Author Archives: Liz Dunshee

June 4, 2021

GDPR Turns 3: Looking Back at Big Fines

The GDPR turned 3 last week. This BBC article takes a look at the biggest fines so far, and what led to them. The inclusion of a couple US companies shows that if you’re doing a lot of business in Europe, you need to be extra vigilant on data privacy & cybersecurity.

Liz Dunshee

June 4, 2021

GDPR: Regulatory & Enforcement Trends

This 20-page memo from Baker Hostetler takes a deep dive into data security and incident response plans. It gives 14 key takeaways on the front page that are worth checking out. Since we’re on the topic of GDPR today, I’ll highlight the EU regulatory update from page 13. Here are a few nuggets:

Timing Is (Still) Everything – Much of the focus on GDPR’s notice obligations has been on the 72-hour deadline for notifying a data protection authority (DPA). While some DPAs accept delays accompanied by explanations, others take a much narrower view of the permissible bases for extending the deadline. In particular, the Dutch DPA has taken a hard stance that the need to further investigate the incident and its effects is not a sufficient reason for delayed notice. Several other DPAs, including in Ireland and Sweden, fined companies for failing to notify within the 72-hour deadline. Companies subject to the GDPR should be prepared to move quickly to make an initial, timely notification that may require follow-up once a more complete analysis is ready.

Data Controller Responsibility – DPAs tend to have the greatest interest and assess the largest fines in incidents where the DPA finds fault with the company’s responsibility for EU personal data, particularly where there are repeat data breaches. In particular, DPAs have assessed how companies — identify and respond to data breaches, implement and maintain organizational and technical measures to safeguard personal data, assess third-party vendors, conduct data protection-related risk assessments, and document data breaches.

Mitigating Circumstances – DPA enforcement actions in 2020 drew particular attention to a number of mitigating factors in determining fines, and we expect these to be of continuing relevance this year – financial hardship, actions taken to minimize harm to individuals, cooperation with the DPA, appropriate notice to the regulator and individuals, other fines already imposed for the same incident, and absence of prior violations.

The memo also predicts that enforcement will expand during 2021 because more countries are implementing data breach notification procedures. But, since DPAs are just as overworked as the rest of us, they seem less likely to follow up on incidents that involved a small number of individuals or less-sensitive personal data, or companies without a significant EU footprint. Here’s a checklist for compliance for US companies.

Liz Dunshee

June 3, 2021

Engine No. 1: Third Exxon Seat – And Possible ETF?!

Yesterday, ExxonMobil filed its Form 8-K to report the voting results from its annual meeting. The preliminary count, which is not yet certified, indicates that Engine No. 1 won three board seats on the company’s 12-member board, one more than had been predicted after the meeting last week. Engine No. 1 had waged a campaign based on the impact of Exxon’s fossil fuel strategy on its financial performance.

The activist’s win is especially shocking in light of the fact that Exxon had appointed three other directors earlier this year in an attempt to appease investors. Two of those new directors – Michael Angelakis and Jeff Ubben – had the highest number of votes out of anyone. The third – Wan Zulkiflee (former CEO of Petronas) – was voted off the board after only four months of service.

The dissident directors who appear to have been elected are Kaisa Hietala (environmental scientist and former Neste EVP), Greg Goff (former CEO of Andeavor) and Alexander Karsner (strategist/PE investor/formerly at Google X and the Department of Energy). As Lynn blogged last week, shareholders also approved shareholder proposals calling for more disclosure of climate lobbying and other political activities, which weren’t supported by the board.

