As we look forward to the upcoming 2014 10-K and proxy season, I like to take a look back at the crop of comment letters issued by the Securities and Exchange Commission staff in 2013. While there were a number of trends, the following are two that caught my attention.
In 2012, the SEC staff commented heavily on registrants’ disclosure regarding computer security and related topics. While the number of comment letters issued in 2013 relating to cybersecurity was significantly lower than in 2012, the SEC staff continues to issue comment letters focusing on cybersecurity and related risks. From my review of the comment letters and other materials:
- Expect continued SEC focus. SEC Chairman Mary Jo White, in her May 1, 2013 letter responding to an inquiry from Senator John D. (Jay) Rockefeller, IV, stated that she has asked the SEC staff to provide her a “briefing of the current disclosure practices and overall compliance with” the SEC’s cybersecurity guidance, as well as any recommendations regarding further action they may have.
- If your company suffered some form of cybersecurity breach and it was reported in the media, evaluate whether the consequences of the breach were material so as to warrant disclosure in your SEC filings and be prepared to discuss with the SEC staff why disclosure is not required if the disclosure is not provided.
- Consider discussing cybersecurity issues in your MD&A. Simply providing risk factor disclosure may not be sufficient. If cybersecurity issues could have a material adverse effect on your results of operations or if cybersecurity risks may constitute a material known trend or uncertainty, discussion in your MD&A may be appropriate.
The SEC staff has been focusing on executive compensation for quite some time and there is no reason to expect 2014 to be any different. Benchmarking and performance targets continued to draw a significant number of comments from the SEC staff in 2013.
- If your company’s discussion of compensation mentions “compensation survey”, “peer group” or “market data” and does not indicate that the company engages in benchmarking and provide all of the disclosure relating to benchmarking called for by Item 402(b)(2)(xiv) of Regulation S-K (such as identifying the benchmark, its components and peer companies), be prepared to defend the non-disclosure as the SEC staff is likely to comment.
- The SEC staff also continues to focus on disclosure relating to performance targets and frequently requests additional disclosure regarding performance targets or objectives. While a formal request for confidential treatment is not required when omitting disclosure of performance target levels or other factors or criteria pursuant to Instruction 4 of Item 402(b) of Regulation S-K, consider preparing a file memo at the time the proxy disclosure is being prepared to support the decision to omit the information. A contemporaneous file memo (or other contemporaneous record, such as a self-addressed e-mail) should simplify responding to any SEC inquiry about the omitted information.