This article originally appeared in the October 1998 issue of The Metropolitan Corporate Counsel and is republished with their permission. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of The Metropolitan Corporate Counsel.
SEC ISSUES INTERPRETIVE RELEASE ON YEAR 2000
DISCLOSURE REQUIREMENTS
By James P. Prenetta, Jr. and Charles J. Spiess*
In response to inadequacies in the quality of disclosure being made by public companies on Year 2000 ("Y2K") issues, on July 29, 1998 the Securities and Exchange Commission (the "SEC") unanimously approved the issuance of an interpretative release entitled "Disclosure of Year 2000 Issues and Consequences by Public Companies, Investment Advisers, Investment Companies and Municipal Securities Issuers" (the "Release").1 The Release, which became effective on August 4, 1998, provides specific guidance to public companies concerning their Y2K disclosure obligations under the current requirements of the federal securities laws.2
Public companies are required to follow the guidance contained in the Release in each quarterly filing made after August 4, 1998 and public companies with June 30th or July 31st year ends are required to follow the Release when they file their next annual report. The Release supercedes guidance provided earlier this year by the SEC in revised Staff Legal Bulletin No. 5.
Specific Guidance
The Release primarily focuses on Y2K disclosure obligations arising in the context of a public company's "Management's Discussion and Analysis of Financial Condition and Results of Operations" ("MD&A"), which discussion requires disclosure of known events, trends and uncertainties likely to have a material effect on the company's financial condition and results of operations.3 Under the guidance provided by the Release, Y2K disclosure is required by a company if (i) its assessment of its Y2K issues is not complete, or (ii) management determines that the consequences of the company's Y2K issues would have a material effect on the company's business, results of operations or financial condition, without taking into account the company's efforts to avoid those consequences.
Under the first test, a company must examine the nature of its relationships with third parties, such as its vendors and suppliers, to determine whether such relationships are material and, if material, whether such third parties are Y2K compliant. According to the SEC, relationships with vendors and suppliers will be material "if there would be a material effect on the company's business, results of operations, or financial condition if they do not timely become Year 2000 compliant."4 The SEC advises that companies should conduct an analysis of their material customers to determine whether such customers' Y2K readiness could result in a material loss of business to the company and that companies should also evaluate their own potential liability to third parties, resulting from possible legal actions for breach of contract or other harm, if their systems are not Y2K compliant. In the SEC's view, "a company's Year 2000 assessment is not complete until it considers these third party issues and takes reasonable steps to verify the Year 2000 readiness of any third party that could cause a material impact on the company."5
Under the second test, the SEC has indicated that companies must assume, in the absence of "clear evidence of readiness,"6 that they will not be Y2K compliant and must weigh the likely results of this unpreparedness. In addition, companies must also assume that third parties with which they have a material relationship will not be Y2K compliant in a timely fashion, unless they have received from such parties written assurances to the contrary. According to the SEC, the second test is "driven by measuring the consequences if the company is not prepared, rather than the amount of money the company spent, or plans to spend, to address this issue."7
What to Disclose
Once a company has determined that it has a Y2K disclosure obligation, the SEC states that, at a minimum, the following categories of information must be discussed in the company's MD&A: (1) the company's state of readiness; (2) the costs to address the company's Y2K issues; (3) the risks of the company's Y2K issues; and (4) the company's contingency plans. The SEC emphasizes that each company must consider its own unique circumstances in developing its Y2K disclosure, should quantify potential liabilities to the extent practicable and should avoid the use of generalities and boilerplate language.8 The SEC provides the following guidance concerning the four categories of information required to be disclosed.
The Company's State of Readiness. The SEC states that a description of a company's Y2K readiness should generally cover, at a minimum, the following three elements. First, the disclosure should include a discussion of all of the company's information technology and non-information technology systems (i.e., embedded technology such as microcontrollers), including, in the case of companies in industries such as software and hardware manufacturers, a discussion concerning whether their products and services will be Y2K compliant and the resulting consequences of any such noncompliance.
Second, with respect to their information technology and non-information technology systems, companies should discuss where they are in the process of becoming Y2K compliant. Such disclosure should include the status of the company's progress, identified by phase, and estimated timetables for completion of each remaining phase. The SEC advises that companies should give serious consideration to disclosing the following information at the end of each reporting period: (i) the kinds and percentages of the company's hardware and software systems which have been tested and verified to date for Y2K compliance, (ii) the kinds and percentages of embedded systems which have been tested and verified for Y2K compliance, and (iii) details concerning the type of testing and verification methodology which has been used.
Third, the description of a company's Y2K issues should address the risks resulting from third parties with which they have a material relationship, including the status of the company's assessment of these third party risks. Third party risks can be assessed by, among other things, attempting to get written assurances from third parties that they will be Y2K compliant by December 31, 1999.
The Costs to Address the Company's Y2K Issues. Companies must disclose material historical and estimated costs of remediation, including costs directly associated with correcting Y2K problems, such as modifying software and hiring consultants to analyze and address Y2K issues.9 According to the SEC, the cost of replacing non-compliant information technology systems should generally be disclosed as estimated Y2K costs, even if the company had planned to replace the system at a later date.
