Your 2024 Form 10-K roadmap

Trading policies

In December 2022, the SEC adopted final rules amending Form 10-K to require disclosure relating to whether a company has adopted (and if not, an explanation of why not) insider trading policies and procedures governing the purchase, sale and other dispositions of the company’s securities by insiders or the company itself, and for the company to file its insider trading policy as an exhibit to Form 10-K. The insider trading policy and related disclosure requirement apply beginning with the 2024 10-K filed in 2025 for companies on the calendar year (see Items 408(b) and Item 601(b)(19) of Regulation S-K). The trading policy must be filed as exhibit 19 to Form 10-K, and the Item 408(b) disclosure in the body of the 10-K must be tagged in Inline XBRL, as further discussed below.

The insider trading policy filing and related disclosure requirement apply beginning with the 2024 10-K filed in 2025 for companies on the calendar year.

Many companies have already filed their insider trading policy over the course of this year. A company on the calendar year that will first file its trading policy in 2025 should continue to consider and/or finalize any changes to its policy, including any updates relating to quarterly blackout periods, 10b5-1 plans, treatment of gifts, pre-clearance groups and the scope of the restriction on trading in other companies’ securities. In addition, a company should consider that the Item 408(b) disclosure requirement extends to policies and procedures governing trading by the company of its own securities, including, for example, share buybacks effected by the company.

The rules adopted in 2022 also added a quarterly disclosure requirement relating to both Rule 10b5-1 and non-Rule 10b5-1 trading plans adopted, modified or terminated by directors and officers during the applicable quarterly period. Companies on the calendar year began disclosing this information in 2023, and should ensure they include the relevant disclosures for the fourth quarter of this year in their 2024 10-K.

Read our client updates SEC adopts major changes for insider transactions for further detail, as well as Stock Buybacks Under 10b5-1 Plan Draw SEC Rebuke and Is everything an accounting control violation now? for a discussion of enforcement actions relating to policies and procedures around stock buyback authorizations and controls around company 10b5-1 plans.

Option grant disclosure

The final rules the SEC adopted in December 2022 on insider transactions also addressed option grant disclosure. A company on the calendar year will first be required in 2025 to provide narrative disclosure regarding the timing of option grants and the release of material nonpublic information, or MNPI, including how the board determines when to grant options and whether and how MNPI is taken into account. Companies will also be required to provide tabular disclosure of each award of stock options, stock appreciation rights or similar awards that the company granted during the prior year to its named executive officers made in the four business days before the filing of a periodic report or reporting of MNPI on Form 8-K and ending one business day after a triggering event (see Item 402(x) of Regulation S-K). Item 402(x) disclosure must be tagged in Inline XBRL as further discussed below.

The disclosure requirement around option grants will apply for the first time for most companies in 2025 with respect to grants made in 2024. This is Part III disclosure that we expect companies will include in their proxy statement and incorporate by reference into their Form 10-K.

The disclosure requirement around option grants will apply for the first time for most companies in 2025 with respect to grants made in 2024. This is Part III disclosure that we expect companies will include in their proxy statement and incorporate by reference into their Form 10-K.

Cybersecurity

In July 2023, the SEC adopted final rules that mandate cybersecurity incident and risk management disclosures for public companies. These final rules require (1) domestic public companies to disclose on Form 8-K any material cybersecurity incident within four business days after determination of materiality (with limited exceptions) (see Item 1.05 in Form 8-K) and (2) all public companies to make annual disclosures in Form 10-K to describe the company’s (i) processes to assess, identify and manage cybersecurity risks, (ii) board oversight of such risks and (iii) management’s role and expertise in assessing and managing such risks (see Item 106 of Regulation S-K and Item 1C in Form 10-K).

SEC continues to focus on risk factors using hypothetical wording after a company has seen the risk materialize. 

In last year’s 10-K roadmap, we foreshadowed that cybersecurity disclosure was likely to be closely scrutinized by private plaintiffs and the SEC staff in the event of a material cybersecurity incident. In October 2024, the SEC announced settled actions against four current and former public companies impacted by the 2020 SolarWinds Orion software hack, relating to actions that predate the new disclosure rules. The SEC alleged that the companies made materially misleading disclosures regarding cybersecurity risks and intrusions in response to the SolarWinds hack, and that one of the companies also had deficient disclosure controls and procedures.

