Emerging comment letter trends: a closer look at SEC comments on cybersecurity, clawbacks, and beneficial ownership
This article explores recent SEC comment letters, focusing on emerging patterns in response to newly adopted rules on cybersecurity disclosure, clawback provisions, and beneficial ownership filings.
In this piece, I want to shift the focus from analyzing specific companies or trends to highlighting several examples that elaborate on the emerging patterns in SEC comment letters.
SEC Director of the Division of Corporation Finance Erik Gerding has noted in a speech that compliance with newly adopted rules is one of the priorities of Corp Fin’s disclosure review program:
“We are also tracking how companies are navigating the disclosure requirements resulting from newly adopted rules including, clawbacks, SPACs, and cybersecurity.”
And also:
“On October 10, 2023, the Commission adopted amendments to modernize the rules governing beneficial ownership reporting. The Division staff is closely monitoring the implementation of these new rules.
The Division staff will review selected beneficial ownership reports to assess compliance with the new, shortened filing deadlines and issue comments as necessary to improve required disclosures.”
While we did not see a massive comment letter campaign related to cybersecurity, clawbacks or beneficial ownership, a few examples of SEC comments are already available on EDGAR. In my opinion, these examples would be helpful to practitioners trying to navigate the complexity, diversity in practice, and limited guidance associated with the new rules.
SEC comments on disclosure of material cybersecurity incidents
SEC rules mandate that companies report material cybersecurity incidents within four business days of the incident using Item 1.05 of Form 8-K. The disclosure should include:
“…the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.”
While disclosing immaterial cybersecurity incidents is not required, registrants may voluntarily report them using Item 8.01 of Form 8-K. Registrants should not use Item 1.05 to report immaterial incidents.
AT&T Inc (Ticker: T) filed Item 1.05 on July 12, 2024, warning investors that a material cybersecurity incident exposed records of calls and texts of millions of AT&T customers. Although Item 1.05 disclosure implies that the incident was material, the Company noted that the breach has not had a material impact on AT&T’s operations:
“As of the date of this filing, this incident has not had a material impact on AT&T’s operations, and AT&T does not believe that this incident is reasonably likely to materially impact AT&T’s financial condition or results of operations.”
Note an interesting difference in language: while AT&T’s 8-K states that there is no expected material impact on “financial condition or results of operations”, the requirements of Item 1.05 are broader and call for disclosure of material impact on “the registrant, including its financial condition and results of operations”.
A logical question: how would a material event not have a material impact on AT&T? And if the incident is not expected to have a material impact on the company, is it even material? The apparent contradiction triggered regulatory scrutiny. The SEC issued comments to AT&T on July 26, 2024, seeking clarity about the materiality of the incident:
“Please tell us whether or not this incident is a material cybersecurity incident under Item 1.05(a) of Form 8-K. If you determined the cybersecurity incident to be material, please describe all material impacts or reasonably likely material impacts on the company as required by Item 1.05(a), not just the impacts on “AT&T’s operations” and “financial condition or results of operations.” As the Commission noted in the adopting release, the rule’s inclusion of “financial condition and results of operations” is not exclusive; companies should consider qualitative factors alongside quantitative factors in assessing the material impact of an incident. For example, consider impacts on customer relationships, competitiveness, and potential reputational harm related to the cybersecurity incident. If you did not determine the cybersecurity incident to be material, please provide an analysis supporting your conclusion and advise us as to why you filed under Item 1.05 of Form 8-K rather than Item 8.01 of Form 8-K.”
AT&T addressed the SEC question by stating that “material” and “material impact” are two distinct concepts:
“In summary, “material” is not the same concept as “material impact”; it does not logically follow that a material incident must necessarily mean that there is a material impact. “Material” focuses on the reasonable investor and what such investor would consider important in making a voting or investment decision; in contrast, “material impact” focuses on the company and how the incident has affected the company.”
Generally, SEC closing letters include boilerplate language stating that the SEC completed the review. The inclusion of non-boilerplate language is uncommon.
However, while the SEC did not have follow-up questions, in its August 19, 2024, closing letter to AT&T, the agency noted that companies should consider a broader range of considerations, including potential reputational harm, in determining whether the incident had a material impact (emphasis added):
“We again call your attention to the Commission’s statement in the adopting release that Item 1.05’s inclusion of “financial condition and results of operations” is not exclusive; companies should consider qualitative factors alongside quantitative factors in assessing the material impact of an incident. For example, consider impacts on customer relationships, competitiveness, and potential reputational harm related to the cybersecurity incident. It appears inconsistent to conclude that an incident is material because of “reputational and customer perception risks associated with the incident” but that the incident has not had, and is not reasonably likely to have, any material impacts on the company, including with respect to the company’s reputation and customer perception”.
