Preparing your 2024 Form 20-F

Artificial intelligence

The SEC has been increasingly focused on disclosure around artificial intelligence (AI), including “AI washing,” or making potentially false or misleading AI-related claims. This has been reiterated in several instances, including in speeches by the SEC Chair and the directors of the Division of Enforcement and the Division of Corporation Finance. On April 15, 2024, the then-SEC Director for the Division of Enforcement gave a speech focusing on ways companies can use “proactive compliance” to avoid AI washing problems – emphasizing education on AI risk areas, engagement with relevant employees within a company and updates to policies and controls.

Director Gerding also highlighted AI in a June 2024 statement as a disclosure priority, noting that an increasing number of companies have mentioned AI in their periodic reports, often in the risk factors, business descriptions and/or operating and financial review and prospects (OFR) sections. He stated that existing rules or regulations may require disclosure about how a company uses AI and the risks related to its use (including disclosure in the business section, risk factors, OFR and financials) and the board’s role in risk oversight.

Director Gerding indicated that the SEC staff would consider whether a company:

• Clearly defines what it means by AI and how it could improve the company’s results of operations, financial condition and future prospects.
• Provides tailored (and not boilerplate) disclosures around AI, commensurate with how material AI is to the company, about material risks and the impact of AI on the company’s business and financial results.
• Focuses on the company’s current or proposed use of AI rather than “generic buzz” unrelated to its business.
• Has a reasonable basis for claims around AI prospects.

FPIs should also consider the EU AI Act, which became effective on August 1, 2024, and update their AI-related disclosures as required to the extent they are impacted by this legislation. Read our client update European Parliament approves AI Act for a discussion of the AI Act and its implications.

Cybersecurity

In July 2023, the SEC adopted final rules mandating cybersecurity incident and risk management disclosures for public companies. These final rules require FPIs to make annual disclosures on Form 20‑F to describe the company’s (i) processes to assess, identify and manage cybersecurity risks, (ii) board oversight of such risks, (iii) management’s role and expertise in assessing and managing such risks and (iv) assessment of whether any risks from cybersecurity threats have materially affected, or are reasonably likely to materially affect, the company (see Item 16K of Form 20-F). Beginning with the 2024 Form 20-F to be filed in 2025, companies must tag such required 20-F disclosures in Inline XBRL.

In our Preparing Your 2023 Form 20-F client update, we discussed how cybersecurity disclosure was likely to be closely scrutinized by private plaintiffs and the SEC staff in the event of a material cybersecurity incident. In October 2024 the SEC announced settled actions against four current and former public companies impacted by the 2020 SolarWinds Orion software hack, relating to actions that predate the new disclosure rules. The SEC alleged that the companies made materially misleading disclosures regarding cybersecurity risks and intrusions in response to the SolarWinds hack, and that one of the companies also had deficient disclosure controls and procedures.

In addition to crafting well-supported disclosure in response to the July 2023 risk management and governance disclosure mandate, FPIs should bear in mind that the SEC continues to focus on risk factors using hypothetical wording after a company has seen the risk materialize. For example, a statement that highlights the risk that a company could be a victim of a cyberattack could be viewed as misleading if that company has already experienced a cyberattack, as was illustrated in a recent SEC settled order. As a result, companies should review their risk factors in light of recent experiences and consider whether updates are warranted (a takeaway that extends beyond just risks relating to cybersecurity).

Read our client updates SEC adopts cybersecurity disclosure mandates for public companies and SEC charges public companies with inadequate disclosures in aftermath of the SolarWinds cyberattack for further detail.

Climate rules

After nearly two years and over 24,000 comment letters, in March 2024, the SEC adopted final rules for public companies that mandate significant new disclosures relating to climate-related risks, Scope 1 and Scope 2 greenhouse gas (GHG) emissions and climate-related financial metrics. The commentary in the 886-page adopting release and lively debate among SEC commissioners during the open meeting highlighted the challenges faced by the SEC, which adopted the final rules in a 3-2 vote along party lines. Legal challenges were filed soon after the rules were adopted. Only a month later in April 2024, the SEC issued an order staying the rules pending resolution of the legal challenges.

The outcome of the 2024 presidential election will likely significantly impact the future of these rules. President-elect Trump strongly opposes the Biden administration’s climate agenda, and we expect his administration will take steps to undo these rules. The SEC announced that Chair Gensler will step down from the SEC in January 2025. Once a Trump-appointed SEC commissioner is confirmed by the Senate (resulting in a Republican-controlled SEC), we expect the SEC will commence the process of repealing the climate disclosure rules by initiating notice and comment rulemaking. We also expect the SEC to seek to maintain the administrative stay in place—or otherwise delay implementation or enforcement of the rules—until a repeal rule is finalized.

