Category Archives: Reporting

UK Serious Fraud Office Issues New Self-Reporting and Corporate Cooperation Guidance

by Lloyd Firth and Frederick Saugman

Left to right: Lloyd Firth and Frederick Saugman (photos courtesy of Wilmer Cutler Pickering Hale and Dorr LLP)

On 24 April 2025, the UK Serious Fraud Office (SFO) issued new guidance to encourage companies to self-report suspected corporate wrongdoing. The guidance states that self-reporting, combined with full cooperation with the SFO’s investigation, will, absent exceptional circumstances, lead to the SFO inviting the company to commence Deferred Prosecution Agreement (DPA) negotiations.[1] While the guidance is a welcome recognition that companies crave certainty of outcome in their dealings with the SFO and a sign of the agency’s increased pragmatism, in practice it is unlikely to move the needle for companies on notice of suspected wrongdoing facing the critical strategic decision of whether and when to self-report.

Bipartisan Bill Offers Needed Reforms to SEC Whistleblower Program

By Stephen M. Kohn and Geoff Schweller

Stephen M. Kohn and Geoff Schweller (photos courtesy of the authors)

Since it was established in 2010, the U.S. Securities and Exchange Commission (SEC) Whistleblower Program has emerged as the gold standard for whistleblower award programs. Through a combination of anonymous reporting channels, anti-retaliation protections, transnational reach, and mandatory whistleblower awards, the program has generated tens of thousands of tips, resulted in the collection of over $6 billion in sanctions from fraudsters and the return of over $1.3 billion directly to harmed investors.

End of the Road: FinCEN Adopts Interim Final Rule Virtually Eliminating CTA Filing Requirements

by Matthew Bisanz, Brad A. Resnikoff, Kristin E. Rice-Gonzalez, Marcella Barganz, Courtney C. Seitz, Lorenz A. Taets, and Kelly F. Truesdale

Top left to right: Matthew Bisanz, Brad A. Resnikoff, Kristin E. Rice-Gonzalez, and Marcella Barganz. Bottom left to right: Courtney C. Seitz, Lorenz A. Taets, and Kelly F. Truesdale. (Photos courtesy of Mayer Brown)

On March 21, 2025, the US Financial Crimes Enforcement Network (“FinCEN”) issued an interim final rule (the “IFR”) that exempts all domestic entities from beneficial ownership information reporting requirements under the Corporate Transparency Act (the “CTA”) and its implementing regulations (the “Reporting Rule”). These changes have the effect of eliminating any reporting requirement for more than 99.9% of the entities that were previously required to report[1] and, for domestic entities and US person beneficial owners, marking the end of the yearslong journey towards the CTA’s reporting requirements, which were enacted into law in early 2021 and implemented by FinCEN’s original rulemaking in September 2022.

Lessons Learned: One Year of Form 8-K Material Cybersecurity Incident Reporting

by Charu A. Chandrasekhar, Erez Liebermann, Benjamin R. Pedersen, Paul M. Rodel, Matt Kelly, Anna Moody, John Jacob, and Talia Lorch

Top (left to right): Charu A. Chandrasekhar, Erez Liebermann, Benjamin R. Pedersen, and Paul M. Rodel. Bottom (left to right): Matt Kelly, Anna Moody, John Jacob, and Talia Lorch. (Photos courtesy of Debevoise & Plimpton LLP)

On December 18, 2023, the Securities and Exchange Commission’s (the “SEC”) rule requiring disclosure of material cybersecurity incidents became effective. To date, 26 companies have reported a cybersecurity incident under the new Item 1.05 of Form 8-K (“Item 1.05”). After over a year of mandatory cybersecurity incident reporting, we examine the key trends and takeaways.

Key Takeaways from a Year of Cybersecurity Incident Reporting on Form 8-K

In early 2024, companies filed a flurry of Forms 8-K under Item 1.05, which stated that the relevant cybersecurity incidents did not have material impacts on the companies’ financial conditions or results of operations. These disclosures were in response to the SEC’s rules requiring that cybersecurity incident disclosures include a description of “the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the issuer, including its financial condition and results of operations.” Following these disclosures, the SEC clarified its expectations for cybersecurity incident reporting in a statement issued by the Director of the SEC’s Division of Corporation Finance (the “Statement”), as well as through several comment letters issued by the Staff of the SEC (the “Staff”) to companies which filed Item 1.05 Forms 8-K.

Key Considerations for Updating 2024 Annual Report Risk Factors

by Maia Gez, Scott Levi, Michelle Rutta, Melinda Anderson, and Danielle Herrick

Left to Right: Maia Gez, Scott Levi, Michelle Rutta, Melinda Anderson, and Danielle Herrick. (Photos courtesy of White & Case LLP)

With the 2025 annual reporting season upon us, public companies should consider potential updates to their risk factors for their Form 10-Ks and 20-Fs in light of recent economic, political, technological, and regulatory developments.[1]

As a starting point, this alert features (i) a list of key developments that US public companies should consider as they update risk factors in Part I and (ii) critical drafting considerations in Part II. Each company will, of course, need to assess its own material risks and tailor its risk factor disclosure to its particular circumstances.

