The NASPP Blog

The SEC has announced an update to the process used to generate a new EDGAR passphrase. In anticipation of this, now would be a good time to make sure your email address is correct (and the email addresses for all of your Section 16 insiders) in the EDGAR system.

What Is a Passphrase and How Is It Different from a Password or a Password Modification Authorization Code (PMAC)?

The EDGAR system has a ridiculous number of password-type codes assigned to each individual user.  You probably only need one password to access your bank account, but EDGAR assigns four password-type codes to each user.  And, even with that shockingly complex security protocol, it’s still possible to submit fake EDGAR filings.

Your passphrase is used to generate a completely new set of EDGAR codes (CCC, password, and PMAC). You do this when you are first assigned a CIK (because you won’t have any of the other codes yet). It’s also the only way to generate a new password if you’ve forgotten yours.

What Is the New Process?

The problem with having to use your passphrase to generate a new password (and CCC) is that if you’ve forgotten your password, you’ve probably also forgotten your passphrase. In which case, you have to request a new passphrase before you can generate a new password.

Previously, to generate a new passphrase, you completed the online request form and submitted a new notarized Form ID to the SEC (for a more detailed, somewhat humorous explanation of this, see “My EDGAR Nightmare“).  Now, you’ll also have to provide an “electronic security token” with your request.  The electronic security token will be emailed to you by EDGAR at the time you make the request to change your passphrase. This is why it is important to make sure your email address is correct; if the EDGAR system doesn’t have your correct email address, you won’t get the email with your electronic security token and you’ll have to go through some sort of manual review to get your passphrase updated, which could take more than two days (and I’m sure you all understand the significance of process that takes longer than two days in the EDGAR context).

What Exactly Is an Electronic Security Token?

Got me. Since EDGAR is emailing it to you, my guess is that it is some sort of code that you enter into the EDGAR website, but it could also be a link in the email that you have to click.

Will Form ID Still Be Required to Change a Passphrase?

No idea on this either. The announcement from the SEC did not include a lot of information.

When Is the New Process Going Into Effect?

The SEC announcement, which was issued on December 12, says “soon.” When dealing with the government, “soon” often is later than you might expect but I still wouldn’t wait to make sure your and your insiders’ email addresses are correct.

Thanks to Tami Bohm of Radian Group for reminding me to blog about this.

– Barbara