Monthly Archives: October 2017

October 17, 2017

Today: “Pay Ratio & Proxy Disclosure Conference”

Today is the “Pay Ratio & Proxy Disclosure Conference”; tomorrow is the “Say-on-Pay Workshop: 14th Annual Executive Compensation Conference.” Note you can still register to watch online by using your credit card and getting an ID/pw kicked out automatically to you without having to interface with our staff. Both Conferences are paired together; two Conferences for the price of one.

How to Attend by Video Webcast: If you are registered to attend online, just go to the home page of or to watch it live or by archive (note that it will take about a day to post the video archives after it’s shown live). A prominent link called “Enter Pay Ratio Conference Here” – on the home pages of those sites – will take you directly to today’s Conference (and on the top of that Conference page, you will select a link matching the video player on your computer: HTML5, Windows Media or Flash Player). Here are the “Course Materials,” filled with 182 pages of annotated model pay ratio disclosures, 156 pay ratio nuggets, talking points, etc.

Remember to use the ID and password that you received for the Conferences (which may not be your normal ID/password for or If you are experiencing technical problems, follow these webcast troubleshooting tips. Here is today’s conference agenda; times are Eastern.

How to Earn CLE Online: Please read these “FAQs about Earning CLE” carefully to see if it is possible for you to earn CLE for watching online – and if so, how to accomplish that. Remember you will first need to input your bar number(s) and that you will need to click on the periodic “prompts” all throughout each Conference to earn credit. Both Conferences will be available for CLE credit in all states except for a few – but hours for each state vary; see this “List: CLE Credit By State.”

SEC Comments: What’s the New “SWAT” Process?

Recently, a member posted this question in our “Q&A Forum” (#9233): “Back on September 18th, Broc blogged about Corp Fin having a new SEC comment letter process. Is the whole “Swat” thing something that is a big difference in how Corp Fin is processing comment letters?” This was my answer:

SWAT is a workflow system that will better document the Staff’s comment letter process, make everything available to everyone on the Staff more easily, provide reports and reminders, etc. It’s all internal and won’t have any impact on what companies see. So it’s just a workflow system. No real impact on what is commented upon…

Corp Fin’s “Climate Change” Comments: The Coming GAO Report

By the way, the announcement about SWAT was buried in the SEC’s Inspector General report about Corp Fin’s comment letter process. That report was pretty innocuous and not of any great moment.

I forgot to note why the IG prepared that report. In July of last year, some members of Congress sent a letter to the IG (and to GAO) asking that they review the SEC’s efforts to implement the climate change guidance of 2010 and assess Corp Fin’s comment letter process. These members of Congress were of the view that Corp Fin should be issuing more comments and they wanted to understand why that was not the case.

This IG report says that the GAO will report separately on its observations related to the SEC’s climate change-related policies & procedures. Now that should be interesting…

Broc Romanek

October 16, 2017

What If the Reg Flex Agenda Became “Real”?

One of the things that I’ve blogged about more than I would like is how the Reg Flex Agenda is merely aspirational – and people should pay little mind to it (here’s one of my more recent entries). History certainly has borne out the truth – I imagine the SEC has missed its predicted timetables for rulemakings listed in the Reg Flex Agenda many more times than not. And not that there’s anything wrong with that, it’s always been viewed as a meaningless regulatory exercise for those “in the know.”

But now – probably due to all the Congressional & media attention being paid to it – SEC Chair Clayton recently told the Senate Banking Committee that he intends to make the Reg Flex Agenda more realistic, including streamlining it (see this Cooley blog).

Kudos if the SEC can pull it off. But I worry that by promising to make deadlines, the SEC is placing a bullseye upon itself. In recent years, the Staff has smartly avoided mentioning any “hard” time frames for conducting rulemaking. That’s because it’s nearly impossible to predict when a rulemaking will come out, even when you’re the one actually writing the rules! It’s difficult to even predict which season of the year it will happen.