In addition to crafting well-supported disclosure in response to the July 2023 risk management and governance disclosure mandate, companies should bear in mind that the SEC continues to focus on risk factors using hypothetical wording after a company has seen the risk materialize. For example, a statement that highlights the risk that a company could be a victim of a cyberattack could be viewed as misleading if that company has already experienced a cyberattack, as was illustrated in a recent SEC settled order. As a result, companies should review their risk factors in light of recent experiences and consider whether updates are warranted (a takeaway that extends beyond just risks relating to cybersecurity).

Read our client updates SEC adopts cybersecurity disclosure mandates for public companies and SEC charges public companies with inadequate disclosures in aftermath of the SolarWinds cyberattack for further detail.

Clawback rule

The SEC adopted final rules in October 2022 that directed U.S. stock exchanges to adopt listing standards requiring all listed companies, including emerging growth companies, or EGCs, and smaller reporting companies, or SRCs, to adopt and comply with a written clawback policy. The NYSE and Nasdaq adopted listing standards relating to clawbacks requiring listed companies to have a compliant clawback policy by December 1, 2023 (and that policy must be filed as exhibit 97 to the Form 10-K). We have seen instances of proxy advisory firms commenting on certain companies’ now-filed clawback policies and noting they are “weak (restatement-dependent only)”. There have also been discussions on panels where proxy advisory firms have stated that they do not view Dodd-Frank-mandated policies as sufficiently “robust” for their purposes as they do not cover misconduct (among other reasons).

We believe companies should be aware of these views but tailor their response (if any) as appropriate depending on their facts and circumstances. Some companies already go beyond what Dodd-Frank requires, and others may be considering doing so (some in response to proxy advisory firm views, and others for reasons independent of those views). But there is not a one-size-fits-all approach and while it may be appropriate for some companies’ clawback policies to go beyond what Dodd-Frank requires, this may not be the case for all companies.

Form 10-K was also amended to add check boxes indicating (1) whether the company’s financial statements included in the filing reflect correction of any error to previously issued financial statements, and (2) whether any of those error corrections are restatements that required recovery analysis of incentive compensation. The 2024 10-K will mark the second year for which the requirement to check applicable check boxes relating to a correction or restatement (and include any responsive disclosure) will apply.

Read our client updates Final clawback rule adopted by SEC and NYSE and Nasdaq delay effective date of clawback rule to October 2, 2023 for more detailed information about the rule and listing standards.

Climate disclosure rules

After nearly two years and over 24,000 comment letters, in March 2024, the SEC adopted final rules for public companies that mandate significant new disclosures relating to climate-related risks, Scope 1 and Scope 2 greenhouse gas (GHG) emissions and climate-related financial metrics. The commentary in the 886-page adopting release and lively debate among SEC commissioners during the open meeting highlighted the challenges faced by the SEC, which adopted the final rules in a 3-2 vote along party lines. Legal challenges were filed soon after the rules were adopted. Only a month later in April 2024, the SEC issued an order staying the rules pending resolution of the legal challenges.

The outcome of the 2024 presidential election will significantly impact the future of these rules. President-elect Trump strongly opposes the Biden administration’s climate agenda and we expect his administration will take steps to undo these rules. Once a Trump-appointed SEC commissioner is confirmed by the Senate (resulting in a Republican-controlled SEC), we expect the SEC will commence the process of repealing the climate disclosure rules by initiating notice and comment rulemaking. We also expect the SEC to seek to maintain the administrative stay in place—or otherwise delay implementation or enforcement of the rules—until a repeal rule is finalized.

Companies should nonetheless take note of disclosure mandates adopted in the European Union that will impact U.S. companies that conduct business in the EU, as well as the recently enacted series of climate-related legislation in California. Proposals to delay compliance deadlines in the Climate Corporate Data Accountability Act and the Climate-Related Financial Risk Act failed to pass during the state’s recently concluded legislative session and as a result, in-scope companies will be required to report under those laws as early as 2026 (unless pending legal challenges succeed). Legislation amending the Voluntary Carbon Market Disclosures Act, or VCMDA, failed to get a final vote before the legislature adjourned and became effective on January 1, 2024.

The VCMDA is intended to address “greenwashing” by requiring detailed disclosure of the methodology for tracking and verifying claims made within California by entities operating within California regarding net zero, carbon neutrality or significant greenhouse gas emissions reductions, as well as disclosure regarding voluntary carbon offsets purchased, used, marketed or sold within California. The VCMDA will require any covered disclosures to be updated at least annually, and companies should consider carefully how these disclosure requirements might affect their disclosures in SEC filings, including their 10-K.

