Author Archives: Liz Dunshee

November 2, 2023

Reverse Splits: SEC Approves Nasdaq Rule Change

Yesterday, the SEC issued an order to approve Nasdaq’s proposal to require a listed company conducting a reverse stock split to:

– Notify Nasdaq about certain details of the reverse stock split at least 5 business days (no later than noon ET) prior to the anticipated market effective date, and

– Make public disclosure about the reverse stock split at least 2 business days (no later than noon ET) prior to the anticipated market effective date.

These changes will be reflected in new Rules 5250(b)(4) and 5250(e)(7), new IM 5250-3, and amended Rule 5250(b)(1) – so once they’re posted to the rulebook, read those for more detail. The Company Event Notification Form will also be updated to reflect the information that a company must disclose to the Exchange about a reverse split. Here’s what happens if you don’t comply:

Additionally, if a company takes legal action to effect a reverse stock split notwithstanding its failure to timely satisfy these requirements, or provides incomplete or inaccurate information about the timing or ratio of the reverse stock split in its public disclosure, Nasdaq will halt the stock in accordance with the procedure set forth in Nasdaq Equity 4, Rule 4120, that provides Nasdaq with the authority to halt trading to permit the dissemination of material news.

Liz Dunshee

November 1, 2023

Share Repurchases: Aligning Your Resolutions & Disclosures

For most companies, if you’re approving or executing buybacks this quarter, it’s important to keep in mind that you’ll have to describe your actions in detail in your next Form 10-K or Form 10-Q – under the share repurchase disclosure amendments that the SEC adopted in May. One thing that companies are worried about is that when the “data bots” and the rest of the public have access to these new details alongside all of the other information they have about corporate activities, certain folks will find a way to allege corporate wrongdoing, even where the board has been acting on an informed basis and in its business judgment.

To that end, Meredith shared some good suggestions over the summer about how to prepare for the new disclosures. One item is ensuring that the relevant Board minutes or resolutions address the repurchase program’s objectives.

It’s easy to gloss over the resolutions as a run-of-the-mill exercise, but this is an area where you need to proceed with caution. That’s because – as explained in this HLS blog – the mechanics of the buyback program can affect whether the articulated objectives are actually satisfied. The blog goes on to connect a few dots that may not be top-of-mind for corporate governance practitioners. Here’s an excerpt:

Governance relating to rationale based on valuation

Firstly, if the board and management endorse the share buyback based on the premise that the share price is undervalued, several considerations must be accounted for. Arguably, none is more critical than imposing a share price cap or limit on the buyback. This suggestion arises because research indicates that there is a series of execution products used by companies to implement share buy-backs that are not share price constrained. One such set of products are Accelerated Share Repurchases (ASRs), which are guaranteed buyback products, and reportedly 68% are purchased without a cap or collar on the share price. This structure means that the company will buy shares at any price regardless of share price fluctuations. In this scenario how does the governance process ensure that the company’s rationale for the buyback, rooted in a perceived undervaluation, remains intact across all share prices?

Governance relating to rationale not based on valuation

If the board simultaneously approves the buyback without expressing an opinion on valuation, should the board inform shareholders? We contend that it is sound governance to consider whether there exists a responsibility to apprise shareholders. This stance aligns with the widespread understanding, as mentioned at the article’s outset, that if a share buyback is executed when the share price is overvalued, value shifts from long-term shareholders to those selling their shares. Not all shareholders may possess views on the current share price versus valuation metrics, and they may expect the board to make this determination on their behalf. This expectation is not unreasonable, given that shareholders entrust the board with decision-making authority and conflict management in their long-term interests. If the board has not considered the potential value transfer in the event of an expensive purchase price, shareholders ought to be informed. This would empower shareholders to make their own evaluations. Anecdotal evidence suggests that such communication is rarely found in share buyback disclosures.

