TheCorporateCounsel.net

Monthly Archives: August 2021

August 17, 2021

Hypothetical Cyber Risks: SEC Enforcement Gives a Million Dollar Reminder

Yesterday, the SEC announced a $1 million settlement related to “cyber breach” risk factor disclosures and inadequate disclosure controls & procedures. Here are more details:

The SEC’s order finds that Pearson made misleading statements and omissions about the 2018 data breach involving the theft of student data and administrator log-in credentials of 13,000 school, district and university customer accounts. In its semi-annual report, filed in July 2019, Pearson referred to a data privacy incident as a hypothetical risk, when, in fact, the 2018 cyber intrusion had already occurred. And in a July 2019 media statement, Pearson stated that the breach may include dates of births and email addresses, when, in fact, it knew that such records were stolen, and that Pearson had “strict protections” in place, when, in fact, it failed to patch the critical vulnerability for six months after it was notified.

The media statement also omitted that millions of rows of student data and usernames and hashed passwords were stolen. The order also finds that Pearson’s disclosure controls and procedures were not designed to ensure that those responsible for making disclosure determinations were informed of certain information about the circumstances surrounding the breach.

The Pearson action is the second cyber-related settlement out of the Enforcement Division’s Cyber Unit since mid-June. At that time, the Commission settled charges relating to alleged failures in disclosure controls & procedures, which resulted in management lacking the info they needed to make accurate disclosures. Just a few days later, the Enforcement Division initiated information requests relating to the SolarWinds cyberattack. So far, the dollar values of the settlements aren’t huge – but they’re sending a message: be transparent with your disclosures.

If you missed yesterday’s blog, I highlighted sample cyber disclosures – and insider trading considerations. Meredith reminded listeners during our recent webcast that if you have a cyber breach, you don’t just need to close your window, you also need to lock all the doors. The point is, take it seriously. The Enforcement Staff may not be cutting much slack. As always, we’ll be posting memos about the enforcement action and disclosure & governance considerations in our “Cybersecurity” Practice Area.

Liz Dunshee

August 17, 2021

Nasdaq’s Board Diversity Rule: Updated FAQs Emphasize Matrix Disclosure Is Required Next Year

We’ve been posting a ton of good memos in our “Nasdaq” Practice Area about the new listing rule that will require listed companies to:

1. Annually provide matrix (or substantially similar) disclosure of board diversity characteristics in the company’s proxy, Form 10-K or on the website, and

2. “Comply or explain” in regards to a new board composition requirement to have at least two “diverse” directors, including one director who self-identifies as female and one who self-identifies as an “underrepresented minority” or part of the LGBTQ+ community

If you’re trying to sort through when exactly you’ll be required to comply with these requirements and whether you’re subject to any exemptions, you’d do well to keep an eye on Nasdaq’s FAQs – which, as our friends at Goodwin pointed out, are now in their third or fourth iteration since the rule was approved. The FAQs:

– Emphasize that companies need to make the initial matrix disclosure in 2022:

If a company files its 2022 proxy BEFORE August 8, 2022 and DOES NOT include the Matrix, then the company has until August 8, 2022 to provide the Matrix.

If a company files its 2022 proxy ON or AFTER August 8, 2022, then it must either include the matrix in its proxy or post the Matrix on its website within one business day of filing its proxy.

If a company only posts the Matrix on its website, then the company has until August 8, 2022 to provide the Matrix. Companies that elect to provide the Matrix on their website must also complete a short form through the Listing Center that includes the URL link to the disclosure.

– Continue to say that companies have until August 7th, 2023 to have at least one “diverse” director on the board (or explain why they don’t) – and a longer transition period for having two diverse directors

– Continue to explain the flexibility for smaller reporting companies, the SPAC exemption, etc.

Nasdaq has also invited listed companies to a series of webcasts – including one at noon eastern today – to help companies understand the listing rules and access free board recruiting services. The webcasts are also available for replay.

