Last week, the SEC proposed changes to the EDGAR system designed primarily to enhance EDGAR security, specifically related to EDGAR filer access and account management. In his Statement, SEC Chair Gary Gensler observed that a “lot has changed in the three decades since the Commission first required mandatory EDGAR filings in 1993.” While the SEC has updated EDGAR several times, it’s been over ten years since the SEC updated EDGAR login, password and other account access protocols in any significant way. Currently, Gensler reminded us, “registrants have one login per company. This is like having a family passing around one shared login and password for a movie streaming app. You know where that can lead. That’s simply not the most secure system—for filers and the Commission alike—when it comes to information relating to financial disclosure. By contrast, today’s actions would further secure login protocols by requiring every person filing something into EDGAR to login with individual credentials and to use multi-factor authentication.” Will the proposed new system, if finalized, put the kibosh on fake SEC Form 4s, fake Forms 8-K, fake Schedules 13D, fake SEC correspondence and other fake SEC filings? The proposal is open for comment for 60 days after publication in the Federal Register.

The proposal indicates that the SEC “is seeking to enhance the security of EDGAR, improve the ability of filers to securely manage and maintain access to their EDGAR accounts, facilitate the responsible management of filer credentials, and simplify procedures for accessing EDGAR.” These modifications would include rule and form changes, as well as some related technical changes, all of which the SEC is referring to collectively as “EDGAR Next.” EDGAR Next would “enhance security by requiring an individual seeking to make a filing on EDGAR to sign in with individual account credentials, complete multi-factor authentication, be authorized by the filer or the filer’s account administrator, and enter the filer’s CIK and CCC” confirmation code.

Currently, to file on EDGAR, the applicant must apply for access by completing a Form ID application on the EDGAR Filer Management website and submitting a notarized copy of that application signed by an authorized individual of the filer. However, filings are not easily traceable to individuals, and the SEC does not currently offer a technical solution for filers to manage those making submissions on filers’ behalf. As a result, “staff and affected filers often encounter delays in addressing potentially problematic filings.” In September 2021, the SEC issued a Request for Comment, seeking feedback from filers about potential technical changes to EDGAR access and account management. After considering public comments and subsequent dialogue with interested parties, the SEC has issued the new proposal for EDGAR Next.

Under the proposal, the obligations for filers would generally be codified in Rule 10 of Reg S-T, with some additional changes to Rule 11. The proposal would require each filer to authorize at least two individuals to act as account administrators to manage the filer’s EDGAR account on the filer’s behalf or, for individual filers and single-member companies, the filer would need to authorize one account administrator. (The account administrator would not need to be an employee of the filer, so long as the authorized individual provided a notarized power of attorney authorizing that individual to be the filer’s account administrator.) Each filer would “be required to maintain accurate and current information about the filer on EDGAR,” and “to securely maintain information relevant to the ability to access the filer’s EDGAR account.”

As part of EDGAR Next, the SEC will make available, at the filer’s option, application programming interfaces (APIs) to “facilitate machine-to-machine communication with EDGAR, including submission of filings and retrieval of related information.” However, if the filer uses an API, the filer would need to authorize two individuals to be technical administrators to manage API tokens and related technology. (Fortunately, one individual may be authorized to perform more than one role; for example, one individual could be both an account administrator and a technical administrator.) As proposed, all account administrators, users and technical administrators would be required to use their individual account credentials, along with multi-factor authentication, to sign into all EDGAR filing websites.

The EDGAR system would have an “interactive function”—a dashboard on the EDGAR Filer Management website—where electronic filers manage their EDGAR accounts. On the dashboard, “account administrators would take actions on behalf of the filer to add and remove authorized users, account administrators, and technical administrators; and annually confirm the accuracy of the filer’s information on the dashboard. Additionally, on the dashboard, account administrators could delegate authority to file on behalf of the filer to any other EDGAR account, such as a filing agent, making that account a delegated entity of the filer, and could remove a delegated entity’s authority to file on the filer’s behalf.” Under the proposal, each filer, through its authorized account administrators, would be required to confirm annually that the filer has authorized all account administrators, users, delegated entities and technical administrators shown on the dashboard for the filer’s EDGAR account and that all dashboard information about the filer is accurate. Got it? Filers, users, account administrators, delegated entities, delegated users, technical administrators. It’s all there in the proposing release for your reading pleasure.

In the press release, the SEC announced that it would “open to the public a beta software environment for filer testing and feedback, which will reflect the proposed rule and form amendments and the related technical changes.” Check out the EDGAR Next Proposing Beta landing page, accessible until March 15, 2024.

Posted by Cydney Posner