Monthly Archives: June 2019

June 20, 2019

What If the Post Office Was the SEC?!?

The SEC celebrated its 85th birthday a couple weeks ago. You probably know that the Securities Act was one of FDR’s reform initiatives way back in 1933. But did you know that one of the first suggestions he received was for the US Post Office to regulate the securities law? The Post Office! Eventually the SEC was created under a different version of the bill, which passed either because it was “so [darned] good or so [darned] incomprehensible.” Some things never change…

Find more interesting historical details in this book excerpt – which Jeffrey Rubin of Ellenoff Grossman was kind enough to share.

More Exchanges Are Beating the “Sustainability” Drum

Ninety percent of exchanges now have ESG initiatives, according to this survey from the World Federation of Exchanges. No wonder it’s so hard to keep track of who’s doing what. Luckily, most of the initiatives are converging around the UN Sustainable Development Goals. From the WFE’s announcement, here’s a few other findings:

– Although two-thirds of responding exchanges encourage or require ESG disclosure, there is still no consistent global standard for ESG reporting.

– While there appears to be growing investor demand for ESG disclosure, the level of this demand is still considered to be limited in many markets.

– Sustainability indices remain the most commonly offered products, but there has been considerable growth in ESG-related bond offerings, with 73% of exchanges with sustainability products offering green bonds in their markets.

ESG Disclosure Guides: So Many to Choose From

As a follow up to last week’s blogs on sustainability reporting, there’s no shortage of guidelines for disclosure. In fact, that’s part of the problem…and why some predict that companies & investors will end up coalescing around frameworks that are more principles-based, like what’s offered by the UN Sustainable Development Goals or the TCFD – see this Troutman Sanders memo.

Here are three relatively recent disclosure guides (also see this blog about moving sustainability reporting into SEC filings – and this new Nasdaq survey of large company disclosure trends):

1. The 65-page “TCFD Implementation Guide” – brought to you by the Sustainability Accounting Standards Board (SASB) and the Climate Disclosure Standards Board (CDSB) – focuses on annotated mock disclosures that align with the principles of the Task Force on Climate-Related Financial Disclosures. According to this announcement, the guide is a direct response to requests from companies that want to see what effective climate-related disclosure looks like. Bonus points if you can keep all the acronyms straight – there’s a glossary on page 24 if you need help.

2. The “World Business Council for Sustainable Development” recently published this 34-page disclosure handbook that walks through the “who/what/why/how” of ESG disclosure (see pg. 28 for a handy checklist of key points)

3. Nasdaq’s 34-page “ESG Reporting Guide” summarizes reporting frameworks from the TCFD and the UN’s Sustainable Development Goals – as well as guidance & best practices gleaned from the World Federation of Exchanges & Nasdaq’s own pilot program for ESG reporting

SEC Commissioner Nominee: Allison Lee Advances to Senate

Back in April, John blogged that Allison Lee had been nominated to fill the Commissioner vacancy created by the departure of Kara Stein. Bloomberg reported that the Senate Banking Committee has approved her nomination – so it now goes to the Senate. This blog says that the nomination hearing a few weeks ago was pretty short…

Liz Dunshee

June 19, 2019

Private Offerings: SEC’s “Concept Release” Looks to Harmonize Exemptions

Yesterday, the SEC announced that it’s seeking input – via this 211-page concept release – on ways to “simplify, harmonize & improve the exempt offering framework.” While this sounds like a pretty low bar given the complicated interplay of all the federal & state exemptions, I don’t envy the staffers who might be tasked with crafting further changes that please everyone…and don’t cause more confusion. Among the many topics discussed in the concept release, the Commission is considering whether:

– The SEC’s exempt offering framework, as a whole, is consistent, accessible & effective – or whether the SEC should consider simplifications

– There should be any changes to streamline capital raising exemptions – especially Rule 506 of Reg D, Reg A, Rule 504 of Reg D, the intrastate offering exemption, and Regulation Crowdfunding

– There may be gaps in the SEC’s framework that make it difficult for small companies to raise capital at critical stages of their business cycle

