Updating Annual Report Risk Factors: Key Developments and Drafting Considerations for Public Companies
The Annual Report season will soon be upon us, and it is important to assess a company's risk factors at the outset and whether recent developments, including those relating to macroeconomic, geopolitical, and public health conditions, have had (or are expected to have) a material impact on a company's business, financial condition and results of operations.1 Although each company will need to assess its own material risks and tailor its risk factor disclosure to its unique circumstances, this alert provides a list of 10 key developments in Part I and four important drafting considerations in Part II that all public companies should consider as they update their risk factors.
I. Ten Key Developments to Consider when Updating Annual Report Risk Factor Disclosures
Market Conditions: Changes in global economic conditions, including volatile equity capital markets, may adversely affect a company's business, revenues, and earnings. Such conditions could impact a company’s plans for growth and ability to access the capital markets to raise funds for general corporate purposes or as consideration for mergers and acquisitions. A company should assess any material risks related to these developments and whether they should be disclosed in its risk factors.
Inflation and Interest Rates: Companies should consider whether to disclose or update any risks related to inflation and rising interest rates, including their impact on revenues or earnings. These risks could include current and future increases in operating costs, such as fuel and energy, transportation and shipping, materials, and wages and labor costs, as well as a negative impact to revenue as a result of decreased consumer confidence and discretionary spending. Additionally, rising interest rates could impact a company through changes in financing availability, the cost of debt, and exchange rate fluctuations.2
Impact of COVID-19: As we enter the third year of the pandemic, it may still be too early to entirely eliminate COVID-19 specific risk factors, but companies may be able to significantly streamline their disclosures. Companies should take a fresh look at their existing COVID-19 risk factor disclosure and update it to account for the current risks they face, including eliminating or de-emphasizing risks that are no longer expected to be material. For example, all companies face the risk of the emergence of new virus strains, availability of effective treatment, and potential regulatory and macroeconomic effects stemming from such impacts. However, outside of China, lockdowns, shelter-in-place restrictions, and vaccine mandates, prevalent during the initial stages of the pandemic, have been lifted for most companies. Companies should assess how the relevant risks impact their businesses and prospects in particular, rather than rely on hypothetical, generalized COVID-19 disclosure.
Environmental, ESG and Sustainability Issues: Issues such as climate change continue to receive significant attention from the SEC and investors. On September 22, 2021, the SEC posted a sample comment letter to companies,3 nearly six months (to the day) prior to issuing its proposed climate change disclosure rules that would require public companies to disclose extensive climate-related information in their SEC filings.4
The SEC’s sample comment letter on climate change contained illustrative comments regarding companies' climate-related disclosure or the absence of such disclosure, including comments requesting information on the material effects of climate change-related transition risks.5 Following this sample comment letter, our review of recent SEC comment letters between March 2021 and August 2022 found that the SEC issued 334 climate-change related comments to over 100 companies during this period, with over 50 of these comments (15%) related to risk factor disclosure.6 These SEC comments included requests to describe the material effects of transition risks,7 material litigation risks related to climate change,8 and a description of the consideration given to including information and risks disclosed in sustainability reports.9 Moreover, our survey of the 2022 Form 10-Ks of 50 companies in the Fortune 100 found that 30% (or 15 companies) added entirely new risk factors devoted to climate-related impacts, and an additional 28% (or 14 companies) increased references to climate-related impacts in their existing risk factors.10
Risk factor disclosure related to environmental issues should be tailored to the company's specific circumstances and address a company's own material risks. Topics can include risks related to the impact of climate change on a company's business, such as risks of increased costs or reduced demand for products; physical risks related to severe weather events, sea level rise, and other natural conditions; climate change transition risks attributable to regulatory, technological, and market or pricing changes; risk of legal liability and defense costs; reputational risks, including those related to scrutiny from stakeholders on ESG issues or the risk of failing to meet announced goals and targets; and/or inadequate internal controls related to the disclosure of ESG data. Companies should also consider whether any additional risks should be disclosed in light of the SEC's proposed climate change rules, including considering climate related risks over the short, medium, and long term, and impacts to their upstream and downstream operations.