Read our client updates Amid storm of controversy, SEC adopts final climate disclosure rules for a detailed discussion of the rules, and California lawmakers fail to delay compliance deadlines in landmark climate-related disclosure laws for a discussion of California’s climate-related disclosure laws.

Amended segment-reporting standard

In November 2023, the Financial Accounting Standards Board, or FASB, issued a final Accounting Standards Update, or ASU, relating to disclosures about a public entity’s reportable segments in response to investor requests for more detailed information about a reportable segment’s expenses. Among other changes, the amendments:

• Require disclosure of significant segment expenses that are regularly provided to the chief operating decision maker, or CODM, and included within each reported measure of segment profit or loss.
• Clarify that disclosure of additional measures of a segment’s profit or loss that are used by the CODM in assessing segment performance and deciding how to allocate resources is permitted, so long as disclosure of the measure that is most consistent with GAAP is also included.
• Require disclosure of the title and position of the CODM and an explanation of how the CODM uses the reported measure(s) of segment profit or loss in assessing segment performance and deciding how to allocate resources.
• Require that a company that has a single segment provide all the disclosures required by these amendments and all existing segment disclosures required under Topic 280 (which addresses segment reporting).

The ASU applies to all public entities that are required to report segment information in accordance with Topic 280, and these public entities will be required to report segment information in accordance with the new guidance starting in annual periods beginning after December 15, 2023. FASB has posted the amendment, including a summary of the changes, on its website, and Division of Corporation Finance Director Erik Gerding recently highlighted segment disclosure (among other matters) as a focus area in a June 2024 statement on disclosure review.

Artificial intelligence

The SEC has been increasingly focused on disclosure around artificial intelligence, or AI, including “AI washing,” or making potentially false or misleading AI-related claims. And this has been reiterated in several instances and venues, including in speeches by the Chair and the directors of the Division of Enforcement and the Division of Corporation Finance. On April 15, 2024, the then-SEC Director for the Division of Enforcement gave a speech focusing on ways companies can use “proactive compliance” to avoid AI washing problems – emphasizing education on AI risk areas, engagement with relevant employees within a company and updates to policies and controls.

The SEC has been increasingly focused on disclosure around artificial intelligence, or AI, including “AI washing,” or making potentially false or misleading AI-related claims.

Director Gerding also highlighted AI in a June 2024 statement as a disclosure priority, noting that an increasing number of companies have mentioned AI in their periodic reports, often in the risk factors or business descriptions, or both, in addition to MD&A. He stated that existing rules or regulations may require disclosure about how a company uses AI and the risks related to its use (including disclosure in the business section, risk factors, MD&A and financials) and the board’s role in risk oversight.

Director Gerding indicated that the staff would consider whether a company:

• Clearly defines what it means by AI and how it could improve the company’s results of operations, financial condition and future prospects.
• Provides tailored (and not boilerplate) disclosures around AI, commensurate with how material AI is to the company, about material risks and the impact of AI on the company’s business and financial results.
• Focuses on the company’s current or proposed use of AI rather than “generic buzz” unrelated to its business.
• Has a reasonable basis for claims around AI prospects.

Companies should also consider the EU AI Act, which became effective on August 1, 2024, and update their AI-related disclosures to the extent they are impacted by this legislation.

Read our client update European Parliament approves AI Act for a discussion of the AI Act and its implications.

Commercial real estate

Director Gerding also highlighted commercial real estate, or CRE, as a new disclosure priority in his June 2024 statement. He indicated that banks and other entities with significant CRE exposure are subject to several related risks, including heightened vacancy rates, elevated interest rates, extended loan maturities and increased loan delinquencies. He encouraged companies to consider these and other risk areas in their disclosure where more granular information could be provided to improve investors’ understanding of the attendant risks and how companies are addressing them.

Discrepancy between earnings calls and periodic filings

In comment letters related to customary 10-K reviews over the past year, SEC staff focused on discrepancies between disclosure in the MD&A section and statements made in an earnings call. The SEC questioned, among other matters, why a company strategy referenced in an earnings call is not discussed in MD&A, whether metrics discussed on an earnings call are key performance indicators that also ought to be included in periodic filings, or whether a revenue stream discussed on an earnings call deriving from certain activities that do not consistently fall within a particular segment should be broken out in the notes to the financials included in periodic filings.