– The limitations on who can invest in exempt offerings, or the amount they can invest, provide an appropriate level of investor protection – versus making offerings unduly difficult for companies and/or restricting investors’ access to investment opportunities (this includes a discussion of the “accredited investor” definition)

– The SEC can & should do more to allow companies to transition from one exempt offering to another – and ultimately to a registered public offering – without undue friction or delay

– The SEC should take steps to facilitate capital formation in exempt offerings through pooled investment funds – and whether retail investors should be allowed greater exposure to growth-stage companies through these funds

– The SEC should change exemptions for resales to improve secondary market liquidity

This Cooley blog notes that SEC Chair Jay Clayton & Corp Fin Director Bill Hinman have been laying the groundwork for this release in several speeches during the last year. And many of these ideas have been discussed (passionately) for years in securities law circles and at the SEC’s annual Small Business Forum – so no doubt we’ll see some pretty thorough comments over the next few months. The comment period ends in late September.

Over on Twitter, Professor Ann Lipton pointed out that the concept release has a great table of existing exemptions on pages 10-11 – and intel on how much money was raised last year under each type of offering. We’ll be posting memos in our “Private Placements” Practice Area

“Regulation Crowdfunding”: Not Drawing Much of a Crowd

Yesterday’s concept release on private offering exemptions includes a mandated Staff report on the impact of Regulation Crowdfunding on capital formation & investor protection. Here’s the quotable stat:

From May 2016 (when the rule became effective) through the end of last year, there were only 519 completed offerings – mostly conducted by companies in California & New York – which raised a total of $108 million. During the same time period, 12,700 companies raised a total of $4.5 billion under Reg D.

The SEC does think the Regulation has been attracting new companies to the exempt offering market (rather than encouraging currently participating companies to switch exemptions). But that’s not too surprising given all the downsides of the current rule compared to a more traditional fundraising approach. The concept release includes 13 multi-part questions about ways to make crowdfunding more of a crowd-pleaser.

Auditor Independence: SEC Refines “Debtor-Creditor” Analysis

Yesterday, the SEC issued this 77-page adopting release to amend the auditor independence requirements in Rule 2-01 of Regulation S-X. The amendments impact the analysis of auditor independence when the auditor has a lending relationship with a client or its shareholders. Here’s what the revised rule will do:

– Focus the analysis on beneficial ownership rather than on both record and beneficial ownership

– Replace the existing 10 percent bright-line shareholder ownership test with a “significant influence” test

– Add a “known through reasonable inquiry” standard with respect to identifying beneficial owners of the audit client’s equity securities

– Exclude from the definition of “audit client,” for a fund under audit, any other funds, that otherwise would be considered affiliates of the audit client under the rules for certain lending relationships

According to the SEC, the amendments will more effectively identify debtor-creditor relationships that could impair an auditor’s objectivity and impartiality – as opposed to more attenuated relationships that don’t pose threats & aren’t important to investors.

Liz Dunshee

June 18, 2019

The “Nina Flax” Files: Ways We Make Work Fun

Here’s the latest “list” installment from Nina Flax of Mayer Brown (here’s the last one):

I’m currently the Office Practice Leader for our Northern California Corporate Group – but long before that I was a cheerleader (national champions in high school and, yes, even for a year in college – that surprises some and not at all others). So I think my “rah rah” focus on team work has been a contributing factor to some of these…

1. We Chide: Mostly about lunch. It is not okay to go to lunch by yourself. If the newer members of our team go to lunch without others, or without at least telling others, they get grief. I think deservingly so.

2. We Dance: Okay, maybe not the collective “we” so much as me. But randomly blasting music sometimes and dancing in the office is fun.

3. We Nickname: One of my close college friends was excellent at nicknaming people. He would “Mc” people. Like Sketchy McSpends-A-Lot (that was seriously one of them). I do not “Mc,” but I have come up with “Stealth” (sometimes referred to as “Sneaky,” when describing the way said colleague sometimes sneaks in or out of the office without saying hello or goodbye), “Stinky” (term of endearment, though said colleague sometimes doesn’t shower before 4am calls, which really we should all think is acceptable) and most recently “Bendit” (because said colleague had his hair cut at a barbershop co-owned by Beckham).

