This Alert highlights the latest top trends and considerations for companies preparing to file their Form 10-K in 2025 for the fiscal year ending in December 2024, including: Lessons learned from recent U.S. Securities and Exchange Commission ("SEC") comment letters, guidance,
enforcement proceedings and litigation;
New SEC rules and applicable NYSE/Nasdaq corporate governance listing standards; and
Developments companies face stemming from regulatory, geopolitical and other events, including considerations relating to the new administration.
5. Part I, Item 3. Legal Proceedings 6. Part II, Item 7. Management's Discussion and
Analysis of Financial Condition and Results of Operations ("MD&A") 7. Part II, Item 8. Financial Statements and Supplementary Data
8. Part II, Item 9A. Controls and Procedures
9. Part III, Item 10. Directors, Executive Officers and Corporate Governance (can be deferred to and incorporated from proxy statement)
Must check boxes on the cover page to indicate (i) if there is an error correction of previously issued financial statements and (ii) whether any of those error corrections required a clawback recovery analysis
Review human capital management disclosures Include or review and update disclosures relating to AI Update climate-related and data privacy disclosures
Focus on AI, cybersecurity, climate/sustainability, inflation/interest rate, geopolitical/military conflict risks and government administration changes, in addition to company and industry specific risks
Consider updating disclosure/control processes, in light of learnings from recent SEC enforcement actions and comment letters; be consistent with risk factors and Form 8-K disclosures
Be wary of disclosing that a claim against the company is "without merit"
Focus on MD&A (trends/uncertainties, results of operations and liquidity) and nonGAAP measures, which continue to be key areas of SEC staff comment
Focus on AI trends disclosure, if applicable
New accounting segment reporting disclosure requirements apply to year-end financial statements
Be mindful that the SEC staff continues to focus on how companies have identified operating segments and aggregated them into reportable segments
Reassess controls and procedures in light of recent SEC enforcement actions, which extend beyond typical financial reporting
Review disclosure and internal controls around AI and sustainability disclosures
Include disclosure required by new Item 408(b) of Reg. S-K, relating to securities trading policies and procedures for insiders and the company itself, which must be tagged in Inline XBRL
File new Exhibit 19 Insider Trading Policies and Procedures, including trading policies and procedures applicable to the company itself, to be filed as one combined exhibit or as separate exhibits
Check Boxes for Financial Restatements and Clawback Analysis
Form 10-K includes two checkboxes for companies with securities listed on a U.S. stock exchange one of which must now be checked if the financial statements of the company included in the filing reflect the correction of an error to previously issued financial statements and the other must be checked if any of those error corrections are restatements that required a recovery (or clawback) analysis of incentive-based compensation received by the company's executive officers during the relevant recovery period. Checking the boxes was not previously required until companies were required to have a recoupment policy under applicable NYSE/Nasdaq listing standards/SEC Rule 10D-1(b) (which all NYSE/Nasdaq listed companies must now have since December 1, 2023 for incentive-based compensation earned on or after October 2, 2023). Checkbox covers both "Big "R" (which stems from an error that was material to previously issued financial statements, requiring a company to file an Item 4.02 Form 8-K) and "little r" restatements (which corrects errors that were not material to previously issued financial statements but that would result in a material misstatement in the current period if (i) the error was left uncorrected in the current period or (ii) the correction of the error was recognized only in the current period).
Item 402(w) of Reg. S-K now requires disclosure of actions to recover erroneously awarded compensation pursuant to the company's NYSE/Nasdaq mandated clawback policy. This disclosure is required to appear with and in the same format as the rest of the disclosure required by Item 402 of Reg. S-K (and tagged in Inline XBRL), so we expect it to be incorporated by reference from the proxy statement. However, the checkbox on the cover of the Form 10-K must still be checked.
