Yes, it is that time of year again, and as our clients and friends know, Mintz provides a yearly analysis of the regulatory developments that impact public companies as they prepare for their fiscal year-end filings with the Securities and Exchange Commission (SEC) and their annual shareholder meetings. This memorandum discusses key considerations to keep in mind as you embark upon the year-end reporting process in 2025.
Although the SEC was not as active in adopting new rules in 2024 as in the previous few years, this year public companies should continue to refine their disclosures and year-end process to address the SEC's earlier rulemaking activities. In particular, companies need to be aware of the developing landscape of cybersecurity disclosures and the required disclosure of insider trading policies and option awards made close in time to the release of material non-public information. Additionally, companies need to assess the impact artificial intelligence (AI) may have on their business, review their AI disclosures carefully, and continue to update their Environmental, Social, and Governance (ESG) practices and disclosures.
In addition to summarizing these considerations, we address several other significant developments and considerations companies should focus on this year, including the need to thoughtfully review and refine risk factors and Management's Discussion and Analysis of Financial Condition (MD&A). We also provide an update on noteworthy U.S. Food and Drug Administration (FDA) regulatory developments and recent litigation impacting corporate governance and disclosure.
Updating Risk Factors and MD&A in 2025
Like every year, companies will need to review and update their MD&A and risk factors sections of their Form 10-K to reflect the key trends and risks facing the company. In accordance with Item 303 of Regulation S-K, among other requirements, public companies are required to describe in the MD&A any known trends or uncertainties that have had or that are reasonably likely to have a material favorable or unfavorable impact on net sales or revenues or income from continuing operations, as well as any known trends or demands, commitments, events or uncertainties that will result in or that are reasonably likely to result in the company's liquidity increasing or decreasing in any material way and any known material trends, favorable or unfavorable, in the company's capital resources.
Public companies are also required to include in the risk factor section of Form 10-K (under Item 105 of Regulation S-K) a discussion of the material factors that make an investment in the company speculative or risky. Importantly, risks that have begun to materialize should not be discussed in a hypothetical way. Instead, risk factors should describe how a risk has materialized and what the current risks are to the company. The SEC continues to focus on specific disclosures over hypothetical examples.
The SEC is also focused on ensuring that disclosures in the MD&A match what companies disclose in earnings releases and earnings calls. In particular, key performance indicators and other metrics that management uses to manage the business that are material to investors need to be disclosed in the MD&A. For example, if metrics such as samples tested per month, comparable store sales or other non-GAAP financial measures (e.g., non-GAAP financial measures provided as part of regular guidance) are used by management to make important business decisions and these metrics are disclosed in earnings releases or earnings calls, the SEC has asked companies to include these metrics in future filings. If non-GAAP financial measures are included in the MD&A or elsewhere in SEC filings, companies are reminded that they will need to comply with Regulation G and Item 10(e) of Regulation S-K.
In connection with closely reviewing and updating the MD&A and risk factors sections this year, below are a few important topics that companies should continue to consider to determine if and how they have affected or may affect the company's business:
Artificial Intelligence (AI)
As discussed in detail under "Navigating the Evolving AI Landscape" below and in our year-end memorandum last year, the SEC continues to be focused on company disclosures on the impact and risks of the use of AI on their business. As companies prepare their upcoming Form 10-K and Form 10-Qs, we recommend they continue to consider, to the extent applicable, the potential risks of AI on their business and add or update their AI-related risk factor to disclose potential risks.
China-Specific Risks
As discussed in our year-end memorandum last year, the SEC continues to focus on ensuring that companies are adequately disclosing material risks relating to operations in the People's Republic of China. In July 2021, in a statement by SEC Chair Gary Gensler, the SEC added to its November 2020 guidance for companies that are based in or that have a majority of their operations in China about disclosure of China-related risks, particularly since the SEC's ability to promote and enforce disclosure standards may be materially limited with respect to these companies. In July 2023, the SEC's Division of Corporation Finance issued an additional sample letter to companies regarding China-specific disclosures.
In connection with preparing for the upcoming Form 10-K and Form 10-Qs, we continue to recommend that, in addition to China-based companies, companies that have any operations in, manufacturing, or supply from, or otherwise do business in China revisit their China-related disclosures to ensure that material risks are disclosed. As the new Trump administration takes office in January 2025, the risks related to doing business in China may become heightened, especially if new tariffs or other trade restrictions are imposed by China and/or the United States.
Cybersecurity
As discussed below under "SEC Cybersecurity Disclosure Requirements," cybersecurity continues to present significant risks to many companies, as the consequences for cybersecurity events are significant and the risks continue to change as technology evolves. In addition to the cybersecurity disclosure section now required under Item 1C of Form 10-K (or Item 16K of Form 20-F) that addresses cybersecurity risk management and strategy and cybersecurity governance, companies should continue to review their cybersecurity-related disclosures to ensure that material risks are disclosed in their risk factors.
