As I recently noted in this blog, there are actions you should be taking now to prepare for the SEC’s new EDGAR Next. One thing you should be doing is becoming educated about what this is all about. Know that there is still a fair amount of uncertainty about what will eventually develop into standard practices in response to the SEC’s rulemaking, and that there also are some interpretive questions open that likely will be addressed by the SEC staff over time. There’s a reason for the dearth of law firm memos on this topic.
Bearing that in mind, here are the first four of 12 questions you should be asking yourself (I’ll run a blog with the last eight questions in a few weeks) – with a big hat tip to McKesson’s Jim Brashear for helping to sort this out:
1. Should I participate in the SEC’s beta program to get my feet wet?
As I blogged before, the SEC’s beta includes a new “EDGAR Filer Management” website that contains a dashboard, but you aren’t able to make actual filings with the SEC using the beta site at this time. You’re advised by the SEC to use dummy data when playing around on the beta.
The pros of exploring the beta site include gaining some experience and being ready to register your CIKs promptly when EDGAR Next goes live on March 24, 2025. The SEC Staff is encouraging companies to register in EDGAR Next as soon as they can. The cons are that it takes time, and maybe you want others to be the guinea pigs while you learn from them.
2. What are the bare minimum steps I probably should take now?
You may want to take preliminary steps to be ready for EDGAR Next, such as:
- Monitor developments – To keep track of the SEC’s information in this area, see this SEC webpage, “EDGAR Next – Improving Filer Access and Account Management.” The SEC also has an EDGAR Next Instructional Video Playlist available on YouTube.
- Communicate internally – Explain the coming changes to your internal constituents responsible for EDGAR filings. Depending on your company, there may be multiple audiences for different EDGAR filings, including your SEC officers and outside directors (Section 16 insiders). Align on necessary process changes as an aspect of disclosure controls.
Consider connecting with your IT security colleagues about credential security, configuring MFA, and managing systems access for employees onboarding and offboarding. This is an aspect of SOX controls to coordinate with your controller. - Obtain login.gov credentials – Your employees who will access EDGAR, directly or via a filing agent, should obtain login.gov credentials. It’s easy to create a login.gov credential. Depending on what multifactor authentication (MFA) methods you choose, it can be done in five to 15 minutes.
The EDGAR Business Office recommends that employees use their individual business email account to register with login.gov (no shared email accounts). You may want to specify the MFA methods to be used by your employees.
For example, you might want them to use the third-party authentication app that your company prefers for its single sign-on (SSO) provider, or SMS text messaging to the employee’s business mobile device, or both. - Collect EDGAR codes – You should gather the EDGAR codes that will be required to register each filer in the EDGAR Next dashboard. You’ll need their CIK, CCC and passphrase (which is different from their password).
If you do not have those codes, and you are authorized to register the filer in EDGAR Next, then someone will need to apply to the SEC for new codes, or to reset or recover the CCC and passphrase. See this SEC guide to learn more. - Coordinate with filing agents – Keep in touch with your third-party filing agents, so that you understand the steps required to be ready to file on those platforms.
Higher-volume filing agents are likely to implement application programming interfaces (APIs), so you’ll want to ensure your employees know how to generate user API tokens for APIs facilitated by those filing agents. You’ll also need to align on whether the filing agent will provide its filer API token, under a delegated entity arrangement, or if the filer has to appoint technical administrators to create filer API tokens for each CIK.
3. Should each Section 16 insider create their own login.gov credential for EDGAR Next?
This is not necessary, unless the Section 16 insider plans on accessing EDGAR Next to make their own filings (which is unlikely), or they want to be designated as an account administrator for their own EDGAR Next account (also probably unlikely).
The login.gov credential is used when logging into EDGAR Next to demonstrate that the individual submitting a filing has the authority to do so. The Section 16 insider does not, however, have to provide their credentials when a third party files for them. The Section 16 insider would only need the login.gov credential if they personally are accessing EDGAR.
Some insiders nevertheless might want to create their own login.gov MFA credential, even if they don’t intend to actually do anything with respect to their EDGAR Next account. After all, Section 16 filings are the personal responsibility of the insider. Being designated as an account administrator for their own EDGAR account can provide the Section 16 insider with visibility into their account. But for many Section 16 insiders, this may either be too complicated or something not worth their time. And some companies might not want Section 16 insiders to be too involved, as they might accidentally mess up a filing.
Note that the email address used to create the login.gov credential will be visible in the EDGAR Next dashboard. So, the Section 16 insider should use a business email address or another one they are comfortable sharing via EDGAR Next.
4. Who will act as EDGAR Next account administrators for our Section 16 insiders?
Consistent with historic practices, most Section 16 insiders likely will grant third parties the authority and responsibility to administer their EDGAR accounts and to sign and file their Form 3, 4 and 5 reports. The new account administrator function isn’t providing substantive legal advice or effecting filings; it’s ministerial account management.
Designating a third-party account administrator (TPAA) is a convenient way for a Section 16 insider to outsource their EDGAR Next account administration. Individuals are only required to have one account administrator, but it may make sense to have more than one for resiliency purposes.
Their TPAAs could be one or more employees at a company where they are a Section 16 insider or at a third-party service provider. One account administrator should be designated as the principal point of contact (POC) with the SEC’s EDGAR Business Office to address questions about the Section 16 insider’s EDGAR filings or account.
Note that the account administrator function isn’t providing substantive legal advice or effecting filings; it’s ministerial account management. Nevertheless, some sort of engagement agreement and/or POA might be appropriate.
- Centralized account administration – Perhaps Section 16 insiders will wind up designating their TPAAs by POA at only one company (e.g., their employer or the board of directors at which they have the longest tenure).
Because all account administrators have co-equal authority, limiting TPAA designations to one company may reduce coordination issues and conflicts among TPAAs at multiple companies. If the Section 16 insider later ceases to be affiliated with the company where the TPAAs are employed, any administrator may add new TPAAs at a different company and remove the TPAAs that are no longer needed. - Multiple entity/decentralized administration – Under this option, each Section 16 insider would have an account administrator at each public company with which they are affiliated, although only one account administrator would handle enrolling them and annual confirmations. The coordination of the multiple account administrators across a number of public companies would be key.
This option would involve more work due to the coordination necessary, and it contravenes the IT security principle of least privilege. That principle dictates that individuals should be granted the minimum levels of access or permissions needed to perform their job functions.
Despite the heightened risk introduced by the need to coordinate, this is an option that some of the filing agents are pushing, at least initially. If this becomes the standard practice, it remains to be seen whether there will need to be documentation and controls embedded in this new type of framework. - Self-administration – Designating the Section 16 insider as one of their own EDGAR Next account administrators can give them visibility into account activity, even if they intend to use a TPAA. Although the Section 16 insider theoretically could be designated as their sole account administrator, doing that would make them entirely responsible for all of their EDGAR account administration, including being the POC with SEC’s EDGAR Business Office.
It’s unlikely that any individual Section 16 insiders will choose this self-service option, as it’s highly doubtful that insiders will want to suddenly get involved in making their own Section 16 filings, although some shareholders (under 10%) may choose to self-administer.
Authored by
Broc Romanek