Corp Fin has posted a sample comment letter to companies about potential disclosure obligations arising out of the Russian invasion of Ukraine, the international response to it and related supply chain issues. Corp Fin wants companies to provide more “detailed disclosure, to the extent material or otherwise required,” about the direct or indirect impact on their businesses of their exposure to or business relationships with Russia, Belarus or Ukraine, any goods or services sourced in those countries and supply chain disruption. The letter provides a useful resource to help companies think through how their businesses have been or may be affected, even if they don’t have operations in Russia or Ukraine.
More specifically, Corp Fin advises companies to provide detailed disclosure regarding
- “direct or indirect exposure to Russia, Belarus, or Ukraine through their operations, employee base, investments in Russia, Belarus, or Ukraine, securities traded in Russia, sanctions against Russian or Belarusian individuals or entities, or legal or regulatory uncertainty associated with operating in or exiting Russia or Belarus,
- direct or indirect reliance on goods or services sourced in Russia or Ukraine or, in some cases, in countries supportive of Russia,
- actual or potential disruptions in the company’s supply chain, or
- business relationships, connections to, or assets in, Russia, Belarus, or Ukraine.”
Corp Fin advises that companies should also consider the impact on their financial statements. For example, companies may “need to reflect and disclose the impairment of assets, changes in inventory valuation, deferred tax asset valuation allowance, disposal or exiting of a business, de-consolidation, changes in exchange rates, and changes in contracts with customers or the ability to collect contract considerations.”
Even if companies do not have significant operations in or dealings with Russia, Belarus or Ukraine, they could still experience a substantial impact. For example, since the invasion, Corp Fin observes, “many companies have experienced heightened cybersecurity risks, increased or ongoing supply chain challenges, and volatility related to the trading prices of commodities regardless of whether they have operations in Russia, Belarus, or Ukraine that warrant disclosure.”
Corp Fin also advises companies to consider the impact on their controls, including management’s evaluation of disclosure controls and procedures and management’s assessment of the effectiveness of internal control over financial reporting. In addition, companies should consider “the role of the board of directors in risk oversight of any action or inaction related to Russia’s invasion of Ukraine, including consideration of whether to continue or to halt operations or investments in Russia and/or Belarus.”
The sample comment letter provides illustrative comments related to the impact of the invasion generally, cybersecurity risks, MD&A, non-GAAP measures, disclosure controls and internal control over financial reporting. For example, where the company or companies with which it does business have material operations or conduct business through facilities located in Russia, Belarus or Ukraine, Corp Fin asks for a description of the direct or indirect impact of Russia’s invasion of Ukraine on the company’s business, taking into account the impact:
- “resulting from sanctions, limitations on obtaining relevant government approvals, currency exchange limitations, or export or capital controls, including the impact of any risks that may impede your ability to sell assets located in Russia, Belarus, or Ukraine, including due to sanctions affecting potential purchasers;
- resulting from the reaction of your investors, employees, customers, and/or other stakeholders to any action or inaction arising from or relating to the invasion, including the payment of taxes to the Russian Federation; and
- that may result if Russia or another government nationalizes your assets or operations in Russia, Belarus, or Ukraine.”
If the company considers the impact to be immaterial, Corp Fin asks for an explanation.
In another sample comment, Corp Fin asks for a description of “the extent and nature of the role of the board of directors in overseeing risks related to Russia’s invasion of Ukraine,” including “risks related to cybersecurity, sanctions, employees based in affected regions, and supply chain/suppliers/service providers in affected regions as well as risks connected with ongoing or halted operations or investments in affected regions.”
Not surprisingly, most of the sample comments are directed toward MD&A, including known trends or uncertainties “arising from, related to, or caused by the global disruption from, Russia’s invasion of Ukraine,” critical accounting estimates, and the impact of import and export bans and supply chain disruptions. For example, with regard to critical accounting estimates, the staff requests enhanced disclosure of both qualitative and quantitative information related to new uncertainties associated with the estimate arising out of the conflict, the method used to develop the estimate and the significant assumptions underlying the estimate, changes in the estimate and assumptions during the current period, and sensitivity of the reported estimate “to the method and assumptions underlying its calculation. For example, if the cash flow estimates used were based on assumptions about the invasion or sanctions and those assumptions could significantly impact the estimate, then that should be disclosed along with how sensitive the estimate is to changes in those assumptions.”
The sample questions also highlight potentially problematic non-GAAP measures. For example, adjustments to add an estimate of lost revenue due to the invasion or supply chain disruptions or adjustments for certain expenses incurred related to operations in Russia, Belarus or Ukraine that “appear to be normal and recurring” may not be in accordance with Reg G and related CDIs and could be subject to comment by the staff.
With regard to cybersecurity, the staff asks about “new or heightened risk of potential cyberattacks” and what actions the company has taken to mitigate potential risks. There are also illustrative comments related to changes in internal control and disclosure controls.