TheCorporateCounsel.net

Providing practical guidance since 1975.

Monthly Archives: August 2023

August 17, 2023

Crypto Decision in Ripple Labs: Approach Already Rejected in Terraform

In mid-July, I blogged about the SDNY’s long-awaited order in SEC v. Ripple Labs, (SDNY 7/23), suggesting that the decision may not be the massive victory for crypto that some were calling it and lamenting that the Ripple decision was just one development in the crypto saga — certainly not bringing the regulatory clarity some had hoped. The latest crypto decision, also from the SDNY — SEC v. Terraform Labs, (SDNY 8/23) — supports these points. This Mayer Brown alert describes the decision:

Judge Jed Rakoff ruled this week in favor of the SEC on a motion to dismiss, finding the SEC’s amended complaint adequately pled that the crypto assets sold by Terraform Labs and its founder and Chief Executive Officer Do Keyong Kwon qualify as “investment contracts” under the Howey precedent. While this decision represents only a preliminary review of the issues and accepts the SEC’s allegations as true (for purposes of the motion), it provides useful commentary as well as some counterpoints to the Ripple analysis […]

Judge Rakoff appeared to agree with Judge Torres that digital assets do not constitute securities unless their offering, sale or use were tied to an economic benefit being conveyed upon the purchaser. However, Judge Rakoff also stated that a crypto asset that is not a security at one point in time may, as its circumstances and those of its related protocol(s) change, become an investment contract—i.e., a security—that is subject to SEC regulation.

The part of the decision certain to attract the most attention is Judge Rakoff’s explicit rejection of the approach used by Judge Torres in the recent Ripple ruling, which drew a distinction between digital assets based on the manner in which they were sold (primary issuance to institutional investors vs. secondary transactions involving retail investors). In doing so, Judge Rakoff stated that the Howey precedent does not differentiate among purchasers, because the manner in which digital assets are purchased would not change a purchaser’s reasonable belief in the promise of future profits. In the Terraform case, the SEC alleged that the defendants actively encouraged both retail and institutional investors to buy crypto assets while touting their ability to maximize returns on investors’ tokens.

This Jenner & Block alert gave the TL;DR on both decisions. Here it is:

Recent decisions appear to agree that:
– tokens, themselves, are not securities;
– some token sales are securities offerings, particularly those made directly from the issuer to a purchaser.

Recent decisions appear to disagree on whether or in what circumstances token sales are securities transactions in a secondary market.

The SEC sought leave to appeal the Ripple case, which may provide more substantial guidance next year.

– Meredith Ervine 

August 17, 2023

Cyber Report: Our Defenses Are (Still) Being Outsmarted (by Teenagers)

Consider this for upcoming board and committee discussions — especially since cybersecurity disclosures are already bound to be on your agenda. Last week, the Department of Homeland Security announced the release of a report summarizing findings by the Cyber Safety Review Board regarding certain cyber incidents in 2021 and 2022 involving a particular threat actor group that impacted dozens of well-resourced organizations. The CSRB engaged nearly 40 organizations and individuals to discuss these incidents, including threat intelligence firms, incident response firms, targeted organizations, law enforcement, individual researchers and subject matter experts.

This post on the Jackson Lewis Workplace Privacy, Data Management & Security Report blog summarizes key highlights, specifically:

– The multi-factor authentication (MFA) widely used today is insufficient; one-time passcodes and push notifications sent via SMS can be intercepted, making application or token-based MFA methods preferred
– Employees can be compromised with monetary incentives and have handed over access credentials, approved upstream MFA requests, conducted SIM swaps, and otherwise assisted attackers in gaining access to an organization’s systems
– Threat actors also leverage third-party service providers to target downstream customers through secure file transfer services

Yikes! Some of these findings were surprising (to me) and — at least for some companies — may be worthy of board time and attention, including a discussion about how management is addressing these risks. To that end, here’s a further excerpt from the blog:

The Board outlines several recommendations; some are more likely to be within an organization’s power to mitigate risk than others. The recommendations fall into four main categories:

– strengthening identity and access management (IAM);
– mitigating telecommunications and reseller vulnerabilities;
– building resiliency across multi-party systems with a focus on business process outsourcers (BPOs); and
– addressing law enforcement challenges and juvenile cybercrime.