In light of the impending change in administration, the SEC is not likely to propose specific rules on human capital management ("HCM"), despite the proposal's inclusion in the SEC's April 2024 Rulemaking Agenda. However, many institutional and other investors and stakeholders seek enhanced HCM disclosure. As such, when considering HCM disclosures in the Form 10-K, in the sustainability report or on the corporate website, companies should review the SEC's Investor Advisory Committee recommendations to the SEC, which would have required companies to provide the following disclosures:
the number of people employed by the company, broken down by whether those people are full-time, parttime, or contingent workers;
turnover or comparable workforce stability metrics; the total cost of the company's workforce, broken down into major components of compensation; and
workforce demographic data sufficient to allow investors to understand the company's efforts to access and develop new sources of talent, and to evaluate the effectiveness of these efforts.
Although companies already include many of the aforementioned disclosures in response to Item 101(c) of Reg. S-K, they should consider the continuing materiality and accuracy of prior statements and goals, and ensure go-forward consistency across various public facing documents, including the Form 10-K, sustainability (or similar) reports and/or the corporate website.
AI Products and Uses. Companies should describe (particularly if previously highlighted in earnings releases and on earnings calls) AI-related products and initiatives; AI research and development efforts; the impact of AI on the company's products, services, relationships with customers or suppliers; and AI competitive conditions.
AI Washing. Companies must carefully consider whether their public filings accurately reflect their artificial intelligence and machine learning (collectively, "AI") capabilities and usage. Recent SEC enforcement actions reflect the SEC staff's focus on AI disclosures and overstatement of AI capabilities, uses or impacts. See In re Delphia (USA) Inc. Mar. 18, 2024) (SEC enforcement action alleging that the company did not actually utilize the AI tools the company touted in marketing materials); In re Global Predictions, Inc. (Mar. 18, 2024) (same).
AI Regulatory Developments. Companies should discuss, to the extent relevant to their business, recent AI regulatory updates, including the European Union's Artificial Intelligence and Data Act, President Biden's Executive Order on AI and the Colorado Artificial Intelligence Act.
Climate and Data Privacy
Greenwashing. Companies should ensure that sustainability-related disclosures are up to date and accurate, including around targets and goals. For example, a recent SEC enforcement action focused on omissions in Form 10-K disclosures around recyclability of a company's packaging (In re Keurig Dr Pepper Inc. (Sept. 10, 2024)).
SEC Climate-Related Disclosure. On April 4, 2024, the SEC voluntarily stayed its previously adopted climaterelated disclosure rules, pending judicial review by the U.S. Court of Appeals for the Eight Circuit. If the new rules survive judicial review and are not effectively rescinded by the SEC under its new leadership, it would remain with the new Trump-era SEC to enforce those rules, which is expected to be unlikely. Companies should continue to monitor the status of these rules and other sustainability-related regulations that may impact the company. Many institutional investors and other stakeholders have requested companies to disclose climaterelated information, which is typically included in a sustainability report that is separate to the Form 10-K, and supported by disclosure controls and procedures.
Other Climate-Related Disclosure. Moreover, aside from the SEC climate-related rules, there a number of other climate and sustainability-related regulations to be mindful of when preparing this year's Form 10-K, including disclosures around relevant regulations and risk factors. In September 2024, the California state legislature passed SB 219, which will make changes to SB 253 (disclosure of greenhouse gas ("GHG") emissions, first disclosures for in-scope entities due in 2026 on a date to be determined by the California Air Resources Board ("CARB")) and SB 261 (disclosure of a climate-related financial risk report, first disclosures for in-scope entities due on or before January 1, 2026), including extending the deadline for CARB to adopt regulations from January 1, 2025 to July 1, 2025. SB 219 will also allow entities to use consolidated reporting at the parent company level, rather than disclosing entity-by-entity. Additionally, the EU Corporate Sustainability Reporting Directive, which passed in late 2022 and is in the process of being implemented by EU Member States, may also require U.S. companies to provide extensive sustainability-related disclosures if they have large EU subsidiaries (with first disclosures due in 2026) and if the U.S. parent company meets certain size thresholds (with first disclosures due in 2029). Companies should also review if other regulations may apply to subsidiaries and/or the parent company, including requirements based on the International Sustainability Standards Board standards that are being implemented in many countries.