Liz Dunshee

August 17, 2021

Joe Brenner to Depart SEC Enforcement Division

Last week, the SEC Commissioners issued this joint statement to thank Joe Brenner for 10 years of service as the Enforcement Division’s Chief Counsel – where he advised the Director of Enforcement as well as the Staff on investigations and recommendations to the Commission. Previously, Joe had been a Partner at Wilmer Hale.

Liz Dunshee

August 16, 2021

Human Capital Disclosures: Responses to Corp Fin Comments

Although the SEC hasn’t defined “human capital,” it does require companies to provide info about those resources, to the extent that info is material to the business as a whole. Staff comment letters & revised company disclosures can help us understand what Corp Fin is looking for – or at least what the Staff has flagged as potentially inadequate.

This Bass Berry blog does a nice job of outlining comment letter trends. They note that most of the comment letters so far are on registration statements, not Form 10-Ks. Here’s an excerpt:

As reflected in the underlying data chart, the SEC Staff’s comment on the human capital disclosures often simply cited the new regulation without any further explanation or guidance. However, an analysis of the revised filings by the registrants in response to the SEC Staff’s comments shines more light on the SEC’s expectations, or at least how registrants interpreted the requirements. While there were broad differences in which and how many human capital metrics companies disclosed, the following were the most common:

– Number of employees.

– Geographical distribution of employees.

– Breakdown of types of employees (e.g., full-time, part-time, seasonal).

– Steps taken to identify, recruit, and retain new and existing employees.

– Commitments to diversity and inclusion.

– Whether employees are represented by a labor union or covered by a collective bargaining agreement.

– Status of the company’s relationship with employees (e.g., good, satisfactory).

– Employee incentives and benefits (e.g., insurance packages, stock-based compensation awards, cash-based performance bonus awards).

– Employee learning/development/training programs.

– Core values (e.g., learning, development, inclusion, diversity, teamwork).

– Social impact and social justice initiatives.

– Impact of and response to the COVID-19 pandemic.

– Employee safety measures.

– Diversity statistics.

– Use of employee engagement surveys.

It is clear from our review that human capital disclosures are individualized and industry-dependent. Most filings addressed only a few of these subjects. Companies also varied in taking a qualitative or quantitative approach in response to comments, but the general theme is that quantitative information was typically not provided in the response, and, if it was, the information related to diversity statistics.

Liz Dunshee

August 16, 2021

Sample Cyber Disclosures: Location & Language

This 20-page Mayer Brown memo looks at where cyber disclosures are appearing – and what they’re saying. Samples include:

– Risk Factors: “general” cyber risk disclosures, risks specific to e-commerce, disclosures that cover the intersection of cybersecurity and data privacy, and disclosures about actual or known breaches.

– Description of Business: “general” disclosures, financial services industry, actual or known breaches, and ongoing litigation about breaches.

– MD&A: “general” disclosures, risk management, actual or known breaches, internal controls or material weaknesses from failure to address cyber risks, ongoing litigation about breaches.

The memo suggests ways to improve your required cyber disclosures – including consideration of whether to disclose the costs of managing & combating risks, and how to balance the need to make specific disclosures with the need to safeguard sensitive info.

I blogged a few months ago about the idea of using “risk ratings” to help convey the appropriate level of information. ISS Corporate Solutions has now also announced that it’ll be making its Cyber Risk Scores available on OneTrust Vendorpedia – so these scores might start to get more use.

Liz Dunshee

August 16, 2021

Transcript: “Insider Trading Policies & Rule 10b5-1 Plans”

We’ve posted the transcript from our recent webcast for members, “Insider Trading Policies & Rule 10b5-1 Plans.” Meredith Cross of WilmerHale, Alan Dye of Hogan Lovells and Section16.net, Dave Lynn of Morrison & Foerster and TheCorporateCounsel.net, and Haima Marlier of Morrison & Foerster covered these topics:

