Client Update January 20, 2016 1 www.debevoise.com Client Update Disclosure Considerations for the 2016 Annual Reporting Season For many U.S. public companies, the beginning of a new year means the beginning of a busy season preparing annual reports and proxy statements. In addition to gathering and processing the information necessary to meet mandated disclosure requirements, companies are under increasing pressure from regulators, shareholders and other constituents to enhance disclosure and communication on myriad topics, including company strategy, board composition, auditor oversight, and executive compensation. In recent years, focus on “say-on-pay” and related compensation disclosures, corporate governance and shareholder engagement, among other issues, have put a spotlight on proxy statement disclosures. However, a company’s annual report on Form 10-K, which is frequently filed several weeks or months before the proxy statement, remains an important tool for communication with shareholders and the public regarding key business, financial and strategic issues. In this client update, we highlight certain issues public companies should consider during the 2016 annual reporting season in connection with the preparation of their Form 10-K. MD&A: TRENDS AND UNCERTAINTIES The MD&A, designed to elicit information with respect to a company’s financial condition, changes in financial condition and results of operations, including known material trends and uncertainties, is the heart of a company’s annual and periodic financial disclosure. Investors, analysts and other constituents use MD&A data, together with a company’s earnings releases, to assess and compare a company’s performance over time, as well as versus peers, and to obtain fundamental information about a company’s financial prospects. The SEC continues to scrutinize MD&A disclosure for quality and adherence to line item requirements of S-K Item 303. In addition, MD&A disclosure failures NEW YORK Matthew E. Kaplan email@example.com Peter J. Loughran firstname.lastname@example.org Paul M. Rodel email@example.com Steven J. Slutzky firstname.lastname@example.org Anne C. Meyer email@example.com Client Update January 20, 2016 2 www.debevoise.com have been cited in recent SEC enforcement actions. For example, in August 2014, Bank of America, as part of a broader $16.65 billion settlement with the DOJ to resolve federal and state claims over its sale of mortgage-backed securities, entered into a settlement with the SEC in which Bank of America admitted that it failed to disclose to investors known uncertainties potentially adversely affecting its future income arising from its exposure to repurchase claims on securitized mortgage loans. The SEC’s claim was predicated on a failure by Bank of America to include in its MD&A disclosure regarding known trends or uncertainties, as well as material changes to any such trends or uncertainties previously disclosed. Similarly, private litigants continue to challenge issuers’ MD&A disclosure. In particular, the recent NVIDIA and Stratte-McClure cases highlight the importance of updated disclosure reflecting known events, trends or uncertainties that have had (or are likely to have) a material effect on the company’s results of operations. The preparation of a robust MD&A is not a simple exercise of updating from the previous financial period, particularly for companies that have not recently given their MD&A disclosure a hard look. Companies should revisit and reinvigorate fundamental internal reporting processes and procedures to ensure they have evolved with the company’s business and remain designed to promote compliance with applicable MD&A rules and guidance. Recommended practices include, among other things: A bottom-up reporting process should be used, as the management of each business unit is best positioned to be cognizant of the trends and uncertainties likely to affect its business; Known trends and uncertainties should be identified by business units and surfaced to senior management who are responsible for preparing and reviewing the MD&A; and Senior management should provide substantive input and review of MD&A, as they will be better situated to identify macro trends that will have an effect on the overall company or to see how trends affect multiple business units. In addition to S-K Item 303 compliance, management should ensure that the MD&A is an effective written communication which clearly presents the information that is most salient to the company’s performance and long-term strategy. The scope of information discussed in the MD&A ranges from macroeconomic, industry and market trends that may impact a company’s financial performance to specific period-to-period changes in a line item for a particular business unit. Management can improve the presentation and impact of MD&A Client Update January 20, 2016 3 www.debevoise.com communication with the use of drafting tools such as executive overviews, summaries and layered disclosure, as well as charts, graphs and tables to highlight important information in a prominent and concise manner. AUDIT COMMITTEE OVERSIGHT AND DISCLOSURES The SEC’s Enforcement Division has disclosed a renewed focus on oversight of financial reporting. Internal control problems have been prominently featured in recent enforcement cases and the SEC has brought cases, even without accompanying charges of fraud, stating that such cases reflect their view that adequate internal controls are the building blocks for accurate financial reporting and can prevent fraudulent activity. Boards and audit committees in particular should remain focused on this fundamental oversight role. In addition, there has been a parallel movement prompting companies and audit committees to improve their reporting. The SEC’s Division of Corporation Finance, responding in part to initiatives of the PCAOB and Center for Audit Quality, issued a concept release in July 2015 requesting comment on a broad range of potential changes to existing SEC audit committee reporting requirements, with a focus on the audit committee’s reporting regarding its oversight of the independent auditor. A recent study by the EY Center for Board Matters, found that, since 2012, Fortune 100 companies have significantly increased the information available about audit firm selection, retention and oversight, and have included enhanced disclosure of noncontroversial items on a voluntary basis, including that: the audit committee is responsible for the appointment, compensation and oversight of the auditor; the selection of the outside auditor is in the best interests of the company and its shareholders; and the audit committee considers non-audit services and fees when assessing the independence of the external auditor. However, the study found that there has been little increased disclosure on more controversial items such as details with respect to topics discussed by audit committees with auditors. While it is unclear if the audit committee report is a priority issue for investors, the SEC has indicated that it may take into consideration market developments in audit committee reporting when determining what, if any, additional mandatory disclosures may be required. Audit committees that have not updated their report in recent years may wish to consider updates in