As noted above, one of the strongest suggestions for enhancing IAM is moving away from passwords. The Board encourages increased use of Fast IDentity Online (FIDO)2-compliant, hardware-backed solutions. In short, FIDO authentication would permit users to sign in with passkeys, usually a biometric or security key. Of course, biometrics raise other compliance risks, but the Board observes this technology avoids the vulnerability and suboptimal practices that have developed around passwords.

Another recommendation is to develop and test cyber incident response plans. As we have discussed on this blog several times (e.g., here and here), no system of safeguards is perfect. So, as an organization works to prevent an attack, it also must plan to respond should one be successful.

I also want to note that the title of this blog isn’t just clickbait. The opening message of the report references the 1983 movie WarGames and identifies parallels with modern-day real life, including that “teenagers are compromising well-defended organizations using a creative application of many techniques.”

– Meredith Ervine

August 17, 2023

The Other Tesla Compensation Litigation

Over on The Advisors’ Blog on CompensationStandards.com, I recently blogged about a settlement agreement in a compensation-related derivative suit that really is one for the books. The litigation challenged the reasonableness of Tesla’s director compensation, and the settlement includes the clawback & forfeiture of compensation valued at $735 million. The blog post describes the mechanics of the clawback terms and discusses what this means for the director defendants.

In a follow-up blog, Liz gave more detail on the “corporate governance reforms” also contemplated by the settlement, including a “director say-on-pay” vote, which — although not a widespread practice — Liz explains, isn’t necessarily a new thing.

– Meredith Ervine

August 16, 2023

Non-GAAP Comment Letter Survey: SEC Focuses on CDI Updates

During our recent “Non-GAAP Developments: Enhancing Your Policies and Procedures” webcast, our panelists reinforced one of the themes Dave wrote about in the March-April issue of The Corporate Counsel newsletter:

We often compare the Staff’s approach to non-GAAP financial measures to a swinging pendulum — over the years there have been times when the Staff is more accommodating to companies when they present non-GAAP financial measures in their SEC filings and other communications, but then there are times when the Staff expresses significant concern with the presentation of non-GAAP financial measures through the comment process, enforcement actions and Staff guidance. Today, the pendulum has definitely swung toward the latter end of that spectrum, with a fresh round of more rigid interpretive updates and a new enforcement action being brought against a company for misleading non-GAAP financial measures and inadequate disclosure controls.

Our panelists also shared what the Staff hopes companies will do following new or updated guidance — that is, read it and take a fresh look at their disclosures to make any necessary tweaks. With that in mind, the Staff may provide a window for companies to self-correct following new guidance and then issue comment letters with clean-up comments. Since we’re over six months from the December 2022 CDI updates, this MyLogIQ survey of non-GAAP comment letters from January 2022 to May 2023 caught my eye. The survey focused on topics that were both frequently the subject of a comment letter and addressed in the CDI updates and found that:

– Equal or greater prominence was the top non-GAAP issue triggering a comment letter
– The top three comment letter issues were all addressed in the December 2022 CDI updates — the next two being recurring expenses and individually tailored measures

The survey also provides examples of comments on each topic addressed in the updated CDIs. In multiple sample questions on recurring expenses, the SEC took issue with “pre-opening costs.” Here’s one of the sample comments:

We note the following in regards to your presentation and reconciliation of your Non-GAAP measures adjusted EBITDA and adjusted net income: Your reconciliation excludes “Pre-opening costs” which appears to be a normal, recurring cash operating expense. Please tell us your consideration of Question 100.01 of the staff’s Compliance and Disclosure Interpretation on Non-GAAP Financial Measures, or revise accordingly.

