This 20-page report from LRN analyzes codes of conduct across the globe and suggests best practices that could help during your next review. First, LRN (which provides ethics & compliance trainings and resources) says that an effective code can be measured across 8 dimensions. The report provides examples of codes and code provisions that cover each of them:
– Tone from the top
– Purpose and values orientation
– Applicability and administration
– Speaking up
– Risk topics
– Knowledge Reinforcement
– Usability
– Look and feel
What makes a code “effective”? According to LRN, your code is most effective if it does the following:
– Communicating a leadership message that connects employees to purpose and company heritage.
– Integrating and providing behavioural guidance around their values and mission.
– Referencing specific responsibilities and expectations of stakeholders.
– Providing details on the resources for reporting concerns and making those resources accessible.
– Covering important risk areas and giving values-based business rationale for risk-mitigating measures.
– Incorporating multiple types of reinforcement tools throughout the document.
– Ensuring the document is laid out as a guide: linked, easy to read, and logically organised.
– Unifying the document with company branding and reinforcing the culture visually.
Public companies aren’t the only ones grappling with cybersecurity right now. Your law firm may need to revisit how to respond to cyber-breaches and government requests for client info, in light of a recent court order.
I’ve blogged a couple of times about the SEC’s efforts to compel cooperation from a law firm whose clients may have had information accessed or stolen in a big cyber breach. The SEC wanted the firm to turn over the names of nearly 300 clients. The firm – along with 83 other big firms – pushed back.
As reported by Reuters, in late July, a court ordered the law firm to give the SEC the names of 7 clients. The firm identified those clients in an internal review that assessed whether any material non-public information may have been improperly accessed – and for those 7, the firm couldn’t rule out that possibility.
The SEC wants to use the info to probe for securities law violations relating to the attack. Specifically:
(1) to determine whether a threat actor or others engaged in illegal trading based upon access to material nonpublic information; and
(2) to evaluate whether any publicly traded issuers failed to disclose material cybersecurity events in connection with the attack.
The firm plans to appeal. In the meantime, law firms that discover a cyber breach will continue to face complex decisions about whether to notify law enforcement and what data to provide during an investigation.
Our “SEC Comment Letter Process Handbook” – which was recently updated with gracious assistance from former Staffers Sonia Barros & Sara von Althann of Sidley Austin – notes that almost any of your disclosures are “fair game” during Corp Fin’s disclosure review process, including earnings calls and perhaps even social media. The Enforcement Division is also interested in those disclosures – as indicated by the non-GAAP enforcement action that John blogged about in March.
This research about how the Corp Fin Staff uses earnings call disclosures in its comment letters provides numerical data to back that up. The authors analyzed over 800 letters from 2005 to 2018. Here are a few takeaways that they recently shared on the CLS Blue Sky Blog:
We examine all SEC comment letters referencing a firm’s earnings conference call(s). Our sample includes over 800 letters from 2005 to 2018, representing slightly over 1 percent of all comment letter conversations available from Audit Analytics. More than two-thirds of the sample are 10-K comment letters, and another 18 percent pertain to 10-Qs. Thus, conference call disclosures primarily serve as a reference point during SEC reviews of periodic reports.
…We observe that approximately 80 percent of the sample are cases where the SEC refers to information disclosed in a conference call to support the claim that the firm’s disclosures in its periodic report(s) are insufficient. The second-largest group comprises 15 percent of the sample and includes comment letters emphasizing that a specific disclosure in the reviewed filing is inconsistent with the facts disclosed or the extent or format of the disclosure in the conference call. Except for non-GAAP or key performance indicators (KPI) comments, very few letters suggest that a specific disclosure in a conference call is a problem.
Our manual examination of the conference call comment letters allows us to provide other descriptive details about the subject and format of conference call disclosures targeted by the SEC. The three most frequent topics addressed are revenues, segment reporting, and non-GAAP/KPIs. Together, these three issues account for 45 percent of our sample. Management Discussion and Analysis (MD&A) disclosures related to risk factors, products, customers, markets, or seasonality are also common, representing 23 percent of the sample.
