On April 4, 2024, the Cybersecurity and Infrastructure Security Agency (“CISA”) issued a proposed rule to implement the reporting requirements imposed by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). The proposed rule would impose cyber incident & ransom payment reporting obligations on “covered entities”, and this Venable memo says it casts a very wide net:
The regulation would encompass a wide range of “covered entities” in critical infrastructure sectors. Importantly, CISA makes clear that “covered entities” would be broader than owners and operators of critical infrastructure systems and assets. Instead, entities that are active participants in critical infrastructure sectors may be considered “in the sector,” even if the entity itself is not critical infrastructure. [Sec. IV.B.i] CISA welcomes your organization’s outreach if you are unsure whether you are part of a critical infrastructure sector. [Sec. IV.B.ii]
To establish what qualifies as “critical infrastructure sectors,” CIRCIA draws from Presidential Policy Directive 21 (PPD-21). [Sec. IV.B.i] PPD-21 enumerates 16 sectors, encompassing services across large swathes of the economy. The critical infrastructure sectors are 1) Chemical, 2) Commercial facilities, 3) Communications, 4) Critical manufacturing, 5) Dams, 6) Defense industrial base, 7) Emergency services, 8) Energy, 9) Financial services, 10) Food and agriculture, 11) Government facilities, 12) Healthcare and public health, 13) Information technology, 14) Nuclear reactors, materials, and waste, 15) Transportation systems, and 16) Water and wastewater systems.
Umm, that’s a whole lot of sectors! CISA’s definition of “critical infrastructure sectors” kind of reminds me of James Joyce’s famous definition of the Catholic Church – “here comes everybody.” Anyway, the memo says that the comment period will expire on June 3, 2024 and CISA expects to have a final rule in place in early 2026.
Former Delaware Chancellor & Chief Justice Leo Strine has authored a forthcoming law review article addressing the importance of good board minutes and offering up some advice on good minuting and documentation practices. Here’s the abstract:
In this article, which was originally the basis for the 21st Annual Albert A. DeStefano Lecture on Corporate, Securities & Financial Law on February 27, 2024, at Fordham University School of Law, the importance of good corporate minuting and board documentation practices is addressed. Using lessons from Delaware cases where the quality of these practices has determined the outcome of motions and cases, the article identifies effective and efficient practices to better address this decidedly not sexy, but unquestionably essential, corporate governance task. The recent Delaware cases underscore the importance of quality and timely documentation of board decision-making, the material benefits of doing things right, and the considerable downside of sloppy, tardy practices.
The article’s less than 40 pages long (double spaced) and is written in Strine’s always engaging conversational style. In short, if you’re involved in preparing or reviewing board minutes, it’s definitely worth your time.
The SEC’s order staying its climate disclosure rules pending the resolution of challenges currently pending in the 8th Circuit has some companies questioning whether they can take a “pencils down” approach to their compliance efforts. This recent Ropes & Gray memo weighs in with some thoughts on this topic:
It’s likely pencils down for now on compliance with the SEC climate rules. It’s hard to envision many registrants devoting time and resources to preparing for compliance with rules that have been stayed.
The case is likely to go on for some time. The litigation concerning the SEC’s conflict minerals rule went on for more than four years (see our earlier post here). The climate rules stay order cites two other rules stayed by the SEC pending judicial review in similar circumstances: a rule establishing a transaction fee pilot in NMS stocks and proxy access rules. It took approximately a year for the appellate court decision on the proxy access rules. In the transaction fee pilot case, the court took slightly under a year-and-a-half. The current stay order contemplates that the challenges to the climate rules may extend beyond 2025.
If the SEC prevails in the litigation, we expect it will push back at least some of the disclosure requirements. Large accelerated filers will not be in a position to make their first disclosures for 2025 (due in 2026) if they do not begin their supporting work well in advance. It seems unreasonable for the SEC to expect registrants to move forward with their compliance preparation while the stay is in effect.