FDA Regulatory Developments
As discussed below under "FDA Regulatory Developments," we recommend that public companies that develop medical or consumer products that may be regulated by the U.S. Food and Drug Administration (FDA) or do business directly with FDA-regulated entities consider whether any recent legal or regulatory developments prompt the need for new or updated disclosures in their Form 10-K. Among other developments discussed below, key FDA actions during 2024 included the publication of guidance covering Diversity Action Plans (DAPs) for pivotal clinical studies of investigational medical products, issuance of FDA's final rule phasing out enforcement discretion for laboratory developed tests and the creation of the FDA Rare Disease Innovation Hub. Uncertainty regarding the priorities of the agency and proposals for reform suggested by the incoming Trump administration may also have an impact on businesses in the coming year.
Inflation and Market Conditions
Although inflation has not been as significant a factor in 2024 as in the previous few years, during the 12 months from June 2023 to June 2024, the U.S. Consumer Price Index rose approximately 3.0% (as reported by the U.S. Bureau of Labor Statistics), which remains higher than increases since March 2021. As a result of inflation, many companies have experienced and continue to experience increased costs for the supply of product components and raw materials, and companies may or may not be able to offset these cost increases by increasing the prices of their own products. To the extent companies increase their product pricing, it may result in fewer products sold. All these factors may have an impact on revenues and earnings. Interest rates and the increased cost of capital associated with higher rates than have been seen in many years may have similar impacts on businesses and consideration of these impacts should be factored in as companies update their risk factors and MD&A.
Ukraine and Middle East Conflicts
As the war in Ukraine closes in on its third anniversary and the current conflicts in the Middle East enter their second year, companies need to continually assess the impact and risks on their business from each of these conflicts. The conflicts have adversely affected many aspects of business in the regions and the current and potential impact on your business should be fully disclosed.
SEC Cybersecurity Disclosure Requirements
Looking Back to 2023
As we noted in last year's memorandum, significant changes occurred in 2023 when the SEC adopted the final cybersecurity disclosure rule, which requires both (1) annual disclosures on Form 10-K (or Form 20-F) regarding cybersecurity risk management, strategy, and governance practices, and (2) current reporting on Form 8-K (or Form 6-K) of cybersecurity incidents.
Under this rule, public companies are required to include a cybersecurity disclosure section under Item 1C of Form 10-K (or Item 16K of Form 20-F), which must include the disclosure required by Item 106 of Regulation S-K. In that section, public companies are required to address both (1) cybersecurity risk management and strategy and (2) cybersecurity governance. This new disclosure was mandated for all public companies in their annual reports for fiscal years ending on or after December 15, 2023.
Beyond the annual disclosure of cybersecurity risk management, strategy and governance, the cybersecurity disclosure rule also requires current disclosure of material cybersecurity incidents under new Item 1.05 of Form 8-K (or on Form 6-K). Specifically, if the company experiences a cybersecurity incident that the company determines to be material, the company must describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the company, including its financial condition and results of operations.
The Form 8-K (and Form 6-K) disclosures for all registrants other than smaller reporting companies began on December 18, 2023, and smaller reporting companies were required to begin complying with the Form 8-K (and Form 6-K) disclosure requirements on June 15, 2024.
For detailed information about guidance on these disclosures, please see last year's memorandum.
For additional information about the SEC cybersecurity disclosure rule, please see our Mintz advisory titled SEC Adopts Final Cybersecurity Rules for Public Companies (August 1, 2023).
Developments in 2024
2024 saw fewer cybersecurity-related developments than 2023. On May 21, 2024, Erik Gerding, the Director of the SEC's Division of Corporation Finance, issued a statement seeking to clarify disclosure requirements under Item 1.05 of Form 8-K.
The SEC's clarification followed an initial flurry of "voluntary" disclosures of cybersecurity incidents under Item 1.05 of Form 8-K by reporting companies that did not appear to have made any determination related to the materiality of the reported incidents at the time of filing the Item 1.05 Form 8-K.
As noted in the statement, if a company chooses to disclose a cybersecurity incident for which it has not yet made a materiality determination, or a cybersecurity incident that the company determined was not material, the SEC encourages the company to disclose that cybersecurity incident under a different item of Form 8-K, such as, for example, Item 8.01. The statement notes, "Although the text of Item 1.05 does not expressly prohibit voluntary filings, Item 1.05 was added to Form 8-K to require the disclosure of a cybersecurity incident 'that is determined by the registrant to be material,' and, in fact, the item is titled 'Material Cybersecurity Incidents.' In addition, in adopting Item 1.05, the Commission stated that 'Item 1.05 is not a voluntary disclosure, and it is by definition material because it is not triggered until the company determines the materiality of an incident.' Therefore, it could be confusing for investors if companies disclose either immaterial cybersecurity incidents or incidents for which a materiality determination has not yet been made under Item 1.05."
