The SEC hasn’t acted on its recent cybersecurity rulemaking proposal, but it seems apparent that any rules the agency adopts will ratchet up the demands on companies to effectively manage cyber risks & promptly disclose material cybersecurity incidents. Since that’s the case, this Woodruff Sawyer blog offers up some suggestions on what issues boards should be thinking about now in order to position their companies to comply with these new demands.
The SEC’s proposal to require 8-K disclosure of material cybersecurity incidents within four business days “after the registrant determines that it has experienced a material cybersecurity incident” creates a couple of issues that will require board attention. This excerpt explains:
– Companies may need to bolster the efficiency of their disclosure committees. The proposed four-day rule may be unworkable; boards and management nevertheless have to make every effort to comply. Now is the time for companies to review who is on these committees, as well as what resources they have to be able to comply with the SEC’s proposed timeline for disclosure. Although the rule is four days from a materiality determination, the SEC has made it clear that it will have no patience for companies attempting to slow-walk a materiality determination.
– Companies will want to review how they think about the financial impact of a cyber breach. The four-day rule allows very little time for companies to assess the impact of a cyber incident after it has happened. As a result, the onus will be on companies to attempt to calibrate these costs ahead of time, or at least consider a methodology for doing so.
Other areas that the blog identifies as meriting board consideration include the advisability of adding a cybersecurity expert to the board and reassessing the limits of the company’s cyber insurance policy.
The SEC’s Office of Investor Education and Advocacy announced yesterday that it was launching a series of game show themed PSAs to help investors make informed decisions and avoid fraud. The SEC’s press release makes it crystal clear that this program is being launched with the best of intentions:
One of the goals of the Investomania campaign, which features a 30-second TV spot, 15-second informational videos on crypto assets, margin calls, and guaranteed returns, and interactive quizzes, is to reach existing, new, and future investors of all ages. The campaign encourages investors to research investments and get information from trustworthy sources to understand the risks before investing. The campaign also reminds investors to take advantage of the free financial planning tools and information on Investor.gov, the SEC’s resource for investor education.
That being said, I’m not sure how these PSAs are going to play with their target audience. I’m skeptical that the SEC is “reading the room” well when it comes to the tone of the ads. After all, this campaign comes on the heels of a massive two-year surge in the number of new stock market investors, many of whom have taken a pretty big hit to their wallets over the past several months.
Since that’s the case, I think there’s a risk that a fair number of those investors are going to feel belittled by some of the content – particularly the videos lampooning meme stock & crypto investors. The early returns from social media suggest that’s exactly what’s happening.
Liz has blogged a couple of times about some of the comments on the SEC’s Rule 10b5-1 proposal, and Dave recently hosted a podcast with Stan Keller, who helped draft the ABA comment letter on the proposal. Now, just to make sure you’re completely up to date, here’s a recent Bryan Cave blog that reviews representative comments from the business and investor communities. I’m sure that it will come as no surprise that most investor groups were in favor of the proposal, while most business groups didn’t think much of it.
Among other things, most business groups commenting on the proposal called for shortening or eliminating the proposed 120-day cooling off period, clarifying or narrowing the proposed restrictions on multiple overlapping plans, and eliminate the certification and insider trading plan disclosure requirements. As this excerpt indicates, commenters zeroed in on the SEC’s statements about the potential that gifts might be subject to insider trading liability:
As noted in our December 16 client alert, the SEC included in its proposals a cautionary warning about the timing of gifts of securities. Some commenters strongly objected to the SEC’s warning, noting the absence of any judicial or SEC precedent for its position, and its failure to explain the circumstances where a charitable gift would involve a fraudulent breach of trust and confidence. Instead, a donor should be able to avoid insider trading liability by obtaining the charitable donee’s commitment not to dispose of the securities until any MNPI known by the donor at the time of the donation has become public or stale.”
I’m not a big fan of a number of the proposed changes to Rule 10b5-1, and I’m glad to see that those who actually work with the rule on a regular basis appear to have weighed in during the comment period. We’ll see if they carry any weight with the commissioners.