These are all valid points, but for many companies a “go slower” approach may be preferable to a “pencils down” alternative. For now, the SEC hasn’t said anything about pushing back compliance dates, and the panelists in our recent webcast on the rules made it clear that building the climate disclosure infrastructure necessary to comply with them is going to be a heavy lift. Furthermore, even if the SEC ultimately decides to extend the compliance dates, it’s unclear how long they’ll give companies to get their acts together.
Also, keep in mind that the compliance dates vary depending on filer status and the provisions of the rules in question, and there’s no telling whether later compliance dates would also be pushed out as part of any extension. Finally, even if you’re betting on the rules being thrown out, the SEC isn’t the only game in town. For many companies, building out their climate disclosure infrastructure will be necessary to comply with the EU’s CSRD or with California’s climate disclosure laws (assuming they survive their own legal challenges).
The 8th Circuit isn’t the only front in the battle over the SEC’s climate disclosure rules. The House Financial Services Committee is holding a hearing this morning titled “Beyond Scope: How the SEC’s Climate Rule Threatens American Markets.” Here’s the Committee Memorandum on the hearing & here’s the witness lineup:
Mr. Elad Roisman, Partner, Cravath, Swaine & Moore LLP and former Commissioner and Acting Chairman of the U.S. Securities and Exchange Commission
Mr. Robert Stebbins, Partner, Willkie Farr & Gallagher LLP and former General Counsel of the U.S. Securities and Exchange Commission
Mr. Chris Wright, Chief Executive Officer of Liberty Energy
Mr. Joshua T. White, Assistant Professor of Finance, Owen Graduate School of Management, Vanderbilt University
Professor Jill E. Fisch, Saul A. Fox Distinguished Professor of Business Law, University of Pennsylvania Law School
In case you’re wondering why the Committee has scheduled this hearing, the fact that it has posted a discussion draft of legislation disapproving the rules under the Congressional Review Act on its website might provide a clue.
Join us at 2 pm eastern tomorrow for our “Conduct of the Annual Meeting” webcast to hear J.M. Smucker’s Peter Farah, Broadridge’s William Kennedy, Intuit’s Erick Rivero, and the one and only Carl Hagberg, Independent Inspector of Elections and Editor of The Shareholder Service Optimizer, offer practice pointers and discuss trends in meeting format & logistics, rules of conduct, and other matters companies will confront at their annual meetings.
Members of this site are able to attend this critical webcast at no charge. If you’re not yet a member, subscribe now. The webcast cost for non-members is $595. You can sign up by credit card online. If you need assistance, send us an email at info@ccrcorp.com – or call us at 800.737.1271.
Continuing Legal Education: We will apply for CLE credit in all applicable states (with the exception of SC and NE who require advance notice) for this 1-hour webcast. You must submit your state and license number prior to or during the program. Attendees must participate in the live webcast and fully complete all the CLE credit survey links during the program. You will receive a CLE certificate from our CLE provider when your state issues approval; typically within 30 days of the webcast. All credits are pending state approval.
A few months ago, Dave blogged about SEC v. Panuwat, the agency’s novel insider trading action alleging that a corporate insider used MNPI about a pending acquisition of his company to unlawfully trade in the stock of a competitor that would be impacted by the deal. This “shadow trading” theory received a big endorsement last week, when a federal jury in San Francisco concluded after an eight-day trial that the executive had engaged in insider trading. Here’s SEC Director of Enforcement Gurbir Grewal’s statement on the jury’s decision:
“As we’ve said all along, there was nothing novel about this matter, and the jury agreed: this was insider trading, pure and simple. Defendant used highly confidential information about an impending announcement of the acquisition of biopharmaceutical company Medivation, Inc., the company where he worked, by Pfizer Inc. to trade ahead of the news for his own enrichment. Rather than buying the securities of Medivation, however, Panuwat used his employer’s confidential information to acquire a large stake in call options of another comparable public company, Incyte Corporation, whose share price increased materially on the important news.”
