It is Annual Report Time - Recent Developments and Trends for the Preparation of the 2023 Form 20-F

Published Date
Jan 22 2024
Foreign private issuers (FPIs) with a calendar year end must file their annual report on Form 20-F with the U.S. Securities and Exchange Commission (the SEC) no later than April 30, 2024, and this memorandum provides an overview of recent developments, trends and topics that are relevant to FPIs preparing their 2023 Form 20-F.

Approaching the 2023 Form 20-F

There are several rule changes that have become effective for the 2023 Form 20-F reporting season which will require FPIs to include mandatory additional disclosures in the Form 20-F.

In addition, during 2023, the SEC has indicated its focus on certain disclosure areas, and companies should also evaluate their existing disclosures (or lack thereof) in view of the SEC’s guidance, public statements and proposed rules (as applicable) in relation to these topics. Companies can seek to minimize SEC comments and improve their overall disclosure by evaluating their business and disclosures in relation to these areas of focus.

2023 Form 20-F Quick Reference Summary

The following is a summary of the key points to be addressed by companies in the 2023 Form 20-F, which are discussed in more detail in this memorandum.

Topic: Cybersecurity
Form 20-F Location: Item 16K
Explanation of New Requirement: Disclosures relating to (i) processes, if any, for identifying, assessing and managing material risks from cybersecurity threats, (ii) whether any cybersecurity risks (including those as a result of any previous cybersecurity incidents) have materially affected or are reasonably likely to materially affect the company, and (iii) the role of the board of directors and management in cybersecurity governance.

Topic: Clawback of Incentive-based Compensation
Form 20-F Location: Exhibit 97 and Cover Page
Explanation of New Requirement: Dodd-Frank mandated clawback policy to be filed as an Exhibit 97 to Form 20-F. Indicate (via checkboxes on the Form 20-F cover page) whether the filing includes errors or corrections to previously issued financial statements and whether these errors or corrections led to analysis of the clawback of executive officer compensation.

Topic: Disclosure Focus Areas
Form 20-F Location: Various items
Explanation of New Requirement: Companies should review disclosures in respect of the following themes in particular:

  • Russia-Ukraine conflict
  • Israel-Hamas conflict
  • Climate-related disclosures
  • Non-GAAP financial measures
  • Crypto assets
  • Human capital management
  • Artificial intelligence (AI)

Topic: Nasdaq Board Diversity Disclosure Requirements
Form 20-F Location: Nasdaq requirement
Explanation of New Requirement: Nasdaq-listed companies can choose whether to include the required board diversity matrix in their Form 20-F (starting with the 2023 Form 20-F) or whether to include the board diversity matrix on their website.

New Mandatory Disclosure Requirements in Effect for the 2023 Form 20-F

Cybersecurity

On July 26, 2023, the SEC adopted final rules that require reporting companies, including FPIs, to disclose certain information about cybersecurity risk management and governance and cybersecurity incidents. FPIs are required to make annual disclosures in their Form 20-F relating to their cybersecurity risk management and governance—these requirements are substantially the same as those that apply to domestic U.S. registrants. However, in contrast to domestic registrants, which now have additional Form 8-K current reporting obligations, FPIs are not required to disclose material cybersecurity incidents on a current basis on Form 6-K unless the FPI (i) makes or is required to make such material cybersecurity incident public pursuant to home country law, (ii) files or is required to file with a stock exchange disclosure of any material cybersecurity incidents or (iii) otherwise distributes, or is required to distribute to their security holders, disclosure of any material cybersecurity incidents.

FPIs are required to provide the following disclosures about their cybersecurity risk management, strategy and governance in Item 16K of Form 20-F:

