Despite grappling with manyuncertainties right now, corporate teams may be breathing a little easier when it comes to the SEC Enforcement environment. That’s partly because people are predicting that the new leadership team will be focused more on individual accountability than on corporate penalties. This Reuters article details enforcement actions that presumptive SEC Chair Paul Atkins dissented from when he served as a Commissioner, which give some insight into what his priorities and approaches might be.
A shift in the enforcement environment doesn’t mean that compliance teams can fall asleep at the wheel, though. This Statement of the Commission Concerning Financial Penalties – which was unanimously approved back in 2006, when Paul Atkins was a Commissioner – lays out factors that, at that time, the Commission believed would warrant corporate penalties. Here’s Broc’s blog from way back when that happened. The two principal considerations were:
The presence or absence of a direct benefit to the corporation as a result of the violation. The fact that a corporation itself has received a direct and material benefit from the offense, for example through reduced expenses or increased revenues, weighs in support of the imposition of a corporate penalty. If the corporation is in any other way unjustly enriched, this similarly weighs in support of the imposition of a corporate penalty. Within this parameter, the strongest case for the imposition of a corporate penalty is one in which the shareholders of the corporation have received an improper benefit as a result of the violation; the weakest case is one in which the current shareholders of the corporation are the principal victims of the securities law violation.
The degree to which the penalty will recompense or further harm the injured shareholders. Because the protection of innocent investors is a principal objective of the securities laws, the imposition of a penalty on the corporation itself carries with it the risk that shareholders who are innocent of the violation will nonetheless bear the burden of the penalty. In some cases, however, the penalty itself may be used as a source of funds to recompense the injury suffered by victims of the securities law violations. The presence of an opportunity to use the penalty as a meaningful source of compensation to injured shareholders is a factor in support of its imposition. The likelihood a corporate penalty will unfairly injure investors, the corporation, or third parties weighs against its use as a sanction.
Additional factors included:
1. The need to deter the particular type of offense.
2. The extent of the injury to innocent parties.
3. Whether complicity in the violation is widespread throughout the corporation.
4. The level of intent on the part of the perpetrators.
5. The degree of difficulty in detecting the particular type of offense.
6. Presence or lack of remedial steps by the corporation.
7. Extent of cooperation with Commission and other law enforcement.
In a speech later that year, then-Commissioner Atkins noted:
It is worth noting that articulating the Commission’s approach to corporate penalties is one area where, thanks to Chairman Cox, we have made significant progress. Our January principles turn primarily on the existence or absence of a direct benefit to the corporation resulting from the violation and the degree to which the penalty will compensate or further harm shareholders. But, despite this guidance, do not think that large corporate penalties are a thing of the past. As I have said for quite a while, corporate penalties are appropriate in many circumstances, particularly where the company and its shareholders have broken the law and accrued a benefit from it. Consider, for example, the $700 million in disgorgement and penalty of $100 million that AIG agreed last month to pay.
He went on to discuss the undesired incentive-effect that large corporate penalties can have on the Enforcement Staff – along with ideas for rewarding Staff who pursue micro-cap cases and other less glamorous issues.
On Friday, the SEC announced that a new filing fee Fedwire format will take effect on March 10th. The old format will be retired on March 9th. Clients often appreciate help with the Fedwire process – especially smaller or newly public companies – so stay tuned for the SEC to share the new format on its instruction page.
While we’re on the topic of filing fees, don’t forget that all filers will be required to tag filing fee exhibits in iXBRL beginning July 31st of this year, as part of the modernization rules adopted a few years ago. Large accelerated filers were subject to the requirement beginning last summer, and others were permitted to voluntarily comply. The SEC has posted compliance resources to help with this transition.
The NYSE has sent its “annual compliance guide” to listed companies to remind them of their obligations on a variety of topics and summarize developments since last year. The letter gives a front-page reminder about the need to submit supplemental listing applications at least two weeks in advance of any issuances of a listed security, listing a new security, and certain other corporate events. Here’s more detail:
A listed company is required to file a SLAP to seek authorization from the Exchange for a variety of corporate events, including:
• Issuance (or reserve for issuance) of additional shares of a listed security;
• Issuance (or reserve for issuance) of additional shares of a listed security that are issuable upon conversion of another security, whether or not the convertible security is listed on the Exchange;
• Change in corporate name, state of incorporation, or par value; and/or
• Listing a new security (e.g., new preferred stock, second class of stock, or bond). No additional shares of a listed security, or any security convertible into the listed security, may be issued until the Exchange has authorized a SLAP.
