I’ve been hearing some pushback from the securities law community about the need for so-called 10b5-1 “reform.” Here are some of the pointed questions that people are asking me and each other:
– Where are the SEC cases against insiders for entering into these plans when they are tainted with MNPI – which would violate the 10b5-1 safe harbor requirements?
– Why are we all jumping on the “10b5-1 reform” bandwagon when the SEC itself hasn’t found evidence of wrongdoing with these plans — as is evidenced by the dearth of enforcement cases?
– Why are we letting academic studies not supported by any meaningful SEC enforcement demonize 10b5-1 plans that have been used by individuals looking to do the right thing re: portfolio diversification and by companies looking to do the right thing by returning value to stockholders via stock buyback programs?
On a related note, some securities law practitioners are also starting to take issue with the terminology of so-called “cooling off” periods – and refer to them as, more accurately, “just in case I’m tainted” provisions. Said differently, what are insiders “cooling off” from? Being ice cold regarding MNPI on 10b5-1 execution date? It’s not universal, but some in-house folks view this as a biased and inaccurate term and are concerned that it is coloring public perceptions.
– Liz Dunshee
Ransomware attacks are getting more common – and responding to them is getting more difficult in light of attackers’ new techniques and regulators taking steps to discourage companies from paying. That’s according to this Milbank memo, which also points out that responding to these incidents continues to be a board issue because of the business & legal risks. In order to navigate these risks, board advisers need to have a high-level understanding of the issues and the response plan.
The memo delves into three assessments that could affect how to respond. Here’s an excerpt:
The fact that paying the ransom is not illegal in and of itself does not make deciding whether to pay any less difficult. Planning how to make that decision is key. Companies and their boards that have methodically pre-identified important factors in paying the ransom will be prepared to pragmatically and decisively address the problem when it arises. We recommend three assessments for victim companies deciding whether to pay: (i) the value of the breached data in light of modern ransomware attacks; (ii) the risks from paying the ransom; and (iii) negotiation and payment options.
On the first prong of evaluating whether paying the ransom makes sense because of the value of the stolen data, the memo suggests considering whether the captured data has been backed up or can be rebuilt, whether there are publicly available data keys that can decrypt locked data, and whether the company will face legal or regulatory claims, or reputational and relationship issues, if the stolen data is released to the public.
– Liz Dunshee
I’m thrilled to announce that we’ve made two great additions to our team:
Julie Gonzales has joined us as an Associate Editor after spending 16 years at a publicly traded company in the oil & gas industry, including as the Stock Plan Administrator, Corporate & Securities Paralegal and Assistant Corporate Secretary. Julie can be reached at email@example.com.
Emily Sacks-Wilner is our newest Editor. Emily has spent time in fintech and at large firms, working closely with public companies and pre-IPO companies on numerous equity offerings, periodic SEC filings, M&A and corporate governance matters. Emily has also served as in-house M&A counsel for an S&P 500 company. She can be reached at firstname.lastname@example.org – and will be joining our blogging lineup soon!
Emily & Julie both bring tons of practical experience and have jumped in with very helpful contributions to our resources. I’m excited for you to get to know them. Feel free to drop them a welcome note!
– Liz Dunshee
The PCAOB recently published this 14-page summary of observations on its 2020 inspections of public accounting firms. The report highlights obstacles & good practices at audit firms, which can be helpful for audit committees to know when they’re engaging & overseeing auditors. Here’s one takeaway that’s good if you’re using a firm that’s inspected annually (which are listed on this page):
For the majority of the annually inspected audit firms, we identified fewer findings in 2020 compared to our 2019 inspections. In our triennially inspected audit firms, some improvements were noted, although deficiencies continue to remain high.
The report says that revenue recognition remains an area with room for improvement – so expect auditors to continue to be very focused on that. And, if your company has experienced a cybersecurity incident, the ICFR impact of that is going to get a second look during an inspection:
We continue to review audits of public companies that experienced a cybersecurity incident during the audit period. We observed in our reviews how the auditor considered the cybersecurity incident in their risk assessment process and, if applicable, in their response to identified risks of material misstatement.
In certain audits reviewed, the auditor evaluated the severity and impact of the cybersecurity incident but did not consider whether the incident affected their identification or assessment of risks of material misstatement; whether modifications to the nature, timing, or extent of audit procedures were necessary; and whether the incident could be indicative of one or more deficiencies in ICFR.
