As the number of people and businesses impacted by Hurricane Ida’s devastation continues to grow, it’s worth noting that earlier this week, the SEC issued a press release announcing that it was monitoring the situation and that the Staff will evaluate the appropriateness of providing regulatory relief for those affected by the storm. In 2018, the SEC issued an order granting relief from filing deadlines for companies unable to make their filings as a result of Hurricane Florence. At this point, there’s been no word from the SEC as to whether such relief will be provided here.
As Liz blogged last week, ransomware attacks seem to be multiplying and becoming more audacious with each passing day. In the current environment, managing ransomware risk is a critical component of the board’s cyber-oversight responsibilities. This Woodruff Sawyer blog provides practical tips on developing appropriate protocols to address ransomware threats, and on developing a plan to respond to an attack. This excerpt addresses some of the things to think about when planning to mitigate the risk of ransomware attacks:
Have you set up your systems in a way so that your business can continue to operate after a ransomware attack? This involves ensuring your data and networks can be restored from backups. Increasingly, however, bad actors are finding ways around this, including infiltrating a network and searching for backups right away. If they can encrypt backups, you may have to pay the ransom.
Do you have a detailed incident response plan? This includes knowing who owns the plan within the company and choosing your key response vendors before a cyber event occurs. It is especially important to establish ahead of time your trusted outside counsel and your investor relations team or consultant.
How will you handle communications and disclosures during and after the cyber incident? This is one area where you will want to lean on the guidance of your outside counsel. There is tremendous pressure to say something—anything—during a cyber incident. However, speaking too quickly or not being prepared can lead to ill-advised and incomplete disclosures. Think through various scenarios and consider ahead of time what will be your cadence of communications, what you will say, and who will say it. You will also need to make appropriate disclosures to agencies like the SEC. For more on this, see my colleague Dan Burke’s article on nailing your communications during a cyber event. Remember, too, that the SEC is coming down hard on companies that have executed their communication plans poorly. See recent SEC enforcement actions against First American Title Company and Pearson plc.
In what circumstances would you pay the ransom? There are several considerations when deciding whether to pay a ransom, including if you are able to restore from backups as outlined earlier as well as others highlighted in a recent article by Dan Burke on three things to consider before paying a ransom. You will also want to be sure the person or entity is not on a sanctions list managed by the US Department of the Treasury’s Office of Foreign Assets Control. This list prohibits transactions with certain people or entities as a matter of national security. The agency “may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to US jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.”
The blog also provides insights on whether to contact the government and how to interact with your insurance carrier in the event of a ransomware attack.
By the way, now is a good time to take a hard look at the way you approach cybersecurity governance. That’s because in a speech delivered yesterday, SEC Chair Gary Gensler reiterated previous comments to the effect that the Staff is “developing a proposal for the Commission’s consideration on cybersecurity risk governance, which could address issues such as cyber hygiene and incident reporting.”
Credibility International recently released this report on 2020 SEC & PCAOB enforcement activity relating to financial reporting, auditing, and accountants’ professional responsibilities. Overall, the report says that the SEC and PCAOB brought actions against 125 respondents in new matters. Of these, 62% were brought against individuals and 38% were brought against entities.
In addition to quantitative data on enforcement actions, the report also discusses significant themes of the SEC & PCAOB’s enforcement program. This excerpt includes observations on 2020 actions targeting revenue recognition and related disclosures that didn’t involve alleged GAAP violations:
A second important observation arising from 2020 activity is the prevalence of revenue recognition cases alleging revenue disclosure violations with no related alleged GAAP violation. These cases related to: (1) disclosures about known trends and uncertainties in Management’s Discussion and Analysis of Financial Position and Results of Operations (“MD&A”), and (2) reporting of sales-related key performance indicators (“KPIs”) and the presentation of non-GAAP financial measures related to revenue recognition.
Further, given the SEC’s increased focus in recent years on non-GAAP financial measures and on disclosures contained outside the audited financial statements, we anticipate continued enforcement activity in this area, regardless of whether alleged revenue violations result in material misstatements of GAAP financial statements.