Governance relating to buyback progress update delays

How does the governance process assess the share price risk for shareholders seeking to “harvest” a dividend if the board’s rationale for the buyback revolves solely around returning excess capital? Does this evaluation include how this added risk is factored into the overall benefits for shareholders compared to dividend alternatives which involve riskless cash?

Lastly, does the governance process possess a comprehensive understanding of the mechanics underlying various share buyback implementation methods? Such understanding is crucial to enable shareholders willing to sell shares back to the company to do so effectively.

While in many cases it makes sense to keep board resolutions for repurchase programs as flexible as possible, if your board has a specific objective in mind, you will want to make sure that what’s authorized and carried out actually fulfills that objective. You don’t want to be on the verge of filing your Form 10-K and realize that there is a mismatch between the board resolutions, the company’s activities, and the public disclosure.

Make sure to check out the January-February 2023 issue of The Corporate Counsel and the May-June 2023 issue of The Corporate Counsel for more practical tips on the actions you’ll need to take to comply with the new requirements. If you don’t already subscribe to that essential resource, email sales@ccrcorp.com.

Liz Dunshee

November 1, 2023

Proxy Advisors: Litigation Continues on 2022 Rule Rollback

I blogged in May that a Tennessee court had dismissed a lawsuit filed by the US Chamber of Commerce and the Business Roundtable that challenged the SEC’s decision to reverse parts of its 2020 rulemaking on proxy advisors. The 2020 rules would have imposed conditions on proxy voting advice that the corporate community felt would improve lead-time, transparency and accuracy of voting recommendations.

Last week, the 6th Circuit heard oral arguments for the Chamber’s appeal of the dismissal. Here are the briefs that lay out the Chamber’s arguments that the SEC action violated the Administrative Procedure Act. The National Association of Manufacturers has also filed an amicus brief in this case. NAM’s parallel case went before the 5th Circuit in August. Bloomberg Law reported at that time:

The hearing will be the biggest judicial test yet of SEC authority in removing 2020 curbs on Institutional Shareholder Services Inc., Glass, Lewis & Co., and other firms that advise large funds voting on ESG proposals and other matters at annual shareholder meetings. The proceedings will follow in the wake of 2022 Fifth Circuit decisions limiting the power of SEC administrative judges and finding the Consumer Financial Protection Bureau’s funding unconstitutional.

I can’t predict how this will turn out, but I bet there are a lot of people who would be pleasantly surprised if we somehow know the outcome in time for proxy season. If the parties are aiming to stretch this litigation across a significant portion of Chair Gensler’s term, they are making good progress on that front.

Liz Dunshee

November 1, 2023

Congrats to CII’s Amy Borrus: Retiring Next Spring!

The Council of Institutional Investors recently announced that Executive Director Amy Borrus is planning to retire next spring. Amy has been leading CII since July 2020. In total, she’s been with CII for more than 17 years! Having met Amy many moons ago at our “Women’s 100” events, I can’t imagine corporate governance without her. Thank you, Amy, for all you’ve done for our field – and for the positive example you’ve set for all of us!

Liz Dunshee

October 31, 2023

Cybersecurity Disclosure: SEC Enforcement Brings Fraud Charges Against CISO

Yesterday, the SEC announced that it has officially filed charges against SolarWinds – as well as its Chief Information Security Officer – in connection with the Enforcement Division’s long-running investigation of the cyberattack that came to light in December 2020 and was followed by a 35% drop in the company’s stock price. John flagged the “Wells Notice” a few months ago, noting that it was unusual (at least until now) for a CISO to be caught in the SEC’s crosshairs.

The 68-page complaint takes issue with alleged “hypothetical risk factors” and other perceived disclosure shortcomings – not just in SEC filings, but also on the company’s website. Here are a few of the claims that the SEC is making:

– In October 2018, the same month that SolarWinds conducted its Initial Public Offering through a registration statement with only generic and hypothetical cybersecurity risk disclosures, Brown wrote in an internal presentation that SolarWinds’ “current state of security leaves us in a very vulnerable state for our critical assets.”

