Author Archives: Liz Dunshee

January 16, 2025

Cybersecurity: Putting “Board Oversight” Into Practice

If your company suffers a cybersecurity attack, one of the many things you may have to worry about is proving that your board did enough to prevent the incident in the first place. This Skadden memo explains how Delaware fiduciary duties apply to cybersecurity oversight – and suggests approaches to a few common areas of cyber risk:

First, in a world of expanding supply chain risks and “shadow IT,” boards should oversee company processes to track technology assets and understand associated threats. This could be satisfied, for example, via an IT asset mapping exercise, where the organization evaluates the location and interconnections among its various IT devices and networks to understand on what its IT systems depend and what is most critical. The board will want to ensure that management is aware of any technology blind spots, like unmanaged IT assets, and how the company addresses potential blind spots.

Second, regulators increasingly expect companies to adopt clear roles and responsibilities for cybersecurity and IT governance. The chain of command and authority should be clear and should ultimately route up to the board.

Third, boards need to understand to what extent their organization’s IT depends on other companies or specific pieces of technology. Several recent cases have highlighted the ways in which attacks on the software supply chain can have cascading effects far beyond the initial attack. In some sectors, such as financial services, regulators already expect boards to receive summaries or full reports of IT dependency that help pinpoint critical systems or third-party service providers.

If these three dimensions are not accounted for in a company’s governance procedures, officers and directors could face probing questions about the quality and sufficiency of their cybersecurity oversight.

The Skadden team notes that good records are critical to proving that the board acted in good faith to establish and monitor systems for cybersecurity risks, especially since plaintiffs are frequently using books and records demands as a prelude to litigation. They offer these recommendations:

– Consider delegating cybersecurity and data privacy oversight to a board committee and review that committee’s charter to consider specific cybersecurity language.

– Take steps to establish monitoring and compliance systems for cybersecurity issues and pay ongoing attention to them. This may include consulting legal counsel and other experts to identify where risks may arise and how best to monitor them.

– Directors should receive reports from management regarding internal and external cybersecurity events at whatever intervals make sense for a particular company.

– Coordinate with management and advisers regarding compliance with new cybersecurity disclosure rules and regulations.

– Given stockholders’ increasingly frequent demands to inspect corporate books and records as a prelude to litigation, boards should document their efforts and processes in sufficient detail to demonstrate the attention they have paid to understanding and overseeing risk and compliance systems and their responses to any cybersecurity issues that have arisen.

Liz Dunshee

January 16, 2025

SEC Monitoring Impact of California Wildfires

As expected, the SEC has announced that it’s monitoring the impact of the California wildfires on capital markets and lists contact info for the divisions that affected companies can call if they have questions. The announcement also warns against scams and links to summaries of what the DHS, FEMA, and the U.S. government are doing to help wildfire victims.

We continue to hope for the best for all of our members and friends who are affected by this disaster.

Liz Dunshee

January 15, 2025

Section 13(d): SEC (Finally) Sues Elon Musk

I mentioned yesterday that we have seen a number of announcements and settlements out of the SEC Enforcement Division over the past few weeks. When it comes to activity to cover on this blog, I have an embarrassment of riches.

Yesterday, the SEC filed a complaint against Elon Musk in D.C. federal district court, relating to how he reported his ownership stake in Twitter way back in 2022. The WSJ offered this summary:

The SEC’s lawsuit, filed in federal court in the District of Columbia, says Musk’s delayed disclosure of his ownership allowed him to save more than $150 million on buying Twitter stock.

The late disclosure hurt investors who sold at artificially low prices because they didn’t know about Musk’s plans, the SEC says.

The lawsuit comes after a long investigation that Musk sometimes delayed by not appearing for testimony. Musk, now closely aligned with President-elect Donald Trump, will likely ask the commission’s next leader to withdraw the case, teeing up a major test of the agency’s independence from the White House.

