In a new whitepaper, “The SEC’s New Cybersecurity Regulations: What Investors and Shareholders Should Know” (available for download), Glass Lewis discusses how shareholders can leverage newly required disclosures to assess the cybersecurity of companies they invest in and use that information in investment and engagement strategies. Noting that many investors don’t have significant expertise in cybersecurity risk, Glass Lewis touts its partnership with Bitsight to provide insight into each company’s level of cyber risk exposure.
As explained in the paper, Bitsight uses cybersecurity data that it collects “continuously and non-intrusively” to create “quantitative, objective ratings and analytics that are similar to credit scores and updated daily.” Here’s how Glass Lewis is already sharing this information with its clients:
Glass Lewis Proxy Papers feature a point in time snapshot of a public company’s cybersecurity performance, pulled directly from the Bitsight platform. The report features the company’s overall Bitsight Security Rating and how the organization benchmarks against its peers, the organization’s performance over the last 12 months, the likelihood of ransomware incidents, the likelihood of data breach incidents, and any publicly disclosed incidents in the last 18 months.
The September-October issue of “The Corporate Counsel” newsletter is in the mail. It’s also available now online to members of TheCorporateCounsel.net who subscribe to the electronic format. This issue includes the following articles:
– Wells Notices: An Overview of the Disclosure Landscape
– Capital Markets Alternatives: PIPEs and Variations on the PIPEs Theme
– The Limits of Exculpation: Personal Liability for Acts Taken on Behalf of a Corporation
If you’re not already a subscriber, you can subscribe online to this essential resource or email sales @ccrcorp.com.
Yesterday, the SEC announced the adoption of final rules amending Regulation 13D-G. Here’s the 295-page adopting release, and here’s the 2-page fact sheet. Per the fact sheet, the amendments primarily:
– Shorten the deadlines for initial and amended Schedule 13D and 13G filings;
– Clarify the Schedule 13D disclosure requirements with respect to derivative securities; and
– Require that Schedule 13D and 13G filings be made using a structured, machine-readable data language.
Here’s more on the new filing deadlines, which differ a bit from the proposed form:
For Schedule 13D, the amendments shorten the initial filing deadline from 10 days to five business days and require that amendments be filed within two business days.
For certain Schedule 13G filers (i.e., qualified institutional investors and exempt investors), the amendments shorten the initial filing deadline from 45 days after the end of a calendar year to 45 days after the end of the calendar quarter in which the investor beneficially owns more than 5 percent of the covered class.
For other Schedule 13G filers (i.e., passive investors), the amendments shorten the initial filing deadline from 10 days to five business days. In addition, for all Schedule 13G filers, the amendments generally require that an amendment be filed 45 days after the calendar quarter in which a material change occurred rather than 45 days after the calendar year in which any change occurred.
Finally, the amendments accelerate the Schedule 13G amendment obligations for qualified institutional investors and passive investors when their beneficial ownership exceeds 10 percent or increases or decreases by 5 percent.
To ease filers’ administrative burdens associated with these shortened deadlines, the amendments extend the filing “cut-off” times in Regulation S-T for Schedules 13D and 13G from 5:30 p.m. to 10:00 p.m. Eastern time.
As usual, the amendments will be effective 90 days after publication in the Federal Register, but reporting persons aren’t required to comply with the structured data requirements until December 18, 2024 (with voluntary compliance permitted beginning December 18, 2023) or the revised 13G deadlines (not 13D deadlines!) until September 30, 2024. As an example, the adopting release states “a Schedule 13G filer will be required to file an amendment within 45 days after September 30, 2024 if, as of end of the day on that date, there were any material changes in the information the filer previously reported on Schedule 13G.” Check out our “Schedules 13D & 13G” Practice Area where we’ll post memos for more info.
If you’re wondering why we didn’t give a heads-up that this was on an upcoming open meeting agenda, that’s because it wasn’t. Here’s a blog from Broc from almost 10 years ago about the SEC’s ability to adopt rules by seriatim.
In addition to the revised filing deadlines, the amendments also revise Schedule 13D to clarify that reporting persons must disclose interests in all derivative securities that use the issuer’s equity security as a reference security (including cash-settled derivative securities) under Item 6, and the release provides guidance on the applicability of existing Rule 13d-3 to cash-settled derivative securities (other than security-based swaps). Consistent with guidance provided in its 2011 release, Beneficial Ownership Reporting Requirements and Security-Based Swaps, the release discusses circumstances when the holder of non-SBS derivative securities settled exclusively in cash may have voting or investment power or otherwise could be deemed to be a beneficial owner.
In lieu of adopting the proposed amendments to Rule 13d-5 that would have tracked the statutory text of Sections 13(d)(3) and (g)(3), the release provides guidance on the formation of a group. The guidance reiterates that Rule 13d-5(b) is not designed to define “group” in a way that would substitute the legal standard in 13(d)(3) and 13(g)(3) and that the existence of a group can be established by activities without an express agreement although there must be “an informal arrangement or coordination in furtherance of a common purpose to acquire, hold, or dispose of securities of an issuer.”