I am frequently referred to as “Stinky” (I promise there is no odor, it is a term of endearment, and has nothing to do with not showering before 4am calls) and “Lil’Bit.” I miss the days of “Bean” or “Neener.” I also miss being more creative – some of our nicknames are still just last names. We are working on that, but you can’t force it.

4. We Prank: There was recently a motion at an all-lawyer lunch (which we have each month) to move all of our snacks from the third floor kitchen to the second floor kitchen. Since we determined that the corporate folks present held proxies for all of the corporate colleagues not in attendance due to work travel and conflicting conference calls, the motion was vetoed. But later that night some elves in the office moved all of the snacks into the motioner’s office. In response, the motioner pretended to get said elves in trouble and spread a message through the office manager and others that snacks were being taken away.

5. We Hang: In the office, by having random conversations in our offices, in the kitchen or even in the hall. And importantly outside of the office, whether it is an impromptu dinner hosted at my house, a soccer game, a toddler’s birthday party or a random home drop-by. I have even helped the other Stinky clean and organize toys on a random Saturday – it was cathartic for both of us.

6. We Walk: Sometimes you just need a break – whether it’s from being indoors, or to vent about something that is on your mind. Me and my chief partner in crime have come up with a path around the office that we frequently walk and that we encourage others to walk with us when necessary – or just whenever!

7. We Conspire: Top of mind on this one is what funny artwork we will hang on Stealth’s wall – because it’s weird that they’ve never hung anything on office walls in years. By the time this is published, I will have brought in a print from my childhood bedroom (yes, that I still own). It is called “Shuffle Off to Buffalo,” by Harry Fonseca. My version of this print has buffalo in pink and white, WITH GLITTER, around the border. I am sure Stealth will love it. And even if they don’t, I suspect they won’t exert the energy to take it down, which is hilarious already. It will be a nice addition to the “farm” picture already pinned up courtesy of the other Stinky’s daughter. Stealth correctly identified the main blob as a chicken.

8. We Gift: Like bringing in an avocado with a “Happy Birthday!” post-it on it for a colleague who is on the keto diet. Or a sign from an event “The Future is Female” to put on a colleague’s door.

Transcript: “M&A Stories – Practical Guidance (Enjoyably Digested)”

We have posted the transcript for our recent webcast: “M&A Stories: Practical Guidance (Enjoyably Digested).”

Tomorrow’s Webcast: “Navigating Corp Fin’s Comment Process”

Tune in tomorrow for the webcast – “Navigating Corp Fin’s Comment Process” – to hear former Senior SEC Staffers Era Anagnosti of White & Case, Karen Garnett of Proskauer Rose and Jay Knight of Bass Berry explain the process by which the SEC Staff issues comments – step-by-step – as well as provide their practical guidance about how to respond. This program will cover both the basics, as well as advanced issues for practitioners to consider.

Liz Dunshee

June 17, 2019

Announcing… “CCRcorp”!

Although many of you know our work simply by the names of our “Essential Resources” – e.g.,,, and our related print newsletters – we’re actually part of a company called “EP Executive Press” that was founded by Jesse Brill over 40 years ago (here’s the last installment of Jesse’s “reminiscences” when the company celebrated its 35th anniversary).

Now, we’re entering another new chapter – with a parent-company rebranding to “CCRcorp.” Our new name stands for “Corporate Counsel Resources” – but I for one will forgive anyone who mixes us up with a certain ’60s rock band, especially since we’ll be “chooglin’ on down to New Orleans” for our “Proxy Disclosure Conference” this September.

You may notice some logo changes following our formal announcement later this week. But rest assured, we’ll be providing the same practical info…and when Broc & John are at the keyboard, it’ll even be entertaining.

