Your 2023 Form 10-K roadmap
To help navigate what has been an active year of new SEC disclosure mandates, we have prepared an overview of key considerations for preparing your 2023 annual report on Form 10-K.
What’s new for the 2023 Form 10-K?
In July 2023, the SEC adopted final rules that mandate cybersecurity incident and risk management disclosures for public companies. These final rules require (1) domestic public companies to disclose on Form 8-K any material cybersecurity incident within four business days after determination of materiality (with limited exceptions) (see new item 1.05 in Form 8-K) and (2) all public companies to make annual disclosures in Form 10-K to describe the company’s (i) processes to assess, identify and manage cybersecurity risks, (ii) board oversight of such risks and (iii) management’s role and expertise in assessing and managing such risks (see new item 106 of Regulation S-K and new item 1C in Form 10-K).
The annual cybersecurity disclosure requirements begin with the 2023 10-K for companies on the calendar year, much earlier than is typical for new SEC rules.
The new cybersecurity risk management and governance disclosure is likely to be closely scrutinized by private plaintiffs and the SEC staff in the event of a material cybersecurity incident. As such, companies should ensure that their disclosure describes their actual existing processes, and take care not to overstate the company’s defenses, expertise, processes or readiness to address a cybersecurity threat.
The annual disclosure requirements begin with the 2023 10-K for companies on the calendar year, much earlier than is typical for new SEC rules.
In May 2023, the SEC adopted final rules to require expanded share repurchase narrative disclosure on a quarterly basis, including:
- Objectives or rationales for the company’s share repurchases and the process or criteria used to determine the amount of repurchases.
- Any policies and procedures relating to purchases and sales of the company’s securities by the company’s directors and officers during a repurchase program, including any restriction on such transactions.
- The number of shares purchased other than through a publicly announced plan or program (and the nature of how the purchases were effected), as well as details around publicly announced repurchase plans or programs.
The new rules also require quarterly disclosure of a company's 10b5-1 trading plans adopted, modified or terminated during the applicable quarterly period.
In addition, the new rules require an exhibit with detailed tabular disclosure of daily share repurchase activity. Previously, companies were required to disclose information about stock buybacks in their quarterly and annual reports aggregated on a monthly basis. Now, companies are required to:
- Provide tabular disclosure in their quarterly and annual reports of daily repurchase activity.
- Disclose in a footnote to the daily repurchase table the date on which any company 10b5-1 plan was adopted or terminated.
- Include a check box preceding the tabular disclosure in their annual and quarterly reports indicating whether any directors or officers purchased or sold shares that are the subject of an issuer share repurchase plan or program within four business days before or after the announcement of that plan or program (or the announcement of an increase in the size of an existing plan or program).
The new requirements discussed above will first impact disclosure starting with the fourth quarter of 2023 for companies on the calendar year, who will need to include the disclosure in their Form 10-K (see new items 408(d) and 601(b)(26) of Regulation S-K, revised item 703 of Regulation S-K and new paragraph (c) to item 5 and item 9B of Form 10-K).
The U.S. Chamber of Commerce challenged the share repurchase rules in federal court and prevailed in part. The Fifth Circuit’s opinion filed on October 31, 2023 gave the SEC 30 days to correct deficiencies in the rule, including requiring the SEC to “show that opportunistic or improperly motivated buybacks are a genuine problem,” leaving practitioners and public companies uncertain about the fate of the rule. As of the date of this client update, it is unclear what the precise ramifications of the Fifth Circuit’s opinion will be. Public companies should therefore be prepared to comply with the final rules as adopted and by the required deadlines until more information comes to light.
D&O 10b5-1 trading plans and insider trading policies
In December 2022, the SEC adopted final rules to add a quarterly disclosure requirement relating to both Rule 10b5-1 and non-Rule 10b5-1 trading plans adopted, modified or terminated by directors and officers during the applicable quarterly period. Companies on the calendar year began disclosing this information in their second quarter 10-Q filed in 2023, and should ensure they include the relevant disclosures for the fourth quarter of 2023 in their 2023 10-K, including disclosure relating to company 10b5-1 trading plans.