Overall, we document a broad scope of issues addressed, suggesting that the SEC finds firms’ conference call disclosures useful in many aspects of the review process. We observe that the SEC refers to information disclosed both during the management presentation and the question-and-answer portion of the calls. While half of the comments refer to the conference call from the same fiscal quarter as the filing under review, the SEC also references conference call disclosures from earlier periods and even from calls that occur after the filing being reviewed.
This info provides a good roadmap for what to focus on when you’re reviewing an earnings release, in addition to forward-looking statements. And if you’re looking for a way to show your “value-add” in the earnings release process, you can now point to data to show that your involvement may save your company from comment letters – or worse – down the road.
If you’ve been working with companies on SEC compliance, one question that you are bound to get sooner or later is, “What happens if we fall short of what’s required?” Sometimes, the answer is “Not much.” But this Gibson Dunn memo says that in the current environment, the risk of SEC enforcement is very real. It is striking to reflect on the Enforcement Division’s expansion plans:
The Commission has so far not slowed its enforcement strategy, and is unlikely to do so in the months ahead. In the Consolidated Appropriations Act of 2023, Congress agreed to give the Commission $2.2 billion in funding for the current fiscal year, a $210 million increase over the prior fiscal year. The Commission is planning to use the increased funding to hire 400 more staff members, including 125 new personnel for its Enforcement Division. Of those 125 new hires for the Enforcement Division, 33 will be joining the Crypto Assets and Cyber Unit, a sub-unit of the Commission that has already seen heightened activity this year. With a rapidly expanding workforce, the Commission could end up filing even more enforcement actions this year than the 760 it filed in fiscal year 2022—a 9% increase over the prior year.
The memo walks through key topics that appear to be getting the Enforcement Division’s attention. While we have blogged about many of these actions in real-time, this recap can help you remember where things stand:
In the area of financial reporting and accounting, this Commission has brought a number of technical accounting and disclosure cases against issuers and individuals, and has pushed the boundaries of its own jurisdiction to bring charges relating to harassment and workplace misconduct under the guise of non-disclosure and internal controls failures. As all administrations do, the SEC has maintained a steady diet of insider trading cases, and used some of those cases to send a message tied to its rulemaking. The same is true in the cybersecurity area, where we now have final rules that will no doubt provide additional bases for the SEC to bring new cases. Finally, the SEC recently awarded its largest whistleblower bounty in the history of the program—greater than the entire amount awarded in all of 2022—that evinces a program that has been wildly successful at attracting more and better tips from individuals with first-hand knowledge of potential wrongdoing.
One of the insider trading cases that the memo discusses is the 10b5-1 complaint that the SEC & DOJ filed earlier this year. I blogged last fall that the agencies are using data analytics to identify suspicious trades. A recent WSJ interview with the outgoing head of the DOJ’s criminal division reinforces that it’s going to become more & more difficult for unusual activity to fly under the radar:
The Justice Department’s recent use of data analytics is a sea change for how such techniques have traditionally been used in criminal cases. Where data was applied in the past to build a case once it had already been identified, the goal of the department’s more recent efforts has been to find cases where patterns in the data warrant further investigation, according to Polite.
So, the regulators have new tech tools, plus more humans to use them, and more rules to enforce. Maybe securities lawyers aren’t speeding toward obsolescence after all.
The specter of a successful securities class action suit is another risk that keeps securities lawyers up at night, but take heart: Cornerstone Research and the Stanford Law School Securities Class Action Clearinghouse recently published their latest report, Securities Class Action Filings—2023 Midyear Assessment, and it gives some encouraging news.
While the number of securities class-action filings has remained pretty steady compared to historical averages, US exchange-listed companies are actually less likely to face these types of lawsuits than they were from 2009 – 2022. Here’s more detail:
– At the current pace, only 3.4% of companies listed on major US exchanges are or will become subject to a core or M&A filing in 2023. This is in line with the percentage in 2022 but represents a large decline from 2016-2020 levels.
– The percentage of US exchange-listed companies subject to a core filing in 2023 H1 was 1.6%, on pace to be in line with that of 2022 but below the 2009-2022 average.