There’s a myriad of review layers within the SEC, including:

1. Your superiors within your Division (and there might be quite a few of those)
2. The folks within the SEC’s Office of General Counsel
3. That ever-growing newish Division of Economic & Risk Analysis (DERA)
4. Each Commissioner (and their counsels)
5. Possibly other Divisions or Offices within the SEC, depending on the nature of the rulemaking
6. Possibly members of Congress (or their staff) if it’s a politically-sensitive topic

You think it’s tough getting your proxy through an internal review? That’s nothing. A proposing/adopting release can easily go through 20 drafts. Anyway, I draw your attention to the transcript of one of my favorite webcasts if you want to learn more: “How the SEC Really Works”…

Poll: I Love the Reg Flex Agenda for…

Please participate in this anonymous poll:


Broc Romanek

October 13, 2017

Edgar Vulnerable to “Denial of Service Attacks”!

Recently, I blogged how the SEC’s Edgar is critical to a transparent financial market – and how the recent hack of Edgar is serious business. This Reuters article notes that Edgar could be at risk from “denial of service” attacks. Even worse news comes from this excerpt:

The memo shows that even an unintentional error by a company, and not just hackers with malicious intentions, could bring the system down. Even the submission of a large “invalid” form could overwhelm the system’s memory.

Hopefully, Congress will do the reasonable thing and give the SEC more resources (they need it in all sorts of areas – including to investigate when it is hacked, as noted in this article). Edgar arguably is held together with duct tape and no one should act surprised that it was hacked. The NSA can’t even avoid getting hacked.

By the way, this new bill that would subject credit bureaus – like Equifax – to federal cybersecurity reviews cracks me up. As if the federal government will be using its best cyber resources to review the security of outside entities – it can’t even protect its own systems…

Your Sensitive Information Was Accessed in a Government Hack? No Remedy?

This Davis Polk blog notes that those who have their personal information stolen during a hack of a government database are unlikely to have a remedy. And this Davis Polk blog wonders whether the hack of Edgar will result in a delay of the Consolidated Audit Trail (which will consist of a central repository for SROs and broker-dealers to submit extensive information in standardized formats regarding securities trading activity)…

The SEC’s New “Cyber” Unit: Getting the Band Back Together!

Last week, I blogged about the challenges that the SEC will face hiring cybersecurity experts given the extreme shortage of that resource. On a lighter note, it is interesting that the SEC’s Division of Enforcement disbanded its “Office of Internet Enforcement” in 2009, recognizing that the entire Division really should have expertise in that area. Now with the SEC creating a similar “Cyber” unit, John Reed Stark shared this great pic of his former office on LinkedIn:

Broc Romanek

October 12, 2017

SEC Proposes Fast Act Rules to Simplify S-K

Perhaps you thought the FAST Act was way behind us – but remember the SEC still hasn’t adopted some rules required by Dodd-Frank. Yesterday, the SEC proposed a variety of rules and form changes as required by the FAST Act. Here’s the 253-page proposing release; we’ll be posting memos in our “Disclosure Effectiveness” Practice Area. In this blog, Cydney Posner highlights some of the proposals, including:

1. Limit the period-to-period comparison required in MD&A to only the two most recent fiscal years presented in the financials, so long as the earlier period discussion is no longer material to understanding the financials and it has been included in the previous 10-K.

2. Allow companies to omit or redact confidential information from material contract exhibits that is not material and would cause competitive harm if publicly disclosed, without having to submit an unredacted copy and prior formal request to the Corp Fin Staff, as is currently required. This is intended to change the process only & is not intended to change the substantive requirements.

3. Limit the two-year “look back” requirement for exhibits to apply only to newly reporting companies.

4. Clarify that disclosure regarding properties is required only to the extent that the property is material.

5. Require inline XBRL tagging for all cover page information – and require the cover page to include the (tagged) ticker symbol for each class of securities registered under the Exchange Act.

6. Require disclosure of legal entity identifiers (“LEIs”) for the company & any significant subsidiaries identified on Exhibit 21.

7. Require links to information incorporated by reference from previously filed documents.

In this blog, Ning Chiu does a great job of listing the seven ways that periodic reporting could change…

Pay Ratio: How to Handle PR & Employee Fallout

For those coming to next week’s “Pay Ratio & Proxy Disclosure Conference,” you’ll hear tidbits about the hot “employee reaction” topic all day long – but particularly during the panel entitled “Pay Ratio: How to Handle PR & Employee Fallout.” Recently, as noted in this press release, Willis Towers Watson found that this was the topic of largest concern when it surveyed companies. Here’s an excerpt:

Indeed, roughly half of the respondents polled (49%) cited forecasting how their employees will react to the ratio disclosure as their number one challenge, but that other challenges still loom. About four in 10 (39%) said determining the consistently applied compensation measure (CACM) is their great challenge followed by getting accurate pay data (38%), deciding how to craft their required disclosure (37%) and determining where their pay ratio stands compared with that of their peers, their industry and the market (35%).