As further described below, calendar year-end companies should review and update their risk factors by assessing the material risks that impact their businesses. Well-drafted risk factors play a crucial role in defending public companies against allegations of fraud under the US federal securities laws, and companies should therefore take the time to update their risk factor disclosure and tailor risks to their own facts and circumstances.

Cybersecurity Disclosure and Enforcement Developments and Predictions

by Francesca L. Odell, Rahul Mukhi, Tom Bednar, Nina E. Bell, and Greg Stephens

Left to right: Francesca L. Odell, Rahul Mukhi, Tom Bednar, and Nina E. Bell (Photos courtesy of Cleary Gottlieb Steen & Hamilton LLP) (Not Pictured: Greg Stephens)

The SEC pursued multiple high-profile enforcement actions in 2024, alongside issuing additional guidance around compliance with the new cybersecurity disclosure rules.

Together these developments demonstrate a continued focus by the SEC on robust disclosure frameworks for cybersecurity incidents. Public companies will need to bear these developments in mind as they continue to grapple with cybersecurity disclosure requirements going into 2025.

An Update on SEC Cybersecurity Reporting

by Scott Kimpel

Photo courtesy of Hunton Andrews Kurth LLP

As we approach the one-year anniversary of the effective date of the U.S. Securities and Exchange Commission (“SEC”) reporting rules on Form 8-K for material cybersecurity incidents, we provide a high-level overview of the last year’s developments.

Background on SEC Reporting Rules

Under the SEC’s rules, Item 1.05 of Form 8-K generally requires public companies in the United States to disclose material cybersecurity incidents within four business days of determining that the incident is material. The disclosure must contain the nature, scope and timing of the incident and the impact or reasonably likely impact of the incident on the company, its financial condition and its results of operations. For these purposes, SEC rules define “cybersecurity incident” to include “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.”

SEC Continues Focus on AI and Cyber-Risk Related Enforcement Cases

by Brendan F. Quigley and Matthew R. Baker

Left to right: Brendan F. Quigley and Matthew R. Baker. (Photos courtesy of Baker Botts)

The SEC kicked off its fiscal year by bringing enforcement actions focused on AI and cyber disclosures. As discussed in more detail below:

  • These actions again show SEC Enforcement prioritizing “hot button” issues like AI and cyber, highlighting, for example, a company’s statements about its use of AI in what otherwise appeared to be a fairly garden-variety securities fraud case.
  • The actions largely involve well-worn principles of securities law applied in the context of emerging technologies, including (i) while there may be no obligation to speak on a particular issue (such as AI), if a company does speak, its statements must be full, complete, and not misleading and (ii) companies’ obligation to consider whether existing disclosures need to be updated in light of recent events (such as a cyberattack).
  • The cyber-disclosure actions prompted a lengthy, two-commissioner dissent, accusing the commission of playing “Monday morning quarterback” by bringing the case, highlighting the potential for the upcoming election (and the appointment of commissioners under a new administration) to impact the SEC’s enforcement posture.
  • The dissent in the cyber cases also undertook a lengthy analysis, comparing the allegations in the settled cases to allegations against another company, arising out of the same series of cyberattacks, in an action the SEC litigated in federal district court. As we discussed here and as pointed out by the dissent, the federal district court dismissed many of those allegations. While deciding to settle with the SEC (or any government agency) is always a complicated, multi-faceted decision, the dissent’s comparison of the litigated case and the settled actions shows the need for parties under investigation to seriously consider the merits of potentially litigating cases when appropriate.

Avoid Kicking the Hornet’s Nest: A Fresh Look at How to Anticipate, Avoid, and Respond to BIS Administrative Subpoenas (Part 2)

by Brent Carlson and Michael Huneke

Brent Carlson and Michael Huneke (photos courtesy of authors)

In Part 2 we pick up where we left off in Part 1 to continue our discussion of how best to avoid an administrative subpoena. We then discuss how best to respond, if and when they cannot be avoided, and conclude with some practical guidance.

Avoid: How to Dissuade BIS from Resorting to Administrative Subpoenas (Continued)

Prepare well for outreach visits

Companies should prepare for outreach visits. Persons who will be meeting or speaking with OEE agents should be well prepared to do so with an eye toward and an awareness of the implications of the information and representations they are providing to BIS. Any and all information that company representatives provide to BIS representatives is fair game for future enforcement and for sharing with other U.S. agencies.

BIS Final Rule on Voluntary Self-Disclosure Process and Penalty Guidelines Highlights Significant Export Control Violations and Higher Penalties

by Christopher Timura, David Burns, Adam M. Smith, Stephenie Gosnell Handler, Samantha Sewall, Cody Poplin, Chris Mullen, and Audi Syarief

Top left to right: Christopher Timura, David Burns, Adam M. Smith, and Stephenie Gosnell Handler.
Bottom left to right: Samantha Sewall, Cody Poplin, Chris Mullen, and Audi Syarief. Photos courtesy of the authors.

In a final rule effective September 16, 2024, the Department of Commerce’s Bureau of Industry and Security (“BIS”) updated its process for handling voluntary self-disclosures from industry and expanded its discretion to impose higher monetary penalties for violations of export control laws. Whether to submit a voluntary self-disclosure remains a fact-dependent decision and requires careful weighing of factual, legal, practical and policy considerations.
