TheCorporateCounsel.net

October 23, 2024

Enforcement: SEC Targets Cyber Disclosures

Yesterday, the SEC announced charges against four current and former public companies for allegedly making materially misleading disclosures regarding cybersecurity risks and intrusions — all arising from the SEC’s investigation of public companies that were potentially impacted by the compromise of SolarWinds’ Orion software. The companies agreed to pay civil penalties ranging from $990,000 to $4 million. One company was also charged with disclosure controls and procedures violations. Here’s more from the announcement:

According to the SEC’s orders, Unisys, Avaya, and Check Point learned in 2020, and Mimecast learned in 2021, that the threat actor likely behind the SolarWinds Orion hack had accessed their systems without authorization, but each negligently minimized its cybersecurity incident in its public disclosures. The SEC’s order against Unisys finds that the company described its risks from cybersecurity events as hypothetical despite knowing that it had experienced two SolarWinds-related intrusions involving exfiltration of gigabytes of data. The order also finds that these materially misleading disclosures resulted in part from Unisys’ deficient disclosure controls.

The SEC’s order against Avaya finds that it stated that the threat actor had accessed a “limited number of [the] Company’s email messages,” when Avaya knew the threat actor had also accessed at least 145 files in its cloud file sharing environment. The SEC’s order against Check Point finds that it knew of the intrusion but described cyber intrusions and risks from them in generic terms. The order charging Mimecast finds that the company minimized the attack by failing to disclose the nature of the code the threat actor exfiltrated and the quantity of encrypted credentials the threat actor accessed.

Quotes from the SEC staff emphasized the importance of not downplaying the extent of a cybersecurity breach and that corporate victims of cyberattacks must not “further victimize their shareholders or other members of the investing public by providing misleading disclosures.”

The enforcement announcements are clearly still rolling in — in the new fiscal year! — so you won’t want to miss our upcoming webcast “SEC Enforcement: Priorities and Trends” at 2 pm ET on Wednesday, November 13, featuring Hunton’s Scott Kimpel, Locke Lord’s Allison O’Neil and Quinn Emanuel’s Kurt Wolfe. They’ll discuss the following topics, among others:

– SEC Enforcement Activities in 2024 and Priorities for 2025
– Implications of Jarkesy for SEC’s Enforcement Program
– Monetary and Non-Monetary Penalties
– Accounting and Disclosure Actions
– Actions Targeting “Internal Controls”
– Self-Reporting and Cooperation Credit
– Coordination with DOJ Investigations

Meredith Ervine 

October 23, 2024

Enforcement: More on “SEC Targets Cyber Disclosures” — The Dissent

Commissioners Peirce and Uyeda’s joint dissenting statement — taking the position that the SEC is regulating by enforcement with these settlements and citing immaterial, undisclosed details to support the charges — is worth a standalone blog. First, it thoroughly discusses the disclosures and omissions the SEC considered to be problematic and why the Commissioners don’t believe these altered the ‘total mix’ of information.

With respect to Avaya, the Commission highlights “the likely attribution of the [cyberattack] to a nation-state threat actor” as an example of omitted material information. [I]n its 2023 rulemaking on cybersecurity incident disclosure (the “2023 Cybersecurity Rule”), neither investors nor the Commission expressed a view that the identity of the threat actor is material information … Not a single one of the 150-plus comment letters submitted on the proposal requested disclosure of the identity of the threat actor. …

Although the Form 8-K requirements for disclosing material cybersecurity incidents, which were adopted as part of the 2023 Cybersecurity Rule, did not yet apply to Mimecast, it filed three Form 8-Ks related to the intrusion of the Orion software on its network. In the third Form 8-K, Mimecast filed its three-page incident report for the cyberattack as an exhibit. Mimecast’s efforts to inform its investors would not be rewarded; the Commission finds fault with its disclosures. …

The Commission highlights Mimecast’s failure to disclose that “the threat actor had accessed a database containing encrypted credentials for approximately 31,000 [of 40,000] customers.” … Mimecast disclosed, without providing a percentage or number, that encrypted customer credentials had been accessed. …

With respect to disclosure of exfiltrated source code, Mimecast stated in its incident report that the threat actor had downloaded a “limited number” of its source code repositories but the company believed that the downloaded code was “incomplete and would be insufficient to build and run any aspect of the Mimecast service.” The Commission finds that these statements were materially misleading because Mimecast did not disclose that the threat actor had exfiltrated “58% of its exgestion source code, 50% of its M365 authentication source code, and 76% of its M365 interoperability source code, representing the majority of the source code for those three areas.” … Similar to the Avaya case, such information is “details regarding the incident itself” that do not need to be disclosed.