– SolarWinds and/or Brown made materially false and misleading statements and omissions related to SolarWinds’ cybersecurity risks and practices in at least three types of public disclosures:

(a) Statements that purported to describe the Company’s cybersecurity practices and policies, including a “Security Statement” posted to the Company’s website throughout the Relevant Period;

(b) Form S-1 and S-8 Registration Statements and periodic reports filed with the SEC throughout the Relevant Period; and

(c) A Form 8-K filed with the SEC on December 14, 2020 regarding the massive SUNBURST cybersecurity incident that impacted SolarWinds’ Orion software platform.

– The Security Statement was materially misleading because it touted the Company’s supposedly strong cybersecurity practices.

– SolarWinds’ SEC filings similarly concealed the Company’s poor cybersecurity practices. They contained general, high-level risk disclosures that lumped cyberattacks in a list of risks alongside “natural disasters, fire, power loss, telecommunication failures…[and] employee theft or misuse.” The cybersecurity risk disclosure was generic and hypothetical, allowing for negative consequences “[i]f we sustain system failures, cyberattacks against our systems or against our products, or other data security incidents or breaches.”

This disclosure failed to address known risks. For example, it warned of an inability to defend against “unanticipate[d]… techniques” but failed to disclose that SolarWinds had already determined that it was not taking adequate steps to protect against anticipated and known risks, including failing to follow the steps outlined in the Security Statement. These general warnings were then repeated verbatim in each relevant filing, despite both the ongoing problems and the increasing red flags in 2020 that SolarWinds was not only being specifically targeted for a cyberattack, but that the attackers had already gotten in.

The complaint – which seeks permanent injunctions, disgorgement, a D&O bar, and civil penalties – lists internal communications and documents that the SEC says reflected known vulnerabilities that were not properly disclosed. According to the SEC, the defendants knew that the undisclosed information would be material to investors. The SEC also makes sure to note:

To be clear, SolarWinds’ poor controls, Defendants’ false and misleading statements and omissions, and the other misconduct described in this Complaint, would have violated the federal securities laws even if SolarWinds had not experienced a major, targeted cybersecurity attack. But those violations became painfully clear when SolarWinds experienced precisely such an attack.

The lengthy complaint is full of interesting tidbits that I’m sure will be unpacked and analyzed over the coming months. It implies the SEC found it important that the CISO was an officer at the time of these events and signed sub-certifications attesting to the adequacy of the company’s cybersecurity internal controls. And in a parallel to the new Dodd-Frank clawback rules, the SEC didn’t like that he exercised options and sold SolarWinds stock during the time leading up to the announcement of the incident – “when SolarWinds’ stock price was inflated by the misstatements, omissions, and schemes discussed in this Complaint.”

That said, much of the 68-page complaint boils down to the basic notion that your disclosures can’t be materially misleading. For example, don’t say that you measured compliance with the NIST Framework but leave out that you don’t meet most of the Framework’s controls. And while the SolarWinds incident was unique in many ways, the alleged missteps also give the Enforcement Division a convenient opportunity to send a high-profile signal on disclosure controls – which have been the linchpin of a string of actions this year. The complaint also takes issue with internal controls over financial reporting, which SEC Chief Accountant Paul Munter warned companies about in August.

So, as Dave reminded us just last week, it’s as important as ever to “tune up” your cyber risk factors and take a close look at your policies & controls. We’ll be posting the inevitable flood of memos in our “Cybersecurity” Practice Area, but for now I leave you with these parting words from Enforcement Director Gurbir Grewal:

Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.