1. The New Enforcement Environment (including Focus on Rule 10b5-1 Plans)

2. Rule 10b5-1 Plan Considerations for Share Buybacks

3. Intersection of Insider Trading Policies & Rule 10b5-1 Plans

4. Pre-clearance Procedures and Blackout Period Trends

5. Pledging, Hedging & Short-Selling Transactions

6. Cybersecurity & Other Materiality Considerations

7. Latest Developments with Compliance Training

8. Defending an Insider Trading Action

Liz Dunshee

August 13, 2021

Board Governance: Nominating & Governance Committee Priorities

A recent Spencer Stuart Survey of nominating/governance committee chairs sheds some light on their priorities during the current year. In early 2021, the firm surveyed 77 committee chairs to find out what this year’s “top of mind” issues are, how their recruitment efforts have changed, and where the composition of their boards is headed. Here are some of the highlights:

– The top five governance priorities reported by survey respondents were enhancing ESG oversight (69%), enhancing racial and ethnic diversity (44%), developing a board succession strategy (39%), enhancing board effectiveness (38%) and overseeing company-wide DEI efforts (36%).

– The top five recruiting priorities reported by survey respondents were adding directors from an underrepresented group (58%), directors with global perspectives & experiences (43%), directors with technology expertise (40%), directors with financial expertise (39%) and directors with operational expertise (38%).

– Interestingly, gender diversity, which was last year’s fourth most highly rated governance priority, did not crack this year’s top five. In terms of recruiting profiles, the survey says it fell from 3rd place to 10th.

– The number of respondents reporting that their board had underperforming directors dropped from 35% in 2020 to 18% this year.

Many commenters have expressed concern about the ability of companies to identify qualified directors from underrepresented groups, but 83% of the committee chairs surveyed reported no issues with recruiting directors with diverse backgrounds.

John Jenkins

August 13, 2021

D&O Insurance: Coverage for Covid-19 Investigations? It’s Complicated

Earlier this year, the DOJ announced the formation of a “Covid-19 Fraud Enforcement Task Force.” The task force is a joint effort between DOJ & other governmental agencies, and Attorney General Garland promises that it “will use every available federal tool—including criminal, civil, and administrative actions—to combat and prevent Covid-19 related fraud.”

This Woodruff Sawyer blog says that the task force is likely to result in a full-court press targeting potential fraud by recipients of government funds in pandemic-related programs. That likely means that many companies are going to be subjected to probes by the DOJ or other agencies looking for potential violations of the False Claims Act (FCA). These investigations may be disruptive, but at least you can count on your D&O policy to pick up the tab, right? Well, as this excerpt from the blog explains, the answer is complicated:

One area of frustration for many companies will be the lack of response from a D&O insurance policy for governmental investigations of corporate entities. While some D&O insurance policies may provide limited coverage for the governmental investigation of a corporate entity, this is increasingly unusual. As a result, very large legal fees for these investigations are likely to fall on the corporation.

D&O insurance policies, on the other hand, may respond to defend individuals who are the target of government enforcement actions. However, this coverage is typically only available after the government has made it very clear whom they are pursuing, something that often happens quite late in an investigation process.

Having said that, some policies provide limited coverage for “pre-claim inquiries.” This means insurance coverage for legal counsel for individuals asked to respond to government subpoenas. The cost of document production for documents under the control of the company, however, is typically not covered by D&O insurance.

If there is an FCA investigation that, when disclosed, causes your company’s stock price to fall, you can typically expect to be able to rely on your D&O insurance. A modern D&O insurance policy usually covers a securities claim or a breach-of-fiduciary-duty suit related to disclosure concerning the government investigating the company under the FCA. However, the insurance would not cover any settlements with the government. This is because Side C of the D&O insurance policy only covers securities claims. An FCA claim is not a securities claim.

The blog also points out that most D&O policies have an exclusion for claims involving intentional fraud, and that fines and penalties are typically excluded from coverage. Even if coverage is potentially available, the blog provides a reminder that government agencies often demand that companies and individuals forgo any insurance or rights to indemnification when settling with the government.

John Jenkins

August 13, 2021

Dog Days of August: Time for a Wu-Tang Clan Check-In

August is always a strange “either/or” month – either nothing happens in the financial markets or something apocalyptic happens. I guess we’re fortunate that, so far at least, this August seems to have fallen into the former category. But that doesn’t help me out, because I’ve still got to come up with 3 blogs a day, and all the newsmakers are at the beach.

