On Tuesday, the SEC announced an enforcement action against RR Donnelley & Sons arising out of alleged disclosure and internal controls violations associated with a series of cyber incidents occurring in November and December 2021 that resulted in a hacker obtaining information belonging to 29 of the company’s clients. This excerpt from the SEC’s press release explains the basis for the action:
According to the SEC’s order, data integrity and confidentiality were critically important to RRD’s business. Because client data was stored on RRD’s network, its information security personnel and the third-party service provider RRD hired were responsible for monitoring the network’s security. However, according to the order, RRD failed to design effective disclosure controls and procedures to report relevant cybersecurity information to management with the responsibility for making disclosure decisions, and failed to carefully assess and respond to alerts of unusual activity in a timely manner.
The order further finds that RRD failed to devise and maintain a system of cybersecurity-related internal accounting controls sufficient to provide reasonable assurances that access to RRD’s assets – its information technology systems and networks – was permitted only with management’s authorization.
Under the terms of the SEC’s order in the case, the company consented, on a neither admit nor deny basis, to the entry of a C&D enjoining future violations of Exchange Act Section 13(b)(2)(B) and Rule 13a-15(a). In addition, the company agreed to pay a civil monetary penalty of $2.125 million.
In a dissenting statement, Commissioners Peirce and Uyeda again challenged the SEC’s use of Section 13(b)(2)(B) in a setting not involving accounting controls:
The Commission’s order faulting RRD’s internal accounting controls breaks new ground with its expansive interpretation of what constitutes an asset under Section 13(b)(2)(B)(iii). By treating RRD’s computer systems as an asset subject to the internal accounting controls provision, the Commission’s Order ignores the distinction between internal accounting controls and broader administrative controls. This distinction, however, is essential to understanding and upholding the proper limits of Section 13(b)(2)(B)’s requirements.
If this objection to an expansive interpretation of Section 13(b)(2)(B) sounds familiar, that’s because it’s one that these same two commissioners raised in response to two prior enforcement actions – the SEC’s 2020 enforcement action against Andeavor and its 2024 enforcement action against Charter Communications.
Here’s the final installment in our series of guest blogs on AI Related Disclosures by Orrick’s J.T. Ho, Bobby Bee and Hayden Goudy:
AI-related Business and MD&A Disclosure. Several companies in the S&P 500 mentioned AI in the Business or MD&A sections of their most recent 10-K, tying AI to their main products and services or to key business updates. While less common than an AI-related risk factor, 40% of the S&P 500 had an AI-related disclosure in the Business or MD&A sections of their most recent 10-K, an increase from 30% in the previous period.
AI-related disclosure in the Business or MD&A sections of the 10-K varied significantly by industry. For instance, 85% of companies in the information technology sector made an AI-disclosure in the Business or MD&A sections, compared to 56% of companies in the financial sector and 38% of companies in health care.
As more companies adopt AI in their operations, products and services, we expect more references to AI in the Business and MD&A sections of 10-Ks across the S&P 500.
Limited Disclosure in the Proxy Statement. AI-related disclosure in the proxy statement across the S&P 500 was limited. While more than 39% of companies in the S&P 500 mentioned AI in their most recent proxy statement, a significant proportion of references were to new AI-related products or the role that AI was playing as part of a business transformation. Additionally, 24% of the S&P 500 disclosed director-level AI-related expertise or experience in their most recent proxy statement.
However, a much smaller percentage of companies in the S&P 500, approximately 9%, disclosed the role of the board or its committees in overseeing AI-related risks.
For companies that disclosed board or committee oversight, the allocation of that responsibility varied.
The most common approach was at the full board level – 18 companies in the S&P 500 disclosed a clear role for the full board in overseeing AI-related risks. The second most common approach was for the Audit Committee to oversee AI-related risk.