The Risks of the Company's Y2K Issues. Companies must include a description of "their most reasonably likely worst case Year 2000 scenarios"10 including estimated material lost revenue due to Y2K issues. If the company is unable to determine this scenario, this uncertainty must be disclosed, as well as the efforts which the company has made to analyze the uncertainty and how the company intends to deal with such uncertainty.
The Company's Contingency Plans. Companies must also describe how they are preparing to handle their most reasonably likely worst case Y2K scenario. Under this category, the company must describe its contingency plans. Such discussion should (i) identify the systems and third party risks that the plan addresses, (ii) include an analysis of strategies and available resources to restore operations, and (iii) describe the company's recovery program including the identities of participants, processes and any significant equipment needed. In the event that a company has not established a contingency plan, it must acknowledge that no such plan exists and must indicate whether, and on what timeframe, it intends to create a contingency plan.
Additional Guidance
The SEC also provided the following suggestions intended to help companies meet their Y2K disclosure obligations:
7 Disclose historical and estimated costs related to Y2K issues;
7 Disclose, as of the end of each reporting period, how much of the total estimated Y2K project costs have already been incurred;
7 Identify the source of funds for Y2K costs, including the percentage of the information technology systems budget used for remediation;
7 Explain if other information technology systems projects have been deferred due to the Y2K efforts, and the effects of this delay on financial condition and results of operations;
7 Describe any independent verification and validation processes being used to assure the reliability of risk and cost estimates;
7 Use a chart to provide Y2K disclosure; and
7 Breakdown Y2K costs, such as disclosure of costs to repair software problems and costs to replace problem systems and equipment.
Safe Harbor
In recognition of the fact that most of the MD&A disclosures required by the new Y2K requirements are forward-looking statements and to encourage companies to provide more meaningful Y2K disclosure, the SEC has taken the unusual step of providing interpretative guidance on the application of the two statutory safe harbors for forward-looking information provided by the Private Securities Litigation Reform Act of 1995.11 The Release provides that the statutory safe harbors apply to material Y2K forward-looking statements that are accompanied by "meaningful cautionary statements."12 These statutory safe harbors, however, only offer limited protection since they do not apply to initial public offerings or to statements which were knowingly false at the time they were made and apply only in private actions in federal courts.
In the Release, the SEC provided the following examples of Y2K disclosure which are forward-looking: projections of capital expenditures or other financial items, such as the estimated costs of remediation and testing; assumptions concerning estimated costs or plans for future operations; contingency plans that assess which scenarios are most likely; and the estimated future cost due to business disruption caused by suppliers, customers or vendors or from the possible loss of electric power or phone service. In addition, the SEC indicated that a description of anticipated problems and timetables for implementation of future phases of Y2K remediation, including estimates of how long internal and third-party testing phases will take, constitute forward-looking statements up until the time the phases are complete. In contrast, the SEC provided the following examples of Y2K disclosure which are not forward-looking: whether the company has a contingency plan at all; whether the company has actually performed an assessment; and whether the company has performed an inventory of hardware, software, and embedded costs.
Conclusion
Although the impact of the Y2K "bug" remains unclear, the SEC has sent a clear message to public companies and their lawyers and accountants regarding the breadth of disclosure which the SEC expects companies to provide concerning their Y2K issues. The SEC has also sent an equally clear message that the SEC expects companies to take appropriate action to correct their Y2K issues in an expeditious fashion.
* James P. Prenetta, Jr. is a partner and Charles J. Spiess is an associate in Kelley Drye's Securities Practice Group.
1. Release No. 33-7558, 63 Fed. Reg. 41394 (August 4, 1998).
2. Although not addressed in this article, the Release also provides guidance to investment advisers, investment companies and municipal securities issuers concerning their Y2K disclosure obligations.
3. In addition to the required MD&A disclosure, the SEC reminds companies that they must consider their Y2K disclosure obligations in connection with the following six additional federal securities rules or regulations: (1) Description of Business (Item 101 of Regulation S-K), (2) Legal Proceedings (Item 103 of Regulation S-K), (3) Material Contracts (Item 601(b)(10) of Regulation S-K), (4) Risk Factors (Item 503(c) of Regulation S-K), (5) Form 8-Ks and (6) any additional material information necessary to make the required disclosure not misleading (Rule 408 of the Securities Act of 1933 and Rules 12b-20 and 14a-9 of the Securities Exchange Act of 1934).
4. 63 Fed. Reg. at 41398.
5. Id. at 41398-41399.
6. Id.
7. Id.
8. The following example was provided by the SEC and shows the type of boilerplate language that the SEC deems to be unacceptable:
"The Company has not yet completed its assessment, but currently believes that costs of addressing this issue will not have a material adverse impact on the Company's financial position. However, if the Company and third parties upon which it relies are unable to address this issue in a timely manner, it could result in a material financial risk to the Company. In order to assure that this does not occur, the Company plans to devote all resources required to resolve any significant Y2K issues in a timely manner."
Sample provision distributed by the SEC at their July 29, 1998 meeting.
9. 63 Fed. Reg. at 41400.
10. Id.
11. Securities Act of 1993, Section 27A (15 U.S.C.A. 77z-2 (1995)); Securities Exchange Act of 1934, Section 21E (15 U.S.C.A. 78u-5 (1995)).
12. 63 Fed. Reg. at 41397 (citation omitted).