Monthly Archives: August 2022

August 31, 2022

Cybersecurity: Assessing Cyberattack Materiality

Earlier this year, HanesBrands disclosed that it had been the victim of a ransomware attack.  In its second quarter earnings release, the company disclosed that the attack had a “negative impact on second-quarter net sales, adjusted operating profit and EPS of approximately $100 million, $35 million and $0.08, respectively.” Over on Radical Compliance, Matt Kelly takes a look at the company’s disclosures and observes that they pretty much checked all of the boxes when it comes to the SEC’s disclosure expectations. He then segues into a discussion of the most challenging issue companies face when confronted with a cyberattack – assessing whether it’s material in the first place:

An attack that cuts net sales by 6.2 percent is material (any loss greater than 1 or 2 percent would be), but we’re looking at that number in hindsight. When a company first discovers that a ransomware attack is afoot, you most likely don’t know how severe the damage will be. You need to monitor the disruption as it unfolds, until it crosses some materiality threshold.

Well, think about what that means. You’d need to understand the value at risk from a cyber disruption. You’d need careful analysis of which systems are mission-critical, and the “hourly rate” of their importance, so to speak, so you can keep a running tally of the financial losses. For example, you’d need to be able to say something along the lines of, “For every minute our fulfillment system is off-line, we lose $3,300 in orders.” Do the math, and after three weeks a disruption like that would cost you $100 million in sales.

After only one week, however, that disruption would already have cost $33 million in lost sales. For a company with $1.6 billion in total sales, that would be a loss of roughly 2 percent — and plenty of people would say a 2 percent loss to net sales is material. So our hypothetical company would need to file a disclosure about the incident four days after it crossed that threshold, rather than eight or 10 weeks later in the next earnings release.

I only picked those numbers to give an example that roughly fits the losses HanesBrands suffered; everyone following along will need to use whatever numbers make sense for your own business. The underlying math, however, still holds. Under certain circumstances, a ransomware attack could cost you so much money that very quickly it’s material and needs to be disclosed to investors double-quick.

Matt says that given the speed with which a cyberattack can blossom into something very material to the business, compliance and risk management teams have to ask several questions in order to ensure that the company is prepared to make this assessment: “For example, has your company identified its mission-critical, revenue generating systems? Has it modeled out the estimated revenue per hour those processes generate? Have you consulted with finance and accounting teams so that everyone has a clear understanding of the financial threshold for a material loss?”

John Jenkins

August 31, 2022

Attorney-Client Privilege: WorldCom’s Lessons for Lawyers

A recent Bryan Cave blog says that 20 years after its collapse, WorldCom still has plenty of lessons to offer internal and outside counsel, and one of those lessons relates to the application of the attorney-client privilege. The blog draws from reports issued by former US Attorney General Richard Thornburgh, who served as the bankruptcy court examiner overseeing the case. This excerpt notes how the examiner was able to access virtually all documents that he sought, even those that were privileged:

As a threshold matter, it’s worth noting that virtually all documents sought by the Examiner had to be produced for review, including detailed notes taken by internal counsel and other privileged communications. With the consent of the Company (under the supervision of the bankruptcy trustee), the Examiner obtained a court order providing that the delivery of such documents and other information, including emails, would not constitute a waiver of the attorney-client or other privilege. As a result, all communications with or notes recorded by counsel became available for review by the Examiner.

Counsel should remain mindful that ultimately, the attorney-client privilege belongs to the client and may be waived by the client. A company may consent to production of privileged communications, even without a non-waiver order as was entered in WorldCom. When a company files for bankruptcy, management of the company may shift from its prior executives to a bankruptcy trustee, who may view the waiver issue differently than prior management. In such situations, privileged communications may end up being produced to the government or private plaintiffs.

In other words, the attorney-client privilege belongs to the corporate client, and there may be an entirely new cast of decisionmakers when it comes to decisions about that privilege once a company enters bankruptcy.

The blog also addresses some of the factors identified in the examiner’s reports as leading to the governance breakdown at WorldCom. These include the fragmented reporting lines in the company’s law department and the failure to provide the board with appropriate advice concerning its fiduciary duties for material transactions.

