October 4, 2017
Your Edgar Filing Was Hacked? 11 Things You Need to Do Now
Yesterday, I blogged about the seriousness of the SEC’s Edgar being hacked (and what we know – & don’t know – about that hack). Today, let’s delve into “what does it mean for those of you that are in-house?” For purposes of this blog, I’m assuming a different type of scenario than the Edgar hack that was just disclosed by the SEC. Something more sinister – such as a hacker going in and changing the numbers in a company’s financials, etc.
John has come up with your “11-step plan of action” if one of your company’s filings on Edgar is hacked:
1. Review your prior filings and press releases on your website and the EDGAR database to determine whether they have been altered from their original versions.
2. Keep a hard copy of your SEC filings “at the ready.” If Edgar is hacked – and it’s your filing being manipulated – you may need something that you know isn’t tainted. It’s hard to taint a hard copy.
3. Have a plan in place to react to your SEC filing being hacked. This includes a list of who you’re going to call first (think senior management, the board, your stock exchange, etc.). And what you’re going to say. After verifying the accuracy of prior filings & coming up with an action plan, contact your stock exchange rep to either confirm to them that any prior filings they’ve looked at are valid – or tell them what you’re working to correct.
4. This is instantly a board matter. Contact the head of the audit committee or other appropriate committee charged with risk oversight immediately. The SEC and the FBI should also be on the short list of people you contact (the SEC’s Enforcement Division has just formed a special unit in this area). Tell your Assistant Director in Corp Fin what has happened and what you are doing to address it early on in the process.
5. Don’t assume that your filing is the only thing that’s been hacked or that it’s the SEC’s fault. Proceed under the assumption that your most sensitive internal systems have been hacked and initiate an investigative and cybersecurity response on that basis. Also, proceed under the assumption that the hack has been going on for a long time. Just blaming the SEC right away might not be appropriate – maybe it was someone at your company (or your financial printer, etc.) that screwed up.
6. Your top public communications priority needs to be correcting the record or acting to disseminate material non-public information that may have been compromised. If the hack has resulted in inaccurate disclosure (e.g., if your filing was hacked), correct it immediately and succinctly. If you have reason to believe that it has resulted in a leak of MNPI, get the information out immediately.
7. Move! Time is of the essence. Don’t get bogged down in narrow legal issues about whether you have a duty to speak. Depending on the circumstances, you may or may not have a legal obligation to do this – but one of the big problems is that you likely won’t know right away where the responsibility for the breach lies. Remember, you will be judged by investors and regulators in part based on how prompt, thorough and transparent your response to the problem is.
8. Credibility is essential. Be as transparent as possible. Don’t spin. Don’t speculate. If you don’t know something, tell people that. If you can’t discuss something, say so and be upfront as to the reasons why.
9. As part of your investigation, review trading activity surrounding prior SEC filings and communications (including any comment letters and responses) to determine whether there has been any unusual activity.
10. Immediately impose a blackout on insiders under your insider trading policy & review recent insider transactions (first thing the media will look at, even though it may be completely irrelevant).
11. If your company sends “test” filings through Edgar, reconsider that practice – or perhaps shorten the window between when you submit a test filing and a “live” filing. And of course, avoid posting earnings releases, etc. online before they are supposed to be posted – remember that series of “URL-sniffing bots” fiascos from a few years back…
John notes: “I don’t know if you’ve seen the show “Mr. Robot,” but it’s basically what “Fight Club” would look like if it was written by smart people. Anyway, the show’s about a group of hackers who bring down the social order by hacking into and destroying personal financial information held by a large corporation (sound familiar?). One of the points the show makes is that in an information-based economy, everything is based on trust. Whether you have any responsibility for the hack or not, people’s trust in YOU has been undermined by it. That fundamental point should underscore every move you make in response.”
Non-GAAP: Does Reg G Apply to M&A Projections?
Here’s something that John blogged on our “DealLawyers.com Blog”: Most public company M&A disclosure documents include a section addressing the forecasts provided to the board and the company’s financial advisors in connection with their evaluation of the transaction. These forecasts typically include non-GAAP financial information, but Rule 100(d) of Reg G provides an exemption from its requirements that applies to disclosures summarizing “the bases for and methods of arriving at” a fairness opinion.
While these forecasts appear to be well within the scope of the exemption, plaintiffs – and in some cases the Staff – have challenged this assumption in the case of non-GAAP information disclosed under a separate heading (typically captioned “Forecasts” or “Projections”) from the discussion of the banker’s fairness opinion. Some have also called into question the applicability of this exemption to tender offer filings.
This Cleary blog sets forth a detailed argument that these distinctions are inappropriate – and that the reconciliation requirements of Reg G do not apply to this information, regardless of what type of disclosure document it appears in or where it appears. Here’s an excerpt summarizing the argument:
It is true that the projections in the “Forecasts” section of M&A disclosure documents include projections that are not GAAP. Indeed, projected unlevered free cash flows are a central input into any discounted cash flow analysis. But in our view the contention that these projections are subject to Regulation G is incorrect.
The provision of a GAAP reconciliation for these forecasts would not serve the purpose for which Regulation G was adopted – namely, to prevent a company from misleading investors by providing NGFMs that obscure its GAAP results and guidance. No such concern applies to the “Forecasts” section of M&A disclosure documents, where the data are being provided solely to enable shareholders to understand the specific, projected financial metrics that the company’s financial advisor used in its financial analyses to support a fairness opinion.
The blog notes that the Staff has sometimes issued comments to the effect that Reg G applies to these disclosures, and recommends that the Staff issue interpretive guidance confirming that the exemption applies to forecasts included in M&A disclosure documents.
– Broc Romanek