Yesterday, the SEC announced that it has officially filed charges against SolarWinds – as well as its Chief Information Security Officer – in connection with the Enforcement Division’s long-running investigation of the cyberattack that came to light in December 2020 and was followed by a 35% drop in the company’s stock price. John flagged the “Wells Notice” a few months ago, noting that it was unusual (at least until now) for a CISO to be caught in the SEC’s crosshairs.
The 68-page complaint takes issue with alleged “hypothetical risk factors” and other perceived disclosure shortcomings – not just in SEC filings, but also on the company’s website. Here are a few of the claims that the SEC is making:
– In October 2018, the same month that SolarWinds conducted its Initial Public Offering through a registration statement with only generic and hypothetical cybersecurity risk disclosures, Brown wrote in an internal presentation that SolarWinds’ “current state of security leaves us in a very vulnerable state for our critical assets.”
– SolarWinds and/or Brown made materially false and misleading statements and omissions related to SolarWinds’ cybersecurity risks and practices in at least three types of public disclosures:
(a) Statements that purported to describe the Company’s cybersecurity practices and policies, including a “Security Statement” posted to the Company’s website throughout the Relevant Period;
(b) Form S-1 and S-8 Registration Statements and periodic reports filed with the SEC throughout the Relevant Period; and
(c) A Form 8-K filed with the SEC on December 14, 2020 regarding the massive SUNBURST cybersecurity incident that impacted SolarWinds’ Orion software platform.
– The Security Statement was materially misleading because it touted the Company’s supposedly strong cybersecurity practices.
– SolarWinds’ SEC filings similarly concealed the Company’s poor cybersecurity practices. They contained general, high-level risk disclosures that lumped cyberattacks in a list of risks alongside “natural disasters, fire, power loss, telecommunication failures…[and] employee theft or misuse.” The cybersecurity risk disclosure was generic and hypothetical, allowing for negative consequences “[i]f we sustain system failures, cyberattacks against our systems or against our products, or other data security incidents or breaches.”
This disclosure failed to address known risks. For example, it warned of an inability to defend against “unanticipate[d]… techniques” but failed to disclose that SolarWinds had already determined that it was not taking adequate steps to protect against anticipated and known risks, including failing to follow the steps outlined in the Security Statement. These general warnings were then repeated verbatim in each relevant filing, despite both the ongoing problems and the increasing red flags in 2020 that SolarWinds was not only being specifically targeted for a cyberattack, but that the attackers had already gotten in.
The complaint – which seeks permanent injunctions, disgorgement, a D&O bar, and civil penalties – lists internal communications and documents that the SEC says reflected known vulnerabilities that were not properly disclosed. According to the SEC, the defendants knew that the undisclosed information would be material to investors. The SEC also makes sure to note:
To be clear, SolarWinds’ poor controls, Defendants’ false and misleading statements and omissions, and the other misconduct described in this Complaint, would have violated the federal securities laws even if SolarWinds had not experienced a major, targeted cybersecurity attack. But those violations became painfully clear when SolarWinds experienced precisely such an attack.
The lengthy complaint is full of interesting tidbits that I’m sure will be unpacked and analyzed over the coming months. It implies the SEC found it important that the CISO was an officer at the time of these events and signed sub-certifications attesting to the adequacy of the company’s cybersecurity internal controls. And in a parallel to the new Dodd-Frank clawback rules, the SEC didn’t like that he exercised options and sold SolarWinds stock during the time leading up to the announcement of the incident – “when SolarWinds’ stock price was inflated by the misstatements, omissions, and schemes discussed in this Complaint.”
That said, much of the 68-page complaint boils down to the basic notion that your disclosures can’t be materially misleading. For example, don’t say that you measured compliance with the NIST Framework but leave out that you don’t meet most of the Framework’s controls. And while the SolarWinds incident was unique in many ways, the alleged missteps also give the Enforcement Division a convenient opportunity to send a high-profile signal on disclosure controls – which have been the linchpin of a string of actions this year. The complaint also takes issue with internal controls over financial reporting, which SEC Chief Accountant Paul Munter warned companies about in August.
So, as Dave reminded us just last week, it’s as important as ever to “tune up” your cyber risk factors and take a close look at your policies & controls. We’ll be posting the inevitable flood of memos in our “Cybersecurity” Practice Area, but for now I leave you with these parting words from Enforcement Director Gurbir Grewal:
Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.