Also see this Parker Poe blog – and this “HRE Daily” article

More on Our “Proxy Season Blog”

We continue to post new items regularly on our “Proxy Season Blog” for members. Members can sign up to get that blog pushed out to them via email whenever there is a new entry by simply inputting their email address on the left side of that blog. Here are some of the latest entries:

– More on “Showing Off Your Directors Via Video”
– Shareholder Proposal Reform: Keith Higgins Wades In…
– Showing Off Your Directors Via Video
– Proxy Season: Steps to Take Now to Prepare
– Online Disclosure & Mobile IR Websites: S&P 500 Study

Broc Romanek

October 11, 2017

The New Playbook? Treasury Recommends All Sorts of Reform!

As noted in Steve Quinlivan’s blog, Reuters article and WSJ article, the Treasury Department issued this 232-page report last week, as mandated by the Administration’s Executive Order that sets forth core principles for the markets.

This is one of 4 reports coming out of Treasury dealing with various types of reform. In this Treasury Report, there’s a bunch of recommendations that impact our area of law – and most of them can be accomplished at the agency level, not needing action by Congress. We’re posting memos in our “Regulatory Reform” Practice Area.

As noted in Steve’s blog, the list includes (but is certainly not limited to):

1. Repeal of Section 1502 (conflict minerals), Section 1503 (mine safety), Section 1504 (resource extraction), and Section 953(b) (pay ratio) of Dodd-Frank. In the absence of legislative action, the SEC should consider exempting smaller reporting companies (SRCs) and emerging growth companies from these requirements.
2. The SEC should move forward to remove SEC disclosure requirements that duplicate financial disclosures required under GAAP by the FASB.
3. Companies other than EGCs be allowed to “test the waters” with potential investors who are QIBs or institutional accredited investors.
4. $2,000 holding requirement for shareholder proposals should be substantially revised.
5. Resubmission thresholds for repeat proposals be substantially revised from the current thresholds of 3%, 6%, and 10%.
6. SEC should continue its efforts, when reviewing company offering documents, to comment on whether the documents provide adequate disclosure of dual class stock and its effects on shareholder voting.
7. Modify rules that would broaden eligibility for status as an SRC and as a non-accelerated filer to include entities with up to $250 million in public float as compared to the current $75 million.
8. Extend the length of time a company may be considered an EGC to up to 10 years, subject to a revenue and/or public float threshold.
9. Expand Regulation A eligibility to include Exchange Act reporting companies.
10. Tier 2 offering limit should be increased to $75 million.
11. The SEC, FINRA and the states propose a new regulatory structure for finders and other intermediaries in capital-forming transactions.
12. Accredited investor definition should be amended with the objective of expanding the eligible pool of sophisticated investors.
13. Review of provisions under the Securities Act and the Investment Company Act that restrict unaccredited investors from investing in a private fund containing Rule 506 offerings.

Here’s a “Fact Sheet” for the Report. Also see Appendix B of the Treasury Report (pg. 203) for a tabular breakdown of the recommendations by topic…

Today’s Webcast: “Evolution of the SEC’s OMA”

Tune in today for the webcast – “Evolution of the SEC’s OMA” – to hear Michele Anderson, Associate Director of the SEC’s Division of Corporation Finance & Ted Yu, Chief of Corp Fin’s Office of Mergers & Acquisitions, Skadden’s Brian Breheny, Weil Gotshal’s Cathy Dixon, Alston & Bird’s Dennis Garris and Morgan Lewis’ David Sirignano in a discussion of how Corp Fin’s Office of Mergers & Acquisitions has evolved over the years…

Mandatory Arbitration: Bad for Defendants?

In July, John blogged about SEC Commissioner Piwowar’s apparent support for mandatory arbitration clauses – which historically have been considered contrary to public policy & potentially inconsistent with Securities Act anti-waiver provisions.