In my view, a broader takeaway from SEC comments to AT&T is that companies must consider both qualitative and quantitative factors in assessing materiality.
SEC comments on disclosure of cybersecurity threats
Item 106 of Regulation S-K requires companies to provide annual disclosure about the process for:
“…assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents”.
Based on my review of 10-K disclosures, companies took different approaches to disclosure, with a significant variation in the level of detail (more on that in a separate piece later). According to Director Gerding, the SEC recognizes that companies may have “diverse approaches to cybersecurity” and “does not seek to make “gotcha” comments or penalize foot faults”. Yet, omitting the required disclosure altogether may end in a comment letter.
The SEC requested on June 14, 2024, that Scientific Industries, Inc (Ticker: SCND) explain why the Cybersecurity disclosure required by Item 106 of Regulation S-K was missing from the annual 10-K report for the fiscal year ended December 31, 2023. The Company agreed to rectify the issue by providing the omitted disclosure in an amended 10-K filing:
“Item 1C. Cybersecurity, page 13
1. We note you do not include Item 1C. Cybersecurity. Please revise or advise us why you do not provide disclosure as applicable under Item 106 of Regulation S-K. We remind you that the company and its management are responsible for the accuracy and adequacy of their disclosures, notwithstanding any review, comments, action or absence of action by the staff.
RESPONSE:
The Company will amend the Annual Report on Form 10-K for the fiscal year ended December 31, 2023 to reflect the addition of Item 1C. Cybersecurity.”
SEC comments on clawback provisions
I’ve already discussed SEC comments on clawbacks in a broader context of the new rule’s implementation challenges, but let me provide a short recap.
In its June 27, 2024, comment letter to AEON Biopharma (Ticker: AEON), the SEC was seeking clarity about the company's clawback disclosure following an accounting error. Under Rule 402(w) of Regulation S-K, companies must disclose the impact of a restatement and any related compensation recovery decisions. AEON had stated in its 10-K that no compensation was tied to the restated metrics, so no recovery was necessary. The SEC requested a more detailed explanation, particularly since executive bonuses were based on Key Performance Indicators (KPIs).
AEON clarified that its bonuses were tied to non-financial KPIs, with no financial metrics affected by the restatement. The SEC was satisfied with this explanation, and the issue was resolved after one round of comments. AEON also committed to complying with the Interactive Data format for future filings.
SEC comments on beneficial ownership rules
In July, I noted that the SEC issued comments to Kimmeridge Energy Management Company LLC, seeking clarity about why the Company did not file a Schedule 13D within ten business days after delivery of an acquisition term sheet to SilverBow Resources Inc. I also wondered whether we should expect more Schedule 13D comments.
Once is a chance, twice is a coincidence, and three times is a pattern. Recently, the SEC publicly released on EDGAR comments to at least three additional companies questioning the timeliness of Schedule 13D disclosures.
Meredith Irvine of TheCorporateCounsel, citing Barnes and Thornburg, discussed SEC comments to Vida Ventures LLC, in which the SEC inquired why Vida Ventures did not report the beneficial ownership of Kyverna Therapeutics’ securities within five days after the ownership acquisition date.
“We note the date of the event reported as requiring the filing of the Statement was February 12, 2024. Rule 13d-1(a) of Regulation 13D-G requires the filing of a Schedule 13D within five business days after the date beneficial ownership of more than five percent of a class of equity securities specified in Rule 13d-1(i)(1) was acquired. Based on the February 12, 2024 event date, the Schedule 13D submitted on May 3, 2024 was not timely filed. Please advise us why the Schedule 13D was not filed within the required five business days after the date of the acquisition.
The Company respectfully advises the Staff that the Schedule 13D was not filed within five business days after the February 12, 2024 event date because the Company initially considered itself eligible to file on Schedule 13G with respect to its holdings in Kyverna Therapeutics, Inc. (“Kyverna”).