Form 10-K was also amended to require disclosure relating to whether a company has adopted (and if not, an explanation of why not) insider trading policies and procedures governing the purchase, sale, and other dispositions of the company’s securities, and for the company to file its insider trading policy as an exhibit to Form 10-K. The insider trading policy and related disclosure requirement only apply beginning with the 2024 10-K filed in 2025 for companies on the calendar year (see new items 408(a), (b) and (c), and item 601(b)(19) of Regulation S-K and item 9B and revised item 10 of Form 10-K).
The insider trading policy and related disclosure requirement only apply beginning with the 2024 10-K filed in 2025 for companies on the calendar year.
The SEC adopted final rules in October 2022 that directed U.S. stock exchanges to adopt listing standards requiring all listed companies, including emerging growth companies, or EGCs, and smaller reporting companies, or SRCs, to adopt and comply with a written clawback policy.
In June 2023, the NYSE and Nasdaq amended their proposed listing standards relating to clawbacks setting October 2, 2023 as the effective date for the new listing standards, which means that listed companies must have a compliant clawback policy by December 1, 2023. The clawback policy will apply to compensation “received” from and after the October 2, 2023 effective date and must be filed as an exhibit to the Form 10-K (NYSE-listed companies are required to confirm via Listing Manager either that they have adopted a clawback policy or that they are relying on an applicable exemption by December 31, 2023).
Form 10-K was amended to include check boxes indicating (1) whether the financial statements of the company included in the filing reflect correction of any error to previously issued financial statements, and (2) whether any of those error corrections are restatements that required recovery analysis of incentive compensation.
The requirement to check the applicable checkboxes relating to a restatement or recovery analysis of incentive compensation will apply beginning with the 2023 Form 10-K.
Disclosure focus areas
Non-GAAP financial measures
In December 2022, the SEC’s Division of Corporation Finance posted new and updated C&DIs on non-GAAP financial measures that companies should review, in particular if they present non-GAAP measures in their Form 10-K. Non-GAAP measures feature prominently in SEC comment letters and could benefit from careful review for compliance with the relevant rules and guidance.
As a reminder, Item 10(e) of Regulation S-K applies to Form 10-K filings. It requires:
- Presentation of the most directly comparable GAAP metric “with equal or greater prominence.”
- A quantitative reconciliation of the differences between the non-GAAP and GAAP metrics “by schedule or other clearly understandable method.”
- Explanation of the reasons management believes the non-GAAP metric provides useful information to investors.
- Explanation of the additional purposes, if any, for which management uses the non-GAAP metric.
Item 10(e) of Regulation S-K prohibits:
- Excluding any charge or liability that requires cash settlement from a non-GAAP liquidity measure, other than EBIT and EBITDA.
- Adjusting a non-GAAP performance measure to omit an item identified as “non-recurring,” “infrequent” or “unusual,” if the item is reasonably likely to recur within two years or there was a similar item in the past two years.
- Presenting a non-GAAP metric on the face of the GAAP financial statements or in the accompanying notes, or on the face of any required pro forma financial statements.
- Using titles or descriptions that are the same as, or confusingly similar to, titles or descriptions for GAAP financial measures.
SEC staff have informally indicated that the lack of “equal or greater prominence” (which generally means GAAP discussion should precede non-GAAP discussion) continues to be a top area where they identify non-compliance with the rules.
Refresh forward-looking statements, MD&A trends and risk factors
Forward-looking statements. Companies can gain protection from liability by taking advantage of the safe harbor for forward-looking statements. But to do so, the cautionary language relating to any forward-looking statement should identify important factors that could cause actual results to differ materially from those in the forward-looking statements and be specifically tailored to the particular forward-looking statements. General boilerplate warnings are not sufficient. Consider whether the factors identified in last year’s 10-K continue to apply, and whether others might be added.
Management’s discussion and analysis. Companies are required to describe in their management’s discussion and analysis of financial condition and results of operations, or MD&A, any known trends or uncertainties that have had or that are reasonably likely to have a material favorable or unfavorable impact on net sales or revenues or income from continuing operations, as well as any known trends or demands, commitments, events or uncertainties that will result in or that are reasonably likely to result in the company’s liquidity increasing or decreasing in any material way and any known material trends, favorable or unfavorable, in the company’s capital resources.