Data Privacy Regulatory Developments. Companies that include disclosure regarding state and foreign data protection laws and compliance programs in relation to such laws should review their disclosures and update as necessary to reflect the new states that have adopted these laws, including in Kentucky, New Hampshire, New Jersey, and others.
Companies should ensure that risk factors are current, tailored, and consistent with disclosure in the remainder of the Form 10-K, including business, MD&A, market risks and the forward-looking statements disclaimer, as well as in earnings materials.
Artificial Intelligence
AI usage is rapidly evolving, with more companies developing, using and/or competing against AI tools every year. Companies that are or may be impacted by AI should prepare tailored risk factors that are specific to the company and the particular AI tool at issue, and avoid relying on boilerplate AI risk factors. For example, a recent SEC comment letter asked the following: "This risk factor discusses risks related to AI, but does not clarify if you currently utilize AI in operating your business, or if your key vendors utilize AI in providing their services to you or in processing your client or transaction data. Please revise this risk factor to clarify the extent to which this addresses risks related to how you operate your business at present."
Cybersecurity
Companies should review their cybersecurity risk factors to ensure consistency with the disclosure required by Item 106 of Reg. S-K (see discussion below in Part I, Item 1C Cybersecurity) and related SEC guidance.
Consistent with the SEC's long-standing position, companies should make sure cybersecurity risk factors acknowledge not only that a potential vulnerability exists but also when a cyber event has occurred (for example, if the company already has experienced a breach as a result of the identified vulnerability risk and/or has filed an Item 1.05 Form 8-K disclosing the same). See discussion below re Facebook, Inc. v. Amalgamated Bank.
Reminder that the SEC remains focused on cybersecurity risks and incidents. For example, in May 2024, Erik Gerding, Director of the SEC's Division of Corporate Finance, noted that although the text of recently adopted Item 1.05 of Form 8-K, which requires prompt disclosure of material cybersecurity incidents, does not expressly prohibit voluntary disclosures, reporting immaterial cybersecurity incidents may lead to investor confusion or dilute the value of Item 1.05. Thus, if a company chooses to disclose a cybersecurity incident for which it has not yet made a materiality determination, or a cybersecurity incident that the company determined was not material, Mr. Gerding encourages companies to disclose that cybersecurity incident under a different item of Form 8-K (for example, Item 8.01. Other Events).
Climate and Sustainability
Companies should review their previously announced climate and sustainability-related goals and consider whether risk factors related to the inability to reach such goals need to be updated to reflect any progress (or lack thereof) towards reaching such goals. Updating these risk factors to reflect current climate and sustainability expectations should help mitigate against allegations of "greenwashing" if the previously announced goals are not met or are delayed (see, e.g., New York Attorney-General's February 2024 lawsuit against JBS USA Food Company involving commitments to be "Net Zero by 2040" but with "no viable plan" to meet this commitment).
As uncertainty remains around inflation and interest rates, including as a result of future U.S. government debt ceiling negotiations, interest rate cuts by the U.S. federal reserve and/or the uncertainty around planned spending and tax cuts by the Trump administration, companies should review these risk factors to ensure they appropriately account for the latest, specific inflation and interest rate risks to a company's business, results of operations and liquidity.
Geopolitics and Military Conflicts
Companies should consider whether disclosures of risks relating to the incoming Trump administration and Republican-controlled Congress are warranted, including, for example, any potential impact from promised tax cuts, increased deregulation, increased defense spending, shifts in energy and immigration policy, increased tariffs, and changes in foreign policy (with China, Russia, Europe and/or the Middle East).
Companies should continue to include risks relating to ongoing global wars, especially if the company does business with parties in impacted regions (for example, as a result of attacks on shipping vessels in key shipping routes by Yemen's Houthi rebels).
