Last month, I blogged about the DOJ’s new whistleblower program. In February, the DOJ also announced a new AI initiative in which it will seek input from experts in the field of artificial intelligence in order to help DOJ understand and prepare for how AI will affect its mission. This excerpt from a recent CLS Blue Sky Blog post by two McDermott Will lawyers says that these two initiatives have significant implications for corporate boards’ oversight responsibilities:
First and foremost, the initiatives are a reminder of DOJ’s continuing commitment to corporate fraud enforcement and especially of its commitments to individual accountability. Among all the strategic and tactical challenges facing a company, the importance attributed to corporate responsibility is a constant. This may affect the board’s allocation of resources to the compliance function and its expectation of coordination between legal, compliance, and executive compensation functions.
Second, officers and directors will be called on to adjust the corporate compliance program to address an entirely new regime of risks arising from potential whistleblowers who are focused on indications of corporate fraud. Internal controls with respect to potential fraud must be sharpened, and overt efforts to demonstrate “tone at the top” should be increased to convince potential whistleblowers of the organization’s commitment to effective compliance. In addition, 24 Hour “hotline” reporting systems should be improved and anti-whistleblower retaliation protections enhanced.
Third, leadership should request a significant increase in the level of coordination between those responsible for internal direction of the company’s AI efforts and appropriate compliance and risk management executives. Until DOJ more clearly defines “disruptive technology risks,” this coordination should extend not only to the known risks and harms that can arise from AI and related technology, but also to the ways in which AI can be used to facilitate corporate fraud. Without further guidance from DOJ, this could require significant time and resources from the company.
The blog says that companies should expect pushback on coordination efforts from their tech leaders, who may not appreciate the need to address compliance issues, and says that the GC, CCO and CTO can be particularly valuable advisers to the board on its oversight efforts.
Meredith blogged last week about comments made during the “SEC Speaks” conference by Corp Fin General Counsel Michael Seaman concerning the application of the agency’s rules on shell companies in the context of reverse mergers. As part of that discussion, she linked to a Goodwin memo discussing Staff comments on shelf company issues in this context. Over on our Q&A Forum (Topic #11254), a member asked about a statement in that memo concerning the inability of affiliates to use the resale shelf S-1 filed after a reverse merger:
Curious about application of Rule 145(c) to affiliates and the following statement in tcc.net April 3 blog: “No Rule 145(c) Securities on the Form S-1 Resale Shelf: investors who were affiliates of the private company and receive securities of the public company in the RM (i.e., Rule 145(c) securities) will be statutory underwriters with respect to resales of those securities and, as such, the Staff has indicated that such securities may not be included in the Form S-1 resale shelf and instead may be sold only in a fixed price offering in which such investors are named as underwriters in the prospectus.” Seems that Staff may be applying this in contexts where they view the resale as a primary offering. Otherwise, I’m at a loss to see where the fixed price offering requirement is provided by Rule 145(c).
This was my response:
Yes, the Staff does view that situation as involving a primary offering. The problem is that because those shareholders are deemed to be underwriters, the offering is viewed as being an “at the market” offering made on behalf of an issuer that isn’t eligible to use Form S-3 for primary offerings. Only Form S-3 issuers are eligible to engage in a primary “at the market” offering. See Rule 415(a)(4) and Securities Act Rules CDI 612.14.
Last week, Meredith blogged about the debate over the possibility that the SEC’s climate rules might contain a “back door” through which Scope 3 emissions disclosures might be required. During the ABA Business Law Section’s “Dialogue with the Director” held on Friday, Corp Fin Director Erik Gerding confirmed that quantifying Scope 3 emissions in SEC filings is purely voluntary, and that the agency didn’t intend to introduce the possibility of a back door Scope 3 disclosure requirement. That’s welcome reassurance, but at the risk of being accused of seeing ghosts, I still think that some companies may face tough decisions about whether to “voluntarily” disclose Scope 3 emissions data.
