I’m thrilled to announce that we’ve made two great additions to our team:
Julie Gonzales has joined us as an Associate Editor after spending 16 years at a publicly traded company in the oil & gas industry, including as the Stock Plan Administrator, Corporate & Securities Paralegal and Assistant Corporate Secretary. Julie can be reached at jgonzales@ccrcorp.com.
Emily Sacks-Wilner is our newest Editor. Emily has spent time in fintech and at large firms, working closely with public companies and pre-IPO companies on numerous equity offerings, periodic SEC filings, M&A and corporate governance matters. Emily has also served as in-house M&A counsel for an S&P 500 company. She can be reached at eswilner@ccrcorp.com – and will be joining our blogging lineup soon!
Emily & Julie both bring tons of practical experience and have jumped in with very helpful contributions to our resources. I’m excited for you to get to know them. Feel free to drop them a welcome note!
The PCAOB recently published this 14-page summary of observations on its 2020 inspections of public accounting firms. The report highlights obstacles & good practices at audit firms, which can be helpful for audit committees to know when they’re engaging & overseeing auditors. Here’s one takeaway that’s good if you’re using a firm that’s inspected annually (which are listed on this page):
For the majority of the annually inspected audit firms, we identified fewer findings in 2020 compared to our 2019 inspections. In our triennially inspected audit firms, some improvements were noted, although deficiencies continue to remain high.
The report says that revenue recognition remains an area with room for improvement – so expect auditors to continue to be very focused on that. And, if your company has experienced a cybersecurity incident, the ICFR impact of that is going to get a second look during an inspection:
We continue to review audits of public companies that experienced a cybersecurity incident during the audit period. We observed in our reviews how the auditor considered the cybersecurity incident in their risk assessment process and, if applicable, in their response to identified risks of material misstatement.
In certain audits reviewed, the auditor evaluated he severity and impact of the cybersecurity incident but did not consider whether the incident affected their identification or assessment of risks of material misstatement; whether modifications to the nature, timing, or extent of audit procedures were necessary; and whether the incident could be indicative of one or more deficiencies in ICFR.
We’ve posted the transcript for our recent DealLawyers.com webcast: “Navigating De-SPACs in Heavy Seas.” This program provided a lot of great practical guidance on handling the increasingly complex and challenging De-SPAC process. Erin Cahill of PwC, Bill Demers of POINT BioPharma, Reid Hooper of Cooley and Jay Knight of Bass Berry & Simms addressed the following topics:
– Overview of the Current Environment for SPAC Deals
– Negotiating Key Deal Terms/Addressing Target Concerns
– The PIPE Market and Alternative Financing Methods
– Target Preparations to Go Public Through a SPAC
– Managing the Financing and Shareholder Approval Process
– Post-Closing Issues
We made this webcast available as a bonus to member of TheCorporateCounsel.net, and so we’ve posted the transcript on this site as well.
It is my favorite time of year – the leaves are changing colors, there is a slight chill in the air, and my thoughts inevitably turn to – cybersecurity? October is Cybersecurity Awareness Month, which has apparently been a thing since 2004. The overarching theme for Cybersecurity Awareness Month 2021 is “Do Your Part. #BeCyberSmart.”
I think the focus on cybersecurity awareness makes it a great time to take a close look at your cybersecurity disclosure practices. As this MoFo memo notes, the SEC certainly does not need the month of October to be made aware of cybersecurity matters, given that the Division of Enforcement has focused its attention in recent months on “the efficacy of cybersecurity disclosure controls and procedures, especially where sensitive personally identifiable information (PII) is compromised without appropriate remediation, escalation, and disclosure.” With the annual reporting season fast approaching, October is a great time to take a step back and look at both your disclosure controls and procedures and your overall disclosure profile when it comes to cybersecurity.
On the disclosure controls and procedures front, the MoFo memo suggests the following key features of effective cybersecurity controls and procedures:
Set forth steps to identify and investigate cybersecurity incidents;
Assess and analyze the impact of the incident on the company’s business and customers;
Ensure careful analysis of whether the cybersecurity incident is material, giving rise to disclosure obligations;
Refer potentially material cybersecurity incidents to appropriate committees, including the disclosure committee, for assessment and analysis;
Ensure that material cybersecurity incidents are reported to senior management and to the board of directors;
Ensure that material cybersecurity incidents are disclosed to investors and that existing disclosures are reviewed and, if necessary, updated if new facts render them incorrect or misleading;
Prescribe steps and deadlines to remediate incidents based on severity;
Address circumstances under which trading restrictions should be imposed on company personnel who are in possession of material non-public information (MNPI) regarding the incident; and
Provide for the issuance of a document preservation or litigation hold for material incidents or other incidents where the company anticipates litigation.
I think that it is also an opportune time between now and Halloween to review the cybersecurity disclosures in your SEC filings, particularly your cybersecurity risk factor disclosure. Some of the persistent areas of Staff focus through the comment letter process have been as follows:
Unbundling the Cybersecurity Risk. The Staff has often asked that a company break out cybersecurity risks into a separate risk factor, rather than including the risk in one risk factor that addresses a variety of other concerns that the issuer faces.