As you might remember, and as set forth in the complaint, Musk disclosed his ownership stake in Twitter on a Schedule 13G, more than 20 days after crossing the 5% threshold. The SEC alleges:

Musk understood that any substantial increase in Twitter’s common stock price would increase his costs to purchase shares. Accordingly, Musk’s wealth manager cautioned the broker to make the purchases in a way that would minimize any increase in Twitter’s stock price that might result from the purchases.

Musk and his wealth manager also understood that once Musk’s Twitter stake was disclosed to the public, Twitter’s common stock price might substantially increase.

By the time he filed the 13G, Musk owned 9% of the company’s outstanding common stock and had been in conversations with Twitter about possibly joining the board – and whether the company would consider going private. That’s why, at the time, most securities lawyers watching from the sidelines were surprised that the report was on Schedule 13G rather than Schedule 13D. In its complaint, the SEC also takes issue with that choice.

The SEC is seeking an injunction against further violations of Section 13(d) and Rule 13d-1, disgorgement plus interest, and a civil penalty. Obviously, this is a high-profile case – but if you’re thinking that the SEC wouldn’t spend time pursuing this type of action against people who are not Elon Musk, that’s not quite right. John blogged about a big enforcement sweep just a few months ago – and Meredith shared that the Staff has also been issuing comments. The WSJ also points out that Section 13(d) enforcement is not unusual – and that it’s a strict liability regime:

The new claims against Musk might be hard for a friendlier administration to immediately dismiss. That is because the measure Musk allegedly violated is what regulators call a strict-liability rule. Just as police officers don’t have to prove drivers intended to speed to issue a ticket, regulators don’t have to show an investor meant to violate 13D to bring an enforcement action.

The commission routinely enforces the 13D rule. For instance, in March regulators required HG Vora Capital Management, an investment adviser, to pay a $950,000 fine for violating the regulation. HG Vora disclosed an intent to take over trucking firm Ryder seven days after the 13D deadline, according to the SEC.

Marc Fagel, a former director of the SEC’s San Francisco office, said the need to deter others from doing the same thing may explain why the commission acted. “If you can get away with it when it’s front-page news, why bother to comply at all?” he said.

Keep in mind that the activities that are the subject of this complaint also preceded the amendments to Regulation 13D-G that were adopted a little over a year ago. Now, the deadlines are even tighter – and “machine readable” requirements have also kicked in.

Liz Dunshee

January 15, 2025

Related Parties: Timely Reminder on Family Member Employees!

Over the past couple of years, several companies have paid fines to the SEC to settle claims that they had made deficient disclosure about related party transactions. With this settlement from late last week, we can add another one to the list. It’s a timely reminder for everyone working on 10-Ks and proxies! The SEC’s order alleges:

On March 8, 2021, Shift4 filed a Form 10-K for its fiscal year ended December 31, 2020. The Form 10-K indicated that the related person transaction information required by Item 404 was incorporated by reference to Shift4’s forthcoming proxy statement.

On April 27, 2021, Shift4 filed a definitive proxy statement, which included the election of directors and failed to disclose that a sibling of an executive officer and director (as well as a child of a different director), in 2020, had received approximately $1.1 million in compensation while serving as a nonexecutive employee of the company.

In addition, the proxy statement failed to disclose that a sibling of an executive officer and director (as well as a stepchild of a different director), in 2020, received $281,609 from Shift4 as payment of residual commissions while acting as an independent sales agent not employed by the company.

Similar omissions happened the following year, and the year after that. Because both the 10-K and the proxy were involved, the SEC asserted violations of Exchange Act Section 13(a), Rule 13a-1, Section 14(a) and Rule 14a-3.

The company agreed to pay $750,000 to settle the claim. The SEC said it considered the company’s prompt remedial efforts in assessing that penalty – which included making disclosures and improvements to policies and procedures. Check out this blog from Meredith about how to improve your controls for family member employees before you end up with an RPT disclosure violation. We also had a great webcast on this topic last year – here’s the transcript. And remember that smaller reporting companies have a different lookback period and may have a different disclosure threshold.

Liz Dunshee

January 15, 2025

SEC Chief Accountant Paul Munter to Leave

Congrats to SEC Chief Accountant Paul Munter, who is retiring from federal service effective January 24th, according to a Commission press release published yesterday. We covered many of Paul’s 22 statements and speeches on this blog. We wish him the best!