…when drafting MD&A or other disclosure in periodic filings, a company should consider whether the disclosure in its periodic filings, including the Form 10-K, captures material information discussed or to be discussed on earnings calls…

Given the scope of the SEC’s review process and focus on statements made by companies in earnings calls, when drafting MD&A or other disclosure in periodic filings, a company should consider whether the disclosure in its periodic filings, including the Form 10-K, captures material information discussed or to be discussed on earnings calls so that there are no material discrepancies between statements made on those calls and disclosure in SEC filings.

Non-GAAP financial measures

In December 2022, the SEC’s Division of Corporation Finance posted new and updated C&DIs on non-GAAP financial measures that companies should review, in particular if they present non-GAAP measures in their Form 10-K. Non-GAAP measures continue to feature prominently in SEC comment letters and were also referenced as an area of focus in Director Gerding’s recent statement on disclosure review. They could therefore benefit from careful review for compliance with the relevant rules and guidance.

Non-GAAP measures continue to feature prominently in SEC comment letters and were also referenced as an area of focus in Director Gerding’s recent statement on disclosure review.

As a reminder, Item 10(e) of Regulation S-K applies to Form 10-K filings. It requires:

• Presentation of the most directly comparable GAAP metric “with equal or greater prominence.”
• A quantitative reconciliation of the differences between the non-GAAP and GAAP metrics “by schedule or other clearly understandable method.”
• Explanation of the reasons management believes the non-GAAP metric provides useful information to investors.
• Explanation of the additional purposes, if any, for which management uses the non-GAAP metric.

Item 10(e) of Regulation S-K prohibits:

• Excluding any charge or liability that requires cash settlement from a non-GAAP liquidity measure, other than EBIT and EBITDA.
• Adjusting a non-GAAP performance measure to omit an item identified as “non-recurring,” “infrequent” or “unusual,” if the item is reasonably likely to recur within two years or there was a similar item in the past two years.
• Presenting a non-GAAP metric on the face of the GAAP financial statements or in the accompanying notes, or on the face of any required pro forma financial statements.
• Using titles or descriptions that are the same as, or confusingly similar to, titles or descriptions for GAAP financial measures.

SEC staff have informally indicated that the lack of “equal or greater prominence” (which generally means GAAP discussion should precede non-GAAP discussion) continues to be a top area where they identify non-compliance with the rules.

Refresh risk factors, forward-looking statements and MD&A trends

Risk factors. Companies are required to include a discussion of the material factors that make an investment in the company speculative or risky. Risks that have begun to materialize should not be described as hypothetical, as was highlighted by recent SEC enforcement actions. This means companies should take care not to say certain events “could” or “may” occur if they have already occurred. Instead, risk factors should describe how a risk has materialized and what the impact has been on the company.

The risk factors disclosure could benefit from a fresh review to ensure material risks facing the company are appropriately disclosed, including risks stemming from emerging areas like artificial intelligence discussed above (such as risks and opportunities relating to using or not using generative AI), as well as any risks facing a company from the broadening or escalation of the current conflict in the Middle East.

Forward-looking statements. Companies can gain protection from liability by taking advantage of the safe harbor for forward-looking statements. But to do so, the cautionary language relating to any forward-looking statement should identify important factors that could cause actual results to differ materially from those in the forward-looking statements and be specifically tailored to the particular forward-looking statements. General boilerplate warnings are not sufficient. Consider whether the factors identified in last year’s 10-K continue to apply (or apply in the same way), and whether others might be added.

Management’s discussion and analysis. Companies are required to describe in their MD&A any known trends or uncertainties that have had or that are reasonably likely to have a material favorable or unfavorable impact on net sales or revenues or income from continuing operations, as well as any known trends or demands, commitments, events or uncertainties that will result in or that are reasonably likely to result in the company’s liquidity increasing or decreasing in any material way and any known material trends, favorable or unfavorable, in the company’s capital resources.

Refer to our client update SEC issues disclosure guidance on key performance indicators and metrics in MD&A for a discussion of the SEC’s 2020 interpretive guidance on MD&A.

Middle East conflict

While the Division of Corporation Finance has not yet published a sample comment letter on the conflict in the Middle East, the staff has issued comments on registration statements relating to the conflict and its impact on a company’s business similar to comments it issued in relation to the impact of the war in Ukraine. If a company has any business exposure in Israel or in the Middle East more broadly, it should consider including disclosure of the potential (or actual) impact on its business and related risks stemming from the escalation or broadening of the conflict.