Addressing the Key Elements. The cybersecurity risk factor should address the types of cybersecurity threats that the company faces, and the extent to which the company has been impacted in a material way by actual breaches or other incidents. The cybersecurity risk factor should also address the risk that cyber incidents may go undetected for a long period of time, which could result in significant consequences. You should address preventative measures that have been established for the purpose of addressing cyber risks, and the risk that such measures may not be effective to avoid an incident. Risks are often raised by third-party access to the issuer’s IT systems, so the risk factor disclosure should address the extent to which access by vendors, outsourcing partiers or others might expose the issuer to a cyber attack. Risk factor disclosure should also address when an issuer has insurance coverage for cyber incidents, and the extent to which costs of a cyber attack could exceed that insurance coverage. The risk factor disclosure should highlight the actual and/or potential consequences of a cyber attack, which could include things like reputational harm, costs to remediate the impact of the attack, and costs for implementing protective measures.
Putting the Risk in Context. One frequent Staff comment asks that an issuer address in the risk factor actual or attempted cyber attacks, so that the reader can understand the risks as they apply in the context of the issuer’s business.
Avoiding Hypothetical Risk Factor Disclosure. With all of the warnings from the SEC and the Staff, it is now more important than ever to monitor all of the cybersecurity incidents that the company faces, so that you can accurately describe the cybersecurity threat in the risk factor without implying that the risks are only hypothetical. A good example of an emerging threat is the recent SolarWinds breach, which exposed companies to a potential threat through a “supply chain” attack, where the malicious software was inserted into the company’s patch prior to being distributed to customers.
As the SEC considers rulemaking in this area, companies should also consider the extent to which investors continue to look for the cybersecurity topic to be addressed from a governance perspective. We continue to see the evolution of disclosure in the proxy statement that addresses the extent to which the board and its committees oversee cybersecurity risks.
Last month, I blogged about the possibility of a large number of companies falling off of the Rule 15c2-11 cliff when amendments to the rule went into effect at the end of September. Rule 15c2-11 specifies the information that brokers must have to initiate or maintain quotations in OTC securities.
In the OTC Markets blog, we found some statistics which describe how companies were affected by the SEC rule change. OTC Markets notes that over 3,000 securities became eligible for public market maker price quotations on OTC Markets, after meeting the requirements of Rule 15c2-11 as amended. Meanwhile, 2,247 former “Pink No Information” securities shifted to the Expert Market tier, where securities may only be quoted on an unsolicited (customer order) basis. OTC Markets notes that “while this represents a large number of securities, it represented less than 5% of the total dollar volume.”
I am happy to report that all of the hard work has paid off and the updated Executive Compensation Disclosure Treatise is now available! I always think of this publication as my “baby,” and I can’t believe that it has reached its adolescence. With 2 volumes and over 1700 pages, my baby has really grown up. Order now so you can have all of the latest guidance for the upcoming proxy season!
During the “SEC All-Stars” panel at last week’s Proxy Disclosure Conference, I spoke on the topic of proxy plumbing. I commented on how the SEC issued the proxy plumbing concept release eleven years ago as of yesterday, and just when the Commission started to make progress in addressing some of the proxy plumbing topics from that concept release, we appear to be taking one step forward and two steps back. While I noted that usually people do not get too excited when you start talking about any topic with the word “plumbing” in it, the SEC’s recent efforts on proxy plumbing has seen more drama than an episode of “Keeping Up With the Kardashians.”
Well, that drama continues, with the National Association of Manufacturers announcing that it has sued the SEC for its approach of not enforcing the recently adopted proxy voting advice rules while the Staff is reviewing potential changes to those rules.
Back in July 2020, the SEC adopted the final rules governing proxy voting advice provided by proxy advisory firms such as ISS and Glass Lewis. The proxy advisory firms would be required to comply with most of the new requirements beginning December 1, 2021. Obviously a lot has changed at the SEC since July 2020, and earlier this year Chair Gensler directed the Staff to reconsider the rules and guidance. Corp Fin put out statement saying that it will not recommend enforcement action to the SEC based on the interpretive guidance and the rule amendments during the period in which the SEC is considering further regulatory action in this area. In addition, in the event that new regulatory action leaves the 2020 exemption conditions in place with the current compliance date, the Staff will not recommend any enforcement action based on those conditions for a reasonable period of time after any resumption by ISS of its litigation challenging the rules and guidance. The SEC’s June 2021 Reg Flex Agenda indicates that proposed amendments to the rules are expected by Spring 2022.
The National Association of Manufacturers, citing numerous concerns with proxy advisory firms, is challenging the SEC’s approach to the rule changes that were duly adopted through a notice and comment rulemaking process. The complaint states:
The SEC’s suspension of the Proxy Advice Rule is flatly unlawful. The SEC may not decide that it no longer stands by a regulation it earlier lawfully promulgated, and—absent any rulemaking process—simply suspend its application. To the contrary, the procedural provisions of the Administrative Procedure Act (APA) exist precisely to bring regularity to agency action.
NAM asks the court to set aside the SEC’s “suspension of the compliance date” for the rule. Stay tuned for the next episode of “Keeping Up With the Proxy Voting Advice Rules.”