This blog from Lane Powell’s Doug Greene explains why a shift to mandatory arbitration wouldn’t be the panacea that companies are looking for – in fact, they might be a lot worse off. Here’s a teaser:

These arbitrations would be unmanageable. Each plaintiffs’ firm would recruit multiple plaintiffs to initiate one or more arbitrations—resulting in potentially dozens of arbitrations over a disclosure problem. Large firms would initiate arbitrations on behalf of the institutional investors with whom they’ve forged relationships, as the Reform Act envisioned. Smaller plaintiffs’ firms would initiate arbitrations on behalf of groups of retail investors, which have made a comeback in recent years.

We often object to lead-plaintiff groups because of the difficulty of dealing with a group of plaintiffs instead of just one. In a world without securities class actions, the adversary would be far, far worse—a collection of plaintiffs and plaintiffs’ firms with no set of rules for getting along. Securities-disclosure arbitrations would cost multiple times more to defend and resolve.

All this to say – if a policy shift does come to fruition – we’re not sure it’ll be quickly embraced.

Broc Romanek

October 10, 2017

Today’s Webcast: “E&S Disclosures – The In-House Perspective”

Tune in today for the webcast – “E&S Disclosures: The In-House Perspective” – to hear National Vision’s Jared Brandman, Davis Polk’s Ning Chiu, Bristol-Myers Squibb’s Kate Kelly, Apple’s Jung-Kyu McCann and Clorox’s Stephanie Tang discuss environmental & social disclosure issues – in both SEC filings & other types of filings.

SASB Proposes ESG Disclosure Standards

As Ning notes in her blog, the Sustainability Accounting Standards Board (SASB) released draft standards for Environmental, Social and Governance (ESG) disclosure last week, launching a 90-day public comment period which ends on December 31st. Four years in the making, these standards set forth ESG topics covering 11 different sectors and 79 industries for public companies to disclose annually.

Ning has a link to where the exposure draft resides. I decided not to do so – because I’m dismayed that one can only receive a copy if you fill out a form. Studies show that downloads of documents dramatically go down if you force people into providing their personal information – even if the document is free. I dislike this practice – particularly for something like this that has a regulatory feel…

Heads Up! Legal Entity Identifier (LEI)/MiFID II Deadline

A member recently asked in our “Q&A Forum” (#9237): “It appears that several EU firms are reaching out to U.S. public companies to obtain a Legal Entity Identifier (LEI) in advance of the new EU financial markets regulation (MiFID II and MiFIR) becoming effective (or risk that company shares cannot be traded in Europe after January 3, 2018). Are public companies applying for LEI’s, and if so, how? It looks like Bloomberg is an accredited issuer of LEIs as a Local Operating Unit (LOU), but I’m just trying to get a handle on how other public companies are responding and why.”

I asked a few in-house friends about this – and they were unaware of this requirement. We posited some potential thoughts on this topic in response to the query in the “Q&A Forum” – and now the first law firm memo is out about it. Send more!

Broc Romanek

October 6, 2017

The (Very) Pregnant Securities Lawyer

Some of you might know that I’m rolling into “Week 38” of my second pregnancy…the “home stretch.” For all the parents out there – especially moms – you know that balancing your pregnancy & profession can present some unique issues. Here are 4 things I’ve experienced:

1. To-Do Lists: At this point, these are growing faster than the baby. There’s the work list, the mom/baby healthcare & benefits lists, the nursery list, etc. It can be overwhelming, especially since all the tasks have the same imminent – but unknowable – deadline.

With our firstborn, I managed to wrap up my work projects (and report for jury duty!) just before the baby’s early arrival. But, we were “those people” who didn’t have a name picked out & installed the car seat in the hospital parking lot. This time, I’d love to have 10 minutes of downtime to mentally prepare for the new person who’s joining our family. I’m not there yet – but there’s still hope.

2. Transition Mechanics: I’ve benefitted from good parental leave policies, but there’s an art to making this work. Good colleagues & relationships are key, since it’s scary to entrust your work and clients to someone else. You want to know they’ll do a great job but also that your position is secure and your clients will still want to work with you when you return. You’re also well-aware that you’re asking big favors. Co-workers are taking on extra work – with limited background and without an obvious long-term incentive. Clients are dealing with someone they don’t know, who might not have the entire backstory for on-the-fly questions.

