Disclosure Trends From the 2024 Reporting Season (April 2025)

Disclosure Trends From the 2024 Reporting Season

Background

The global business environment continues to undergo rapid transformation. In addition to regulatory changes, shifts in the macroeconomic and global trade landscape, and geopolitical tensions, generative artificial intelligence (AI) is continuing to transform the ways companies operate. In this complex and uncertain environment, clear financial reporting remains crucial in conveying to investors how companies navigate and are affected by broader global events and trends.

We have examined how Fortune 500 companies have addressed various disclosures in their latest annual reports in light of these evolving themes. This Financial Reporting Spotlight offers insights into how companies have approached those disclosures and examines the new segment disclosures required this year. While disclosures are most meaningful when tailored to a company’s specific facts and circumstances, understanding broader trends may be informative.

New Disclosure Requirements

Reportable Segment Disclosures

ASU 2023-07 1 added the requirement for public entities to disclose, in the segment footnote, the expense categories and amounts of significant segment expenses that are regularly provided to the chief operating decision maker (CODM) and included in the segment measure(s) of profit and loss and certain other additional disclosures. The ASU became effective for all public entities for fiscal years beginning after December 15, 2023, and was adopted by calendar-year-end companies in their 2024 Form 10-K.2

Segment disclosures, including those on significant segment expenses, reflect how management views the business. Such disclosures are therefore based on a company’s unique facts and circumstances and will vary widely among registrants, even those in similar industries. Not surprisingly, companies have differed in both the number of significant segment expenses identified and the nature of those expenses.

The CODM’s title and position now must be disclosed, along with an explanation of how the CODM uses the reported segment measure(s). About 86 percent of Fortune 500 filers disclosed that the CODM is the chief executive officer. Companies most frequently cited “budget to actual variance analyses” when describing how the CODM uses the measure of performance to allocate resources and make decisions. Disclosures also noted the CODM’s use of the measure of performance in forecasting, developing the annual plan, and determining management’s compensation and incentives.

ASU 2023-07 also permits, but does not require, companies to disclose more than one measure of segment profit or loss used by the CODM, provided that at least one of the reported measures includes the segment profit or loss measure that is most consistent with GAAP measurement principles. About 7 percent of Fortune 500 filers disclosed a voluntary additional measure of segment performance that was also consistent with GAAP (e.g., segment operating income and segment net income), with 1 percent disclosing a voluntary additional measure of performance that was a non-GAAP measure (e.g., segment-adjusted operating income and segment EBITDA3).

Cybersecurity (Form 10-K, Item 1C)

The SEC’s final rule 4 on cybersecurity disclosures became effective in December 2023; thus, for the second year, public companies were required to disclose in their annual reports material information regarding their cybersecurity risk management, strategy, and governance. Since the release of the final rule, the SEC has emphasized that disclosures should (1) represent processes registrants have in place and are not aspirational; (2) contain sufficient detail for a reasonable investor to understand those processes, including oversight of third-party service providers; (3) take into account the expertise of all management personnel responsible for managing cybersecurity risk; and (4) not be hypothetical if such cybersecurity risks have already materialized. While the details of the disclosures varied, in 2024 most companies expanded their cybersecurity disclosures from the prior year, as shown in the following chart:

These percentages reflect a comparison of a population of Fortune 500 companies’ Form 10-K filings between (1) March 1, 2024, to March 3, 2025 (“2024”), and (2) December 15, 2023 (the date on which the final rule became effective), to February 29, 2024 (“2023”).

National Institute of Standards and Technology.

International Organization for Standardization.

The chief information security officer continues to be the position that registrants most frequently mention (72 percent in 2024 compared with 69 percent in 2023) as being primarily responsible for assessing and managing cybersecurity risks. Regarding board oversight, 81 percent of registrants indicated that the audit committee is responsible or partially responsible for managing cybersecurity (76 percent in 2023), while nearly half of registrants disclosed that they reported on cybersecurity risks on at least a quarterly basis to those responsible for overseeing such risks. A recent survey of audit committees discussed in a joint report 8 by Deloitte and the Center for Audit Quality (CAQ) highlighted that cybersecurity continues to be ranked first among audit committee priorities and that it regularly appears, along with AI governance and sustainability reporting, on audit committee agendas.

