Disclosure Trends From the 2023 Reporting Season (March 2024)

Disclosure Trends From the 2023 Reporting Season

Background

The global business environment has experienced rapid transformation in recent years, marked by factors such as interest rate increases, a shift in the macroeconomic landscape, supply chain disruptions, and geopolitical tensions.1 Among these persistent trends, the transformative potential of generative artificial intelligence (AI) is poised to significantly influence world markets. In a complex and uncertain environment, financial reporting plays a crucial role in conveying to investors how companies navigate and are affected by broader global events.

This Financial Reporting Spotlight examines how Fortune 500 companies have addressed various disclosures in their latest annual reports in light of these evolving themes. It also provides insights into some new disclosure requirements that became effective this year. While disclosures are most meaningful when tailored to a company’s specific facts and circumstances, understanding broader trends may be informative.

New Disclosure Requirements

Cybersecurity (Form 10-K, Item 1C)

The SEC’s final rule 2 on cybersecurity disclosures, which became effective in December 2023, requires public companies to disclose in their annual reports material information regarding their cybersecurity risk management, strategy, and governance. The SEC did not intend to prescribe what good cybersecurity risk management, strategy, and governance look like; rather, the final rule gives registrants the flexibility to disclose sufficient information to allow investors to reach their own conclusions about whether an entity is practicing good “cyber hygiene.” While the details of the disclosures varied, most companies discussed:

Their use of the NIST3 or ISO4 cybersecurity frameworks.
A formal incident response plan.
Employee cybersecurity trainings, including phishing exercises.
Some level of penetration or vulnerability testing.

These percentages reflect a population of the Form 10-K filings of Fortune 500 companies subject to the SEC’s final rule on cybersecurity from the date on which the rule became effective (December 15, 2023) through February 29, 2024.

The chief information security officer (CISO) was the position most frequently mentioned by registrants (69 percent) as being primarily responsible for assessing and managing cybersecurity risks. In terms of board oversight, more than three-quarters of registrants indicated that the audit committee is responsible or partially responsible for overseeing cybersecurity risks. A recent survey of audit committees discussed in a joint report by Deloitte and the Center for Audit Quality highlighted that cybersecurity ranks first among audit committee priorities and that it regularly appears, along with AI, on audit committee agendas.

Executive Compensation Clawback

On December 1, 2023, all listed SEC registrants were required to begin using two new checkboxes on the cover page of Form 10-K in accordance with the SEC’s final rule 6 on executive compensation “clawback” policies. Since the rule’s effective date:

Thirteen Fortune 500 registrants checked Box 1, indicating that they were correcting an error in previous financial statements.7 Seven companies reported changes to the statements of financial position, income, or cash flows, while six companies reported changes to the footnotes only.
Two registrants also checked Box 2, indicating that a corrected error prompted a clawback analysis.

Disclosure Trends

Artificial Intelligence

Companies are disclosing more information about how they may be incorporating AI into their businesses as well as any associated challenges, including risks and potential disruptions to traditional operating models. Risk factors more frequently addressed specific legal and compliance requirements, such as those under the E.U. Artificial Intelligence Act, the risks of regulatory penalties, and the potential growth of AI-enabled cyberattacks.

SEC Chair Gary Gensler has warned against potential “AI washing” (i.e., making unfounded AI-related claims), emphasizing that “[c]laims about prospects should have a reasonable basis” and that companies may need to “define for investors what they mean when referring to AI” (e.g., machine learning, algorithms, generative AI).

Hereafter, “percentage of companies disclosing” refers to our comparison of (1) the current-year Form 10-K filings (i.e., from July 1, 2023, to February 29, 2024) of a population of Fortune 500 companies with (2) those of the prior year (i.e., from July 1, 2022, to March 1, 2023).

“Percentage of disclosures by section” in the tables throughout this publication refers to our comparison of (1) the number of registrants in a population of Fortune 500 companies that discussed a given topic in a specific section of their current-year annual reports with (2) the total number of registrants that addressed that topic in their Form 10-K filings. We based the comparison on a search of keywords related to the topic being discussed in each section. If registrants discussed a topic in multiple annual report sections, the total percentages for that topic may exceed 100 percent.

Income Taxes — Pillar Two

Many registrants enhanced their tax legislation risk factor disclosures to encompass the potential material risk posed by changes in tax laws in relevant jurisdictions, including the global minimum tax under the “Pillar Two”10 framework. MD&A disclosures often addressed relevant jurisdictions that have announced plans to enact new tax laws11 related to the global minimum tax. Registrants operating primarily in jurisdictions that have not yet enacted such laws often disclosed that Pillar Two had no material impact on their reporting as of the fiscal year-end. Most registrants indicated that they are continuing to evaluate the impact of the global minimum tax.

