TheCorporateCounsel.net

Monthly Archives: May 2024

May 28, 2024

Data Governance: The Board’s Role

Artificial intelligence tools are becoming a key part of growth strategies for companies across a wide range of industries. In turn, keeping pace with developments in AI and the issues they create has become a top priority for legislators and regulators, including the SEC. The growing importance of AI and the risks associated with it means that it can be added to the list of critical data governance issues that corporate boards must effectively address. This Freshfields blog provides some thoughts on what boards need to know about AI and other data governance topics in order to satisfy their oversight responsibilities.

The blog reviews the rapidly evolving regulatory environment for AI, cybersecurity and data privacy, as well as the growing risks of privacy litigation. It advises boards to engage with management in order to understand how the company assesses and manages the risks associated with data collection, use and storage and to set expectations for levels of acceptable risk. The board should also be involved in budgeting for risk mitigation efforts and monitor the progress of those efforts. The blog says that the board should also set “red flag” rules ensuring that management informs it when certain risks are elevated. This excerpt highlights some of the key questions boards should ask concerning their oversight of data-related governance:

– Does the company have a framework for measuring risks related to data, understanding controls and mitigations for those risks, and accepting residual risks?

– Does management keep the board informed regarding critical risks, including risks related to its most important “crown jewel” data, ongoing regulatory risks, and potential reputation impact of its data practices?

– Does the board understand the company’s data strategy and how data is used in its key products?

– Is data central enough to the company’s mission and success that a board committee should be assigned oversight of data governance? Has a cadence of regular reporting to the committee and the board been established? Have committee charters been updated or revised to conform to this allocation of responsibilities?

The blog identifies several other areas of inquiry for the board, including the frequency with which the board discusses existing, new and emerging data-related risks and the level and amount of information required to permit the board to fulfill its oversight responsibilities.

John Jenkins

May 28, 2024

T+1 Settlement Day: “Follow Me! Follow Me to Freedom!”

Happy T+1 Settlement Day to those who celebrate! All the ink that’s been spilled about the transition to T+1 settlement – including by us – reminded me a little of the fuss surrounding Y2K. That’s why I thought it would be appropriate to celebrate the big day by recalling one of the most entertaining bits of silliness from that era – ESPN SportsCenter’s epic “Follow me! Follow me to freedom!” Y2K commercial.

John Jenkins

May 24, 2024

Cyber Incidents: More on Reporting Early or Immaterial Incidents

Earlier this week, I shared a statement from Corp Fin Director Erik Gerding encouraging companies that choose to voluntarily disclose an immaterial cybersecurity incident or choose to disclose early while a materiality determination is still being made to do so under a different item of Form 8-K — like 8.01 for Other Events — not Item 1.05. This Gibson Dunn blog on the statement gives some statistics on Item 1.05 8-Ks filed so far that provide some context for why Director Gerding issued this statement.

[A]s of May 22, 2024, 17 companies have disclosed cybersecurity incidents under Item 1.05 over the course of 26 filings (inclusive of 8-K amendments) whereas 7 companies reported cybersecurity incidents under Item 7.01 or 8.01. Of those 17 companies reporting events under Item 1.05, with some companies disclosing material operational impact while the incident was ongoing or material impact on financial quarterly results, most of these companies disclosed no material impact on their operations and also generally disclosed (either as part of original filing or by amendment) that the cyber incidents have not had, or were not expected to have, a material impact on such companies’ overall financial condition or results of operations (or that companies have not yet made a materiality determination).

I think companies are very accustomed to filing under Item 8.01 for other disclosures that may be related to but don’t trigger another 8-K item, and I chalk this up to growing pains as they adapt to the new requirements. The blog also describes why these voluntary filings are so common.

Companies have often encountered challenges in reaching a materiality determination with respect to cybersecurity incidents due to the often tedious process of evaluating the nature and scope of an incident, the extent of unknown information, and the difficulty of assessing future consequences, particularly in the context of an evolving situation. Since the new rules went into effect, companies now must conduct an on-going reassessment of whether the incident has crossed the tipping point to become, in some aspect, material to investors, based on the known state of information and assessment of potential impacts. As such, companies facing potential scrutiny for not making timely disclosure have opted to voluntarily disclose cybersecurity incidents before reaching a definitive materiality determination.