It’s best for everyone if you’re extremely organized going into leave (more to-do lists, plus contact lists). Discuss expectations with clients & colleagues – separately & during intro calls. I also continued to monitor e-mail and was available for questions during leave. People are pretty respectful, but they like knowing you won’t hang them out to dry. Small thank-you gifts also never hurt.

3. Awkward Networking: I don’t like being pregnant in a professional setting. Pretty much everyone stares at and/or comments on your body. This doesn’t bother me much if the other person is relating to me as a fellow parent – maybe it’s even a good icebreaker – but you still need a tactic for redirecting the conversation to any professional topics you wanted to cover. And always have a stock response ready for people who aren’t as smooth. Because the cruel irony is that you can’t just smile and take a big drink of wine…

4. Mixed Feelings: Don’t get me wrong, I love our two-year-old more than life and I’m grateful and excited for the opportunity to care for another little person. But parenthood isn’t always easy or fun, the world isn’t always kind, and experiencing all that love also requires a lot of vulnerability.

On top of that, there’s the postpartum identity crisis – during which you try to reconcile your ambitious, always-available, pre-baby self with the realities of limited time & sleep, as well as whatever you & society think a mother/parent should look like. There’s a tension between proving yourself all over again and setting boundaries that allow you to actually enjoy your family. Both are necessary and evolve over time. As a woman in an historically male-dominated profession, I’m also constantly thinking about how my attitude, day-to-day actions & career decisions might impact my kids’ ambitions and worldview.

But there’s upside: the transition is a chance to examine your goals – and decide how to maximize your potential. Plus, you might be more creative & efficient.

I know I’m not alone on this journey of balancing pregnancy, parenthood & lawyering – email me with any experiences & “lessons learned” that you want to share!

Corp Fin’s “Partial” Global Rule 13e-4 Relief

Here’s something that Broc blogged yesterday on the “ Blog“: Whenever Corp Fin’s Office of Mergers & Acquisitions posts a new no-action response, I take a gander to see if it’s new or unusual. Typically, they aren’t – and this new response to CBS falls within that category. It’s basically one of the formula pricing variety (albeit in the Reverse Morris Trust exchange offer context).

The Staff’s relief allows for the bidder/issuer to offer a number of shares in exchange based on the dollar amount of securities tendered – and relies on “formula pricing” mechanisms going back to the old Lazard Frères no-action letter from the 1980’s while utilizing the “pricing goes hard at least two days prior to expiration.”

So nothing surprising here, except the last paragraph in the no-action letter which states the Staff will no longer be issuing no-action letters for parts of this area. The global relief is somewhat narrow – it covers only Day 18 VWAP pricing in a RMT. So issuers can go on their own if they fit within the letter’s facts. Be careful – the request doesn’t expressly give global relief for Day 20 VWAP pricing, which has a few more conditions under Staff precedents.

This is clearly a sign that Corp Fin is looking to get out of the business of issuing time-consuming no-action letters in situations where there is a well-trodden path of letters…

Speaking of the Staff, don’t forget to tune in next Wednesday, October 11th for the webcast – “Evolution of the SEC’s OMA” – to hear current & former Chiefs of the SEC’s “Office of Mergers & Acquisitions” discuss what that job is all about. Join Corp Fin’s Michele Anderson and Ted Yu, as well as Skadden’s Brian Breheny, Weil Gotshal’s Cathy Dixon, Alston & Bird’s Dennis Garris and Morgan Lewis’ David Sirignano. This is a unique event!

Do EPS Incentives Discourage CapEx?

This Goldman Sachs video suggests we’re in a period of declining capex – for the first time since the early 90s. Some think that’s because shareholders prefer dividends and buybacks over long-term investments. This Dealbreaker article suggests there’s also a connection to incentive pay structures:

How executives are rewarded has a real impact on capital allocation. When a CEO’s bonus is tied to earnings per share – a metric that can be juiced by gobbling up shares – that company will likely do more and bigger buybacks. And when companies appear to buy back shares in order to avoid a negative earnings surprise, capex spending tends to be diminished in the following year. Executives whose personal wealth moves in tandem with their company’s stock price show a particular preference for repurchases over capital expenditures. Larry Fink has a term for this.

