This Reuters article says that SEC Enforcement Co-Directors Stephanie Avakian & Steve Peikin have identified cyber crime as the top threat facing US securities markets:
“The greatest threat to our markets right now is the cyber threat,” said Peikin, who was still wearing a guest badge because he has not yet received his formal SEC credentials yet. “That crosses not just this building, but all over the country.”
The SEC has started to see an “uptick” in the number of investigations involving cyber crime, as well as an increase in reports of brokerage account intrusions, Avakian said. As a result, the agency has started gathering statistics about cyber crimes to spot broader market-wide issues.
The kinds of cyber crimes the SEC has been noticing range from stealing information for the purpose of insider trading, to breaking into accounts to either steal assets, trade against them or manipulate markets.
SEC enforcement actions involving cyber crime include notable insider trading cases based on information obtained by hacking into computer systems of major newswires and – more recently – two prominent law firms.
Cybersecurity: Target Settlement & Emerging Best Practices
In addition to acting against cyber criminals, the SEC & other authorities are demanding increased vigilance on the part of businesses to prevent these crimes from happening. Just last month, Target announced a $18.5 million settlement with 47 state attorneys general & DC to resolve issues arising out of its 2013 customer data breach. As part of the deal, Target also agreed to implement new measures to safeguard consumer privacy.
This Davis Polk memo points out that the measures agreed to in this settlement are much more detailed and specific than those contained in the company’s 2015 consumer class action settlement:
Comparing the measures that were required in the 2015 settlement with those in the 2017 settlement highlights the dramatic increase in expectations for cybersecurity over the last two years. Indeed, the requirements set forth in the recent Target settlement closely track the cybersecurity measures that were recently imposed by the New York Department of Financial Services (“DFS”) through Rule 23 NYCRR 500, which New York Governor Cuomo described as “strong, first-in-the-nation protections,” and which the DFS characterized as “landmark regulation.”
The memo includes a chart comparing the terms of the recent settlement with the 2015 settlement and the DFS’s requirements. The significant overlap between what Target signed up for & New York’s requirements suggests that the measures prescribed in the DFS regs may be emerging as “best practices” when it comes to data protection.
Tomorrow’s Webcast: “Flash Numbers in Offerings”
Tune in tomorrow for the webcast — “Flash Numbers in Offerings” — to hear Cravath’s LizAnn Eisen, Simpson Thacher’s Joe Kaufman and Latham & Watkins’ Joel Trotter analyze all the issues related to the use of flash numbers in offerings.
While the rest of us were listening to former FBI Director James Comey’s testimony before the Senate Intelligence Committee, the House passed the Financial Choice Act by a vote of 283-186, with 11 abstentions. Here’s a shock – the vote was along party lines, with Rep. Walter Jones of North Carolina being the sole Republican to vote against the bill.
Here’s an executive summary of the legislation provided by the House Financial Services Committee. Speaker Paul Ryan praised the bill for reining in “the overreach of Dodd-Frank.” Investor advocates have a different perspective. CII Director Ken Bertsch commented that “The Choice Act would dismantle important shareholder rights, make investing in public companies riskier and undercut the ability of the Securities and Exchange Commission to protect investors.”
As I previously blogged, this bill is likely “face down & floating” in the Senate – but it’s just the opening salvo.
Enforcement: Stephanie Avakian & Steve Peikin Named Co-Directors
Last week, Liz blogged about reports that Acting Director Stephanie Avakian and Sullivan & Cromwell’s Steve Peikin would serve as co-heads of the SEC’s Division of Enforcement. Yesterday, the SEC made it official with this press release announcing Stephanie and Steve’s appointment as Co-Directors.
Private Company Employee Stock Valuations: A Shell Game?
This DealBook article criticizes tech companies’ use of 409A valuations for employee stock issuances – calling the approach Silicon Valley’s “dirty little secret”:
This type of valuation allows hot, privately owned technology companies — like Uber, Airbnb or Nextdoor — to issue common stock or stock options to employees at a low price and, at the same time, or nearly the same time, sell preferred stock to outside investors at a price that is often three or four times higher. It’s also a way for company founders to control the market for the stock of their private companies while rewarding themselves and key employees with cheap shares that seem instantly worth a lot more than the price at which they were issued.