John Jenkins

August 31, 2022

Investor Days: Best Practices for Digital Events

While many organizations are slowly returning to in-person meetings, digital events continue to grow and will likely continue to be a big part of the landscape in the post-pandemic era. This recent Q4 blog offers up some thoughts on best practices for digital “Investor Days” or “Capital Markets Days” (CMDs), including things like the use of pre-recorded messaging, and entertainment and production values.

All those topics are familiar ones to most companies after more than two years of virtual events, but the blog also had some interesting things to say about the content of presentations. Here’s an excerpt reminding companies of the need to distinguish the content presented at a CMD from the more short-term focused content typically presented in an earnings call:

Presentation is key, though content is still very much king. With so much information readily available and so much misleading noise about, directly providing investors with the most relevant and accurate story from the source is critical to underpin a successful CMD. Because the CMD is not always an annual event, the content needs to be relevant and resonate with investors for an extended period of time. Remember that this event is unlike results day, where you update information every quarter. Rather, the CMD is the stage for communicating both the short and mid-long term investment value of the organisation.

John Jenkins

August 30, 2022

Officer Exculpation: Advice on Stockholder Engagement

Last week, Dave blogged about whether companies are likely to ask stockholders to approve officer exculpation charter amendments & how stockholders will react if they do.  If you’re thinking about proposing such an amendment at your next annual meeting, this Freshfields blog offers up some sample language for such an amendment and, in this excerpt, raises some important points to consider when gauging the likely reaction of institutional investors & proxy advisors:

One open question is how institutional shareholders and proxy advisory firms will react to proposals to amend the charter in this manner. The answer, in the case of listed companies, may depend on:

– the other elements of the corporation’s governance profile and the extent to which there may already be tension with shareholders over governance;

– the extent to which the corporation otherwise engages in best practices relating to its executive officers, including their compensation, diversity, and skillsets;

– the relationship between management and the shareholders, including the extent of shareholders’ confidence in management’s stand-alone plan and their assessment of recent performance;

– management’s approach to shareholder engagement and its ability to articulate effectively in off-cycle meetings with shareholders in the coming months the rationale for putting forward this proposed charter amendment at the next annual meeting; and

– the effectiveness of the articulation of the rationale for this charter amendment in the proxy statement for the meeting at which the amendment will be voted on and in related solicitation conversations.

The blog says that there’s a strong policy rationale for these charter amendments and that it makes sense for institutional investors & proxy advisors to support them, but it also acknowledges that getting these constituencies to sign off on such an amendment will require “thoughtful and deliberate” efforts on the part of companies when engaging with stockholders.

John Jenkins

August 30, 2022

Officer Exculpation: Sample Proxy Disclosure & Amendment Language

If you’re thinking about an officer exculpation amendment, then you’re probably also thinking about what your proxy disclosure and the text of that amendment might look like.  Thanks to Daniel Rubin’s Twitter feed, we’ve found an example. Nasdaq-listed SWK Holdings filed a definitive proxy statement on July 18th asking its stockholders to, among other things, amend its certificate of incorporation to exculpate officers to the fullest extent permitted by law.  Here’s an excerpt describing the reasons for the proposal:

As part of its continuing review of the elements of our corporate governance standards and practices, the Governance and Nominating Committee concluded that the current exculpation and indemnification provisions in Article VIII of our Certificate of Incorporation should be updated to, among other things, reflect developing law. Legislation has been proposed that, if enacted, would enable a corporation to include in its certificate of incorporation a provision exculpating certain officers from liability for breach of the duty of care in certain actions.

Such a provision would not exculpate such officers from liability for breach of the duty of loyalty, acts or omissions not in good faith or that involve intentional misconduct or a knowing violation of law, or any transaction in which the officer derived an improper personal benefit. Nor would such a provision exculpate such officers from liability for claims brought by or in the right of the corporation, such as derivative claims.

Taking into account the narrow class and type of claims that such officers would be exculpated from liability for, and the benefits the Governance and Nominating Committee believed would accrue to the corporation from providing such exculpation, the Governance and Nominating Committee recommended to the Board of Directors an amendment to the Certificate of Incorporation to provide such exculpation to the fullest extent permitted by law.