– Meredith Ervine

August 16, 2023

More On Earnings Calls: Post-Mortem Steps to Prepare for Next Quarter

Liz got me thinking about earnings calls with her blog last week on how the Corp Fin Staff uses earnings call transcripts in the disclosure review process. This recent Q4 blog recommends earnings call post-mortems and preparations for the subsequent quarter. With so much attention focused on earnings calls — not just from investors but from regulators — it may make sense to integrate some of these steps into your quarterly process, and they’re a “must” for executives who are new participants on earnings calls:

Following an earnings call, you must assess the performance of your senior leadership team. To do this, review the webcast or call recording, identifying any challenging questions or topics. Encourage each team member to share their thoughts on their performance and areas for improvement. By gathering their valuable insights, you can pinpoint where the team can grow and enhance its effectiveness.

To prepare your team for future earnings events, develop a plan focusing on their needs. This plan may include additional training sessions to address knowledge gaps, Q&A exercises to build confidence, or providing more detailed briefing materials. Additionally, consider seeking support from investor relations consultants or communications experts who can help fine-tune your team’s messaging and presentation skills.

You’ll cultivate a strong and confident group of leaders by consistently evaluating your senior leadership team’s preparedness and taking steps to improve their performance. With this foundation, your team will be well-equipped to tackle the demands and challenges of post-earnings events, approaching them with poise and expertise that will impress shareholders and analysts alike.

Liz’s blog also mentioned showing your “value-add” in the earnings release process. If you’re outside counsel, you can still take the opportunity post-earnings to improve your value-add in future quarters by listening to the Q&A and brushing up on how the company, analysts and investors view the company’s business and financial results. And better yet, referring back to the transcript when reviewing the next quarter’s 10-Q, earnings release and call script can help you identify themes and the types of inconsistencies the SEC is looking out for.

– Meredith Ervine

August 16, 2023

The Latest Issue of The Corporate Executive

The latest issue of The Corporate Executive has been sent to the printer. It’s also available online to members of TheCorporateCounsel.net who subscribe to the electronic format – a now very popular and convenient option. Email sales@ccrcorp.com to subscribe to this essential resource! This issue includes:

– NYSE and Nasdaq Finalize Clawback Listing Requirements
– Our Model Clawback Policy
– The DOJ Focuses on Clawbacks

Speaking of clawbacks, don’t forget that we will also have a panel devoted to this topic at our rapidly approaching “Proxy Disclosure & 20th Annual Executive Compensation Conferences” – which will be held virtually September 20th to 22nd. Here’s the full agenda. If you haven’t already registered, sign up today on our membership center or by emailing sales@ccrcorp.com – or by calling 1-800-737-1271.

The practical & insightful guidance that you’ll get at the Conferences will be key to helping you put the finishing touches on your policy, consider implementation mechanics, and prepare for all the issues that proxy season and SEC rulemaking are going to throw our way. What’s more, Conference attendees will have continued access to the video archives & transcripts for a year following the event – so you can continue to refer back to this essential guidance as you navigate year-end and proxy season. CLE credit is also available for the live event as well as the on-demand replays!

– Meredith Ervine

August 15, 2023

Calling a Claim “Without Merit” Can Create a Claim with Merit

I hate to add to the things that keep you up at night, but so it goes. In a recent post on The 10b-5 Daily, Lyle Roberts warned us of the risk inherent in using a common phrase when describing pending legal matters — “without merit.” In City of Fort Lauderdale Police and Firefighters’ Retirement Sys. v. Pegasystems, Inc. (D. Mass. 7/23), Pegasystems used this phrase in its public disclosure to describe a claim that it willfully misappropriated trade secrets. When the company was ultimately required to pay $2 billion in connection with the litigation, the stock price dropped and a shareholder filed a securities class action lawsuit. The district court denied the motion to dismiss as to two of the defendants.

As to the opinion that the trade secrets litigation was “without merit,” the court found that the statement did not “fairly align” with the CEO’s “awareness of, involvement in, and direction of Pega’s espionage campaign.”  Moreover, “a reasonable investor could justifiably have understood [the CEO’s] message that [the] claims were ‘without merit’ as a denial of the facts underlying [the] claims – as opposed to a mere statement that Pega had legal defenses against those claims.”