Such authorization is required prior to issuance, regardless of whether the security is to be registered with the SEC, including if conversion is not possible until a future date. The Exchange requests at least two weeks to review and authorize all SLAPs. It is recommended that a SLAP be submitted electronically through Listing Manager as soon as a listed company’s board approves a transaction.
Section 703 of the Listed Company Manual provides additional information on the timing and content of SLAPs. Domestic companies should also give particular attention to Sections 303A.08, 312.03 and 313 of the Listed Company Manual (see Shareholder Approval and Voting Rights Requirements below). Generally, FPIs may follow home country practice in lieu of these requirements. Please consult the Exchange if you have any questions.
The letter also gives reminders to NYSE-listed companies on the new “compliance by reverse split” rules, timely alert policies, notification requirements, annual & interim affirmations, related party transactions, voting requirements for proposals at shareholder meetings, and more.
Nasdaq recently published Issuer Alert 2025-01, which is focused on Rule 5250(e)(7) notification requirements for reverse stock splits that changed as of January 30th. Here’s more detail:
On January 30, 2025, the deadline for a listed company to notify Nasdaq about a reverse stock split will change from five (5) business days to ten (10) calendar days in order to conform to the requirements of SEC Rule 10b-17 of the Securities Exchange Act of 1934. Nasdaq is not amending the existing requirement to provide public disclosure of the reverse stock split at least two (2) business days (no later than 12 p.m. ET) prior to the anticipated market effective date.
Under the amended rules, a listed company conducting a reverse stock split must:
• Notify Nasdaq of certain details of the reverse stock split no later than 12 p.m. ET at least ten (10) calendar days prior to the anticipated market effective date (rather than our current rule requiring five (5) business days notice); and
• Publicly disclose the reverse stock split by 12 p.m. ET at least two (2) business days prior to the anticipated market effective date (unchanged from current requirement).
Nasdaq notes that it won’t process a reverse stock split unless the above requirements have been satisfied, and it will halt trading in the security of any issuer that effects a reverse stock split without meeting these requirements. The notification form requires the company to include the new CUSIP number, the date that board and shareholder approval was obtained (if required), and the date that DTC made the new CUSIP eligible. The submission must also include a copy of the company’s draft public disclosure.
Nasdaq’s “disclose or comply” board diversity rule is officially gone. Nasdaq filed the proposed technical amendments with the SEC last month to delete Rule 5605(f), requesting effectiveness as of February 4th – which was the effective date of the federal court’s decision that struck down the rule. The SEC notice declared the rule change operative upon filing.
Some companies continued to request board demographic info in their D&O questionnaires this season – in large part because the court decision came too late to make a change and it wasn’t certain whether Nasdaq would appeal, and also because it was unclear at the time the questionnaires went out whether investors would still want to see the info. We’ve now seen we’ve seen BlackRock and Vanguard shift their voting policy language on board diversity.
Remember too, as Meredith blogged in December, the decision to vacate Nasdaq’s rules could have broader implications going forward, even when it comes to “traditional” disclosure rules. Stay tuned.
I’m excited to announce the launch of “Mentorship Matters with Dave & Liz” – a new podcast series available to members of TheCorporateCounsel.net. Dave Lynn and I will be sharing our perspectives on mentorship and career development – which we hope can help those looking for guidance on their own career path, as well as those who are looking for ideas on how to support people who are newer to the field.
Dave and I will be sharing our own stories and interviewing people in the community. We look forward to building on the support to our members that we provide through The Mentor Blog – and adding to our manypodcastofferings across our sites.
We blogged last fall about an NYSE rule proposal that would make it more difficult for companies to use repeated reverse stock splits to maintain compliance with continued listing standards. The SEC designated January 15th as the date by which it would either approve or disapprove, or institute proceedings to determine whether to disapprove, the proposed rule change. In the meantime, the NYSE amended its rule filing twice – here’s Amendment No. 2. The SEC didn’t receive any additional comments.
