The SEC’s litigation against SolarWinds has gotten a lot of attention — largely due to the high-profile nature of the breach that brought issues to light and the SEC’s decision to individually charge the company’s CISO. As Liz shared, much of the original 68-page complaint boiled down to the basic notion that disclosures can’t be materially misleading, but, in mid-May, the parties presented oral arguments on the defendants’ motion to dismiss that, together with the SEC’s amended complaint, give us a better picture of the SEC’s allegations. This HLS blog from Jenner & Block says the SEC is also arguing that the company’s cybersecurity weaknesses amounted to internal accounting control failures.
The SEC was similarly criticized for alleging that the “internal accounting controls” provisions of the Exchange Act apply to cybersecurity controls and suggesting that companies and individuals can be charged with a securities violation for failing to protect company assets from cybersecurity attacks. Section 13(b)(2)(B), which was enacted as part of the Foreign Corrupt Practices Act in response to concerns about bribery of foreign officials by US business interests, requires public companies to maintain internal accounting controls “sufficient to provide reasonable assurances that . . . access to assets is permitted only in accordance with management’s general or specific authorization.”
In response to the SEC’s inclusion of this claim, the US Chamber of Commerce and Business Roundtable filed an amicus brief arguing that cybersecurity controls are unrelated to the reliability of financial reporting for purposes of the statute and that the use of this charge would unfairly penalize companies that are victims of a cyberattack. […]
The SEC also sought to defend their allegation that Defendants violated the internal accounting controls provision of the Exchange Act by failing to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances” to prevent unauthorized access of SolarWinds’ assets—i.e., its software code and technology infrastructure.
The SEC’s amended complaint expounded on this novel charge, explaining that “[t]he cybersecurity controls at issue here were ‘internal accounting controls’ in that they were plans, procedures, and records of SolarWinds concerned with the safeguarding of corporate assets. Cybersecurity policies must be designed and implemented to provide shareholders with reasonable assurances that access to corporate assets—including technology assets, computer code and software for distribution to customers—are limited to authorized users, and thus support the twin goals of corporate accountability and management stewardship over corporate assets underlying Rule 13(b)(2)(B).”
While the court seemed to question the SEC’s position here during oral arguments, the blog warns that more disclosure actions are likely to come if the Enforcement Division is successful. It recommends that companies take a cautious approach to how they describe cybersecurity practices and ensure the CISO’s responsibility for disclosure and controls is clearly defined.
As John shared in March, one of the unique aspects of the litigation challenging the SEC’s final climate disclosure rules is that the SEC’s rulemaking was being challenged by both sides of the aisle. Challengers included not only Red State AGs, the U.S. Chamber of Commerce and energy companies saying the rule went too far, but also the NRDC and The Sierra Club saying the rule didn’t go far enough. The litigation only got more complicated when the U.S. Chamber of Commerce moved to intervene in The Sierra Club’s challenge to the rules, which put the Chamber in the position of both challenging the rules and defending them in the consolidated litigation.
As this Cooley PubCo blog points out, the NRDC and the Sierra Club have now filed unopposed motions seeking voluntary dismissal of their petitions for review, both saying they’re planning to focus their limited resources to advocate for further disclosure outside of the litigation. The blog says, “the authority of the SEC to adopt the final rules will not be without support” since AGs of various states have filed a successful motion to intervene on behalf of the SEC, and “presumably, these states will not be challenging whether the SEC went far enough.”
John speculated early on that the lottery system may have been a factor in the environmental groups’ decision to file the lawsuit. It may have been a factor in the decision to move for voluntary dismissal as well — after the challenges that were filed in six different circuits were consolidated in the Eighth Circuit which, as Dave noted, is comprised of conservative-leaning judges, similar to the Fifth Circuit.
In the latest addition to the ongoing debate over proposed 2024 amendments to the DGCL, a group of prominent law professors recently submitted a letter to the Delaware Legislature opposing the proposed changes to Section 122(18) of the DGCL intended to address the Chancery Court’s decision in the Moelis litigation invalidating certain governance provisions contained in a stockholders agreement. This excerpt provides the gist of their concerns:
The Proposal would do more than simply overturn Moelis. It would allow corporate boards to unilaterally contract away their powers without any shareholder input. It would also exempt such contracts from Section 115, thereby creating a separate class of internal corporate claims—including claims of breach of fiduciary duty—that could be arbitrated and decided under non-Delaware law. These would be the most consequential changes to Delaware corporate law of the 21st century, and they should not be made hastily—if at all.
Proponents of the Proposal argue that the Moelis decision struck down a common practice of Delaware corporations and that the Proposal merely restores the status quo ante. Not so. The contract in Moelis was far from typical, especially for public corporations, and the Moelis decision only held that certain of its provisions contravened the board-centric model of governance codified in Section 141(a). Those provisions could only be adopted in the corporate charter, and thus only after a majority of shareholders—who invested in reliance on Section 141(a)—gave their approval.
