The SEC has adopted new rules that require reporting public companies to disclose cybersecurity incidents within four days after the company has determined that the incident was “material”. In addition, SEC registrants are required to annually disclose material information regarding their cybersecurity risk management, strategy, and governance.
“The new rules will require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant,” said the SEC in its press release.
The SEC added that disclosure may be delayed if “the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing.”
The SEC is not requiring Board members to have cyber expertise, as was originally proposed in March 2022. Leaving that expertise to management, the SEC said that registrants are required “to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures will be required in a registrant’s annual report on Form 10-K.”
Meanwhile, not everyone is happy with the new rules. On August 14, the US Chamber of Commerce sent a letter to the SEC urging a one-year delay in implementation, calling the rules “vague and unworkable” and saying that the rule “ignores the role of national security agencies, and establishes conflicting obligations on the part of the issuer leading to unclear enforcement standards.” It is seeking additional roundtable discussions among stakeholders and a longer comment period to allow for more input.
The Chamber added, “The SEC has chosen speed over accuracy, ignored the role of nation-state actors, and is forcing businesses to choose between disclosure and national security. The rule as it stands will degrade investor protection, capital formation and competition.”
“Moreover, other federal agencies are typically the lead agencies regarding major cyber incidents, so DOJ may not be in the best position to determine whether a disclosure poses a national security risk. Indeed, if a business is attacked by a nation-state actor or proxy, businesses will often have to rely on the national security structure to address the immediate issues and ensure that the larger issues are addressed. The SEC dismissed, or ignored, these concerns in the adopting release without adequate justification,” wrote the Chamber.
Form 10-K cyber disclosures are due beginning with annual reports for fiscal years ending on or after December 15, 2023. Form 8-K disclosures are due beginning the later of 90 days after publication in the Federal Register, or December 18, 2023. Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure.
The Financial Accounting Standards Board (FASB) is asking for comment on new accounting rules that would require all public companies to provide a more detailed breakdown of certain company expenses in both annual and interim financial statements.
This Accounting Standards Update (ASU) would require “more detailed information about the types of expenses, including employee compensation, depreciation, amortization, and costs incurred related to inventory and manufacturing activities in income statement expense captions such as cost of sales; selling, general and administrative; and research and development,” said FASB.
The amendments in the proposed ASU do not change or remove existing expense disclosure requirements and do not change requirements for presentation of expenses on the face of the income statement. They would require public companies to include certain existing disclosures in the same tabular format disclosure as the other disaggregation requirements set forth in the proposed ASU, noted FASB.
The comment deadline is October 30. Those who submit a comment can register to participate in a public roundtable which currently is set for December 13, 2023.
A just-released report from the Treasury Inspector General for Tax Administration (TIGTA) shows “significant deficiencies” in how the IRS manages, stores and protects its microfilm cartridges, which contain “sensitive business and individual tax information.”
The Federal Records Act of 1950 requires the IRS to back up and store tax records. The IRS uses microfilm cartridges to store photographic records of sensitive business and individual tax information.
In its August 8 report, titled “Sensitive Business and Individual Tax Account Information Stored on Microfilm Cannot Be Located,” the inspector said, “The IRS is not in compliance with records management requirements.”
TIGTA conducted its inspection at the three current Tax Processing Centers (Austin, Texas; Kansas City, Missouri; and Ogden, Utah) that house microfilm backup cartridges and found that required annual inventories have not been performed.
“In fact, management could not provide a time frame of when the last required annual inventory was conducted”, said TIGTA. “The lack of adequate inventory controls also includes no reconciliation of the microfilm backup cartridges noted as being sent from closed Tax Processing Centers to what was physically shipped and received.”
TIGTA also found that microfilm cartridges stored at the Ogden center “are not being adequately safeguarded to limit access to this information,” noting that the microfilm cartridges are being stored on open shelving in the middle of the Files building, which is essentially a warehouse that is accessible to all files personnel, and “not within eyesight of the IRS personnel responsible for overseeing microfilm activities.”
And finally, TIGTA said “the IRS is not in compliance with microfilm destruction time frames. TIGTA identified individual microfilm cartridges stored at all three Tax Processing Centers that exceed the 30-year storage requirement.”
These deficiencies, said TIGTA, “result in the inability of the IRS to account for thousands of microfilm cartridges containing millions of sensitive business and individual tax account records,” adding “The sensitive business and individual taxpayer information stored on the unaccounted for cartridges are key information that can be used to commit tax refund fraud identity theft.”
The IRS responded by saying that it has no process in place for timely disposal of the microfilm.