The upcoming proxy season promises to be yet another year of change. We have so many SEC rulemakings to take into consideration as we prepare annual reports and proxy statements, while also paying attention to evolving investor concerns. With all of this brewing for 2024, you definitely do not want to miss our September Conferences.
I look forward to joining the SEC All-Stars for our hour-long Proxy Season Insights panel on Wednesday, September 20. The All-Stars joining me on this panel are Sonia Barros, Meredith Cross, Alan Dye and Lona Nallengara. We will be covering a wide range of topics, including:
– Use of Rule 10b5-1 plans and insider trading policy updates
– Share repurchase programs
– Cyber disclosures & governance
– Board diversity requirements & disclosures
– Beneficial ownership modernization and Section 16/Form 144 developments
I plan to address the topic of share repurchase programs, where the implementation of the SEC’s new daily repurchase disclosure rules will be a significant consideration for many companies as we go into the annual reporting season.
This SEC All-Stars panel, along with the rest of the panels at the “Proxy Disclosure & 20th Annual Executive Compensation Conferences” will provide you with the guidance that you need to successfully navigate the proxy season, so I encourage you to register today. Here is the full agenda – and here is more information about our expert speakers. In addition, be sure to check out the agenda for our “2023 Practical ESG Conference” – which is happening virtually on Tuesday, September 19th. This event will help you avoid ESG landmines and anticipate opportunities. You can bundle the Conferences together for a discount.
The National Institute of Standards and Technology (NIST) recently released drafts of its Cybersecurity Framework (CSF) 2.0 for public comment. The NIST CSF consists of standards, guidelines, and best practices that help organizations improve their management of cybersecurity risk. In its announcement of the new CSF, NIST notes:
The world’s leading cybersecurity guidance is getting its first complete makeover since its release nearly a decade ago.
After considering more than a year’s worth of community feedback, the National Institute of Standards and Technology (NIST) has released a draft version of the Cybersecurity Framework (CSF) 2.0, a new version of a tool it first released in 2014 to help organizations understand, reduce and communicate about cybersecurity risk. The draft update, which NIST has released for public comment, reflects changes in the cybersecurity landscape and makes it easier to put the CSF into practice — for all organizations.
In February 2022, NIST released a request for information about the CSF. In response, commenters indicated that the framework remains an effective tool for reducing cybersecurity risk, but noted “that an update could help users adjust to technological innovation as well as a rapidly evolving threat landscape.”
In its announcement of the updated draft, NIST notes the following key changes to the CSF:
• The framework’s scope has expanded — explicitly — from protecting critical infrastructure, such as hospitals and power plants, to providing cybersecurity for all organizations regardless of type or size. This difference is reflected in the CSF’s official title, which has changed to “The Cybersecurity Framework,” its colloquial name, from the more limiting “Framework for Improving Critical Infrastructure Cybersecurity.”
• Until now, the CSF has described the main pillars of a successful and holistic cybersecurity program using five main functions: identify, protect, detect, respond and recover. To these, NIST now has added a sixth, the govern function, which covers how an organization can make and execute its own internal decisions to support its cybersecurity strategy. It emphasizes that cybersecurity is a major source of enterprise risk, ranking alongside legal, financial and other risks as considerations for senior leadership.
• The draft provides improved and expanded guidance on implementing the CSF, especially for creating profiles, which tailor the CSF for particular situations. The cybersecurity community has requested assistance in using it for specific economic sectors and use cases, where profiles can help. Importantly, the draft now includes implementation examples for each function’s subcategories to help organizations, especially smaller firms, use the framework effectively.
The CSF 2.0, while still in draft form, is a useful reference point as you prepare for the new SEC disclosure requirements, particularly when evaluating whether your approach to managing and overseeing cybersecurity risk is consistent with widely accepted practice. The new govern function is especially relevant, since it maps closely to the risk management, strategy, and governance topics that the Form 10-K disclosure will need to address.
The comment period for the draft CSF 2.0 runs until November 4, 2023.
One of the occupational hazards of being a securities lawyer is that you are often asked to predict what the SEC or the SEC Staff will do in a particular situation, and at times making such predictions can be difficult. The challenge can be particularly acute when it comes to SEC rulemaking, because so many variables are at play in any given rulemaking action. Sometimes I feel like Zoltar, the vending machine fortune teller from the movie Big.