The professors argue that instead of “hastily rewriting the rules,” the better path would be to wait for the Delaware Supreme Court to weigh in on the issues raised by the Moelis decision.
We cover a lot of “shareholder activism” developments over on DealLawyers.com, so in early January, John blogged there about the Chancery Court’s decision in Kellner v. AIM Immunotech (Del. Ch.; 12/23) addressing a challenge to advance notice bylaw amendments. Vice Chancellor Will upheld certain amendments but struck down others. This recent Morgan Lewis law flash says plaintiff firms are back at it, having “recently filed several virtually identical complaints in the Delaware Court of Chancery challenging often used public company advance notice bylaws as facially invalid.” The alert says none of these suits appear to arise from any active director nomination process at the defendant companies, and the potential plaintiffs’ attorney fee seems to be what’s motivating their filing.
Consider yourself on notice — now’s the time to review your bylaws if you haven’t already! Take a look at our prior blogs on identifying and modifying offending provisions and how to make sure that advance notice bylaws incorporate the latest protective features without going so far that the bylaw will be struck down when it’s enforced.
Thanks to this Toppan Merrill blog for highlighting that large accelerated filers are required to submit filing fee data in iXBRL starting July 31, 2024 (July 31, 2025 for all other filers).
In a previous blog post, we outlined the initial phases of the SEC’s Filing Fees and Payment Method Modernization final rule. The mandate changed how filing fees in registration statements, fee bearing proxies and tender offers were disclosed and disseminated. While the new fee table layout launched on Jan 31, 2022, we still see instances of fee tables that do not match the specific instructions presented in the final rule or provided in the SEC Forms. During this initial phase, filers have had the option to construct fee tables in HTML without following the explicit instructions of the rules and form instructions.
Beginning July 31, 2024, large accelerated filers are required to submit the fee data in Inline XBRL (iXBRL) format, with all other filers phased in beginning July 31, 2025. Once filers are mandated to file with iXBRL tagging, the layout and requirements for the fee tables must be followed in order for the filing to be accepted by EDGAR.
The blog then walks through how tables need to be formatted for tagging (and filing acceptance), which may require changes to common practices. Here are two examples, but there are many more tips for preparers of filing fee tables — even if you don’t handle XBRL tagging.
Currently: Filers typically list Unallocated (Universal) Shelf at the bottom of the individually listed securities in the fee table.
In iXBRL format: The Unallocated (Universal) Shelf line will be listed first, followed by each listed class nested below.
Currently: Footnote references are allowed in any table cell or table head in HTML format.
In iXBRL format: A single footnote reference is allowed per listed security, excluding nested Unallocated (Universal) Shelf, listed within the table. Footnote references are not allowed in column heads or within the ‘totals’ cell(s). The same footnote cannot be referenced on multiple rows.
The SEC also previously posted “How do I” guidance shortly after the voluntary compliance period under the SEC’s Filing Fee Modernization Rule began. The announcement provides contact information for the Staff but strongly encourages filers to review these resources before reaching out.
With the stay order and pending litigation surrounding the final climate rule, we realize that our work to prepare sample climate disclosure might be a “hurry up and wait” situation, but we’re nonetheless very excited that our 64-page Annotated Sample Climate Disclosure is now available to members of TheCorporateCounsel.net (posted in our “Climate Change” Practice Area). It includes example text and tables, along with annotated guidance on key elements of the final rules applicable to large accelerated filers for the first year of disclosures – whenever that will be.
We hope these sample disclosures serve as a good starting point for discussion – since sometimes getting started is the hardest part – or something to compare against your existing disclosures to see what you’ll need to add to address all required disclosures, if and when the rules are effective.
If you are not a member of TheCorporateCounsel.net, you can sign up online or contact Sales@CCRcorp.com.
Last week, the WSJ reported that paragraph (c) of Item 1.05 of Form 8-K has been invoked “several times” since the SEC’s new cybersecurity disclosure rules went into effect in December. Paragraph (c) provides a framework for delaying the filing of an Item 1.05 Form 8-K if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing.
The article says that Matthew Olsen, assistant attorney general for national security, whose office has been delegated the responsibility for handling these determinations, reported at the WSJ’s “Tech Live: Cybersecurity” conference that “on a number of occasions, the Justice Department has delayed companies’ disclosures because making the attacks public would create substantial risks and raise national-security concerns,” without giving any numbers.