Other major enforcement themes addressed in the report include ICFR & disclosure controls and procedures, gatekeepers, cooperation credit and remediation, and audit firm quality control systems. The report also identifies a number of emerging areas that may become enforcement priorities. These include asset impairment, valuation, earnings management, blank check companies, and COVID accounting and disclosure.
I’m afraid that I have some very sad news to report from our friends at Bass, Berry & Sims:
It is with a heavy heart that we inform you that our friend and Bass, Berry & Sims colleague Jim Cheek passed away last week. He was a legend in the legal industry, especially in the area of corporate and securities law, and he is remembered as an inspiring leader and mentor. His legal acumen and commitment to service and meaningful relationships with clients, colleagues, and friends have shaped our law firm and the broader legal community, and his influence will remain central to that foundation for years to come.
Last year markehisd Jim’s 50th anniversary with Bass, Berry & Sims. As we reminisce about Jim and his impact on the firm, we find solace in knowing we had the opportunity to celebrate his career through a video tribute and dedication of our Nashville boardroom in his honor. We invite you to watch the video, which can be found here, in remembrance of a great man.
I’d like to offer the condolences of everyone here at TheCorporateCounsel.net to Jim’s friends and family. I never had the pleasure of meeting Jim Cheek, but I can tell you that he was a role model and inspiration for me and many other securities law practitioners in the “flyover states.” Despite the concentration of legal talent on the coasts, Jim’s example showed those of us who weren’t in major east or west coast markets that we also could make meaningful contributions to the national dialogue on securities and corporate law issues.
Bass Berry says that it is collecting quotes in remembrance of Jim Cheek that the firm will share with his family. If you’d like to contribute, the firm invites you to email your tribute to tributes@bassberry.com.
Last week, a subcommittee of the SEC’s Investor Advisory Committee weighed in with a set of draft recommendations for Rule 10b5-1 reforms. This excerpt from a recent Sullivan & Cromwell memo summarizes the recommendations, which are expected to be approved at the IAC’s September 9th meeting:
The key proposals in the draft recommendation are (1) the implementation of a four-month cooling-off period before trades may occur under a newly adopted or modified plan, (2) prohibitions on overlapping plans, (3) required disclosures in Current Reports on Form 8-K, Forms 4 and proxy statements, (4) the application of Form 4 requirements to foreign private issuers and (5) the electronic filing of Form 144. Notably, many of these changes, including the four-month cooling-off period, would apply to individual and corporate trading plans, even though much of the scrutiny around trading plans has related to individual plans.
The memo provides details on these and other recommendations, and notes that many of them are consistent with the reform ideas outlined by SEC Chair Gary Gensler in June. However, there are some potential changes that Gensler referenced that aren’t addressed in the draft. These include limits on the ability of insiders to terminate plans while in possession of MNPI, and his cryptic reference to rules addressing “the intersection [of 10b5-1 plans] with share buybacks.” S&C’s memo suggests that we might see a rulemaking proposal as early as this fall.
Last week’s IAC meeting must have been pretty busy, because in addition to the 10b5-1 reform recommendations, it also received a subcommittee’s draft recommendations on enhancing SPAC disclosure. This excerpt from a recent CFO Dive article summarizes the key recommendations:
Based on the draft document, the advisory committee would recommend SPACs be required to:
– describe the role of its sponsor (including “insiders or affiliates such as celebrity sponsors/advisors”), their “expertise and capital contributions,” and any potential conflicts of interest, according to the advisory committee’s draft document;
– enable investors to gauge risks by providing “plain English” disclosure about stages in the SPAC process, including the “promote” to be paid to sponsors and the impact on dilution of shares and;
– detail “the mechanics and timeline of the SPAC process,” including a description of the asset to be purchased, events required during the next two years for the asset to appreciate and the shareholder approval process at the time of de-SPAC.
The draft also includes a recommendation that the SEC publish an analysis of the players in the various SPAC stages, their compensation, and their incentives. Following the publication of that analysis, the IAC may follow-up with additional actions or recommendations regarding SPACs.
If you take the time to read the draft, I think you’ll come away with the sense that the IAC subcommittee is very uncomfortable with how little is known about the post-2019 SPAC market. In particular, with so many SPACs still looking to complete their merger transactions, the draft says that “the greatest risk of SPACs to investors may remain ahead with the merger being a point of significant inflection for investors – and their related risk and returns.”