Executive Compensation Clawback

In 2023, the SEC mandated that all listed registrants use two new checkboxes on the cover page of Form 10-K to address executive compensation “clawback” policies.9 In the 2024 reporting period:

Fifteen Fortune 500 registrants10 marked Box 1 (up from thirteen in 2023), indicating that they were correcting an error in previous financial statements. Among these, eleven companies reported changes to the statements of financial position, income, or cash flows, while four companies noted adjustments solely in the footnotes.
Six registrants also checked Box 2 (up from two in 2023), indicating that a corrected error prompted a clawback analysis.

Because this rule has been in effect for a year, the SEC staff has shared some additional observations regarding its expectation that, for any material or required immaterial restatement, Box 2 should be checked and disclosures related to the clawback analysis should be provided. A registrant must provide such disclosures, including a brief explanation of why the recovery policy yielded the resulting conclusion, regardless of whether a clawback is ultimately required (e.g., because the restatement did not affect measures that drive compensation).

Disclosure Trends

Artificial Intelligence

As AI technologies become more ubiquitous in the business world, registrants are increasingly discussing the extent to which they have integrated or will integrate AI into their operations. References to AI, generative AI, or other AI-related matters continue to be incorporated heavily into registrants’ risk factors and business sections. Companies continue to disclose information about how they are using, or plan to use, generative AI in their businesses as well as any associated challenges, including risks related to traditional operating models, operational and market dynamics, data privacy, and labor market effects.

Hereafter, “percentage of companies disclosing” refers to our comparison of a population of Fortune 500 companies’ Form 10-K filings between (1) March 1, 2024, to March 3, 2025 (“2024”) and (2) March 2, 2023, to February 29, 2024 (“2023”).

“Percentage of disclosures by section” in the tables throughout this publication refers to our comparison of (1) the number of registrants in a population of Fortune 500 companies that discussed a given topic in a specific section of their 2024 Form 10-K (i.e., filings between March 1, 2024, and March 3, 2025) with (2) the total number of registrants that addressed that topic in their Form 10-K filings. We based the comparison on a search of keywords related to the topic being discussed in each section. If registrants discussed a topic in multiple annual report sections, the total percentages for that topic may exceed 100 percent.

Risk factors more frequently include specific legal and compliance requirements, such as the costs and burdens of complying with international (e.g., EU Artificial Intelligence Act), federal, and state policies; risks of regulatory penalties; and the potential growth of AI-enabled cyberattacks.

The SEC staff has cautioned against the potential for “AI washing” (i.e., making unfounded AI-related claims), emphasizing that companies should have a basis for any claims they disclose about AI. The staff has also encouraged companies with material AI risks to consider disclosing information about AI risk management and corporate governance policies.

Income Taxes — Pillar Two

Many registrants continue to enhance their tax legislation risk factor disclosures to reflect the material risk posed by changes in tax laws in relevant jurisdictions, including the global minimum tax under the “Pillar Two”13 framework, which many jurisdictions have adopted, with changes beginning in 2024 and other changes expected to take effect in 2025. Most registrants have noted the uncertainty in the timing, scope, and impact of the United States’s adoption of the framework. MD&A and financial statement disclosures often addressed relevant jurisdictions that have enacted the new tax laws14 related to the global minimum tax for the fiscal year-end and included a description of the extent of the economic impact. The SEC staff has encouraged companies to provide an estimate of the impact or a range of possible impacts.

Global Trade

The macroeconomic landscape has been changing rapidly in response to increased global trade tensions associated with the implementation of new tariffs, affecting various industries and market dynamics. Registrants have disclosed, primarily within the risk factors section, that these tariffs are likely to affect their cost structures, profitability of their companies, and consumer demand and that they may need to make strategic adjustments to avoid potential issues with global supply chains. Further, many registrants have disclosed that these tariffs, along with retaliatory tariffs and related regulations and restrictions, may lead to increased volatility in operating costs and sales margins. We expect companies’ disclosures related to this topic will continue to evolve throughout 2025.

