Finrep at Society for Corporate Governance National Conference
Gana Misra
By Gana MisraCEO, Finrep
Fri Jul 03 2026

SEC Comment Letter Response Best Practices: 2026 Playbook

Share
SEC Comment Letter Response Best Practices: 2026 Playbook

SEC Comment Letter Response Best Practices: The 2026 Playbook for CFOs and Securities Counsel

If your company just received an SEC comment letter, the clock is already running. This playbook gives CFOs, controllers, and securities counsel the tactical mechanics to respond well, resolve comments in one round, and protect the company's legal position, all before the letters go public.

Key takeaway: The SEC's comment letter process is non-adversarial by design. The staff's stated goal is to help companies comply with disclosure requirements, not to find violations. Responses that treat it as a legal battle tend to generate more rounds of comments, not fewer.

What Is an SEC Comment Letter and Why Does It Matter?

An SEC comment letter is formal correspondence from the Division of Corporation Finance asking a registrant to clarify, revise, or expand its public disclosures. The staff issues comments via EDGAR as form type UPLOAD; registrant responses are filed as form type CORRESP. Both become publicly available 20 business days after the staff closes the review.

Under SOX Section 408, the SEC must review every reporting company's filings at least once every three years. In practice, the staff uses a risk-based approach, so companies with material restatements, significant market cap, or operations in high-scrutiny sectors (tech, biotech, financial services) may be reviewed more frequently. The SEC's FY 2026-2030 Strategic Plan signals continued emphasis on disclosure quality, meaning comment volume is not going to shrink. Every public company should treat this as a recurring compliance obligation, not a one-time surprise.

For registration statements (S-1, S-11, and similar), the stakes are higher still: unresolved comments can prevent the SEC from accelerating the effective date, which effectively blocks an IPO or public offering. That time pressure does not exist for periodic report reviews, but the reputational and investor-relations exposure is real for both.

The Four Types of Staff Requests (and What Each Requires)

Before drafting a single word of your response, classify each comment. The SEC's own FAQ identifies four distinct request types, and the required mechanics differ for each:

Request TypeWhat the Staff WantsResponse Mechanics
Supplemental informationContext to help staff understand existing disclosureWritten explanation; may not require an amended filing; request return of materials under Rule 418(b)/12b-4
Revise existing filingChange a document already on fileFile an amendment (e.g., 10-K/A) concurrent with or following the response letter
Add disclosure to existing filingInclude something missing from a current filingFile an amendment; show proposed language in blackline
Future filing commitmentProvide disclosure in the next applicable periodic reportCommit specifically in the response letter; the staff will check your next 10-K or 10-Q

The fourth type carries a trap many teams miss: when you agree in a response letter to provide certain disclosure in future filings, that commitment is effectively binding. The staff will review subsequent filings and may issue a new comment letter if the promised disclosure is absent or inadequate. Be precise about what you commit to and when.

How Long Do You Have to Respond to an SEC Comment Letter?

The standard deadline is 10 business days for registration statement comments and 30 calendar days for periodic report comments, though the staff typically grants extensions when requested promptly and with a reasonable explanation. PwC's Viewpoint guide confirms this timing.

A few practical rules on extensions:

  • Request an extension by phone or email before the deadline, never after.
  • A one-to-two week extension is generally reasonable for complex comments; longer requests require a stronger justification.
  • For active registration statements, if you take longer than 90 days to respond, the staff may treat it as a restart of the review cycle and take up to 30 days to review your response rather than the standard 10.
  • Missing the deadline without requesting an extension on a pending offering can jeopardize the offering timeline. Don't let the clock run out silently.

Should You Call the SEC Staff Before Responding in Writing?

Yes, in most cases, and especially when a comment is ambiguous. This is standard practice among experienced securities counsel but is rarely documented publicly.