This Proskauer blog discusses the case and points out that, like many other insider trading cases, this one was highly fact-specific:
The Panuwat verdict, like the prior court decisions, seems to have been fact-specific. For example, the jury’s materiality analysis presumably considered evidence showing that (i) the third-party issuer (Incyte) was one of only a limited number of companies in the acquisition target’s business and financial space; (ii) analysts had specifically cited the third party as a company that could be affected by the acquisition target’s transaction; (iii) the acquisition target’s investment banker had included the third party in the banker’s transaction analysis; and (iv) the trader had been directly involved in the underlying confidential corporate discussions and presentations concerning his employer’s sale. In addition, the SEC’s witnesses testified that the third party’s stock price was likely to be, and in fact was, positively affected by news of the Medivation acquisition. Changing any of those variables might have produced a different result.
The blog says that the jury’s verdict may encourage the SEC to pursue more “shadow trading” cases because the SEC appears to believe that there’s a lot of shadow trading going on. Since insider trading generally requires the trader to have breached a duty in trading on the basis of MNPI, the blog’s discussion of the kind of duties that a person engaging in shadow trading might be found to have breached is also helpful.
Last month, I blogged about the DOJ’s new whistleblower program. In February, the DOJ also announced a new AI initiative in which it will seek input from experts in the field of artificial intelligence in order to help DOJ understand and prepare for how AI will affect its mission. This excerpt from a recent CLS Blue Sky Blog post by two McDermott Will lawyers says that these two initiatives have significant implications for corporate boards’ oversight responsibilities:
First and foremost, the initiatives are a reminder of DOJ’s continuing commitment to corporate fraud enforcement and especially of its commitment to individual accountability. Among all the strategic and tactical challenges facing a company, the importance attributed to corporate responsibility is a constant. This may affect the board’s allocation of resources to the compliance function and its expectation of coordination between legal, compliance, and executive compensation functions.
Second, officers and directors will be called on to adjust the corporate compliance program to address an entirely new regime of risks arising from potential whistleblowers who are focused on indications of corporate fraud. Internal controls with respect to potential fraud must be sharpened, and overt efforts to demonstrate “tone at the top” should be increased to convince potential whistleblowers of the organization’s commitment to effective compliance. In addition, 24-hour “hotline” reporting systems should be improved and anti-whistleblower retaliation protections enhanced.
Third, leadership should request a significant increase in the level of coordination between those responsible for internal direction of the company’s AI efforts and appropriate compliance and risk management executives. Until DOJ more clearly defines “disruptive technology risks,” this coordination should extend not only to the known risks and harms that can arise from AI and related technology, but also to the ways in which AI can be used to facilitate corporate fraud. Without further guidance from DOJ, this could require significant time and resources from the company.
The blog says that companies should expect pushback on coordination efforts from their tech leaders, who may not appreciate the need to address compliance issues, and says that the GC, CCO and CTO can be particularly valuable advisers to the board on its oversight efforts.
Meredith blogged last week about comments made during the “SEC Speaks” conference by Corp Fin General Counsel Michael Seaman concerning the application of the agency’s rules on shell companies in the context of reverse mergers. As part of that discussion, she linked to a Goodwin memo discussing Staff comments on shell company issues in this context. Over on our Q&A Forum (Topic #11254), a member asked about a statement in that memo concerning the inability of affiliates to use the resale shelf S-1 filed after a reverse merger:
Curious about application of Rule 145(c) to affiliates and the following statement in tcc.net April 3 blog: “No Rule 145(c) Securities on the Form S-1 Resale Shelf: investors who were affiliates of the private company and receive securities of the public company in the RM (i.e., Rule 145(c) securities) will be statutory underwriters with respect to resales of those securities and, as such, the Staff has indicated that such securities may not be included in the Form S-1 resale shelf and instead may be sold only in a fixed price offering in which such investors are named as underwriters in the prospectus.” Seems that Staff may be applying this in contexts where they view the resale as a primary offering. Otherwise, I’m at a loss to see where the fixed price offering requirement is provided by Rule 145(c).
This was my response:
Yes, the Staff does view that situation as involving a primary offering. The problem is that because those shareholders are deemed to be underwriters, the offering is viewed as being an “at the market” offering made on behalf of an issuer that isn’t eligible to use Form S-3 for primary offerings. Only Form S-3 issuers are eligible to engage in a primary “at the market” offering. See Rule 415(a)(4) and Securities Act Rules CDI 612.14.