Risk Factor Disclosure Litigation
In Facebook, Inc. v. Amalgamated Bank, a private plaintiff class action, at issue is whether risk disclosure can be treated as false or misleading when it does not reveal that a warned-of risk has already occurred, even if that past event presents no known risk to the company's ongoing or future business. The district court had dismissed the shareholders' claims, and the U.S. Court of Appeals for the Ninth Circuit reversed. Although the United States Supreme Court recently heard oral arguments in the case, on November 22, 2024, the court remanded the case back to the California federal district court without ruling on the merits (finding that the writ of certiorari was "improvidently granted"). As this case proceeds, it could prove instructive on disclosure practices concerning an array of risks ranging from cybersecurity to climate change to products liability.
4. Part I, Item 1C. Cybersecurity
Companies should thoroughly review the descriptions of their cybersecurity processes and procedures and confirm that they are sufficiently detailed to comply with each provision of Item 106 of Reg. S-K. Attention should be given to disclosure regarding the capabilities and responsibilities of those overseeing cybersecurity threats (including updating expertise as needed such as years of service and qualifications, particularly where a different person is serving in the role as compared to last year) and actions taken in response to prior incidents. The SEC has laser-focused in comment letters on missing Item 106 disclosure, including, for example: "We note your disclosure that both your executive management team and your board of directors are responsible for oversight of risks from cybersecurity threats. Please confirm that in future filings you will expand upon the executive management team's and the board of directors' areas of responsibility to describe their respective processes in sufficient detail for a reasonable investor to understand as required by Item 106(b)(1) of Regulation S-K." "Please revise future filings to disclose whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect you, including your business strategy, results of operations, or financial condition and if so, how. Refer to Item 106(b)(2) of Regulation S-K."
"We note that leaders from your information security, compliance and legal team oversee cybersecurity risk management. Please revise future filings to provide the relevant expertise of such persons or members in such detail as is necessary to fully describe the nature of the expertise as required by Item 106(c)(2)(i) of Regulation S-K."
The process disclosed in Item 1C of Form 10-K should be consistent with the company's process for assessing, identifying, and managing material risks from a cybersecurity incident. If disclosed Reg. S-K Item 106 processes are not followed, the SEC may bring enforcement actions both to challenge the prior disclosures and to allege insufficient internal disclosure and accounting controls surrounding an incident (see our discussion on In re R.R. Donnelley & Sons Co. below under "Part II, Item 9A Controls and Procedures").
Reminder that Item 106 of Reg. S-K disclosure must be tagged in Inline XBRL.
5. Part I, Item 3. Legal Proceedings
Characterizing Legal Claims Against the Company
Companies should be wary of disclosing that a claim against them is "without merit." In City of Fort Lauderdale Police & Firefighters' Retirement Sys. v. Pegasystems, Inc. (D. Mass. July 24, 2023) (available here), the plaintiffs argued that the defendants knowingly engaged in the conduct underlying a certain action but falsely stated in the Form 10-K that claims regarding such actions were "without merit." The court denied the company's motion to dismiss on the basis that the disclosure that the claims were "without merit" was misleading when the defendants possessed substantial information about the viability of those claims. In contrast, the court observed that an issuer could disclose that it had "substantial defenses" to a claim if it reasonably believes that to be true.
6. Part II, Item 7. Management's Discussion and Analysis of Financial Condition and Results of Operations (and Non-GAAP Measures)
Recent SEC Focus. The SEC staff continues to focus and comment on companies' MD&A disclosures, with a particular focus on the discussion and analysis of results of operations, known trends or uncertainties, critical accounting estimates, and liquidity and capital resources. The staff also continues to comment on non-GAAP measures, focusing on the prominence of the non-GAAP measures compared to the GAAP measures, reconciliation between the non-GAAP and comparable GAAP measure, and lack of disclosure as to why the company believes the non-GAAP measures disclosed are useful to investors. For example, the following is a sample of recent SEC comments:
"You cite various factors to explain changes in your results but have not quantified their impact, most notably for sales and gross margin rate. Please quantify cited factors so investors may better understand their relative impact."