The phone call strategy works like this:

  1. Who to call: Contact the named reviewer in the closing paragraph of the comment letter, not the branch chief. The closing paragraph also tells you whether the comments are legal, accounting, or both, which signals who on your team should be on the call.
  2. Frame it as clarification, not debate. As Gibson Dunn partner Brian Lane has noted at FEI conferences, the staff does not want to debate the letter on the phone. Call to say you want to make sure you understand what the staff is getting at, then listen. That conversation often reveals the real concern behind a broadly worded comment.
  3. Prepare before you dial. Review the issue with your auditor, the audit firm's national office, and legal counsel. Have talking points, but don't read from a script; that reduces engagement and can come across as evasive.
  4. Memorialize the call in writing. In your response letter, reference the conversation: "As discussed with the Staff on [date]..." This creates a record, signals good faith, and often helps frame your written response more precisely.

If you're not confident on the phone, don't put a nervous executive on the call. The wrong person saying the wrong thing verbally is harder to walk back than a written response.

How to Structure the Response Letter

The response letter has a standard format that virtually every CORRESP filing follows. Deviating from it signals inexperience and can irritate staff reviewers.

Here is the anatomy of a well-structured response letter, drawn from real EDGAR CORRESP filings including CPSI's August 2023 response and Palo Alto Networks' 2012 S-1 response:

1. Header

Identify the company, the filing under review, the SEC file number, and the date of the staff's comment letter. Address the letter to the specific named reviewers, not generically to "SEC Staff."

2. The Three-Part Acknowledgment Paragraph

This language is required by the staff and must appear in every response letter. It reads, in substance:

(1) The company is responsible for the adequacy and accuracy of the disclosure in the filing. (2) Staff comments or changes to disclosure in response to staff comments do not foreclose the Commission from taking any action with respect to the filing. (3) The company may not assert staff comments as a defense in any proceeding initiated by the Commission or any person under the federal securities laws.

Many companies add a fourth sentence, following Sullivan & Cromwell's 2004 recommendation to the SEC: that "changes to disclosure in response to staff comments should not be interpreted as an admission that previous disclosure was defective." The SEC did not formally adopt this as required language, but it is widely used and the staff accepts it.

3. Each Staff Comment Quoted Verbatim

Reproduce the staff's comment in full, in bold or italics, before your response. Do not paraphrase. This makes the letter self-contained and makes it easy for the staff to confirm you addressed every sub-question.

4. The Company's Response

Immediately following each quoted comment, provide the response. Lead with the direct answer, then the supporting rationale, then the proposed disclosure revision.

5. Proposed Disclosure Revisions

Show proposed changes in blackline (redline), either inline or as an exhibit. For registration statement responses, file an amendment concurrently with the response letter and reference it explicitly.

6. Signature

The CFO or a senior officer of the company should sign the letter, not outside counsel. As the CPSI response letter demonstrates, the company owns the response. PwC's Viewpoint puts it directly: "Own the process. Companies should leverage the knowledge and experience of their advisors, but the company should own the process and be the primary point of contact with the SEC staff."

When to Push Back vs. When to Concede

This is the decision that matters most strategically, and it is where many companies get it wrong in both directions.

Conceding too quickly on the first round sets a precedent for future filings and can result in disclosure obligations that are difficult to walk back. Refusing without a substantive explanation tends to generate a second round of comments and signals bad faith.

The right framework is a three-part structure for respectful pushback, illustrated by the CPSI 2023 response letter when the staff asked for a metric that appeared in investor presentations but not in SEC filings:

  1. Explain the context: Why the metric appeared in a different venue and for what purpose.
  2. Explain management's view: Why the company does not consider it a KPI for SEC disclosure purposes, citing the specific accounting literature or disclosure standard that supports this position.
  3. State what you will do: What disclosure you will provide going forward, framed narrowly to limit future obligations.

Citing the literature is not optional. As Brian Lane of Gibson Dunn has noted at FEI conferences, the most powerful answer to a staff comment is: "We looked at paragraph X and sub-paragraph Y, and we believe we followed precisely what GAAP requires." That kind of response, grounded in the standard and the facts, is what closes a comment in one round.