If this criticism sounds familiar, it’s because the potential use of buybacks to support stock prices became a “hot topic” a couple years ago. Here’s one of Broc’s blogs discussing it.

Liz Dunshee

October 5, 2017

Course Materials: Updated Model Pay Ratio Disclosures, Expanded 156 Pay Ratio Nuggets & More!

For the many of you that have registered for our “Pay Ratio & Proxy Disclosure Conference” coming up in less than two weeks – starting on Tuesday, October 17th – we have posted the “Full Set of Course Materials.” The Course Materials are better than ever before – due to the new SEC pay ratio guidance that came out a few weeks ago, we have updated our “Annotated Model Pay Ratio Disclosures” – as well as our “How to” Pay Ratio Manual, so that it now has 156 practice nuggets over 65 pages!

Here’s some other info:

How to Attend by Video Webcast: If you are registered to attend online, just go to the home page of or to watch it live or by archive (note that it will take a few hours to post the video archives after the panels are shown live). A prominent link called “Enter the Conference Here” – which will be visible on the home pages of those sites – will take you directly to the Conference (and on the top of that Conference page, you will select a link matching the video player on your computer: HTML5, Windows Media or Flash Player).

Remember to use the ID and password that you received for the Conferences (which may not be your normal ID/password for or If you are experiencing technical problems, follow these webcast troubleshooting tips. Here are the conference agendas; times are Eastern.

How to Earn CLE Online: Please read these “FAQs about Earning CLE” carefully to see if it’s possible for you to earn CLE for watching online – and if so, how to accomplish that. Remember you will first need to input your bar number(s) and that you will need to click on the periodic “prompts” all throughout each Conference to earn credit. Both Conferences will be available for CLE credit in all states except for a few – but hours for each state vary; see our “CLE Credit By State” list.

Register Now to Watch Online: There is still time to register for our upcoming pair of executive pay conferences – which starts on Tuesday, October 17th – to hear Keith Higgins, Meredith Cross, etc. If you can’t make it to Washington DC to catch the program in person, you can still watch it by video webcast – either live or by archive. Register now to watch it online.

Register in Washington DC to Watch In-Person: Starting next Thursday, October 12th, you will no longer be able to register to attend in Washington DC through this site – but you can always register to attend when you arrive in DC! You just need to bring payment with you to the conference and register in-person. But until next Thursday, you can still register online to attend in DC…

Transcript: “Pay Ratio Workshop – What You (Truly Really) Need to Do Now”

We have posted the transcript for our recent pre-conference webcast: “Pay Ratio Workshop – What You (Truly Really) Need to Do Now.” Now get ready for the main event taking place in less than two weeks in Washington DC and by video webcast – 20 pay ratio panels over 2 days: “Pay Ratio & Proxy Disclosure Conference.” It’s time to register now…

SEC Seeks to Enhance Cybersecurity Expertise: Good Luck With That…

Yesterday, SEC Chair Clayton gave testimony before the House Financial Services Committee about the SEC’s budget for the agency’s next fiscal year. The Chair noted that he intended to ask for a $100 million increase over the $1.6 billion budget that the SEC currently has – and also planned to ask permission to lift the hiring freeze currently in place.

The main reason for the additional funds would be to enhance the SEC’s cybersecurity efforts. This article excerpts the key paragraph from the Chair’s testimony:

“The $234 million that the SEC plans to spend on information technology in fiscal year 2018 is quite modest, by way of comparison, to the amounts that the major Wall Street firms spend on their own information technology systems,” he said. “For example, in 2016 one large financial institution alone spent more than $9.5 billion on technology firm-wide, with $3 billion of that dedicated to new initiatives. Another large financial institution spent $6.6 billion in 2016 on technology initiatives.”

That paragraph says it all. When many are predicting a very serious shortage of cybersecurity expertise in the near future, how is a government agency able to compete in recruiting cybersecurity people worth their salt? The government is quite limited in the pay packages it can offer. It’s going to be a very uphill climb – even if Congress agrees to give the SEC this additional money…

Broc Romanek

October 4, 2017

Your Edgar Filing Was Hacked? 11 Things You Need to Do Now

Yesterday, I blogged about the seriousness of the SEC’s Edgar being hacked (and what we know – & don’t know – about that hack). Today, let’s delve into “what does it mean for those of you that are in-house?” For purposes of this blog, I’m assuming a different type of scenario than the Edgar hack that was just disclosed by the SEC. Something more sinister – such as a hacker going in and changing the numbers in a company’s financials, etc.