Macroeconomic Issues

Inflation

Registrants continued to discuss the actual and potential impacts of inflation, such as decreased demand for their products or services as a result of higher prices and increased costs of products and services procured, including the cost of labor. They noted that the labor market remains tight, which they attribute to intensified competition for talent coupled with the ongoing challenges associated with local and global supply-chain disruptions as a result of the labor shortages. Multinational companies discussed risks or impacts related to doing business in a hyperinflationary economy.

The SEC staff continues to issue comment letters to request greater detail about the factors responsible for material changes in results, including inflation.12

Interest Rates

The disclosures in the notes to the financial statements and MD&A generally focused on the impact of changes in interest rates on a registrant’s financial statements (e.g., interest on variable rate debt, valuation of interest-rate-sensitive instruments, discount rates used in impairment assessments). Risk factors generally addressed the potential impact of increases in interest rates on the registrant’s business, financial condition, and results of operations, including the broader consequences of elevated interest rates such as strain on suppliers, reduced customer demand due to lower discretionary cash flows, and a lower-growth economic environment.

Elevated interest rates, among other factors, have also significantly affected the commercial real estate13 (CRE) industry, including investors and lenders. We observed notable increases in national banks’ loss reserves and charge-offs associated with their CRE lending activities, particularly with respect to office space. In addition, in December 2023, the SEC staff sent comment letters to regional banks to request that they further disaggregate their CRE portfolios and risk management strategies. Although the letters were issued just to regional banks, registrants with exposure to CRE may wish to consider them as well.

Climate Change

Business section disclosures primarily addressed a registrant’s sustainability activities, whereas in MD&A, registrants discussed how climate change might affect the company’s financial condition, results of operations, and growth prospects. Climate change disclosures are becoming more granular and contain more specific risk factors that address a variety of impacts, such as physical impacts, reputational risk, and regulatory risk, including the effects of the E.U. Corporate Sustainability Reporting Directive (CSRD)14 as well as California’s Climate Corporate Data Accountability Act and the Climate-Related Financial Risk Act.15

We expect that disclosures about climate-related matters will continue to evolve as companies approach adoption of the SEC’s final rule 16 on this topic.

Conclusion

The SEC encourages registrants to clearly disclose material risks, trends, and uncertainties related to the current environment. As the business landscape continues to evolve, registrants should assess their disclosures and consider whether they continue to reflect their current circumstances.

Contacts

	Doug Rand Audit & Assurance Managing Director Deloitte & Touche LLP +1 202 220 2754 dorand@deloitte.com		James Howell Audit & Assurance Senior Manager Deloitte & Touche LLP +1 312 486 1496 jamhowell@deloitte.com
	Ragan Powell Audit & Assurance Senior Manager Deloitte & Touche LLP +1 469 417 2356 rpowell@deloitte.com		Cody Yettaw Audit & Assurance Senior Manager Deloitte & Touche LLP +1 313 394 5505 cyettaw@deloitte.com
	Sam Paolini Audit & Assurance Manager Deloitte & Touche LLP +1 215 299 4577 sacolloi@deloitte.com

Footnotes

See Deloitte’s September 15, 2023, Financial Reporting Alert for further discussion of accounting and reporting considerations related to macroeconomic and geopolitical challenges.

SEC Final Rule Release No. 33-11216, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. See Deloitte’s July 30, 2023 (updated December 19, 2023), Heads Up for a discussion of the final rule.

National Institute of Standards and Technology.

International Organization for Standardization.

SEC Final Rule Release No. 33-11126, Listing Standards for Recovery of Erroneously Awarded Compensation. For more information about the final rule, see Deloitte’s November 14, 2022, Heads Up.

All error corrections were reported as immaterial restatements and did not result in amendments to prior filings.

For more information and answers to frequently asked questions about Pillar Two, see Deloitte’s March 5, 2024, Financial Reporting Alert.

The Organisation for Economic Co-operation and Development (OECD) provides jurisdictional legislation updates on its Web site.

See Deloitte’s Roadmap SEC Comment Letter Considerations, Including Industry Insights for further information.

See Deloitte’s May 22, 2023, Financial Reporting Alert for further discussion of these conditions and relevant accounting and reporting considerations.

See Deloitte’s August 17, 2023 (updated February 23, 2024), Heads Up for responses to frequently asked questions about the CSRD.

See Deloitte’s October 10, 2023 (last updated December 19, 2023), Heads Up for more information about California’s climate legislation.

SEC Final Rule Release No. 33-11275, The Enhancement and Standardization of Climate-Related Disclosures for Investors. See Deloitte’s March 6, 2024, and March 15, 2024, Heads Up newsletters for an executive summary and comprehensive analysis, respectively, of the SEC’s climate rule.

The Spotlight series is prepared by members of Deloitte’s National Office. New issues in the series are released as developments warrant. This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

As used in this document, “Deloitte“ means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.