Risk Factors. Companies are required to include a discussion of the material factors that make an investment in the company speculative or risky. Risks that have begun to materialize should not be described as hypothetical. This means companies should take care not to say certain events “could” or “may” occur if they have already occurred. Instead, risk factors should describe how a risk has materialized and what the impact has been on the company. The risk factors disclosure could benefit from a fresh review to ensure material risks facing the company are appropriately disclosed, including risks stemming from emerging areas like artificial intelligence (such as risks and opportunities relating to using or not using generative AI), as well as any risks facing a company from the potential broadening or escalation of the current conflict in the Middle East.
Risks that have begun to materialize should not be described as hypothetical.
In September 2021, the Division of Corporation Finance published a sample comment letter that it may issue to companies regarding their climate-related disclosure (or lack thereof). Among others, the SEC reiterated that a number of its rules may require disclosure related to climate change-related risks and opportunities in a company’s description of business, legal proceedings, risk factors and MD&A.
In March 2022, the SEC proposed a sweeping climate disclosure regime requiring disclosure of climate-related risks, greenhouse gas emissions and climate-related financial metrics not previously required by the SEC. According to the SEC’s Spring 2023 regulatory agenda, adoption of final rules was expected in October 2023, and it is unclear as of the date of this client update when final rules will be adopted. Pending adoption of final rules, companies should heed existing SEC guidance on climate disclosure, including guidance stemming from the September 2021 sample comment letter discussed above, as SEC staff continue to issue comments relating to climate disclosure.
In addition, companies are considering how an SEC climate disclosure mandate will coexist with disclosure mandates adopted in the European Union that will impact U.S. companies that conduct business in the EU, as well the recently enacted series of climate-related legislation in California. Unlike the Climate Corporate Data Accountability Act and the Climate-Related Financial Risk Act, the Voluntary Carbon Market Disclosures Act, or VCMDA, does not require additional rulemaking and becomes effective on January 1, 2024. The VCMDA is intended to address “greenwashing” by requiring detailed disclosure of the methodology for tracking and verifying claims made within California by entities operating within California regarding net zero, carbon neutrality or significant greenhouse gas emissions reductions, as well as disclosure regarding voluntary carbon offsets purchased, used, marketed or sold within California. The VCMDA will require any covered disclosures to be updated at least annually, and companies should consider carefully how these disclosure requirements might affect their disclosures in SEC filings, including their 10-K.
In May 2022, the Division of Corporation Finance published a sample comment letter, stating that companies may have disclosure obligations under the federal securities laws related to the direct or indirect impact that Russia’s invasion of Ukraine and the international response thereto have had or may have on their business.
Since Russia’s invasion of Ukraine, many companies have experienced heightened cybersecurity risks, increased or ongoing supply chain challenges and volatility related to the trading prices of commodities (regardless of whether they have operations in Russia, Belarus, or Ukraine) that may warrant disclosure.
While the Division of Corporation Finance has not yet published a sample comment letter on the conflict in Israel, the staff has issued comments on registration statements relating to the conflict and its impact on a company’s business similar to comments it issued in relation to the impact of the war in Ukraine. If a company has any business exposure in Israel or in the Middle East more broadly, it should consider including disclosure of the potential (or actual) impact on its business and related risks stemming from any escalation or broadening of the conflict.
Inflation and interest rates
Inflation has affected and continues to affect companies in different industries. While news reports suggest inflationary pressures have eased somewhat, current economic conditions might require additional disclosure beyond what has historically been provided in a more steady-state economic environment. Companies should consider additional disclosure in MD&A trends, or otherwise in the period-on-period discussion, focused for example on how these trends have affected results of operations, sales, profits, capital expenditures or a company’s business and pricing strategy in the face of rising costs.
In addition, as interest rates have risen, the cost of borrowing has increased for many companies. The current environment continues to present challenges for companies seeking to raise funds through the capital markets, which may lead companies to pursue strategies that may be less capital-intensive in the near term. Companies should consider updating disclosure (particularly in risk factors and MD&A) to reflect any impact that the company is experiencing from high interest rates and its ability to access capital markets.