John has come up with your “11-step plan of action” if one of your company’s filings on Edgar is hacked:

1. Review your prior filings and press releases on your website and the EDGAR database to determine whether they have been altered from their original versions.

2. Keep a hard copy of your SEC filings “at the ready.” If Edgar is hacked – and it’s your filing being manipulated – you may need something that you know isn’t tainted. It’s hard to taint a hard copy.

3. Have a plan in place to react to your SEC filing being hacked. This includes a list of who you’re going to call first (think senior management, the board, your stock exchange, etc.). And what you’re going to say. After verifying the accuracy of prior filings & coming up with an action plan, contact your stock exchange rep to either confirm to them that any prior filings they’ve looked at are valid – or tell them what you’re working to correct.

4. This is instantly a board matter. Contact the head of the audit committee or other appropriate committee charged with risk oversight immediately. The SEC and the FBI should also be on the short list of people you contact (the SEC’s Enforcement Division has just formed a special unit in this area). Tell your Assistant Director in Corp Fin what has happened and what you are doing to address it early on in the process.

5. Don’t assume that your filing is the only thing that’s been hacked or that it’s the SEC’s fault. Proceed under the assumption that your most sensitive internal systems have been hacked and initiate an investigative and cybersecurity response on that basis. Also, proceed under the assumption that the hack has been going on for a long time. Just blaming the SEC right away might not be appropriate – maybe it was someone at your company (or your financial printer, etc.) that screwed up.

6. Your top public communications priority needs to be correcting the record or acting to disseminate material non-public information that may have been compromised. If the hack has resulted in inaccurate disclosure (e.g., if your filing was hacked), correct it immediately and succinctly. If you have reason to believe that it has resulted in a leak of MNPI, get the information out immediately.

7. Move! Time is of the essence. Don’t get bogged down in narrow legal issues about whether you have a duty to speak. Depending on the circumstances, you may or may not have a legal obligation to do this – but one of the big problems is that you likely won’t know right away where the responsibility for the breach lies. Remember, you will be judged by investors and regulators in part based on how prompt, thorough and transparent your response to the problem is.

8. Credibility is essential. Be as transparent as possible. Don’t spin. Don’t speculate. If you don’t know something, tell people that. If you can’t discuss something, say so and be upfront as to the reasons why.

9. As part of your investigation, review trading activity surrounding prior SEC filings and communications (including any comment letters and responses) to determine whether there has been any unusual activity.

10. Immediately impose a blackout on insiders under your insider trading policy & review recent insider transactions (first thing the media will look at, even though it may be completely irrelevant).

11. If your company sends “test” filings through Edgar, reconsider that practice – or perhaps shorten the window between when you submit a test filing and a “live” filing. And of course, avoid posting earnings releases, etc. online before they are supposed to be released – remember that series of “URL-sniffing bots” fiascos from a few years back…

John notes: “I don’t know if you’ve seen the show “Mr. Robot,” but it’s basically what “Fight Club” would look like if it was written by smart people. Anyway, the show’s about a group of hackers who bring down the social order by hacking into and destroying personal financial information held by a large corporation (sound familiar?). One of the points the show makes is that in an information-based economy, everything is based on trust. Whether you have any responsibility for the hack or not, people’s trust in YOU has been undermined by it. That fundamental point should underscore every move you make in response.”

Non-GAAP: Does Reg G Apply to M&A Projections?

Here’s something that John blogged on our “ Blog”: Most public company M&A disclosure documents include a section addressing the forecasts provided to the board and the company’s financial advisors in connection with their evaluation of the transaction. These forecasts typically include non-GAAP financial information, but Rule 100(d) of Reg G provides an exemption from its requirements that applies to disclosures summarizing “the bases for and methods of arriving at” a fairness opinion.

While these forecasts appear to be well within the scope of the exemption, plaintiffs – and in some cases the Staff – have challenged this assumption in the case of non-GAAP information disclosed under a separate heading (typically captioned “Forecasts” or “Projections”) from the discussion of the banker’s fairness opinion. Some have also called into question the applicability of this exemption to tender offer filings.