Russia-Ukraine conflict

In May 2022, the Division of Corporation Finance published a sample comment letter, stating that companies may have disclosure obligations under the federal securities laws related to the direct or indirect impact that Russia’s invasion of Ukraine and the international response thereto have had or may have on their business.

Since Russia’s invasion of Ukraine, many companies have experienced heightened cybersecurity risks, increased or ongoing supply chain challenges and volatility related to the trading prices of commodities (regardless of whether they have operations in Russia, Belarus, or Ukraine) that may warrant disclosure.

Inflation and interest rates

Inflation has affected and continues to affect companies in different industries. While inflationary pressures appear to have eased, current economic conditions might require additional disclosure beyond what has historically been provided in a more steady-state economic environment. Director Gerding noted in his June 2024 statement that “…this is not the time for issuers to revert to boilerplate disclosures. Any material ongoing impacts should be disclosed and we ask companies to not just note high level trends, but discuss the more particularized risks and impacts on their specific company.” Companies should consider additional disclosure in MD&A trends, or otherwise in the period-on-period discussion, focused for example on how these trends have affected results of operations, sales, profits, capital expenditures or a company’s business and pricing strategy in the face of rising costs.

In addition, the cost of borrowing continues to be high for many companies relative to what it was for several years before 2023. Companies should consider updating disclosure (particularly in risk factors and MD&A) to reflect any continuing impact they are experiencing from high interest rates and their ability to access capital markets.

China-specific disclosure

In July 2023, the Division of Corporation Finance published a sample comment letter regarding the disclosure obligations of companies based in or with a majority of their operations in the People’s Republic of China. The comment letter focuses on three areas of disclosure related to China-specific matters:

• Reminding companies of their disclosure obligations under the Holding Foreign Companies Accountable Act, or HFCAA. Public companies identified as Commission-Identified Issuers under the HFCAA must comply with the submission and disclosure requirements under the HFCAA and SEC rules for each year in which they are identified.
• Seeking more specific and prominent disclosure about material risks related to the role of the government of the People’s Republic of China in the operations of China-based companies.
• Noting that companies may need to make disclosures related to material impacts of certain statutes, such as the Uyghur Forced Labor Prevention Act.

Director Gerding reiterated in June of this year that the staff would continue to focus on these topics and to elicit disclosure from affected companies on the material risks they face from the Chinese government intervening in their operations in China.

Crypto assets disclosure

In December 2022, the Division of Corporation Finance published a sample comment letter to companies regarding crypto asset market-related disclosure obligations. The letter includes non-exhaustive sample comments the Division of Corporation Finance may issue to companies about their disclosures (or the lack thereof) generally, as well as in the business description, risk factors and MD&A sections. Companies should evaluate whether their business experienced or may be affected by recent developments in crypto assets and update their disclosures accordingly.

Sanctions

In past years, the SEC has sent comment letters to public companies seeking more detail about disclosures related to dealings in countries that are the subject of U.S. sanctions enforced by the Treasury Department’s Office of Foreign Assets Control, or OFAC. To the extent a company is doing business in sanctioned countries or territories or with sanctioned persons (even if permissible without violating applicable U.S. law), the company should consider whether disclosure of such activities is appropriate.

Nasdaq Board diversity rules

In August 2021, the SEC approved Nasdaq’s proposed diversity rules defining diversity objectives and requiring all companies subject to Nasdaq rules to publicly disclose in matrix form information on directors’ voluntary self-identified gender and racial characteristics, and LGBTQ+ status. The rules became effective in August 2022 (with simplified compliance deadlines adopted in December 2022).

A Nasdaq-listed company currently must have, or explain why it does not have, at least one diverse director (two diverse directors by December 31, 2025), subject to differing deadlines depending on a company’s listing date and Nasdaq market tier. The rules also require annual disclosure of a company’s diversity matrix by December 31. The compliance deadlines vary based on transition and phase-in accommodations for companies listed on or after August 6, 2021 as detailed in a Nasdaq listing center summary.

Disclosure under the rules must be provided in a proxy statement (or, if the company does not file a proxy, in its Form 10-K). Alternatively, the information may be provided on the company’s website, provided the company posts the disclosure concurrently with its annual SEC filing and submits a URL link to the disclosure via email (drivingdiversity@nasdaq.com) or through the Nasdaq Listing Center, within one business day after such posting.