"We note there are . . . long-term debt maturities due in 2024 that are expected to be refinanced at higher interest rates. Please discuss the expected effects of this known trend or uncertainty on your future financial position, results of operations, and cash flows."
"We note your disclosure of critical accounting estimates appear to relate to estimates in connection with the allowance for credit losses, securities valuation, and income taxes; however, your disclosure appears to only refer to disclosure of information within the financial statement footnotes."
"Please provide a more informative discussion and analysis of cash flows from operating activities. . ."
"You present free cash flow, a non-GAAP financial measure, without disclosing its most directly comparable GAAP measure, net cash provided by operating activities, with equal or greater prominence."
"Please tell us how you determined it is appropriate to exclude normal, recurring, cash operating expenses from your non-GAAP measures or revise to remove these measures from your annual and periodic filings, Form 8-K earnings releases, and earnings presentations on your website. . ."
Artificial Intelligence. One particular trend disclosure to focus on, to the extent applicable, is foreseeable AI issues and opportunities that could materially affect a company's performance and that may be material to an investor's understanding of the company's business and financial condition.
7. Part II, Item 8. Financial Statements and Supplementary Data
Segment Reporting
There are new segment reporting disclosure requirements this year. The FASB's Accounting Standards Update 2023-07, Segment Reporting Improvements to Reportable Segment Disclosures, is first effective for calendar year public entities in 2024 year-end financial statements and are to be adopted retrospectively unless impracticable. The SEC staff has been providing informal guidance concerning the new requirements, including, for example, with its interplay with non-GAAP financial measure requirements.
The SEC staff continues to focus on segment reporting, including commenting on how registrants identify operating segments and aggregate them into reportable segments. Companies should therefore be prepared to defend their segment reporting decisions if challenged by the SEC staff, including maintaining robust documentation that was used to support management's reporting conclusions and coordinating closely with their public accounting firms.
Reminder that financial information (e.g., profit or loss for each reportable segment) that must be disclosed under GAAP is not a non-GAAP measure. However, disclosure of total segment profit or loss on a consolidated basis outside of the financial statements (e.g., in the MD&A) would be considered a non-GAAP disclosure that should comply with the SEC's non-GAAP rules.
This year, the SEC continued to bring actions emphasizing that the evaluation of the effectiveness of a company's internal control over financial reporting ("ICFR") goes beyond the information and risks that directly impact financial reporting. As public companies assess the effectiveness of their ICFR for the current year, they should look beyond financial reporting, as illustrated by the following recent SEC enforcement actions:
Cybersecurity: In re R.R. Donnelley & Sons Co. (June 18, 2024). The SEC announced settled charges against R.R. Donnelley following a ransomware attack against the company for, among other things, its alleged failure to maintain effective disclosure controls due to design defects in the process by which relevant cybersecurity information (i.e., cybersecurity alerts and incidents) was reported to management with the responsibility for making disclosure decisions. The SEC also alleged that the company failed to implement sufficient internal accounting controls to provide reasonable assurances that access to company assets (in this case, its information technology systems and networks, which contained sensitive business and client data) was permitted only with management's general or specific authorization. Specifically, the company's cybersecurity alert review and incident response processes allegedly failed to adequately establish a prioritization scheme and to provide clear guidance to personnel on procedures for responding to incidents (personnel allegedly failed to adequately review internal alerts and take adequate investigative and remedial measures until a company with shared access to the company's network notified it of the cybersecurity incidents). R.R. Donnelley agreed to pay over $2.1 million to settle the charges.
In re National Energy Services Reunited Corp. (Aug. 28, 2024). The SEC announced settled charges against National Energy for numerous accounting errors and internal control deficiencies. The SEC investigation found, in part, that the company relied on deficient legacy practices of two acquired companies for financial reporting without conducting an adequate assessment. National Energy agreed to pay a $400,000 and a "springing" penalty of $1.2 million if the company fails to complete its controls remediation in a timely manner acceptable to the SEC.
