In addition to the results of Deloitte’s CFO survey, you might want to keep this recent Fenwick blog in mind when you think about what might need to be updated in your “Risk Factors” disclosure. This excerpt includes a few of the specific potential risks outlined in the blog:
Risk related to Chevron and related decisions – As previously noted, we have observed that life sciences companies are adding risk factor language in response to the U.S. Supreme Court overturning the Chevron Doctrine and related decisions. Companies in life sciences or other highly regulated industries should consider whether it is appropriate to include such disclosure. Please see our alert for an example of such risk factor language.
Ongoing risk related to CrowdStrike outage – Companies impacted by CrowdStrike’s defective software update should consider updating their risk factors and forward-looking statements about systems downtime and/or reliance on third parties to operate critical business systems. Remember to revise relevant hypothetical language about outages or systems downtime to indicate that such risks have already occurred. Finally, impacted companies should also consider discussing any material impacts (if any) in the management’s discussion and analysis section of their next Form 10-Q.
In addition, software and technology companies that similarly update systems, including automated updates, should ensure their risk factors cover risks associated with errant updates, and that their boards have oversight visibility on how those risks are mitigated where it may be deemed mission critical to the company. Please see our alert for more information.
Risk related to AI – As a reminder, the EU AI Act entered into force on August 1. Companies should review and update any relevant language in their AI risk factor to reflect this development. Note that the Securities and Exchange Commission (SEC) and the plaintiffs’ bar also continue to focus on AI washing. In a recent video about AI washing, SEC Chair Gary Gensler reminded companies that “any claims about prospects should have a reasonable basis and investors should be told that basis.”
Other potential risks noted in the blog include inflation and interest rates, trade tensions between the US and China, new export control rules and – inevitably – the US presidential election.
Labrador recently announced the winners of its 6th annual disclosure transparency awards. Here’s an excerpt from its press release:
Intel, Dow, and Mastercard have emerged as champions, securing top honors in the 2024 U.S. Transparency Awards unveiled today by Labrador, a leading global communications firm specializing in transparent corporate disclosure documents. The rankings are based on a rigorous evaluation of corporate disclosure documents among the top 250 companies in the S&P 500 and recognize companies dedicated to building investor and stakeholder trust through clear, concise, and effective communication.
The Transparency Awards celebrate the 10 most transparent U.S. companies, the top three leaders in 11 industries, and the best performers in individual disclosure categories—from best overall transparency, proxy statement, and ESG reporting to Form 10-K, investor relations websites, codes of conduct, and plain language usage.
Be sure to check out the Transparency Awards website for more details about the awards and the companies that received them. University of Michigan alums in the audience – including our own Meredith Ervine – will no doubt recognize the reference to the Wolverines’ fight song in the title of this blog. That’s intentional, because as many of you know, our former colleague & Michigan alum Broc Romanek has been leading the charge on disclosure transparency for Labrador for the past couple of years. Here’s Broc’s 8-minute video announcing the winners of this year’s awards.
Those of you who know Broc probably won’t be surprised to learn that he remains the hardest working man in show business. In addition to his Labrador gig, he’s recently joined the folks at Cooley where he’ll provide corporate governance guidance on the firm’s new “The Governance Beat” blog.
If you’re on the risk management side of the business – like most in-house lawyers – the risks associated with emerging technologies like artificial intelligence are likely taking up an increasing amount of your time & mental energy. Concerns about those emerging technology risks and identifying effective risk management programs to address them aren’t likely to go away anytime soon. Fortunately, over on Radical Compliance, Matt Kelly recently flagged a new “AI Risk Repository” developed by the smarty-pants at MIT that offers assistance in identifying the risks associated with AI.
This excerpt from Matt’s blog provides an overview of what this resource is all about:
A team of MIT researchers known as the FutureTech Group published the catalog, formally known as the AI Risk Repository, earlier this month. It’s free to all and designed to help a wide range of audiences, from academic researchers to policy makers to, yes, corporate risk managers trying to develop risk assessments for the AI systems running at your company. (Credit to compliance consultant Mark Rowe for noting the repository on LinkedIn earlier this week.)
The 700+ risks are organized into seven primary domains, such as discrimination, privacy, and system safety. Those seven primary domains are then split into 23 more precise sub-domains, which are divided again into even more precise risk categories.
The actual repository exists as a Google spreadsheet you can download, with various columns classifying each risk, describing its potential severity, identifying the potential cause (human versus AI itself; accidental versus deliberate action), and otherwise giving you a wealth of context.
Matt goes on to offer some thoughts on how to put the repository to work in your own risk management and compliance program. He points out that the 700+ risks in the repository were pulled together from 43 separate risk management frameworks and asks whether the existing frameworks used by companies to manage AI risks – like the NIST AI Risk Management Framework and the ISO 42001 standard – are sufficient to meet the challenge.