In his remarks, Director Gerding acknowledged that while the rules don’t require Scope 3 disclosure, registrants with transition plans or targets & goals incorporating reductions in Scope 3 emissions will need to describe qualitatively how they are managing that process. That’s where I think things might get a little sticky, because the disclosure called for by the relevant Reg S-K line items is pretty granular. For example, Item 1504 requires registrants to address the following in their targets & goals disclosure:
– The scope of activities included in the target;
– The unit of measurement;
– The defined time horizon by which the target is intended to be achieved, and whether the time horizon is based on one or more goals established by a climate-related treaty, law, regulation, policy, or organization;
– If the registrant has established a baseline for the target or goal, the defined baseline time period and the means by which progress will be tracked; and
– A qualitative description of how the registrant intends to meet its climate-related targets or goals.
In addition, registrants must disclose any progress made toward meeting the target or goal and how any such progress has been achieved. Registrants are also required to discuss any material impacts to the business, results of operations, or financial condition directly resulting from the target or goal or the actions taken to make progress toward meeting it, and to provide quantitative and qualitative disclosures about material expenditures and impacts on financial estimates and assumptions directly resulting from the target or goal or actions taken to make progress toward it.
As Sullivan & Cromwell pointed out in its memo on the climate change rules, “[g]iven the broad scope of the disclosure requirements under Item 1504, a company may need to disclose Scope 3 emissions metrics on an annually updated basis if it has a Scope 3 emissions reduction target that has materially affected, or is reasonably likely to materially affect, its business, results of operations or financial condition.”
I think the Staff is likely to take a hard look at Item 1504 disclosures during the review process. In light of Director Gerding’s comments, I doubt very much that the Staff will call for disclosure of Scope 3 emissions data in comment letters, but unless it applies a light touch, some of the comments on Item 1504 disclosure for companies with Scope 3 targets & goals could prove to be difficult to resolve. It seems plausible to me that after going a few rounds with the Staff on these comments, some companies may decide to “voluntarily” disclose Scope 3 data in order to resolve them.
One of the things that makes cybersecurity compliance particularly challenging is the mosaic of privacy and data protection laws and regulations that companies have to comply with. This FEI Daily blog from two PwC partners offers some advice to companies on how to manage their cyber compliance efforts:
There are several regulations at the state, federal and international level that organizations, particularly multinationals, should be focused on: NY DFS 500, the California Privacy Protection Agency’s (CPPA) draft Cybersecurity Audit and Risk Assessment Regulations, the EU’s GDPR and the SEC cyber rules, to name a few. Additionally, there is the anticipated CISA cyber incident reporting rule, coming as soon as March 2024. This patchwork of regulations will likely continue to grow in complexity in the months ahead.
So, how can companies untangle this — and where is the most effective place to begin? Start with understanding which regulations apply to your organization. Then, rationalize the common requirements between them and implement no regrets decisions to address those head on. Then, take stock of unique requirements for various geographies. Lastly, engage in public policy to help influence future regulation.
In this evolving regulatory climate, companies that embrace this new era of transparency are likely setting themselves up for success. Those who shy away from transparency do so at their own reputational risk.
The blog also identifies some other cybersecurity trends to watch in 2024 and offers tips on how companies can boost their defenses. These include investing in tools that will permit companies to scale their cloud security efforts and leveraging generative AI in their threat detection and analysis as well as in their cyber risk disclosure and incident reporting processes.
Don’t miss tomorrow’s free virtual event – “Developments in Human Rights Due Diligence, AI in ESG & Carbon Markets” – hosted by our colleagues at PracticalESG.com. You can register here for this 3-hour program, which will kick off at 12:00 pm Eastern tomorrow. This virtual event features three panels of experts who will provide insights into the intersection between supply chains & human rights due diligence, how AI may transform ESG supplier due diligence, problem solving & reporting, and developments in carbon markets.
