More than one-third of organizations worldwide have experienced a ransomware attack or breach in the last year, according to a survey announced recently by International Data Corporation. Thankfully, the incident rate is much lower in the US compared to the rest of the world – and the survey found that companies that are further along with their digital efforts are less likely to experience an event. That said, another attack on a sophisticated US company was also in the news earlier this month. The press release lays out some of the survey’s key findings:
– The incident rate was notably lower for companies based in the United States (7%) compared to the worldwide rate (37%).
– The Manufacturing and Finance industries reported the highest ransomware incident rates while the Transportation, Communication, and Utilities/Media industries reported the lowest rates.
– Only 13% of organizations reported experiencing a ransomware attack/breach and not paying a ransom.
– While the average ransom payment was almost a quarter million dollars, a few large ransom payments (more than $1 million) skewed the average.
Greater awareness of ransomware incidents has prompted organizations to undertake a variety of actions in response. These include reviewing and certifying security and data protection/recovery practices with partners and suppliers; periodically stress-testing cyber response procedures; and increased sharing of threat intelligence with other organizations and/or government agencies. Greater incident awareness has similarly prompted requests from boards of directors to review security practices and ransomware response procedures.
To help stem the tide of ransomware incidents, agencies across the US government have launched StopRansomware.gov – a “one-stop shop” for individuals and businesses to find the latest alerts & resources about attacks and how to report them. Here’s an excerpt from the DOJ’s announcement:
Ransomware is a long-standing problem and a growing national security threat. Tackling this challenge requires collaboration across every level of government, the private sector and our communities. Roughly $350 million in ransom was paid to malicious cyber actors in 2020, a more than 300% increase from the previous year. Further, there have already been multiple notable ransomware attacks in 2021, and despite making up roughly 75% of all ransomware cases, attacks on small businesses often go unnoticed.
Like most cyber attacks, ransomware exploits the weakest link. Many small businesses have yet to adequately protect their networks, and StopRansomware.gov will help these organizations and many more to take simple steps to protect their networks and respond to ransomware incidents, while providing enterprise-level information technology (IT) teams the technical resources to reduce their ransomware risk.
DHS, DOJ, the White House and our federal partners encourage all individuals and organizations to take the first step in protecting their cybersecurity by visiting StopRansomware.gov.
Yesterday, the SEC announced a $6 million settlement with a company that allegedly reported inflated earnings per share for several quarters, which caused the company to meet analysts’ consensus estimates when it otherwise would’ve missed. It sounds like the fine could’ve been worse – the order calls out the company’s cooperation and prompt remedial acts. The SEC also charged the company’s CFO & controller.
According to the SEC’s order, the problem arose in part out of the company’s failure to record & disclose litigation-related loss contingencies in the appropriate quarters, in addition to other shortcomings in disclosure controls. Here’s an excerpt:
Had the company properly recorded the financial impact of the loss contingencies at the time they were probable and reasonably estimable, the company would have reported lower EPS and missed research analysts’ consensus EPS estimates in many of the applicable quarters, including by as little as a penny. The company also would not have been able to report multiple quarters of EPS growth, including then-record-high EPS. For the quarters when the company eventually accrued for the loss contingencies, the accruals contributed to the company’s reporting of a net loss and loss per share, or reporting EPS that missed consensus estimates by a wide margin.
Consequently, the company’s financial statements filed with the Commission were materially misleading during these periods.
This enforcement action underscores a few things. One, loss contingencies are always a tricky disclosure topic, and you should check out our “Contingencies” Practice Area and our “Legal Proceedings Handbook” for help – in addition to following your auditor’s guidance. Second, the SEC takes reporting errors particularly seriously when they make the difference between meeting or missing expectations.
Lastly, this is the third action to result from the Enforcement Division’s EPS Initiative – which, according to the SEC, “uses risk-based data analytics to uncover potential accounting & disclosure violations caused by, among other things, earnings management practices.” John blogged about the first two actions last fall.
It’s hard to believe we’ve spent only two years analyzing the decision of 200 CEOs to sign the Business Roundtable’s “Statement on the Purpose of a Corporation” – and ostensibly change life as we know it. I don’t know about you, but it feels now like I was born thinking about corporate purpose. My mom read me bedtime stories about Milton Friedman & the BRT as a child, and I used the word “stakeholder” in my wedding vows. But alas – no – it really has been only two years.