The Fifth Circuit is considering a challenge to the SEC’s decision to approve Nasdaq’s board diversity rules. The court heard oral arguments en banc in May 2024, and a decision could come soon. In the meantime, companies should continue to comply with the rules.

Read our client update Nasdaq board diversity rules approved by SEC for more information on the topic, as well as Nasdaq’s FAQs.

10-K filing deadlines for calendar year companies

Large Accelerated Filer: March 3, 2025 (or 60 days after fiscal year end)

Accelerated Filer: March 17, 2025 (or 75 days after fiscal year end)

Non-Accelerated Filers: March 31, 2025 (or 90 days after fiscal year end)

Confirm your filer status

Confirm your filer status – whether large accelerated, accelerated, non-accelerated, EGC and/or SRC. Note that in March 2020, the SEC adopted amendments to the accelerated filer and large accelerated filer definitions in Rule 12b-2 under the Securities Exchange Act of 1934, or the Exchange Act. A summary of the amendments is available here.

Public companies need to consider their public float as of the end of their second fiscal quarter (June 30 for calendar year-end companies) as part of their filing status test. The public float on June 30, 2024 (and other criteria) in turn will determine a company’s 2025 filer status, which impacts, among other things, the due dates for periodic reports next year.

Mind your XBRL disclosure

Check with your financial printer to confirm how much lead-time will be required to complete XBRL tagging. The SEC has been expanding the scope and types of disclosure that require XBRL and/or Inline XBRL tagging, including, for example, the rules on clawbacks as well as for cybersecurity and 10b5-1 plans disclosure. Here is a snapshot of requirements that will first apply to annual filings in 2025:

• Trading policy disclosure and option grants. Disclosure required under Item 408(b) (relating to trading policies and procedures) and Item 402(x) (relating to timing of equity award grants) must be tagged in Inline XBRL beginning with the 10-K (or proxy statement, as applicable) filed in 2025 for companies on the calendar year.
• Cybersecurity. Annual disclosures must be tagged in Inline XBRL beginning with the 10-K filed in 2025 for companies on the calendar year.

Companies should continue to tag their 10b5-1 (or Item 408(a)) disclosures as they currently do in Inline XBRL. The Division of Corporation Finance posted a sample comment letter regarding companies’ XBRL and Inline XBRL disclosure obligations. Among other things, the letter reminds companies to properly tag their disclosure in Inline XBRL. The letter goes on to flag other XBRL requirements that companies may have overlooked in their filings.

Separately, the SEC’s Office of Structured Disclosure posted a statement which noted that some companies are incorrectly tagging basic and diluted earnings-per-share data and reminded issuers to review their tagging of EPS data and make necessary corrections.

Check for broken links

The SEC’s EDGAR Communications Office posted an announcement (updated in June 2024) reminding companies to confirm that the internal links (including links in exhibits) in their EDGAR filings are working properly before submitting filings on EDGAR. In addition, the announcement emphasized that companies should check whether existing filings have broken links and that they should fix these links. It is an often-missed point in the flurry to meet filing deadlines, so companies should work with their financial printer or other filing agent handling their filings to check internal links once there is an advanced proof to avoid any errors or a last-minute rush.

Item 405 and disclosure of late beneficial ownership reports

Regulation S-K Item 405 requires disclosure of any late filing or known failure by an insider to file a report required by Section 16. This is Part III disclosure that companies are likely to include in their annual proxy statement and incorporate it by reference into their Form 10-K. We include the requirement here to highlight that the SEC does pay attention to compliance with this disclosure requirement, as evidenced by the recent SEC enforcement sweep. Companies should closely track delinquent filings, if any, to ensure compliance with Item 405 disclosure requirements whether in their Form 10-K or their proxy statement.

Read our client update SEC announces enforcement sweep targeting late beneficial ownership and insider transaction reports for more detail on the recent enforcement sweep.

Description of registrant’s securities

Confirm that the description required to be included as an exhibit to Form 10-K accurately reflects the underlying documents (such as the charter, bylaws and certificate of designations) and that it is current. Many companies have adopted amendments to their bylaws over the past year (including advance notice bylaw provisions and other changes), which may require an update to their existing disclosure.