According to a new report from Arize AI, the number of Fortune 500 companies citing AI-related risk factors in their annual reports has increased by nearly 500% since 2022, with 281 companies currently addressing AI in their risk disclosures. The report says that media and entertainment (92%), software and technology (86%), telecommunications (70%), healthcare (65%) and financial services (63%) lead all other industries in disclosing risks from AI.
The report also includes excerpts from various categories of corporate risk factor disclosures, including competitive risks, regulatory risks, security risks, and what the report calls “general harms”. This latter category encompasses “physical, reputational, or other harms to company or its stakeholders from AI”. Here’s an example of this general harm risk disclosure from Motorola’s annual report:
As we increasingly build AI, including generative AI, into our offerings, we may enable or offer solutions that draw controversy due to their actual or perceived impact on social and ethical issues resulting from the use of new and evolving AI in such offerings. AI may not always operate as intended and datasets may be insufficient or contain illegal, biased, harmful or offensive information, which could negatively impact our results of operations, business reputation or customers’ acceptance of our AI offerings.
Although we work to responsibly meet our customers’ needs for products and services that use AI, including through AI governance programs and internal technology oversight committees, we may still suffer reputational or competitive damage as a result of any inconsistencies in the application of the technology or ethical concerns, both of which may generate negative publicity.
If you found today’s AI-related blogs interesting, you won’t want to miss our “In-House Insights: Governing and Disclosing AI” panel at our 2024 “Proxy Disclosure and 21st Annual Executive Compensation Conferences” – and that’s just one of the 15 timely, topical panels you’ll hear from over our two days of programs. As we’ve mentioned before, one of those panels will feature our SEC All-Stars participating in a “Game Show Lightning Round: All-Star Feud” – and we’re back with another request for your responses to one of the survey questions they’ll be asked to address.
Please take a moment to respond to our latest anonymous poll. We’ll gather and rank responses by popularity. Responses will be hidden, so you will have to join day 1 of our Conferences to hear whether your response made the “most popular” list.
If you haven’t done so already, today is a great day to sign up for our Conferences, which are taking place on October 14th & 15th in San Francisco. There is also a virtual option if you are unable to attend in person. You can register by visiting our online store or by calling us at 800-737-1271.
Earlier this month, the CII released a report on what it refers to as “stealth” dual-class structures – alternatives to multi-class capital structures that allow insiders the control benefits associated with owning high-vote stock without the potential investor relations downsides. Here’s the intro:
Traditional dual-class or multi-class stock structures have received significant attention from market participants because of the disconnect they create between voting rights and economic ownership, thereby insulating company insiders from accountability to the company’s owners. However, it is important for investors to understand that companies can deliver substantially similar entrenchment mechanisms without creating multiple classes of common stock or adopting widely understood anti-takeover devices such as poison pills. In fact, there may be an incentive for insiders to achieve the same control enhancing outcomes without adopting a traditional dual-class structure.
By doing so, they may receive the private benefits of outsized decision-making power without receiving the negative attention and stock price discount accompanying dual-class stock. This paper reviews nine examples of arrangements that could constitute “stealth dual class”: identity-based voting power, side agreements with favored shareholders, stock pyramiding/cross-ownership, umbrella partnerships and C corporations (Up-Cs), employees granting irrevocable proxy voting rights transferred from employees to insiders, golden shares, situational super-class issuances, non-equity votes and vote caps.
The article goes on to explain how each of these alternatives replicates the benefits of a dual-class structure and offers some specific real-world examples. It also says that Delaware’s adoption of new Section 122(18) of the DGCL may facilitate their increased usage, which is a topic about which the CII has previously expressed concern.
Given the wailing and gnashing of teeth over dual-class structures in the US by proxy advisors & investor representatives, it may come as a surprise to learn that UK regulators recently adopted a rule change permitting dual-class companies to list on the LSE. An ISS report on the change notes that it was opposed by many prominent UK & European institutional investors, but also acknowledges a big reason why their objections didn’t carry the day:
As others have highlighted, many of the institutional investors and pension funds that have concerns in relation to the so-called watering down of UK shareholder rights and protections do invest in other financial markets with lower corporate governance standards, and often where the use of multiple class share structures has been the norm for many years.
Indeed, this is not the first time that this has been noted by external observers. Earlier in June 2024, the Chair of Marks & Spencer, Archie Norman, blamed UK pension funds for the decline of the LSE on the grounds that they had cut their UK equity exposure to a shadow of what it had been just decades before. According to a release by the Office for National Statistics, published in December 2023, the proportion of UK shares held by UK insurance and pension funds has fallen dramatically since 1997 when the two sectors held a combined total of 45.7% of quoted shares. By 2022, the holdings of the two sectors had fallen to 4.2%, “the lowest proportion jointly held by them on record”.