According to the company’s August 10th Form 8-K (which includes the text of the amendment), its stockholders overwhelmingly approved the proposed amendment. Steve Haas also pointed us in the direction of this Form 8-K filing from Snap, which includes the text of an officer exculpation charter amendment that its Class C stockholders approved by written consent. Snap didn’t solicit consents from public stockholders, so there’s no sample disclosure to go along with this.

I wouldn’t draw a lot of conclusions about stockholder support at other public companies from either SWK’s or Snap’s action. Two investment funds control nearly 80% of SWK’s stock, while voting control of Snap rests in the hands of its founders who hold the Class C stock.

John Jenkins

August 30, 2022

SEC Filing Fees: Up, Up and Away!

Last week, the SEC issued its first fee rate advisory for fiscal 2023.  Although the last several years have seen significant decreases in the filing fees for registration statements & certain other transactions, the advisory says those fees will increase next year from $92.70 per million to $110.20 per million – or nearly 19%. As always, the new rate will apply effective October 1, 2022, which is when the SEC’s new fiscal year begins.

John Jenkins

August 29, 2022

Whistleblowers: SEC Amends Whistleblower Rules

On Friday, the SEC announced that it had adopted two amendments to the rules governing its whistleblower program.  Here’s the 46-page adopting release and the two-page fact sheet.  This excerpt from the SEC’s press release summarizes the changes:

Specifically, the SEC amended Rule 21F-3 to allow the Commission to pay whistleblower awards for certain actions brought by other entities, including designated federal agencies, in cases where those awards might otherwise be paid under the other entity’s whistleblower program. The amendments allow for such awards when the other entity’s program is not comparable to the Commission’s own program or if the maximum award that the Commission could pay on the related action would not exceed $5 million.

Further, the amendments affirm the Commission’s authority under Rule 21F-6 to consider the dollar amount of a potential award for the limited purpose of increasing the award amount, and it would eliminate the Commission’s authority to consider the dollar amount of a potential award for the purpose of decreasing an award.

The amendments prompted much rejoicing from the whistleblower bar but left the two dissenting Republican commissioners scratching their heads about why the SEC felt the need to do this. Frankly, I find myself doing the same. Here’s an excerpt from Commissioner Uyeda’s dissenting statement, which picks up on some recent criticism concerning the program’s lack of transparency:

High-quality tips from whistleblowers represent an important tool in the Commission’s enforcement program. To the extent that the Commission seeks to improve the Whistleblower Program and its rules, it should perhaps consider promoting greater visibility into its claims and award determinations, and increasing the number of high-quality tips from unrepresented persons. Such a review could also evaluate the role played by lawyers representing whistleblowers on a contingency fee basis and how they present tips to the Commission.

John Jenkins

August 29, 2022

Universal Proxy: SEC Issues 3 CDIs on Rule 14a-19

The SEC’s surprise adoption of the pay for performance disclosure rules didn’t leave Dave room to address the universal proxy CDIs that the SEC issued last Thursday. Here’s what I had to say about them over on the Blog:

With the universal proxy compliance date less than a week away, the SEC yesterday issued three new Proxy Rules and Schedules 14A/14C CDIs addressing issues arising under Rule 14a-19. Unfortunately, the SEC didn’t include links to the individual CDIs, so you’ll need to scroll down to the new Section 139 in order to find them.  Here’s a brief summary of the issues they address:

CDI #139.01 addresses the ability of a dissident shareholder to change its slate of nominees after the Rule 14a-19(b) notice deadline due to a nominee’s decision to withdraw or a change in the number of director seats up for election.

CDI #139.02 deals with the registrant’s obligation to comply with Rule 14a-19(b)’s notice requirements in the case of a contested election in which more than one dissident shareholder intends to present a slate of director nominees.

CDI #139.03 addresses the registrant’s obligation under Rule 14a-5 to disclose in its proxy materials Rule 14a-19(b)(1)’s requirement that a dissident provide notice of its nominees at least 60 calendar days before the anniversary of the prior year’s annual meeting in situations where the registrant’s advance notice bylaw provides for an earlier notification date.