This probably won’t be the last we’ll hear of Engine No. 1. While it was busy making a big name for itself last week with Exxon, it also managed to file a pre-effective amendment to a registration statement to launch an ETF, which identifies Schulte Roth & Zabel as outside counsel, lists “activism” as a risk factor, and also includes this nugget:

Principal Investment Strategies: The Fund seeks investment results that closely correspond, before fees and expenses, to the performance of the Morningstar US Large Cap Select Index (the “Underlying Index”), which measures the performance of the 500 largest U.S. stocks by market capitalization, as determined by Morningstar, Inc. The Underlying Index consists of securities from a broad range of industries. As of March 31, 2021, the Underlying Index is represented by securities of companies in sectors including, but not limited to, consumer, energy, financial services, healthcare, technology, and utilities. The components of the Underlying Index are likely to change over time and the Underlying Index and the Fund are rebalanced on a quarterly basis. To the extent that the securities in the Underlying Index are concentrated in one or more industries or groups of industries, the Fund may concentrate in such industries or groups of industries. As of March 31, 2021, the Underlying Index is not concentrated in an industry or group of industries.

The Fund seeks to encourage transformational change at the public companies within its portfolio through the application of proxy voting guidelines developed by the Adviser that are based on a commitment to protecting and enhancing the value of its clients’ assets and to aligning shareholder and stakeholder interests through favoring actions that encourage companies to invest in their employees, communities, customers and the environment.

Our Adviser intends to measure the investment made by companies in their employees, communities, customers and the environment with financial, operational, and environmental, social and governance (“ESG”) metrics that are provided by (i) the companies themselves, (ii) third-party data providers, and (iii) the Adviser itself. These metrics include, but are not limited to, wages, workforce diversity, employee health and safety, capital expenditures, carbon emissions, and land use, among others. The Fund’s proxy voting guidelines will apply to all companies held by the Fund. The Adviser will generally follow the recommendations of an independent third party proxy voting service retained by the Adviser to implement the proxy voting guidelines when determining how to vote on any specific matter.

The Fund will invest at least 80% of its Assets in securities included in the Underlying Index.

Liz Dunshee

June 3, 2021

Comments on Mandatory Climate Disclosure: TCFD & SASB Get a Nod

With about 2 weeks to go before the expiration of the time frame that the SEC had set to collect public input on the possibility of climate change disclosure rules, the Commission has held at least a couple dozen meetings with corporate leaders and trade organizations. In connection with those meetings, companies including Apple and Salesforce have spoken out in support of rulemaking. Most seem to be falling in line with support for principles-based disclosure.

Uber is one of the only companies so far that has taken the extra step of submitting a comment letter. In it, the ride-sharing company says it supports using existing principles-based frameworks to harmonize climate disclosures. Here’s an excerpt:

We support a climate disclosure framework that incorporates TCFD or SASB standards and is generally principles-based, so as to be sufficiently flexible to adapt to market and scientific developments and to accommodate the needs of public companies in various industries and at differing stages in their life cycles. We believe this approach would build upon years of thought leadership and stakeholder engagement by TCFD and SASB whose recommendations and standards are already utilized as a basis for voluntary reporting on climate change by many public companies…

…Incorporating the TCFD or SASB frameworks into a new, comprehensive and harmonized climate disclosure framework, promulgated by the Commission, will facilitate faster and more widespread adoption which would ultimately serve the best interests of investors.

In addition, we encourage the Commission to consider requiring that companies perform a company-specific materiality assessment to identify the ESG issues most relevant to their businesses. We believe that the most useful ESG disclosures will be grounded in the specific issues that are relevant to the particular company, as opposed to generic ESG disclosures that may or may not apply in a company’s individual circumstances.

Not everyone supports mandatory disclosure. I blogged about a First Amendment threat by West Virginia’s AG. The US Chamber of Commerce seems to be opposed to any legislation or Commission rules that would require ESG disclosures, and this letter argues that extra disclosure would have a disproportionate effect on smaller companies.

Liz Dunshee

June 3, 2021

ESG Disclosures: TCFD Overtakes SASB As Investors’ Preferred Framework?