To mark the anniversary, Harvard Law Profs Lucian Bebchuk and Roberto Tallarita released this analysis of “stakeholder” companies’ governance documents, proxy statements and other statements & actions – and highlighted their findings in this WSJ op-ed last week. Here are the big takeaways:
1. Examining the almost one-hundred BRT Companies that updated their corporate governance guidelines in the sixteen-month period between the release of the BRT Statement and the end of 2020, we find that they generally did not add any language that improves the status of stakeholders and, indeed, most of them chose to retain in their guidelines a commitment to shareholder primacy;
2. Reviewing all the corporate governance guidelines of BRT Companies that were in place as of the end of 2020, we find that most of them reflected a shareholder primacy approach, and an even larger majority did not include any mention of stakeholders in their discussion of corporate purpose;
3. Examining the over forty shareholder proposals regarding the implementation of the BRT Statement that were submitted to BRT Companies during the 2020 or 2021 proxy season, and the subsequent reactions of these companies, we find that none of these companies accepted that the BRT Statement required any changes to how they treat stakeholders, and most of them explicitly stated that their joining the BRT Statement did not require any such changes.
4. Reviewing all the corporate bylaws of the BRT Companies, we find that they generally reflect a shareholder-centered view;
5. Reviewing the 2020 proxy statements of the BRT Companies, we find that the great majority of these companies did not even mention their signing of the BRT Statement, and among the minority of companies that did mention it, none indicated that their endorsement required or was expected to result in any changes in the treatment of stakeholders;
6. We find that the BRT Companies continued to pay directors compensation that strongly aligns their interests with shareholder value. Furthermore, we document that the corporate governance guidelines of BRT Companies as of the end of 2020 commonly required such alignment of director compensation with stockholder value and generally avoided any support for linking such compensation to stakeholder interests.
Our findings support the view that the BRT Statement was mostly for show and that BRT Companies joining it did not intend or expect it to bring about any material changes in how they treat stakeholders. These findings support the view that pledges by corporate leaders to serve stakeholders would not materially benefit stakeholders, and that their main effect could be to insulate corporate leaders from shareholder oversight and deflect pressures for stakeholder-protecting regulation. Stakeholder governance that relies on the discretion of corporate leaders would not represent an effective way to address growing concerns about the effects corporations have on stakeholders.
Last year, Professors Bebchuk & Tallarita released findings that they said implied CEOs didn’t intend to change anything by signing the BRT Statement, and this additional research seems to point in the same direction. That’s actually consistent with what a lot of corporate governance folks have been saying since Day 1: the debate around this is mostly semantics, since what’s good for “stakeholders” can also benefit shareholders in the long run. Even shareholders seem to be on the “stakeholder” bandwagon at the moment, and it doesn’t seem like their initial concerns of executives using this Statement to insulate themselves have come to pass.
That said, I’m not sure that corporate governance guidelines and investor-focused proxy statements give a full picture of everything that companies have been doing during the last two years. A lot of companies are adding ESG metrics to executive pay programs, enhancing website sustainability reporting, and amending board committee charters to expressly assign responsibility for things like “human capital” oversight. In this Wachtell Lipton memo, Marty Lipton elaborates on all the corporate actions that Professor Bebchuk’s analysis arguably overlooks.
Whether these efforts have trickled down to benefit stakeholders is another question. Right now, it seems good for the bottom line to consider the interests of customers, employees & communities. Bebchuk & Tallarita believe it would be better for the government to protect stakeholders than to rely on corporations to consistently do so. As Ann Lipton reminded everyone in this Tweet, this whole debate is really about management power & accountability – not stakeholders.
Companies appear to remain committed to shareholder primacy: delivering a profit to shareholders in either the short term or the long term. But is that still what shareholders want? Since shareholders aren’t a monolith, there are mixed messages.
While traditional shareholder activists still seem poised to push for maximum shareholder returns from individual companies, big asset managers and pension funds have been signaling that they’re maybe less focused these days on returns from individual companies, and more concerned with the performance of their overall portfolio. That means “ESG” performance takes on more importance, because it reduces systemic costs & risks that could result from irresponsible behavior by an individual company. Even if that company is outperforming financially, its negative actions drag down the returns for the rest of the portfolio.