These events are free to all – you don’t have to be a member of PracticalESG.com to attend. But if you’re attending events like these, you need the resources that PracticalESG.com provides. Become a member today by clicking here, emailing sales@ccrcorp.com or by calling (800) 737-1271.
We know that many of you experienced significant problems with the live stream of Wednesday’s “The SEC’s Climate Disclosure Rules: Preparing for the New Regime” webcast. We sincerely apologize for the inconvenience and are working with our tech team to ensure this doesn’t happen again. We strive to offer our members high-quality programming in a user-friendly, accessible format. The webcast was excellent, and we think that those of you who listen to the archive – or read the transcript when it’s posted in the next week or so – will agree. However, the technical quality of the live webcast clearly did not live up to those standards, and for that we are truly sorry.
We don’t think simply saying “we’re sorry” is enough, so we’re also trying to make amends as best we can. Our team hustled to get the on-demand audio replay of the webcast posted as soon as possible. I’m pleased to say that it’s now available and does not have any of the audio problems experienced with the live feed. We are also applying for on-demand CLE credit for the webcast, so those of you who were counting on picking up credit for the webcast should be able to do that as well (pending approval from your state). You’ll need to follow the instructions on the webcast’s landing page to apply for on-demand CLE credit.
We sincerely appreciate your continued support of our sites and deeply value your membership. We will continue to strive to provide you with the quality resources and programming that you’ve come to expect from us, and we’re working hard to ensure that we don’t experience a problem like this again.
Last week, Meredith discussed the lawsuits filed by various Red State AGs seeking to invalidate the SEC’s climate disclosure rules. She also said that environmental groups like the Sierra Club were planning to launch challenges of their own, and sure enough, the Sierra Club filed a petition for review with the DC Circuit yesterday. As this excerpt from the Sierra Club’s press release announcing the filing explains, their problem with the rule is that it doesn’t go far enough:
The Sierra Club and the Sierra Club Foundation manage millions of dollars in investments for their respective organizations, including employee 401Ks. In addition, the Sierra Club represents millions of members and supporters, many of whom have significant investments of their own. These investors cannot adequately manage their investments without complete information on publicly-traded companies’ vulnerability to climate-related risks, including greenhouse gas emissions profiles. By allowing companies to selectively report their emissions, the SEC has fallen short of its statutory mandate to protect investors, maintain fair, orderly, and efficient markets, and promote capital formation.
The Sierra Club and Sierra Club Foundation affirm the SEC’s fundamental legal authority to require climate-based disclosures and call on the agency to fulfill its obligation to protect investors.
That last paragraph appeared in bold face in the original as well, and I think it’s interesting that the petitioners chose to emphasize that language. Perhaps they were trying to convince people (or even themselves) that a lawsuit like this doesn’t necessarily invite the DC Circuit to join some of its more conservative siblings in chipping away at the SEC’s authority.
On the other hand, maybe the Sierra Club’s action is a little more strategic – and shrewd – than it first appears. As this Vinson & Elkins memo points out, all of the various lawsuits challenging the rule will be consolidated into a single circuit court challenge based on a lottery system. So, while I’m sure the Sierra Club sincerely wants more demanding disclosure rules, one of its main objectives in filing may be to buy the regulator-friendly DC Circuit a ticket to that lottery.
Last November, Liz blogged about an attempt by a hacker group to exploit the SEC’s new Form 8-K cybersecurity disclosure rules to extort money from a company by threatening to go to the SEC and tell the agency that the company failed to disclose a material hack. The same group apparently tried that tactic again in December and again last month. This recent Woodruff Sawyer blog highlights how this new threat puts public companies in a tough spot:
Companies were already very concerned that the four-day disclosure rule would cause chaos. The idea that the hackers themselves would weaponize the rule, however, is an entirely new twist on what is already a fraught situation. Any hacker worth the name will take the position that their hack is material—but that doesn’t necessarily make it so.
