With over 140 Form SDs now on file (and even two amendments), we continue to get a trickle of conflict minerals-related queries in our “Q&A Forum.” Here is one that Dave Lynn answered yesterday:
Question: “We have heard from our printer that we can’t file our Conflict Minerals Report as an exhibit to our Form SD as Exhibit 1.01 because Exhibit 1.01 is reserved XBRL filings. The printer suggests that we file the CMR as Exhibit 1.02. Have others experienced this problem?”
Dave: “Yes, this issue has just come up this week as companies try to file their first Form SD. It seems that most are following the printer’s advice and submitting the Conflict Minerals Report as Exhibit 1.02 to the Form SD.”
Personally, I wonder if anyone will ever read these things and care besides the compliance folks who draft them. My guess is only us, unless there is a scandal in years from now where the company or auditors falsify the report…
Cybersecurity: Securities Class Actions are Coming
Yesterday, the NY Times reported that ISS recommended against most of Target’s board “directly linking what it said was a lack of adequate oversight by the board to the extensive breach of customer data late last year.”
Meanwhile, this interesting blog by Doug Greene of Lane & Powell will scare you. It should. And the time to be thinking about cybersecurity liability due to deficient disclosures is now. Here’s an excerpt from the blog:
In this post, I’d like to focus on cybersecurity disclosure and the inevitable advent of securities class actions following cybersecurity breaches. In all but one instance (Heartland Payment Systems), cybersecurity breaches, even the largest, have not caused a stock drop big enough to trigger a securities class action. But there appears to be a growing consensus that stock drops are inevitable when the market better understands cybersecurity threats, the cost of breaches, and the impact of threats and breaches on companies’ business models. When the market is better able to analyze these matters, there will be stock drops. When there are stock drops, the plaintiffs’ bar will be there.
And when plaintiffs’ lawyers arrive, what will they find? They will find companies grappling with cybersecurity disclosure. Understandably, most of the discussion about cybersecurity disclosure focuses on the SEC’s October 13, 2011 “CF Disclosure Guidance: Topic No. 2” (“Guidance”) and the notorious failure of companies to disclose much about cybersecurity, which has resulted in a call for further SEC action by Senator Rockefeller and follow-up by the SEC, including an SEC Cybersecurity Roundtable on March 24, 2014. But, as the SEC noted in the Guidance, and Chair White reiterated in October 2013, the Guidance does not define companies’ disclosure obligations. Instead, disclosure is governed by the general duty not to mislead, along with more specific disclosure obligations that apply to specific types of required disclosures.
Indeed, plaintiffs’ lawyers will not even need to mention the Guidance to challenge statements allegedly made false or misleading by cybersecurity problems. Various types of statements – from statements about the company’s business operations (which could be imperiled by inadequate cybersecurity), to statements about the company’s financial metrics (which could be rendered false or misleading by lower revenues and higher costs associated with cybersecurity problems), to internal controls and related CEO and CFO certifications, to risk factors themselves (which could warn against risks that have already materialized) – could be subject to challenge in the wake of a cybersecurity breach.
Plaintiffs will allege that the challenged statements were misleading because they omitted facts about cybersecurity (whether or not subject to disclosure under the Guidance). In some cases, this allegation will require little more than coupling a statement with the omitted facts. In cybersecurity cases, plaintiffs will have greater ability to learn the omitted facts than in other cases, as a result of breach notification requirements, privacy litigation, and government scrutiny, to name a few avenues. The law, of course, requires more than simply coupling the statement and omitted facts; plaintiffs must explain in detail why the challenged statement was misleading, not just incomplete, and companies can defend the statement in the context of all of their disclosures. But in cybersecurity cases, plaintiffs will have more to work with than in many other types of cases.
Pleading scienter likely will be easier for plaintiffs as well. With increased emphasis on cybersecurity oversight at the senior officer (and board) level, a CEO or CFO will have difficulty (factually and in terms of good governance) suggesting that she or he didn’t know, at some level, about the omitted facts that made the challenged statements misleading. That doesn’t mean that companies won’t be able to contest scienter. Knowledge of omitted facts isn’t the test for scienter; the test is intent to mislead purchasers of securities. However, this important distinction is often overlooked in practice. Companies will also be able to argue that they didn’t disclose certain cybersecurity matters because, as the Guidance contemplates, some cybersecurity disclosures can compromise cybersecurity. This is a proper argument for a motion to dismiss, as an innocent inference under Tellabs, but it may feel too “factual” for some judges to credit at the motion to dismiss stage.
Understanding the NIST Cybersecurity Framework
In this podcast, Revelle Gwyn of Bradley Arant Boult Cummings addresses cybersecurity in the context of the recently issued NIST Framework – and the implications of the Framework for all companies, including:
– Can you explain the NIST Framework and how it is intended to be used?
– Why is it important for companies outside critical infrastructure industries to be aware of the Framework, and how its use and content evolves?
– Has there been discussion of cost containment or incentives to defray companies’ costs of implementing and adhering to the Framework?
– Broc Romanek