In addition to general principles of good disclosure, FPIs should nonetheless take note of disclosure rules adopted in the European Union, as well as the recently enacted series of climate-related legislation in California (the Climate Corporate Data Accountability Act (CCDAA), the Climate-Related Financial Risk Act (CRFRA) and the Voluntary Carbon Market Disclosures Act (VCMDA)). Proposals to delay compliance deadlines in the CCDAA and the CRFRA failed to pass during the state’s recently concluded legislative session, and as a result, in-scope companies will be required to report under those laws as early as 2026 (unless pending legal challenges succeed). The CCDAA and the CRFRA apply to legal entities formed in the United States which do business in California, which means that U.S. subsidiaries of FPIs may be subject to these laws.

Legislation amending the VCMDA failed to get a final vote before the legislature adjourned. The VCMDA became effective on January 1, 2024, and is intended to address “greenwashing” by requiring detailed disclosure of the methodology for tracking and verifying claims made within California by entities operating within California regarding net zero, carbon neutrality or significant greenhouse gas emissions reductions, as well as disclosure regarding voluntary carbon offsets purchased, used, marketed or sold within California. Unlike the CCDAA and the CRFRA, the VCMDA is not limited to companies formed in the United States. The VCMDA will require any covered disclosures to be updated at least annually, and companies should consider carefully how these disclosure requirements, if applicable to them, might affect their disclosures in SEC filings, including their Form 20-F. Although the VCMDA requires information be posted to a company’s website, companies may want to consider having a dedicated webpage gathering information in a single place or referencing in their sustainability reports where the information can be found.

For more detail on the California legislation, see our client update California lawmakers fail to delay compliance deadlines in landmark climate-related disclosure laws.

Discrepancy between earnings calls and periodic filings

Over the past year, the SEC has increasingly focused on discrepancies between disclosure in the OFR section and statements made in an earnings call. The SEC has questioned, among other matters, why a company strategy referenced in an earnings call is not discussed in OFR, whether metrics discussed on an earnings call are key performance indicators that also ought to be included in periodic filings, or whether a revenue stream discussed on an earnings call deriving from certain activities that do not consistently fall within a particular segment should be broken out in the notes to the financials included in periodic filings.

Given the scope of the SEC’s review process and focus on statements made by companies in earnings calls (or other forums, including the company’s website), when drafting OFR or other disclosure in periodic filings, FPIs should consider whether the disclosure in their periodic filings, including the Form 20-F, captures material information discussed or to be discussed on earnings calls so that there are no material discrepancies.

Non-GAAP financial measures

As discussed in our Preparing Your 2023 Form 20-F client update, in December 2022 the SEC’s Division of Corporation Finance posted new and updated C&DIs on non-GAAP financial measures that companies should review, in particular if they present non-GAAP measures (which term includes non-IFRS measures) in their Form 20-F. Non-GAAP measures continue to feature prominently in SEC comment letters and were also referenced as an area of focus in Director Gerding’s June 2024 statement on disclosure review. They could therefore benefit from careful review for compliance with the relevant rules and guidance.

As a reminder, Item 10(e) of Regulation S-K applies to Form 20-F filings. It requires:

• Presentation of the most directly comparable GAAP metric “with equal or greater prominence.”
• A quantitative reconciliation of the differences between the non-GAAP and GAAP metrics “by schedule or other clearly understandable method.”
• Explanation of the reasons management believes the non-GAAP metric provides useful information to investors.
• Explanation of the additional purposes, if any, for which management uses the non-GAAP metric.

Item 10(e) of Regulation S-K prohibits:

• Excluding any charge or liability that requires cash settlement from a non-GAAP liquidity measure, other than EBIT and EBITDA.
• Adjusting a non-GAAP performance measure to omit an item identified as “non-recurring,” “infrequent” or “unusual,” if the item is reasonably likely to recur within two years or there was a similar item in the past two years.
• Presenting a non-GAAP metric on the face of the GAAP financial statements or in the accompanying notes, or on the face of any required pro forma financial statements.
• Using titles or descriptions that are the same as, or confusingly similar to, titles or descriptions for GAAP financial measures.

SEC staff have informally indicated that the lack of “equal or greater prominence” (which generally means GAAP discussion should precede non-GAAP discussion) continues to be a top area where they identify non-compliance with the rules.

Refresh risk factors, forward-looking statements and OFR trends

Risk factors. Companies are required to include a discussion of the material factors that make an investment in the company speculative or risky. Risks that have begun to materialize should not be presented as hypothetical, as was highlighted by recent SEC enforcement actions. This means companies should take care not to say certain events “could” or “may” occur if they have already occurred. Instead, risk factors should describe how a risk has materialized and what the impact has been on the company. The risk factors disclosure could benefit from a fresh review to ensure material risks facing the company are appropriately disclosed, including risks stemming from emerging areas like AI discussed above (such as risks and opportunities relating to using or not using generative AI), risks regarding potential tariffs under the incoming U.S. administration, as well as any risks facing a company from the broadening or escalation of the current conflict in the Middle East.