Financial Reporting of Climate Issues: On the Rise

Despite this blog in which SASB comes around to website sustainability disclosure, two recent reports indicate that reporting about climate change risks – and opportunities – is moving from standalone reports into SEC filings. First, this big survey from CDP (formerly the “Carbon Disclosure Project”) identifies a number of physical, supply chain, compliance and other risks – as well as cost savings and strategic opportunities – that are financially impacting companies. Here’s an excerpt from this Cooley blog:

The vast majority of the potential financial opportunities were categorized as “likely, very likely or virtually certain.” Of these opportunities, companies reported that $471 billion could be recognizable now, but $1.34 trillion (62%) was expected to materialize in the short- to medium-term. Over $1.2 trillion of these opportunities were identified by companies in the financial services industry, followed by manufacturing ($338 billion), services ($149 billion), fossil fuels ($141 billion) and food, beverage and agriculture ($106 billion).

The Task Force on Climate-related Financial Disclosures also announced the takeaways from its new status report – which looked at disclosures from 1100 large companies in 142 countries. Here’s an excerpt from a Davis Polk blog about the findings (also see this Cooley blog, which emphasizes the report’s suggestions for improvement):

At the time the 2019 status report was written, approximately 800 organizations expressed support for the TCFD framework. This support marks a 50% uptick compared to the number reported in the 2018 version. According to the 2019 status report, the average number of TCFD recommended disclosures per company increased by 29% from 2.8 in 2016 to 3.6 in 2018. Moreover, the percentage of companies that disclosed information that aligns with at least one of the TCFD’s recommendations rose from 70% in 2016 to 78% in 2018.

While companies still disclose more climate-related information that aligns with the recommendations in sustainability reports, the TCFD found that between 2016 and 2018 there was a greater percentage increase in information reported in financial filings or annual reports (by 50%) than the increase in sustainability reports (by 30%).

Tomorrow’s Webcast: “Joint Ventures – Practice Pointers”

Tune in to tomorrow for the webcast – “Joint Ventures: Practice Pointers” – to hear Eversheds Sutherland’s Katie Blaszak, Hunton Andrews Kurth’s Roger Griesmeyer, Orrick’s Libby Lefever and Davis Polk’s Brian Wolfe share “lessons learned” that will help you master the art of joint ventures.

Liz Dunshee

June 14, 2019

“The Three Ruths”

At our “Women’s 100” event in NYC, Shelley Dropkin of Citigroup was honored with a lifetime achievement award. Shelley was kind enough to let us blog about her remarks. Here’s an excerpt:

Before I close, I would like to pay tribute to three women who in very different ways inspired and guided me. Interestingly, they are all named Ruth.

For years I carried for inspiration the words of Ruth Bader Ginsburg – who spoke most eloquently about what the support of her mother had meant to her – she described her mother as “the bravest and strongest person I have known, who was taken from me much too soon. I pray that I may be all that she would have been had she lived in an age when women could aspire and achieve and daughters are cherished as much as sons.”

The second is my sister-in -law Ruth Hochberger – Ruth was the editor in chief of the New York law journal raising her children in New York City when we met. She had figured out that balance that so many women were searching for and that I had just begun to grapple with. It was with her as a role model that I figured out that I could make a life as a mother and a professional work – and for that I am grateful.

Finally – and this is the most difficult – is my mother Ruth, who I lost way too young. She believed in me as only a mother can and made me believe in myself. I can only hope that I have provided that same foundation of love and support to my boys. It is to my mom that I dedicate this award.

Our “Women’s 100” Events: 10 Things We Discussed

Our annual “Women’s 100 Conferences” – in both Palo Alto & NYC – continue to be my favorite thing. Here are 10 discussion topics that Aon’s Karla Bos & I came up with for our “Big Kahuna” session:

1. Linking executive compensation to E&S/sustainability metrics: will it get much traction outside of energy companies?

2. State Street’s new “R-Factor” ESG rating

3. Investor & company views on the “Long-Term Stock Exchange”

4. Providing non-GAAP reconciliations in the CD&A

5. Proxy advisor/shareholder proposal reform

6. How to get started with sustainability reporting

7. Investor & company views on involving IR in engagement meetings

8. Equal pay audits & disclosure

9. Investor expectations for “human capital” disclosure

10. How to interact with shareholder proponents at meetings

Sights & Sounds: “Women’s 100 Conference ’19”