Speaking of SPACs & SPAC mergers, be sure to tune in to our September 22nd joint webcast with DealLawyers.com on “Navigating De-SPACs in Heavy Seas” to hear our panel of experts discuss the De-SPAC process and the challenges presented by the current regulatory environment.
The Wilson Sonsini report reviews IPO filing, pricing, and value statistics for 123 initial public offerings completed by U.S.-based technology and life sciences companies between January 1 and June 30, 2021. In addition, the report addresses governance provisions, ownership & structure, and defensive measures. There are all sorts of interesting tidbits in here, including this excerpt on dual class capital structures:
Of the 123 companies considered, 36 companies (29.3%) had multiple classes of common stock. Of those 36 companies, 29 were technology companies and seven were life sciences companies. Thirty-two of the 36 companies implemented dual-class common stock. Four companies implemented multi-class common stock, all of which were technology companies. None of the life sciences companies implemented multi-class common stock.
Typically, when a company has multiple classes of stock, one class has more voting power while the other class has limited or no voting rights. Dual- or multi-class stock is often implemented to give existing stockholders—including founders or other executives—more control. However, multiple classes can be implemented for other reasons, including company structuring and regulatory compliance reasons.
Many companies that implement a dual- or multi-class structure with high-vote shares include a sunset provision in the charter where the high-vote shares fall away upon the occurrence of one or more specified conditions, such as the date on which all high-vote shares represent less than a certain percentage of all shares outstanding, after a specified time period, or upon the occurrence of a specific event, such as the death of a founder. Of the 36 companies that had multiple classes of common stock, 28 companies (77.8%) had a sunset provision.
The report also briefly discusses the prevalence and terms of early lock-up releases, concurrent private placements, indications of interest, direct listings, and directed share programs.
Watchdog Research recently reported the results of its analysis of trading by public company executives, which indicated that there’s a correlation between executives dumping large amounts of stock and subsequent securities class action filings. While acknowledging that executives often sell some stock to support their lifestyle, Watchdog assigned a “red flag” to sales involving more than 50% of an executive’s holdings or sales of more than $500K by either the CEO or the CFO. Here’s what they concluded from analyzing those red flag transactions & class action filings over a five-year period:
In our analysis we found that red-flag insider sales nearly doubled the probability that a company would be subject to a securities class action lawsuit in the following year. Interestingly, this correlation between insider sales and securities class actions is significantly weaker if you look at events in the same calendar year. A red-flag insider sale only increases the probability of having a Securities Class Action during the same calendar year by a factor of 1.35.
This disparity in risk between the year the trade is made, and the year following the trade means that the correlation is not simply due to the fact that both red flag insider sales and securities litigation disproportionately affects large companies. The fact that the association between insider sales and securities litigation grows stronger over time has troubling implications. It indicates that executives may be trading on material information concerning potential adverse events as much as a year before that information reaches the public.
Okay, unlike the “shadow trading” insider trading case that Liz blogged about last week, the one announced by the SEC yesterday was pretty prosaic. It basically involved adding a tippee defendant to an ongoing enforcement proceeding. Here’s an excerpt from the SEC’s press release:
The Securities and Exchange Commission announces insider trading charges against Robert J. Maron of Thousand Oaks, California, who generated more than $1 million in profits by trading in the securities of Illumina, Inc. ahead of an October 10, 2016 Illumina financial performance announcement.
The SEC’s amended complaint, filed on August 30, 2021 in the United States District Court for the Southern District of New York, alleges that Martha Patricia Bustos, formerly an Illumina accountant, tipped Donald Blakstad in advance of Illumina’s October 16, 2016 announcement. Blakstad, in turn, tipped Maron, who purchased Illumina securities and realized more than $1 million in profits.
Yes, you’ve seen cases like this a million times, so why am I blogging about it? Well, it turns out that according to the SEC’s press release, the new defendant is a “Calfornia-based watch dealer,” and the chance to pen a headline that was such an easy play on “Who Watches the Watchmen?” was more than my boomer dad brain could resist.
