2024 Q3 Accounting and SEC Update
Weaver’s third quarterly Accounting and SEC Update of 2024 covered the U.S. Supreme Court’s decision to overturn the Chevron doctrine, recent developments in cybersecurity and accounting reminders regarding goodwill impairment and other considerations.
Supreme Court Overturns Chevron Deference
The U.S. Supreme Court’s recent ruling in Loper Bright Enterprises et al. v. Raimondo, Secretary of Commerce, et al. (Loper Bright) overturned a decision known as the Chevron doctrine, which required courts to defer to the agency interpretation of a silent or ambiguous statute even if the reviewing court read the statute differently. The ruling in Loper Bright has the potential to bring challenges to a wide range of regulations as well as lead to longer periods for issuing guidance.
Chevron Deference & Loper Bright
Traditionally, courts independently examined a federal statute to determine its meaning. In 1984, the U.S. Supreme Court made a marked departure from this approach with its holding in Chevron U.S.A., Inc. v. National Resource Defense Council, Inc. (Chevron), which articulated a two-step approach to reviewing agency actions. First, courts were to “determine whether Congress ha[d] directly spoken to the precise question at issue.” If congressional intent was clear, the courts were to “reject administrative constructions that are contrary to clear Congressional intent.” Second, if “the statute [was] silent or ambiguous with respect to the specific issue,” the reviewing court had to defer to the agency if the agency had offered “a permissible construction of the statute.” If Congress did not address the issue with a certain level of specificity, the agency’s interpretation was “entitled to deference.”
In 2022, the Supreme Court adopted the “major questions” doctrine, weakening Chevron deference by requiring clear congressional authorization before regulators can act.
In Loper Bright, herring fishermen challenged the Magnuson-Stevens Act (MSA), which allows the National Oceanic and Atmospheric Administration (NOAA) to require monitors on commercial fishing boats to ensure ethical fishing practices. The MSA also requires certain types of fishing boats to pay for their monitors. Although herring boats were not listed as required to pay for monitors, the NOAA required the herring boats to do so. The herring fishermen contested this, but according to Chevron deference, the lower courts were stuck with the agency’s interpretation that herring boats must pay because the law was silent. This led to the U.S. Supreme Court ruling, which held that courts must independently assess an agency’s actions within its legal authority rather than automatically deferring to agency interpretations in cases of ambiguity or silence. This decision overruled Chevron.
Challenges Ahead
Already, dozens of federal lawsuits challenging regulations have cited the Loper Bright decision, and the U.S. Supreme Court has sent cases back to lower courts for reconsideration. The Loper Bright decision is likely to impact a wide range of regulations in tax, such as challenges to Treasury regulations, Internal Revenue Service guidance and the Inflation Reduction Act. In anticipation of these challenges, companies should review their tax positions to determine if there are any issues with a regulation under challenge, denied deductions or other areas that could be impacted.
For the financial sector, the decision could affect the U.S. Securities and Exchange Commission (SEC) rules on insider trading, cryptocurrency and climate reporting. The SEC’s climate and environmental, social and governance (ESG) agenda faces heavy scrutiny from industry participants and activists, and the agency dissolved its Climate and ESG Task Force in 2024.
Other regulatory areas that have old laws with robust agency interpretation are ripe for litigation. These include industries such as energy, technology, telecom and health care and a wide variety of issues including labor laws.
Cybersecurity Update: SolarWinds and CrowdStrike
Two recent cybersecurity events provide companies with important lessons around both cybersecurity plans and documentation, as well as around communication and disclosures.
SolarWinds – Litigation and Lessons Learned
The SolarWinds breach in 2020 was a cyberattack in which a nation-state group gained access to the networks of thousands of SolarWinds customers. The hackers used a sophisticated supply chain attack to install malware in a core platform used for software updates. The updates were then distributed to customers without their knowledge, giving the hackers a backdoor to the customers’ systems.
The SEC filed a complaint against SolarWinds and its chief information security officer (CISO) at the time. The SEC alleged that the CISO made material misrepresentations and omissions in the company’s cybersecurity program and charged both the company and the CISO with violating anti-fraud provisions, SEC disclosure rules and internal control requirements.
The U.S. District Court dismissed most of the allegations described above, noting that the internal accounting controls clause in the SEC rules does not include cybersecurity controls. The court also ruled that the company’s cybersecurity risk disclosures were sufficient, and the CISO’s general statements in public about the company’s dedication to security standards were “non-actionable corporate puffery.” The court found that the company issued its Form 8-K filings in a timely fashion, and the disclosures were not misleading. The court did, however, uphold that statements regarding security on the company’s website could lead to securities fraud liability.