SOX certifications

Confirm that the CEO’s and CFO’s SOX certifications track the certification language required by Sections 302 and 906 of the Sarbanes-Oxley Act.

Signatures

The SEC allows use of electronic (rather than manual) signatures, including for Form 10-K. But there are attestation requirements for the first use of an electronic signature and specific procedures that must be followed afterwards, which are set forth in Rule 302(b) of Regulation S-T. The company must keep the manual signature page or authentication document, as applicable, for five years and furnish to it to the SEC staff on request as required under Rule 12b-11 of the Exchange Act.

Read our client update SEC to permit electronic signatures in filings for more information on the requirements relating to electronic signatures. 

In its Spring 2024 regulatory agenda, among other rulemaking priorities, the SEC had indicated October 2024 as the expected timing to propose new human capital management disclosure rules (proposed rules relating to corporate board diversity were slated for April 2025). However, the outcome of the 2024 presidential election is expected to significantly impact the SEC’s rulemaking agenda. It is unclear precisely how a Republican-controlled SEC will shape the agency’s priorities, other than with respect to the climate disclosure rules discussed above. 

Like last year, 2024 was an active year for SEC enforcement against public companies. The SEC continued to focus on traditional financial reporting and accounting issues but also scrutinized corporate disclosures in hot-button areas, such as cybersecurity and ESG. The SEC also filed enforcement sweeps addressing whistleblower protection and beneficial ownership reporting. The SEC also asserted aggressive claims involving internal controls requirements and displayed its willingness to litigate, while also messaging the benefits of cooperation.

The outcome of the 2024 presidential election is likely to impact the SEC’s enforcement posture over the next four years. Although enforcement may be less aggressive, such as in the form of lower corporate penalties and less aggressive controls theories, enforcement cases against public companies are a mainstay of the SEC’s enforcement program. We expect that the SEC will continue to bring enforcement actions involving disclosure, accounting and control violations.

Cybersecurity

In October 2024, the SEC instituted settled actions against four current and former public companies impacted by the 2020 SolarWinds software hack. The SEC alleged that the companies made materially misleading disclosures regarding cybersecurity risks and intrusions relating to the SolarWinds hack, and that one of the companies also had deficient disclosure controls and procedures. According to the SEC, some of the companies failed to disclose certain details regarding cybersecurity intrusions—such as the identity of a threat actor or the number of customers impacted—while others described cybersecurity risks in generic or hypothetical terms.

SEC Commissioners Hester Peirce and Mark Uyeda dissented from the settled proceedings on the grounds that the companies, in their view, had provided sufficient material information to investors, and criticized the SEC’s approach as “playing Monday morning quarterback” and unfairly engaging in a “hindsight review” of the disclosure decisions. But these actions highlight that companies crafting cybersecurity disclosures should expect the SEC to second-guess their materiality judgments and to scrutinize their risk factor disclosures.

Earlier in the year, a June 2024 settled action stemmed from a significant data breach when a company’s systems were infiltrated by ransomware, leading to unauthorized access and exfiltration of sensitive customer data. In addition to a disclosure controls violation, the SEC alleged that the company did not have adequate internal accounting controls to protect its information assets. This continues the novel use by the SEC of Section 13(b)(2)(B)’s internal accounting controls provision. Here, the SEC reasoned that the “assets” that are covered under the rule were the company’s “information technology systems and networks.” Commissioners Peirce and Uyeda again issued a dissenting statement, calling this use of the internal accounting controls rules inappropriate in this fact pattern and noting that the SEC has treated Section 13(b)(2)(B)’s internal accounting controls provision like a “Swiss Army Statute” to force companies to adopt policies and procedures that the SEC deems prudent.

This case highlights the SEC’s continuing use of internal accounting controls as a hook for their enforcement actions and this time, to regulate public companies’ cybersecurity practices. One key takeaway from this case is that the SEC expects public companies to have robust controls and procedures that provide for the appropriate escalation of cybersecurity incidents, so that appropriate remedial measures can be taken quickly, and presumably so that any disclosure implications can be considered.