The process of notice and comment rulemaking is very much a “give and take” process. Having been involved in this process at the SEC, I would say that rulemaking involves quite a bit of what we would always refer to as “horse trading,” particularly when the rulemaking is being considered at the Commission level. As a member of the Staff, sometimes the horse trading can be frustrating, because things can end up in proposed rules that do not necessarily make a lot of sense or are not consistent with what you were hoping to achieve. The process becomes even more complex once you have proposed the rules and are considering the input of commenters, particularly when you are dealing with a controversial rulemaking that is likely to be subject to legal challenge.
One thing that is important to not lose sight of is that while the final rules are not “negotiated” per se, the Commission will sometimes propose rule changes that may go farther than what the Commission actually expects to adopt as final rules, recognizing that some matters may be pared back or changed in response to comments. For this very reason, in the not-too-distant past, we did not always provide a whole lot of coverage in law firm client alerts and publications such as The Corporate Counsel on proposed rules, given the understanding that proposed rules may not necessarily be indicative of what the final rules will turn out to be, so it did not make much sense to dedicate scarce resources toward understanding the proposed rules. In recent years, there has been increased concern (whether warranted or not) that the Commission is proposing rules that it intends to adopt largely as proposed, without perhaps fully considering the concerns raised by commenters. The shifting sands have made things much harder to predict as the Commission tackles some very significant public disclosure issues through the rulemaking process.
Which brings us to the question that everyone is asking these days – what will the final climate change disclosure rules look like? In trying to answer this question like Zoltar, I am encouraged by the outcome we recently observed with the cybersecurity disclosure rules. In March 2022, the SEC originally proposed cybersecurity disclosure rules that included complex and highly detailed requirements that struck companies and their advisers as overly prescriptive and seeking too much detail. Consistent with other recent rulemakings, the Commission went down the path of proposing very prescriptive disclosure requirements on the topic of cybersecurity risk management and oversight for periodic reports and for the type of information that would be required to be disclosed when it is determined that a cybersecurity incident is material. The Commission also took what proved to be a controversial step of proposing that companies disclose information about the cybersecurity expertise of corporate directors.
In the final rules, the Commission clearly considered the concerns of commenters on a number of important issues and modified the final rules as a result, including paring back the disclosure required on a current basis when an incident is determined to be material, pivoting to a more principles-based approach for the disclosure related to risk management, strategy, and governance and not adopting the proposed requirement to disclose board cybersecurity expertise.
While it is obviously difficult to draw too many conclusions from just this one rulemaking, this recent outcome with the cybersecurity disclosure rules may give us hope that the Commission will make some significant adjustments to the proposed climate change disclosure requirements that were also proposed back in March 2022, particularly with respect to the disclosure of Scope 3 emissions, the detailed disclosure requirements regarding risk management and governance and the financial statement footnote disclosure requirements. The horse trading on these and other points is undoubtedly going on as we speak. I think that maybe only Zoltar knows how it will all come out.
You can get all of the latest insights by joining me on Wednesday, September 20 for my interview with Erik Gerding, Director of the SEC’s Division of Corporation Finance. Erik will share his views on the latest developments and priorities for the Corp Fin Staff, and his expectations for the upcoming proxy season. We are very fortunate to have Erik joining us for the “2023 Proxy Disclosure Conference” given all that is going on at the SEC right now. My interview with Erik is a great way to kick off three days of drilling down on all of the things you need to know for your SEC disclosures and executive compensation matters in these turbulent times.
While the SEC’s adoption of cybersecurity disclosure requirements last month was a long time in the making, the actual adoption of the rules and the relatively short compliance deadlines seem to have prompted some level of panic at public companies. Based on how the final rules came out, I hope to offer some reassuring words that your path to compliance with these requirements can build on your pre-existing efforts rather than reinventing the wheel. To that end, I ask and answer some of the questions that have been emerging about the new rules. Please read them and take a few deep breaths.
Do I need to create new disclosure controls for Item 1.05 of Form 8-K?
New Item 1.05 of Form 8-K requires a company to disclose any cybersecurity incident that it determines to be material within four business days after making that materiality determination (subject to limited exceptions), describing the material aspects of (i) the nature, scope, and timing of the incident and (ii) the impact or reasonably likely impact of the incident on the company, including on the company’s financial condition and results of operations.
The disclosure controls necessary to escalate cybersecurity incidents and evaluate whether they are material and must be disclosed should already be in place at public companies. The SEC’s 2018 interpretive release strongly encouraged the filing of a Form 8-K when a cybersecurity incident is determined to be material, and subsequent SEC enforcement cases focused on the timing of current disclosure about cybersecurity incidents and the disclosure controls that were in place to facilitate that disclosure. As a result of these developments, companies have implemented procedures to identify cybersecurity incidents, escalate them to management, and have management evaluate the materiality of those incidents to determine whether they must be disclosed. Item 1.05 of Form 8-K now formalizes the Form 8-K filing requirements and assigns a four-business-day deadline to the disclosure obligation.