Next, the dissent highlights how the issues identified in the enforcement action may shape disclosure under Item 1.05 of Form 8-K.

Companies reviewing today’s proceedings reasonably could conclude that the Commission will evaluate their Item 1.05 disclosure with a hunger for details that runs contrary to statements in the adopting release. To avoid being second-guessed by the Commission, companies may fill their Item 1.05 disclosures with immaterial details about an incident, or worse, provide disclosure under the item about immaterial incidents. The Commission staff has already identified the latter practice as an issue, and today’s proceedings may exacerbate the problem.

Finally, do go read the full dissent for its detailed discussion of the enforcement actions involving hypothetical and generic risk factors — drawing parallels to portions of the SolarWinds case that were dismissed and raising concerns that bringing “hypothetical” risk factor charges may result in companies including immaterial, specific disclosures in risk factors just to avoid these types of charges.

Meredith Ervine 

October 23, 2024

Enforcement: More on “SEC Targets CEO’s Social Media Statements”

In late September, John blogged about the latest Regulation FD enforcement action, which arose out of the use of a social media account of the CEO of DraftKings to disseminate material non-public information about the company. This Freshfields blog has some timely reminders on Regulation FD in light of this enforcement action.

First, social media channels do not automatically constitute “broad dissemination” but may — if the company takes certain steps.

In its guidance from 2013, the SEC made clear that dissemination of information through social media (without more) does not constitute broad dissemination of this information. Pursuant to that guidance, companies may disclose MNPI through social media channels only if sufficient steps were taken to alert investors and the market that such social media channels will be used for the dissemination of MNPI. Methods of appropriate notice could be references to such social media channels in their periodic reports or press releases.

Second, prompt broad dissemination is appropriate when a company discovers an unintentional selective disclosure — although the initial disclosure may still be a Regulation FD violation.

Under Regulation FD, if a company unintentionally selectively discloses MNPI, it should remediate the violation by broadly disseminating the information “promptly.” For purposes of Regulation FD, promptly means “as soon as reasonably practicable (but in no event after the later of 24 hours or the commencement of the next day’s trading on the New York Stock Exchange) after a senior official of the issuer… learns that there has been a non-intentional disclosure by the issuer or person acting on behalf of the issuer of information that the senior official knows, or is reckless in not knowing, is both material and nonpublic.”

Meredith Ervine 

October 22, 2024

“Compound Volatility”: What’s Keeping Your CEO Up At Night

KPMG recently released the latest edition of its CEO Outlook analyzing insights shared by over 1,300 CEOs at large companies globally. The survey shows that, in today’s environment, CEOs are primarily focused on “anticipating and staying ahead of compound volatility…strategically allocating capital to address near-term risks such as cyber and geopolitics that can cause abrupt business disruption in the short term, while making long-term investments in generative artificial intelligence and mergers and acquisitions to spur future growth.” KPMG coined this term “compound volatility” which it describes as “the combination of near-term risks to growth and the structural changes to the US economy that raise the cost of doing business with little margin for error on strategy development and execution.”

Here are some other highlights, summarized in KPMG’s Directors Quarterly:

– 78% of CEOs were confident in their company’s growth prospects over the next three years
– Top risks identified were cost of living, cybercrime, cybersecurity and talent
– 70% of CEOs identified GenAI as a top investment priority, particularly in IT, sales and marketing, and finance and accounting
– 72% said GenAI won’t significantly impact the number of jobs but will require upskilling

One of the biggest changes in survey responses year-over-year relates to return-to-office plans. This year, almost 80% of CEOs envisioned a full return to office over the next three years (up from only 34% saying so a year ago).

Meredith Ervine 

October 22, 2024

“Compound Volatility”: Accounting in Turbulent Times

Speaking of “compound volatility,” this summer KPMG also released an in-depth guide to accounting for economic disruption with guidance on how various balance sheet and income statement line items and other disclosures may be impacted. KPMG encourages management teams to be proactive when it comes to considering how volatility impacts their financial statements and financial reporting:

During periods of economic disruption, it is crucial for companies to promptly identify the potential financial statement impacts and consider the accounting and disclosure consequences. Regulators place a strong emphasis on high-quality financial reporting during these times and closely scrutinize the sufficiency and timeliness of related disclosures. Transparency becomes particularly important, especially when it comes to estimation uncertainties and the underlying basis for critical judgments used in financial reporting.