I don’t think I’d necessarily call this a “valuation shell game” as DealBook contends. Employees are typically buying common stock, loaded down with fairly outrageous restrictions on transfer. Outside investors are buying “Series Whatever” preferred, with a whole different bundle of rights. Under those circumstances, it doesn’t require a huge leap of faith to justify a significant discount from what outside investors are paying.
DealBook is also critical of the false precision in these 409A valuations – but the same thing can be said of almost any third party valuations. False precision is sort of the nature of the beast. The other thing is, if this is a shell game, it’s one that’s been going on for ages – and in a lot of places other than Silicon Valley. This is just another variation on the theme of “cheap stock”, which has been an issue in IPOs for decades.
This Reuters article says that the President’s budget proposal would eliminate the SEC’s reserve fund, which was established under Dodd-Frank to be used “as the [SEC] determines is necessary to carry out the functions of the Commission.” The Administration says that eliminating the fund would reduce the deficit by $50 million.
In recent years, the fund – which is separate from the SEC’s budget and is funded with registration fees – has been used to support the SEC’s IT modernization efforts. According to this House Financial Services Committee memo, since FY 2012, the SEC has spent more than $205 million from the reserve fund for improvements to its website & internal IT systems.
The reserve fund has also attracted a lot of opposition from Republican lawmakers. The version of the Financial Choice Act recently passed by the House Financial Services Committee would also eliminate the fund, while the Congressional spending proposal put forth in early May would have slashed it by $25 million.
Insider Trading: Will Reserve Fund Cut Curb New Cases?
This Proskauer blog notes that the SEC’s Enforcement Division is making increased use of advanced data analytics in insider trading investigations. My Cleveland Browns are trying to do the same thing in football – but this excerpt suggests that the SEC has actually made progress:
Over the past few years, the SEC has taken strides to find cases on its own, not simply waiting for tips or FINRA referrals. Much of the SEC’s work on insider trading matters occurs within the Enforcement Division’s Market Abuse Unit, which proactively launches its own investigations through data mining and advanced detection. The co-chief of that unit, Joseph Sansone, has repeatedly noted that it makes sense to invest resources into investigations when analysts notice patterns in multiple trades over a period of time.
The blog points out several recent insider trading cases that the SEC developed through its own data analysis efforts. However, it also notes that cutting the $50 million annual reserve fund “may affect the SEC’s funding to mine and analyze large data sets.”
SEC Budget Proposal: On the Other Hand. . .
This Wolters Kluwer report notes that all things considered, the SEC could be doing worse in the budget battle. As things stand, it would essentially be getting what it asked for in its budget request. What about the hit to the reserve fund? Under the President’s proposal, those reserve fund cuts won’t kick in until after 2018.
Of course, as the SEC points out in its budget request, it has one thing going for it that many other agencies don’t:
It is important to note that the SEC’s funding is deficit-neutral, which means that any amount appropriated to the agency will be offset by transaction fees and therefore will not impact the deficit or the funding available for other agencies.
Here’s the results from our recent survey on compensation committee minutes & consultants:
1. When it comes to providing comp committee minutes to consultants, our company:
– Provides upon request in electronic form only – 41%
– Provides upon request in paper form only – 5%
– Provides upon request in both electronic & paper form – 11%
– Doesn’t provide – but does allow inspection onsite – 25%
– Doesn’t provide – nor allow inspection onsite – 18%
2. Our compensation consultants ask for copies – or inspection – of committee minutes:
– Prior to each meeting – 12%
– Once a year – 4%
– On irregular basis – 25%
– They never ask for them- 59%
Section 2(a)(19)(C) of the Securities Act says that a company can lose “emerging growth company” status by issuing more than $1 billion in non-convertible debt over a rolling 3-year period. This MoFo blog reviews what counts – and what doesn’t – when determining whether you’re over the limit. This excerpt addresses the treatment of asset-backed securities:
In calculating whether an issuer exceeds this $1 billion debt limit, the SEC Staff has interpreted all non-convertible debt securities issued by an issuer and any of its consolidated subsidiaries, including any debt securities issued by such issuer’s securitization vehicles, to count against the $1 billion debt limit. As a result, asset-backed securities that are considered non-recourse debt and consolidated on a parent issuer’s financial statements for accounting purposes should be included when calculating the applicability of the $1 billion debt limit.