With the compliance date kicking in December 18th for the SEC’s new line-item requirement to report material cyber incidents on Form 8-K within four business days of determining that an incident is material, it’s worth noting that the complaint that the SEC brought yesterday against SolarWinds and its CISO doesn’t award kudos to the defendants for their eventual decision to report the cyberattack on a Form 8-K. Instead, it doubles down on allegations that those disclosures were misleading:
On December 14, 2020, SolarWinds filed a Form 8-K with the SEC disclosing that its Orion network monitoring software contained malicious code that had been inserted by threat actors as part of a supply-chain attack. The Form 8-K was drafted by a group of executives, including Brown, and signed by SolarWinds’ CEO. That Form 8-K was materially misleading in several respects, including its failure to disclose that the vulnerability at issue had been actively exploited against SolarWinds’ customers multiple times over at least a six-month period in the incidents involving U.S. Government Agency A, Cybersecurity Firm B, and Cybersecurity Firm C.
Form 8-K disclosure may be the last thing on everyone’s mind when a cyberattack is discovered, which is why you need to integrate this step into your incident response plan on a clear day. The good news (or the bad news, depending on your perspective) is that since the time of the SolarWinds announcement in 2020, we’ve all had a lot more experience with cyber incidents, and companies have become more sophisticated with their Form 8-K disclosures, even in advance of the new requirement. Here are a couple of examples. This Cybersecurity Dive article says that the same bad actors might be behind both of these attacks, and that they’re still at large.
John & I blogged earlier this year about the very difficult task of delivering bad news during earnings season. So, this is unfortunate to see:
“Our early read on the third quarter earnings season suggests one of the most challenging reporting periods – across sectors – in recent history.”
That’s from a recent Riveron blog. And while it’s not a very bold prediction given where many companies are finding their stock price, it’s a good reminder that regardless of whether your company gives formal guidance, your friends in Finance & IR may be looking for ways to get creative with Q3 earnings releases – and they also may be faced with extra Q&A during this quarter’s earnings call. Here are a few of the blog’s suggestions:
1. Reinforce the longer-term value of the company
2. Convince the Street that short-term dynamics are ringfenced
3. Focus on 2024 value drivers, including those that investors may be overlooking
The Riveron team gives more color on each of these tips, which are definitely the types of messages I would want to be able to deliver if I were an executive trying to reassure my investors. But wearing my “securities lawyer” hat, some of the suggestions made my heart race – for example:
– Discuss sales meetings on the calendar and new partnership discussions in the works, and
– Convey the company’s ability to control the impact of short-term dynamics like inflation and global supply chain disruptions
While it is good to reassure investors that the company has a handle on things, there are many factors beyond the control of boards & executives, and you have to be careful to not be misleading. Plus, plaintiffs’ firms live for these kinds of assurances. So, if you find these types of predictions in your company’s earnings release, I offer these general tips:
– Make your best effort to frame predictions as expectations rather than guarantees.
– Be very clear that the company is speaking only as of the current date.
– Include appropriately tailored cautionary statements – with specific reference to any assumptions on which predictions are based.
– To the extent you’re able, ask questions to confirm that the company does indeed have backup & controls to support its statements. It may be misleading to share only positive aspects of certain topics without also disclosing downsides.
– Consider whether the statements set an aggressive precedent for investor disclosure expectations.
– Confirm that the disclosures align with the company’s other public statements.
Keep in mind that you’ll need to balance all that with making the safe harbor disclaimer as short as possible in the earnings call script – because as Adam Epstein points out, your CEO doesn’t want investors to run for the hills. The Riveron team also suggests taking this opportunity to introduce key operational leaders who are expected to contribute to the business in 2024, and notes that companies should set the stage without overcommitting to a specific timeframe. They make this good point that we can all get behind:
Companies that lead with a clear, compelling, and convincing story of strengthening in the months and years to come do not need to sell the exact timing of these improvements. Rather, it’s more important (and credible) to present a narrative that illustrates how all the elements are in place for a successful 2024.
Visit our “Earnings Guidance” Practice Area for checklists & other practical resources that are intended to help you as questions arise.
It feels like four years ago that we narrowly avoided a government shutdown, but it’s actually only been four weeks – and it’s likely that our politicians will once again negotiate down to the wire when they revisit whether our government can continue operating past November 17th. Like most things in Washington, this isn’t just a “yes/no” decision. That means that when the SEC (eventually) gets funded, “Congress gonna Congress” when it comes to what exactly the Commission can do with the money.