Forward-looking statements. Companies can gain protection from liability by taking advantage of the safe harbor for forward-looking statements. But to do so, the cautionary language relating to any forward-looking statement should identify important factors that could cause actual results to differ materially from those in the forward-looking statements and be specifically tailored to the particular forward-looking statements. General boilerplate warnings are not sufficient. Consider whether the factors identified in last year’s 20-F continue to apply (or apply in the same way), and whether others might be added particularly to reflect updates made to risk factors.

Operating and financial review and prospects. Companies are required to describe in their OFR any known trends or uncertainties that have had or that are reasonably likely to have a material favorable or unfavorable impact on net sales or revenues or income from continuing operations, as well as any known trends or demands, commitments, events or uncertainties that will result in or that are reasonably likely to result in the company’s liquidity increasing or decreasing in any material way and any known material trends, favorable or unfavorable, in the company’s capital resources.

Refer to our client update SEC issues disclosure guidance on key performance indicators and metrics in MD&A for a discussion of the SEC’s 2020 interpretive guidance on this matter.

Inflation and interest rates

As discussed in our Preparing Your 2023 Form 20-F client update, inflation has affected and continues to affect companies in different industries. While inflationary pressures appear to have eased, current economic conditions might require additional disclosure beyond what has historically been provided in a more steady-state economic environment. Director Gerding noted in his June 2024 statement that “…this is not the time for issuers to revert to boilerplate disclosures. Any material ongoing impacts should be disclosed and we ask companies to not just note high level trends, but discuss the more particularized risks and impacts on their specific company.” Companies should consider additional disclosure in OFR trends, or otherwise in the period-on-period discussion, focused for example on how these trends have affected results of operations, sales, profits, capital expenditures or a company’s business and pricing strategy in the face of rising costs.

In addition, the cost of borrowing continues to be high for many companies relative to what it was for several years before 2023. Companies should consider updating disclosure (particularly in risk factors and OFR) to reflect any continuing impact they are experiencing from high interest rates and their ability to access capital markets.

Russia-Ukraine conflict

As discussed in our Preparing Your 2023 Form 20-F client update, in May 2022 the Division of Corporation Finance published a sample comment letter, stating that companies may have disclosure obligations under the federal securities laws related to the direct or indirect impact that Russia’s invasion of Ukraine and the international response thereto have had or may have on their business.

Since Russia’s invasion of Ukraine, many companies have experienced heightened cybersecurity risks, increased or ongoing supply chain challenges and volatility related to the trading prices of commodities (regardless of whether they have operations in Russia, Belarus or Ukraine) that may warrant disclosure.

Middle East conflict

While the Division of Corporation Finance has not yet published a sample comment letter on the conflict in the Middle East, the SEC staff has issued comments on registration statements relating to the conflict and its impact on a company’s business similar to comments it issued in relation to the impact of the war in Ukraine. If a company has any business exposure in Israel or in the Middle East more broadly, it should consider including disclosure of the potential (or actual) impact on its business and related risks stemming from the escalation or broadening of the conflict.

China-specific disclosure

As discussed in our Preparing Your 2023 Form 20-F client update, in July 2023 the Division of Corporation Finance published a sample comment letter regarding the disclosure obligations of companies based in or with a majority of their operations in the People’s Republic of China.

The comment letter focuses on three areas of disclosure related to China-specific matters:

• Reminding companies of their disclosure obligations under the Holding Foreign Companies Accountable Act, or HFCAA. Public companies identified as Commission-Identified Issuers under the HFCAA must comply with the submission and disclosure requirements under the HFCAA and SEC rules for each year in which they are identified, as discussed in our Preparing Your 2022 Form 20-F client update.
• Seeking more specific and prominent disclosure about material risks related to the role of the government of the People’s Republic of China in the operations of China-based companies.
• Noting that companies may need to make disclosures related to material impacts of certain statutes, such as the Uyghur Forced Labor Prevention Act.

Director Gerding reiterated in in his June 2024 statement that the SEC staff would continue to focus on these topics and to elicit disclosure from affected companies on the material risks they face from the Chinese government intervening in their operations in China.

Crypto assets disclosure

As discussed in our Preparing Your 2023 Form 20-F client update, in December 2022 the Division of Corporation Finance published a sample comment letter to companies regarding crypto asset market-related disclosure obligations. The letter includes non-exhaustive sample comments the Division of Corporation Finance may issue to companies about their disclosures (or the lack thereof) generally, as well as in the business description, risk factors and OFR sections. Companies should evaluate whether their businesses experienced or may be affected by recent developments in crypto assets, including exposure to liquidity risks, financing risks and risks related to legal proceedings, investigations or regulatory changes, and update their disclosures accordingly.