Commentators on the proposed rules expressed concerns about a chilling effect on shareholders’ ability to communicate with each other or a company’s management. Accordingly, the release (see pages 133 to 139) contains guidance in the form of questions and responses on common engagement and communication activities. Here’s an example:
Question: Is a group formed when two or more shareholders communicate with each other regarding an issuer or its securities (including discussions that relate to improvement of the longterm performance of the issuer, changes in issuer practices, submissions or solicitations in support of a non-binding shareholder proposal, a joint engagement strategy (that is not control related), or a “vote no” campaign against individual directors in uncontested elections) without taking any other actions?
Response: No. In our view, a discussion whether held in private, such as a meeting between two parties, or in a public forum, such as a conference that involves an independent and free exchange of ideas and views among shareholders, alone and without more, would not be sufficient to satisfy the “act as a . . . group” standard in Sections 13(d)(3) and 13(g)(3). Sections 13(d)(3) and 13(g)(3) were intended to prevent circumvention of the disclosures required by Schedules 13D and 13G, not to complicate shareholders’ ability to independently and freely express their views and ideas to one another.
The policy objectives ordinarily served by Schedule 13D or Schedule 13G filings would not be advanced by requiring disclosure that reports this or similar types of shareholder communications. Thus, an exchange of views and any other type of dialogue in oral or written form not involving an intent to engage in concerted actions or other agreement with respect to the acquisition, holding, or disposition of securities, standing alone, would not constitute an “act” undertaken for the purpose of “holding” securities of the issuer under Section 13(d)(3) or 13(g)(3).
If you attended our 2023 Practical ESG Conference or our 2023 Proxy Disclosure & 20th Annual Executive Compensation Conferences, you heard about two bills passed by California’s legislature in September that together comprise the state’s “Climate Accountability Package.” Here’s an important update that Lawrence shared yesterday with our Practical ESG blog subscribers:
This past Saturday, California Governor Gavin Newsom signed two sweeping climate disclosure bills into law as had been expected: SB253 – the Climate Corporate Data Accountability Act (see a summary here) and SB261 – Greenhouse gases: climate-related financial risk (see a summary here).
In almost identical letters to the state Senate announcing his action on SB253 and SB261, Newsom indicated that he has two significant concerns with the new law:
“… the implementation deadlines in this bill are likely infeasible, and the reporting protocol specified could result in inconsistent reporting across businesses subject to the measure. [Ed. note: Newsom’s comment about the reporting protocol was omitted in the letter on SB261]
Additionally, I am concerned about the overall financial impact of this bill on businesses, so I am instructing CARB [California Air Resources Board] to closely monitor the cost impact as it implements this new bill and to make recommendations to streamline the program.”
SB253 requires regulations to be developed and implemented by CARB, while SB261 is self-implementing with the first report due January 1, 2026. The concerns expressed by Newsom will likely be part of any legal challenge against the new laws. A lawsuit would also impact potential timing of the requirements as courts stay challenged language in situations like this until the suit(s) is/are resolved. The new laws could have an impact on the SEC’s climate disclosure as SEC Chair Gary Gensler hinted at two weeks ago. It’s going to be interesting to see how all the moving parts play out. We’re definitely tracking this from the legal, accounting, assurance and technical perspectives for you.
In March 2023, in the wake of the US Supreme Court decision in Slack Technologies v. Pirani, the Working Group on Investor Protection in Public Offerings, which includes academics, former SEC officials, and legal scholars, submitted a rulemaking petition urging the SEC to amend Rule 144 given the difficulties plaintiffs face in trying to trace their purchases to a registration statement. The petition notes that direct listings aren’t uniquely creating this issue, citing data showing the increasing frequency of lock-up waivers since 2010 — sometimes, even a few days post-IPO — causing tracing issues in the traditional IPO context as well. Here’s an excerpt regarding the proposed amendments:
Specifically, the Commission should amend Rule 144 such that, upon the effectiveness of a registration statement, holding periods are reset to the later of: (1) 90 days or (2) the next 10-Q or 10-K. Our proposed holding period is approximately half the length of the stated lockup period for most traditional IPOs—but gives ample time in which only registered shares trade, addressing the tracing problems modern offering practices have produced and retaining the deterrence that Congress designed Section 11 to achieve. At the same time, under our proposal issuers have the flexibility to effectively shorten the holding period by releasing post-offering financials.
Late last week, CII submitted a letter to the SEC supporting this rulemaking petition, and, while it doesn’t recommend a specific period, states the petition’s suggestion is a “useful starting point” for discussion. The working group argues that the proposed 90-day period balances the liquidity interests of early investors with the interests of public shareholders to maintain Section 11 protections.