The guide has chapters on:

– Revenue
– Financial assets, derivatives & hedging
– Inventory
– Goodwill and indefinite-lived intangibles
– Long-lived assets, leases and equity method investments
– Liabilities
– Compensation and benefits
– Income taxes
– Financial statement presentation, disclosures & MD&A

Each chapter starts with a description of how the relevant topic may be impacted by economic disruption and lists example questions to consider, with cross-references to the sections that address each question. Here’s an excerpt on compensation and benefits:

In response to economic disruption, companies may take actions related to compensation and benefits that have an impact on financial reporting. Examples include:
– providing revised or new compensation arrangements;
– evaluating existing compensation arrangements to determine if any specific terms, conditions or estimates have been affected;
– making modifications to compensation and benefit arrangements; and
– taking workforce actions that could result in pension or postretirement curtailments or settlements, or the need to pay severance and other postretirement benefits.

The following are example questions to consider that are specific to economic disruption and the potential impact to compensation and benefits and associated accounts (not exhaustive).

– Have either of the following related to share-based payments been affected: the probability assessment for performance-based awards; and/or the volatility input used to value awards on the grant date?
– Have any share-based payment awards been modified (e.g. changes to vesting criteria or strike price) and/or are discretionary clauses or claw back provisions starting to be included in awards?
– Have termination benefits (voluntary or involuntary) been offered or implemented?
– Has a significant event occurred (e.g. plan amendment, curtailment or termination) that could cause an interim remeasurement of defined benefit pension or postretirement plan assets and obligations?
– Have new or revised sick leave or paid time off policies been implemented or have furlough arrangements been offered to employees?

Meredith Ervine 

October 22, 2024

“Understanding Activism” Podcast: Shareholder Advocate Jim McRitchie

In the latest “Understanding Activism with John & J.T.” podcast, John and Orrick’s J.T. Ho were joined by Jim McRitchie, one of the leading voices in retail investor activism. Topics covered during this 37-minute podcast include:

– Collaboration among investors to influence corporate governance
– Top retail investor priorities for next year’s proxy season
– Deciding which companies receive shareholder proposals
– Measuring a proposal’s success
– Important factors in deciding whether to settle a proposal
– How companies can respond constructively to shareholder proposals
– How investors can maximize their ability to influence corporate governance
– Impact of election and changes at the SEC

John and J.T.’s objective with this podcast series is to share perspectives on key issues and developments in shareholder activism from representatives of both public companies and activists. They’re continuing to record new podcasts, and I think you’ll find them filled with practical and engaging insights from true experts — so stay tuned!

Meredith Ervine 

October 21, 2024

That’s a Wrap: Our 2024 Hybrid Conferences are in the Books!

I hope you were able to join us last week for our 2024 Proxy Disclosure & 21st Annual Executive Compensation Conferences. I’d like to send a big shoutout to our colleagues at CCRcorp who made everything happen and worked tirelessly to give our in-person and virtual attendees great experiences! I also want to thank all our fantastic speakers and sponsors. We quite literally couldn’t do it without you!

I thought I would take the opportunity to share some key points I took away or interesting tidbits I enjoyed from the conference panels. Here are a few I happened to be able to jot down, in no particular order:

– Sidley’s Sonia Barros reminded attendees of the importance of involving internal audit in cyber disclosures. For NYSE companies, internal audit is required to make ongoing assessments of risk management and, with the criticality of cyber these days, it may be a significant risk management process that internal audit is looking into. You want to make sure your 10-K disclosures are consistent with findings from any internal audit review.

– Michele Anderson of Latham, Anne Chapman of Joele Frank and Sean Donahue of Paul Hastings discussed 12 things a public company should do to be prepared for activism. Tip #12 was a practical suggestion for your annual D&O questionnaires: There are eight or so questions you need to include in the D&O questionnaire if a contest ensues. There’s no reason not to have those in your D&O questionnaire all the time, so the questionnaire you send an activist under your advance notice bylaw is already ready to go.

– Bill Ridgway of Skadden noted that, while cyber incident response plans should be documented, they should be more akin to guidelines than rigid plans since cyber incidents are so varied. You need to maintain flexibility to respond appropriately to the situation. If you set forth specifics and don’t follow them exactly, the SEC staff will point to that. And they’ve been very focused on controls and process and whether the technical details are making their way to the right people.

– Davis Polk’s Ning Chiu kicked off the panel on Rule 14a-8 and shareholder proposals by acknowledging that shareholder proposals are something many mid- or small-cap companies don’t often deal with but noted that these companies are impacted by proposals nonetheless, as they expand what voluntary disclosures become “market.” When a large company gets a proposal and starts reporting additional information voluntarily, say as a result of a settlement, that practice of reporting becomes the norm and pressures other companies to follow suit, even those that don’t regularly get proposals.

– It can be fun to learn about perks! Mark Borges and Alan Dye of Hogan Lovells described some more novel perks they’ve encountered over the years — like Employer Subsidized Pet Health Assistance and home lawn mowing. For some of these, it might be appropriate to ask first whether they are company-wide benefits. Sometimes they turn out to be a company-wide benefit (as Employer Subsidized Pet Health Assistance was for the particular company) saving you from further analysis. Others may not be widely offered (as, it turned out, lawn mowing was not) and you’ll need to assess under the two-step test to determine whether something is a perquisite or other personal benefit.