Companies should take away several important lessons from the SolarWinds breach and related litigation:
- File your Form 8-K timely.
- Develop an Incident Response Plan (IRP). During incidents, follow the IRP and keep documentation of evaluations, actions and results.
- Classify levels of incidents and the necessary outcomes.
- Practice your IRP through an incident response tabletop exercise. Understand the communication required based on the incident and whether it rises to a level of a disclosure.
- Check all locations where there are security statements, including websites. Review these statements from the perspective of a policy commitment rather than that of marketing language.
CrowdStrike Business Interruption Incident
CrowdStrike’s business interruption incident involved a faulty automatic software update that contained a critical logic error, which caused a widespread system crash on Windows machines.
A key lesson from the incident is that reliance on a single cybersecurity provider can create a weakness if a major outage occurs. Companies should improve their third- and fourth-party risk management by thoroughly assessing and managing risks associated with vendors, including their processes for vetting and rolling out software updates, and potential vulnerabilities.
Companies should also have robust and effective testing procedures. The incident highlights the need for rigorous testing of software updates and the need for business continuity plans to mitigate disruptions caused by third-party outages. This should include testing of processes that support disaster recovery and business continuity plans, like backups and restores. Companies should also implement updates in stages with a controlled rollout to identify and address potential issues before full deployment.
Accounting Reminders
The Financial Accounting Standards Board did not issue any accounting standards updates during the second or third quarters, so the Q3 accounting update focused on year-end impairment tests and other reminders as we head into the fourth quarter.
Year-End Impairment Tests under ASC 350
Intangible assets are accounted for in accordance with ASC 350-30, and the test for impairment depends on whether an asset is definite lived or indefinite lived.
Definite lived assets, in which the company’s expected useful life is limited, are tested for impairment whenever events or circumstances indicate the carrying amount of the asset (or asset group) may not be recoverable. It is a two-step process, whereby the carrying value is compared to the undiscounted cash flows associated with the asset group. If the carrying value is not recoverable, an impairment loss is recognized for the carrying amount in excess of fair value.
With indefinite lived assets, there are no legal, regulatory, contractual, competitive, economic or other factors that limit the useful life to the entity. The assets are tested for impairment at least annually and are tested more frequently if a triggering event occurs. If it is more likely than not that the asset is impaired, the entity must perform a quantitative test by comparing the fair value of the asset with its carrying amount and recognizing an impairment loss for any excess.
Goodwill is an indefinite lived asset and is accounted for in accordance with ASC 350-20. The test for impairment is performed at the reporting unit level annually, or between annual tests, if one or more triggering events are identified. Companies may perform a qualitative assessment first, but should not limit the assessment to ASC 350-20-35-3C. If a quantitative assessment is needed, the goodwill impairment test is now a “one-step” measurement in which impairment is recognized as the excess of the carrying amount over fair value. The impairment loss is limited to the goodwill of the reporting unit.
When performing a quantitative assessment, companies should be mindful of the following:
- When allocating carrying value to reporting units, consider corporate assets and intercompany assets. This may require subjectivity at times, but consistency is key.
- Fair value should be based on the “market participant” concept.
- Deferred tax assets or liabilities are allocated to reporting units. Companies must also evaluate impacts of taxable versus non-taxable goodwill.
- Internal controls are critical, and often challenging, to document for estimates. Companies must identify and document the rationale and considerations for key inputs. They must also review specialist work, including completeness and accuracy of information provided.
Other Reminders
Remediating internal control deficiencies: When evaluating deficiencies in internal controls, companies must consider what could have happened, rather than what did happen. Timely remediation is key, and changes must be implemented with sufficient time prior to year-end to demonstrate operating effectiveness.
Segment reporting: ASU 2023-07 expands reporting requirements to include significant segment expenses, among other information, and confirms that ASC 280 disclosure requirements apply to entities with a single reporting segment. The discussion with management and other relevant parties should be held early in order to allow time to prepare for the changes that need to be made.
Management Discussion & Analysis (MD&A): MD&A should include the effects of the current environment, such as decreasing interest rates, inflation, geopolitical issues and political elections. Companies should avoid being overly general and should quantify the key drivers of results.
Next Steps
Weaver’s accounting, tax, and technology advisors offer companies several ways to learn more about building their paths forward during Weaver’s Quarterly Accounting and SEC Update webinars, within their podcast series, and in their Executive Resource Center. To discuss your unique circumstances, we encourage you to contact us directly to schedule a consultation.