line with the emerging market practices discussed above during the 2016 reporting season. Client Update January 20, 2016 4 www.debevoise.com CYBERSECURITY RISK Cybersecurity has garnered significant attention from investors, regulators and boards of directors in recent years and the increasing frequency and sophistication of cyber attacks appears to be unrelenting. The fallout from the Sony cyber attack at the end of 2014 was a tabloid-ready reminder for public companies that cybersecurity, including the adequacy of preparedness, communication and execution of response strategies, can pose a serious risk to a company’s business and reputation. When preparing disclosure for the 2016 reporting season, companies should be aware that cybersecurity disclosures are receiving heightened scrutiny from investors and the SEC in evaluating whether a company has identified and is appropriately managing material cybersecurity risk. Under the SEC’s existing 2011 guidance, cybersecurity-related disclosure may be required in a company’s Risk Factors, MD&A, Business and/or Litigation sections. Members of management responsible for overseeing cybersecurity risk should be involved in preparing and vetting disclosure in the company’s Form 10-K. In addition, companies should consider addressing board oversight of cybersecurity risk in the required disclosures with respect to the role of the board of directors in risk oversight. EFFECTIVE RISK FACTOR DISCLOSURE Risk factors, together with safe harbor language regarding forward-looking statements, can provide meaningful protection for disclosure of forward-looking information, such as expectations and business plans, and against the adverse effects of future negative events. Properly drafted risk factors can act as a strong defense in the face of shareholder litigation should a material risk associated with investing in the company’s securities come to pass. The SEC has for many years issued guidance and review comments on risk factors, urging companies to tailor them to the company’s particular facts and circumstances and to eliminate “boilerplate” or over-inclusive “kitchen sink” risk factor disclosures. However, whether due to conservative legal advice, fear of litigation or simple drafting inertia, many companies remain hesitant to streamline or eliminate unnecessary risk factor language. Companies should consider the following drafting tips when preparing risk factors for their upcoming Form 10-Ks: Be diligent in considering updates to reflect, among other things, legal, regulatory, business and geopolitical developments that materially impact the company’s risk profile. Emerging risks such as cybersecurity and the Client Update January 20, 2016 5 www.debevoise.com impact of global environmental changes should be given appropriate consideration; and Engage appropriate members of management, as well as the company’s legal team, in tailoring and fine-tuning risk disclosure to concisely articulate those risks that are truly material to the company in line with the requirements of S-K Item 503(c) and related guidance. In particular, be wary of risk factors that may have been copied from another company’s disclosure as a matter of convenience; what appears to be boilerplate disclosure could be not only vague but wrong when applied to a particular company’s facts and circumstances. DISCLOSURE EFFECTIVENESS: ANSWERING THE SEC’S CALL TO ACTION As part of the SEC’s ongoing disclosure effectiveness project, the SEC staff is actively reviewing the requirements of both Regulation S-K and Regulation S-X to identify ways to reduce costs and burdens of reporting while still requiring companies to provide material information to investors. However, SEC staff members are encouraging companies and their advisors to proactively enhance public disclosures rather than wait for formal SEC rulemaking or guidance. In particular, the SEC staff has invited companies to reduce repetition, tailor disclosure to focus on material information and eliminate outdated and immaterial information. This guidance has been well-publicized, but the following recommendations bear repeating as companies are putting pen to paper and drafting their upcoming Form 10-K and proxy statement: Eliminate duplicative disclosures and use cross-references where appropriate; Use graphs, charts and tables where they can highlight or present information more clearly and concisely; Eliminate immaterial disclosures that are not otherwise required, such as descriptions of business conditions or events that are no longer material to understanding the company’s financial condition; Use executive overviews, summaries and other “layering” techniques to highlight the most important information for readers in such sections as MD&A and Business; Review Risk Factors and other sections for boilerplate language; eliminate immaterial risk factors and customize generic risk factors for the company’s circumstances; and Reduce redundancies between financial statement footnotes and other disclosures, such as legal proceedings and critical accounting estimates. Client Update January 20, 2016 6 www.debevoise.com CONFLICT MINERALS AND RESOURCE EXTRACTION DISCLOSURE While not part of the Form 10-K disclosure, companies should be considering their annual Form SD filings relating to conflict minerals, which are next due on May 31, 2016. The SEC’s conflict minerals rule has been the subject of ongoing litigation. Most recently, in August 2015, a D.C. Circuit Court panel reaffirmed its initial judgment in connection with National Association of Manufacturers, Inc. v. SEC that the requirements in the conflict minerals statute and related rule compelling companies to report to the SEC and to state on their website that any of their products have “not been found to be ‘DRC conflict free’” violates companies’ First Amendment rights. As a result of the ongoing litigation, the guidance issued in an April 2014 statement by the SEC’s Director of Corporation Finance Keith Higgins remains in effect. Under this guidance, no company is required to describe its products as “DRC conflict free,” having “not been found to be ‘DRC conflict free,’” or “DRC conflict undeterminable,” and an independent private sector audit is not required unless a company voluntarily elects to describe a product as “DRC conflict free” in its Conflict Minerals Report. Resource extraction issuers that are required to file annual reports with the SEC will not be required to file disclosures on Form SD relating to resource extraction until 2017 at the earliest. In December 2015, the SEC proposed rules, mandated by the Dodd-Frank Wall Street Reform and Consumer Protection Act, that would require resource extraction issuers to disclose payments made to the U.S. federal government or foreign governments for the commercial development of oil, natural gas or minerals. Initial comments on the proposed rules are due by January 25, 2016. Resource extraction issuers generally would be required to comply with the rules starting with their fiscal year ending no earlier than one year after the effective date of the adopted rules. The SEC’s initial resource extraction rule, adopted in 2012, was vacated by a federal judge in 2013 on the grounds that it was “arbitrary and capricious.” * * * Please do not hesitate to contact us with any questions.