About a year ago, everyone was jumping on the SASB bandwagon and predicting it would become investors’ preferred disclosure framework. According to Morrow’s recent Institutional Investor Survey, though, sentiment has shifted. Here are some takeaways from 49 participants that collectively have $29 trillion in assets under management:

– 75% prefer the TCFD reporting framework

– 53% prefer SASB (down from 77% a year ago)

– 39% prefer proprietary in-house frameworks focused on material topics (up from 9% last year)

The TCFD framework encourages companies to use existing disclosure processes to report on climate-related risks and opportunities – focusing on governance, strategy, risk management, and metrics & targets. SASB is very industry-based and has been adopted by many companies as a way to map through and disclose financially material ESG information.

These two frameworks are also complementary in some ways – both are incorporated in the World Economic Forum’s “Stakeholder Capitalism Metrics” – which is part of the effort that was announced last fall to promote a single comprehensive reporting system. With standard-setters collaborating, companies becoming more mature in their own reporting, investors evolving the type of info they want, and an SEC proposal potentially on the horizon, it will be interesting to see where this all stands in another year.

Liz Dunshee

June 2, 2021

Proxy Advisors: SEC Won’t Enforce Last Year’s Rules, Pending Possible Reversal

Yesterday, in response to a directive from SEC Chair Gary Gensler, Corp Fin announced that:

1. It’s considering whether to recommend that the Commission revisit the proxy advisor rules that were adopted last summer – which would require proxy advisors to meet new conditions beginning December 1st of this year – and the Commission-level interpretive guidance that was issued the year before.

2. The Staff won’t recommend enforcement action to the Commission during the period in which the SEC is considering further regulatory action.

3. In the event that new regulatory action leaves the 2020 exemption conditions in place with the current December 1, 2021 compliance date, the staff will not recommend any enforcement action based on those conditions for a reasonable period of time after any resumption by Institutional Shareholder Services Inc. of its litigation challenging the 2020 amendments and the 2019 Interpretation and Guidance. (ISS v. SEC, 1:19-cv-3275 (D.D.C.))

This is the latest chapter in the long, ongoing saga over proxy advisors. The 2020 rules and 2019 guidance define proxy advice as a “solicitation” and would require proxy advisors to disclose conflicts of interest and adopt policies that allow for companies to review & respond to voting recommendations, in order to be exempt from the information & filing requirements that would otherwise apply to a solicitation. The amendments also specify what circumstances would cause proxy advice to be “misleading” within the meaning of anti-fraud rules.

The rules were celebrated by many companies, but proxy advisors and their investor clients criticized the proposal process, took issue with the Commission’s statutory authority, and felt that the substance of the rules would delay and impair the proxy voting process. This, in turn, made some companies worry that the proxy voting timeline would become even more compressed. As mentioned in yesterday’s Staff statement, ISS even sued the SEC over its efforts to regulate the industry, and appeared to be moving forward with that proceeding as recently as last August.

In light of those issues and the fact that the compliance date has not yet arrived, I’ve been wondering whether we’d see some steps to unwind (or not defend) the rules. Some are pondering whether this is the beginning of a trend of “back & forth” rulemaking, which would create uncertainty.

Commissioners Hester Peirce and Elad Roisman issued a response to Chair Gensler’s statement yesterday, saying that the 2020 rules were the result of an unassailable process and that there is no data yet to evaluate whether the rules work in practice. Meanwhile, CII called yesterday’s directive “Christmas in June for investors.”

Liz Dunshee

June 2, 2021

Enforcement’s Tesla Tweet Stalemate: How to Talk So Elon Will Listen?

The premise of one of my favorite parenting books is that standard negotiation techniques – logic, bribes, threats – aren’t going to deliver when it’s 8pm and my 3-year-old has been refusing to leave the playground for the last 45 minutes. In that situation, the only way out is to use a Jedi mind trick to reverse engineer and validate his deepest desires, and make the ride home even more magical and exciting than another trip down the 2-story slide.