For foreign private issuers, not much has changed in terms of the current disclosure framework. The SEC did amend General Instruction B of Form 6-K to add material cybersecurity incidents to the list of items that may trigger a current report on Form 6-K. The SEC notes in the adopting release that, “for a cybersecurity incident to trigger a disclosure obligation on Form 6-K, the registrant must determine that the incident is material, in addition to meeting the other criteria for required submission of the Form.”
The new disclosure obligation may require some fine-tuning of pre-existing disclosure controls and procedures to reflect the disclosures that must be provided in response to the new Form 8-K item, as well as a process for tracking whether the Item 1.05 Form 8-K must be amended to reflect information that was not determined or was unavailable at the time of the required initial filing. Further, companies will need to assess whether their controls will actually support a Form 8-K filing within four business days of determining that an incident is material.
Spoiler alert: In the vast majority of cybersecurity incidents that I deal with in my practice, it is ultimately concluded that the cybersecurity incident is not material under established standards for evaluating materiality. As a result, I do not expect to see a flood of Item 1.05 Form 8-Ks streaming into the SEC after the December 18, 2023 compliance date.
Should my approach to determining whether a cybersecurity incident is material change?
The approach to materiality is the same as it has always been. The SEC did not adopt any bright lines to be applied in determining whether an incident is material and therefore must be disclosed under new Item 1.05 of Form 8-K, leaving it to us to apply established standards of materiality. Consistent with past pronouncements, the Commission has indicated that the materiality standard that companies should apply in evaluating whether a Form 8-K would be triggered under Item 1.05 is consistent with the caselaw standards that we are familiar with applying in this context.
For the purpose of evaluating whether a Form 8-K is required to be filed pursuant to Item 1.05 of Form 8-K, information about a cybersecurity incident is considered “material” if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision or if the information would have been viewed by the reasonable investor as having significantly altered the “total mix” of information made available to the investor. As part of a materiality analysis, the company should consider the indicated probability that an event will occur and the anticipated magnitude of the event in light of the totality of company activity. No single fact or occurrence is determinative as to materiality, which requires an inherently fact-specific inquiry.
I advise that it is best to create your framework for evaluating the materiality of cybersecurity incidents ahead of time, and test that framework when you conduct tabletop exercises or otherwise evaluate your incident response plan. Once you have the framework sorted out and documented, then I don’t think it is necessary to document your specific evaluation of individual incidents, unless that is something that you would normally do in your Form 8-K process.
Do I need to change my board and management practices regarding cybersecurity?
While it is certainly always a good idea to evaluate your board and management practices around the oversight and management of cybersecurity risks to always put your best foot forward on this topic, nothing about the new disclosure requirements should necessarily drive a revamp of the company’s approach. In the adopting release, the SEC notes “that the purpose of the rules is, and was at proposal, to inform investors, not to influence whether and how companies manage their cybersecurity risk.” As originally proposed, the disclosure requirements could be read as normative standards for board oversight and management involvement, but in the final rules the SEC has taken a much more principles-based approach. Based on this pivot, one might expect to see a few paragraphs about cybersecurity risk management, strategy, and governance in upcoming Form 10-Ks rather than pages of disclosure. And those paragraphs are going to be pretty high level in terms of their description of the process, as even the SEC does not want companies to hand threat actors the “keys to the kingdom” through their Form 10-K disclosure. At this point, the best approach is to begin drafting the required disclosure so you can evaluate whether there are any areas that you want to shore up before going live in your Form 10-K.
Do the new rules supersede the SEC’s past guidance?
While some aspects of the 2018 interpretive guidance have now been incorporated into the SEC’s rules (in particular the construct for current reporting on Form 8-K), companies still must consider that guidance in determining what to disclose under items that were not amended in this latest rulemaking effort, including: (i) risk factors; (ii) legal proceedings; (iii) MD&A; (iv) financial statements; (v) effectiveness of disclosure controls and procedures; and (vi) corporate governance (including disclosure in the proxy statement).
The SEC’s Division of Enforcement has conducted a lot of investigations of cybersecurity incidents in recent years, but it is important to keep in mind that there have been only four Enforcement actions brought against companies in the five years since the 2018 interpretive release.
Here are some of the notable takeaways from those actions:
1. The four actions focus on material misstatements and omissions regarding cyber incidents and deficiencies in cybersecurity disclosure controls and procedures.