Since Director Gerding’s statement was very explicit that it was not discouraging voluntary filings, I assume we’ll continue to see them, but hopefully under another item.

Meredith Ervine

May 24, 2024

Audit Committees: Considerations for the 2024 Agenda

This HLS blog is authored by a UK-based KPMG team, but most of the nine matters it recommends for 2024 audit committee agendas are just as applicable to US-based companies. Audit committees still need to focus on financial reporting, internal controls and risk oversight, particularly given the current geopolitical, macroeconomic and risk landscape, which can significantly affect forecasting and forward-looking disclosures and put stress on internal controls. Beyond that, the blog highlights the following areas that need particular attention from audit committees this year:

– Committee bandwidth and skillsets as the audit committee’s areas of oversight further expand beyond its core responsibilities, particularly for new climate and sustainability reporting requirements

– Cybersecurity and data privacy as AI, geopolitical conflicts and ill-defined lines of responsibility cause cyber risk to intensify

– New climate & sustainability disclosures, with a particular focus on the quality and reliability of underlying data

– Audit quality by setting expectations with the external auditor regarding communications with the audit committee, including beyond what’s required, and by considering the results of inspections and efforts to address deficiencies

– Ensuring internal audit is focused on critical operational and technology risks and related controls — beyond just financial reporting and compliance risks

– Managing leadership and talent in the accounting and finance teams, given talent shortages, and overseeing digital strategies and transformations

– Closely monitoring the tone at the top to maintain a culture of ethics and compliance

– Oversight of generative AI, which may be focused on compliance and internal controls or may be broader depending on the audit committee’s mandate

The blog’s discussion of the audit committee’s role in audit quality is UK-focused, but audit quality is an issue that’s been getting a lot of attention from regulators here in the US as well. The suspension of BF Borgers showed one of the worst-case scenarios in terms of auditor issues creating complications for public company clients. At a minimum, audit committees should be heeding the advice in the February 2024 statement from the SEC’s Office of Chief Accountant, which suggested committees evaluate whether and how they consider things like results of PCAOB inspections, industry expertise of the engagement team, sufficient involvement and leadership by the audit partner, the appropriateness of time spent and staffing and any changes in hours or staffing from previous audits.

Meredith Ervine

May 24, 2024

Adoption or Termination of Rule 10b5-1 Plans: Quarterly Disclosure

This spring, a number of questions have been posted on our “Q&A Forum” related to 10b5-1 plan disclosures. One common question, asked a few different ways, relates to whether public companies must disclose their 10b5-1 trading plans in periodic reports.

The Fifth Circuit has vacated the SEC’s Share Repurchase Disclosure Rule. That rulemaking added a paragraph (d) to Item 408 of Regulation S-K. Was that addition to Item 408 also vacated by the Fifth Circuit?

Do the new SEC rules requiring quarterly disclosure of the adoption or termination of 10b5-1 trading plans by directors or officers extend to the company itself? If so what precisely needs to be disclosed?

Current disclosure requirements are counterintuitive because “new” Item 408(a) of Regulation S-K was part of the SEC’s rulemaking related to insider trading & Rule 10b5-1 reform, while Item 408(d) was part of the SEC’s share repurchase disclosure amendments, which were vacated. This Debevoise memo concisely addresses this question:

Q: Is an issuer required to disclose its 10b5-1 trading plans in periodic reports?

A: No, an issuer is no longer required to comply with proposed Item 408(d) of Regulation S-K regarding disclosure of the adoption or termination of any of the issuer’s trading plans that are intended to satisfy the affirmative defense conditions of Rule 10b5-1(c) in its periodic reports. However, an issuer is required to continue to disclose the adoption, modification and termination of Rule 10b5-1 and other trading arrangements by directors and officers in its periodic reports under Item 408(a) of Regulation S-K.

As an aside, there’s now a bipartisan push to re-propose the SEC’s stock buyback rule! See this Cooley PubCo blog for more.

Programming Note: Our blogs will be off on Monday for the holiday. We wish each of you an enjoyable Memorial Day weekend. We’ll be back to celebrate “T+1 day” with you on Tuesday!