– Liz Dunshee
We’ve posted the transcript for our recent DealLawyers.com webcast: “Navigating De-SPACs in Heavy Seas.” This program provided a lot of great practical guidance on handling the increasingly complex and challenging De-SPAC process. Erin Cahill of PwC, Bill Demers of POINT BioPharma, Reid Hooper of Cooley and Jay Knight of Bass Berry & Simms addressed the following topics:
– Overview of the Current Environment for SPAC Deals
– Negotiating Key Deal Terms/Addressing Target Concerns
– The PIPE Market and Alternative Financing Methods
– Target Preparations to Go Public Through a SPAC
– Managing the Financing and Shareholder Approval Process
– Post-Closing Issues
We made this webcast available as a bonus to members of TheCorporateCounsel.net, and so we’ve posted the transcript on this site as well.
– Liz Dunshee
It is my favorite time of year – the leaves are changing colors, there is a slight chill in the air, and my thoughts inevitably turn to – cybersecurity? October is Cybersecurity Awareness Month, which has apparently been a thing since 2004. The overarching theme for Cybersecurity Awareness Month 2021 is “Do Your Part. #BeCyberSmart.”
I think the focus on cybersecurity awareness makes it a great time to take a close look at your cybersecurity disclosure practices. As this MoFo memo notes, the SEC certainly does not need the month of October to be made aware of cybersecurity matters, given that the Division of Enforcement has focused its attention in recent months on “the efficacy of cybersecurity disclosure controls and procedures, especially where sensitive personally identifiable information (PII) is compromised without appropriate remediation, escalation, and disclosure.” With the annual reporting season fast approaching, October is a great time to take a step back and look at both your disclosure controls and procedures and your overall disclosure profile when it comes to cybersecurity.
On the disclosure controls and procedures front, the MoFo memo suggests the following key features of effective cybersecurity controls and procedures:
- Set forth steps to identify and investigate cybersecurity incidents;
- Assess and analyze the impact of the incident on the company’s business and customers;
- Ensure careful analysis of whether the cybersecurity incident is material, giving rise to disclosure obligations;
- Refer potentially material cybersecurity incidents to appropriate committees, including the disclosure committee, for assessment and analysis;
- Ensure that material cybersecurity incidents are reported to senior management and to the board of directors;
- Ensure that material cybersecurity incidents are disclosed to investors and that existing disclosures are reviewed and, if necessary, updated if new facts render them incorrect or misleading;
- Prescribe steps and deadlines to remediate incidents based on severity;
- Address circumstances under which trading restrictions should be imposed on company personnel who are in possession of material non-public information (MNPI) regarding the incident; and
- Provide for the issuance of a document preservation or litigation hold for material incidents or other incidents where the company anticipates litigation.
I think that it is also an opportune time between now and Halloween to review the cybersecurity disclosures in your SEC filings, particularly your cybersecurity risk factor disclosure. Some of the persistent areas of Staff focus through the comment letter process have been as follows:
Unbundling the Cybersecurity Risk. The Staff has often asked that a company break out cybersecurity risks into a separate risk factor, rather than including the risk in one risk factor that addresses a variety of other concerns that the issuer faces.
Addressing the Key Elements. The cybersecurity risk factor should address the types of cybersecurity threats that the company faces, and the extent to which the company has been impacted in a material way by actual breaches or other incidents. The cybersecurity risk factor should also address the risk that cyber incidents may go undetected for a long period of time, which could result in significant consequences. You should address preventative measures that have been established for the purpose of addressing cyber risks, and the risk that such measures may not be effective to avoid an incident. Risks are often raised by third-party access to the issuer’s IT systems, so the risk factor disclosure should address the extent to which access by vendors, outsourcing partners or others might expose the issuer to a cyber attack. Risk factor disclosure should also address when an issuer has insurance coverage for cyber incidents, and the extent to which costs of a cyber attack could exceed that insurance coverage. The risk factor disclosure should highlight the actual and/or potential consequences of a cyber attack, which could include things like reputational harm, costs to remediate the impact of the attack, and costs for implementing protective measures.
Putting the Risk in Context. One frequent Staff comment asks that an issuer address in the risk factor actual or attempted cyber attacks, so that the reader can understand the risks as they apply in the context of the issuer’s business.
Avoiding Hypothetical Risk Factor Disclosure. With all of the warnings from the SEC and the Staff, it is now more important than ever to monitor all of the cybersecurity incidents that the company faces, so that you can accurately describe the cybersecurity threat in the risk factor without implying that the risks are only hypothetical. A good example of an emerging threat is the recent SolarWinds breach, which exposed companies to a potential threat through a “supply chain” attack, where the malicious software was inserted into the company’s patch prior to being distributed to customers.