This Cleary blog sets forth a detailed argument that these distinctions are inappropriate – and that the reconciliation requirements of Reg G do not apply to this information, regardless of what type of disclosure document it appears in or where it appears. Here’s an excerpt summarizing the argument:

It is true that the projections in the “Forecasts” section of M&A disclosure documents include projections that are not GAAP. Indeed, projected unlevered free cash flows are a central input into any discounted cash flow analysis. But in our view the contention that these projections are subject to Regulation G is incorrect.

The provision of a GAAP reconciliation for these forecasts would not serve the purpose for which Regulation G was adopted – namely, to prevent a company from misleading investors by providing NGFMs that obscure its GAAP results and guidance. No such concern applies to the “Forecasts” section of M&A disclosure documents, where the data are being provided solely to enable shareholders to understand the specific, projected financial metrics that the company’s financial advisor used in its financial analyses to support a fairness opinion.

The blog notes that the Staff has sometimes issued comments to the effect that Reg G applies to these disclosures, and recommends that the Staff issue interpretive guidance confirming that the exemption applies to forecasts included in M&A disclosure documents.

Broc Romanek

October 3, 2017

The SEC’s Edgar Hacking: Serious Business

I’m concerned that some folks aren’t worried enough about the SEC’s Edgar being hacked. I’ve seen a number of blogs about SEC Chair Clayton’s cybersecurity statement that didn’t bother to even mention the most important item in that statement: Edgar was hacked! Perhaps that was a byproduct of the SEC “burying the lead” when it stuck that revelation in the middle of a 5-page statement about cybersecurity generally.

But make no mistake about it, this is a huge development. Don’t be numb because hacking news has become so routine. John’s blog about the Chair’s statement keyed in on this theme with his title of “Wow! Edgar Hacked!”

This Bloomberg article notes the significance – here’s an excerpt:

If such breaches continue, or if the SEC is too underfunded or outgunned to fix them, it could undermine company and investor confidence in the agency. That might threaten the regulator’s ability to provide a bedrock principle of the U.S. financial system: market transparency.

The SEC’s Hacking Incident: What We Know (& Don’t Know)

The SEC is certainly now taking the hacking seriously. Yesterday, SEC Chair Jay Clayton issued this update on the breach since the agency has now found that personal information for at least two individuals was hacked (see this Reuters article).

And culling through the written testimony from Chair Clayton before the Senate Banking Committee last week – and the media pieces about that (WSJ’s Andrew Ackerman has penned several pieces; this is the latest), here are a few things we know – and don’t know:

1. Management Kept in the Dark – Although the breach was reported in 2016 to the Department of Homeland Security and the security gaps were patched, SEC Commissioners and the SEC’s then-COO were unaware of the 2016 hack. It’s not known when in 2016 the hacking took place.

2. SEC Has Enforcement Action Pending – An ongoing enforcement probe prevents the SEC from revealing many details about the cyber incident – so there’s a probe into possible illegal trading (or “outside trading” as John Stark describes it). Chair Clayton did disclose that the investigation, which he learned about last month, spurred a second look at the breach.

3. Sparse Facts Known So Far – The SEC hasn’t revealed the type of information accessed by hackers in 2016 nor which companies were affected. So we don’t know which filings were hacked – nor which companies might have been affected by the breach. Chair Clayton’s statement says the SEC’s Inspector General is probing the source of the hack, the type of information obtained and how the SEC responded internally to the breach – he decided to disclose the SEC’s own breach as soon as he had enough information to accurately inform market participants and investors.

4. “Customized” Part of Edgar Enabled the Hack – The hackers exploited a vulnerability in the “customized” part of Edgar that allows companies to test the accuracy of data transmitted in new forms. The SEC has hired outside consultants to test the vulnerability of its systems.

Survey: Boards Not Sharing Cyber Incident News

It apparently isn’t only the SEC that is slow to share the fact that a cyber incident occurred. This recent BDO survey found that just one-quarter of boards (25%) are sharing information gleaned from cyber-attacks with external entities! The survey also found that boards are more involved with cybersecurity than they were 12 months ago – and a similar percentage (78%) say they have increased company investments during the past year to defend against cyber-attacks, with an average budget expansion of 19%.

Broc Romanek