In July 2023, the Division of Corporation Finance published a sample comment letter regarding the disclosure obligations of companies based in or with a majority of their operations in the People’s Republic of China.
The comment letter focuses on three areas of disclosure related to China-specific matters:
- Reminding companies of their disclosure obligations under the Holding Foreign Companies Accountable Act, or HFCAA. Public companies identified as Commission-Identified Issuers under the HFCAA must comply with the submission and disclosure requirements under the HFCAA and SEC rules for each year in which they are identified.
- Seeking more specific and prominent disclosure about material risks related to the role of the government of the People’s Republic of China in the operations of China-based companies.
- Noting that companies may need to make disclosures related to material impacts of certain statutes, such as the Uyghur Forced Labor Prevention Act.
Crypto assets disclosure
In December 2022, the Division of Corporation Finance published a sample comment letter to companies regarding crypto asset market-related disclosure obligations.
The letter includes non-exhaustive sample comments the Division of Corporation Finance may issue to companies about their disclosures (or the lack thereof) generally, as well as in the business description, risk factors and MD&A sections. Companies should evaluate whether their business experienced or may be affected by recent developments in crypto assets, and update their disclosures accordingly.
In past years, the SEC has sent comment letters to public companies seeking more detail about disclosures related to dealings in countries that are the subject of U.S. sanctions enforced by the Treasury Department’s Office of Foreign Assets Control, or OFAC. To the extent a company is doing business in sanctioned countries or territories or with sanctioned persons (even if permissible without violating applicable U.S. law), the company should consider whether disclosure of such activities is appropriate.
Human capital management
In August 2020, the SEC adopted amendments to Item 101 of Regulation S-K to require that companies describe—to the extent such disclosure would be material—their human capital resources, including human capital measures or objectives that the company focuses on in conducting business (such as, depending on the nature of the company’s business and workforce, measures or objectives that address the development, attraction and retention of personnel).
In its Spring 2023 regulatory agenda, the SEC had indicated October 2023 as the expected timing to propose new human capital management disclosure rules, but these are not out yet as of the date of this client update.
Nasdaq board diversity rules
In August 2021, the SEC approved Nasdaq’s proposed diversity rules defining diversity objectives and requiring all companies subject to Nasdaq rules to publicly disclose in matrix form information on directors’ voluntary self-identified gender and racial characteristics, and LGBTQ+ status. The new rules became effective in August 2022 (with simplified compliance deadlines adopted in December 2022).
Each listed company must have, or explain why it does not have, at least one diverse director by December 31, 2023 and two diverse directors by December 31, 2025 (December 31, 2026 for the Nasdaq Capital Market). The rules also require annual disclosure of a company’s diversity matrix by December 31. The compliance deadlines are subject to transition and phase-in accommodations for companies listed on or after August 6, 2021 as detailed in a Nasdaq listing center summary.
Disclosure under the rules must be provided in a proxy statement or information statement (or, if the company does not file a proxy, in its Form 10-K). Alternatively, the information may be provided on the company’s website, provided the company posts the disclosure concurrently with its annual SEC filing and submits a URL link to the disclosure via email (email@example.com) or through the Nasdaq Listing Center, within one business day after such posting.
10-K filing deadlines for calendar year companies
Large Accelerated Filer: February 29, 2024 (or 60 days after fiscal year end)
Accelerated Filer: March 15, 2024 (or 75 days after fiscal year end)
Non-Accelerated Filers: April 1, 2024 (or 90 days after fiscal year end)
Confirm your filer status
Confirm your filer status – whether large accelerated, accelerated, non-accelerated, EGC and/or SRC. Note that in March 2020, the SEC adopted amendments to the accelerated filer and large accelerated filer definitions in Rule 12b-2 under the Securities Exchange Act of 1934, or the Exchange Act. A summary of the amendments is available here.