Meredith Ervine

May 23, 2024

Nasdaq Proposes Phase-In and Cure Period Changes and Clarifications

Yesterday, the SEC posted this notice & request for comment for a proposed Nasdaq rule change that would amend Rules 5605, 5615 and 5810 to make the following (and other non-substantive) changes:

– Clarify and modify the phase-in schedules for the independent director and committee requirements for IPOs by amending Rule 5615:

  • To include the text of the phase-in provisions of SEC Rule 10A-3 regarding the number of independent audit committee members required post-IPO (rather than simply referencing the rule)
  • To provide that companies may also phase in compliance with the three-member requirement for audit committees on a schedule that tracks Rule 10A-3 (i.e., at least one member by the listing date, at least two members within 90 days and at least three members within one year)
  • To allow companies to comply with the requirement to have one independent director on the compensation and nominations committees by appointing such director by the earlier of the date the IPO closes or five business days from the listing date (to avoid conflicting with a common practice of holding a meeting to appoint additional independent directors shortly after the listing date but prior to closing)

– Clarify and/or modify certain phase-in periods for companies emerging from bankruptcy, transferring from national securities exchanges, listing securities previously registered under Section 12(g), listing in connection with a carve-out or spin-off transaction or ceasing to qualify as a foreign private issuer or controlled company

– Codify its current positions that:

  • A company relying on the applicable phase-in period is not eligible for a cure period immediately following the expiration of the phase-in period unless it complied with the applicable audit committee, compensation committee or majority independent board requirement during the phase-in period but fell out of compliance, and
  • If a company demonstrated compliance but subsequently fell out of compliance before the end of the phase-in period, the cure period is calculated based on the event that caused the non-compliance (not the end of the phase-in period)

– Amend Rule 5810 to describe cure period procedures if a company fails to meet the compensation committee composition requirement due to one vacancy or one member ceasing to be independent: Nasdaq will notify the company and the company must cure by the earlier of its next annual meeting or one year from the event (with a minimum of 180 days if the annual meeting is held sooner)

The SEC is seeking comments on the proposal.

Meredith Ervine

May 23, 2024

Chair Gensler Issues Statement on Crypto Bill Pending in the House

Yesterday, Chair Gensler issued a statement regarding the crypto legislation pending in the House of Representatives — the Financial Innovation and Technology for the 21st Century Act — which, according to this Better Markets Fact Sheet “claims to seek to modernize the regulation of investment contracts by creating a new category called ‘investment contract assets,’” which “are excluded from the definition of a ‘security,’ likely eliminating SEC oversight.”

Chair Gensler believes the bill would “create new regulatory gaps and undermine decades of precedent regarding the oversight of investment contracts, putting investors and capital markets at immeasurable risk.” He identifies seven concerns in detail. Here are two:

[T]he bill’s regulatory structure abandons the Supreme Court’s long-standing Howey test that considers the economic realities of an investment to determine whether it is subject to the securities laws. Instead, the bill makes that determination based on labels and the accounting ledger used to record transactions. It is akin to determining the level of investor protection based on whether a transaction is recorded in a notebook or a software database. But it’s the economic realities that should determine whether an asset is subject to the federal securities laws, not the type of recordkeeping ledger. The bill’s result would be weaker investor protection than currently exists for those assets that meet the Howey test.

[T]he bill specifically excludes crypto asset trading systems from the definition of an exchange and thus removes, for investors on crypto asset trading platforms, the protections that benefit investors on registered exchanges. These crypto trading platforms would be able to legally comingle their functions in a way that fosters conflicts of interest, may allow trading against their customers, and reduces custody protections for their customers.

He then warns that the bill could undermine the broader capital markets “by providing a path for those trying to escape robust disclosures, prohibitions preventing the loss and theft of customer funds, enforcement by the SEC, and private rights of action for investors in the federal courts.” For example, “perpetrators of pump and dump schemes and penny stock pushers” could “contend that they’re outside of the securities laws by labeling themselves as crypto investment contracts or self-certifying that they are decentralized systems [as permitted by the bill].” The bill only allows the SEC 60 days to contest any self-certification.

Meredith Ervine 

May 23, 2024

Enforcement: NYSE and Other Intermediaries Dinged for Ultimately De Minimis Cyber Intrusion

Yesterday, the SEC announced cease-and-desist proceedings against the Intercontinental Exchange and nine affiliates, including the NYSE, for failing to notify the Commission about a cyber intrusion as required by Regulation SCI (Systems Compliance and Integrity). The settlement included a $10 million civil penalty.

