Author Archives: Liz Dunshee

November 3, 2023

Artificial Intelligence: Consider Your Third-Party Risks

AI has been especially prevalent in the news this week, following the Executive Order that President Biden issued on Monday (here’s the fact sheet). Among other things, the order gives broad leeway to federal agencies to set standards for the use of AI (e.g., the NIST framework) and for the protection of individual privacy. It’s not a stretch to think that this developing issue is on the SEC’s radar.

With that, here’s a good recap of the recent Securities Enforcement Forum from Holly Carr, who spent a decade in the SEC’s Enforcement Division and is now at BDO. On top of Dave’s recent reminder about cyber risks, this jumped out at me on the topic of AI:

On AI, companies should be assessing how not just their use of AI but how the use of AI by others may expose their business to new or increased risks. For example, how are customers or vendors using AI that may impact your organizations’ risk profile.

As John noted a few weeks ago, we’re continuing to post practical governance & disclosure resources in our “Artificial Intelligence” Practice Area. And on the topic of SEC Enforcement, make sure to mark your calendars for our webcast – “SEC Enforcement: Priorities and Trends” – which is less than two weeks away, on November 15th at 2pm Eastern. We’ll hear from Hunton Andrews Kurth’s Scott Kimpel, Locke Lord’s Allison O’Neil, and Quinn Emanuel’s Kurt Wolfe about the Division’s priorities, the latest developments on “gatekeeper” scrutiny, the pros & cons of voluntary reporting & cooperation, and more. CLE credit is available!

Liz Dunshee

November 3, 2023

Crypto: Bringing Down the Hammer . . . Or Not?

I don’t know if you’ve heard, but FTX founder Sam Bankman-Fried has been on trial for the past month. Last night, the jury returned a guilty verdict on all counts, after deliberating for only a few hours. Sentencing is scheduled for March. Here’s more detail from CBS News:

The 31-year-old former cryptocurrency billionaire was convicted of two counts of wire fraud conspiracy, two counts of wire fraud, and one count of conspiracy to commit money laundering, each of which carries a maximum sentence of 20 years in prison. He was also convicted of conspiracy to commit commodities fraud and conspiracy to commit securities fraud, which each carry a five-year maximum sentence.

As my kindergartner would say: “Bruh, I can’t even.” The big verdict caps off a busy few weeks of crypto regulatory news. On the SEC front:

1. The SEC dismissed its lawsuit against Ripple (see Dave’s earlier blog)

2. “Crypto Mom” Hester Peirce published a dissent on the Commission’s enforcement action against LBRY

3. The SEC decided not to appeal the Grayscale ruling, which may open the door to a Bitcoin ETF

Meanwhile, states are also getting in on the action:

4. New York AG Letitia James is accusing the Winklevoss twins (sorry, the Winklevii) of perpetrating fraud through their crypto exchange & crypto “lending platform”

5. California Governor Gavin Newsom signed a law to create a regulatory framework for crypto (following NY’s lead)

6. NASAA filed an amicus brief to support the SEC’s case against Coinbase

This is not an exhaustive list of developments! I am not sure that there is a “big picture” takeaway other than that fraud is still illegal, and as someone mostly observing from the sidelines, I’m also not sure whether these items collectively show that we are moving closer to a world of acceptable digital assets or further away.

Liz Dunshee

November 3, 2023

Women Governance Trailblazers: Cigdem Oktem

In the latest 22-minute episode of Women Governance Trailblazers, Courtney Kamlet & I were delighted to interview Cigdem Oktem, who leads EY’s Center for Board Matters in the US Central Region. She launched EY’s regional approach to help boards and C-suite executives benefit from the practices of their peers and CBM insights. Cigdem is a sought-after speaker and facilitator for board and CEO events around the country and is particularly skilled at using the power of storytelling to help leaders ask the right questions. Listen to hear:

1. Cigdem’s career journey in corporate governance & finance – including her roles as a CFO and as an advisor to boards and audit committees.