I was getting a little desperate to find a third blog for this morning when it occurred to me that it’s been several months since I took a look at what the Wu-Tang Clan has been up to. Last time we checked in with them, the guys were getting into the non-fungible token game. At the time, it was a group effort, but according to this Rolling Stone article, Method Man now has a solo NFT project going:

Method Man is launching his own comics universe, titled Tical World, via NFT. The first installment of the rapper’s anthology series, “Part 1: The Origin,” features original characters, animations, artwork, apparel, and unreleased music available for sale as NFTs.

This includes a Killa Beez-inspired original artwork signed by Method Man and New York artist Alex Smetsky; a 3D-enabled digital animation depicting the origin story of Tical World; an unreleased audio recording with music and lyrics by Method Man; the sole copies of the first artistic renderings of the Tical World characters; and a gold VIP card for Tical Athletics, Method Man’s athleisure line. Tical World also represents the first “community owned crypto-characters” to use Flow Blockchain, developed by Dapper Labs and secured by the patented TuneGO Vault.

I don’t understand very much of the excerpt I just quoted, but whatever he’s doing sure sounds pretty cool. In other Wu-Tang Clan news, the U.S. government sold the only copy of the group’s “Once Upon a Time in Shaolin” album that it confiscated from the previous owner, fraudster Martin Shkreli, and the second season of “Wu-Tang: An American Saga” is set to premiere on Hulu on Sept. 8th.

Okay, my work here is done – now I just have to figure out what I’m going to do over on the DealLawyers.com Blog.

John Jenkins

August 12, 2021

Whistleblower Hoax: Mystery Solved?

Our friends at WilmerHale tipped us off to this email message, which purports to be from the author of the hoax whistleblower emails received by a number of public companies over the past few months. The message says that the false reports were part of a research project led by a PhD student at the National University of Singapore. What’s this research project all about? This excerpt will give you the gist of its supposed purpose:

The purpose for the investigation was to see whether firms responded differently based on the identity of the sender and the route of the plane we send seemingly identical messages from both customers and employees raising concerns ranging from alleged bribery fraud and accounting mistakes. we varied the email to suggest that in some claims firms are perhaps benefiting from the alleged misbehavior whereas in others it is completely to their detriment.

We then compared the differences in response time the quality of the response and the language used. Importantly throughout our experiment, we’ve made sure no real names are used to not harm any real employee. The claims brought forth were completely fictitious and deliberately did not bare enough details to necessitate the launch of an investigation. Once the claim was made, we’ve only recorded your initial response and did not pursue the matter any further. Thereby interfering with your day-to-day business as little as possible.

Don’t you just love that these experts on the workings of U.S. public company whistleblower programs blithely state that their deception “did not bare enough details to necessitate the launch of an investigation”? Then they have the gall to pat themselves on the back for structuring their charade to “interfer[e] with your day-to-day business as little as possible.” If you ask me, there’s enough self-serving manure in this explanation to fertilize Nebraska.

There’s always the possibility that this communication is itself another hoax (it comes from a gmail account, not a university address). If it is, then the plot has thickened considerably. On the other hand, if it is legitimate, it’s either the most disingenuous CYA attempt I’ve ever read or an admission of breathtaking recklessness on the part of everyone involved in signing off on this research project.

I’d be willing to wager that the aggregate fees and expenses recipient companies incurred in determining whether and how to investigate these false whistleblower allegations are easily in the hundreds of thousands of dollars. The cost could be even higher once you factor in the cybersecurity concerns raised after companies realized this was a hoax. The email says that companies are “free to withdraw their data” from the study, but must let the researchers know within a month. Frankly, if I received this, the only thing I’d be tempted to send to these folks within a month is an invoice.

If you do choose to reach out to the researchers, it’s probably best to contact the university by means of a hard copy letter, given the potential concerns about the authenticity of the email & the possibility that we might still be dealing with some kind of elaborate phishing scheme.

John Jenkins