In the Advisor’s Blog on CompensationStandards.com, Liz covers a recent announcement by Glass Lewis that it has launched of an Equity Plan Advisory service – through a newly formed affiliate, Glass Lewis Corporate. This service appears to be similar to that provided by ISS Corporate Solutions. The Glass Lewis press release states:
Public companies can work with a Glass Lewis Corporate advisor to model their equity compensation plan against the Glass Lewis model. Advisors will review plans with customers, testing different new-share requests and equity plan amendments against Glass Lewis’ methodology, examining multiple what-if scenarios. Glass Lewis maintains a strict separation between Glass Lewis Corporate advisors and Glass Lewis research analysts in order to ensure the continued independence of our proxy advice.
As Liz notes, this new business model could draw some criticism, as Glass Lewis starts to look more like ISS with this foray into counseling the same companies that are the subject of its recommendations.
Glass Lewis has announced a strategic partnership with Arabesque, a provider of ESG data and insights. The announcement states:
The partnership will see Arabesque provide company ESG profiles for Glass Lewis’ Proxy Paper research reports, enabling clients to gain the latest ESG data and insights on over 8,000 companies worldwide, and access to climate and regulatory data solutions. Using big data and a quantitative, algorithmic approach, Arabesque’s capabilities draw on more than four million ESG data points daily from over 30,000 sources for performance metrics on sustainability, including corporate net-zero alignment.
As a rationale for this partnership, Glass Lewis indicates that investor demand for ESG data is surging, with one third of all assets under management globally now integrating sustainability factors.
As long as I can remember, the SEC’s budget has been a political football. Despite the SEC’s earnest requests for self-funding over the years (the SEC has traditionally netted enough cash from its operations to actually fund its own budget and more), Congress has chosen to keep control of the purse strings as a means to maintain some control over the agency’s regulatory direction. The practical result of this is that the SEC, like many government agencies, is perennially underfunded for the enormous task that it faces.
Earlier this month, the House Financial Services Committee considered the SEC’s mission and budget and heard from Chair Gary Gensler. The Majority Staff memorandum regarding the hearing notes that the SEC’s fiscal year 2023 budget request of $2.169 billion reflects an 8.8 percent increase from fiscal year 2022 “in order to address key priority areas” and “is needed to hire additional agency personnel to oversee increasingly complex and growing financial markets that are expanding across borders and asset classes, including digital assets.” Congresswoman Maxine Waters (D-CA), Chairwoman of the Committee, told Gensler at the hearing: “You have a lot to restore and rebuild. During the Trump Administration, the Commission provided minimal oversight and eliminated key protections for investors.”
The Committee considered a number of pieces of legislation and potential legislation related to the SEC’s mission, including the following:
H.R. ___, Strengthening the Office of Investor Advocate. This discussion draft will strengthen the independence and increase reliability of the funding of the SEC’s Office of Investor Advocate. It would also authorize this office to conduct investor testing and other research, and publicize its findings.
H.R.___, Investor Justice Act of 2021. This discussion draft would create a grant program, administered by SEC’s Office of Investor Advocate, to support investor advocacy clinics.
H.R.___, Empowering States to Protect Seniors from Bad Actors Act. This discussion draft would create a grant program—similar to the one created by the Dodd-Frank Act’s Sec. 989A, which has not been implemented, housed within the SEC Investor Advocate Office to support and strengthen states’ senior investor protection programs.
H.R.___, To amend the Securities Exchange Act of 1934 to improve the governance of multiclass stock companies, to require issuers to make annual diversity disclosures, and for other purposes. This discussion draft would establish minimum listing standards for the stock exchanges in two areas of corporate governance: (1) multiple classes of stock with unequal voting rights, and (2) board diversity. The discussion draft would also require newly listed companies that choose to have multi-class stock structure to also include a seven year sunset provision for that multi-class stock structure, eventually leading to “one share, one vote.”
H.R. 2620, Investor Choice Act of 2021 (Foster). This bill would prohibit financial professionals from requiring their clients into pre-dispute arbitration agreements and ban prohibitions on class action lawsuits in customer contracts that investors often are required to sign in order to receive services from broker-dealers or investment advisers.
H.R.___, Whistleblower Protection Reform Act (Green). This bill is identical to H.R. 2515, which passed the House in 2019 on suspension. It would protect whistleblowers against retaliation, including individuals (1) who blow the whistle internally; (2) who assist in an SEC investigation of these violations, or (3) make disclosures that are required or protected under any law subject to SEC jurisdiction. Currently, these anti-retaliation protections apply only to individuals who report information directly to the SEC.
H.R.___, To prohibit registered investment advisers, brokers, and registered representatives of brokers from facilitating the transaction of or recommending the securities of certain special purpose acquisition companies, and for other purposes. This discussion draft would prohibit brokers and investment advisers from recommending to retail investors SPACs that grant high percentage of “promote” to the sponsors—a compensation arrangement that offers free shares to the sponsors of the SPACs. Currently, SPAC sponsors receive 20% or more in “promote,” which dilutes the shares of retail investors.