– The percentages of US exchange-listed companies subject to an M&A filing in 2022 and 2023 are the two lowest since tracking of M&A filings began in 2009. These rates remain well below 2016-2020 levels.
See the 33-page report for details on all sorts of key trends.
The comment period for the PCAOB’s “NOCLAR” proposal officially concluded yesterday – and although more comments will continue to roll in, now seems like a good time to take stock of the feedback to-date. As of the date of this blog, the PCAOB has posted 26 comment letters. Here are a few that caught my eye:
– Council of Institutional Investors – supporting the proposal, and encouraging the PCAOB to further expand the independent auditor’s responsibilities with respect to the company’s internal whistleblower program to include (i) requiring the auditor to obtain an understanding of the audit committee’s and management’s policies, processes and procedures for the program; (ii) testing controls to determine if the process operates as it is expected to; and (iii) reviewing and assessing complaints that are reasonably likely to have a material effect on the financial statements.
– Audit Committee Council (advisory committee of the Center for Audit Quality comprised of independent audit committee members) – supportive of modernizing accounting standards, but sharing the concerns on this proposal that were expressed by the dissenting PCAOB board members, and suggesting a more risk-based approach where the auditor considers the role that the company’s compliance program plays in detecting NOCLAR that could be material to the audited financial statements.
– US Chamber of Commerce – Requesting that the PCAOB withdraw the proposal because it “could degrade audit quality, harm investor protection, weaken attorney-client privilege protections, and impose additional audit costs on issuers by an estimated $36 billion dollars, far exceeding Sarbanes-Oxley 404b implementation.”
– Jon Lukomnik (well-known corporate governance thought leader – e.g., a member of Deloitte’s Audit Quality Advisory Committee and the PCAOB’s Standards and Emerging Issues Advisory Group, former member of the PCAOB’s Standing Advisory Group) – generally supporting the proposal, but suggesting improvements to address the critiques of “over-reaching.” Specifically, recommending two types of noncompliance that auditors should plan to identify, evaluate and, if necessary, communicate – systemic noncompliance, and noncompliance by senior officers or senior management responsible for a quantitatively material amount of revenue, profit or fixed assets.
I blogged last month about the potential impact of this standard on audit committee members. As this Perkins Coie blog notes, the Center for Audit Quality has posted a two-page letter for audit committee members to sign on to, which expresses concerns with the proposal. Other organizations, including the Society for Corporate Governance and the American Bar Association, will likely also submit comments.
Here’s something I blogged last week on CompensationStandards.com: DEI-related goals have become one of the most common non-financial metrics in public company executive incentive plans. However, in addition to thinking through potential complexities and unintended consequences, you may also need to work with your employment law colleagues to take a closer look at those programs and related disclosures in light of June’s SCOTUS affirmative action decision, and related fallout.
To get more color on what executive compensation advisors should know, I’m delighted to share this guest post from Orrick’s J.T. Ho, Mike Delikat, John Giansello and Bobby Bee:
On June 29, 2023, the Supreme Court found Harvard and UNC’s admissions policies, which considered race and ethnicity as factors in admissions, to be unlawful under Title VI of the Civil Rights Act of 1964 and the Equal Protection Clause of the Fourteenth Amendment. While this ruling does not directly impact corporate DEI programs due to existing legal prohibitions on considering race in employment decisions, this case may embolden more applicants, employees, government officials like state Attorneys General and conservative activist groups to bring “reverse discrimination” claims and shareholder demands and proposals, a trend that already is on the rise.
Executive compensation programs that include DEI performance as a metric have already been and may continue to be a source of such claims and attacks. Many executive compensation programs in recent years have incorporated DEI metrics due to institutional investor demands. Such goals are often tied to increasing the number of women or diverse employees by a certain percentage, especially in higher-paid roles or retaining a certain percentage of such groups of employees, and have become more formulaic and rigorous over the years due to investor scrutiny.