  • Processes: Item 106(b)(1) of Regulation S-K requires companies to describe their processes, if any, for identifying, assessing and managing material risks from cybersecurity threats, in sufficient detail for a reasonable investor to understand those processes. When describing cybersecurity risk processes, companies should disclose whether and how any such processes have been integrated into their overall risk management systems or processes, whether they engage consultants or other third parties in connection with such processes and whether they have processes to oversee and identify such risks from cybersecurity threats associated with the use of third-party service providers. However, unlike the initial rule proposal, the final rules do not require disclosure of a company’s prevention and detection activities, continuity and recovery plans or corrective actions taken as a result of prior cybersecurity incidents.
  • Effect of Cybersecurity Threats: Item 106(b)(2) of Regulation S-K requires companies to describe whether any risks from cybersecurity threats (including as a result of any previous cybersecurity incidents) have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations or financial condition, and if so, how.
  • Governance: Item 106(c) of Regulation S-K requires companies to disclose the role of their board of directors and management in cybersecurity governance.
      • Board Oversight: Companies are required to describe the oversight by the board of directors of risks from cybersecurity threats and, if applicable, any board committee or subcommittee responsible for cybersecurity oversight and describe the processes by which the board or such committee is informed about such risks. The SEC decided not to mandate disclosure about any cybersecurity expertise of directors and removed the proposed requirement to disclose the frequency of board or committee discussions on cybersecurity.
      • Management Role: Companies are also required to describe management’s role in assessing and managing a company’s material risks from cybersecurity threats, which should include disclosure of whether and which management positions or committees are responsible for assessing and managing cybersecurity risks, the relevant expertise of such persons or members, the processes management uses to become informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents and whether management reports this information to the board or a cybersecurity risk committee of the board.

Therefore, when preparing the 2023 Form 20-F, companies should review their cybersecurity risk management and governance policies and procedures. As these new disclosures are likely to be a means of comparison for assessments of the quality of cybersecurity incident preparedness within and across industries, companies should review and, where necessary, enhance and update their existing practices and policies with a view to their public disclosure in future annual reports on Form 20-F. As companies consider the disclosure to include in their Form 20-F in response to the new disclosure requirements, they should determine which practices should now be documented to provide the appropriate compliance rigor and to demonstrate the formalization of these processes within their business. Companies should avoid reliance on boilerplate disclosure and should ensure that any disclosure accurately reflects the company’s existing policies, procedures and preparedness. If a company suffers a material cybersecurity incident, the SEC, investors and potential private securities litigants will carefully examine the company’s cybersecurity disclosures, and companies should therefore ensure they pay particular attention to disclosures as to their level of preparedness for cybersecurity incidents.

The final rules became effective on September 3, 2023, and FPIs must provide the required Form 20-F disclosures about risk management and governance beginning with Form 20-F for fiscal years ending on or after December 15, 2023. For FPIs with a calendar year end, this means that these periodic disclosures will be required for the first time in the Form 20-F for fiscal year 2023, to be filed by April 30, 2024.

As noted above, the new rules do not create a standalone trigger requiring FPIs to disclose cybersecurity incidents on a current basis on Form 6-K. However, even if FPIs are not required to report material cybersecurity incidents on Form 6-K as a result of a foreign disclosure (as noted above), some FPIs may nonetheless look to the incident reporting rules for domestic issuers for guidance on when it may be appropriate to disclose cybersecurity incidents voluntarily, including as a result of investor expectations or governance considerations.

The SEC did not amend Form 40-F to include cybersecurity disclosure requirements, which means that eligible Canadian FPIs using the multijurisdictional disclosure system (MJDS) to satisfy SEC registration and disclosure requirements will continue to comply with applicable Canadian disclosure requirements.

Read our related client publication, SEC Mandates New Cybersecurity Disclosures, for further detail on the cybersecurity disclosure rules.

Clawback Rules

On October 26, 2022, the SEC adopted final rules to implement Section 954 of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010. The rules required U.S. stock exchanges to establish listing standards requiring listed companies to adopt, disclose and enforce a compensation clawback policy for the recovery of erroneously awarded compensation. The listing standards of the New York Stock Exchange and Nasdaq Stock Market required listed companies to adopt a compliant clawback policy by December 1, 2023.

FPIs are now required to file a copy of their Dodd-Frank mandated clawback policy (but not any other clawback policies) as Exhibit 97 to Form 20-F, which should be labeled as Exhibit 97. FPIs should also be aware that Form 20-F now also includes new checkboxes indicating (i) whether the financial statements included in the filing reflect correction of any error to previously issued financial statements and (ii) whether any of those error corrections are restatements that required a recovery analysis under the company’s clawback policy.

For more information, please refer to our related client publication, SEC Clawback Rules Take Effect: What Companies Should Do Now, and our FPI guide to these rules.