This 45-second video captures the sights & sounds of the “Women’s 100” events that recently wrapped up in Palo Alto & NYC:

Liz Dunshee

June 13, 2019

Director Independence: Nasdaq Proposes Changes to “Family Member” Def’n

Since 2002, the Nasdaq & NYSE definitions of “Family Member” have differed – and that’s caused more than a few headaches for anyone who has to prepare or complete a D&O questionnaire or analyze director independence. According to this notice published yesterday by the SEC, the discrepancies are all due to an oversight when Nasdaq paraphrased its definition 17 years ago – and now the exchange is proposing changes to Rule 5605(a)(2) that would essentially revert back to the old formulation.

If the revisions are approved, the Nasdaq definition will no longer include step-children – and there will also be a carve-out for domestic employees who share a director’s home. Of course, the board still has to make an affirmative determination that no relationship exists that would interfere with a director’s ability to exercise independent judgment, and those relationships can be considered as relevant factors. Comments are due in mid July.

On Monday, the SEC also published this notice of an immediately-effective Nasdaq rule change that adds a definition of “Derivative Securities” to the Rule 5615 corporate governance & IM-5620 annual meeting exemptions – and modifies & adds exemptions for issuers of only non-voting preferred securities & debt securities. Nasdaq noted that the proposed changes would substantially conform to the existing rules of NYSE Arca.

Board Leadership Structure: Governance Impact

Investors remain mixed in their view of whether companies should have an independent chair. In this “CLS Blue Sky Blog”, ISS Analytics examines the gap between board leadership practices in the US and the rest of the world – and the possible consequences. Here’s an excerpt:

In relation to board composition, board refreshment and gender diversity improve as independent leadership on the board increases. In addition, shareholder rights and responsiveness to shareholders also improve with increased board leadership.

On the compensation front, companies that lack board leadership tend to pay their CEO at a higher multiple compared to the CEOs of peer companies. However, pay equity within the C-Suite mainly correlates with whether the roles of Chair and CEO are combined. Combined CEO-Chairs tend to get paid more relative to the rest of their executive team regardless of whether there is a Lead Director on the board.

One of the next logical questions is, “Do these consequences ultimately impact company performance?” As you might expect from an academic paper entitled “Irrelevance of Governance Structure,” a couple of researchers say that “shareholder rights” might not matter.

Based on comparing “real world” outcomes to a constructed model of an efficient universe, they conclude that “the relationship between the allocation of control rights and firm performance is more complex than just holding conflicted managers accountable.” In the model, the governance structure was irrelevant when other factors were at play – e.g. shareholders having imperfect information or market power, and managers having meaningful career concerns.

Boards Around The World

Spencer Stuart has taken data from its well known “Board Indexes” (here’s the US version) and created this interactive tool to compare “average” board practices around the world. Topics include board composition, diversity, director pay and board assessments.

Liz Dunshee

June 12, 2019

ESG: Ratings Are Up, But So Are Controversies

Recently, ISS ESG (the “responsible investment” arm of ISS) announced its annual ratings of ESG performance for companies across the globe. At first glance, things look good:

This year’s report finds the share of companies covered by ISS’ Corporate Rating and assessed as “good” or “excellent” (both assessments lead to Prime status) now stands at 20.4 percent, up from just over 17 percent in the previous year. This year’s report also shows that the group rated with medium or excellent performance (on a four-category scale of poor, medium, good or excellent) now includes more than 67.5 percent of covered companies in developed markets. This represents an all-time high over the 11-year history of the report. Similar patterns can be observed among companies in emerging markets, the report finds, albeit at a considerably lower level.

But the jury’s still out on whether companies are following through on the sustainability strategies that they’re touting. We’ve blogged that CSR statements might serve as the basis for plaintiffs’ claims – and the ISS ESG analysis confirms that these types of disputes are on the rise. Here’s an excerpt:

Meanwhile, Norm-Based Research, which identifies significant allegations against companies linked to the breach of established standards for responsible business conduct, saw a more than 40 percent rise in the number of reported controversies across all ESG topics. This exemplifies a growing misalignment of corporate practices with stakeholder expectations that are grounded in UN Global Compact and the OECD Guidelines for Multinational Enterprises.