It is certainly a time of transition at the SEC. Commissioner Jaime Lizárraga’s last day is this Friday, due to his wife’s illness, and Chair Gary Gensler departs on Monday. In the near-term, the Commission will operate with three Commissioners – which is still enough for a quorum. In 2017, it dropped down to two!

Liz Dunshee

January 14, 2025

“Do Not Cross the Boss”

“Don’t cross the boss” can be decent advice, depending on the type of boss you have. At the SEC, though, who is the boss right now?

On one hand, Gary Gensler is still in charge for one more week – and he had a certain view on the SEC’s priorities and how to accomplish them. On the other hand, while it’s too early to make solid predictions, Paul Atkins has been tapped to lead the Commission and has made a lot of public comments about easing companies’ regulatory burdens, and he could also transform the enforcement environment. At least one former SEC official thinks things could get a little less treacherous for companies, and that he’ll encourage the Enforcement Division to focus more on individual wrongdoers.

The anticipated shift probably adds a wrinkle to in-process enforcement actions. The SEC’s newsroom has announced a number of settlements over the past few weeks, but of course the one the SEC announced last week with Vince McMahon – former WWE CEO and Linda McMahon’s legal spouse – caught my eye. Yes, celebrity gossip is what drew me in, but the nerdy securities law issues are what kept me reading till the very end.

The gist of the SEC’s findings, which Vinny Mac neither admits nor denies, is that he entered into two hush money agreements under which he, individually, paid a total of $10.5 million. However, the Mac Attack also signed the agreements on behalf of the company, which also benefitted from releases of claims. He didn’t inform WWE’s board, legal department, accountants, financial reporting personnel, or auditor, about the agreements. So, nobody considered whether those transactions needed to be accounted for or disclosed by the company. According to the SEC’s order, that was a problem:

McMahon’s failure to disclose the Agreements caused material misstatements in WWE’s 2018 and 2021 annual reports and certain quarterly reports. Because the payments required by the 2019 agreement were not recorded, even though the amounts were paid or to be paid by McMahon, WWE overstated its 2018 net income by approximately 8% for the year and approximately 22% for the fourth quarter of 2018. Similarly, because the payments required by the 2022 agreement were not recorded, WWE overstated its 2021 net income and the net income for the fourth quarter of 2021 by approximately 1.7% and 4.9%, respectively. In addition, these Agreements should have been disclosed as related party transactions. The subsequent payments were also not reflected in the books and records of the Company.

Quoting again from the order, here’s why this caused a restatement:

Although McMahon was obligated to pay all amounts owed, the payments under the Settlement Agreements should have been recognized as expenses by the Company as of December 31, 2018 and as of December 31, 2021. WWE was a party to the Agreements, as evidenced by McMahon signing on behalf of the Company. In addition, WWE benefitted from the Settlement Agreements, receiving releases and avoiding reputational harm caused by allegations of misconduct by its CEO being made public.

As noted above, not only was there a restatement issue, but because the CEO, Chairman and principal stockholder agreed to make the payments on behalf of the Company, the SEC said that in addition to recording the expense, WWE was also required to disclose the transactions and the subsequent payments when made as related party transactions under GAAP.

But wait, there’s more! After the agreements came to light and the board investigated and identified the restatement triggers, it clawed back incentive compensation payments that McMahon received during the 12-month periods following filings containing the financial statement periods that the company was required to restate. That takes care of one aspect of the required Sarbanes-Oxley clawback (in this case, the smaller part dollar-wise). What the company did not do was claw back profits received from stock sales during the applicable period. The SEC is not one to let any prong of a SOX 304 clawback slip by, so it brought a claim for that too.

Like I said, this order has something for everyone. The SEC brought claims under various provisions. The press release summarizes:

McMahon consented to the entry of the SEC’s order finding that he violated the Securities Exchange Act by knowingly circumventing WWE’s internal accounting controls and that he directly or indirectly made or caused to be made false or misleading statements to WWE’s auditor. The order also finds that McMahon caused WWE’s violations of the reporting and books and records provisions of the Exchange Act. Without admitting or denying the SEC’s findings, McMahon agreed to cease-and-desist from violating those provisions, pay a $400,000 civil penalty, and reimburse WWE $1,330,915.90 pursuant to Section 304(a) of the Sarbanes-Oxley Act.