Issuers do get to exclude debt issued in an A/B exchange offer, since this involves simply replacing those securities with ones that are identical in all respects – except for their registered status.
Audit Reports: “Dear Audit Committee Member”
This recent blog from Davis Polk’s Ning Chiu provides a good example – in the form of a “Dear Audit Committee Member” letter – of a user-friendly way to communicate with directors about the PCAOB’s decision to modify the form of the auditor’s report to address “critical audit matters.”
Yesterday, a unanimous US Supreme Court held that the 5-year statute of limitations contained in 28 U.S.C. §2462 applies to SEC disgorgement claims. Justice Sotomayor’s opinion in Kokesh v. SEC concluded that since disgorgement involved violations of “public laws” (i.e., the harm was done to the United States, not an individual) & was punitive and non-compensatory, it was a “penalty” subject to the 5-year limitations period in the statute.
Disgorgement is a big part of the SEC’s enforcement arsenal – in fiscal 2016, the SEC obtained disgorgement orders totaling $2.8 billion, compared to only $1.3 billion in civil penalties. Nothing in the Supreme Court’s opinion prohibits the SEC from continuing to seek a disgorgement remedy, but now it’s got to keep an eye on the clock. We’re posting memos in our “SEC Enforcement” Practice Area.
The backstory in the Kokesh case may be more interesting than the opinion itself. I take that back – actually, it’s a lot more interesting.
Compliance Consultants: Coming to An Insider Trading Case Near You?
While we’re on the topic of remedies, this Drinker Biddle blog points out that a unique aspect of the SEC’s insider trading settlement with Leon Cooperman & his Omega Advisors hedge fund was the requirement that the firm retain a “compliance consultant.” Compliance consultants are a tool that the Division of Enforcement has used in other settings, but this is their first use in an insider trading case.
The blog points out that this requirement sets a precedent that could have a major impact on future cases:
The SEC’s use of this remedy may allow it to “lower the bar” for insider trading investigations knowing that it may be able to obtain settlements such as this which do not result in a suspension or bar. While the avoidance of the suspension or bar is of course paramount to individuals, an undertaking such as this involves an invasive-type relationship with a third party who – while “independent” – may have an allegiance to a regulator or a court.
The costs of a consultant – which are not insignificant – are always borne by the defendant firm, and the blog says it’s not a stretch to describe them as additional/hidden monetary penalties that over a period of years “may increase to hundreds of thousands of dollars or more.” The adoption of this new enforcement tool may turn out to be bad news for individuals and entities whom the SEC may not have considered charging before this settlement.
Our Executive Pay Conferences: Last Chance for 20% Early Bird Discount
1. The SEC All-Stars: A Frank Conversation
2. The SEC All-Stars: The Bleeding Edge
3. The Investors Speak
4. Navigating ISS & Glass Lewis
5. Parsing Pay Ratio Disclosures: US-Only Workforces
6. Parsing Pay Ratio Disclosures: Global Workforces
7. Pay Ratio: Sampling & Other Data Issues
8. Pay Ratio: The In-House Perspective
9. Pay Ratio: How to Handle PR & Employee Fallout
10. Keynote: A Conversation with Nell Minow
11. Proxy Access: Tackling the Challenges
12. Clawbacks: What to Do Now
13. Dealing with the Complexities of Perks
14. The Big Kahuna: Your Burning Questions Answered
15. Hot Topics: 50 Practical Nuggets in 60 Minutes
Early Bird Rates – Act by June 9th: Huge changes are afoot for executive compensation practices with pay ratio disclosures on the horizon. We are doing our part to help you address all these changes – and avoid costly pitfalls – by offering a special early bird discount rate to help you attend these critical conferences (both of the Conferences are bundled together with a single price). So register by June 9th to take advantage of the 20% discount.
