August is often a busy time for board meetings. While everybody is eager to get back to “normal,” a few folks have told me that their careful plans to resume in-person meetings are getting thrown by the wayside due to the latest Covid surge. This recent straw poll from Financial Advisor IQ is focused on the wealth management field, but says that 38% of professionals are currently rethinking in-person business meetings – and 14% never resumed them in the first place.
Remember that we’re running a “Quick Survey” on board meeting health protocols – here are the results to-date. Please take a minute to participate!
– Liz Dunshee
Yesterday, the SEC announced a $1 million settlement related to “cyber breach” risk factor disclosures and inadequate disclosure controls & procedures. Here are more details:
The SEC’s order finds that Pearson made misleading statements and omissions about the 2018 data breach involving the theft of student data and administrator log-in credentials of 13,000 school, district and university customer accounts. In its semi-annual report, filed in July 2019, Pearson referred to a data privacy incident as a hypothetical risk, when, in fact, the 2018 cyber intrusion had already occurred. And in a July 2019 media statement, Pearson stated that the breach may include dates of births and email addresses, when, in fact, it knew that such records were stolen, and that Pearson had “strict protections” in place, when, in fact, it failed to patch the critical vulnerability for six months after it was notified.
The media statement also omitted that millions of rows of student data and usernames and hashed passwords were stolen. The order also finds that Pearson’s disclosure controls and procedures were not designed to ensure that those responsible for making disclosure determinations were informed of certain information about the circumstances surrounding the breach.
The Pearson action is the second cyber-related settlement out of the Enforcement Division’s Cyber Unit since mid-June. At that time, the Commission settled charges relating to alleged failures in disclosure controls & procedures, which resulted in management lacking the info they needed to make accurate disclosures. Just a few days later, the Enforcement Division initiated information requests relating to the SolarWinds cyberattack. So far, the dollar values of the settlements aren’t huge – but they’re sending a message: be transparent with your disclosures.
If you missed yesterday’s blog, I highlighted sample cyber disclosures – and insider trading considerations. Meredith reminded listeners during our recent webcast that if you have a cyber breach, you don’t just need to close your window, you also need to lock all the doors. The point is, take it seriously. The Enforcement Staff may not be cutting much slack. As always, we’ll be posting memos about the enforcement action and disclosure & governance considerations in our “Cybersecurity” Practice Area.
– Liz Dunshee
We’ve been posting a ton of good memos in our “Nasdaq” Practice Area about the new listing rule that will require listed companies to:
1. Annually provide matrix (or substantially similar) disclosure of board diversity characteristics in the company’s proxy, Form 10-K or on the website, and
2. “Comply or explain” in regards to a new board composition requirement to have at least two “diverse” directors, including one director who self-identifies as female and one who self-identifies as an “underrepresented minority” or part of the LGBTQ+ community
If you’re trying to sort through when exactly you’ll be required to comply with these requirements and whether you’re subject to any exemptions, you’d do well to keep an eye on Nasdaq’s FAQs – which, as our friends at Goodwin pointed out, are now in their third or fourth iteration since the rule was approved. The FAQs:
– Emphasize that companies need to make the initial matrix disclosure in 2022:
• If a company files its 2022 proxy BEFORE August 8, 2022 and DOES NOT include the Matrix, then the company has until August 8, 2022 to provide the Matrix.
• If a company files its 2022 proxy ON or AFTER August 8, 2022, then it must either include the matrix in its proxy or post the Matrix on its website within one business day of filing its proxy.
• If a company only posts the Matrix on its website, then the company has until August 8, 2022 to provide the Matrix. Companies that elect to provide the Matrix on their website must also complete a short form through the Listing Center that includes the URL link to the disclosure.
– Continue to say that companies have until August 7th, 2023 to have at least one “diverse” director on the board (or explain why they don’t) – and a longer transition period for having two diverse directors
– Continue to explain the flexibility for smaller reporting companies, the SPAC exemption, etc.
Nasdaq has also invited listed companies to a series of webcasts – including one at noon eastern today – to help companies understand the listing rules and access free board recruiting services. The webcasts are also available for replay.
– Liz Dunshee
Last week, the SEC Commissioners issued this joint statement to thank Joe Brenner for 10 years of service as the Enforcement Division’s Chief Counsel – where he advised the Director of Enforcement as well as the Staff on investigations and recommendations to the Commission. Previously, Joe had been a Partner at Wilmer Hale.