2. Three of the four actions involve negligence charges stemming from materially misleading disclosures and omissions regarding cybersecurity incidents and risks, but not intentional or reckless fraud.
3. All four actions involve charges related to deficiencies in disclosure controls and procedures.
4. These actions all involve unauthorized access and/or theft of sensitive personally identifiable information.
5. The companies that were the subject of these actions settled to administrative charges on a “neither admit nor deny” basis.
The SEC does have ongoing investigations of cybersecurity incidents, including those related to the SolarWinds breach, and I do expect that we will continue to see the SEC bring actions based on the old interpretive guidance and pre-existing requirements even after the new rules go into effect.
Well folks, we are less than a month away from our September conferences, and that means I am going to be spending my week on the blog reminding you of why you need to sign up for this big event. Today I am going to focus on the “2023 Practical ESG Conference,” which takes place virtually on Tuesday, September 19, 2023.
The 2023 Practical ESG Conference will deliver usable, practical guidance on current ESG developments in a candid and conversational format. We have assembled an extraordinary group of speakers and you will not want to miss any of these sessions:
• ESG Hot Topics – Forewarned is Forearmed
• What your DEI Leader Wants You to Know
• Your Evolving Climate Disclosure: Data Perils & Protections
• Anti-ESG: Practical Steps to Navigate the Crosshairs
• The Great Debate: Does DEI Belong in HR, ESG, or Somewhere Else?
• Greenwashing 2.0: New Ways to Tackle Your Company’s ESG Embellishments
• ESG Oversight: How to Protect Your Board & Audit Committee From a Litany of Risks
I am particularly looking forward to joining a great group of panelists – Doug Parker from Ecolumix, Mark Trexler from The Climate Web and Kristina Wyatt from Persefoni – for the panel “Your Evolving Climate Disclosure: Data Perils & Protections.” This panel will provide an overview of top concerns on GHG data collection, validation and management and how you can reduce your reporting risk.
The “2023 Practical ESG Conference” can be conveniently bundled with the “Proxy Disclosure & 20th Annual Executive Compensation” Conferences. With all that is going on, this is definitely the year to participate in our Conferences – you do not want to miss all of the insights that our incredible group of speakers bring to the table. Sign up today!
Bloomberg recently reported that inflation has been a hot topic in SEC comment letters — particularly the depth and detail of the discussion of inflation in MD&A. That shouldn’t come as a surprise — for one, it had been a long while since we’ve really had to flex our MD&A disclosure muscles when it comes to inflation. But also, just before inflation became a problem for the first time in a long time in the US, the SEC amended Item 303 of Regulation S-K to remove the express requirement to address the impact of inflation on the basis that other MD&A requirements would require a discussion of material inflationary impacts (for example, as a known trend or uncertainty or to explain material changes in line items from period to period). The 2020 Proposing Release for the MD&A amendments stated that a specific reference to inflation and changing prices “may give undue attention to the topic.” But here we are in an environment where attention is deserved.
Cooley’s Cydney Posner pulled recent comment letters on the topic and, in this post, shared additional color & sample comments:
In regular comments on SEC filings to a diverse mix of companies, Corp Fin has asked companies to discuss in more detail the impact of inflationary pressures, including at times, with quantification. From a quick EDGAR search, I found, for example, a comment from Corp Fin related to a risk factor that discussed inflation, asking the company to “update this risk factor in future filings if recent inflationary pressures have materially impacted your operations. In this regard, identify the types of inflationary pressures you are facing and how your business has been affected.”
In another case, where a company disclosed that its costs of necessary commodities, labor, energy and other inputs had significantly increased and were expected to continue to affect the business, the staff asked for more detail, requesting that the company revise its disclosure to quantify the impact of inflation, including providing year-over-year comparisons of the impact, and provide more detail regarding the company’s efforts to offset cost pressures through price increases, including the success of those efforts. In another instance, commenting on MD&A disclosure that inflation had negatively affected results of operations as a consequence of increased cost of sales and operating expenses, Corp Fin asked the company to “quantify and disclose the impact of the inflationary pressures you are experiencing on cost of sales, gross margins and operating expenses,” quantifying increases in transportation and fuel costs, materials, commodities and packaging costs, as well as production inefficiencies and geographical sales mix.
Another comment asked a different company to expand on how the impact of higher rates of regional inflation and raw material supply in certain regions affected the company’s operations, potentially affecting its operating segment analysis. In yet another example, the staff observed that when the financials reflect material changes from period-to-period in one or more line items, or where material changes within a line item offset one another, the company is still required to describe the underlying reasons in quantitative and qualitative terms. The staff then asked the company to “quantify the impact of each factor or component associated with material changes, including the impact of inflation associated with any material changes.”