The Company was a stockholder of Kyverna since prior to its initial public offering (the “IPO”), which closed on February 12, 2024. At the closing of the IPO, based on its holding of an aggregate of 4,523,924 shares of common stock underlying shares of Series A-1 convertible preferred stock, all of which converted into shares of Kyverna’s common stock at the closing of the IPO, the Company believed that it is entitled to report its beneficial ownership of Kyverna’s equity securities on a Schedule 13G on a later date.
As disclosed in the Schedule 13D, Vida Ventures III, L.P. and Vida Ventures III-A, L.P., funds separately managed from, but affiliated with, the Company acquired a total of 253,136 shares of Kyverna’s common stock at the closing of the IPO. The Company disclosed its beneficial ownership of shares of Kyverna’s common stock, together with such affiliated entities, on a Form 4 promptly following the closing of the IPO, on February 14, 2024. However, the Company was not aware at the time that it was obligated to report such beneficial ownership on a Schedule 13D. Following a review of the affiliated position, including review of Staff guidance with respect to Section 13 filings, the Company determined a 13D was appropriate and filed the Schedule 13D on May 3, 2024. The Company respectfully advises the Staff that future filings by the Company with respect to its beneficial ownership in equity securities of Kyverna will be timely made in accordance with Rule 13d-1(a) of Regulation 13D-G.”
SEC comments to Greenhaven Road Investment Management, LP used similar language to question the lag between the acquisition date of the beneficial ownership and the disclosure date of the 13D filing:
“We note the date of the event reported as requiring the filing of the Statement was March 29, 2024. Rule 13d-1(a) of Regulation 13D-G requires the filing of a Schedule 13D within five business days after the date beneficial ownership of more than five percent of a class of equity securities specified in Rule 13d-1(i)(1) was acquired. Based on the March 29, 2024 event date, the Schedule 13D submitted on May 17, 2024 was not timely filed. Please advise us why the Schedule 13D was not filed within the required five business days after the date of the acquisition.
The Schedule 13D was not filed within the required five business days after the date of the acquisition due to an oversight on the part of the Reporting Persons. Upon the Reporting Persons becoming aware of the oversight, they caused the Schedule 13D to be filed promptly. The failure to meet the deadline was not deliberate on the part of the Reporting Persons, and the Reporting Persons do not believe they gained any advantage as a result of the filing of the Schedule 13D past the deadline. The Reporting Persons have reminded their relevant employees of the Reporting Persons’ policies and procedures regarding Section 13(d) filings and the importance of compliance with the same.”
SEC comments regarding Schedule 13D filed by Libertas Trust et al., questioned why the cover page of Schedule 13D did not include the date of the event, and whether the beneficial ownership was reported timely:
“We note that the cover page of the Schedule 13D does not include the date of the event requiring the filing of the Schedule 13D. Please revise to specify the reported event date. Rule 13-1(a) of Regulation 13D-G requires the filing of a Schedule 13D within five business days after the date of beneficial ownership of more than five percent of a class of equity securities specified in Rule 13d-1(i)(1) was acquired. If the Schedule 13D was not filed within the required five business days after the date of the acquisition, please advise us why the Schedule 13D was not timely filed.
The disclosure has been revised to clearly specify the reported event date of March 8, 2024. Prior to the merger on March 8, 2024, the filing persons have not been a more than 5% holder in a 12g reporting company requiring edgar codes and Section 16 filings. The filing persons obtained the required codes and filed the required Form 13D as soon as practicable upon fully understanding their responsibilities under the Securities Exchange Act.”
Let’s compare and contrast the responses.
Vida Ventures admitted in its response to the SEC that the company did not file the prescribed Schedule 13D within five business days because “the Company was not aware at the time that it was obligated to report such beneficial ownership on a Schedule 13D”, and promised to be timely with future 13D and 13G filings.
Greenhaven Road Investment Management acknowledged that the “failure to meet the deadline was not deliberate” and noted that the reporting persons did not appear to gain advantage from the delinquent filings.
Libertas Trust responded that the reporting company filed Schedule 13D as soon as practicable.
In all three cases, the comments appeared to be resolved in one round of back-and-forth comments, with no follow-up comments issued.
SEC comments signal that compliance with the beneficial ownership deadlines is a priority for Corp Fin. The takeaway is that companies must understand the requirements of the revised 13D and 13G rules. Investors, on the other hand, may pay closer attention to delinquent 13D filings.
For questions and data inquiries please contact olga@deepquarry.com.
Disclaimer: This newsletter does not provide investment advice. The views expressed in this newsletter are the personal views of the authors based on their interpretation of publicly available information.