Last week, Meredith blogged about the debate over the possibility that the SEC’s climate rules might contain a “back door” through which Scope 3 emissions disclosures might be required. During the ABA Business Law Section’s “Dialogue with the Director” held on Friday, Corp Fin Director Erik Gerding confirmed that quantifying Scope 3 emissions in SEC filings is purely voluntary, and that the agency didn’t intend to introduce the possibility of a back door Scope 3 disclosure requirement. That’s welcome reassurance, but at the risk of being accused of seeing ghosts, I still think that some companies may face tough decisions about whether to “voluntarily” disclose Scope 3 emissions data.
In his remarks, Director Gerding acknowledged that while the rules don’t require Scope 3 disclosure, registrants with transition plans or targets & goals incorporating reductions in Scope 3 emissions will need to describe qualitatively how they are managing that process. That’s where I think things might get a little sticky, because the disclosure called for by the relevant Reg S-K line items is pretty granular. For example, Item 1504 requires registrants to address the following in their targets & goals disclosure:
– The scope of activities included in the target;
– The unit of measurement;
– The defined time horizon by which the target is intended to be achieved, and whether the time horizon is based on one or more goals established by a climate-related treaty, law, regulation, policy, or organization;
– If the registrant has established a baseline for the target or goal, the defined baseline time period and the means by which progress will be tracked; and
– A qualitative description of how the registrant intends to meet its climate-related targets or goals.
In addition, registrants must disclose any progress made toward meeting the target or goal and how any such progress has been achieved. Registrants are also required to discuss any material impacts to the business, results of operations, or financial condition directly resulting from the target or goal or the actions taken to make progress toward meeting it, and to provide quantitative and qualitative disclosures about material expenditures and impacts on financial estimates and assumptions directly resulting from the target or goal or actions taken to make progress toward it.
As Sullivan & Cromwell pointed out in its memo on the climate change rules, “[g]iven the broad scope of the disclosure requirements under Item 1504, a company may need to disclose Scope 3 emissions metrics on an annually updated basis if it has a Scope 3 emissions reduction target that has materially affected, or is reasonably likely to materially affect, its business, results of operations or financial condition.”
I think the Staff is likely to take a hard look at Item 1504 disclosures during the review process. In light of Director Gerding’s comments, I doubt very much that the Staff will call for disclosure of Scope 3 emissions data in comment letters, but unless it applies a light touch, some of the comments on Item 1504 disclosure for companies with Scope 3 targets & goals could prove to be difficult to resolve. It seems plausible to me that after going a few rounds with the Staff on these comments, some companies may decide to “voluntarily” disclose Scope 3 data in order to resolve them.
One of the things that makes cybersecurity compliance particularly challenging is the mosaic of privacy and data protection laws and regulations that companies have to comply with. This FEI Daily blog from two PwC partners offers some advice to companies on how to manage their cyber compliance efforts:
There are several regulations at the state, federal and international level that organizations, particularly multinationals, should be focused on: NY DFS 500, the California Privacy Protection Agency’s (CPPA) draft Cybersecurity Audit and Risk Assessment Regulations, the EU’s GDPR and the SEC cyber rules, to name a few. Additionally, there is the anticipated CISA cyber incident reporting rule, coming as soon as March 2024. This patchwork of regulations will likely continue to grow in complexity in the months ahead.
So, how can companies untangle this — and where is the most effective place to begin? Start with understanding which regulations apply to your organization. Then, rationalize the common requirements between them and implement no regrets decisions to address those head on. Then, take stock of unique requirements for various geographies. Lastly, engage in public policy to help influence future regulation.
In this evolving regulatory climate, companies that embrace this new era of transparency are likely setting themselves up for success. Those who shy away from transparency do so at their own reputational risk.
The blog also identifies some other cybersecurity trends to watch in 2024 and offers tips on how companies can boost their defenses. These include investing in tools that will permit companies to scale their cloud security efforts and leveraging generative AI in their threat detection and analysis as well as in their cyber risk disclosure and incident reporting processes.