Ukraine Conflict: As the conflict between Ukraine and Russia continues, companies should consider their potential additional disclosure obligations related to direct or indirect impacts that Russia's ongoing actions in Ukraine and the international response have or may have on their business and how it has changed since the conflict began. Notably, the SEC may require disclosures even by companies that have no operations in Russia, Ukraine, or Belarus. On May 10, 2022, the SEC posted a sample letter to companies emphasizing companies' potential disclosure obligations related to direct or indirect impacts that Russia’s actions in Ukraine and the international response have or may have on their business.11 The SEC specifically noted that, to the extent material, companies should provide detailed disclosure regarding risks related to actual or potential disruptions in supply chains and new or heightened risks of potential cyberattacks by state actors or others. Our review of comment letters found that the SEC issued 117 Ukraine related comments to over 60 companies between March and September 2022. These comments included requests to add risk factor disclosure about operations in Ukraine and material impacts related to the conflict,12 requests to specifically disclose any increased risk of cyberattacks,13 risks related to potential supply chain disruptions,14 and requests to disclose potential reputational risks related to the company's operations in Russia.15 Additional disclosures that companies should consider include Russian sanctions; increases in commodity prices; impacts on the availability and cost of energy; vendor and supplier impacts; reputational impacts; and ongoing impacts on global economic conditions.
Cybersecurity: As cybersecurity incidents, data misuse, and ransomware attacks continue to proliferate and become more sophisticated, the SEC staff has been focusing on, and providing comments regarding, cybersecurity and privacy disclosures. The SEC issued guidance in 2018 that included considerations for evaluating cybersecurity risk factor disclosure,16 and in March 2022, the SEC proposed mandatory cybersecurity disclosure rules related to material incidents, governance, and risk strategy.17 The SEC also issued guidance in December 2019 specifically calling on companies to assess risks related to the potential theft or compromise of their technology, data, or intellectual property ("IP") in connection with their international operations and disclose them where material.18 The SEC is expected to continue to be aggressive in reviewing public company disclosure of cybersecurity incidents, and in May 2022 the SEC nearly doubled the size of the unit responsible for monitoring companies' disclosures.19 In addition, the SEC has filed enforcement actions against public companies related to the timing and content of cybersecurity incident disclosures.20 These follow other high-profile enforcement actions for alleged inadequate or misleading disclosures,21 all of which signal the SEC's continued focus on how public companies respond to and disclose material cybersecurity incidents and risks. Moreover, in 2021, the Ninth Circuit found that a major tech company's disclosure that cybersecurity risks "may" or "could" occur was misleading when the company was allegedly already aware of a cybersecurity breach.22 Most companies already include cybersecurity risk factor disclosure, but companies should consider updates to these disclosures, including whether there are any increased cyber-related risks due to pandemic-related technologies that they may have adopted to enable remote working or in connection with the ongoing conflict in Ukraine (see above).23
Supply Chain Disruptions: Shortages of supplies or shipping delays may need to be disclosed as a risk, particularly as these continue to be common due to the lingering impact of COVID-19 or the conflict in Ukraine, as well as a worldwide economic slowdown. Companies should assess whether they have, or may experience in the future, supply chain disruptions that should be disclosed as a material risk. This includes any risks related to the ongoing global semiconductor chip shortage, which could impact software development, production, and manufacturing, among other things, depending on the company's industry.
Human Capital and Labor Issues: Material risks that companies may face with respect to human capital include risks related to the ability to attract and retain skilled employees, employee health and safety issues, increases in labor costs, and increased employee turnover. Although the job market has slowed and several Fortune 100 companies have begun to announce layoffs, shortages of qualified labor may need to be disclosed as a material risk for some companies, as these issues continue to be common due to COVID-19-related impacts as well as the fallout from "the Great Resignation." In addition, a company's stock price volatility could negatively impact the value of employees' equity awards and a company's ability to retain key employees and executives. Companies should assess whether they have, or may experience in the future, issues related to labor shortages, increased labor costs, or employee retention that should be disclosed as a risk factor, including as a result of any ongoing personnel absences or issues with return-to-office transition plans.