– Liz Dunshee
Although the SEC hasn’t defined “human capital,” it does require companies to provide info about those resources, to the extent that info is material to the business as a whole. Staff comment letters & revised company disclosures can help us understand what Corp Fin is looking for – or at least what the Staff has flagged as potentially inadequate.
This Bass Berry blog does a nice job of outlining comment letter trends. They note that most of the comment letters so far are on registration statements, not Form 10-Ks. Here’s an excerpt:
As reflected in the underlying data chart, the SEC Staff’s comment on the human capital disclosures often simply cited the new regulation without any further explanation or guidance. However, an analysis of the revised filings by the registrants in response to the SEC Staff’s comments shines more light on the SEC’s expectations, or at least how registrants interpreted the requirements. While there were broad differences in which and how many human capital metrics companies disclosed, the following were the most common:
– Number of employees.
– Geographical distribution of employees.
– Breakdown of types of employees (e.g., full-time, part-time, seasonal).
– Steps taken to identify, recruit, and retain new and existing employees.
– Commitments to diversity and inclusion.
– Whether employees are represented by a labor union or covered by a collective bargaining agreement.
– Status of the company’s relationship with employees (e.g., good, satisfactory).
– Employee incentives and benefits (e.g., insurance packages, stock-based compensation awards, cash-based performance bonus awards).
– Employee learning/development/training programs.
– Core values (e.g., learning, development, inclusion, diversity, teamwork).
– Social impact and social justice initiatives.
– Impact of and response to the COVID-19 pandemic.
– Employee safety measures.
– Diversity statistics.
– Use of employee engagement surveys.
It is clear from our review that human capital disclosures are individualized and industry-dependent. Most filings addressed only a few of these subjects. Companies also varied in taking a qualitative or quantitative approach in response to comments, but the general theme is that quantitative information was typically not provided in the response, and, if it was, the information related to diversity statistics.
– Liz Dunshee
This 20-page Mayer Brown memo looks at where cyber disclosures are appearing – and what they’re saying. Samples include:
– Risk Factors: “general” cyber risk disclosures, risks specific to e-commerce, disclosures that cover the intersection of cybersecurity and data privacy, and disclosures about actual or known breaches.
– Description of Business: “general” disclosures, financial services industry, actual or known breaches, and ongoing litigation about breaches.
– MD&A: “general” disclosures, risk management, actual or known breaches, internal controls or material weaknesses from failure to address cyber risks, ongoing litigation about breaches.
The memo suggests ways to improve your required cyber disclosures – including consideration of whether to disclose the costs of managing & combating risks, and how to balance the need to make specific disclosures with the need to safeguard sensitive info.
I blogged a few months ago about the idea of using “risk ratings” to help convey the appropriate level of information. ISS Corporate Solutions has now also announced that it’ll be making its Cyber Risk Scores available on OneTrust Vendorpedia – so these scores might start to get more use.
– Liz Dunshee
We’ve posted the transcript from our recent webcast for members, “Insider Trading Policies & Rule 10b5-1 Plans.” Meredith Cross of WilmerHale, Alan Dye of Hogan Lovells and Section16.net, Dave Lynn of Morrison & Foerster and TheCorporateCounsel.net, and Haima Marlier of Morrison & Foerster covered these topics:
1. The New Enforcement Environment (including Focus on Rule 10b5-1 Plans)
2. Rule 10b5-1 Plan Considerations for Share Buybacks
3. Intersection of Insider Trading Policies & Rule 10b5-1 Plans
4. Pre-clearance Procedures and Blackout Period Trends
5. Pledging, Hedging & Short-Selling Transactions
6. Cybersecurity & Other Materiality Considerations
7. Latest Developments with Compliance Training
8. Defending an Insider Trading Action
– Liz Dunshee
Earlier this week, I asked my first-grader what sport he’d want to compete in if he could be an Olympian. When he responded that he wants to do whatever earns money so that he could buy video games, I feared the Games had lost their luster. But the very next day, our faithful correspondent Nina Flax sent in her latest “list” – and it’s heartening to see that the event is still imparting plenty of inspiration and self-reflection. From Nina:
I must admit that I do not remember my first Olympics exposure as a child (though I do very fondly remember my first viewings of Cool Runnings and Miracle). A few days into the Olympics, I thought I might share some of what I love about the Olympics more generally.
1. The Games are Inspiring. Seeing the culmination of all of the hard work put in by these athletes, and the amazing display of expertise is simply inspiring. (Side note: Yes, for those of you who have read some of the previous lists, I sometimes cry because I am so inspired.)