Determining whether a company has a duty to disclose a governmental investigation is always a complicated process, and the outcome of cases alleging the existence of such a duty depends on the specific facts and circumstances. That being said, you can add the 2nd Circuit’s recent decision in Noto v. 22nd Century Group, Inc. (2d. Cir. 5/22) to the list of cases finding that the plaintiffs sufficiently alleged that a company had a duty to disclose the existence of an SEC investigation. This excerpt from a recent Proskauer blog summarizes the decision and its potential implications:
The Court of Appeals for the Second Circuit yesterday reversed the dismissal of a securities class action alleging fraud based on the defendants’ failure to disclose an SEC investigation into the company’s disclosed financial-control weaknesses. The May 24, 2022 ruling in Noto v. 22nd Century Group, Inc. (No. 21-0347) is fact-specific, requiring disclosure of the investigation because the defendants (i) had disclosed the accounting deficiencies that had led to the investigation, (ii) had said they were working on the problem, and (iii) eventually had said they had resolved it, even though the SEC investigation had been pending during that entire period.
The Noto decision could affect disclosure assessments where issuers disclose an underlying accounting problem or other deficiency but are debating whether they must also disclose a pending SEC or other governmental investigation related to that specific problem. Depending on the facts and circumstances of the particular situation, a court might hold that failure to disclose the governmental investigation makes the disclosure of the underlying problem materially misleading because nondisclosure of the investigation could cause reasonable investors to make “an overly optimistic assessment of the risk” posed by the underlying problem.
This Goodwin blog discusses the distinction between “non-GAAP financial measures” (NGFMs) subject to Reg G and Item 10(e) of S-K, and other disclosures that, while they aren’t GAAP numbers, aren’t subject to the requirements imposed by those rules. Here’s an excerpt:
In very general terms, a NGFM is a numerical financial measure that reflects adjustments not permitted or required by GAAP. Because the application of this definition may not always be clear, Regulation G specifically excludes operating and other financial measures and ratios and statistical measures calculated using financial measures calculated in accordance with GAAP and/or the somewhat circular and often less than helpful category of “operating measures or other measures that are not non-GAAP financial measures.” The Financial Reporting Manual, prepared by the Division of Corporation Finance, provides a series of examples, including among others the following:
– operating and statistical measures (such as unit sales, number of employees, number of subscribers), and
– ratios or statistical measures that are calculated using exclusively operating measures or other measures that are not non-GAAP measures (such as dollar revenues per square foot for hotels, same store sales, and revenues per slot machine for casinos, assuming that sales/revenues for each measure is based on GAAP numbers).
The blog provides a reminder that because metrics like these aren’t subject to the requirements that apply to NGFMs, adjustments to them that would be problematic if applied to a GAAP financial measure are not per se problematic in these cases. However, it also points out that Rule 10b-5 applies to these statements and the SEC’s guidance on disclosure of KPIs should also be kept in mind.
Last year, Audit Analytics reported that 2020 saw the lowest percentage of financial restatement disclosures (Big R & Little r) in the 20 years that Audit Analytics has been monitoring those disclosures. According to this year’s report from Audit Analytics, things were very different in 2021. Restatements soared, and you can blame that entirely on SPACs. Here are some of the highlights:
– After declining for many years, the total number of restatements and the number of unique companies that disclosed a restatement last year rose to their highest levels since 2006. Total restatements increased by 289%, and unique companies that disclosed a restatement rose by 194%.
– The number of restatements filed increased significantly to 1,470, due to SPAC restatements. 77% of all restatements last year were SPAC-related, and excluding those restatements, there was a 10% year-over-year decrease.
– 62% of restatements were “Big R” reissuance restatements. Again, SPACs distort the picture here – backing out SPAC restatements, 24% were Big R, but that’s still up 3% over the prior year.
– The top reason for restating last year in both SPAC & non-SPAC settings was debt and equity accounting issues. Revenue recognition held the top spot for each of the three prior years
As always, the report contains a lot of other data on restatements, including the impact of restatements on net income, the average length of time required to restate financials and the average days restated.
On Friday, the SEC announced that Investor Advocate Rick Fleming will be leaving the agency effective July 1, 2022. He was appointed to serve as the first director of the Office of the Investor Advocate in 2014 and has served in that capacity for the last eight years. This excerpt from the SEC’s announcement summarizes his accomplishments:
As the Investor Advocate, Mr. Fleming has built an office responsible for assisting retail investors in their interactions with the Commission and self-regulatory organizations (SROs), analyzing the impact on investors of proposed rules and regulations, identifying problems that investors have with financial service providers and investment products, and proposing legislative or regulatory changes to promote the interests of investors. In addition, he has introduced a new program to utilize surveys and other research methods to help the Commission understand the needs of investors.
One thing that Rick Fleming has not been during his tenure is a shrinking violet. Among other things, he’s been an outspoken critic of dual class structures & has recently called upon the stock exchanges to tighten SPAC listing standards. OIA Chief Counsel Marc Sharma help administer the Office’s functions until a new Investor Advocate is appointed.