As a result, it is not surprising that some observers contend that the recent arguments of some UK pension funds regarding the need to retain shareholder rights and protections ring hollow, given their apparent willingness to invest in other international markets despite the lower protections and corporate governance standards, coupled with their reduced ‘skin in the game’ in the UK market.
ISS goes on to argue that UK regulators should’ve paid more attention to investors’ negative reaction to multi-class structures in jurisdictions where they’re permitted when deciding whether to permit listings on the LSE. On the other hand, maybe regulators just paid more attention to investors’ actions than their words, since they still seem to gobble up dual class companies’ IPOs whenever they get the chance.
The SEC issued its first fee rate advisory for the 2025 fiscal year. The bad news is that filing fees are going up for the third straight year, but the good news is that they’re rising at a much slower rate than they have during the past two fiscal years. For fiscal 2025, the SEC says that the filing fees will increase from $147.60 per million dollars to $153.10 per million dollars, effective October 1, 2024. That’s a 3.7% increase, but it’s a lot less than the 34% fee increase for fiscal 2024 and the 19% increase for fiscal 2023.
The fee rate advisory points out that the SEC doesn’t set filing fees arbitrarily:
The securities laws require the Commission to make annual adjustments to the rates for fees paid under Section 6(b) of the Securities Act of 1933, which also adjusts the annual fee rates under Sections 13(e) and 14(g) of the Securities Act of 1934, as well as Rule 24f-2 under the Investment Company Act of 1940. The Commission must set rates for the fees paid under Section 6(b) to levels that the Commission projects will generate collections equal to annual statutory target amounts.
The Commission’s projections are calculated using a methodology developed in consultation with the Congressional Budget Office and the Office of Management and Budget. The Commission determined the statutory target amount for fiscal year 2025 to be $864,721,147 by adjusting the fiscal year 2024 target collection amount of $839,771,535 for the rate of inflation.
Yesterday, the SEC approved several rule changes proposed by the PCAOB. The changes address auditors’ general responsibilities in conducting an audit, the use of technology assisted data analysis in audits, and auditor liability. This excerpt from the SEC’s press release summarizes the new rules:
The Commission approved the PCAOB’s new AS 1000, General Responsibilities of the Auditor in Conducting an Audit, along with related amendments to other PCAOB standards, to reaffirm, consolidate, and modernize the general principles and responsibilities of the auditor when conducting an audit. These standards cover such foundational topics as affirming the auditor’s duty to protect investors through the preparation and issuance of informative, accurate, and independent auditor’s reports; the exercise of due professional care, professional skepticism, and professional judgment when performing audits; and compliance with ethics and independence rules.
In addition, the Commission approved the PCAOB’s amendments to AS 1105, Audit Evidence, and AS 2301, The Auditor’s Response to the Risks of Material Misstatement, and conforming amendments, to address the use of technology-assisted data analysis in audit procedures. The amendments specify and clarify auditors’ responsibilities when the auditor uses such analytical tools in conducting audits.
Finally, the Commission approved the PCAOB’s amendment to Rule 3502, Responsibility Not to Knowingly or Recklessly Contribute to Violations, governing the liability of an associated person of a registered public accounting firm who directly and substantially contributes to that firm’s violations of the laws, rules, and standards that the PCAOB enforces. The amendments to Rule 3502 revise from recklessness to negligence the standard for an associated person’s contributory liability, while maintaining the requirement that to be held liable, an associated person must have contributed to the firm’s violation “directly and substantially.”
Commissioner Peirce issued a dissenting statement with respect to the changes to Rule 3502, and Commissioner Uyeda did as well. Both commissioners supported the other rule changes. PCAOB Chair Erica Williams issued her own statement in response to the SEC’s action.
We’ve blogged about these rule changes several times, and they’re not insignificant. Check out this blog for more on the new AS 1000, this blog for the implications of the amendment to Rule 3502, and this blog for information on the amendments to AS 1105 & AS 2301.
The Society for Corporate Governance & EY recently issued a report addressing the evolution of Disclosure Committees. The report updates their 2021 report, and this excerpt from the press release announcing the issuance of the report highlights some of the key findings:
– 60% of disclosure committees now regularly review cybersecurity risk and governance disclosures and nearly 40% now regularly review human capital disclosures, up from 32% and 13%, respectively, in our 2021 survey, likely reflecting increasing regulatory and stakeholder scrutiny and expectations.
– Nontraditional roles, such as the heads of Risk, Human Resources, and Information Security, are increasingly among the regular members of companies’ disclosure committees.
– Nearly half of respondents involve their disclosure committees in determining whether cyber incidents are material and require Form 8-K disclosure, while the balance look to another individual or group of individuals to make that determination.