For accounting comments specifically, Kevin Woody, SEC Accounting Branch Chief, has been explicit about what the staff expects. At a 2023 industry panel summarized by KPMG's FRV team, he stated:

"The critical accounting estimates disclosure should not be a repeat of the significant accounting policy disclosure in the financial statement notes. The disclosure must include the quantitative and qualitative information about the critical accounting estimate... the degree to which the estimates and underlying assumptions have changed, and the sensitivity of the estimates to the methods and assumptions."

If your disclosure does not meet that standard, concede and revise. If it does, say so precisely and cite the paragraph.

How to Prevent a Second Round of Comments

The single most effective way to avoid a second round is to over-answer the first. Address the spirit of the comment, not just its literal text. Volunteer related disclosures the staff hasn't asked for yet, particularly if you can see the logical next question coming.

Specific tactics:

  • Audit your IR materials against your SEC filings before submitting any response. A recurring comment trigger identified at the 2023 SEC panel is inconsistency between investor presentations or earnings call disclosures and SEC filings. The staff compares these documents. If a metric appears in your earnings deck but not your 10-K, expect a comment asking why.
  • Don't leave sub-questions unanswered. Comment letters often contain multiple comments, each with several sub-questions. Answer every sub-question explicitly, even if the answer is the same for each.
  • Be quantitatively specific. The staff expects numbers. In the CPSI response, the company disclosed that 100% of new Acute Care EHR customer implementations in 2022 were in a SaaS environment, up from 68% in 2020 and 63% in 2021. That level of specificity signals that management has actually engaged with the question.
  • Check consistency between your response letter and any amended filing. The staff will compare them. Inconsistencies generate immediate follow-up.

The 20-Business-Day Window: What to Do Before Letters Go Public

Comment and response letters become publicly available 20 business days after the staff closes the review, which means issuing a "no further comments" letter. That window is your preparation period, and most companies waste it.

Here is what to do during those 20 business days:

  1. Brief the audit committee. Material comments touching on accounting estimates, internal controls, or non-GAAP measures should be documented in the committee's oversight record.
  2. Prepare IR talking points. Investors, analysts, and the press will read the letters. Draft clear, factual explanations of what the staff asked, what the company said, and what (if anything) changed in the disclosures.
  3. Alert legal and communications. Review the letters for any language that could be read as an admission that prior disclosure was defective. If such language exists, prepare a proactive explanation.
  4. Consider whether a Form 8-K is warranted. Most comment letter exchanges do not require an 8-K, but if the resolution involved a material restatement or a significant change in disclosure, consult securities counsel.
  5. Do not proactively disclose the existence of an open comment letter unless required. Most companies do not, and there is no general obligation to do so for periodic report reviews. Registration statement reviews are different because the comment letter may be visible in the filing timeline.

As Sullivan & Cromwell noted in their 2004 comment to the SEC, response letters cannot be edited for public consumption the way disclosure documents can. Draft every response letter as if investors, competitors, and the press will read it, because they will.

How to Request Confidential Treatment for Supplemental Materials

When the staff asks for supplemental information (valuation analyses, board materials, customer contracts), you can provide it without making it part of the permanent public record. Two mechanisms apply:

  • Rule 418(b) / Rule 12b-4: Supplemental materials provided under these rules can be returned to the company upon request and are not part of the public record. Always request return of supplemental materials in your response letter.
  • Rule 83 (17 C.F.R. § 200.83): For confidential treatment of response letter content itself, file a separate letter with the Office of Freedom of Information and Privacy Act Operations. The EDGAR version of the response must be marked to show redacted portions. The Palo Alto Networks S-1 response demonstrates this mechanics precisely.

Do not include commercially sensitive information in the body of the response letter without first considering whether confidential treatment is available and worth pursuing.

How to Escalate When You Disagree with the Staff

Most comment letters resolve through normal correspondence. When they don't, there is a defined escalation path that experienced securities counsel use but that is rarely documented publicly:

  1. Request a call with the branch chief. If the staff reviewer is not moving, ask to discuss the issue with their supervisor. Frame it as seeking additional guidance, not as an appeal.
  2. Escalate to the Office of Chief Accountant for accounting issues, or to the Deputy Director of Corporation Finance for disclosure issues. These escalations are uncommon but available and are taken seriously.
  3. Request a no-action letter or waiver in extreme cases where the staff's position would require disclosure that is genuinely impractical or legally problematic.