However, in a world where attackers themselves are alerting the SEC, it becomes increasingly challenging to dismiss any cyberattack as inconsequential. We all understand that hackers are using the whistleblower tactic to throw companies back on their heels and pressure them into paying the requested ransom as soon as possible.
It’s a cliché for a reason: the question is not whether you will be hacked, but when. With this in mind, it’s best to be proactive about putting in place the resources you will need to defend yourself.
The blog offers a list of 10 steps a company should take to reduce cyber liability risk and says that companies that take an active approach to managing cyber risk will be in the best position to respond swiftly to a breach and minimize the disruption to their business & the risk of subsequent litigation.
Our friends at Weil let us know the sad news that corporate governance legend Ira Millstein passed away on Wednesday. Here’s an excerpt from the firm’s announcement of his passing:
International law firm Weil Gotshal & Manges, LLP is saddened to announce today that our partner Ira M. Millstein died yesterday evening. He was 97 years old.
Mr. Millstein joined Weil in 1951, after spending two years at the Antitrust Division of the Justice Department in Washington, D.C. He was the Firm’s 11th partner. He played a key role in developing Weil into the full-service international corporate law firm it is today, and we credit him with helping to instill Weil with its unique culture of entrepreneurship, teamwork, camaraderie and the commitment to the greater community that remains today.
“The legal community has lost a true visionary,” said Weil Executive Partner Barry Wolf. “We mourn the loss of our partner and friend, and celebrate his achievements and his role in shaping Weil into the Firm it is today.”
If you take a moment to click on the link to the bio included in Weil’s announcement, you’ll begin to get a sense of just how towering a figure Ira Millstein was. In addition to his many accomplishments as a practitioner, Mr. Millstein was noted for his philanthropy and community service. He was also a formidable intellect who authored numerous books and articles on corporate governance topics, and he founded the Ira Millstein Center for Global Markets and Corporate Ownership at Columbia Law School. Here’s a video in which he reflects on his life, career, and the Millstein Center.
All of us here at TheCorporateCounsel.net extend our sincere condolences to Ira Millstein’s friends and family, as well as to all of his colleagues at Weil. He will most assuredly be missed by everyone in the legal and corporate governance community.
The Delaware Chancery Court has made it clear that officers as well as directors are subject to oversight responsibilities under Caremark, but while a lot of ink has been spilled providing advice to boards about their oversight responsibilities, I haven’t seen much guidance for officers on their oversight responsibilities. This excerpt from a recent Seyfarth memo on avoiding oversight claims helps to fill that gap:
Officers are generally most at risk concerning oversight claims by failing to monitor issues and risks in those areas which are within the officer’s scope of authority. Officers (including senior officers) should ensure that they are well-apprised of the risks that the company faces within the scope of their duties and have systems in place to monitor information concerning such issues and risks. Some action items that officers can take to mitigate the risk of an oversight claim include:
1. Identify Business Risks Within their Scope of Authority. Officers should identify “mission critical” issues and risks within their scope of responsibility and implement procedures for reporting any significant ones. Officers should also ensure proper controls are in place to help identify any significant problems within their scope of authority.
2. Get Regular Reports on Material Issues and Risks. Just as directors should have systems in place to regularly receive reports concerning material issues and risks, so too should officers see to it that they are appropriately informed.
3. Consider with Legal Advice What Records Should be Kept of Oversight and Compliance Issues. Just as with directors, officers should have a system in place to address important issues and risks and actively monitor and utilize that system. This can include, where pros and cons are carefully considered, memorializing the subject of certain meetings that report on such items as well as memorializing in written reports made to a CEO. We also recommend an attorney review any officer’s reports to the board to help avoid unhelpful or inaccurate memorialization.
The memo reminds readers that Delaware case law indicates that “barring extreme facts,” oversight claims only extend to matters within the scope of the officer’s responsibilities and that the standard for oversight claims against officers is the same as it is for directors. It also points out the need for companies to ensure that they have adequate D&O insurance to protect directors and senior officers against potential oversight claims.