Public companies need to consider their public float as of the end of their second fiscal quarter (June 30 for calendar year-end companies) as part of their filing status test. The public float on June 30, 2023 (and other criteria) in turn will determine a company’s 2024 filer status, which impacts, among other things, the due dates for periodic reports next year.
Mind your XBRL disclosure
Check with your financial printer to confirm how much lead-time will be required to complete XBRL tagging. The SEC has been expanding the scope and types of disclosure that require XBRL and/or inline XBRL tagging, including, for example, the new rules on clawbacks as well as for share repurchase, cybersecurity and 10b5-1 plans disclosure. The Division of Corporation Finance recently posted a sample comment letter regarding companies’ XBRL and Inline XBRL disclosure obligations. Among other things, the letter reminds companies to properly tag their disclosure in Inline XBRL. The letter goes on to flag other XBRL requirements that companies may have overlooked in their filings.
Description of registrant’s securities
Confirm that the description required to be included as an exhibit to Form 10-K accurately reflects the underlying documents (such as the charter, bylaws and certificate of designations) and that it is current.
Confirm that the CEO’s and CFO’s SOX certifications track the certification language required by Sections 302 and 906 of the Sarbanes-Oxley Act.
The SEC allows use of electronic (rather than manual) signatures, including for Form 10-K. But there are attestation requirements for the first use of an electronic signature and specific procedures that must be followed afterwards, which are set forth in Rule 302(b) of Regulation S-T. The company must keep the manual signature page or authentication document, as applicable, for five years and furnish to it to the SEC staff on request as required under Rule 12b-11 of the Exchange Act.
Disclosure mandates on the horizon
In March 2022, the SEC proposed a sweeping climate disclosure regime requiring disclosure of climate-related risks, greenhouse gas emissions and climate-related financial metrics not previously required by the SEC. According to the SEC’s Spring 2023 regulatory agenda, adoption of final rules was expected in October 2023, but it is unclear as of the date of this client update when final rules will be adopted. The SEC and staff of the Division of Corporation Finance have indicated that they continue to consider the thousands of comment letters they received in response to the rule proposal.
Human capital management
As discussed above, in its Spring 2023 regulatory agenda, the SEC had indicated October 2023 as the expected date to propose new human capital management disclosure rules, but these are not out yet as of the date of this client update, and current timing for any new rule proposal is unclear. But it is an area on which the SEC is focused and was the subject of discussion and a recent recommendation by the SEC’s Investor Advisory Committee.
Resource extraction rules
In December 2020, the SEC adopted amendments that would require resource extraction companies to disclose payments made to foreign governments or to the U.S. federal government for the commercial development of oil, natural gas or minerals. By requiring disclosure at the national and major subnational political jurisdiction levels, rather than the contract level, this version of the final rules mandates less disclosure than the SEC’s previous resource extraction disclosure rules. The initial compliance date for a company with a December 31 fiscal year-end is September 30, 2024 (270 days after its fiscal year ending December 31, 2023).
Enforcement actions and litigation
The SEC’s Division of Enforcement has had an active year in 2023.
A key recurring theme in SEC enforcement actions that is relevant to the preparation of this year’s Form 10-K relates to inadequate disclosure controls.
Enforcement actions have focused both on disclosure and disclosure controls and procedures, including in areas such as human capital, non-GAAP measures, share buybacks, related party transactions and cybersecurity, and the SEC Climate and ESG Task Force entered into its first settlement with a mining company a few months ago.
There is not a one size fits all takeaway from these enforcement actions since companies should evaluate the implications of each case in light of their existing internal processes and procedures, and their related disclosure. But because the SEC is likely to continue to focus on areas such as climate, cybersecurity, and increasingly, human capital, companies should consider whether any of their own disclosure controls in these and other areas need revisiting.
In addition, a growing number of lawsuits have been filed against companies and their boards relating to ESG disclosures and policies. Securities lawsuits have targeted statements made in ESG disclosures on a variety of issues, including “greenwashing,” workplace culture, and diversity, equity and inclusion, or DEI disclosure. Companies should review carefully their ESG-related disclosures (whether in the 10-K, other SEC filings or public statements, such as sustainability reports) to ensure the accuracy and consistency of, and appropriate basis for, ESG-related statements.