December 17, 2020

SEC Adopts “Resource Extraction” Disclosure Rules

At an open meeting yesterday, the SEC adopted final rules that will require public “resource extraction” issuers to disclose payments made to the US federal government or foreign governments, if the company engages in the commercial development of oil, natural gas, or minerals. After some drama in which Congress disapproved the SEC’s 2016 rulemaking on this topic, the current iteration is based on a 2019 proposal and implements Section 13(q) of Exchange Act, which was added by Dodd-Frank a decade ago. All of the SEC Commissioners, including Chair Jay Clayton, released their own statements about the final rules.

Although the final rules will be effective 60 days after publication in the Federal Register, there’s a two-year transition period before companies will be required to submit a Form SD with this info. And unlike the “conflict minerals” Form SD that is due by May 31st of each year for all companies, this one will be due within 270 days of each company’s fiscal year end. So for calendar-year companies, the first report will likely be due at the end of September 2024. The SEC also issued this order to recognize that a company that meets resource extraction payment disclosure requirements in the EU, UK, Norway or Canada would satisfy the Section 13(q) “alternative reporting” requirements.

Here are other highlights from the SEC’s press release – and we’ll also cover these new rules during our upcoming webcast, “Conflict Minerals & Resource Extraction: Latest Form SD Developments”:

– Require public disclosure of company-specific, project-level payment information;

– Define the term “project” to require disclosure at the national and major subnational political jurisdiction, as opposed to the contract, level, recognizing that more granular contract-level disclosure could be used to satisfy the rule;

– Add two new conditional exemptions for situations in which a foreign law or a pre-existing contract prohibits the required disclosure;

– Add a conditional exemption for smaller reporting companies and emerging growth companies;

– Define “control” to exclude entities or operations in which an issuer has a proportionate interest;

– Limit the liability for the required disclosure by deeming the payment information to be furnished to, but not filed with, the Commission;

– Add relief for issuers that have recently completed their US IPOs; and

– Extend the deadline for furnishing the payment disclosures.

Cyber Insurance: Claims Starting to Show “Covid-19” Impact

Over the past 5 years, companies’ average cost of cyber crime has increased 72% – to $13 million – and the average number of security breaches has increased by 67%. That’s according to this 14-page summary of cyber trends from Allianz – which, not surprisingly, explains that the work-from-home environment is heightening cyber risks. It also says hackers are selling high-end malware and tools to other attackers – so companies need to be on alert for sophisticated schemes.

That advice was underscored earlier this week when news broke about a cyberattack at SolarWinds and FireEye. This CNBC article says that SolarWinds’ stock dropped 23% after the hack was announced – not a position in which any company wishes to find itself – and a few people are also now questioning recent stock sales by some large investors of that company.

Our friend Melissa Krasnow of VLP Law Group noted that the incident highlights the need to double down on vendor management processes & agreements for privacy and data security provisions, to make sure that incident response plans and business continuity plans are in place and up-to-date, and to keep using tabletop exercises to spot weaknesses and craft responses.

Here’s more detail from the Allianz report:

Through 2020, malware and ransomware incidents have already increased by more than a third, at the same time as a 50%+ increase in phishing, scams, and fraud, according to international police body, INTERPOL. The rush to adopt new cloud systems and remote access solutions, has also driven up the number of data breaches. Over a four-month period, some 907,000 spam messages, 737 incidents related to malware and 48,000 malicious URLs – all of them in relation to coronavirus– were detected by one of INTERPOL’s private sector partners.

Business email compromise schemes (see page 7) are likely to increase further with the shift in the business landscape to remote working and the economic downturn, along with damage costs from phishing scams, ransomware attacks and insecure remote access to networks. Coronavirus-themed online scams and phishing campaigns which aim to take advantage of public concern about the pandemic are unlikely to dissipate anytime soon.

The pandemic will also have a long-term impact as companies increasingly digitalize, work remotely and rely more on online sales in response, meaning cyber risks will evolve in different shapes and forms.

Farewell to Paul Sarbanes

Paul Sarbanes, the 5-term U.S. Senator from Maryland who co-wrote the Sarbanes-Oxley statute, passed away last week at the age of 87. John, Broc and I reminisced about the landmark law a few years ago on the 15th anniversary. Here’s an excerpt from Mr. Sarbanes’ NYT obituary:

While other members of Congress pursued the Enron scandal with splashy televised hearings and spirited denunciations, Mr. Sarbanes approached it by holding 10 thorough hearings to get widespread expert advice on what corrective legislation should include.

Initially opposed by many Republicans and by the powerful lobbying of the accounting industry, the measure eventually passed 97 to 0 in the Senate after another accounting failure, at WorldCom, had sent the stock market plunging.

Mr. Sarbanes saw his career as having “bookends,” as he put it in an interview for this obituary in 2013: It began in 1974 with his role in the impeachment proceedings against President Richard M. Nixon and closed with the accounting law.

Liz Dunshee