We’ve blogged repeatedly over the past many years about appropriation bills that would tack on a restriction to the SEC’s ability to issue rules on “political spending” (or in some cases, that would remove the roadblock to rulemaking on that topic). Here’s the typical provision:
None of the funds made available by this Act shall be used by the Securities and Exchange Commission to finalize, issue, or implement any rule, regulation, or order regarding the disclosure of political contributions, contributions to tax exempt organizations, or dues paid to trade associations.
So, here we are again. Even though no “political spending” disclosure rules are contemplated by the hard-driving Reg Flex Agenda that represents Chair Gensler’s priorities, the risk of regulation persists, and appropriations bills that address this topic are making their way through the House & Senate in the form of H.R. 4664 and S. 2309. In addition, two other bills that have been introduced in the House – H.R. 4472 and H.R. 4563 – aim to codify this restriction so that it’s not dependent on the annual appropriations dance. Here’s an excerpt from that last one:
(a) Findings. — Congress finds the following:
(1) From 2010 through 2013, the Internal Revenue Service targeted conservative organizations seeking tax-exempt status. The result of this targeting was obvious—to discourage conservative organizations and individuals associated with them from engaging in the 2012 presidential election after an incredibly successful 2010 midterm election.
(2) In response to this treatment, a large number of conservative organizations sued the Internal Revenue Service. In 2017, a settlement was reached and the Internal Revenue Service was required to issue an apology for its actions.
(3) Congress quickly recognized that the Internal Revenue Service was not the only government agency that could question or threaten the tax-exempt status of disfavored political groups. The Securities and Exchange Commission, an independent government agency, also enjoys some regulatory power in this area.
(4) Beginning in 2015, Congress has included in every appropriations bill that has funded the Securities and Exchange Commission, an appropriations rider prohibiting the agency from using any of the funds made available to “finalize, issue, or implement any rule, regulation, or order regarding the disclosure of political contributions, contributions to tax exempt organizations, or dues paid to trade associations.” See Consolidated Appropriations Act, 2016, H.R. 2029, 114th Cong. § 1 (2015); Consolidated Appropriations Act, 2017, H.R. 244, 115th Cong. § 1 (2017); Consolidated Appropriations Act, 2018, H.R. 1625, 115th Cong. § 2 (2018); Consolidated Appropriations Act, 2019, H.J. Res. 31, 116th Cong. § 1 (2019); Consolidated Appropriations Act, 2020, H.R. 1158, 116th Cong. § 1 (2019); Consolidated Appropriations Act, 2021, H.R. 133, 116th Cong. § 2 (2020); Consolidated Appropriations Act 2022, H.R. 2471, 117th Cong. § 2 (2022); Consolidated Appropriations Act 2023, H.R. 2617, 117th Cong. § 2 (2022).
(5) This prohibition is too important to be subject to yearly renewal. Instead, it must be enacted into permanent law so political organizations of both political parties can rest assured the Securities and Exchange Commission will not target them.
(b) Prohibition. – The Securities and Exchange Commission may not finalize, issue, or implement any rule, regulation, or order regarding the disclosure of political contributions, contributions to tax exempt organizations, or dues paid to trade associations.
I’m not advocating for another disclosure rule, but I have always thought it was a stretch to compare the IRS settlement – which related to allegations that the agency was being extra strict in granting tax exempt status to conservative organizations – to the SEC’s consideration of a rule that would require companies to disclose the use of corporate resources for political activities. In any event, while our politicians have been arguing about it for the past decade, investors & companies have moved on with private ordering.
A new dimension of “political spending” scrutiny that has emerged in the last few years from shareholders and employees is “values alignment.” I blogged earlier this year on our “Proxy Season Blog” about how to respond to shareholder proposals on this topic.
In a sign that companies will continue to face these proposals in 2024, the Interfaith Center on Corporate Responsibility sent letters in late summer to the CEO members of the Business Roundtable that call for values alignment for political contributions, along with improved board oversight and public disclosure. Here’s an excerpt:
We believe that BRT companies would benefit from a thoughtful assessment of their political spending and lobbying. We recommend two resources to help guide company policy development and decision-making toward more responsible political engagement.
I. Erb Principles for Corporate Political Responsibility
The first key resource is the Erb Principles for Corporate Political Responsibility, released in March after a lengthy, deliberative stakeholder process by the Erb Institute of the University of Michigan. Developed as a complement to the BRT’s statement on the Purpose of the Corporation and the BRT’s actions to support the peaceful transfer of power in 2021, the Erb Principles propose a practical, non-partisan, and comprehensive definition of corporate political responsibility (CPR) as a first step in establishing CPR as a new norm that will reduce business risk, strengthen civic trust and foster collaborative problem-solving.