This Bloomberg article says that the number of CEOs in the US & Canada fired for ethical lapses has more than doubled in the past five years:
Fourteen North American CEOs were ousted for ethical lapses from 2012 to 2016, compared with six in the preceding five-year period, according to a study of 2,500 global companies by PwC. The researchers included executives who left because of their own improper conduct or that of employees, so if, for example, a CEO was forced out because of widespread fraud in the organization, that counted as well.
The 102% increase in North American firings of wayward CEOs compares to an overall global increase of 36%. Western Europe saw these CEO terminations increase by 41%, while BRICS countries saw a 132% increase. According to one of the study’s authors, the crackdown reflects a number of factors, including shareholder activism & increased director exposure to liability for corporate malfeasance.
Did the CEO Quit – or Was it a Resig-firing?
Reading the tea leaves to determine whether a CEO was forced out is sometimes difficult. Corporate transition announcements tend to be ambiguous, and investors are often left to sort out for themselves whether the CEO was fired or resigned.
Now financial journalist Daniel Schauber has come up with a model – the “Push-out Score” – that he contends will help shed light on whether a CEO left voluntarily, or was shoved out the door. Here’s an excerpt from a Stanford article describing the model:
Unlike models that strictly categorize executive departures as forced or voluntary, the Push-out Score produces a score on a scale of 0 to 10 that amounts to a confidence level that the CEO was compelled to leave. (A score of 0 indicates that it is “not at all” likely that the executive was terminated or pressured to resign; a score of 10 indicates that termination is “evident.”)
The Push-out Score incorporates publicly available data along nine dimensions, including the form & language of the announcement, the time between announcement & departure, the official reason given for the change, the circumstances surrounding it and the nature of the succession. The model also takes into account extenuating circumstances and judgment, and assigns a score based on its assessment of the various dimensions reviewed.
As one of my law school profs was fond of saying in response to my brilliant insights – “so what?” Well, it turns out that there’s a correlation between a high Push-out Score and increased volatility (both positive & negative) in the market for the company’s stock. So the article suggests that this model may provide investors & companies with important information to assist in interpreting the market’s reaction to a CEO departure:
A positive reaction might indicate that shareholders approve of a decision to push out the CEO because of the potential for operational improvements or future sale of the company. On the other hand, a negative reaction to a high Push-out Score situation might indicate that shareholders view a forced termination as evidence of deeper operating, financial, or governance problems, or that shareholders disapprove of the decision to fire the CEO.
Keith Higgins: Back at Ropes & Gray!
After a nice healthy break, former Corp Fin Director Keith Higgins has resurfaced at his old firm – Ropes & Gray – to serve as Chair of that firm’s corporate department. Good to see Keith back in the saddle!
Yesterday, the SEC announced that Bill Hinman will serve as Corp Fin’s next Director. Bill previously was a partner in Simpson Thacher’s Silicon Valley office, having recently retired. He’s probably best known for his work on some of the most prominent tech & e-commerce IPOs of all time – including Alibaba, Facebook, Google & eBay.
Not positive, but we think Bill is the first Director hailing from the Valley – we’ve updated our “List of Corp Fin Directors.” In fact, Broc can’t recall any Staffers in Corp Fin moving to DC from the Valley.
CAQ’s Updated “Auditor Assessment” Tool
The Center for Audit Quality recently published a new version of its “External Auditor Assessment Tool.” The tool – which was introduced in 2012 – is intended to provide a framework for audit committees to assess the performance of a company’s external auditor and to make retention recommendations to the board.