On January 15th, the SEC approved the rule change, as modified by Amendment No. 2, on an accelerated basis. Here’s more detail:
The Exchange now proposes to amend Section 802.01C to limit the circumstances under which a listed company that fails to meet the Price Criteria may be provided a compliance period under Section 802.01C. Specifically, the Exchange proposes that, notwithstanding the general ability of a listed company to utilize a reverse stock split as a mechanism for regaining compliance with the Price Criteria, if a listed company’s security fails to meet the Price Criteria and the company (i) has effected a reverse stock split over the prior one-year period13 or (ii) has effected one or more reverse stock splits over the prior two-year period with a cumulative ratio of 200 shares or more to one, then the company shall not be eligible for any compliance period specified in Section 802.01C and the Exchange will immediately commence suspension and delisting procedures with respect to such security in accordance with Section 804.00 of the Manual.
The Exchange also proposes to amend Section 802.01C to prohibit a listed company from effectuating a reverse stock split, for purposes of regaining compliance with the Price Criteria or otherwise, if the effectuation of such reverse stock split results in the company’s security falling below the continued listing requirements of Section 802.01A of the Manual (Distribution Criteria for Capital or Common Stock (including Equity Investment Tracking Stock)). If a listed company effectuates a reverse stock split notwithstanding this limitation, the company would not be eligible to follow the procedures outlined in Sections 802.02 and 802.03 of the Manual and the Exchange would immediately commence suspension and delisting procedures with respect to such security in accordance with Section 804.00 of the Manual.
Note that this new rule applies to a listed company even if the company was in compliance with the Price Criteria at the time of its prior reverse stock split.
I blogged yesterday about an enforcement action in which the SEC brought charges under the negligence-based antifraud provision of Securities Act Section 17 (specifically, Section 17(a)(3)), based only on grants of restricted stock to directors under an equity incentive plan. I have usually not paid much attention to these charges in complaints because in many cases there is a larger population of award recipients, but this one jumped out at me.
A member reminded me that this is an easy charge for the Enforcement Division to tack on, because not only does it not require scienter, but it can be predicated on either an offer or a sale. Having a registration statement on file is considered an “offer” – and an S-8 is low-hanging fruit. Most public companies have an S-8 on file, so it’s common for Enforcement to add this to its list of charges in an action. (Even if the only people actually receiving awards were directors!)
Programming Note: In observance of Martin Luther King Jr. Day, we will not be publishing blogs on Monday. We’ll return Tuesday.
Earlier this week, the SEC announced what I am pretty sure is the first “AI washing” case against a public company. (Please correct me if I’m wrong – we like to keep a solid record here.) Here’s more detail:
According to the SEC’s order, Presto made false and misleading claims about Presto Voice in Commission filings and public statements from November 2021 through May 2023. The order found that Presto’s statements regarding the technology powering Presto Voice were misleading because Presto failed to disclose that, for a period of time, the AI speech recognition technology in all units of Presto Voice that the company had then deployed was owned and operated by a third party.
Subsequently, Presto did deploy Presto Voice units powered by its own AI speech recognition technology with certain customers, but it falsely claimed that its own AI product eliminated the need for human order-taking. In fact, the vast majority of drive-thru orders placed through this version of Presto Voice required human intervention. The SEC’s order also found that Presto misleadingly disclosed its reported rate of orders completed without human intervention using this technology.
The SEC had previously brought charges against two investment advisors earlier this year and against at least one former founder and CEO, relating to private fundraising activity. As Dave predicted last March, it was only a matter of time before we’d see an action against a public company. Outgoing SEC Chair Gary Gensler has been talking about “AI washing” quite a bit – and he shared disclosure tips for artificial intelligence topics back in September (see this Baker Donelson memo for additional insights on preparing AI disclosures).
With all that build-up, I was a little surprised to see that the remedy in this inaugural action was merely a cease-and-desist order. The SEC did not impose a civil penalty – even though the fact pattern included a lot of the SEC’s favorite enforcement topics. For example, the company was a de-SPAC, and – wait for it – the order says that the company had no disclosure controls and procedures:
During this time period, Presto had no established process for drafting, reviewing, or approving periodic or current reports required to be filed with the Commission. Although Presto adopted a policy for review of press releases in December 2023, it never implemented disclosure controls and policies and procedures for reviewing periodic or current reports required to be filed by the company. As a result, Presto did not have an established process to ensure that the information required to be disclosed in its filings was recorded, processed, summarized, and reported accurately, or that information required to be disclosed by the company was accumulated and communicated to Presto’s management for timely assessment and disclosure pursuant to applicable rules and regulations. The result of this failure is that no one at Presto was formally responsible for ensuring that the information disclosed in Presto’s Commission filings was accurate.
I’d like to think this is a sign of brighter days ahead when it comes to leniency for deficient DCPs. What’s more likely is that it was unrealistic to collect a fine here. The SEC said the company cooperated, and it has since deregistered.
