirement that companies “devise and maintain a system of internal accounting tools” to require that Charter Communications had sufficient systems in place to answer the legal question of whether its trading plans were in compliance with Rule 10b5-1.

[23] No. CV 22-11220-WGY, 2023 WL 4706741 (D. Mass. July 24, 2023).

[24] Available at

[25] Available at

[26] Available at

[27] Available at

[28] Available at

[29] Available at

The following Gibson Dunn attorneys assisted in preparing this update: Ron Mueller, Elizabeth Ising, Mike Scanlon, Mike Titera, Julia Lapitskaya, Matthew Dolloff, David Korvin, Meghan Sherley, Victor Twu, Maggie Valachovic, and Nathan Marak.

Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these developments. To learn more about these issues, please contact the Gibson Dunn lawyer with whom you usually work in the firm’s Securities Regulation and Corporate Governance or Capital Markets practice groups, or any of the following practice leaders and members:

Securities Regulation and Corporate Governance:
Elizabeth Ising – Co-Chair, Washington, D.C. (+1 202.955.8287, [email protected])
James J. Moloney – Co-Chair, Orange County (+1 949.451.4343, [email protected])
Lori Zyskowski – Co-Chair, New York (+1 212.351.2309, [email protected])
Brian J. Lane – Washington, D.C. (+1 202.887.3646, [email protected])
Ronald O. Mueller – Washington, D.C. (+1 202.955.8671, [email protected])
Thomas J. Kim – Washington, D.C. (+1 202.887.3550, [email protected])
Michael A. Titera – Orange County (+1 949.451.4365, [email protected])
Aaron Briggs – San Francisco (+1 415.393.8297, [email protected])
Julia Lapitskaya – New York (+1 212.351.2354, [email protected])

Capital Markets:
Andrew L. Fabens – New York, NY (+1 212.351.4034, [email protected])
Hillary H. Holmes – Houston, TX (+1 346.718.6602, [email protected])
Stewart L. McDowell – San Francisco, CA (+1 415.393.8322, [email protected])
Peter W. Wardle – Los Angeles, CA (+1 213.229.7242, [email protected])

© 2023 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.