The Erb Principles do this by helping companies better align their political influences — including any political spending — with their values, purpose, commitments, and larger responsibilities to a healthy economy, civic institutions, and informed civic discourse. The Principles were designed to provide U.S. companies with a non-partisan, principled thought process for responsible engagement, without prescribing positions on specific issues.
Next week is Election Week. Maybe you have some important local items on your ballot this year, but in my neck of the woods, most people are already bracing themselves for the polarized U.S. Presidential election cycle that will soon be in full swing. That means that corporate “political spending” activities (which are broadly defined!) will continue to attract scrutiny. A recent scandal shows that misplaced contributions can create financial & reputational risks for companies.
In that vein, The Center for Political Accountability recently published this 10-page guide to corporate political spending. The guide suggests solutions to 5 common challenges that arise from contributions to political candidates, trade associations, and other third-party groups. This HLS blog summarizes the key elements:
– Recognize the heightened risks that a company faces from contributions to third-party groups, specifically 501(c)(4) organizations engaged in political spending, trade associations, super PACs and 527 committees. The company needs to know where its money ultimately ends up, what causes and candidates it advances and what risks it is assuming.
– Understand that public companies can no longer publicly claim to support some aspects of a candidate’s platform while disavowing others. The challenge facing a company is that when it supports a candidate, all of the candidate’s actions and positions will be associated with the company.
– Align the company’s political spending with its core values, policies and positions.
– Avoid siloed decision-making. Political spending should fairly reflect the views and interests of the company’s various stakeholders. Companies benefit from active and dynamic engagement among public affairs, government relations and other internal actors responsible for promoting the company’s values, policies and positions and those making political spending decisions.
– Direct corporate contributions to politicians who refrain from punitively targeting companies for their policy decisions, personnel practices, public statements, or other values important to the company’s success and integrity.
– Protect the democratic institutions and rule of law that companies depend upon to operate, compete, and thrive.
I expect that this year’s CPA-Zicklin Index, which rates companies annually on the transparency of their corporate political spending, will be published any day. Last year, the Index expanded to cover Russell 1000 companies.
Check out our “Political Contributions” Practice Area for more benchmarking & practical checklists. We also covered this topic at our recent “Proxy Disclosure Conference” – you can still get access to the video archives & transcripts by emailing sales@ccrcorp.com. The program is also eligible for on-demand CLE credit!
As I noted in the blog earlier this week, yesterday SEC Chair Gary Gensler participated in a program organized by the U.S. Chamber of Commerce’s Center for Capital Markets Competitiveness titled Climate Disclosure Developments: The SEC, California, and EU Extraterritoriality (here’s the replay). David Hamm from Summit Materials noted the following interesting takeaways from Chair Gensler’s remarks:
– Chair Gensler did not provide any guidance on the expected timing of the rule. I knew that would be too good to be true, but I joined the event hoping against hope for some incremental guidance. He referenced the staff going through 16,000 comment letters, so I suppose that was a soft signal to not look for anything in the very near term.
– Chair Gensler didn’t seem to be very concerned with the developments in California (because of NSMIA) or Europe (because of the different remit of the SEC with the European regulators). The repeated theme was the limited remit of the SEC related to investors making investment decisions related to the 6,000-7,000 public registrants. This was an understandable approach, but I was expecting a bit more of a discussion of the interplay of the different regimes.
– Chair Gensler’s most interesting statement to me was: “If we are able to finalize it [referring to the climate rule], it would be good to sustain it in the courts.” Given the audience (some had talked about this event as the Chair going into the lions’ den and there were some good spirited jokes about whether the US Chamber had filed a suit yet), this was clearly an appeal to think about the value to the US Chamber’s members to having a rule that they could point to in order to alleviate compliance with other regimes under a theory of substituted compliance (not equivalency given the different remits).
With the October timeframe for SEC action on climate disclosure now moving into the rearview mirror, we enter a new phase of anticipation (and dread) about the SEC’s climate disclosure rules. I would not expect to see the SEC’s Fall Reg Flex Agenda published until the end of December or the beginning of January, when we would next get a glimpse into the SEC’s anticipated timing on the climate disclosure rules and other rulemaking initiatives. Until then, we will basically be in “any day now” mode.