The statement goes on to note that the clarification above is not intended to discourage companies from voluntarily disclosing cybersecurity incidents for which they have not yet made a materiality determination, or from disclosing incidents that companies determine to be immaterial, and instead, clarifies that the SEC encourages the filing of such voluntary disclosures in a manner that does not result in investor confusion or dilute the value of Item 1.05 disclosures.
Further, if a company discloses an immaterial incident (or one for which it has not yet made a materiality determination) under Item 8.01 of Form 8-K, and then subsequently determines that the incident is material, then it should file an Item 1.05 Form 8-K within four business days of the determination.
Finally, the statement provides guidance on determining whether a cybersecurity incident is "material." As the SEC initially made clear in the Adopting Release for Item 1.05 of Form 8-K, the materiality assessment should not be limited to the impact on "financial condition and results of operation," and "companies should consider qualitative factors alongside quantitative factors." The statement cites the following factors:
- Consider whether the incident will harm the company's reputation, customer or vendor relationships, or competitiveness.
- Consider the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and Federal Governmental authorities and non-U.S. authorities.
In cases where a cybersecurity incident is so significant that a company determines it to be material even though the company has not yet determined its impact (or reasonably likely impact), the company should disclose the incident in an Item 1.05 Form 8-K and include a statement noting that the company has not yet determined the impact (or reasonably likely impact) of the incident, then amend the Form 8-K to disclose the impact once that information is available.
Foreign private issuers filing on Form 6-K would not be impacted by the statement. Unlike Form 8-K, Form 6-K does not have an equivalent to Item 1.05. Instead, Form 6-K requires foreign private issuers to disclose material cybersecurity incidents that have been publicized in a foreign jurisdiction, to any stock exchange or to securityholders. However, there is no mandatory location specified within Form 6-K for these disclosures.
Disclosure of Insider Trading Policies
In December 2022, the SEC finalized amendments to Rule 10b5-1 under the Securities Exchange Act of 1934 (the "Exchange Act"), introducing new disclosure requirements for Rule 10b5-1 trading plans and insider trading policies and practices. The annual disclosure obligations for insider trading policies took effect in 2024, with the first set of disclosures required in the first filing that covers the first full fiscal year starting on or after April 1, 2023. For smaller reporting companies, the timeline extended to filings covering the first full fiscal year beginning on or after October 1, 2023. Companies with a fiscal year ending on December 31 will need to include these disclosures in their Form 10-K for the year ending December 31, 2024.
Under Item 408(b) of Regulation S-K, companies are required to disclose whether they have established insider trading policies and procedures that govern the purchase, sale, or other dispositions of the company's securities by directors, officers, and employees, or by the registrant itself, and are designed to be in compliance with insider trading laws. In situations where a company has not adopted such policies and procedures, an explanation for this absence must be provided. Because this is a Form 10-K, Part III disclosure, the disclosure regarding the insider trading policies and procedures can be incorporated by reference from the company's proxy statement. However, if the registrant has implemented insider trading policies and procedures, these documents must be filed as an exhibit to the Form 10-K. For additional information about the amendments to Rule 10b5-1, please see our Mintz Insights advisory, SEC Adopts Amendments to Rule 10b5-1 Insider Trading Arrangements.
Close-in-Time Equity Awards
The new disclosure obligations under Item 402(x) of Regulation S-K, which require executive compensation disclosure of public companies' policies and practices related to granting certain equity awards close in time to the release of material nonpublic information, took effect in 2024. Companies with a fiscal year ending on December 31 will need to include these disclosures in their Form 10-K for the year ending December 31, 2024; the disclosures can be incorporated into the Form 10-K by reference from the company's proxy statement.
Under Item 402(x) of Regulation S-K, each registrant must provide narrative disclosure in Form 10-K and in any proxy or information statement describing its policies and practices on the timing of option and stock appreciation right grants in relation to the release of material non-public information (MNPI), including how the board determines when to grant such awards, whether the board or compensation committee takes MNPI into account when determining the timing and terms of an award and whether the registrant has timed the disclosure of MNPI for the purpose of affecting the value of executive compensation. The narrative disclosure is required regardless of whether grants were made in close proximity to the release of MNPI during the last completed fiscal year.
If, during the last completed fiscal year, the registrant granted options to a named executive officer in a period beginning four business days before and ending one business day after the filing or furnishing of a Form 10-Q, 10-K or 8-K that discloses MNPI (excluding a Form 8-K disclosing only a material new option award grant under Item 5.02(e) of that form), the registrant must provide the following information in a table:
- grant date of the award;
- number of the securities underlying the award;
- exercise price of the award (per share);
- grant date fair value of the award; and
- the percentage change in the closing market price of the securities underlying the award between the trading day ending immediately prior to the disclosure of MNPI and the trading day beginning immediately following the disclosure of MNPI.
Companies and their compensation committees should continue to evaluate their grant practices, assess procedures for tracking awards that will be subject to the new disclosure requirements, and consider establishing grant schedules for awards to executive officers.