At the close of 2018, failures to respect human rights and labour rights together accounted for the majority (56 percent) of significant controversies assessed under ISS ESG’s Norm-Based Research. Industries that are most exposed to controversies in the environmental area are Materials, Energy, and Utilities. On social matters, Materials is also leading, similarly followed by Energy and Capital Goods. The governance area sees most controversies within Banks, Capital Goods, and Pharmaceuticals & Biotechnology.

ESG Ratings: Making Sure They’re Accurate

This 19-page DFin paper points out that it’s increasingly important to understand your ESG ratings and correct any errors, because investors are using them to evaluate non-financial performance and compare your company to other investment alternatives (e.g. this blog says that the universe of “sustainable funds” grew by 50% last year – also see this WSJ article). In addition to outlining the issues that factor into ratings, DFin gives seven steps to ensure accurate scoring:

1. Learn about existing ESG ratings frameworks
2. Know your ESG scores
3. Compare yourself to your peers
4. Understand how the various ratings standards compare to one another
5. Attend to the raw data your company provides – the data comes from SEC filings, your website, blogs, social media, etc.
6. Supply information proactively
7. Sharpen your communications

ESG: Advantages for Small & Mid-Cap Companies

We’ve blogged (sometimes more than we’d like) about the growing interest in ESG topics – among institutional as well as retail shareholders, and even credit rating agencies. While most large cap companies are now publishing sustainability reports and incorporating ESG metrics into business decisions, many smaller companies are just beginning that journey.

This blog from Next Level Investor Relations explains how even thinly-staffed small & mid-cap companies can identify strategic & disclosure-based ESG improvements that can improve their business, make important customers happy, and enhance their access capital. Here’s an excerpt (also see this blog from the Governance & Accountability Institute addressing ROI for sustainability efforts):

As highlighted in recent Gartner supply chain research, “ESG has emerged as a source of growth & innovation strategy for supply chains, spurring better performance & mitigating supply chain risks.” So why develop the widget (or ESG disclosure) that nobody wants? What are your customers (and competitors) focusing on in their ESG/Sustainability disclosure and supplier questionnaires?

AlphaSense search on ‘ESG Sustainability AND Profitability’ for the latest 12 months found 56 small and mid-cap companies across 10 sectors, with related disclosure including supply chain policies, expectations and supplier audit practices across the cap range, from $266mm market cap Natural Grocers by Vitamin Cottage [$NGVC] to Tetra Tech [$TTEK] and Goodyear [$GT], market cap $3.3bn and $4.2bn, respectively.

Liz Dunshee

June 11, 2019

Proxy Access Nominee Gets Elected

Last December, Broc blogged about the second-ever attempt at using proxy access – via a Schedule 14N filed for “The Joint Corp.” This Form 8-K reports that the nominee was elected – along with all of the incumbents that the company nominated. It doesn’t look like the company put up much of a fight (at least not publicly). The filings indicate that the proxy access nominee was added to the slate in lieu of one of the prior-year directors, who wasn’t renominated.

Our “Proxy Disclosure Conference”: Reduced Rates End This Friday

Time to act. Register now for our popular conferences – “Proxy Disclosure Conference” & “16th Annual Executive Compensation Conference” – to be held September 16-17th in New Orleans and via Live Nationwide Video Webcast. Here are the agendas – nearly 20 panels over two days.

Among the panels are:

– The SEC All-Stars: A Frank Conversation
– Hedging Disclosures & More
– Section 162(m) Deductibility (Is There Really Any Grandfathering)
– Comp Issues: How to Handle PR & Employee Fallout
– The Top Compensation Consultants Speak
– Navigating ISS & Glass Lewis
– Clawbacks: #MeToo & More
– Director Pay Disclosures
– Proxy Disclosures: 20 Things You’ve Overlooked
– How to Handle Negative Proxy Advisor Recommendations
– Dealing with the Complexities of Perks
– The SEC All-Stars: The Bleeding Edge
– The Big Kahuna: Your Burning Questions Answered
– Hot Topics: 50 Practical Nuggets in 60 Minutes

Reduced Rates – act by June 14th: Proxy disclosures are in the cross-hairs like never before. With Congress, the SEC Staff, investors and the media scrutinizing disclosures, it is critical to have the best possible guidance. This pair of full-day Conferences will provide the latest essential—and practical—implementation guidance that you need. So register by June 14th to take advantage of the discount.