We’re really looking forward to returning to an in-person format for our upcoming Proxy Disclosure and Executive Compensation Conferences to be held in San Francisco on October 14th and 15th. Our agenda is always topical, and this year is no exception. Here’s a taste of what we have in store for you:
– If you’ve been following this week’s blogs on AI-related disclosure issues, you won’t want to miss our “Governing and Disclosing AI” panel
– Our “Cyber Incidents: Handling Real Time Reporting” panel will offer insights to keep you out of the Division of Enforcement’s cross-hairs when it comes to cybersecurity issues.
– Our “Living with Clawbacks – What Have We Learned?” panel will bring you up to speed on how companies are adjusting to the clawback listing standards and the emerging issues they are encountering.
Of course, we’ll also have panels addressing the latest developments in shareholder activism, climate disclosure, key 10-K and proxy disclosures, perks, navigating ISS & Glass Lewis. You’ll hear insights on proxy disclosure and executive comp hot topics from our “SEC All-Stars” and have the opportunity to listen to Dave interview Corp Fin Director Erik Gerding. As always, we’ll also have a little fun – this year, it’s in the form of a “Family Feud”-style “lightning round” ame show that we think you’ll really enjoy.
We hope many of you will join us in San Francisco! Register by July 26th to lock in our “early bird” deal for individual in-person registrations ($1,750, discounted from the regular $2,195 rate). If traveling isn’t in the cards, we also offer a virtual option so you won’t miss out on the practical takeaways our speaker lineup will share. (Also check out our discounted rate options for groups of virtual attendees!) You can register now by visiting our online store or by calling us at 800-737-1271.
Yesterday, the SCOTUS granted a cert petition filed by NVIDIA seeking review of the 9th Circuit’s decision in E. Ohman J:Or Fonder AB v. NVIDIA Corp., (9th Cir.; 8/23), concerning the PSLRA’s heightened pleading requirements for allegations of falsity and scienter. In its cert petition, NVIDIA pointed out that plaintiffs often try to meet the PSLRA’s heightened pleading requirements for falsity & scienter by alleging that internal documents contradict a company’s public statements, and that the 9th Circuit’s ruling presented two questions that have divided the circuits concerning how the PSLRA’s pleading requirements apply in this “common and recurring context”:
1. Whether plaintiffs seeking to allege scienter under the PSLRA based on allegations about internal company documents must plead with particularity the contents of those documents.
2. Whether plaintiffs can satisfy the PSLRA’s falsity requirement by relying on an expert opinion to substitute for particularized allegations of fact.
NVIDIA went on to note that, with respect to the pleading requirement for alleging scienter based on internal documents that contradict public statements, five circuits have held that the statute requires to allege the contents of those documents with particularity, while two (now including the 9th) have held that plaintiffs may allege scienter “merely by hypothesizing about what those documents ‘would have’ said.” As to the falsity requirement, NVIDIA pointed out that two circuits have held that plaintiffs can’t satisfy the PSLRA’s pleading standards by substituting an expert opinion for particularized allegations of fact, so the 9th Circuit’s decision permitting plaintiffs to do that creates a split.
By the way, the case caption isn’t a typo, “E. Ohman J:Or Fonder AB” is the correct name of the lead plaintiff. For some odd reason, today is my day for blogs involving parties with names that look like typos to American eyes. Over on DealLawyers.com, I blogged about an EC investigation of a deal under the EU’s Foreign Subsidy Rule in which for some reason the regulators decided to abbreviate the name of Emirates Telecommunications Group Company PJSC as “(e&)”.
Here’s the second installment in our series of three guest blogs on AI Related Disclosures by Orrick’s J.T. Ho, Bobby Bee and Hayden Goudy:
Corporate Disclosure Trends We identified AI as one of the fastest growing disclosure topics in SEC filings across the S&P 500, with a rapidly growing number of companies disclosing AI-related risk factors in the 10 K. However, disclosure of AI-related oversight at the board and management level in the proxy statement significantly lagged disclosure of AI-related risks in the 10-K.