Commissioners Peirce and Uyeda issued a joint statement calling the penalty “disproportionately large” given that the ICE subsidiaries ultimately determined the incident was de minimis. Toward the end of the statement, the Commissioners expressed their concerns about “imposing outsized penalties for minor violations” in Commission enforcement actions generally — worrying that public perception of the Commission’s regulatory agenda is harmed when “regulatory foot faults result in ever-steeper penalties that bear little to no relation to real-world harm.”

The SEC’s press release has this to say in a quote by Enforcement Director Gurbir Grewal:

Under Reg SCI, [intermediaries] have to immediately notify the SEC of cyber intrusions into relevant systems that they cannot reasonably estimate to be de minimis events right away. […] [T]hey instead took four days to assess its impact and internally conclude it was a de minimis event. When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity.

Meredith Ervine 

May 22, 2024

Cyber Incidents: Corp Fin Director on Reporting Early or Immaterial Incidents

Yesterday, Corp Fin Director Erik Gerding released this statement (subject to the standard disclaimer) regarding new Item 1.05 of Form 8-K requiring public companies to disclose material cybersecurity incidents. In the statement, Director Gerding encourages companies that choose to voluntarily disclose an immaterial cybersecurity incident or choose to disclose early while a materiality determination is still being made to do so under a different item of Form 8-K — like 8.01 for Other Events. The statement notes that reporting immaterial incidents under Item 1.05 (“Material Cybersecurity Incidents”) could confuse investors.

Given the prevalence of cybersecurity incidents, this distinction between a Form 8-K filed under Item 1.05 for a cybersecurity incident determined by a company to be material and a Form 8-K voluntarily filed under Item 8.01 for other cybersecurity incidents will allow investors to more easily distinguish between the two and make better investment and voting decisions with respect to material cybersecurity incidents. By contrast, if all cybersecurity incidents are disclosed under Item 1.05, then there is a risk that investors will misperceive immaterial cybersecurity incidents as material, and vice versa.

It stresses that this is not intended to discourage or disincentivize voluntary early reporting or reporting of immaterial incidents, which can be valuable to investors, the marketplace and companies. It also reminds companies that early reporting may mean two 8-Ks will be necessary:

If a company discloses an immaterial incident (or one for which it has not yet made a materiality determination) under Item 8.01 of Form 8-K, and then it subsequently determines that the incident is material, then it should file an Item 1.05 Form 8-K within four business days of such subsequent materiality determination. That Form 8-K may refer to the earlier Item 8.01 Form 8-K, but the company would need to ensure that the disclosure in the subsequent filing satisfies the requirements of Item 1.05.

Earlier this year, I shared a Cleary alert on the potential benefits of early reporting under Item 7.01 or 8.01 that is worth sharing again.

Meredith Ervine 

May 22, 2024

Cyber Incidents: Corp Fin Director on Assessing Impact and Materiality

Yesterday’s statement from Corp Fin Director Erik Gerding (subject to the standard disclaimer) also addresses materiality determinations for cyber incidents, stressing that companies should assess “all relevant factors” and not limit that assessment to the incident’s impact on the company’s financial condition and results of operation.

“[C]ompanies should consider qualitative factors alongside quantitative factors.” For example, companies should consider whether the incident will “harm . . . [its] reputation, customer or vendor relationships, or competitiveness.” Companies also should consider “the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and Federal Governmental authorities and non-U.S. authorities.”

Echoing a key comment from SEC Speaks, the statement also adds the following (which is contemplated by Instruction 2 to Item 1.05):

There also may be cases in which a cybersecurity incident is so significant that a company determines it to be material even though the company has not yet determined its impact (or reasonably likely impact). In those cases, the company should disclose the incident in an Item 1.05 Form 8-K, include a statement noting that the company has not yet determined the impact (or reasonably likely impact) of the incident, and amend the Form 8-K to disclose the impact once that information is available.

The initial Form 8-K filing, however, should provide investors with information necessary to understand the material aspects of the nature, scope, and timing of the incident, notwithstanding the company’s inability to determine the incident’s impact (or reasonably likely impact) at that time.

Meredith Ervine