This excerpt from the intro reviews the audit committee’s oversight role with respect to the external auditor & identifies specific areas that should be addressed in the evaluation of the auditor’s performance:
Audit committees should regularly (at least annually) evaluate the external auditor in fulfilling their duty to make an informed recommendation to the board whether to retain the external auditor. Further,providing constructive feedback to the external auditor may improve audit quality and enhance the relationship between the audit committee and the external auditor. The evaluation should encompass an assessment of the qualifications and performance of the external auditor; the quality and candor of the external auditor’s communications with the audit committee and the company; and the external auditor’s independence, objectivity, and professional skepticism.
The tool includes sample question sets covering each of the areas upon which the auditor will be evaluated, as well as materials to be used in obtaining input from management and a summary of applicable standards.
Update – Here’s an interesting observation from one of our readers:
Don’t you think it’s a bit odd that the CAQ, the audit industry lobbying arm of the AICPA, a trade association, is putting out a guide for issuers on how to select and monitor auditors? Seems a bit self-serving, bordering on conflicted.
Who Needs an IPO? NYSE Proposes to Facilitate Direct Listing
Broc recently blogged about Spotify’s reported plans for a “direct listing” – which involves bypassing an IPO, and simply registering common stock under the Exchange Act & listing on an exchange. This MoFo blog reports that the NYSE has proposed a rule change to facilitate this kind of process (which is already possible under existing rules). While Spotify is the highest profile direct listing candidate, this excerpt notes that this alternative may appeal to a variety of companies:
This approach could be of significant interest for issuers that have completed 144A equity offerings, which are still popular among REITs, for issuers that have completed numerous private placements and have VC or PE investors that need liquidity, and for issuers, including foreign issuers, that are well-funded and do not need a capital raise through an IPO, but would still like to have their securities listed or quoted on a securities exchange.
This Protiviti article sets forth key considerations for directors to keep in mind in providing oversight for their company’s efforts to address cyber risk. One of those considerations is particularly scary – it is highly probable that the company is already breached and doesn’t know it:
The old thinking of “it’s not a matter of if a cyber risk event might occur, but more a matter of when” is dated. It’s happening — now. For most companies, cyber risk events have already happened and may still be underway. Yet many organizations do not have the advanced detection and response capabilities they need. The proliferation of data privacy regulations around the globe and the publicity about data breaches affecting politicians, governmental agencies, global financial institutions, major retailers and other high-profile companies, along with the growing presence of state-sponsored cyberterrorism and espionage, are leading directors and executives alike to recognize the need for “cyber resiliency” to preserve reputation and brand image.
Detection & monitoring controls are generally not well-developed, and that results in continuing failures to detect breaches on a timely basis. Boards should be concerned how long significant breaches have evaded detectionabout the duration of significant breaches before they are finally detected.
The article says that simulations of likely attacks should be performed periodically to ensure that they can be detected & responded to quickly. Boards should also focus on the adequacy of the company’s playbook for responding, recovering and resuming normal business operations after an incident has occurred.
Also, as noted in this CAQ alert, the AICPA recently released a voluntary cybersecurity reporting framework – see this overview and this description of criteria for a risk program.
More on Our “Proxy Season Blog”
We continue to post new items regularly on our “Proxy Season Blog” for TheCorporateCounsel.net members. Members can sign up to get that blog pushed out to them via email whenever there is a new entry by simply inputting their email address on the left side of that blog. Here are some of the latest entries:
– Coca-Cola’s Usable Approach to the Annual Meeting
– 2016 Mini-Season Results
– More on “Shareholder Proposals – Do They Move the Market?”
– Shareholder Proposals: Do They Move the Market?
– Tax Disclosure: Investors Demand More
As noted in this article, the latest version of the omnibus spending bill from Congress would continue to prohibit the SEC from using funds on rulemaking for political contribution disclosure – recent spending bills have also contained this bar.
But that doesn’t mean that others aren’t pushing for more transparency in this area. The Center for Political Accountability has a new website – TrackYourCompany.org – containing a searchable database of information from the 305 S&P 500 companies that post information about some (or all) of their political spending on their corporate websites. While the site’s data includes only spending from each company’s treasury, the “individual company detail” pages link to OpenSecrets.org and FollowtheMoney.org, which provide information on PAC & individual contributions at the federal & state level.