Companies Disclosed AI-Related Risks More Often Than AI Oversight. We found a gap between the prevalence with which companies in the S&P 500 disclosed significant or material AI-related risks and the prevalence with which they disclosed board and committee oversight of those risks in the proxy statement. Together with growing investor and activist interest, we expect increasing pressure from a range of stakeholders on public companies to address this gap, including pressure to develop and disclose an approach to AI oversight at the board or committee level.
AI-related Risk Factors.The most common type of AI-related disclosure in SEC filings across the S&P 500 was an AI-related risk factor. Nearly 60% of the S&P 500 disclosed an AI-related risk factor in their most recent 10-K. This was a major increase from the previous reporting period, where only 16% of the S&P 500 disclosed an AI-related risk factor.
Most relevant risk factors in the S&P 500 were not focused solely on AI. Instead, we found that references to AI were generally integrated into existing risk factors. Companies included AI-related references into risk factors addressing:
– Cybersecurity risks, such as higher levels of exposure due to threat actors using AI, or a higher likelihood of a data breach due to the use of AI tools.
– Operational and business risks, such as higher costs from adopting AI technology or potential loss of market share from AI-driven disruption.
– Potential harm to the company brand and reputation from intellectual property disputes involving AI.
– Costs or risks associated with AI regulations.
The final installment of this series will address AI-related Business and MD&A disclosure, as well as practices regarding AI-disclosures in proxy materials.
The latest issue of The Corporate Counsel has been sent to the printer. It is also available now online to members of The CorporateCounsel.net who subscribe to the electronic format. The issue includes the following articles:
– Supreme Court Weighs in on MD&A Disclosure: Should You Revisit Your MD&A Now?
– Navigating Item 601(b): Material (and Other) Agreements
Please email sales@ccrcorp.com to subscribe to this essential resource if you are not already receiving the important updates we provide in The Corporate Counsel newsletter.
We’re off tomorrow for the Juneteenth holiday. Our blogs will be back on Thursday.
Al disclosure is a topic that’s getting a lot of attention from investors and a lot of scrutiny from the SEC. That’s why we pleased to bring you this week a series of three guest blogs on AI disclosure practices among the S&P 500 by Orrick’s J.T. Ho, Bobby Bee and Hayden Goudy:
The growth of generative artificial intelligence (AI) is transforming business, sparking a rise in public company disclosure and considerable investor interest. A growing number of companies are disclosing AI capabilities, opportunities and risks in filings with the Securities and Exchange Commission (SEC). At the same time, the SEC has demonstrated its commitment to combat “AI washing” – the practice of overstating or falsifying AI usage – with enforcement actions against several investment advisors signaling the start of a broader effort to police AI-related disclosures.
Activist investors are also interested in AI-related risks. Several shareholder proposals requesting disclosure of AI-related oversight have received high levels of support at recent annual shareholder meetings.
Our review of SEC filings from the S&P 500 for the 12 months ending April 30, 2024, paints the portrait of an evolving landscape when it comes to AI-related disclosures. It reveals trends in:
(Including in proxy statements and in the “Risk Factors,” “Business” and “Management Discussion and Analysis” (MD&A) sections of annual reports on Form 10-K)
What Public Companies Should Consider Doing Now
Relevant disclosure is not only appropriate but often necessary when AI becomes a material aspect of a company’s business. Investors and market regulators expect transparency, effective governance oversight and effective risk management over the numerous ways that companies are developing and deploying AI. Misrepresenting AI capabilities and failing to properly oversee risks could severely damage investor trust and lead to lawsuits and regulatory action.
Where AI has a significant impact on the business, public companies should:
– Validate AI statements and develop effective disclosure controls and procedures to support the accuracy of public AI-related disclosures.
– Develop governance structures to identify and manage AI-related risks at both the board and management level, and disclose both significant AI-related risks and oversight of those risks in required SEC disclosures.