There were so many other gems I’d love to include here! You can also check out these two LinkedIn posts from my former colleague and these conference highlights from the Cooley PubCo blog for more.

If you missed any parts of the Conferences, archives of the sessions are now available. Attendees should receive an email today with a link to our 2024 Conference Archives page. Members of TheCorporateCounsel.net who registered for the Conferences can use their existing logins to access the Proxy Disclosure Archives and the Executive Compensation Archives. You may be eligible to earn CLE credit for the replays if you follow the instructions outlined on our CLE FAQ page, but note that you may not earn CLE credit for any session or session combinations that you previously watched live.

If you didn’t register to attend the conferences, you can purchase access to the archives (which will be available until October 15, 2025) online or by emailing sales@ccrcorp.com or calling 1-800-737-1271.

Meredith Ervine 

October 21, 2024

Thank You! Your Input Made it Happen

Thank you to all our blog subscribers who responded to our anonymous quick polls for the “Game Show Lightning Round: All-Star Feud” at our 2024 Conferences. If you joined us in person or virtually and were able to watch the “Feud,” I hope you enjoyed it. I really appreciated how enthusiastically our SEC All-Stars agreed to some lighthearted competition and Dave’s commitment to the game show host role (complete with costume change). Here’s a photo, ICYMI.

I took a “behind the scenes” role on the game show, running the slides — complete with automatic scoring and sound effects. As Dave noted during the game, I was, at times, quite generous in doling out points for guesses that only roughly matched the most popular survey responses. In my defense, in the one run-through I did with someone actually guessing, the “contestants” were my two kids. For “What’s the hottest shareholder proposal topic going to be in 2025?” my 7-year-old guessed, “How new phones will change our lives.” That was “AI” in my book!

Meredith Ervine 

October 21, 2024

We Want to Hear From You

One of our favorite things about our Conferences is talking to members — both virtually and IRL. Almost our entire editorial team was there in San Francisco, and we loved meeting everyone and hearing about what you do and what we can do to make this event and our sites more valuable to you. It energizes us all to catch up with friends & fellow practitioners and “nerd out” over corporate governance and securities law — not to mention that hearing how you use our resources reminds us why we do what we do! For those we didn’t get to connect with, we especially want to hear from you — please feel free to reach out to any of us editors!

Also, be on the lookout for an email asking for your feedback. But don’t let that stop you from sharing suggestions with our editorial team directly at any time. Our contact information is always at the bottom of our daily blog emails and on the “About Us” page on TheCorporateCounsel.net. 

Meredith Ervine 

October 18, 2024

Audit Committees: PCAOB’s Fraud Risk Resources

The PCAOB recently added a “Fraud Risk Resources” page to its website. While the materials on this page are intended to assist auditors in complying with their obligations to consider fraud during the course of an audit, the information the PCAOB provides there is also likely to be of assistance to audit committees in understanding those obligations and their implications for the audit process. Here’s an excerpt from the discussion of the auditor’s obligations with respect to the risk assessment process:

PCAOB standards require auditors to perform risk assessment procedures that are sufficient to provide a reasonable basis for assessing the risks of material misstatement, whether due to error or fraud, and designing further audit procedures. The risk assessment procedures required by PCAOB standards are intended to direct the auditor to identify external and company-specific factors that affect risks due to error or fraud, such as fraud risk factors, for example, factors that create pressures to manipulate the financial statements.

Some required risk assessment procedures and procedures performed when identifying and assessing risks are directed specifically at risks of material misstatement due to fraud (“fraud risks”), such as:

– Conducting a discussion among the engagement team members of the potential for material misstatement due to fraud;

– Inquiring of the audit committee, management, internal auditors, and others about fraud risks;

– Performing analytical procedures relating to revenue for the purpose of identifying unusual or unexpected relationships involving revenue accounts that might indicate a material misstatement, including material misstatement due to fraud;

– Considering factors relevant to identifying fraud risks, including in particular, fraud risks related to improper revenue recognition, management override of controls, and risk that fraud could be perpetrated or concealed through omission of disclosures or presentation of incomplete or inaccurate disclosures; and

– Evaluating the design of controls that address fraud risks.

A substantial number of the other required risk assessment procedures also can provide information that is relevant to the auditor’s consideration of fraud.

Other topics addressed by the PCAOB here include acceptance and retention of audit engagements, audit planning, responses to the risk of material misstatements, and fraud considerations in ICFR audits.

John Jenkins