Regulatory: Changes and potential changes in law, regulation, policy, and/or political leadership, including the regulatory agenda of the Biden administration, may necessitate modifications to risk factor disclosure for certain companies. One such regulatory change that companies should consider is the Inflation Reduction Act (the “IRA”), which includes several potentially impactful provisions, such as: (i) a 1% excise tax on corporate stock buybacks, which may affect corporate decisions with respect to capital markets and M&A transactions, among other items,24 (ii) a corporate alternative minimum tax (applicable to companies with an average adjusted financial statement income over $1 billion for the past three years) equal to the excess of 15% of a corporation's adjusted financial statement income, and (iii) energy related tax credits, which create tax incentives for green energy. Companies should consider whether the IRA creates any risks that warrant disclosure. Other examples include current and potential changes to immigration policies, minimum wage, tariffs, taxes, environmental policies, health care, and other political developments.
Risks Related to Doing Business with Companies in Regions Subject to Trade Sanctions: Companies should disclose any material risks related to business dealings with companies in regions subject to trade sanctions or prohibitions. For example, any companies receiving goods produced in the Xinjiang Uyghur Autonomous Region of China, or by certain identified entities, should disclose risks related to the fact that, for purposes of the Uyghur Forced Labor Prevention Act, which strengthens available measures to enforce an existing preventative measure in Section 307 of the Tariff Act of 1930, such goods are presumed to have been made with forced labor, and are therefore subject to an import prohibition in the US. US Customs & Border Protection may therefore detain, exclude, or seize goods and assess monetary penalties, unless "clear and convincing evidence" shows that no forced labor, situated anywhere in the supply chain, produced any part of the goods (and importers comply with other requirements specified in published agency guidance). Importantly, the statute contains no de minimis exception and there is no assurance that a company will be able to prove the absence of forced labor throughout the supply chain. Any potential supply chain or other impacts from these developments that are material for a company should be disclosed.
II. Four Important Drafting Considerations when Updating Annual Report Risk Factor Disclosures
A Note on Hypotheticals. It is crucial for companies to review the hypothetical statements in their existing risk factor disclosures (e.g., the statements that an event "could" or "may" occur rather than "has" or "did" occur in the past). The SEC has instituted enforcement actions and shareholders have filed claims under Section 10(b) of the Securities Exchange Act of 1934, as amended, alleging that statements in a company's risk factors were materially misleading because a company stated that an event only "may" or "could" occur, when the event was no longer hypothetical at the time of the disclosure. Accordingly, a company should carefully review its hypothetical risk factor language and clarify whether a potential disclosed risk has in fact occurred to some degree.26
A Note on Forward-Looking Statements. Beyond being legally required, well-drafted risk factors can protect a company from liability for its forward-looking statements and serve as a form of free liability insurance to protect a company when disclosing both projections as they relate to financial information and non-financial information, including ESG related goals and targets. In particular, companies should take into account financial models that support their projections and confirm that material risks related to these projections, including financial models, bases and assumptions that support them, are sufficiently disclosed. Moreover, in the case of ESG net zero targets and other ESG related goals and transition plans, companies should consider whether their risk factor disclosure should include disclosure related to the potential challenges in meeting these goals and plans, including the inability to develop technologies to achieve them.
A Note on the Presentation of Risks. Although Item 105 of Regulation S-K does not require that risk factors be ordered in terms of which is most important or has the greatest potential impact, it is considered a good practice to do so.27 Item 105 does state that risks should be "organized logically," so companies should consider the order that makes the most sense for investors. In addition, companies are required to organize risk factors into groups of related risk factors under "relevant headings" and provide sub-captions for each risk factor. Further, for any risk factors that apply generically to any registrant or offering, the company must either (i) tailor these risk factors to emphasize the specific relationship of the risk to the company, or (ii) disclose the generic risk factors at the end of the risk factor section under the caption "General Risk Factors." These requirements have been in effect since 2020, and companies should annually review their groupings and headings to confirm any updates or changes to their risk factor section's organization.28
A Note on Risk Factor Summaries. If a company's risk factor section exceeds 15 pages, it must include a series of concise, bulleted, or numbered statements that is no more than two pages summarizing the principal risk factors and place this summary at the "forepart" or at the beginning of the Form 10-K or Form 20-F. A number of companies have opted to combine this disclosure with their forward-looking statement legends in order to avoid repetition, and companies may consider this approach so long as the legend is titled to reflect its dual purposes (i.e., "Cautionary Note Regarding Forward-Looking Statements and Risk Factor Summary").