Disclosure Focus Areas

Current Disclosure Considerations

Many companies are currently being impacted by, or may potentially be impacted in the future by, a number of developments, including:

  • Inflation and the effects of an inflationary environment;
  • Interest rates, including the impact on the cost of borrowing and any impacts on a company’s ability to raise finance or refinance existing indebtedness;
  • Supply chain disruptions;
  • Tight labor market conditions;
  • Volatility in commodity markets and exchange rates;
  • Other direct or indirect ongoing impacts of (i) the continuing Russia-Ukraine conflict, (ii) the Israel-Hamas conflict and (iii) emerging geopolitical conflicts, including rising tensions between China and Taiwan and the relationship between China and the United States;
  • Sanctions, terrorism and human rights laws, regulations and regimes;
  • Risks related to the 2024 U.S. presidential, congressional, state and local elections;
  • Evolution and use of AI, including generative AI, and its impacts on a company’s business and the industry in which it operates;
  • Effects stemming from long-term reliance on hybrid work arrangements; and
  • Matters related to environmental, social and governance (ESG) developments, including climate-related challenges.

Companies should continue to discuss in their operating and financial review and prospects section (often referred to as the MD&A) and as part of risk factors how recent developments have materially impacted or may materially impact their business, operations and financial performance, including impacts on liquidity, capital resources, business outlook, strategies and goals. When preparing the 2023 Form 20-F, companies should also consider whether their forward-looking statement disclaimers and disclosure and business section need to be updated to refer to any additional important factors that could cause actual results to differ from the forward-looking statements made by the company. In addition, companies should continue to identify any material actions taken or planned to mitigate challenges and how these have impacted or may impact the company’s performance.

Companies should avoid describing currently prevailing conditions (i.e., materialized or materializing risks) as potential future risks and uncertainties. Therefore, in preparing the 2023 Form 20-F, companies should review existing risk disclosures, which may have been previously discussed in the hypothetical, and update such disclosures to address the factors that have already had a material impact on the company and, as appropriate, to increase the specificity of such risk disclosures.

Companies should also evaluate whether to delete references to risks that are no longer applicable, including whether COVID-19-related risks (as distinct from potential future pandemic risks) should be removed in view of the fact the World Health Organization declared on May 5, 2023, that COVID-19 no longer constituted a public health emergency of international concern.

Israel-Hamas Conflict

Companies that have direct or indirect business operations, interests, investments, assets or reliance on goods sourced in, or services provided from, Israel or the Middle East in general, or business relationships with companies that do, should evaluate including disclosure of any material direct or indirect impacts and risks related to the current conflict between Israel and Hamas. As of the date of this client publication, the SEC Division of Corporation Finance has not published a sample letter reflecting comments it may issue related to disclosure regarding this conflict, but the sample letter to companies regarding disclosures pertaining to the Russia-Ukraine conflict may provide guidance as to the types of disclosure that companies should consider if they could be materially impacted by this conflict.

Russia-Ukraine Conflict

As discussed in last year’s edition of this client publication, companies should continue to evaluate whether they have been or may be materially impacted by the direct and indirect effects of the continuing Russia-Ukraine conflict, including by the imposition of sanctions.

Over a year has now passed since Russia invaded Ukraine, and the U.S., the European Union and its member states, the United Kingdom and many others—including Japan, Australia, New Zealand, Taiwan and Canada—continue to exert pressure on Russia through expanding sanctions regimes. The sanctions related to the Russia-Ukraine conflict are multi-faceted and, at times, complex and far-reaching, with potential implications for any business operating in the global economy, even those businesses with no immediate or direct ties to Russia, Belarus or Ukraine. For more information, please refer to our related client publication, US, EU and UK Maintain Pressure Through Russia Sanctions.

Companies should review the SEC’s sample letter to companies regarding disclosures pertaining to Russia’s invasion of Ukraine and related supply chain issues that the SEC published on May 3, 2022. Even if a company does not have operations in Russia, Belarus or Ukraine, disclosures may be required on the indirect consequences of the conflict, including supply chain disruptions, volatility in the trading prices of commodities and heightened cybersecurity risks.