Inflation was already a trending comment letter topic in 2022 when it was at its peak, but comments seemed to focus more on risk factors and, in particular, the ever-important-to-avoid hypothetical risk factor trap. Cydney notes that these comments — now MD&A focused — are still coming, even as inflation slows.
John recently blogged that emojis can create binding contracts and advised us to think long and hard before clicking “send” on that email or text with a cute little emoji. In fact, you may want to cut out emojis completely — at least in your professional life — especially if you’re a public figure. This Bryan Cave blog discusses a recent U.S. District Court decision rejecting a motion to dismiss a claim that a large investor in Bed Bath & Beyond (Ryan Cohen), well-known to the meme-stock world, used a tweet with an emoji to orchestrate a pump and dump scheme.
On August 12, 2022, CNBC tweeted a negative story about the company, accompanied by a picture of a woman pushing a shopping cart at a Bed Bath store. In response, Cohen tweeted a reply: “At least her cart is full” with what was described as a “smiley moon emoji.” The court stated: “Some online communities understand the smiley moon emoji to mean ‘to the moon’ or ‘take it to the moon.’ . . . In other words, according to Plaintiff, Cohen was telling his hundreds of thousands of followers that Bed Bath’s stock was going up and that they should buy or hold.”
He then filed a close-in-time, but potentially unrelated, amendment to his Schedule 13D which indicated that it “was triggered solely due to a change in the number of outstanding Shares of the Issuer” and made no mention of any plans to sell. Two days later, he filed another amendment reporting the sale of all of his Bed Bath shares.
With respect to the emoji, the blog summarizes the court’s conclusions as follows:
– Although an emoji may be ambiguous, its meaning can be clarified “by the context in which [it] is used.”
– “Emojis may be actionable if they communicate an idea that would otherwise be actionable.”
– The plaintiff “plausibly alleged that the moon tweet relayed that Cohen was telling his hundreds of thousands of followers that Bed Bath’s stock was going up and that they should buy or hold. In the meme stock ‘subculture,’ moon emojis are associated with the phrase ‘to the moon,’ which investors use to indicate ‘that a stock will rise.’ So meme stock investors conceivably understood Cohen’s tweet to mean that Cohen was confident in Bed Bath and that he was encouraging them to act” [citations omitted].
– The tweet is actionable because “plausibly material,” rather than “mere puffery,” as evidenced by investors’ reliance in driving up the stock price. Further, “[i]nvestors may have reasonably seen Cohen as an insider sympathetic to the little guy’s cause,” by interacting with followers on Twitter, his large stake and public interactions with the company.
It’s worth noting that the plaintiffs claimed that the first 13D amendment and related Form 144 were also misleading. In response to the 13D claim, the defense pointed out that Section 13(d) has no private right of action for damages. To this the court replied, “No matter. Even if that is right, it does not follow that 10(b) claims may not be based on misleading 13D filings. Those are two separate questions.”
Here’s something that John blogged last week on DealLawyers.com:
The Activist Investor’s Michael Levin flagged a recent Institutional Investor article that claims that activist hedge funds look at the diversity of a board when identifying potential targets for their campaigns. Here’s an excerpt:
Activist hedge funds are paying attention to board diversity — and are using that information to decide on their next targets. New research shows that activist investors are more likely to succeed when boards are less united and slower to act — two characteristics that are common among diverse boards, where members come from different backgrounds and tend to bring different perspectives. The study found that hedge funds exploit differences of opinion among board members, as well as their more deliberate decision-making processes, to sway shareholder votes in their favor.
The article quotes one of the study’s authors as saying that although diversity provides many benefits, diverse boards take longer to come to a consensus than boards comprised of members of the “old boys network.” Boards and their advisors should keep this vulnerability in mind when evaluating their potential to be targeted by activist hedge funds and in their activism preparedness efforts.
On a related note, make sure to mark your calendar for our upcoming joint webcast with PracticalESG.com “Corporate DEI Programs After Students for Fair Admissions v. Harvard” on Thursday, August 31, 2023, at 2 pm Eastern. J.T. Ho, Co-head of Public Companies & ESG practice at Orrick, Ngozi Okeh, DEI Editor at PracticalESG.com, and Travis Sumter, Labor & Employment Attorney at NextRoll, will discuss the increasingly complex environment in which corporate DEI programs operate. If you’re not already a member with access to this webcast, sign up online for a no-risk trial or email sales@ccrcorp.com.