There seem to be plenty of interesting and engaging jobs at the SEC, but there are two that I know for sure I’d never want. The first is the poor soul who picks up the phone at the number the SEC tells you to call when EDGAR is on the fritz, and the second is the person in charge of the SEC’s social media accounts. In fairness, the problem doesn’t appear to be all of the SEC’s social media accounts – just those on Twitter, the world’s most popular “rage-as-a-service” platform.
Any tweet, no matter how innocuous, from the SEC or any of its commissioners results in an avalanche of frothing-at-the-mouth replies from the most unhinged corners of the Internet. For instance, check out the replies to this tweet announcing the very controversial news that last week’s open meeting was about to start.
See what I mean? The typical person who shows up in the mentions seems to a crypto-meme stock enthusiast and devoted Alex Jones listener who’s convinced that Gary Gensler, Jay Clayton and Bill Hinman are corrupt acolytes of the New World Order and that they were also probably involved in the JFK assassination.
How’d you like to have to deal with this stuff every time you tweeted something? Can you imagine when this poor slob gets home from work – “How was your day, dear?” “Well, not too bad – @cryptocthulhu666 and @diamondhandsboredape only posted 12 memes of Gary Gensler in a clown suit today.” Maybe this kind of job is your cup of tea, but I’ll take a hard pass!
Oh, and it doesn’t appear to pay to court these folks. Commissioner Peirce has been viewed as a champion by many in the crypto-crowd, and she accepted the “Crypto Mom” moniker they bestowed upon her with grace & good humor. But that still didn’t stop the Internet people from creating a bunch of scam Instagram accounts under her name.
Directors are fiduciaries and have the responsibility for overseeing the business and affairs of the company. In keeping with those responsibilities, directors generally have a right to see any corporate information they want, including information that’s subject to the attorney-client privilege. But this ArentFox Schiff memo says that right is subject to certain exceptions. This excerpt explains:
In many jurisdictions—including Delaware, Illinois, Virginia, D.C., and Massachusetts—a director cannot obtain privileged company records where the director seeks them for an improper purpose. Jurisdictions such as Delaware and Massachusetts also restrict a director’s access to privileged communications where the director is acting adversely to the company’s interests. Similarly, under California law, a director generally cannot obtain the company’s privileged communications relating to a lawsuit the director filed against the company.
Courts conduct a fact-intensive inquiry to determine whether a director has an improper purpose for Courts conduct a fact-intensive inquiry to determine whether a director has an improper purpose for inspection or is acting adversely to the company. That inquiry involves considering whether the company has specific evidence—beyond anticipating the director may sue the company—of an improper purpose or adversity. For example, evidence that a director seeks to access privileged company records to harass the company or to force a buyout of the director’s shares at a premium may be sufficient to prevent the director from accessing those records.
Further, it is not sufficient for the company to show that the director is acting adversely to other directors. Instead, the company must show that the director is acting adversely to the company.
The memo goes on to offer several proactive steps that companies might take to shield corporate records from directors in order to avoid the fact-intensive inquiry described above. These include appointing a special committee to deal with a dispute involving a director as soon as it arises and having that committee retain its own counsel.
On a related topic, be sure to check out Keith Bishop’s blog on the issue of whether directors of a corporation are “joint clients” of a lawyer for the company.
If you’ve ever been involved in an internal investigation involving a potentially substantial issue, you know that it’s virtually impossible to avoid sharing information about that investigation with the company’s independent auditors. But if you do that, do you risk losing privilege in the event of subsequent litigation? This Perkins Coie blog says that at least some courts have answered that question in the affirmative:
Although not in the majority, courts have concluded that independent auditors in fact have an inherently adversarial relationship with the companies they audit. Compare Medinol, Ltd. v. Boston Scientific Corp., 214 F.R.D. 113, 116 (S.D.N.Y. 2002). As a consequence, companies have a solid basis for fearing a downstream assertion that they waived work product protection over the subject of the information disclosed to their outside auditors. These cases, and the more generally unsettled state of the law on this key issue, create a non-trivial risk that turning over their search terms today could create privilege waiver arguments tomorrow.
The blog says that the good news is that it’s not a foregone conclusion that a court will find that privileged has been waived under these circumstances. This is an issue that has been litigated, and only a minority of courts have taken the position that sharing such information with auditors results in a waiver of work product protection.
