The SEC's order highlighted that the company needed a robust system to ensure that access to its IT systems was strictly controlled by management, nor did it have adequate procedures to disclose cybersecurity risks and incidents.

The settlement is notable in two key respects:

• It departs from the traditional disclosure-related theories that have underpinned previous settlements related to cyber incidents and
• It extends the internal accounting controls provisions of Section 13(b)(2)(B) of the Exchange Act, which the SEC has already used to resolve other financial reporting and disclosure cases, to a company’s IT systems and related policies and procedures relating to cybersecurity.

The order reflects the Commission's stance regarding the scope of its authority. It articulates its belief that it can use its authorities relating to internal accounting controls to regulate public companies’ cyber-related procedures (including vendor management and incident response) even in the absence of unauthorized access to a company’s financial or accounting systems.

Access the press release on the SEC’s website.

Access the article from The D&O Diary

Erik Gerding provided updates at the Corp Fin Workshop, focusing on the Division's Disclosure Review Program. He emphasized the program’s role in protecting investors, facilitating capital formation, and maintaining orderly markets, noting that over 70% of the Division's 400+ professionals are dedicated to this task.

In 2024, the SEC's Division of Corporation Finance will emphasize enhanced disclosure requirements, focusing on several key areas. These include compliance with new U.S. GAAP disclosures effective from December 2023, adherence to non-GAAP regulations, and detailed reporting in management's discussion and analysis (MD&A) about critical accounting estimates and supplier finance programs. The Division will continue to prioritize disclosures from China-based companies, particularly concerning the risks from governmental interventions.

Additionally, disclosures related to commercial real estate will be scrutinized for detailed risk reporting and management strategies, especially considering the recent banking industry disruptions. The Division will also focus on the implications of artificial intelligence in business operations, ensuring that companies provide comprehensive, specific disclosures that reflect the actual and potential impacts on their business. Cybersecurity will remain a critical area, with the Division assessing compliance with the newly adopted rules for reporting material cybersecurity incidents and related risk management strategies. Furthermore, implementing other new laws, such as those concerning clawbacks and universal proxies, will also be closely monitored to ensure accurate and timely disclosures that meet the evolving standards set forth by regulatory changes.

Access the speech on the SEC’s website.

CSA in Ontario, Québec, British Columbia and Alberta (the participating jurisdictions) issued a multilateral staff notice reminding market participants that the Canadian Dollar Offered Rate (CDOR) will cease to be published after a final publication on Friday, June 28, 2024.

If market participants have not already adopted appropriate transition arrangements for existing securities, derivatives, or loan agreements that use CDOR as a reference rate, they should do so immediately. The Canadian Alternative Reference Rate Working Group has issued guidance to assist such participants.

Access the press release on the CSA’s website.

Under U.S. GAAP, entities must display both basic and diluted EPS prominently on the income statement in their annual and interim reports, using the taxonomy elements us-gaap: EarningsPerShareBasic and us-gaap: EarningsPerShareDiluted. If both EPS values are identical and shown only once, the amount should be tagged with both elements.

Staff in the Commission’s Division of Economic and Risk Analysis has observed the following incorrect tagging practices by filers in certain Forms 10-Q or 10-K submitted during 2024:

• Creating custom tags such as BasicAndDilutedEarningsPerShare to tag this amount;
• Tagging this amount only once using one of the two standard tags and
• Tagging this amount using a standard tag that was deprecated in 2022.

Incorrect tagging for EPS would negatively impact the data's usability (for example, tagging the amount only once will lose either basic or diluted EPS information). Filers are encouraged to review their tagging on EPS data and make necessary corrections.

Access the announcement on the SEC’s website.

The Staff also identified the financial statements, disclosure controls and procedures and the board’s role in risk oversight as other areas where AI-related disclosures may be required under existing rules.

The staff highlighted the following considerations:

• Whether the use of AI exposes the company to additional operational or regulatory risks, including risks related to data privacy, discriminatory results or bias, IP, consumer protection, regulatory compliance and macroeconomic conditions.
• Whether the company’s disclosure on its use and development of AI and material AI risks are tailored to its facts and circumstances.
• Whether the company has support for its claims when disclosing AI opportunities.
• Whether disclosure of the board’s role in AI oversight is warranted.
• Whether investors would benefit from disclosure of the company’s use of any AI risk management framework—like NIST or any industry-specific guidance (similar to cybersecurity disclosures).
• Whether the company faces risks related to the EU AI Act and whether current general disclosure, if any, should be more tailored to address how a company will be impacted based on its particular facts and circumstances.