John Jenkins

August 29, 2022

China-Based Companies: PCAOB & China Regulators Reach Tentative Deal

On Friday, the PCAOB announced that it had reached an agreement with the China Securities Regulatory Commission and the PRC’s Ministry of Finance to permit the PCAOB to fully inspect and investigate registered public accounting firms headquartered in mainland China and Hong Kong. The PCAOB announced that the deal, which is embodied in a “Statement of Protocol,” is just a first step, and this excerpt from the comments of PCAOB Chair Erica Williams suggests a healthy degree of skepticism about whether China’s regulators will honor the accord in practice:

“On paper, the agreement signed today grants the PCAOB complete access to the audit work papers, audit personnel, and other information we need to inspect and investigate any firm we choose, with no loopholes and no exceptions. But the real test will be whether the words agreed to on paper translate into complete access in practice.

Today, I directed the PCAOB inspection team to finalize their preparations to be on the ground by mid-September so we can put this agreement to the test. The Statement of Protocol grants the PCAOB complete access in three important ways:

– The PCAOB has sole discretion to select the firms, audit engagements and potential violations it inspects and investigates – without consultation with, nor input from, Chinese authorities.

– Procedures are in place for PCAOB inspectors and investigators to view complete audit work papers with all information included and for the PCAOB to retain information as needed.

– The PCAOB has direct access to interview and take testimony from all personnel associated with the audits the PCAOB inspects or investigates.

Now we will find out whether those promises hold up.”

As Liz recently blogged, the tentative accord comes on the heels of increased activity surrounding the implementation of the Holding Foreign Companies Accountable Act, which could ultimately result in the wholesale delisting of China-based companies unless the PCAOB is provided with the kind of access to audit materials & personnel contemplated by the deal.

John Jenkins

August 26, 2022

Late Summer Surprise: SEC Adopts Pay Versus Performance Disclosure Requirement

Typically, the last two weeks of August are a pretty quiet time on the regulatory front. Not so for the SEC in 2022! At long last, the SEC finally got around to adopting the pay versus performance disclosure requirements that they were directed to adopt by the Dodd-Frank Act over a dozen years ago. The surprise rulemaking action is described in a press release and fact sheet.

Earlier this year, the SEC had reopened the comment period for the rules that had originally been proposed in 2015 to implement Section 953(a) of the Dodd-Frank Act, which would require a comparison of a company’s performance to the compensation actually paid to the company’s principal executive officer and other executive officers. In reopening the comment period, the SEC acknowledged “[s]ince the Proposed Rules were published, executive compensation practices related to company performance have continued to develop and evolve, to the point that we believe interested persons should be given a further opportunity to analyze and comment upon the Proposed Rules.”

New Item 402(v) of Regulation S-K will require that companies provide a table disclosing specified executive compensation and financial performance measures for the company’s five most recently completed fiscal years. This table will include, for the principal executive officer and, as an average, for the other named executive officers, the Summary Compensation Table measure of total compensation and a measure reflecting “executive compensation actually paid,” as specified by the rule. The financial performance measures to be included in the table are:

– Total shareholder return for the company;

– TSR for the company’s peer group;

– The company’s net income; and

– A financial performance measure chosen by the company and specific to the company that, in the company’s assessment, represents the most important financial performance measure the company uses to link compensation actually paid to the company’s NEOs to company performance for the most recently completed fiscal year.

In addition, Item 402(v) requires a clear description of the relationships between each of the financial performance measures included in the table and the executive compensation actually paid to its principal executive officer and, on average, to its other named executive officers over the company’s five most recently completed fiscal years. The company will be required to also include a description of the relationship between the company’s TSR and its peer group TSR.

Item 402(v) also requires a list of three to seven financial performance measures that the company determines are its most important measures. Companies are permitted, but not required, to include non-financial measures in the list if they considered such measures to be among their three to seven “most important” measures.

The pay versus performance disclosure will need to be tagged using Inline XBRL. The disclosure requirements do not apply to emerging growth companies, registered investment companies, or foreign private issuers.

Not surprisingly, Commissioners Peirce and Uyeda did not support the final rule. Commissioner Peirce issued a statement saying the rule “will elicit costly, complicated, disclosure of questionable utility” and Commissioner Uyeda issued a statement questioning the SEC’s compliance with the Administrative Procedure Act by adopting a long dormant rule proposal after issuing an insufficient “reopening” release.

– Dave Lynn