As I recently noted in this blog, there are actions you should be taking now to prepare for the SEC’s new EDGAR Next. One thing you should be doing is becoming educated about what this is all about. Know that there is still a fair amount of uncertainty about what will eventually develop into standard practices in response to the SEC’s rulemaking, and that there also are some interpretive questions open that likely will be addressed by the SEC staff over time. There’s a reason for the dearth of law firm memos on this topic.
Bearing that in mind, here are the first four of 10 questions you should be asking yourself (I’ll run a blog with the last six questions next week) – with a big hat tip to McKesson’s Jim Brashear for helping to sort this out:
1. Should I participate in the SEC’s beta program to get my feet wet?
As I blogged before, the SEC’s beta includes a new “EDGAR Filer Management” website that contains a dashboard, but you aren’t able to make actual filings with the SEC using the beta site at this time. You’re advised by the SEC to use dummy data when playing around on the beta.
The pros of exploring the beta site include gaining some experience. The cons are that it takes time, and maybe you want others to be the guinea pigs while you learn from them.
2. What are the bare minimum steps I probably should take now?
You may want to take other preliminary steps to be ready for EDGAR Next, such as:
- Monitor developments – To keep track of the SEC’s information in this area, see this SEC webpage, “EDGAR Next – Improving Filer Access and Account Management.”
- Communicate internally – Explain the coming changes to your internal constituents responsible for EDGAR filings. Depending on your company, there may be multiple audiences for different EDGAR filings, including your SEC officers and outside directors (Section 16 insiders). Align on necessary process changes as an aspect of disclosure controls.
- Obtain login.gov credentials – Your employees who will access EDGAR, directly or via a filing agent, should obtain login.gov credentials. It’s easy to create a login.gov credential. Depending on what multifactor authentication (MFA) methods you choose, it can be done in five to 15 minutes.
The EDGAR Business Office recommends that employees use their individual business email account to register with login.gov (no shared email accounts). You may want to specify the MFA methods to be used by your employees.
For example, you might want them to use the third-party authentication app that your company prefers for its single sign-on (SSO) provider, or SMS text messaging to the employee’s business mobile device, or both. - Collect EDGAR codes – You should gather the EDGAR codes that will be required to register each filer in the EDGAR Next dashboard. You’ll need their CIK, CCC and passphrase (which is different from their password).
If you do not have those codes, and you are authorized to register the filer in EDGAR Next, then someone will need to apply to the SEC for new codes, or to reset or recover the CCC and passphrase. See this SEC guide to learn more. - Coordinate with filing agents – Keep in touch with your third-party filing agents, so that you understand the steps required to be ready to file on those platforms.
Higher-volume filing agents are likely to implement application programming interfaces (APIs), so you’ll want to ensure your employees know how to generate user APIs facilitated by those filing agents.
3. Should each Section 16 insider create their own login.gov credential for EDGAR Next?
This is not necessary, unless the Section 16 insider plans on accessing EDGAR Next to make their own filings (which is unlikely), or they want to be designated as an account administrator for their own EDGAR Next account (also probably unlikely).
Consistent with historic practices, insiders could simply execute a power of attorney (POA) to authorize someone else to do those things for them. At this time, there seems to be conflicting guidance about whether a POA is required to authorize an account administrator. See the second bullet in Section 2 of this useful SEC guide for Section 16 filers that states “Individual filers do not need to execute a notarized power of attorney to authorize the person to enroll them.” But a POA may be the way many companies decide they will be most comfortable with confirming they have been granted authority from their insiders to handle the filings for them.
The login.gov credential is used for MFA when logging into EDGAR Next to demonstrate that the individual submitting a filing has the authority to do so. The Section 16 insider does not, however, have to provide MFA when a third party files for them. The Section 16 insider would only need the login.gov MFA if they personally are accessing EDGAR.
Some insiders nevertheless might want to create their own login.gov MFA credential, even if they don’t intend to actually do anything with respect to their EDGAR Next account. After all, Section 16 filings are the personal responsibility of the insider. Being designated as an account administrator for their own EDGAR account can provide the Section 16 insider with visibility into their account. But for many Section 16 insiders, this may either be too complicated or something not worth their time. And some companies might not want Section 16 insiders to be too involved, as they might accidentally mess up a filing.
Note that the email address used to create the login.gov credential will be visible in the EDGAR Next dashboard.
4. Who will act as EDGAR Next account administrators for our Section 16 insiders?
This is an issue for those Section 16 insiders who have to make filings for their roles at more than one company. It remains to be seen how account administration for these insiders will shake out and what will become standard practice.
There essentially are three options for EDGAR Next account administration (see Question 8 of this set of FAQs from Workiva for a breakdown of these options from their perspective):
- Centralized account administration provided by one entity.
- Decentralized account administration provided by multiple entities.
- Self-administration by the Section 16 insider.
Designating a third-party account administrator (TPAA) is a convenient way for a Section 16 insider to outsource their EDGAR Next account administration. Individuals are only required to have one account administrator, but it may make sense to have more than one for resiliency purposes.
Their TPAAs could be one or more employees at a company where they are a Section 16 insider or at a third-party service provider. One account administrator should be designated as the principal point of contact (POC) with the SEC’s EDGAR Business Office to address questions about the Section 16 insider’s EDGAR filings or account.
Note that the account administrator function isn’t providing substantive legal advice or effecting filings; it’s ministerial account management. Nevertheless, some sort of engagement agreement and/or POA might be appropriate.
- Centralized account administration – Perhaps Section 16 insiders will wind up designating their TPAAs by POA at only one company (e.g., their employer or the board of directors at which they have the longest tenure).
Because all account administrators have co-equal authority, limiting TPAA designations to one company may reduce coordination issues and conflicts among TPAAs at multiple companies. If the Section 16 insider later ceases to be affiliated with the company where the TPAAs are employed, any administrator may add new TPAAs at a different company and remove the TPAAs that are no longer needed. - Multiple entity/decentralized administration – Under this option, each Section 16 insider would have an account administrator at each public company with which they are affiliated, although only one account administrator would handle enrolling them and annual confirmations. The coordination of the multiple account administrators across a number of public companies would be key.
This option would involve more work due to the coordination necessary, and it contravenes the IT security principle of least privilege. That principle dictates that individuals should be granted the minimum levels of access or permissions needed to perform their job functions.
Despite the heightened risk introduced by the need to coordinate, this is an option that some of the filing agents are pushing, at least initially. If this becomes the standard practice, it remains to be seen whether there will need to be documentation and controls embedded in this new type of framework. - Self-administration – Designating the Section 16 insider as one of their own EDGAR Next account administrators can give them visibility into account activity, even if they intend to use a TPAA. Although the Section 16 insider theoretically could be designated as their sole account administrator, doing that would make them entirely responsible for all of their EDGAR account administration, including being the POC with SEC’s EDGAR Business Office.
It’s unlikely that any individual Section 16 insiders will choose this self-service option, as it’s highly doubtful that insiders will want to suddenly get involved in making their own Section 16 filings, although some shareholders (under 10%) may choose to self-administer.
Authored by
Broc Romanek