Given the number of headwinds companies may face in this challenging economic and geopolitical environment, as well as new and evolving regulatory requirements, scrutiny, and enforcement activity, companies would benefit from getting a head start on updating their Annual Report's risk factors now. It is key for companies to disclose how they are specifically impacted by macro trends, rather than rely on generic disclosure. In addition, companies should not lose sight of updating their risk factors to account for the unique risks they face beyond these macro trends that could adversely impact their business, financial condition, and results of operations.
1. See Item 105 of Regulation S-K, available here.
2. For more information, see our prior alert, "Inflation and increasing interest rates reshape US leveraged finance markets."
3. For more information, see our prior alert, "SEC Issues Sample Comment Letter as it Ramps Up Scrutiny of Climate Disclosures."
4. For more information, see our prior alert, "SEC Proposes Long-Awaited Climate Change Disclosure Rules." On October 7, 2022, the SEC reopened the comment period for 11 rulemaking proposals, including the proposed climate change disclosure rules, with comments due by November 1, 2022.
5. Climate change transition risks relate to developments such as policy and regulatory changes that could impose operational and compliance burdens and market or pricing trends that may alter business opportunities, credit risks, and technological changes.
6. For example, "[i]t appears that you have identified your "electrification strategy" as a transition risk related to climate change. Tell us how you considered providing expanded disclosure regarding the factors that may affect your intention to bring additional electrification to your … portfolio (e.g., the availability of necessary materials, the pace of technological changes, etc.) and the potential effect on your business, financial condition, and results of operations. In addition, describe other transition risks related to climate change you have considered, such as those related to your environmental policies, and how you considered addressing them in your Form 10-K."
7. For example, "Disclose the material effects of transition risks related to climate change that may affect your business, financial condition, and results of operations, such as policy and regulatory changes that could impose operational and compliance burdens, market trends that may alter business opportunities, credit risks, or technological changes."
8. For example, "Disclose any material litigation risks related to climate change and explain the potential impact to the company."
9. For example, "We note that you provided more expansive disclosure in your CSR report than you provided in your SEC filings. Please advise us what consideration you gave to providing the same type of climate-related disclosure in your SEC filings as you provided in your CSR report."
10. For more information, see our prior alert, "ESG Disclosure Trends in SEC Filings – Annual Survey 2022."
11. For more information, see our prior alert, "SEC Issues Sample Comment Letter on Disclosure Obligations Related to Russia's Actions in Ukraine."
12. For example, "To the extent material, please disclose any known trends or uncertainties that have had or are reasonably likely to have a material impact on your liquidity, financial position, or results of operations arising from the conflict between Russia and Ukraine."
13. For example, "[t]o the extent material, disclose any new or heightened risk of potential cyberattacks by state actors or others since Russia's invasion of Ukraine."
14. For example, "[p]lease disclose whether and how your business segments, products, lines of service, projects, or operations are materially impacted by supply chain disruptions, especially in light of Russia's invasion of Ukraine. For example, discuss whether you have or expect to…be exposed to supply chain risk in light of Russia's invasion of Ukraine and/or related geopolitical tension."
15. For example, "[i]n future filings, please revise to address the following as it relates to your business in Russia and Ukraine: Disclose any material reputational risks that may negatively impact your business associated with your response to the Russian invasion of Ukraine, for example in connection with action or inaction arising from or relating to the conflict."
16. For more information, see our prior alert, "SEC Issues Interpretive Guidance on Public Company Cybersecurity Disclosures: Greater Engagement Required of Officers and Directors."