Over on the D&O Diary, Kevin LaCroix added more color on the case. Here’s an excerpt from his blog regarding disclosure alternatives to saying “without merit” when it may not be appropriate to use that phrase:

This conclusion does not mean, as Judge Young put it, that companies must “confess to wrongdoing.” Companies may, Judge Young said, “legitimately oppose a claim against it.” Companies may state, without being misleading, that they intend to “oppose” the allegations. Companies may also say, for example, that the company believes it has “substantial defenses” against a claim if it reasonably believes that to be true. An issuer may not, Judge Young said, make misleading substantive declarations regarding its beliefs about the merits of the litigation.

– Meredith Ervine

August 15, 2023

Worrying About Antifraud Liability Everywhere

Earlier this year, Tulane law prof Ann Lipton blogged about an SDNY opinion that declined to impose liability for statements by the pre-merger target about the pre-merger target when neither of the plaintiffs purchased shares of the pre-merger target. Ann notes that this decision was the natural result of Menora Mivtachim Insurance Ltd. v. Frutarom Industries Ltd., (2d. Cir.; 9/22), which John blogged about on DealLawyers.com.

In her latest post, Ann addresses a May opinion regarding Section 10(b) claims in In re Mylan NV Sec. Litig., (W.D. Pa. 5/23). Unlike Frutarom and related cases, this decision didn’t involve statements about one company that impacted trading in a different company, but the district court nonetheless held that the statements on the defendant’s general public-facing website were not made “in connection with” the purchase or sale of a security. Ann quotes the decision to show the court’s reasoning:

After careful consideration, the Court concludes that the statements from Mylan’s website are not the type of statements upon which a reasonable investor would rely. To start, the alleged misstatements appeared on Mylan’s general website, not its investor-relations page. While certainly not dispositive, this fact suggests that investors visiting Mylan’s website would view the information contained on the separate investor-relations page to have more value to them, since it was specifically targeted to them. The information on the other pages within Mylan’s website drives this point. These other pages included things like descriptions of products, general statements about safety and quality, and narratives regarding the company’s history.

But this is not how public companies and their securities lawyers operate!  We worry about antifraud liability for general website statements, product launch announcements, and even statements made in a Code of Conduct — and for good reason. More from Ann:

[I]n In re Carter-Wallace Sec. Litig., 150 F.3d 153 (2d Cir. 1998), the Second Circuit held that even product advertisements in medical journals might be relied upon by investors, and since then, courts have generally accepted that all public statements by a company, no matter where they appear, were fair game for fraud on the market cases.

The SEC has specifically warned companies that their general websites might be relied upon by investors as sources of information.  See Commission Guidance on the Use of Company Websites, 73 Fed. Reg. 45862 (Aug. 7, 2008) (“companies should be mindful that they ‘are responsible for the accuracy of their statements that reasonably can be expected to reach investors or the securities markets regardless of the medium through which the statements are made, including the Internet.’ Accordingly, a company should keep in mind the applicability of the antifraud provisions of the federal securities laws, including Exchange Act Section 10(b) and Rule 10b-5, to the content of its Web site.”).

In fact, the “without merit” case I also blogged about today involved actionable statements in a Code of Conduct. Here’s Kevin LaCroix’s reminder:

Securities class action plaintiff’s counsel routinely scour corporate expressions of purpose, of conduct, or of ethics, to try to find statements that are contrary to subsequent corporate conduct, in order to try to support allegations that the statements misled investors. Courts often reject these kinds of allegations on the grounds that the statements are expressions of aspiration rather than concrete commitments of corporate conduct. However, in this case, Judge Young rejected the defendants’ arguments that the Code of Conduct statements were merely aspirational; the statement he found stated with specificity the conduct the company foreswore, while engaging in precisely the foresworn conduct.

So we will keep on keeping on — worrying about antifraud liability everywhere and flagging absolute statements in public policy documents.

– Meredith Ervine

August 15, 2023

GHG Protocol Looks to Revise Scope 2 Guidance

Here’s a blog Lawrence shared last week for our PracticalESG.com subscribers:

After working through input beginning last year from over 1,000 stakeholders, the Greenhouse Gas Protocol has released a summary of feedback that will form the basis of a revision to its Scope 2 methodology. As a quick reminder, Scope 2 applies to indirect emissions from purchased electricity, steam, heat, and cooling using two distinct methods: location-based and market-based reporting.