On May 22, 2024, the U.S. House of Representatives passed the Financial Innovation and Technology for the 21st Century (FIT 21) Act. The organizing principle for FIT 21 is to divide primary regulatory responsibility over transactions in digital assets between the Commodity Futures Trading Commission and the SEC. As of the date of this client update, the FIT 21 Act remains on the U.S. Senate floor.

Read our client update Crypto market structure bill draws closer to a floor vote in the House for further detail on the FIT 21 Act.

Commercial real estate

Director Gerding also highlighted commercial real estate (CRE) as a new disclosure priority in his June 2024 statement. He indicated that banks and other entities with significant CRE exposure are subject to several related risks, including heightened vacancy rates, elevated interest rates, extended loan maturities and increased loan delinquencies. He encouraged companies to consider these and other risk areas in their disclosure where more granular information could be provided to improve investors’ understanding of the attendant risks and how companies are addressing them.

Sanctions

In past years, the SEC has sent numerous comment letters to public companies seeking more detail about disclosures related to dealings in countries that are the subject of U.S. sanctions enforced by the Treasury Department’s Office of Foreign Assets Control (OFAC). OFAC continues to administer and enforce comprehensive sanctions with respect to Cuba, Iran, North Korea, Syria, the Crimea, Donetsk People’s Republic, and Luhansk People’s Republic regions of Ukraine and the government of Venezuela, as well as against targeted individuals and entities involved in narcotics trafficking, terrorism and terrorist financing, transnational crime, proliferation of weapons of mass destruction, malicious cyber activities and election interference, or corruption and human rights abuses. In addition, targeted sanctions apply to individuals and entities in or related to former regimes in the Balkans, Iraq, Libya and Ukraine and current regimes in Afghanistan, Belarus, Burma, the Democratic Republic of the Congo, Eritrea and Ethiopia, Nicaragua, Russia, South Sudan, Venezuela and Zimbabwe, individuals and entities engaged in specific acts in or related to the Central African Republic, Darfur, Hong Kong, Lebanon, Mali, Somalia, Sudan, the West Bank, and Yemen, and targeted individuals and entities operating in certain sectors of the Russian economy, and to publicly traded securities of or linked to certain companies that have been identified as part of China’s military-industrial complex.

In response to the Russian invasion of Ukraine in February 2022, the U.S. government imposed significant new sanctions against Russia, including territorial embargoes on the Donetsk People’s Republic and Luhansk People’s Republic regions of Ukraine, prohibitions on trade in certain goods and services between the United States and Russia and new investment in Russia by U.S. persons, asset blocking sanctions on a number of Russian individuals and entities, restrictions on transactions involving certain Russian financial institutions and Russia’s Central Bank, National Wealth Fund and Ministry of Finance, and restrictions on dealing in Russian sovereign debt and debt or equity of certain Russian companies. Additional or expanded sanctions may be imposed in the future. FPIs should ensure their sanctions policies, procedures and systems are up to date and that they are compliant with U.S. law and, to the extent they are doing business in sanctioned countries or territories or with sanctioned persons (even if permissible without violating applicable U.S. law), they should consider whether disclosure of such activities, or associated risks, is appropriate.

Nasdaq board diversity rules

As discussed in our Preparing Your 2023 Form 20-F client update, in August 2021 the SEC approved Nasdaq’s proposed diversity rules defining diversity objectives and requiring all companies subject to Nasdaq rules, including FPIs, to publicly disclose in matrix form information on directors’ voluntary self-identified gender and racial characteristics, and LGBTQ+ status. The rules became effective in August 2022 (with simplified compliance deadlines adopted in December 2022).

A Nasdaq-listed company currently must have, or explain why it does not have, at least one diverse director (two diverse directors by December 31, 2025), in each case subject to differing deadlines depending on a company’s listing date and Nasdaq market tier. The rules also require annual disclosure of a company’s diversity matrix by December 31. The compliance deadlines vary based on transition and phase-in accommodations for companies listed on or after August 6, 2021, as detailed in a Nasdaq listing center summary.

For FPIs, the disclosure must be provided in the Form 20-F. Alternatively, the information may be provided on the company’s website, provided the company posts the disclosure concurrently with its annual SEC filing and submits a URL link to the disclosure via email ([email protected]) or through the Nasdaq Listing Center, within one business day after such posting.

The Fifth Circuit is considering a challenge to the SEC’s decision to approve Nasdaq’s board diversity rules. The court heard oral arguments en banc in May 2024, and a decision could come soon. In the meantime, companies should continue to comply with the rules.

Read our client update Nasdaq board diversity rules approved by SEC for more information on the topic, as well as Nasdaq’s FAQs.