A Closer Look at Investor Activity and Corporate Disclosure Trends
In the sections that follow, we examine AI-related disclosure trends in SEC filings across the S&P 500. We also explore the expectations of proxy advisors and activist investors, share data on increasing references to AI in annual reports on Form 10-K and highlight a potential gap in proxy statement disclosures regarding AI oversight.
Emerging Investor Expectations
While AI is an emerging priority for many investors, institutional asset managers and proxy advisors generally have not established formal guidelines regarding oversight of AI by the board or its committees.
Several major investors have identified AI as a significant opportunity for their investment activities, but most U.S.-based investors have not articulated specific expectations for oversight and management of AI by public companies.
The proxy advisors Glass Lewis and ISS have identified AI as a relevant area for future policy development, but currently approach AI-related matters on a case-by-case basis. For the limited number of AI-related shareholder proposals voted on to date, Glass Lewis and ISS generally consider the following criteria when making recommendations:
Activist Investor Interests
Activist investors are also interested in AI-related issues.
We identified 13 shareholder proposals related to AI submitted in the 2024 proxy season. These proposals ask for disclosure on topics including the use of AI in company product and operations, the role of the board in overseeing AI and the prevalence of AI-related risks. Several AI-related proposals have received the support of 20 percent or more of votes cast at an annual shareholder meeting.
We expect AI-related shareholder proposals to continue to be an agenda item for activist investors, especially for companies that experience AI-related controversies or have business models at risk due to the potential impact of AI.
Be sure to check out the next installment of this three-part series, which will focus on AI-related risk factor disclosures.
Tune in at 2 pm Eastern tomorrow for the CompensationStandards.com webcast – “Proxy Season Post-Mortem: The Latest Compensation Disclosures” – to hear Mark Borges of Compensia, Dave Lynn of CompensationStandards.com and Goodwin & Ron Mueller of Gibson Dunn discuss the ins and outs of compensation disclosures during the 2024 proxy season. They’ll cover:
The State of Say-on-Pay During the 2024 Proxy Season
Highlights and Tips from this Year’s CD&As
Best Practices for Disclosing Incentive Compensation Adjustments and Outcomes
Trends in Disclosure Regarding Operational and Strategic Metrics
Pay-versus-Performance: SEC Staff Guidance Issues and Year 2 Enhancements
Perquisites Disclosure and Recent Enforcement Focus
Shareholder Proposals – Company Strategies; No-Action Trends; Activists and Universal Proxies
Proxy Advisory Firms – Is Their Influence Starting to Wane?
Rule 10b5-1 Plan Disclosure Developments
Pending SEC Rulemaking
Members of CompensationStandards.com are able to attend this critical webcast at no charge. If you’re not yet a member, subscribe now. If you need assistance, send us an email at info@ccrcorp.com – or call us at 800.737.1271.
We will apply for CLE credit in all applicable states (with the exception of SC and NE, which require advance notice) for this 90-minute webcast. You must submit your state and license number prior to or during the program using this form. Attendees must participate in the live webcast and fully complete all the CLE credit survey links during the program. You will receive a CLE certificate from our CLE provider when your state issues approval, typically within 30 days of the webcast. All credits are pending state approval.
The Exchange Act celebrates its 90th birthday on June 6th. Among other things, that statute created the SEC (the FTC was the original regulator under the Securities Act). The SEC is commemorating that milestone with a webcast event featuring two panels, one comprised of former SEC chairs, and another featuring historian Michael Beschloss, legal scholar Joel Seligman, and former Maryland lieutenant governor Kathleen Kennedy Townsend. Lt. Gov. Townsend is also the granddaughter of the SEC’s first chair, Joseph Kennedy.