The major points of feedback from stakeholders – and that any revisions are intended to address – include:

– Modifying the structure of and process to update GHG Protocol standards to consolidate scope 1, scope 2, and scope 3 into a single document to streamline accounting and reporting.
– Creating alignment with voluntary and regulatory climate disclosure programs such as SBTi, the EU CSRD, ISSB and the US SEC’s proposed rule on climate-related disclosures (once issued in final form).
– Reviewing the objectives of scope 2 reporting.
– Updating dual reporting requirements to reflect the usefulness, appropriateness, implementation, and overall results of the dual reporting requirement (location-based and market-based).
– Requiring granular time and location criteria to potentially correlate with actual atmospheric GHG emission reductions.
– Allowing flexibility in time and location criteria to reflect accounting standards and clean energy procurement opportunities that are feasible to implement for organizations of all sizes, sophistication levels, and global regions.
– Calling for a new emission impact-based reporting approach for demonstrating emission reduction effects of buying clean energy.
– Requiring additionality criteria to more clearly align with atmospheric emission reductions.
– Adding clarifications and new guidance such as updated guidance for purchased steam, heat, and cooling; clarifying overlaps between accounting for emissions in scope 2 or scope 3 category 3; and creating guidance for specific use cases like electric vehicle charging, leased assets, and other activities.

The organization invites all interested stakeholders to read the full draft Scope 2 Survey Summary Report. If you or your organization completed the survey and believe that the main feedback in your original response is not accurately reflected in the draft summary report, you are invited to provide feedback on this draft summary here by Friday, September 8th.

For those wondering, these changes don’t directly impact the SEC’s climate proposal. As a reminder, the SEC’s proposed rules were largely based on concepts from the GHG Protocol — including Scopes 1, 2 and 3.  Although the SEC stated that it expected most issuers would use GHG Protocol standards and guidance, the proposed rules didn’t mandate their use for calculating emissions, permitting some flexibility for registrants to adopt new approaches as they may emerge in the future. Also, in a departure from the GHG Protocol, the proposal contemplated different organizational boundaries for GHG emissions so that registrants would use the same scope of entities, operations, assets, and other holdings consistent with the accounting principles applicable to their financial statements.

– Meredith Ervine

August 14, 2023

Cybersecurity: How to Prepare for New Disclosures

As Liz blogged last week, the SEC’s cybersecurity disclosures were published in the Federal Register, confirming that all registrants other than smaller reporting companies must comply with the incident disclosure requirements in Item 1.05 of Form 8-K beginning on December 18, 2023. Companies have been grappling with current reporting of material cybersecurity incidents at least since the SEC’s 2018 interpretive guidance — as Dave noted in his blog drilling down on the 8-K requirements — and have devoted significant time and resources to shoring up disclosure controls and procedures in light of that guidance and related enforcement activity. The SEC has also been quick to remind us that the rule is not intended to dictate how companies manage their cyber defenses.

Nonetheless, companies still need to consider how their processes and procedures for responding to an incident dovetail with the new cybersecurity disclosure rules. In this article, Debevoise addresses key takeaways and action items in anticipation of the effectiveness of the new requirements. With respect to the four business-day obligation to disclose material incidents on Form 8-K, here are suggestions from the alert, which goes into more detail on each item:

– Review the incident response plan and procedures to ensure that the materiality analysis is appropriately sequenced alongside other incident response activities and that materiality determination protocols are well-informed, deliberative and documented.

– Develop a disclosure analysis framework that incorporates both qualitative and quantitative factors, that accounts for the broadened definition for “cybersecurity incident,” and does not disclose information that would impede incident response and remediation.

– Review policies and procedures regarding the triage and escalation of third-party cybersecurity incidents to enable prompt materiality analysis, where appropriate.

– Track any missing required information in the initial Form 8-K filing and establish a cadence to review ongoing material incidents.

The alert also makes preparedness recommendations for the disclosure requirements relating to risk management, strategy and governance.

– Meredith Ervine