It seems like that’s kind of the position that the SEC finds itself in with Elon Musk, especially after reading this WSJ article yesterday about the Enforcement Division’s attempts to follow up on tweets that the Commission believed went against its 2018 settlement with the Technoking. Here’s an excerpt:

From the start, the social-media policy was difficult for the SEC to enforce. The SEC accused Mr. Musk of violating the rules in February 2019 and asked a Manhattan federal court to consider holding him in contempt. The judge signaled she wanted the two sides to settle the dispute and they agreed to modify the policy by clarifying which topics required pre-approval. Those were identified as including communications about production figures, new business lines and the company’s financial condition.

Within months, the SEC was writing Tesla again, questioning a tweet Mr. Musk wrote on July 29, 2019, that stated: “Spooling up production line rapidly. Hoping to manufacture ~1000 solar roofs/week by end of this year.”

It’s not surprising that this notion of “pre-clearing” tweets isn’t playing out smoothly – the question all along has been, what can the SEC do about it? The WSJ says that the latest dispute, over a May 2020 tweet, appears to have ended in a stalemate. The Enforcement Division encouraged the company to apply its disclosure controls & procedures, Tesla said it hadn’t done anything wrong, the SEC threatened to go back to court, and nothing happened.

Yes, the SEC is still working through the permissible ways for companies to use social media. The board and Elon are also defendants in shareholder suits because of these tweets. Maybe for this high-profile CEO, someone also needs to find a way to make compliance as fun as public taunting.

Liz Dunshee

June 2, 2021

Evolving Geopolitical Risks: Investors Aren’t Scared

The BlackRock Investment Institute has relaunched its “Geopolitical Risk Dashboard” (there’s also an interactive version) – adding 4 new risks to the “top 10”:

– COVID-19 resurgence: The fight against COVID-19 falters in the developed world.

– Climate policy gridlock: Developed economies fail to take policy actions consistent with their goals to reach net-zero emissions.

– Emerging markets political crisis: Failure to arrest the COVID-19 pandemic severely stresses EM political systems and institutions.

– Global technology decoupling: Technology decoupling between the U.S. and China significantly accelerates in scale and scope.

The unique thing about BlackRock’s dashboard is that it includes indicators that show whether the risks are on investor radar screens, and it analyzes how much markets have already priced in each risk. BlackRock finds that investors have been feeling pretty good since the change in the US administration, and attention to geopolitical risks is below the average of the past four years. Unfortunately that means that if some of these risks materialize, they could catch the markets off-guard.

Liz Dunshee

June 1, 2021

Lead Director as Shareholder Liaison: Lessons From Engine No. 1

This HLS blog from Nell Minow predicts that we’ll see more ESG-focused proxy fights in light of the results last week at ExxonMobil. Here’s her concluding recommendation:

Every board should have a committee that oversees investor communications and lead directors should be liaisons for shareholder concerns. They should expect a lot more interest from shareholders in the quality of the board, with emphasis on independence that goes beyond resume disclosures. Wise boards will solicit suggestions from investors and make sure that all directors know that their obligation as fiduciaries is to shareholders, not executives, and that their actions make that message clear to shareholders as well. Engine No. 1 is the first of a new kind of activists; its success makes it clear it will not be the last.

Liz Dunshee

June 1, 2021

Internal Audit Assessments: Tool for Audit Committees

Internal audit oversight is typically part of the audit committee’s charter because of listing exchange rules. It’s also part of ensuring the directors are getting quality info about the company’s risk profile & financial results.

The Institute of Internal Auditors recently launched a tool to help audit committees make sure the internal audit function is working well. Here are the sample questions it proposes the committee consider with regard to risk management:

– Does the IA activity expand the board or AC’s knowledge about current and emerging risks to the organization?

– Are there clear links between the audit plan and the organization’s strategic objectives and risks?

– Does the CAE explain to the AC how the audit plan covers challenging and critical areas, including emerging or existing risk areas that will or could impede the organization’s objectives?

Liz Dunshee