2. The biggest governance changes that are happening right now.

3. Tips on sharing information and influencing board behavior.

4. What’s next for the EY Center for Board Matters.

5. What Cigdem thinks women in the corporate governance field can add to the current conversation on the societal role of companies.

To listen to any of our prior episodes, visit the podcast page on TheCorporateCounsel.net or use your favorite podcast app. If there are “women governance trailblazers” whose career paths and perspectives you’d like to hear more about, Courtney and I always appreciate recommendations! Shoot me an email at liz@thecorporatecounsel.net.

Liz Dunshee

November 2, 2023

Share Repurchase Disclosures: SEC Ordered to Fix “Arbitrary & Capricious” Rulemaking

Yesterday’s blog betrayed that I had resigned myself to parsing through exhibits with daily share repurchase data and explaining the reasons for share repurchase programs, under rules adopted by the SEC in May. I stand by the notion of having the mechanics of a share repurchase be consistent with the authorizing board resolution (not a new concept and something you’re probably already doing), but in a stroke of luck, the Fifth Circuit has stepped in to say that we may not need to publicly disclose the details after all. A 3-judge panel issued this opinion – which holds that the SEC acted arbitrarily and capriciously in adopting the final rule, in violation of the Administrative Procedure Act.

The ruling was a partial win for the U.S. Chamber of Commerce, which – as discussed in our May webcast – had challenged the rule on multiple grounds. The court determined that the rule doesn’t violate the First Amendment by impermissibly compelling speech, and that the SEC’s 45-day comment period for this rule was adequate. The problem, in the court’s view, was that the SEC didn’t consider the Chamber’s comments on the rule, which suggested that the Commission quantify the costs & benefits of the proposed rule, even though the Chamber had provided the SEC with new data during the comment period that would have allowed it to do so. From the opinion:

The SEC — by continuing to insist that the rule’s economic effects are unquantifiable in spite of petitioners’ suggestions to the contrary — has failed to demonstrate that its conclusion that the proposed rule “promote[s] efficiency, competition, and capital formation” is “the product of reasoned decisionmaking.”

Additionally, the court went on to say that the supposed benefits of the new disclosure requirements don’t hold water, because the SEC hasn’t shown that opportunistic or improperly motivated buybacks are a genuine problem. According to the court, “That error permeates — and therefore infects — the entire rule.”

Hold off on deleting all your notes on the new requirements, though, because the SEC has 30 days to try to fix the defects in the rule and substantiate its decision to adopt it. My understanding is that the Commission could potentially ask for an extension – or appeal the ruling – but those avenues could be limited since the compliance date is quickly approaching. If the rule is actually vacated following expiration of this remand period, the SEC may be able to appeal that holding. The WSJ noted:

The ruling highlights the legal risks federal agencies face at a time of growing judicial scrutiny of their decisions. SEC Chair Gary Gensler is pushing an aggressive regulatory agenda that has angered American corporations and Wall Street, prompting groups such as the Chamber to challenge several rules in court.

This feels a little like when the SEC’s conflict minerals rule went on life support and nobody quite knew what would be required. The difference is that conflict minerals was struck down on First Amendment grounds, so it continued to exist, but on a much narrower basis. Whereas, if the SEC’s adoption of the share repurchase rule was faulty under the APA – and that’s not corrected – the entire rule would be vacated. We’ll see what the next 30 days bring.

Liz Dunshee

November 2, 2023

Share Repurchases: What Does the Data Say?

In its opinion remanding the SEC’s share repurchase rule, the Fifth Circuit panel noted that the Chamber had submitted data for the Commission to consider. The Chamber did that by way of multiple comment letters that are available on the SEC’s website. One of the newer studies that the Chamber cited to was this one, from a quartet of European professors and part of the Finance Working Paper Series for the European Corporate Governance Institute, which was also summarized last year in this HLS blog. Here’s an excerpt:

The major insight of our paper is that both the timing of buyback programs and the timing of equity compensation, i.e., the granting, vesting, and selling of equity, are largely determined by the corporate calendar. We define the corporate calendar as the firm’s schedule of financial events and news releases throughout its fiscal year, such as blackout periods and earnings announcements. We argue that this calendar determines when firms implement decisions about buyback programs and equity compensation and when firms and CEOs can execute trades in the open market.