As the SEC considers rulemaking in this area, companies should also consider the extent to which investors continue to look for the cybersecurity topic to be addressed from a governance perspective. We continue to see the evolution of disclosure in the proxy statement that addresses the extent to which the board and its committees oversee cybersecurity risks.
– Dave Lynn
Last month, I blogged about the possibility of a large number of companies falling off of the Rule 15c2-11 cliff when amendments to the rule went into effect at the end of September. Rule 15c2-11 specifies the information that brokers must have to initiate or maintain quotations in OTC securities.
In the OTC Markets blog, we found some statistics which describe how companies were affected by the SEC rule change. OTC Markets notes that over 3,000 securities became eligible for public market maker price quotations on OTC Markets, after meeting the requirements of Rule 15c2-11 as amended. Meanwhile, 2,247 former “Pink No Information” securities shifted to the Expert Market tier, where securities may only be quoted on an unsolicited (customer order) basis. OTC Markets notes that “while this represents a large number of securities, it represented less than 5% of the total dollar volume.”
– Dave Lynn
I am happy to report that all of the hard work has paid off and the updated Executive Compensation Disclosure Treatise is now available! I always think of this publication as my “baby,” and I can’t believe that it has reached its adolescence. With 2 volumes and over 1700 pages, my baby has really grown up. Order now so you can have all of the latest guidance for the upcoming proxy season!
– Dave Lynn
During the “SEC All-Stars” panel at last week’s Proxy Disclosure Conference, I spoke on the topic of proxy plumbing. I commented on how the SEC issued the proxy plumbing concept release eleven years ago as of yesterday, and just when the Commission started to make progress in addressing some of the proxy plumbing topics from that concept release, we appear to be taking one step forward and two steps back. While I noted that usually people do not get too excited when you start talking about any topic with the word “plumbing” in it, the SEC’s recent efforts on proxy plumbing have seen more drama than an episode of “Keeping Up With the Kardashians.”
Well, that drama continues, with the National Association of Manufacturers announcing that it has sued the SEC for its approach of not enforcing the recently adopted proxy voting advice rules while the Staff is reviewing potential changes to those rules.
Back in July 2020, the SEC adopted the final rules governing proxy voting advice provided by proxy advisory firms such as ISS and Glass Lewis. The proxy advisory firms would be required to comply with most of the new requirements beginning December 1, 2021. Obviously a lot has changed at the SEC since July 2020, and earlier this year Chair Gensler directed the Staff to reconsider the rules and guidance. Corp Fin put out a statement saying that it will not recommend enforcement action to the SEC based on the interpretive guidance and the rule amendments during the period in which the SEC is considering further regulatory action in this area. In addition, in the event that new regulatory action leaves the 2020 exemption conditions in place with the current compliance date, the Staff will not recommend any enforcement action based on those conditions for a reasonable period of time after any resumption by ISS of its litigation challenging the rules and guidance. The SEC’s June 2021 Reg Flex Agenda indicates that proposed amendments to the rules are expected by Spring 2022.
The National Association of Manufacturers, citing numerous concerns with proxy advisory firms, is challenging the SEC’s approach to the rule changes that were duly adopted through a notice and comment rulemaking process. The complaint states:
The SEC’s suspension of the Proxy Advice Rule is flatly unlawful. The SEC may not decide that it no longer stands by a regulation it earlier lawfully promulgated, and—absent any rulemaking process—simply suspend its application. To the contrary, the procedural provisions of the Administrative Procedure Act (APA) exist precisely to bring regularity to agency action.
NAM asks the court to set aside the SEC’s “suspension of the compliance date” for the rule. Stay tuned for the next episode of “Keeping Up With the Proxy Voting Advice Rules.”
– Dave Lynn
In the Advisor’s Blog on CompensationStandards.com, Liz covers a recent announcement by Glass Lewis that it has launched an Equity Plan Advisory service – through a newly formed affiliate, Glass Lewis Corporate. This service appears to be similar to that provided by ISS Corporate Solutions. The Glass Lewis press release states:
Public companies can work with a Glass Lewis Corporate advisor to model their equity compensation plan against the Glass Lewis model. Advisors will review plans with customers, testing different new-share requests and equity plan amendments against Glass Lewis’ methodology, examining multiple what-if scenarios. Glass Lewis maintains a strict separation between Glass Lewis Corporate advisors and Glass Lewis research analysts in order to ensure the continued independence of our proxy advice.
As Liz notes, this new business model could draw some criticism, as Glass Lewis starts to look more like ISS with this foray into counseling the same companies that are the subject of its recommendations.
– Dave Lynn