17. For more information, see our prior alert, "SEC Proposes Mandatory Cybersecurity Disclosure Rules."
18. The SEC's guidance encourages companies to consider a range of questions when assessing these risks, including whether they are operating in foreign jurisdictions where the ability to enforce rights over IP is limited as a statutory or practical matter, and whether they have controls and procedures in place to adequately protect technology and IP. The Staff also emphasized that disclosure of material risks should be specifically tailored, and that where a company's technology, data, or IP is being (or previously was) materially compromised, hypothetical disclosure of potential risks is not sufficient to satisfy the company's reporting obligations. Accordingly, companies should continue to consider this evolving area of risk and update disclosure on an ongoing basis to reflect current circumstances to the extent material.
19. See the SEC's press release, "SEC Nearly Doubles Size of Enforcement's Crypto Assets and Cyber Unit."
21. In August 2021, the SEC settled with an educational publishing and services company over its failure to adequately disclose a material cybersecurity breach and for making misleading statements in its SEC filings. Specifically, the SEC found that: (i) several months after the breach, the company issued a Form 6-K that referenced a general risk of data breach/cybersecurity incident, but did not specifically reference the breach that had occurred; and (ii) the company’s press statement referred only to "unauthorized access" and "expos[ure of] data" which "may [have] include[d]" birthdates and emails, even though the company knew that significant personal data had been downloaded, and made no mention of the volume of breached data nor of the other critical vulnerabilities in the system.
In June 2021, the SEC settled with a real estate settlement services company for its alleged failure to adequately disclose a security vulnerability that could be used to compromise the company's computer systems. In May 2019, the company was notified of a software vulnerability that exposed personal and financial data, after which it issued a statement and furnished a Form 8-K, stating it had taken "immediate action" to terminate external access to the data. However, the executives responsible for the statement and Form 8-K were not informed that the company's information security personnel had been aware of the vulnerability since January 2019 or that the company had failed to timely remediate that vulnerability in accordance with its policies. According to the SEC, the January 2019 findings "would have been relevant to management's assessment of the company's disclosure response…and the magnitude of the resulting risk" and the company failed to maintain disclosure controls and procedures to ensure that management had all available relevant information prior to making its disclosures.
With respect to cybersecurity, the SEC found that Yahoo's risk factor disclosures in its annual and quarterly reports were materially misleading in that they claimed the company only faced the "risk of potential future data breaches" that might expose the company to loss and liability "without disclosing that a massive data breach had in fact already occurred." The SEC's action is available here. For more information, see our prior alert, "SEC Fines Yahoo $35 Million for Failure to Timely Disclose a Cyber Breach."
22. For more information, see our alert, "Time to Revisit Risk Factors in Periodic Reports."
23. A White & Case LLP survey of the disclosures made by Fortune 50 companies found that every company included at least one risk factor related to cybersecurity in its 2022 Form 10-K, and 42 of the 50 companies included detailed risk factors discussing the impact that a cybersecurity incident or data breach could have on the company's results of operations or financial condition.
24. For more information, see our prior alert, "New 1% Excise Tax on Stock Buybacks May Have Far-Reaching Consequences for Capital Markets, SPAC and M&A Transactions."
25. For more information, see our prior alert, "Uyghur Forced Labor Prevention Act: Commercial Implications, Compliance Challenges and Responses."
26. Disclosure may be required whether or not the degree of occurrence is material on its own. For more information, see our prior alerts, "Time to Revisit Risk Factors in Periodic Reports" and "Key Considerations for the 2022 Annual Reporting and Proxy Season Part I: Form 10-K Considerations."
27. The Form 20-F also states that "companies are encouraged, but not required, to list the risk factors in the order of their priority to the company." See Part I, Item 3.D of Form 20-F. In addition, Item 105 applies to foreign private issuers to the extent their Form 20-F is incorporated by reference into a registration statement, such as a Form F-1, F-3, or F-4.
28. For more information, see our prior alert "SEC Adopts Amendments to Modernize Disclosures and Adds Human Capital Resources as a Disclosure Topic: Key Action Items and Considerations for U.S. Public Companies."
© 2022 White & Case LLP