Tomorrow’s Webcast: “Proxy Season Post-Mortem – The Latest Compensation Disclosures”

Tune in tomorrow for the webcast – “Proxy Season Post-Mortem: The Latest Compensation Disclosures” – to hear Mark Borges of Compensia, Dave Lynn of and Morrison & Foerster and Ron Mueller of Gibson Dunn analyze what was (and what was not) disclosed this proxy season.
Liz Dunshee

June 10, 2019

Cyber Breaches: New California Law Discourages Disclosure?

At a recent meeting of the Twin Cities Chapter of the Society for Corporate Governance, Dorsey’s Bob Cattanach shared details on California’s Consumer Privacy Act – or as he called it, “the single most difficult cyber development in the US over the last decade.”

With the legislation set to become effective next January, Bob & other litigators are predicting a surge in class actions for companies that do business in that state. That’s because the provision that allows consumers to recover up to $750 in damages per incident makes it much easier to show that the breach caused injury (and as this Womble Bond Dickinson chart says, a pending amendment may even allow consumers to sue for violations other than data breaches). So plaintiffs’ firms are lining up – and there’s reason to think twice about automatically treating any cyber incident as a “breach,” before you’re certain that breach notification & disclosure requirements have been triggered.

Bob noted that practicing mock breach scenarios under your “incident response plan” is now all the more important. With so much more soon to be at stake, you will need to anticipate the challenges of assessing your many overlapping disclosure obligations, and the likely lack of sufficient & reliable information necessary to make decisions under increasingly shortened time periods, in advance.

For more details on California’s law – and similar legislation that is cropping up in other states – check out the memos in our “Cybersecurity” Practice Area

Cyber Breach Disclosure: 90% of Incidents Aren’t “Material”?

One of the many things that makes cyber breach disclosure a tricky issue is that the market can get info from notices that are required by state law, even if a company doesn’t disclose the incident in a press release or 8-K. Last summer, I blogged that SEC Commissioner Rob Jackson was concerned that this creates an opportunity for “arbitrage” – and market overreactions.

Disclosure of cyber incidents seems to be trending up, but it’s still rare. That’s according to this WSJ article, which says that Rob is still focused on the issue – and that he thinks companies might benefit from a bright-line disclosure rule. According to his latest research, 10% of known cyber incidents were disclosed in SEC filings in 2018. That compares to 3% in 2017, before the SEC issued its disclosure guidance.

Consistent with those findings, this Audit Analytics blog reports that 121 breaches were disclosed in SEC filings last year – compared to the thousands of breaches & “incidents” identified in Verizon’s latest “Data Breach Investigations Report.” Audit Analytics also found that it takes companies a little over a month to discover a breach and another 4-6 weeks to report it – i.e. 2-5 months between the time of the initial breach and the time of disclosure – and companies vary widely in the level of detail they disclose about the breach.

Meanwhile, this blog says that the SEC’s Enforcement Division remains focused on cybersecurity controls & inadequate disclosure. Relevant factors for investigations include “how the information was accessed, whether there were sufficient walls in place, when the company knew about the intrusion, what the company did in response to the intrusion, and when the company came forward.”

Cybersecurity: When the Threat Comes From Inside

A significant number of cybersecurity incidents & breaches are the result of “privilege misuse” by employees and independent contractors, according to Verizon’s 11th annual “Data Breach Investigations Report.” It also says that “miscellaneous errors” are the second-most common cause of breaches! Hacks can happen if an employee or director is using a personal email account to send confidential documents, or faxing information to an unconfirmed number.