As a consequence, share repurchases and equity compensation are positively correlated. However, this correlation disappears once we account for the corporate calendar. Therefore, we conclude that the correlation between share repurchases and equity compensation is spurious and should not be interpreted causally.

Consistent with this insight, we do not find systematic evidence of price manipulation when the CEO’s equity vests or when the CEO sells her vested equity. In conclusion, we find no evidence to support the claim that CEOs systematically misuse share repurchases at the expense of shareholders.

I’m looking forward to people smarter than me describing how they’ve sorted through all of this information.

Liz Dunshee

November 2, 2023

Reverse Splits: SEC Approves Nasdaq Rule Change

Yesterday, the SEC issued an order to approve Nasdaq’s proposal to require a listed company conducting a reverse stock split to:

– Notify Nasdaq about certain details of the reverse stock split at least 5 business days (no later than noon ET) prior to the anticipated market effective date, and

– Make public disclosure about the reverse stock split at least 2 business days (no later than noon ET) prior to the anticipated market effective date.

These changes will be reflected in new Rules 5250(b)(4) and 5250(e)(7), new IM 5250-3, and amended Rule 5250(b)(1) – so once they’re posted to the rulebook, read those for more detail. The Company Event Notification Form will also be updated to reflect the information that a company must disclose to the Exchange about a reverse split. Here’s what happens if you don’t comply:

Additionally, if a company takes legal action to effect a reverse stock split notwithstanding its failure to timely satisfy these requirements, or provides incomplete or inaccurate information about the timing or ratio of the reverse stock split in its public disclosure, Nasdaq will halt the stock in accordance with the procedure set forth in Nasdaq Equity 4, Rule 4120, that provides Nasdaq with the authority to halt trading to permit the dissemination of material news.

Liz Dunshee

November 1, 2023

Share Repurchases: Aligning Your Resolutions & Disclosures

For most companies, if you’re approving or executing buybacks this quarter, it’s important to keep in mind that you’ll have to describe your actions in detail in your next Form 10-K or Form 10-Q – under the share repurchase disclosure amendments that the SEC adopted in May. One thing that companies are worried about is that when the “data bots” and the rest of the public have access to these new details alongside all of the other information they have about corporate activities, certain folks will find a way to allege corporate wrongdoing, even where the board has been acting on an informed basis and in its business judgment.

To that end, Meredith shared some good suggestions over the summer about how to prepare for the new disclosures. One item is ensuring that the relevant Board minutes or resolutions address the repurchase program’s objectives.

It’s easy to gloss over the resolutions as a run-of-the-mill exercise, but this is an area where you need to proceed with caution. That’s because – as explained in this HLS blog – the mechanics of the buyback program can affect whether the articulated objectives are actually satisfied. The blog goes on to connect a few dots that may not be top-of-mind for corporate governance practitioners. Here’s an excerpt:

Governance relating to rationale based on valuation

Firstly, if the board and management endorse the share buyback based on the premise that the share price is undervalued, several considerations must be accounted for. Arguably, none is more critical than imposing a share price cap or limit on the buyback. This suggestion arises because research indicates that there is a series of execution products used by companies to implement share buy-backs that are not share price constrained. One such set of products are Accelerated Share Repurchases (ASRs), which are guaranteed buyback products, and reportedly 68% are purchased without a cap or collar on the share price. This structure means that the company will buy shares at any price regardless of share price fluctuations. In this scenario how does the governance process ensure that the company’s rationale for the buyback, rooted in a perceived undervaluation, remains intact across all share prices?