That penalty seemed relatively light to me, but maybe it’s reasonable under the circumstances. Not only are enforcement priorities an open question, but I can certainly see how a person who’s not well-versed in accounting literature would assume that payments they made individually wouldn’t affect the company’s financials or disclosures. Actually, though, a similar scenario is described right in a Staff Accounting Q&A. I guess that’s why you’d want to run your agreements by the accountants and lawyers.

Liz Dunshee

January 14, 2025

KPMG Seeks Arizona Law Firm License

As reported by Reuters, a committee in Arizona today is considering an application that could have big ramifications for lawyers. From Bloomberg:

Big Four accounting firms have intermittently been seen as a potential threat to Big Law firms, even though they’ve never competed for complex legal work in the US. Many industry observers have said that could possibly change if the Big Four were able to overcome the barrier to practicing law in the US, the world’s largest and most important legal market.

A committee that makes recommendations to Arizona’s top court is slated on Jan. 14 to review an ABS application filed by KPMG Law US. Arizona, unlike most other states, allows approved entities to provide legal services even if some of their owners are not lawyers.

KPMG and other accounting firms have provided legal-adjacent services to companies in the US, but have been restricted from practicing law or providing legal advice. Most US states’ professional ethics rules limit the practice of law, which has a broad definition, and law firm ownership, to licensed lawyers.

KPMG says that if approved, its work would “complement” the services of traditional law firms. Its focus would be on large-scale, process-driven work, such as volume contracting, remediation exercises, M&A-driven harmonization of contracts, and other legal managed services. Stay tuned!

Liz Dunshee

January 14, 2025

Quick Poll: Will the Big 4 Displace U.S. Law Firms?

Big 4 firms have been making a play for legal services for more than two decades. This Artificial Lawyer blog says that in countries where they’ve entered the market, they haven’t “rocked the world.” Richard predicts we’d likely see the same (minimal) impact here.

What do you think? Please participate in our anonymous poll to share your view on what would happen if KPMG gets the license it’s seeking:

Liz Dunshee

January 13, 2025

California Love

It’s been gut-wrenching to watch the wildfire destruction that has occurred in California over the past several days. Our hearts go out to the nearly 8 million residents of L.A. and Ventura Counties who are facing dangerous conditions, and everyone else affected by the disaster. I think that even if they haven’t lived in California, many people across the country have some connection to the Los Angeles region. We have all been watching with sadness – as well as hope that people will come together to rebuild.

As of this morning, the SEC has not made a broadly applicable announcement about filing relief, but I expect they would encourage companies and other regulated entities to contact the Staff with questions and concerns and tell investors to watch out for scams, similar to their response to Hurricane Helene. We will continue to monitor developments.

Liz Dunshee

January 13, 2025

Corporate Transparency Act: Court Schedule Gives Room to Breathe

John drew the short straw of blogging over the holidays, and the CTA drama gave him a few things to write about. The saga isn’t over, but we now have more clarity. Here’s an update, courtesy of this McGuireWoods blog:

You may recall that on December 26, 2024, the Fifth Circuit vacated the “part of the motions-panel order granting the Government’s motion to stay the district court’s preliminary injunction enjoining enforcement of the CTA,” as well as the Reporting Rule. In other words, FinCEN cannot enforce the CTA and there is no reporting obligation until this gets resolved.

The Fifth Circuit has issued an expedited briefing. Briefing will occur in February, and the court has scheduled oral argument on March 25, 2025, after which it will need time to issue an opinion. As with the temporary lifting of the injunction precluding enforcement, FinCEN would likely provide additional time to file should the law go back into effect. In light of this schedule, Reporting Companies now have some clarity on the time – likely Q2 2025 – they have to analyze their compliance obligations.

Liz Dunshee