The SEC has a rich history that you can learn quite a bit about by visiting the SEC Historical Society’s website. For example, this excerpt from the website’s discussion of the early days of the SEC provides a reminder that strong policy disagreements among commissioners are nothing new:
The Securities Exchange Act required a bipartisan Commission. The two Republicans appointed by Roosevelt were highly experienced: George C. Mathews had directed the Wisconsin Public Utilities Commission before joining the FTC; and Robert E. Healy sat on the Vermont Supreme Court and ran an FTC investigation of public utility holding companies before joining the Commission.
Not surprisingly, some conflict arose during the sessions that the Commission held nearly every day during its first three months. Pecora continually pushed for a more adversarial approach, hoping that further revelations would lead to greater reform. Owing to his public utilities knowledge, Healy sympathized, but sided with Kennedy in the end. Landis and Mathews both agreed with the Chairman that the SEC could best establish its legitimacy and further constructive reform by easing regulations and accommodating business.
Although he respected the Chairman’s abilities, Pecora tired of being in the minority and resigned after six months. For the remainder of Kennedy’s tenure, the four Commissioners handled the heavy load alone.
The Library of Congress also has resources devoted to the Exchange Act and the SEC, including this blog on how the agency’s activities have made public company information more transparent and broadly available, and this group photo of the first commissioners.
Seated, left to right: Ferdinand Pecora, Joseph P. Kennedy, James M. Landis. Standing, left to right: George C. Matthews, Robert F. Healy.
The last time we checked in on the PPP loan program we found that the SBA had concluded that the level of fraud was apparently massive & that the loan forgiveness process was snarled in red tape. Now, bankrupt small business lender Kabbage, which was one of that program’s largest lenders, has agreed to pay up to $120 million to the federal government in order to resolve fraud allegations raised by the US Attorney for the District of Massachusetts. Here’s an excerpt from the US Attorney’s press release announcing the settlement:
The first settlement, which provides the United States with a claim for recovery of up to $63.2 million, resolves allegations that Kabbage systemically inflated tens of thousands of PPP loans, causing the SBA to guarantee and forgive loans in amounts that exceeded what borrowers were eligible to receive under program rules. As part of the settlement, KServicing Wind Down Corp. admitted and acknowledged that Kabbage double-counted state and local taxes paid by employees in the calculation of gross wages; failed to exclude annual compensation in excess of $100,000 per employee; and improperly calculated payments made by employers for leave and severance.
The United States alleged that Kabbage was aware of its errors as early as April 2020, yet Kabbage failed to remedy all incorrect loans that had already been disbursed and continued to approve additional loans with miscalculations. The resolution also provides for Kabbage to receive a $12.5 million credit for payments it previously returned to the SBA during the Department’s investigation of this alleged misconduct.
The second settlement, which provides the United States with a claim for recovery of up to $56.7 million, resolves allegations that Kabbage knowingly failed to implement appropriate fraud controls to comply with its PPP and BSA/AML obligations. In particular, the United States allege that Kabbage removed underwriting steps from its pre-PPP procedures in order to process a greater number of PPP loan applications and maximize processing fees.
The government further alleged that Kabbage knowingly set substandard fraud check thresholds despite knowledge of SBA’s concerns that fraudulent borrowers might seek to benefit from the PPP; relied on automated tools that were inadequate in identifying fraud; devoted insufficient personnel to conduct fraud reviews; discouraged its fraud reviewers from requesting information from borrowers to substantiate their loan requests; and submitted to the SBA thousands of PPP loan applications that were fraudulent or highly suspicious for fraud.
During the pandemic, we blogged about Kabbage’s problematic PPP loans to purported agricultural businesses located on Long Beach Island, NJ. In addition to being my summer vacation destination of choice, LBI has recently achieved notoriety for another summer resident’s regrettable outdoor decoration choices. Anyway, I can assure you that LBI has miles of beaches, and plenty of ice cream shops, seafood markets, restaurants and delis – but like most beach communities, it’s pretty devoid of agricultural businesses, unless the Wawa in Ship Bottom somehow counts.