Governance relating to rationale not based on valuation

If the board simultaneously approves the buyback without expressing an opinion on valuation, should the board inform shareholders? We contend that it is sound governance to consider whether there exists a responsibility to apprise shareholders. This stance aligns with the widespread understanding, as mentioned at the article’s outset, that if a share buyback is executed when the share price is overvalued, value shifts from long-term shareholders to those selling their shares. Not all shareholders may possess views on the current share price versus valuation metrics, and they may expect the board to make this determination on their behalf. This expectation is not unreasonable, given that shareholders entrust the board with decision-making authority and conflict management in their long-term interests. If the board has not considered the potential value transfer in the event of an expensive purchase price, shareholders ought to be informed. This would empower shareholders to make their own evaluations. Anecdotal evidence suggests that such communication is rarely found in share buyback disclosures.

Governance relating to buyback progress update delays

How does the governance process assess the share price risk for shareholders seeking to “harvest” a dividend if the board’s rationale for the buyback revolves solely around returning excess capital? Does this evaluation include how this added risk is factored into the overall benefits for shareholders compared to dividend alternatives which involve riskless cash?

Lastly, does the governance process possess a comprehensive understanding of the mechanics underlying various share buyback implementation methods? Such understanding is crucial to enable shareholders willing to sell shares back to the company to do so effectively.

While in many cases it makes sense to keep board resolutions for repurchase programs as flexible as possible, if your board has a specific objective in mind, you will want to make sure that what’s authorized and carried out actually fulfills that objective. You don’t want to be on the verge of filing your Form 10-K and realize that there is a mismatch between the board resolutions, the company’s activities, and the public disclosure.

Make sure to check out the January-February 2023 issue of The Corporate Counsel and the May-June 2023 issue of The Corporate Counsel for more practical tips on the actions you’ll need to take to comply with the new requirements. If you don’t already subscribe to that essential resource, email sales@ccrcorp.com.

Liz Dunshee

November 1, 2023

Proxy Advisors: Litigation Continues on 2022 Rule Rollback

I blogged in May that a Tennessee court had dismissed a lawsuit filed by the US Chamber of Commerce and the Business Roundtable that challenged the SEC’s decision to reverse parts of its 2020 rulemaking on proxy advisors. The 2020 rules would have imposed conditions on proxy voting advice that the corporate community felt would improve lead-time, transparency and accuracy of voting recommendations.

Last week, the 6th Circuit heard oral arguments for the Chamber’s appeal of the dismissal. Here are the briefs that lay out the Chamber’s arguments that the SEC action violated the Administrative Procedure Act. The National Association of Manufacturers has also filed an amicus brief in this case. NAM’s parallel case went before the 5th Circuit in August. Bloomberg Law reported at that time:

The hearing will be the biggest judicial test yet of SEC authority in removing 2020 curbs on Institutional Shareholder Services Inc., Glass, Lewis & Co., and other firms that advise large funds voting on ESG proposals and other matters at annual shareholder meetings. The proceedings will follow in the wake of 2022 Fifth Circuit decisions limiting the power of SEC administrative judges and finding the Consumer Financial Protection Bureau’s funding unconstitutional.

I can’t predict how this will turn out, but I bet there are a lot of people who would be pleasantly surprised if we somehow know the outcome in time for proxy season. If the parties are aiming to stretch this litigation across a significant portion of Chair Gensler’s term, they are making good progress on that front.

Liz Dunshee

November 1, 2023

Congrats to CII’s Amy Borrus: Retiring Next Spring!

The Council of Institutional Investors recently announced that Executive Director Amy Borrus is planning to retire next spring. Amy has been leading CII since July 2020. In total, she’s been with CII for more than 17 years! Having met Amy many moons ago at our “Women’s 100” events, I can’t imagine corporate governance without her. Thank you, Amy, for all you’ve done for our field – and for the positive example you’ve set for all of us!

Liz Dunshee

October 31, 2023

Cybersecurity Disclosure: SEC Enforcement Brings Fraud Charges Against CISO

Yesterday, the SEC announced that it has officially filed charges against SolarWinds – as well as its Chief Information Security Officer – in connection with the Enforcement Division’s long-running investigation of the cyberattack that came to light in December 2020 and was followed by a 35% drop in the company’s stock price. John flagged the “Wells Notice” a few months ago, noting that it was unusual (at least until now) for a CISO to be caught in the SEC’s crosshairs.