Liz Dunshee

October 31, 2023

Cybersecurity Disclosure: No “Free Pass” on Form 8-K

With the compliance date kicking in December 18th for the SEC’s new line-item requirement to report material cyber incidents in real-time, it’s worth noting that the complaint that the SEC brought yesterday against SolarWinds and its CISO doesn’t award kudos to the defendants for their eventual decision to report the cyberattack on a Form 8-K. Instead, it doubles down on allegations that those disclosures were misleading:

On December 14, 2020, SolarWinds filed a Form 8-K with the SEC disclosing that its Orion network monitoring software contained malicious code that had been inserted by threat actors as part of a supply-chain attack. The Form 8-K was drafted by a group of executives, including Brown, and signed by SolarWinds’ CEO. That Form 8-K was materially misleading in several respects, including its failure to disclose that the vulnerability at issue had been actively exploited against SolarWinds’ customers multiple times over at least a six-month period in the incidents involving U.S. Government Agency A, Cybersecurity Firm B, and Cybersecurity Firm C.

Form 8-K disclosure may be the last thing on everyone’s mind when a cyber-attack is discovered, which is why you need to integrate this step into your incident response plan on a clear day. The good news (or the bad news, depending on your perspective), is that since the time of the SolarWinds announcement in 2020, we’ve all had a lot more experience with cyber incidents and companies have become more sophisticated with their Form 8-K disclosures, even in advance of the new requirement. Here are a couple of examples. This Cybersecurity Dive article says that the same bad actors might be behind both of these attacks, and that they’re still at large.

Liz Dunshee

October 31, 2023

Forward-Looking Statements: Stay Vigilant in Q3

John & I blogged earlier this year about the very difficult task of delivering bad news during earnings season. So, this is unfortunate to see:

“Our early read on the third quarter earnings season suggests one of the most challenging reporting periods – across sectors – in recent history.”

That’s from a recent Riveron blog. And while it’s not a very bold prediction given where many companies are finding their stock price, it’s a good reminder that regardless of whether your company gives formal guidance, your friends in Finance & IR may be looking for ways to get creative with Q3 earnings releases – and they also may be faced with extra Q&A during this quarter’s earnings call. Here are a few of the blog’s suggestions:

1. Reinforce the longer-term value of the company

2. Convince the Street that short-term dynamics are ringfenced

3. Focus on 2024 value drivers including those investors may be overlooking

The Riveron team gives more color on each of these tips, which are definitely the types of messages I would want to be able to deliver if I were an executive trying to reassure my investors. But wearing my “securities lawyer” hat, some of the suggestions made my heart race – for example:

– Discuss sales meetings on the calendar and new partnership discussions in the works, and

– Convey the company’s ability to control the impact of short-term dynamics like inflation and global supply chain disruptions

While it is good to reassure investors that the company has a handle on things, there are many factors beyond the control of boards & executives, and you have to be careful to not be misleading. Plus, plaintiffs’ firms live for these kinds of assurances. So, if you find these types of predictions in your company’s earnings release, I offer these general tips:

– Make your best effort to frame predictions as expectations rather than guarantees.

– Be very clear that the company is speaking only as of the current date.

– Include appropriately tailored cautionary statements – with specific reference to any assumptions on which predictions are based.

– To the extent you’re able, ask questions to confirm that the company does indeed have backup & controls to support its statements. It may be misleading to share only positive aspects of certain topics without also disclosing downsides.

– Consider whether the statements set an aggressive precedent for investor disclosure expectations.

– Confirm that the disclosures align with the company’s other public statements.

Keep in mind that you’ll need to balance all that with making the safe harbor disclaimer as short as possible in the earnings call script – because as Adam Epstein points out, your CEO doesn’t want investors to run for the hills. The Riveron team also suggests taking this opportunity to introduce key operational leaders who are expected to contribute to the business in 2024, and notes that companies should set the stage without overcommitting to a specific timeframe. They make this good point that we can all get behind:

Companies that lead with a clear, compelling, and convincing story of strengthening in the months and years to come do not need to sell the exact timing of these improvements. Rather, it’s more important (and credible) to present a narrative that illustrates how all the elements are in place for a successful 2024.

Visit our “Earnings Guidance” Practice Area for checklists & other practical resources that are intended to help you as questions arise.