This inaugural annual report from The Shareholder Commons calls that phenomenon “beta stewardship” – and it walks through shareholder engagement campaigns and proposals that are advancing the concept. It is a perspective to keep in mind during off-season engagements, and means that it’s more important than ever to monitor and understand your shareholder base. Here are some additional points from the report to know as you prepare for your next proxy season:
TSC supported 24 shareholder resolutions at 23 companies during the 2021 proxy season. One proposal was withdrawn after reaching an agreement with the company. Of the remaining 23 proposals, three received at least 10% support from shareholders, six were excluded by the Securities and Exchange Commission (SEC), and seven reached the 3% threshold necessary for us to be able to provisionally file again in 2022. The complete results of these resolutions are included in the chart on page 10.
We worked on two distinct types of shareholder resolutions:
1. Disclosure of the costs imposed by society (i.e., externalized) by a company’s contribution to specific systemic risks. These risks include antimicrobial resistance, inequality, corporate governance failures, public health threats, and inadequate voting policies.
It’s our hope that these disclosures will provide the basis for a “gap analysis,” in which companies compare their ability to reduce a negative social or environmental impact under the constraint of optimizing their internal financial returns with their ability to reduce that impact if optimizing for systemic health. The goal behind disclosure is to provide investors, regulators, and policymakers with information needed to address systemic risks and to illustrate the gap between current investment perspectives and what could be achieved under a systems-first model.
2. Conversion to a “public benefit corporation” structure. PBCs are a type of for-profit entity that allows the directors of a company to better serve the interests of diversified shareholders by prioritizing impacts on society, workers, communities, and the environment when those impacts are more likely to be important to such investors than the financial returns of that company.
We specifically targeted companies that were signatories to the Business Roundtable Statement on the “Purpose of a Corporation,” which suggested corporate America is refocusing on the interests of stakeholders. The goal behind these proposals is to demonstrate that investors can be aligned with a more stakeholder-oriented management style, but that such a re-alignment requires understanding the fiduciary duty to shareholders as encompassing the full range of their interests, including as diversified investors.
The report includes case studies of engagements on these proposals and says that TSC will continue its work in the coming year. TSC also notes that because its proposals are focused on portfolio-level effects, neither ISS nor Glass Lewis supported any of them in 2021.
Last week, United Therapeutics filed this proxy statement for a special meeting to approve the company’s conversion to a public benefit corporation. I taped a podcast earlier this year with Meaghan Nelson about Veeva Systems’ conversion.
Lynn blogged a few months ago about a change to Section 314.00 of the NYSE Listed Company Manual that was causing some hand-wringing. The new rule not only required advance approval by independent directors of “related party transactions” – it also defined that term to mean any transaction required to be disclosed pursuant to Item 404 of Regulation S-K, but without applying the $120,000 transaction value threshold of that Item. It wasn’t clear whether that meant that all transactions with related parties required advance approval, regardless of dollar value.
Late last week, the NYSE proposed an additional amendment to allow companies to continue to abide by the commonly accepted practice of applying the $120,000 transaction value from Item 404 of Reg S-K when determining whether a transaction requires review (or a lower dollar threshold, in some cases, for smaller reporting companies). While you still might need to amend your related party transactions policy to address the “pre-approval” part of the rule, the new amendment clarifies that it can stay largely aligned with the disclosure standard. This Gibson Dunn blog gives more detail:
In its latest proposal, the NYSE noted that the prior amendment had been intended to “provide greater clarity as to the types of transactions that were specifically subject to review and approval under the rule” but that “[i]n the period since the adoption of that amendment, it has become clear to the Exchange that the amended rule’s exclusion of the applicable transaction value and materiality thresholds is inconsistent with the historical practice of many listed companies, and has had unintended consequences.”
As such, the NYSE’s latest amendments to Section 314.00 “provide that the review and approval requirement of that rule will be applicable only to transactions that are required to be disclosed after taking into account the transaction value and materiality thresholds set forth in Item 404 of Regulation S-K or Item 7.B of Form 20-F, respectively, as applicable.” Notably, Item 404 of Regulation S-K only requires disclosure of transactions where the amount involved is greater than $120,000 and in which the related person “had or will have a direct or indirect material interest” in the transaction. The notes to Item 404 also contain various other exclusions.