ESG: Inaccurate statements regarding recyclability

In September 2024, the SEC charged a public company with making inaccurate statements regarding the recyclability of its single use beverage pods. According to the SEC’s order, the company had stated in its annual reports that its testing with recycling facilities confirmed its pods can be “effectively recycled”. But the company did not disclose that two large recycling companies had expressed significant concerns to the company regarding the commercial feasibility of the pods’ recycling and indicated that they did not intend to accept them for recycling. The SEC alleged that the company’s statements were not adequately qualified by providing the negative feedback the company had received from the recycling companies. SEC Commissioner Peirce argued in her dissent that the SEC misread the company’s “statement that the pods could be recycled as an implicit assertion that the pods would be recycled” and that the decision of the two recycling companies not to recycle the pods did not make the fact that they could be recycled false or misleading – and she also questioned the materiality of the statements.

While the facts in the case are very specific, companies should consider whether ESG-related claims in their disclosures are reasonably supported to mitigate the risk of second-guessing by the SEC.

Pledge disclosure

In August 2024, the SEC announced charges against a company and its controlling shareholder for failing to disclose on Form 10-K (and Schedule 13D) information relating to the shareholder’s pledges of company securities as collateral to secure personal margin loans worth billions of dollars under agreements with various lenders. Pledge disclosures are required pursuant to Regulation S-K Item 403(b).

Related person transaction disclosures

In March 2024, the SEC announced a settlement in connection with violations by a company of related person transaction disclosure requirements. The SEC’s order stated that from 2019 to 2022, the company failed to make disclosures in its 10-Ks and proxy statements regarding employment of two relatives of its executive officers and a consulting relationship with a person who shared a household with an executive officer. In addition, the company failed to disclose that at least two executive officers owed money to the company in the form of personal expenses that had been paid by the company but not yet reimbursed by the executives. The case is a reminder that the SEC scrutinizes Regulation S-K Item 404 disclosures, and companies should consider whether they have appropriate processes in place to capture this information.

Close personal friendship with executive relevant to director independence

In September 2024, the SEC announced settled charges against the former CEO, chairman and board member of a company for standing for election as an independent director without informing the board of his close personal friendship with a high-ranking company executive, which relationship included paying for joint international vacations and sharing confidential details about steps to better position the executive for succession. As a result, the proxy statement of the company contained materially misleading statements and violated proxy disclosure rules (among others since the disclosure identified the director as independent).

Although the D&O questionnaire itself was not the issue here (as the SEC alleged that the director concealed the relationship and knew, or should have known, that the relationship was relevant and significant to the company’s independence determination), companies should consider whether the catchall question addressing any relationships that may impact a director’s independence in the form D&O questionnaire they use to elicit information required for disclosure in their Form 10-K and/or proxy statement is framed sufficiently broadly.

Item 303 pure omissions claims are not actionable under Rule 10b-5

Regulation S-K Item 303 requires companies to disclose as part of their MD&A “known trends or uncertainties that have had or that are reasonably likely to have a material favorable or unfavorable impact on net sales or revenues or income from continuing operations.” Rule 10b-5(b) makes it unlawful “[t]o make any untrue statement of a material fact or to omit to state a material fact necessary in order to make the statements made, in the light of the circumstances under which they were made, not misleading.”

In April 2024, the Supreme Court, in a unanimous decision overturning the Second Circuit, held that securities fraud claims cannot be based solely on alleged Item 303 omissions. This decision made plain that Section 10(b) and Rule 10b-5 do not cover pure omissions that are untethered to a company’s actual statements. Rather, plaintiffs must identify an affirmative statement that the omission allegedly made misleading. The Court distinguished Rule 10b-5 from Section 11, which does impose liability for pure omissions.

This case resolves the disagreement among courts of appeals on whether a failure to make a disclosure required by Item 303 can support a claim under Rule 10b-5(b) in the absence of an otherwise-misleading statement. That said, companies should continue to carefully deliberate internally and if needed, consult their counsel, on what disclosure under Item 303 is or is not required or otherwise appropriate based on particular facts and circumstances.

What are the disclosure implications?

There is not a one-size-fits-all takeaway from these enforcement actions and litigation, and companies should evaluate the implications of each case in light of their existing internal controls and procedures, and their related disclosure. While these cases may prompt companies to reassess certain internal processes, companies may also reasonably conclude that their processes are appropriate and determine not to effect any changes.

Read our client updates SEC charges public companies with inadequate disclosures in aftermath of the SolarWinds cyberattack, SEC announces enforcement sweep targeting late beneficial ownership and insider transaction reports, Supreme Court holds that Item 303 pure omissions claims are not actionable under Rule 10b-5 and Is everything an accounting control violation now? for more detailed analyses of recent enforcement actions and litigation.