Dividends: NYSE Wants Advance Notice of Announcements
This Davis Polk blog says that the NYSE filed a rule proposal with the SEC last month that would require companies to provide at least 10 minutes advance notice of a dividend announcement – not just during the period from 7:00 am until 4:00 pm when the exchange’s immediate release policy is in effect.
Conflict Minerals: GAO Says “Country of Origin” Still a Challenge
Recently, the GAO issued this 16-page annual report on its review of 2015 corporate disclosures under the SEC’s conflict minerals rule. The report says that although companies are more informed about their supply chains, they’re still struggling to identify the country of origin of their conflict minerals. Here’s an excerpt:
As in 2014, a majority of companies reported in 2015 that they were unable to determine the country of origin of the conflict minerals in their products and whether such minerals benefited or financed armed groups in the covered countries. However, companies reported a range of actions they had taken, or planned to take, to build on or improve their due diligence efforts, such as shifting operations or encouraging those in their supply chain to shift from current suppliers to suppliers who are certified as conflict free.
It’s been almost a full year since Corp Fin dropped its updated CDIs on the use of non-GAAP information – and this Sullivan & Cromwell memo reports on nearly 300 Staff comment letters issued since that time. Here’s an excerpt identifying the “hot button” issues:
Based on our analysis of these comment letters, we have identified a number of areas of SEC staff focus during this period, in descending order of frequency:
– Failure to present GAAP measure with equal or greater prominence (C&DI 102.10)
– Inadequate explanation of usefulness of non-GAAP measure
– Misleading adjustments, such as exclusion of normal, recurring cash expenses (C&DI 100.01)
– Inadequate presentation of income tax effects of non-GAAP measure (C&DI 102.11)
– Individually tailored revenue recognition or measurement methods (C&DI 100.04)
– Misleading title or description of non-GAAP measure
– Use of per share liquidity measures (C&DI 102.05)
Five of the areas of emphasis tie specifically to the issues raised in the May 2016 CDIs, while the other 2 (inadequate explanations of usefulness & misleading title or description) are issues that have traditionally drawn comments from Corp Fin.
By the way, it’s official – Jay Clayton was sworn in yesterday afternoon as the SEC’s 32nd Chair by Justice Kennedy. Here’s the SEC’s press release.
Blockchain: Broadridge & Banks Wrap Pilot Voting Project
Broadridge recently announced that it had completed a pilot project with J.P. Morgan, Banco Santander & Northern Trust that employed blockchain technology to “enhance global proxy vote transparency and analytics.” The pilot was Broadridge’s first application of blockchain technology, and adapted distributed ledger capabilities to provide a limited group of users with secure, daily insight into the progress of the annual meeting vote throughout the proxy voting period.
Why all the interest in blockchain technology for proxy voting? This “IR Magazine” article provides some insight:
One financial services function ripe for reimagining is the proxy voting process. A blockchain can, in theory, end errors associated with manual audits, improve efficiency, reduce reporting costs and – potentially – support deeper regulatory oversight.
Blockchain’s potential as a proxy voting solution is being explored by a number of other interested parties, including Nasdaq and TMX Group, the parent of the Toronto Stock Exchange.
“Freedonia’s Going to Market”: FAQs on Foreign Government Offerings
Honestly, I don’t know how relevant this Latham memo on FAQs about registered offerings by foreign governments is to many of our members. But they called it “Hail, Hail Freedonia: Frequently Asked Questions About SEC Registration on Schedule B by Foreign Governments” – and as far as I’m concerned, anybody who references the Marx Bros. in the title of a client memo has earned a plug from me.
For those of you who aren’t Marx Bros. fans, the reference is to the 1933 classic “Duck Soup,” & the fictional nation of Freedonia, for which Groucho’s “Rufus T. Firefly” serves as an unlikely war leader. It also contains my favorite Groucho quote: “Chicolini may look like an idiot and sound like an idiot, but don’t let that fool you – he really is an idiot.”