Sustainability

While regulatory requirements for sustainability disclosures are evolving, highlighted by the SEC’s recent withdrawal of its legal defense for its currently stayed climate disclosure final rule 15 and the European Commission’s proposed omnibus initiative, most registrants have continued to disclose sustainability matters in their annual reports under existing disclosure requirements, including the SEC’s 2010 interpretive guidance on climate-change disclosures. Business section disclosures primarily addressed a registrant’s sustainability activities, including net zero or carbon neutral commitments (such disclosures were provided by approximately a quarter of the Fortune 500 companies). On the other hand, in MD&A, registrants discussed how climate matters might affect their financial condition, results of operations, and growth prospects. Given the evolving regulatory landscape, climate-related disclosures are becoming more granular and contain more specific risk factors that address a variety of impacts, such as physical impacts; reputational risk; and regulatory risk, including the effects of the E.U.’s Corporate Sustainability Reporting Directive (CSRD),16 International Sustainability Standards Board (ISSB) IFRS S2,17 and California’s Climate Corporate Data Accountability Act and Climate-Related Financial Risk Act.18

Conclusion

The SEC encourages registrants to clearly disclose material risks, trends, and uncertainties related to the current environment. As the business landscape evolves, registrants should continue to assess their disclosures and consider whether they still reflect their current circumstances.

Contacts

If you have questions about this publication, please contact the following Deloitte professionals:

	Sean May Audit & Assurance Partner Deloitte & Touche LLP +1 415 783 6930 semay@deloitte.com		Christine Mazor Audit & Assurance Partner Deloitte & Touche LLP +1 212 436 6462 cmazor@deloitte.com
	John Wilde Audit & Assurance Partner Deloitte & Touche LLP +1 415 783 6613 johnwilde@deloitte.com		Doug Rand Audit & Assurance Managing Director Deloitte & Touche LLP +1 202 220 2754 dorand@deloitte.com
	Samantha Paolini Audit & Assurance Senior Manager Deloitte & Touche LLP +1 215 299 4577 sacolloi@deloitte.com		Cody Yettaw Audit & Assurance Senior Manager Deloitte & Touche LLP +1 313 394 5505 cyettaw@deloitte.com
	Megan D’Alessandro Audit & Assurance Manager Deloitte & Touche LLP +1 203 563 2368 medalessandro@deloitte.com

Footnotes

FASB Accounting Standards Update (ASU) No. 2023-07, Segment Reporting (Topic 280): Improvements to Reportable Segment Disclosures.

We examined the adoption of ASU 2023-07 by Fortune 500 companies that have filed as of March 3, 2025, and whose fiscal years began on or after December 15, 2023. This represents approximately 70 percent of the Fortune 500; the remainder consists of non–calendar-year-end companies. See Deloitte’s November 30, 2023 (last updated September 10, 2024), Heads Up for a discussion of ASU 2023-07.

Earnings before interest, taxes, depreciation, and amortization.

SEC Final Rule Release No. 33-11216, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. See Deloitte’s July 30, 2023 (updated December 19, 2023), Heads Up for a discussion of the final rule.

National Institute of Standards and Technology.

International Organization for Standardization.

The population covered in the Deloitte and CAQ joint report differs from that used in this publication (see footnote 5); therefore, the applicable cybersecurity percentages may vary from those shown herein. However, it is clear from both populations that reporting to the audit committee and quarterly reporting are key components of cybersecurity oversight.

SEC Final Rule Release No. 33-11126, Listing Standards for Recovery of Erroneously Awarded Compensation. For more information about the final rule, see Deloitte’s November 14, 2022, Heads Up.

These amounts refer to our comparison of a population of Fortune 500 companies’ Form 10-K filings (excluding amendments) between (1) March 1, 2024, to March 3, 2025 (“2024”), and (2) March 2, 2023, to February 29, 2024 (“2023”). All error corrections were reported as immaterial restatements and did not result in amendments to prior filings.

For more information and answers to frequently asked questions about Pillar Two, see Deloitte’s March 5, 2024 (last updated November 8, 2024), Financial Reporting Alert.

The Organisation for Economic Co-operation and Development (OECD) provides jurisdictional legislation updates on its Web site.

SEC Final Rule Release No. 33-11275, The Enhancement and Standardization of Climate-Related Disclosures for Investors. See Deloitte’s March 6, 2024 (last updated April 8, 2024), and March 15, 2024 (last updated April 8, 2024), Heads Up newsletters for an executive summary and comprehensive analysis, respectively, of the SEC’s climate rule.

See Deloitte’s August 17, 2023 (updated February 23, 2024), Heads Up for responses to frequently asked questions about the CSRD.

IFRS S2, Climate-Related Disclosures.

See Deloitte’s October 10, 2023 (last updated December 19, 2023), Heads Up for more information about California’s climate legislation.

The Spotlight series is prepared by members of Deloitte’s National Office. New issues in the series are released as developments warrant. This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

As used in this document, “Deloitte“ means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.