The 68-page complaint takes issue with alleged “hypothetical risk factors” and other perceived disclosure shortcomings – not just in SEC filings, but also on the company’s website. Here are a few of the claims that the SEC is making:

– In October 2018, the same month that SolarWinds conducted its Initial Public Offering through a registration statement with only generic and hypothetical cybersecurity risk disclosures, Brown wrote in an internal presentation that SolarWinds’ “current state of security leaves us in a very vulnerable state for our critical assets.”

– SolarWinds and/or Brown made materially false and misleading statements and omissions related to SolarWinds’ cybersecurity risks and practices in at least three types of public disclosures:

(a) Statements that purported to describe the Company’s cybersecurity practices and policies, including a “Security Statement” posted to the Company’s website throughout the Relevant Period;

(b) Form S-1 and S-8 Registration Statements and periodic reports filed with the SEC throughout the Relevant Period; and

(c) A Form 8-K filed with the SEC on December 14, 2020 regarding the massive SUNBURST cybersecurity incident that impacted SolarWinds’ Orion software platform.

– The Security Statement was materially misleading because it touted the Company’s supposedly strong cybersecurity practices.

– SolarWinds’ SEC filings similarly concealed the Company’s poor cybersecurity practices. They contained general, high-level risk disclosures that lumped cyberattacks in a list of risks alongside “natural disasters, fire, power loss, telecommunication failures…[and] employee theft or misuse.” The cybersecurity risk disclosure was generic and hypothetical, allowing for negative consequences “[i]f we sustain system failures, cyberattacks against our systems or against our products, or other data security incidents or breaches.”

This disclosure failed to address known risks. For example, it warned of an inability to defend against “unanticipate[d]… techniques” but failed to disclose that SolarWinds had already determined that it was not taking adequate steps to protect against anticipated and known risks, including failing to follow the steps outlined in the Security Statement. These general warnings were then repeated verbatim in each relevant filing, despite both the ongoing problems and the increasing red flags in 2020 that SolarWinds was not only being specifically targeted for a cyberattack, but that the attackers had already gotten in.

The complaint – which seeks permanent injunctions, disgorgement, a D&O bar, and civil penalties – lists internal communications and documents that the SEC says reflected known vulnerabilities that were not properly disclosed. According to the SEC, the defendants knew that the undisclosed information would be material to investors. The SEC also makes sure to note:

To be clear, SolarWinds’ poor controls, Defendants’ false and misleading statements and omissions, and the other misconduct described in this Complaint, would have violated the federal securities laws even if SolarWinds had not experienced a major, targeted cybersecurity attack. But those violations became painfully clear when SolarWinds experienced precisely such an attack.

The lengthy complaint is full of interesting tidbits that I’m sure will be unpacked and analyzed over the coming months. It implies the SEC found it important that the CISO was an officer at the time of these events and signed sub-certifications attesting to the adequacy of the company’s cybersecurity internal controls. And in a parallel to the new Dodd-Frank clawback rules, the SEC didn’t like that he exercised options and sold SolarWinds stock during the time leading up to the announcement of the incident – “when SolarWinds’ stock price was inflated by the misstatements, omissions, and schemes discussed in this Complaint.”

That said, much of the 68-page complaint boils down to the basic notion that your disclosures can’t be materially misleading. For example, don’t say that you measured compliance with the NIST Framework but leave out that you don’t meet most of the Framework’s controls. And while the SolarWinds incident was unique in many ways, the alleged missteps also give the Enforcement Division a convenient opportunity to send a high-profile signal on disclosure controls – which have been the linchpin of a string of actions this year. The complaint also takes issue with internal controls over financial reporting, which SEC Chief Accountant Paul Munter warned companies about in August.

So, as Dave reminded us just last week, it’s as important as ever to “tune up” your cyber risk factors and take a close look at your policies & controls. We’ll be posting the inevitable flood of memos in our “Cybersecurity” Practice Area, but for now I leave you with these parting words from Enforcement Director Gurbir Grewal:

Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.

Liz Dunshee