Access the workshop video by the SEC.

Gensler explained three tenants behind the historical drive for mandatory disclosure:

• the public good nature of securities information
• misalignment between management and shareholder interests; and
• the imperative for efficient valuation

He also stressed the necessity of regulatory intervention to ensure consistent, comparable, and reliable information dissemination, drawing parallels between historical debates over mandatory versus voluntary disclosure.

Throughout his speech, Gensler emphasized the pivotal role of mandatory disclosure in fostering efficient markets, facilitating capital formation, and engendering investor trust. He also reaffirmed the SEC's commitment to upholding rigorous disclosure standards grounded in materiality, including enhanced disclosures on climate, cybersecurity, SPACs, and executive compensation.

Access the speech on the SEC’s website.

This follows concerns raised by shareholders about limitations in exercising their rights and participating effectively in such meetings. The guidance aims to help companies comply with regulations and ensure better engagement and access to information for shareholders during virtual meetings.

In order for reporting issuers to fulfill their obligations under securities legislation, it is important that reporting issuers provide clear and comprehensive disclosure in management information circulars and associated proxy-related materials with respect to the logistics for accessing, participating and voting at a virtual meeting.

Reporting issuers can facilitate shareholder participation at virtual shareholder meetings by:

• simplifying registration and authentication procedures
• providing shareholders with opportunities to make motions or raise points of order
• ensuring shareholders have the ability to raise questions and provide direct feedback to management in any question-and-answer segment of the meeting
• indicating where shareholder proposals will be presented and voted on at the meeting, coordinating with proponents of those proposals in advance of the meeting, and ensuring proponents are given a reasonable opportunity to speak to the proposal and respond to any questions that arise from the proposal
• ensuring any virtual platform used by an issuer has functionality permitting shareholder participation to the fullest extent possible; and
• ensuring the Chair is experienced and knowledgeable in the technological platform being used for the virtual meeting.

CSA Staff will continue to monitor the practice of virtual shareholder meetings, including reviewing disclosure in proxy-related materials during the upcoming proxy season. Further guidance and updates may be issued, as required.

Access the updated guidance on the CSA’s website.

Similar to his speech delivered in December 2023, Gensler once again highlighted the SEC's role in ensuring transparency and preventing fraud in AI-related disclosures, emphasizing the need for companies to provide accurate information about their AI usage and associated risks to investors.

Moreover, Gensler discussed the broader implications of AI in finance, highlighting its potential benefits in efficiency and user experience, as well as its challenges such as unexplainable decisions, biases, and inaccuracies. He warned against the systemic risks posed by the widespread adoption of AI models in financial institutions, citing concerns about herding behavior and network interconnectedness. He also stressed about the importance of accountability and responsible governance in deploying AI models, urging companies to implement appropriate safeguards and disclose material risks to investors.

Access Gary Gensler’s speech on the SEC’s website

The primary objectives of the proposals are to provide greater regulatory clarity on permitted crypto asset investment activities, to prohibit the use of crypto assets in securities lending and (reverse) repurchase transactions and to confirm custodial expectations.

The most significant updates to the existing public crypto asset fund practices include:

• explicit limitations on Non-Fungible Tokens ;
• mandates for investing solely in crypto assets (or derivatives with crypto asset underliers) that are traded on recognized exchanges while continuing to allow purchases on crypto asset trading platforms;
• requiring crypto custodians to obtain, and deliver to public crypto asset funds, SOC 2 Type 2-like reports

The Notice represents the second phase of the CSA’s ongoing effort to establish a comprehensive regulatory framework for public crypto asset funds in Canada. Following their initial guidance document (CSA Staff Notice 81-336 Guidance on Crypto Asset Investment Funds), these amendments aim to further clarify existing securities regulations and refine expectations for how such funds operate under National Instrument 81-102 Investment Funds.

Access the notice on Ontario Securities Commission’s website.

The report highlights key risks  and other considerations, that auditors should be focused on when planning and performing audit procedures. It notes that the PCAOB will continue to prioritize inspections of financial-services sector audits and, digital assets.

Among the PCAOB’s inspection enhancements in 2024 will be the creation of a PCAOB team that will evaluate culture across the largest domestic audit firms. This initiative will include interviewing firm personnel and evaluating other documentation, with the aim of using this information to enhance the PCAOB’s understanding of how audit firm cultures may be affecting audit quality.

Chair Williams has encouraged audit committees to ask questions to hold firms accountable to performing high-quality audits.

Access the spotlight report on PCAOB’s website