The text of the NYSE’s latest amendment to Section 314.00 of the NYSE Manual follows (with deleted text shown in strikethrough):
A company’s audit committee or another independent body of the board of directors, shall conduct a reasonable prior review and oversight of all related party transactions for potential conflicts of interest and will prohibit such a transaction if it determines it to be inconsistent with the interests of the company and its shareholders. For purposes of this rule, the term “related party transaction” refers to transactions required to be disclosed pursuant to Item 404 of Regulation S-K under the Securities Exchange Act (but without applying the transaction value threshold of that provision). In the case of foreign private issuers, the term “related party transactions” refers to transactions required to be disclosed pursuant to Form 20-F, Item 7.B (but without regard to the materiality threshold of that provision).
The proposed rule took effect immediately, but can be suspended by the SEC within 60 days of the filing, and is open for comment for interested persons to submit written data, views, and arguments concerning the amendment. As a result of this latest proposal, NYSE-listed companies may still need to amend their related person transaction approval polices to address the “reasonable prior review” standard, but can otherwise more easily integrate the NYSE’s standards with those utilized for transactions under Item 404 of the SEC’s Regulation S-K, and have greater flexibility to establish reasonable processes for identifying and reviewing potentially disclosable transactions.
I blogged earlier this summer about a bill in the House that would require disclosure in SEC filings about tax havens & loopholes. Another bill introduced in both the House and the Senate is also aiming to amend the Exchange Act to require more detailed info about state, federal & foreign taxes paid.
This Cooley blog says that investors are split on whether “tax planning” is a good thing. The “shareholder primacy” model says that companies need to return as much money as possible to shareholders. Yet several investors signed on to support this lawmaking effort, because they’re starting to think that minimizing taxes creates reputational, customer & employee risks to individual businesses – as well as systemic risks that affect entire portfolios.
Similarly, a recent ISS ESG report suggests that a paradigm shift – from a focus on “tax burden” to a focus on “tax impact” – may be underway. Here are their views:
– Funding the Covid-19 recovery has led to a revived global debate about tax policy and rates, with 130 countries agreeing on a global minimum tax rate.
– Corporate tax avoidance is a major ESG issue, but disclosure on responsible tax practices is noticeable by its absence.
– Responsible investors are increasingly taking into account the implications of fair taxation for social issues such as global inequality, particularly given an increased focus on outcomes-based investing and stakeholder capitalism.
It seems unlikely that you’ll have to start filing a “tax report” with the SEC in the near-term – if ever. But with society’s “eat the rich” sentiments and at least some investors saying they want companies to proactively consider ESG issues, boards should probably add “public backlash” to the list of risks they consider during tax planning conversations. Also see this Accounting Today article, which predicts that a “global minimum tax” is getting more likely.
Tune in tomorrow for the webcast – “Newly Public: Building Reporting & Governance Functions” – to hear Dave Bell of Fenwick, Jared Brandman of National Vision, Courtney Kamlet of Vontier and Trâm Phi of DocuSign discuss lessons learned from their experience successfully managing the process of going through the IPO and creating processes from scratch.
If you attend the live version of this 60-minute program, CLE credit will be available! You just need to submit your state and license number and complete the prompts during the program.
Members of this site are able to attend this critical webcast at no charge. If you’re not yet a member, subscribe now. The webcast cost for non-members is $595. You can renew or sign up online – or by fax or mail via this order form. If you need assistance, send us an email at info@ccrcorp.com – or call us at 800.737.1271.
Last week, the “Alliance for Fair Board Recruitment” – a non-profit opponent of affirmative action which has also challenged California’s board diversity statutes and whose president, Edward Blum, also founded the “Students for Fair Admissions” organization that sued Harvard over allegedly discriminatory admissions processes – filed a Petition to challenge the SEC’s approval of Nasdaq’s new requirement that listed companies eventually must add at least one woman and one person from an underrepresented community to their board, or explain why they haven’t done so. In its press release announcing the move, AFBR says:
The Nasdaq rule will compel many of our nation’s largest publicly traded corporations to illegally discriminate on the basis of gender, race, and sexual orientation in selecting directors.
As AFFBR explained in a comment submitted to the SEC, Nasdaq’s discriminate-or-explain rule also exceeds its role and the authority granted by federal securities law and also violates core Bill of Rights guarantees against compelled speech and discrimination based on sex and race by stereotyping all people of the same skin color or sex as being alike and interchangeable.
Constitutional law isn’t my specialty, so here’s a CNN recap of where courts have come down on previous challenges that could be viewed as similar. This blog from Keith Bishop looks at the procedural details of AFBR’s Petition, including why it filed its claim in the federal court of appeals instead of a district court.