2. They also provide a reality check. Some people are just born with natural talents. I do not feel bad that I was not able to become an Olympic figure skater, and I will not feel bad as a parent if my child does not become an Olympic volleyball player (let’s be honest, I’m 5’1” and my husband is 5’10”). (Also a side note: Yes, I will feel like a failure if my child does not love reading.)
3. I appreciate the importance of personal interests. See item 1 above. These athletes grew into their sports out of personal interest – and that interest has helped define who they are in different moments. It is also refreshing to hear the stories about athletes who take breaks because of a falling out of love, and sometimes find their way back to joy in their sports. On a more personal/achievable note, our own game during the opening ceremony was to call my dad for the entire parade of athletes. Otro Papa – have you been to this place? Otro Papa – what about this other place? (My son speaks Spanish, and when he was first starting to speak and we were explaining that his abuelo was also a father just like his Papa was a father, it stuck that my parents are “other” mom and “other” dad. We think it’s cute.) We listed every single country/territory/represented area to see how many he has visited, and then we looked up which officially recognized countries do not have representatives at the games to add those. He has been to most, and he did not start traveling until later in life. His personal passion has driven joy and years to his life. Even if you are not an Olympian, there are ways personal interests can enrich and “purpose-fy” your life. Appreciating the personal interests of others and the impact of those interests on their lives also inspires me. Which is a nice reinforcing loop.
4. I always learn something new. Like about the pictograms! I had no idea that they were first introduced when Japan hosted the Games in 1964. Genius. If you haven’t watched this part of the opening ceremony, you should (and also the drones!).
My night-time work productivity and sleep will admittedly likely decrease this week and next as I continue to watch recaps and replays. Like watching the replay of the US vs. Sweden women’s soccer game – where my son rooted for Sweden because he liked the color of their shirts. Which I was okay with – because I kept pointing out how the US kept playing and trying their hardest to the very end, and how they would need to move on from this loss because they had more games to play and could not let one setback get in their way. Great don’t-give-up, learn-but-don’t-beat-yourself-up moment. Or watching the recap of the women’s gymnastics qualifiers – and appreciating that even women like Simone Biles have off days, and that does not make her any less spectacular. We are all human. I hope everyone is able to enjoy and appreciate the reasons they love the Olympics as well!
– Liz Dunshee
Between news of salary wars, breathless recruiter messages and celebratory LinkedIn announcements, you’ve probably gathered that it’s a hot job market – and congrats to all of our readers who are taking this moment to advance and/or “right-size” their careers! This Think Advisor article says that the SEC hasn’t been immune from the attrition that many of us are facing. It also suggests that the aggressive enforcement environment that I blogged about earlier this week could also be contributing to turnover, at least in that particular Division.
According to the article, the reason for that is two-fold. First, departures are common in times of transition & leadership changes – and there have been a lot of changes at the Commission this year. Second, the Enforcement Division’s initiatives are creating high demand for litigators, which means firms are trying to recruit Staffers. Ironically, that means that the very initiatives that are creating this demand could leave the Staff short-staffed on its cases.
As we all know, SEC Chair Gary Gensler also has an ambitious agenda. That means he not only plans to fill open roles, but also wants to add even more hard workers to the SEC’s roster – in Enforcement and elsewhere. Here’s an excerpt from the article:
Gensler is potentially counting on adding more Staff that will get behind his vision of a watchdog with sharper teeth. In his FY 2022 budget request, Gensler asked for nine additional positions in the enforcement division and in total wants to raise staff from its current 1,316 to 1,330.
In testimony in front of a House appropriations subcommittee on May 26, Gensler said enforcement in 2020 had 6% fewer staff on board than it did in 2016.
Don’t forget to check out our free “Jobs Board” if you’re hiring or looking…and let us know if it helps you find a match!
– Liz Dunshee
If your company is subject to the CCPA, your compliance efforts are probably about to get more complicated. Here’s the intro from this Hogan Lovells memo:
On July 19, California’s recently appointed Attorney General, Rob Bonta, announced the launch of an interactive tool to aid consumers with drafting notices of non-compliance for businesses who fail to publish the “Do Not Sell My Personal Information” link (DNS link) required by the California Consumer Privacy Act (CCPA).
According to the AG, the consumer notice “may trigger” the 30-day cure period businesses enjoy before becoming subject to enforcement actions for non-compliance. Questions remain about use of resident-led notices of non-compliance, including whether this novel approach satisfies CCPA notice requirements or whether it may foster spamming and other abuses.
– Liz Dunshee