Liz Dunshee

October 30, 2023

Political Spending: Congress Wants to Halt Phantom SEC Disclosure Rule. . . Again

It feels like four years ago that we narrowly avoided a government shutdown, but it’s actually only been four weeks – and it’s likely that our politicians will once again negotiate down to the wire when they revisit whether our government can continue operating past November 17th. Like most things in Washington, this isn’t just a “yes/no” decision. That means that when the SEC (eventually) gets funded, “Congress gonna Congress” when it comes to what exactly the Commission can do with the money.

We’ve blogged repeatedly over the past many years about appropriation bills that would tack on a restriction to the SEC’s ability to issue rules on “political spending” (or in some cases, that would remove the roadblock to rulemaking on that topic). Here’s the typical provision:

None of the funds made available by this Act shall be used by the Securities and Exchange Commission to finalize, issue, or implement any rule, regulation, or order regarding the disclosure of political contributions, contributions to tax exempt organizations, or dues paid to trade associations.

So, here we are again. Even though no “political spending” disclosure rules are contemplated by the hard-driving Reg Flex Agenda that represents Chair Gensler’s priorities, the risk of regulation persists, and appropriations bills that address this topic are making their way through the House & Senate in the form of H.R. 4664 and S. 2309. In addition, two other bills that have been introduced in the House – H.R. 4472 and H.R. 4563 – aim to codify this restriction so that it’s not dependent on the annual appropriations dance. Here’s an excerpt from that last one:

(a) Findings. — Congress finds the following:

(1) From 2010 through 2013, the Internal Revenue Service targeted conservative organizations seeking tax-exempt status. The result of this targeting was obvious—to discourage conservative organizations and individuals associated with them from engaging in the 2012 presidential election after an incredibly successful 2010 midterm election.

(2) In response to this treatment, a large number of conservative organizations sued the Internal Revenue Service. In 2017, a settlement was reached and the Internal Revenue Service was required to issue an apology for its actions.

(3) Congress quickly recognized that the Internal Revenue Service was not the only government agency that could question or threaten the tax-exempt status of disfavored political groups. The Securities and Exchange Commission, an independent government agency, also enjoys some regulatory power in this area.

(4) Beginning in 2015, Congress has included in every appropriations bill that has funded the Securities and Exchange Commission, an appropriations rider prohibiting the agency from using any of the funds made available to “finalize, issue, or implement any rule, regulation, or order regarding the disclosure of political contributions, contributions to tax exempt organizations, or dues paid to trade associations.” See Consolidated Appropriations Act, 2016, H.R. 2029, 114th Cong. § 1 (2015); Consolidated Appropriations Act, 2017, H.R. 244, 115th Cong. § 1 (2017); Consolidated Appropriations Act, 2018, H.R. 1625, 115th Cong. § 2 (2018); Consolidated Appropriations Act, 2019, H.J. Res. 31, 116th Cong. § 1 (2019); Consolidated Appropriations Act, 2020, H.R. 1158, 116th Cong. § 1 (2019); Consolidated Appropriations Act, 2021, H.R. 133, 116th Cong. § 2 (2020); Consolidated Appropriations Act 2022, H.R. 2471, 117th Cong. § 2 (2022); Consolidated Appropriations Act 2023, H.R. 2617, 117th Cong. § 2 (2022).

(5) This prohibition is too important to be subject to yearly renewal. Instead, it must be enacted into permanent law so political organizations of both political parties can rest assured the Securities and Exchange Commission will not target them.

(b) Prohibition. – The Securities and Exchange Commission may not finalize, issue, or implement any rule, regulation, or order regarding the disclosure of political contributions, contributions to tax exempt organizations, or dues paid to trade associations.

I’m not advocating for another disclosure rule, but I have always thought it was a stretch to compare the IRS settlement – which related to allegations that the agency was being extra strict in granting tax exempt status to conservative organizations – to the SEC’s consideration of a rule that would require companies to disclose the use of corporate resources for political activities. In any event, while our politicians have been arguing about it for the past decade, investors & companies have moved on with private ordering.