Climate-related Disclosures

As discussed in last year’s edition of this client publication, after much anticipation, on March 21, 2022, the SEC released its proposed climate-related disclosure framework which, if adopted, would represent a sweeping overhaul of the current, materiality-based climate change disclosure requirements and would substantially expand the reporting obligations for public companies. The proposed disclosures are modeled in part on the disclosure framework recommended by the Task Force on Climate-Related Financial Disclosures and would require companies to include significant climate-related disclosure in both the body of periodic reports and registration statements as well as in the notes to their financial statements. The proposed rules would apply to both domestic issuers and FPIs (other than MJDS filers). The SEC currently expects to adopt final rules by April 2024, as indicated by the Staff of the Division of Corporation Finance (the Staff) in the Fall 2023 Unified Agenda of Regulatory and Deregulatory Actions.

The SEC has delayed its final rulemaking on climate-related disclosure, including to consider extensive public comments—over 16,000 comments were received, a record-breaking number. One of the most controversial areas in the rule proposal is the requirement for companies to report Scope 3 emissions when such emissions are material or when the company has established a Scope 3 emissions reduction target, with concern expressed as to the degree to which the underlying data and disclosure would be onerous to produce and may not be decision-useful to investors. Whether mandatory Scope 3 emissions disclosure requirements are included within the final rules will be of significant interest to market participants.

For more information on the proposed rules, please refer to our related client publication, SEC Proposes Sweeping New Climate-related Disclosure Framework.

In addition to this proposed rulemaking, the Staff has been focused on how companies comply with existing disclosure requirements, including the interpretative guidance published by the SEC on February 2, 2010, and the sample letter to companies regarding climate change disclosures published by the SEC on September 22, 2021.

The SEC issued a number of comment letters focused on climate-related disclosure matters during 2022 and 2023, and these comments have frequently required multiple rounds of correspondence with SEC examiners. In preparing the 2023 Form 20-F, companies should consider how their own disclosures (particularly risk factors, MD&A, business and legal proceedings disclosures) may be informed by the following themes and trends that can be identified in SEC comment letters:

  • Companies should consider whether the information included in their corporate social responsibility report, sustainability report or ESG report (an ESG Report) should be included in their Form 20-F. Companies could take the view that not all information in an ESG Report is material to investors. The content of an ESG Report is intended for an audience that is broader than investors in the company’s securities and includes employees, customers, suppliers, non-governmental organizations and governments who may use ESG Reports for different purposes. Companies taking this view should be prepared to support the conclusion that the effects of climate-related matters, including the related costs and expenses, are not material, as the SEC may ask companies to quantify such effects, costs and expenses and provide detailed explanation of the materiality analysis.
  • Companies should focus on whether climate-related disclosures are required in respect of (i) the impact of pending or existing climate change-related legislation, regulations and international accords, (ii) the indirect consequences of regulation or business trends (such as transition risks relating to low/net zero carbon emissions) and (iii) the physical impacts of climate change.
  • Companies should disclose whether they have experienced or may experience a material increase in capital expenditures or operating costs associated with climate-related matters, including costs and expenditures incurred to mitigate the physical effects of climate change or incurred in connection with any plans they may have to reduce emissions or their reliance on carbon-based energy. Companies should consider whether any such increased costs or expenditures may represent a known material trend or uncertainty that should be disclosed as such.

As further discussed in our related client publication, as companies prepare for reporting under a potential climate-related disclosure framework, they should continue the process of building the internal controls and disclosure controls necessary for any climate-related disclosures. Early engagement with this topic is central to being ready for climate-related reporting as contemplated by the proposed climate disclosure rule, including to ensure that the underlying climate-related data captured by a company is reliable and is capable of being subject to any assurance requirements to which companies may become subject.

In addition, in 2023 new climate-related laws were introduced in the state of California, including (i) the Climate Corporate Data Accountability Act, and the Climate-Related Financial Risk Act, which are limited to legal entities incorporated in the United States, but may be applicable to United States subsidiaries of FPIs, and (ii) the Voluntary Carbon Market Disclosures Act (the VCMDA), which is not limited to companies incorporated in the United States. The VCMDA, which became effective on January 1, 2024, is intended to address “greenwashing” by requiring detailed disclosures of

Content Disclaimer
This content was originally published by Shearman & Sterling before the A&O Shearman merger