In July, Dave blogged about the rise in the number of deficiencies identified in audits during PCAOB inspections in 2021 and 2022. He noted that PCAOB Chair Erica Williams released a statement on the Staff report calling the deficiency rate “unacceptable.” In a speech late last week at the PCAOB Conference on Auditing and Capital Markets, Chair Williams again called out these alarming trends in deficiencies:
This means audit opinions were signed without completing the audit work required to verify the accuracy of the financial statements. That is a serious problem at any rate, and 40% is completely unacceptable. I have challenged auditors to sharpen their focus and called on audit committees to hold their firms accountable. Of course, as our third pillar of strengthening enforcement suggests, the PCAOB has not hesitated to bring enforcement cases against auditors when appropriate.
In addition to discussing enforcement, she highlighted the PCAOB’s efforts to improve the transparency of inspection results:
In May, we announced enhancements to make our inspection reports more transparent with a new section on auditor independence and a range of other improvements to make more relevant, reliable, and useful information available for investors, researchers, and others.
In July, we rolled out new features on our website to help users compare inspection report data.
This was just the beginning of our work to increase transparency and make PCAOB data more accessible.
Transparency is one of the most powerful tools the PCAOB has to improve audit quality. Sharing our inspection results empowers audit committees and boards of directors – which are responsible for hiring auditors of public companies – to hold audit firms accountable directly.
So audit committees will soon have more information on their independent auditor’s performance. Dave’s blog noted questions audit committees should consider asking their independent auditors regarding inspection results, including whether the engagement partner has been inspected and what the firm is doing to address the increasing number of deficiencies.
Check out John’s latest “Timely Takes” Podcast featuring Orrick’s J.T. Ho. John and J.T. address these complex topics in 13 minutes:
– The EU’s Corporate Reporting Sustainability Directive
– Corp Fin’s New 10b5-1 and Buybacks CDIs
– Changes to Nasdaq’s listing rules on code of conduct waivers
– Claims that litigation is “without merit” can come back to bite you
– The SEC’s recent Form 12b-25 enforcement actions
As always, if you have insights on a securities law, capital markets or corporate governance issue, trend or development that you’d like to share in a podcast, we’d love to hear from you. You can email us at mervine@ccrcorp.com or john@thecorporatecounsel.net.
With all the new rules and their associated compliance & effective dates, it is getting difficult to keep track of what will need to change in your next Form 10-K. This memo from Bryan Cave Leighton Paisner is a helpful resource for doing that, with summaries for each of these new 10-K/proxy statement disclosures:
1. Annual cybersecurity disclosures
2. 10b5-1 plan quarterly disclosures
3. Clawback policy and disclosures
4. Share repurchase disclosures
The memo also runs through other “hot topics” that may warrant extra attention as you prepare your reports. And, it looks ahead to additional items that will be required in 2025! Also check out Meredith’s blog from earlier this week on our Proxy Season Blog about potential D&O questionnaire updates (visit our “D&O Questionnaire” Practice Area for our handbook, memos, and samples).
Earlier this week, I jokingly referenced the Commission’s “customary year-end enforcement spree” – a reliable addition to the government’s bottom line. On the final business day this year, the SEC raked in $218 million in fines!
New research in the Journal of Accounting & Economics looks at 20 years of data to figure out whether the “September Spike” is really a thing – and if so, whether it can be explained away by market or other factors. Here’s an excerpt about the case volume at the SEC’s FYE:
We find that the average number of cases (of any category) filed in September is almost double the average in other months, and that the median percentage of total annual cases filed in September is 16%. We refer to higher case volume in September relative to other months as the “September spike” and document variation in the size of this spike across time.
Our results are consistent with trends described in the financial press and examined by legal scholars. The Wall Street Journal, for example, reported an uptick in case volume in September 2013 (Eaglesham, 2013b), and subsequent legal research has shown similar upticks over longer sample periods (Velikonja, 2017; Choi, 2020). We extend the descriptive and graphical evidence in these articles by showing that the September spike is robust to controlling for various factors that may influence case volume, such as trailing securities class actions, SEC investigations, and other market factors.
The researchers found that the spike is larger when case totals are lagging the prior year, and smaller when the Chair is in their first year in office. It’s also larger when the SEC’s spending exceeds its budget authority and when the Enforcement Division has more resources. Does it matter? The authors suggest that in “high-spike” years, the resolutions of complex and possibly egregious cases are getting kicked down the road:
Regarding case selection, we create measures of case complexity and find that SEC staff prioritize less complex cases at fiscal year-end. Specifically, the standalone cases filed in September are significantly more likely to reference defendant cooperation and to only name companies as defendants, and are less likely to include a fraud allegation and to reference parallel criminal proceedings. For instance, September cases are approximately 11% less likely to include fraud allegations than cases filed in other months.
The annual year-end pressure might also give companies more leverage for settlements:
We find that defendants receive lower financial sanctions—both disgorgement and civil penalties—when they settle in September. On average, our results suggest the SEC discounts financial sanctions for cases filed as settled charges in September by approximately $132,000—an economically meaningful discount, given that the average financial sanction is $270,000. We also find an 11% lower likelihood of a large financial sanction in September.
As far as whether companies need to be on their best behavior in September, a graph on pg. 45 shows that the number of investigations remains steady year-round. Fiscal year end is just a good time to negotiate a settlement.