Liz Dunshee

October 30, 2023

Values Alignment: ICCR’s Letter Campaign to BRT CEOs

A new dimension of “political spending” scrutiny that has emerged in the last few years from shareholders and employees is “values alignment.” I blogged earlier this year on our “Proxy Season Blog” about how to respond to shareholder proposals on this topic.

In a sign that companies will continue to face these proposals in 2024, the Interfaith Center for Responsibility sent letters in late summer to the CEO members of the Business Roundtable that call for values alignment for political contributions, along with improved board oversight and public disclosure. Here’s an excerpt:

We believe that BRT companies would benefit from a thoughtful assessment of their political spending and lobbying. We recommend two resources to help guide company policy development and decision-making toward more responsible political engagement.

I. Erb Principles for Corporate Political Responsibility

The first key resource is the Erb Principles for Corporate Political Responsibility, released in March after a lengthy, deliberative stakeholder process by the Erb Institute of the University of Michigan. Developed as a complement to the BRT’s statement on the Purpose of the Corporation and the BRT’s actions to support the peaceful transfer of power in 2021, the Erb Principles propose a practical, non-partisan, and comprehensive definition of corporate political responsibility (CPR) as a first step in establishing CPR as a new norm that will reduce business risk, strengthen civic trust and foster collaborative problem-solving.

The Erb Principles do this by helping companies better align their political influences — including any political spending — with their values, purpose, commitments, and larger responsibilities to a healthy economy, civic institutions, and informed civic discourse. The Principles were designed to provide U.S. companies with a non-partisan, principled thought process for responsible engagement, without prescribing positions on specific issues.

The other resource that the letter commends to companies is the CPA-Zicklin Model Code of Conduct for Corporate Political Spending. ICCR’s letter also cites to the BRT’s March 2021 statement about the importance of the right to vote to our democratic society.

Liz Dunshee

October 30, 2023

Political Spending: Checklist for Reducing Corporate Risk

Next week is Election Week. Maybe you have some important local items on your ballot this year, but in my neck of the woods, most people are already bracing themselves for the polarized U.S. Presidential election cycle that will soon be in full swing. That means that corporate “political spending” activities (which are broadly defined!) will continue to attract scrutiny. A recent scandal shows that misplaced contributions can create financial & reputational risks for companies.

In that vein, The Center for Political Accountability recently published this 10-page guide to corporate political spending. The guide suggests solutions to 5 common challenges that arise from contributions to political candidates, trade associations, and other third-party groups. This HLS blog summarizes the key elements:

– Recognize the heightened risks that a company faces from contributions to third-party groups, specifically 501(c)(4) organizations engaged in political spending, trade associations, super PACs and 527 committees. The company needs to know where its money ultimately ends up, what causes and candidates it advances and what risks it is assuming.

– Understand that public companies can no longer publicly claim to support some aspects of a candidate’s platform while disavowing others. The challenge facing a company is that when it supports a candidate, all of the candidate’s actions and positions will be associated with the company.

– Align the company’s political spending with its core values, policies and positions.

– Avoid siloed decision-making. Political spending should fairly reflect the views and interests of the company’s various stakeholders. Companies benefit from active and dynamic engagement among public affairs, government relations and other internal actors responsible for promoting the company’s values, policies and positions and those making political spending decisions.

– Direct corporate contributions to politicians who refrain from punitively targeting companies for their policy decisions, personnel practices, public statements, or other values important to the company’s success and integrity.

– Protect the democratic institutions and rule of law that companies depend upon to operate, compete, and thrive.

I expect that this year’s CPA-Zicklin Index, which rates companies annually on the transparency of their corporate political spending, will be published any day. Last year, the Index expanded to cover Russell 1000 companies.

Check out our “Political Contributions” Practice Area for more benchmarking & practical checklists. We also covered this topic at our recent “Proxy Disclosure Conference” – you can still get access to the video archives & transcripts by emailing sales@ccrcorp.com. The program is also eligible for on-demand CLE credit!

Liz Dunshee