This “Insider Threat Report” – also from Verizon – suggests ways to minimize these internal risks through internal controls. The report’s sample fact patterns could serve as “table top exercises” to help you simulate all of the issues that arise when a data breach happens – including the need to make disclosure & insider trading decisions. Note that Verizon recommends limiting employee access to sensitive data (pg. 9), which is a step some companies are also taking to prevent insider trading. Also see this blog about how law firms can help clients address the risk of internal threats.

Liz Dunshee

June 7, 2019

Audit Committees: PCAOB Guidance on Auditor Independence Communications

PCAOB Rule 3526 requires auditors to communicate with audit committees concerning relationships that might impact their independence.  Last week, the PCAOB issued guidance concerning the communications that are required under this rule when the auditor identifies one or more violations of applicable independence rules – but doesn’t think the violations disqualify it from continuing to serve as the auditor.  The PCAOB also issued this summary of the guidance. This excerpt from the guidance document details the disclosures required by the rule:

The Firm would comply with Rule 3526 by:

a. summarizing for the audit committee each violation that existed during the year;

b. summarizing for the audit committee the Firm’s analysis of why, for each violation and notwithstanding the existence thereof, the Firm concluded that its objectivity and impartiality with respect to all issues encompassed within its engagement had not been impaired, and why the Firm believes that a reasonable investor with knowledge of all relevant facts and circumstances would have concluded that the Firm was capable of exercising objective and impartial judgment on all issues encompassed within the Firm’s engagement;

c. if more than one violation existed during the year, providing to the audit committee a separate analysis of why, notwithstanding all of the violations taken together, the Firm concludes that its objectivity and impartiality with respect to all issues encompassed within its engagement has not been impaired, and why the Firm believes that a reasonable investor with knowledge of all relevant facts and circumstances would conclude that the Firm was capable of exercising objective and impartial judgment on all issues encompassed within the Firm’s engagement;

d. engaging in dialogue with the audit committee regarding the violation(s) and the Firm’s related analyses (as described in (a)-(c) above);

e. documenting the substance of the Firm’s discussion(s) with the audit committee (as described in (d) above); and

f. affirming in writing to the audit committee that, except for the violation(s) expressly identified, the Firm would be independent in compliance with Rule 3520.

In a nutshell, the auditor must consider the impact of the violation or violations on its objectivity and impartiality. It then communicates that analysis to the audit committee, which makes its own decision about whether to continue to retain the audit firm.

There are several other components to the guidance, and one of the more interesting is the PCAOB’s view that in this situation, the auditor “should not state in its required annual affirmation that the auditor is independent, but instead indicate that the auditor would be independent except for the violation or violations that it has identified and discussed with the audit committee.”

However, the auditor may issue its report without altering the required title: “Report of Independent Registered Public Accounting Firm.” The PCAOB views this as stating a legal requirement, and not a specific assertion of compliance with the applicable PCAOB rule.

Internal Controls: More ICFR Risk Factors in Wake of SEC Enforcement Action

I’ve blogged a few times (here’s the most recent) about the SEC’s enforcement action against a handful of companies that couldn’t get their acts together when it came to addressing material weaknesses in ICFR. Now, this Audit Analytics blog says that some companies with material weakness disclosures extending over multi-year periods are including “Risk Factor” disclosure specifically addressing the risk of SEC enforcement resulting from their inability to resolve those issues.

This excerpt suggests that we’re likely to see more disclosure along these lines as the year progresses:

It appears public companies are taking notice of the SEC’s January statement that merely disclosing ICFR material weakness is not enough. This year we may see more companies disclose ineffective controls, and this is meaningful because of the SEC’s scrutiny.

In conclusion, analysts and investors need to be on guard for more companies disclosing material weakness with ICFR. Further, they need to consider that admission of weak internal controls doesn’t necessarily mean 2018 was the first year the firm had problems. It’s possible historical filings could show years of ineffective ICFR.

Transcript: “How to Handle an SEC Enforcement Inquiry Now”

We have posted the transcript for our recent webcast: “How to Handle an SEC Enforcement Inquiry Now.”

John Jenkins