In re Deere & Company (Sept. 10, 2024). The SEC announced settled charges against Deere for, among other things, the failure to adequately integrate a newly-acquired foreign company into its system of internal controls, which allowed the subsidiary to continue making unlawful payment to foreign officials. Deere agreed to pay $9.9 million in disgorgement and fines.
Hedging Transactions. In re Portland General Electric Company (Sept. 4, 2024). The SEC announced settled charges against Portland General, which after shifting its energy hedging trading activity from normal practices, incurred $127 million in trading losses that were unrecoverable. The SEC took issue with the company's alleged failure to implement controls to ensure that management had access to information relevant to ensure accurate derivative market risk disclosures. Because of the company's cooperation and remediation, the SEC did not impose a penalty.
Artificial Intelligence
Companies should also review and update their disclosure and internal controls around AI-related public disclosures to ensure the company can establish a reasonable basis for all AI-related statements on usage and capabilities.
Sustainability
Companies should review disclosure controls and procedures to ensure that sustainability-related disclosures are appropriately covered, and review effectiveness of related internal controls.
9. Part III, Item 10. Directors, Executive Officers and Corporate Governance
Insider Trading Policies and Procedures
Disclosure under new Item 408(b) of Reg. S-K is now required for the first time. A company must disclose whether it has adopted insider trading policies and procedures governing the purchase, sale and/or other dispositions (such as gifts) of the company's securities by directors, officers, and employees, or the company itself, that are reasonably designed to promote compliance with insider trading laws and applicable listing standards, and, if the company has no such policies, explain why not. It is expected that companies will comply with this requirement through disclosure in the proxy statement that is to be incorporated into the Form 10-K (because such disclosure also is required independently in a proxy statement that has an item to elect directors).
This disclosure also must be tagged in Inline XBRL as required by 17 CFR 232.405 in accordance with the EDGAR Filer Manual.
Companies are also required for the first time to file their insider trading policies and procedures as exhibits (#19) to Form 10-K. Consider a fresh look at existing policies and procedures and making changes (or redactions of personally sensitive information) in light of public disclosure. Companies also should consider the following:
Shadow trading. In SEC v. Panuwat, a federal civil jury found on April 5, 2024, a former executive liable for insider trading when the executive, knowing nonpublic information about his own company (Medivation) being acquired by Pfizer, purchased stock in a peer company in the same industry (Incite) that was not involved in the acquisition (so called, "shadow trading"). In light of Panuwat, companies should revisit their insider trading policies and the language around the prohibition on trading in other companies' securities, particularly those that have a market connection.
Company-specific policy. Because Item 408(b) of Reg. S-K requires disclosure of the insider trading policies and procedures applicable to the company itself, consider adopting a separate policy or updating existing insider trading policies to cover the company's securities trading practices. If there are no trading policies and procedures applicable to the company itself, the company must explain why no such policies exist. The company specific policy must be included as an exhibit, with some companies filing it as separate standalone exhibit and others filing all policies together as one exhibit (see 10. Part IV, Item 15 Exhibits below).
10. Part IV, Item 15. Exhibits
Reminder to file new Exhibit 19 Insider Trading Policies and Procedures (including policies and procedures that apply to the company itself).
***
If you have questions concerning the contents of this Alert, or would like more information, please speak to your regular contact at Weil or to any of the following authors:
2024 Weil, Gotshal & Manges LLP. All rights reserved. Quotation with attribution is permitted. This publication provides general information and should not be used or taken as legal advice for specific situations that depend on the evaluation of precise factual circumstances. The views expressed in these articles reflect those of the authors and not necessarily the views of Weil, Gotshal & Manges LLP. If you would like to add a colleague to our mailing list, please click here. If you need to change or remove your name from our mailing list, send an email to [email protected].