In addition to our “Artificial Intelligence” Practice Area on this site for governance and disclosure issues, we have a new resource. If you’re looking for direction on other compliance issues arising from AI, cyber, and other emerging technologies, make sure to check out our new “AI Counsel” blog! John and Zachary are sharing best practices and providing alerts about evolving issues for front-line risk management and compliance professionals.
Earlier this week, the SEC announced settled charges based on disclosure a hospitality services company made about its investigation into a completed ransomware incident. Here’s more detail from the complaint:
[The company stated that the cybersecurity incident] resulted in “potential exposure of certain employee personal information.” Ashford went on to state, “[w]e have completed an investigation and have identified certain employee information that may have been exposed, but we have not identified that any customer information was exposed.”
Ashford, however, knew or should have known that, contrary to its public disclosures, customer information was exposed, because, as Ashford knew or should have known, the files exfiltrated in the September 2023 Cyber Incident did contain customer information, including but not limited to sensitive personally identifiable information (“PII”) and financial information for some of Ashford’s customers.
This will be one of the final – if not the final – cyber enforcement action announced under outgoing Chair Gary Gensler’s leadership, and we don’t know yet whether it will continue to be an area of focus. But for now, the settlement underscores the need to pay close attention to the details of any cybersecurity incident disclosure. Here are 4 reasons why:
1. The Enforcement Division pays attention to cyber disclosures, even if they are outside of the new(ish) line-item requirements. Here, the incident and initial disclosure occurred prior to compliance date for reporting material cybersecurity incidents on Form 8-K. The disclosures appeared in the company’s discussion of litigation proceedings in its periodic reports, as well as in a risk factor in the company’s Form 10-K. Following the initial disclosure, the Staff reached out to the company to request additional information, which the company voluntarily provided, but it also continued to repeat the disclosure in subsequent filings until August 2024, when it removed language that it had “not identified any customer information was disclosed” and stated that it had notified affected individuals.
2. The investigation really dug into the terms and execution of the company’s incident response plan, in order to determine whether the company “knew or should have known” that the disclosure was materially false and misleading. In this case, the SEC said that the file names in the list suggested that the files contained sensitive customer information. For example, hundreds of file names contained titles such as “guest incident report” and “guest folio” with a corresponding customer name and/or date of their stay. However, when the company contacted employees whose departments maintained those files and asked them whether they kept customer PII, they did not have them review the file trees for the compromised data and apparently did not involve the employees in the incident response plan. The SEC said that had the employees seen the file tree, they would have known there was PII, and that the company’s response was inconsistent with its incident response plan.
3. As support for its allegation that the statements were material, the SEC cited to risk factor disclosure that said, “protection of business partners, employees and company data is critically important to [it].” (In other words, in addition to ensuring your cyber disclosure is accurate, it’s also important to vet language in your risk factors to ensure that you aren’t overstating the importance of particular issues.)
4. The allegedly problematic disclosures first appeared in a Form 10-Q filed in November 2023, which wasn’t that long ago, and the company is no longer a registered issuer. The SEC investigated and settled these charges rather quickly and pursued the settlement even though the company deregistered. It assessed a modest penalty of $115k, which took into account the company’s cooperation. The company didn’t admit or deny the allegations.
Lastly, it was interesting to note the charges tied to equity awards and a Form S-8 registration statement. In addition to charges under Section 13(a) of the Exchange Act, the SEC brought a charge under Section 17(a)(3) of the Securities Act, which prohibits engaging in any transaction “which operates or would operate as a fraud or deceit upon the purchaser.” The charge seems to be based on the company’s grants of stock and deferred stock to its directors under an equity incentive plan registered on Form S-8. As we’ve noted previously in the July-August 2021 issue of The Corporate Counsel newsletter (and elsewhere), the SEC’s Enforcement Division isn’t shy about claims based on Form S-8 registration statements, but it may still come as a surprise to some people that this charge was in play when the only “purchasers” in this case were directors who presumably had full information.
Side note: In footnote 2 of the 2018 concept release on compensatory security offerings, the SEC shed light on the parameters of the “no-sale” theory for compensatory grants. I didn’t dig into the details of the restricted stock grants in the case at hand, but it appears the SEC considered the directors to be “purchasers” – which implies that the “no-sale” position was a “no-go.” So, remember to be cautious if you are ever looking to rely on that theory.