However, while “the devil is in the details,” incorporating DEI metrics into executive compensation programs can lead to the risk that managers perceive the achievement of the metrics as a de facto quota and impel employment decision-making based on diversity metrics instead of individual qualifications and job performance—or the reasonable perception thereof, which could give rise to reverse discrimination claims. For example, in Frank v. Xerox Corp. (5th Cir. 2003), where the Fifth Circuit reversed summary judgment for Xerox on a reverse discrimination claim, the court noted that “[s]enior staff notes and evaluations also indicate that managers were evaluated on how well they complied with the [diversity] objectives,” among other factors. As a result, the Fifth Circuit noted a jury could find the company “had considered race in fashioning its employment policies” and that because of plaintiff’s race, “their employment opportunities had been limited.” According to the EEOC amicus brief filed on appeal, managers were evaluated on how well they followed and adhered to diversity objectives in making personnel decisions; numerical targets were considered in hiring, promotion or pay decisions; and money designated for merit pay increases was allocated based on achievement in specific “EEO categories.”
The court arrived at a different conclusion in Coppinger v. Wal-Mart Stores (N.D. Fla. Oct. 25, 2008), where the plaintiff alleged, among other things, that Wal-Mart tied manager bonuses to its diversity program involving two components: (1) placement goals, which measured the disparity between the rate at which women and minorities apply for managerial positions and the rate they obtained such jobs, and (2) good faith effort goals, which required all salaried managers to mentor three employees from diverse backgrounds and attend at least one diversity event each year. Although the court granted Wal-Mart’s summary judgment motion, the court noted that it did so because, despite the allegations, “no part of any decisionmaker’s bonus or compensation was related to placement goals or good faith efforts goals other than attending one diversity event each year.” Although the court concluded that the plaintiff had failed to point to any record suggesting that managers took the goals into consideration when making any employment decision, it left open the question of whether it would have held differently had such goals been more concretely tied to the managers’ evaluations or bonuses.
While there are few cases in this area to date, in light of the recent Supreme Court decision, companies who incorporate DEI metrics into executive compensation programs should do a privileged evaluation of their programs to determine whether their goals actually impact individual employment decisions, which can be problematic, or merely inspire broader initiatives, such as improvements in outreach and in the composition of candidate and interview pools or evaluation techniques, which is legally permissible. In other words, rewarding executives for their overall efforts on DEI rather than for achieving targeted metrics will mitigate some of the legal risk.
Further, whether goals involve hiring or retention is also relevant as what leads to employee retention is a complicated set of factors, including organizational culture, effective leadership and employee perceptions of working conditions, and it is often difficult to connect goals related to retention to any individual employment decision in hiring, promotion, termination or salary and benefits. Such analyses are complicated, and companies are advised to seek legal counsel and the benefits of privilege to ensure that factors that mitigate against the risk of reverse discrimination claims are being considered and implemented when constructing executive incentive plans.
This is certainly a challenging area, and we’ll be discussing practical ways to approach it at our virtual conferences that are coming up in less than 2 months – the “2nd Annual Practical ESG Conference” and the “Proxy Disclosure & Executive Compensation Conferences.” Here’s the action-packed agenda for the Proxy Disclosure & 20th Annual Executive Compensation Conference. Get guidance on navigating DEI oversight, disclosures & goals during these two panels:
– “Human Capital Management: Facing Down Heightened Complexities & Disclosures” – with Skadden’s Ryan Adams, Kirkland’s Sophia Hudson, Vontier’s Courtney Kamlet, and Aon’s Laura Wanlass
– “ESG Metrics: Beyond the Basics” – with Orrick’s J.T. Ho, Semler Brossy’s Blair Jones, Davis Polk’s Kyoko Takahashi Lin, and Pay Governance’s Tara Tays
Register today for this can’t-miss event. Bundle your registration with our “2nd Annual Practical ESG Conference” to get all the info & perspectives you need at the best price!
The July-August issue of the Deal Lawyers newsletter was just posted and sent to the printer. This month’s issue includes the following articles:
– The Universal Proxy Card: Transforming Board Elections and Activism
– Anti-Activist Pills: Will Coster v. UIP Companies Sound Their Death-Knell?
