September 11, 2018

Beware: The SEC Has a (Very) Old “Form 4” Posted!

As you probably know, the SEC maintains a library of blank forms on its website – including all three of the Section 16 forms. It has come to our attention that the SEC currently has an outdated Form 4 posted – one that harkens back to pre-Sarbanes-Oxley days. This form is outdated, even though it has the first-blush appearance of being current with an OMB approval date in the top right corner of September 2018!

For those too young to remember, before Sarbanes-Oxley was enacted in 2001, Form 4 had a due date tied to the end of each month. The outdated form contains Table II language (see Column 9) about “owned as of the end of the month” – rather than language that should read “owned after the reported transaction.” And the heading for Column 10 should actually say: “Ownership Form of Derivative Security: Direct (D) or Indirect (I)”. So make sure you’re not using this blank form as it doesn’t comport with the SEC’s rules. I imagine the SEC will correct this mistake soon…

Gibson Dunn’s Mike Titera notes that because the templates for Section 16 forms are actually controlled by the SEC’s website (unlike other forms that are filed by uploading the document via Edgar), it appears that no one can actually file the old Form 4 on the SEC’s “Forms” page.

Insider Trading Policies: Cybersecurity Considerations

With the traffic to the transcript for our recent webcast – “Insider Trading Policies & Rule 10b5-1 Plans” – bearing out that this is the most popular program of the year, I thought I would share some of the practical guidance I learned:

Alan Dye, Partner, Hogan Lovells LLP and Editor: It’s become increasingly clear in recent years that a company’s announcement of a cyber breach can have a material adverse effect on both the company and the company’s stock price, so the challenge in the cybersecurity context is twofold.

First, having a process that allows the technical people who understand when a hack has been attempted or has occurred, and who understand what its consequences might be, to be in a position to identify quickly (in light of the SEC’s release) whether there has been an attempted hack in the company’s data systems that could have resulted in a material breach.

Second, escalating those potential material breaches to a level where the general counsel and other senior managers who are in a position to assess potential materiality can make that assessment and decide whether either disclosure is required, or in this context, a trading blackout is appropriate.

In practice, neither of those steps is necessarily easy. For many companies, an attempted breach of the security systems is a daily occurrence. Most of those occurrences turn out to be insignificant. If every one of those incidents led to an immediate blackout or an escalation of the issue to senior executive levels to assess materiality, the window might never open and the process itself could consume inordinate amounts of time.

The balance that companies try to achieve is to make that process both efficient and effective, without overburdening the process. Companies should consider the development of an incident response plan. Many companies are already considering or implementing an incident response plan.

The incident response plan is separate from the insider trading policy. I don’t think the insider trading policy needs to be bogged down with processes for addressing cybersecurity breaches. What the incident response plan does is establish a process at the technical staff level, so the IT group can identify incidents that might constitute a material breach. The incident response plan also includes escalation protocols. Once a potential material breach has been identified, then the breach is escalated so that the general counsel, senior management, or whoever is going to make the assessment of materiality, and whether to open or close the window, can make that assessment.

That process is not unique to or isolated to the insider trading policy, but it generally is and should be integrated into the company’s disclosure controls & procedures, since a breach raises disclosure issues as well as insider trading policy issues.

That process is going to succeed only if the general counsel and senior management, once an incident has been escalated, understand IT systems and understand the tech-speak that tends to come from the people in the IT department, well enough to make a judgment about its materiality. Some companies go so far as to engage in tabletop exercises, where after they’ve developed and put in place an incident response plan, they simulate a breach and an escalation. That process can familiarize both the technical staff who escalate the issue, and the executives and the GC who must make the determination whether that breach might be material, with the appropriate terminology and the analysis that needs to be undertaken.

It’s a nascent area of insider trading policies, so I don’t pretend to know how it’s all going to play out. There hasn’t yet been any case, to my knowledge, where an incident response plan has been put in place and led to either closing or opening the window. I have seen some simulation exercises and they can be puzzling, initially, to those of us who don’t speak “tech” when it comes to cybersecurity exercises.

Insider Trading Policies: Address “Expert Networks”

And here’s another nugget from that transcript:

Howard Dicker, Partner, Weil, Gotshal & Manges LLP: A company should also consider specifically, by prohibiting or warning against, an employee’s participation in a so-called “expert network.” An expert network is not about artificial intelligence or machine-based learning. Rather, it typically involves a firm. There are companies or firms out there that connect hedge funds and other investors with subject matter experts or industry experts.

These experts speak directly to the hedge funds and receive an hourly consulting fee. Some company employees may be interested in earning extra money this way. Some of the largest SEC insider trading cases have involved expert networks, and the allegations were of company employees tipping information not only about their own company, but also about company customers.

The employees involved were not senior executives who were subject to blackout periods and pre-clearance policies, but rather non-executive employees with a high degree of responsibility within the company. The information shared might not have been obviously MNPI, but it was obviously confidential.

I find that employee and director education and training is particularly critical for avoiding inadvertent disclosures of confidential information, and the related potential liabilities, costs, and damages to the employee, director and the company.

Liz Dunshee