This clearly isn’t Blum’s first rodeo. Courts haven’t agreed with him yet, but he’s attempting to take the Harvard case to the Supreme Court. For now, Nasdaq-listed companies should still plan to comply with the exchange’s matrix disclosure requirement next year and the initial phase of the “comply or explain” board composition requirement by the following year.
The weekend edition of the NYT Dealbook took a deep dive into the SPAC revolution – and notes that we may start seeing a new type of blank-check entity called a SPARC (special purpose acquisition rights company). A SPARC is basically a SPAC that just gives investors a right to buy shares down the road when a merger target is announced, rather than putting money in up front. It also sounds like a character in a Dr. Seuss book. Anyway, all of this was a follow-on to the supposed troubles that Bill Ackman’s SPAC is facing, which John blogged about last week on DealLawyers.com. Here’s what John wrote:
The world’s largest SPAC, Pershing Square Tontine Holdings, has been named as a defendant in a shareholder derivative lawsuit filed by, among others, former SEC Commissioner Robert Jackson and Yale Law Prof. John Morley. In a nutshell, the complaint alleges that PSTH is an unregistered investment company, and that as a result, the goodies that flow to insiders under the typical SPAC structure – specifically, sponsor & director warrants – represent unlawful compensation under the Investment Company Act.
Much of the media appears to be reporting the story like its hair is on fire. Here’s an excerpt from the NY Times DealBook that makes it sound like this lawsuit could, if successful, result in “SPACmageddon”:
If the suit succeeds, it could make professional investors who have found SPACs attractive wary of potential legal challenges, chilling the market. Proving damages will be difficult because the Universal Music deal was scrapped. But more important, perhaps, the case attempts to address underlying issues about the motivations of some SPAC sponsors. And its analysis of the meaning of investing in securities — part of any M.&A. deal — raises existential questions about the purpose and treatment of SPACs in general.
I think that DealBook has a point about the difficulty of proving damages, but although I’m no 1940 Act guru, it seems to me that the plaintiff may have bigger problems than that. Here’s why – all of the allegations in the complaint seem to depend upon the court concluding that PSTH should be registered under the Investment Company Act. But the problem is that there’s an exemption from that statute that this SPAC & every other one has been structured to fit into. This Mayer Brown memo explains:
The structure of a SPAC’s trust account is designed to avoid the SPAC being classified as an “investment company” under the Investment Company Act of 1940, as amended (the “Investment Company Act”). Following its IPO, a SPAC is typically required to invest the IPO proceeds held in trust in either government securities or in money market funds that invest only in government securities.
By doing so, a SPAC may rely on Rule 3a-1 under the Investment Company Act, which excludes companies with no more than 45% of the value of its total assets consisting of, and no more than 45% of the issuer’s net income after taxes deriving from, securities (excluding government securities). There are also no-action letters in which the SEC Staff concurs with the view that securities in certain money market funds also can be excluded from these calculations.
The complaint says that “an Investment Company is an entity whose primary business is investing in securities. And investing in securities is basically the only thing that PSTH has ever done. From the time of its formation, PSTH has invested all of its assets in securities.” What kind of securities has it invested in? Again, here’s what the complaint says: “The Company’s agreement with its trustee specified the money was to be “invested only in U.S. Treasury obligations with a maturity of 180 days or less or in money market funds . . . which invest only in U.S. Treasury obligations.”
So, the complaint appears to allege that PSTH is an investment company because it – like every other SPAC – has invested the proceeds of IPO in exactly the type of securities that would permit it to rely on the exemption provided by Rule 3a-1 of the Investment Company Act. This excerpt from a CNBC article on the lawsuit makes it clear that this point wasn’t lost on Pershing Square:
A spokesperson at Pershing Square said the complaint bases its allegations, among other things, on the fact that PSTH owns or has owned U.S. Treasurys and money market funds that own Treasurys, as do all other SPACs while they are in the process of seeking an initial business combination. “PSTH has never held investment securities that would require it to be registered under the Act, and does not intend to do so in the future. We believe this litigation is totally without merit,” the spokesperson said.
Like I said, this isn’t my area of expertise, so there may well be depths to this complaint that I haven’t fathomed. After all, this just can’t be that simple, right? I mean, there are some pretty serious folks on the pleadings. Maybe this case will turn out to have some traction. If so, then it may well toss a rather large monkey wrench in the works of the increasingly troubled SPAC boom. But at this stage, I think the media should stop hyperventilating.