The SEC's 2009 speech on best practices for working with SEC staff confirms that the review remains open until a formal "no further comments" letter is issued. Until that letter arrives, additional rounds of comments remain possible regardless of how many rounds have already occurred.

2025-2026 Hot-Button Comment Topics

Knowing where the staff is focused helps you anticipate comments before they arrive and respond more precisely when they do. Current high-activity areas include:

  • Non-GAAP measures: Still the most frequent comment area. Staff scrutinizes prominence (non-GAAP must not be presented more prominently than the comparable GAAP measure), reconciliation completeness, and consistency between periods.
  • Critical accounting estimates: As Kevin Woody made clear, the staff expects quantitative sensitivity analysis, not a restatement of accounting policy. See the SAB 74 disclosure guide for related disclosure requirements.
  • Cybersecurity incident disclosure: Following the SEC's 2023 cybersecurity rules, the staff is actively reviewing Item 1.05 Form 8-K disclosures and the annual Item 106 disclosures in 10-Ks for specificity and consistency.
  • Segment reporting: ASC 280 amendments are effective for fiscal years beginning after December 15, 2023. The staff is reviewing whether companies have correctly identified reportable segments and whether segment-level disclosures are sufficiently granular.
  • Tariff and macroeconomic risk factors: The staff expects risk factor disclosure to be company-specific, not generic. See the tariff disclosure best practices guide for the current standard.
  • Inconsistency between IR materials and SEC filings: As noted above, the staff compares earnings releases, investor presentations, and SEC filings. Metrics that appear in one venue but not another are a reliable comment trigger.

For a systematic approach to preventing these comments from recurring, the 2026 process guide for avoiding repeat SEC comments covers the root-cause analysis and pre-filing review process in detail.

Using EDGAR to Benchmark Peer Responses

One of the most underused research tools in the response drafting process is EDGAR's full-text search for CORRESP filings. Over 20 years of response letters are now searchable, covering filings made after August 1, 2004.

To use it effectively:

  • Search by SIC code and date range to find peer companies that received similar comments.
  • Look for what arguments the staff accepted versus rejected in analogous situations.
  • Note the level of quantitative specificity in responses the staff closed without further comment.
  • EDGAR full-text search returns up to 800 filings per search; use targeted search strings (company name, SIC code, specific accounting standard) to avoid hitting that cap.

For a full guide to this technique, see EDGAR benchmarking for SEC disclosures.

FAQ

What happens if we miss the response deadline? For periodic report reviews, a missed deadline without a prior extension request signals poor process management and may accelerate staff scrutiny. For registration statements, it can delay the offering timeline significantly. Always request an extension before the deadline, not after.

Can we request confidential treatment for our response letter? Yes, under Rule 83 (17 C.F.R. § 200.83), by filing a separate letter with the Office of FOIA and Privacy Act Operations. The EDGAR version must show redacted portions. This is most commonly used for supplemental materials, not the response letter itself.

What does a 'no further comments' letter mean? It is the formal closure of the review cycle. Until you receive it, the review remains open and additional rounds of comments are possible. The SEC's 2009 staff speech confirms this.

Should outside counsel or the CFO sign the response letter? The CFO or a senior company officer should sign. Outside counsel plays a drafting and advisory role, but the company must be the primary point of contact with the staff. Delegating entirely to outside counsel is a common mistake.

How do we handle a comment about a metric in our investor presentations that isn't in our 10-K? Use the three-part structure: explain why the metric appeared in presentations, explain why management doesn't consider it a required KPI for SEC disclosure, and state precisely what you will disclose going forward. The CPSI 2023 response letter is the best public example of this approach.

What are 'futures' comments and how do we respond to them? A futures comment asks you to provide disclosure in your next applicable periodic report rather than amending the current filing. Agree specifically and narrowly in your response letter, because that commitment is binding. The staff will check your next 10-K or 10-Q against what you promised.

Run your SEC filing cycle on Finrep