– That Time I Filed the Registration Statement When I Wasn’t Supposed To …
In case the title of the last article caught your eye, it recounts the story of what John calls “one of his biggest legal career blunders,” although we are all relieved to say that it does have a happy ending. Anyway, the Deal Lawyers newsletter is always timely & topical – and something you can’t afford to be without in order to keep up with the rapid-fire developments in the world of M&A. If you don’t subscribe to Deal Lawyers, please email us at sales@ccrcorp.com or call us at 800-737-1271.
That was fast. On Friday, the SEC’s cybersecurity disclosures were published in the Federal Register. Here’s an excerpt from the release that explains what that means for the effective date & compliance dates:
The final rules are effective September 5, 2023. With respect to Item 106 of Regulation S–K and item 16K of Form 20–F, all registrants must provide such disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023. With respect to compliance with the incident disclosure requirements in Item 1.05 of Form 8–K and in Form 6–K, all registrants other than smaller reporting companies must begin complying on DECEMBER 18, 2023. As discussed above, smaller reporting companies are being given an additional 180 days from the non-smaller reporting company compliance date before they must begin complying with Item 1.05 of Form 8–K, on June 15, 2024.
With respect to compliance with the structured data requirements, as noted above, all registrants must tag disclosures required under the final rules in Inline XBRL beginning one year after the initial compliance date for any issuer for the related disclosure requirement. Specifically:
– For Item 106 of Regulation S–K and item 16K of Form 20–F, all registrants must begin tagging responsive disclosure in Inline XBRL beginning with annual reports for fiscal years ending on or after December 15, 2024; and
– For Item 1.05 of Form 8–K and Form 6–K all registrants must begin tagging responsive disclosure in Inline XBRL beginning on DECEMBER 18, 2024.
Following up on the largest-ever award only a few months ago, the SEC announced on Friday that it bestowed $104 million upon 7 whistleblowers whose information and assistance led to a successful SEC enforcement action and related actions brought by another agency. The combined payout is the 4th largest bounty in the history of the Commission’s whistleblower program. Here’s more detail:
The seven whistleblowers were composed of two sets of joint claimants and three single claimants, and each provided information that either prompted the opening of or significantly contributed to an SEC investigation. The seven individuals’ assistance to the staff included providing documents supporting the allegations of misconduct, sitting for interviews, and identifying potential witnesses.
As usual, the order is full of redactions to protect the confidentiality of the whistleblowers. But this one does say that many of them are foreign nationals who shared info about misconduct in what were probably non-US territories, which is a reminder that the SEC’s whistleblower program applies to securities law violations and tips from anywhere in the world. The order also gives a peek into the jockeying amongst the whistleblowers for how the combined award would be divided, and explains why two other individuals were denied a share of the payment – including one of the company’s lawyers:
Claimant 8 does not qualify for a whistleblower award. Because significant portions of the information submitted by Claimant 8 appeared to be derived from his/her employment as an attorney for Subsidiary, the TCR and subsequent information Claimant 8 submitted was deemed potentially privileged by an Enforcement filter team and either redacted or withheld from investigative staff.
Accordingly, Claimant 8’s information did not cause the staff to open the Investigation or to inquire concerning different conduct, nor did it significantly contribute to the Investigation. Claimant 8’s contention in his/her response to the Preliminary Determinations that his/her information is not privileged is not relevant—the staff did not review significant portions of Claimant 8’s information and thus Claimant 8’s information did not lead to the success of the Covered Action.
As to Claimant 8’s contention in his/her response that staff said Claimant 8’s information was “highly relevant” and “valuable,” staff indicated in a supplemental declaration, which we credit, that while the staff spoke briefly with Claimant 8, the purpose of the conversation was to determine the nature of Claimant 8’s employment responsibilities at Subsidiary. When the staff learned of Claimant 8’s role as an in-house counsel, the staff ceased the conversation so as not to infringe upon any attorney-client communication. For these reasons, Claimant 8 is not eligible for an award.
Here’s a useful index of awards that a law firm has published in order to summarize what led the SEC to grant or deny each whistleblower claim through the program’s history. If you are reading this as a lawyer who has discovered questionable activity and you are daydreaming of retiring on a whistleblower award, I am sorry to remind you of these extra constraints on sharing information that would lead to a successful enforcement action. But don’t forget that you will still need to report “up the ladder” under SEC rules!