As the article notes, when the final rules were adopted, there were doubts about how easy or practical it would be for companies to avail themselves of the delay provisions. I think much of that concern was assuaged by the December guidance released by multiple agencies — the FBI’s Guidance to Victims of Cyber Incidents on SEC Reporting Requirements: Request a Delay, plus multiple CDIs from the SEC Staff, and a statement from Corp Fin Director Erik Gerding — which evidenced that necessary interagency channels of communication were being forged and processes being created for these delay provisions to work. I can’t say I’m happy to hear that there have been cyber incidents that presented national security concerns, but for companies that may need to seek this relief, it’s good to know that there’s some precedent for it.
While we can’t escape the constant reminders that we’re in the midst of a U.S. presidential election year, I didn’t realize 2024 is what WTW calls “the year of elections.” With “83 elections in 78 countries […] there will not be an equivalent number of elections held worldwide in any single year until 2048.” Yikes! Here’s more from this report by the Director of Political Risk Analytics at WTW:
Writing in early 2024, we cannot be certain how many of the elections scheduled for this year will in fact be held. Some of 2024’s contests will surely be postponed by budding autocrats. Other polling dates will be unexpectedly added to the annual calendar as parliamentary governments lose no-confidence votes and snap elections are called.
What is clearer is that 2024 is very likely to play host to consequential elections. By some estimates, more than 4 billion votes will be cast in national polls in 2024 (owing in significant part to elections in India and the multinational elections for the European Parliament). That figure may not be reached again until after 2070.
What might these elections mean for macroeconomic and political conditions? Well, WTW says, generally speaking, soaring inflation means “it is not likely to be a good year for incumbents” and “changes of government are an opportunity for dramatic geopolitical realignments.” As an example, it cites the recent “change in the U.S. relationship with China,” which “has prompted companies to rethink their globalisation strategies.” In fact, Microsoft recently made the news after asking at least 100 employees in China to relocate given governmental tensions.
As Dave noted, the SEC’s rulemaking strategy can also be significantly impacted by changing administrations, but that doesn’t necessarily mean that we’ll see a slowing down or pausing in rulemaking activity.
Don’t miss PracticalESG.com’s virtual event “DEI Full Circle” featuring three panels of experts who will provide a comprehensive exploration of Diversity, Equity, and Inclusion from various angles – “Exploring Executive Viewpoints,” “Embedding DEI Throughout the Employee Life-Cycle” and “Understanding the Social Impact of DEI Work.” Join us at 12:00 pm eastern today, June 11. You can register here.
These events are free to all – you don’t have to be a member of PracticalESG.com to attend. That said, if you find the content helpful, know that PracticalESG.com has many more resources for you! Become a member today by clicking here, emailing sales@ccrcorp.com or by calling (800) 737-1271.
Over at Radical Compliance, Matt Kelly discussed a new survey of vendor risk management processes at 156 companies from third-party risk management software provider Prevalent. While companies are improving their processes in some areas — for example, “cybersecurity and data privacy teams are now more involved in third-party risk management (TPRM) than they were a year ago” — generally, Prevalent found that third-party risk management programs were still struggling with limited resources and a hodgepodge of tools and practices:
– Resource Constraints: Many organizations struggle with inadequate resources, with only one-third of vendor relationships being managed in a TPRM program.
– Dependence on Outdated Tools: Half of the surveyed companies still rely on spreadsheets and multiple disparate tools to assess and manage their third-party relationships.
– Limited Remediation: Despite tracking risks across the vendor lifecycle, few companies actually do anything about what they find.
Matt highlighted some other statistics showing a piecemeal approach, leaving “the average company with too many TPs not RM’ed.”
– Only 51% say they are able to assess risk at every stage of the vendor lifecycle (think a vendor not disposing of equipment or data as promised when a contract is terminated, or your own failure to disable their user access)
– Only 49% say their TPRM program has the automation and reporting necessary to demonstrate compliance
While companies are making some strides in cybersecurity, it sounds like third-party risk management practices could use improvement across the board. As a reminder, the new cybersecurity disclosure rules include “whether the registrant has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider” in the non-exclusive list of matters to address when describing the company’s processes for assessing, identifying, and managing material risks from cybersecurity threats. So how are companies addressing this disclosure?
As Dave and John have observed, this year’s Form 10-K cybersecurity disclosures varied but tended to be shorter than expected, and most companies’ disclosure of their overall cybersecurity risk management approach wasn’t particularly detailed. The January-February 2024 issue of The Corporate Executive includes a deep dive into 10-K cybersecurity disclosures and makes this related observation:
Some companies simply stated that their cybersecurity risk management processes included assessing, identifying and managing material risks arising from threats associated with third-party vendors. Others provided a highly detailed discussion of their efforts to address third-party cyber risks. […]
More commonly, companies provided a general description of their efforts to identify and manage cybersecurity risks during the vendor approval and contracting process, and indicated that these efforts involved a combination of risk assessments and contractual commitments from their vendors.