In the meantime, the pressure from Congress on climate disclosure is not abating. Earlier this month, 26 members of the House of Representatives representing constituents in California sent a letter to Chair Gensler strongly urging the SEC to include robust greenhouse gas emissions disclosure requirements in its final climate disclosure rulemaking, particularly in light of California’s anticipated Scope 3 disclosure requirements.
Chair Gensler had an active calendar this week, also speaking on Wednesday at Securities Docket’s 2023 Securities Enforcement Forum in Washington DC. In his speech, Chair Gensler quoted some of the “founding fathers” of the SEC – Joseph Kennedy, William O. Douglas and Felix Frankfurter – to describe the SEC’s enforcement focus, and then highlighted the key areas where the SEC has brought enforcement actions this year.
In introducing the inevitable discussion of digital assets, Gensler quoted Supreme Court Justice Thurgood Marshall, who in the Reves decision wrote: “Congress’ purpose in enacting the securities laws was to regulate investments, in whatever form they are made and by whatever name they are called.” Chair Gensler noted:
In most cases, that’s the economic reality at hand. As the Supreme Court said in the famous Howey decision: An investment contract exists when there is the investment of money in a common enterprise with a reasonable expectation of profits to be derived from the efforts of others.
As I’ve previously said, without prejudging any one asset, the vast majority of crypto assets likely meet the investment contract test, making them subject to the securities laws.
Further, it follows that most crypto intermediaries—transacting in these crypto asset securities—are subject to the securities laws as well.
With wide-ranging noncompliance, frankly, it’s not surprising that we’ve seen many problems in these markets. We’ve seen this story before. It’s reminiscent of what we had in the 1920s before the federal securities laws were put in place. This is a field rife with fraud, scams, bankruptcies, and money laundering. While many entities in this space claim they operate beyond the reach of regulations issued before Satoshi Nakamoto’s famous white paper, they also are quick to seek the protections of the law, in bankruptcy court and litigating their private disputes.
We have brought numerous enforcement actions against actors in this space—some settled, and some in litigation.
Chair Gensler went on to highlight the themes of accountability for firms and individuals, high impact cases, the importance of process and holding accountable those in a position of trust.
With Halloween just around the corner, you know that the 12-foot Giant-Sized Home Depot Skeleton will be soon replaced by Christmas decorations, and that could only mean one thing: the December 1 deadline for listed companies to adopt their exchange-compliant clawback policies is fast approaching.
To catch up on the latest thinking on implementing clawback policies, be sure to mark your calendars for our upcoming webcast “More on Clawbacks: Action Items and Implementation Considerations” which is coming up Thursday, November 16, 2023 from 2:00 – 3:00 pm, eastern time. If you are a last-minute shopper and are similarly putting off the drafting and adoption of your clawback policy until November, be sure to check out all of the resources that we have assembled in our “Clawbacks” Practice Area on CompensationStandards.com. Also, be sure to check out our coverage of clawback policies in the September-October 2022 issue of The Corporate Executive and the May-June 2023 issue of The Corporate Executive, which includes our annotated model clawback policy. If for some reason you do not have access to these resources, email sales@ccrcorp.com or visit the online membership portal today.
Earlier this week at the New York City Bar’s Compliance Institute, SEC Enforcement Director Gurbir Grewal outlined the rare circumstances in which the SEC may bring enforcement action individually against compliance professionals. Grewal noted that these circumstances include when the individual affirmatively participates in misconduct unrelated to compliance, when an individual misleads regulators or when there has been a wholesale failure in carrying out compliance responsibilities. Grewal further stated “We don’t second guess good faith judgments of compliance personnel — good faith judgments that are made after reasonable inquiry and reasonable analysis.” In the speech, Grewal noted:
But it is clear that we cannot reverse those trends and enhance Americans’ trust in our financial institutions through our efforts alone. We need your help to do so. We need to work together to create what I call a culture of proactive compliance.
In many ways, it’s each of you – the compliance professionals, consultants, attorneys, accountants, and others in this space – that serve as the first lines of defense against misconduct.
You are the ones that can work with firms to implement effective policies and procedures to ensure that those firms comply with their legal obligations on the front end, so that, instead of reading about compliance failures, the public understands that organizations like yours are proactively doing what they can to be compliant.
This is by no means easy work. Creating a culture of proactive compliance requires three things: education, engagement, and execution.
Grewal outlined actions necessary for proactive compliance and the need to execute based on meaningful policies and procedures.