Big thanks to member Sundance Banks for alerting us to what appears to be a pretty widespread whistleblower hoax, and to others who have provided more background over the last few days, including WilmerHale’s Susan Muck & Kevin Muck. Many companies maintain an email inbox at which employees can submit concerns about accounting or compliance matters, in addition to their third-party ethics hotline. An anonymous gmail account has been pinging those inboxes with a message that starts like this:
Dear Ethics Committee,
I am a long-time employee, but for the purpose of this report, I request to remain anonymous. I also do not want to name the person this report is about, at least for the time being. I would like to bring to your attention an incident that happened a while back to see whether it warrants any action on my part.
My boss, whom I’ve worked with for years now, and in any respect had been a stand-up person I look up to, has confided in me about stock trading they’ve made the past year. He/She shared with me the fact that they’ve bought and sold a significant amount of [our company’s shares/one of our major business partner’s shares]. When I asked how often they traded and how much money did they earn, he/she just smiled and said: “let’s just say I know something others don’t. That’s what working in this company for __ years will get you”, indicating how long they worked in the company. A couple of days later, he/she called me to their office for a quick chat. We began talking about normal work affairs, but towards the end of the conversation, the boss asked me to close the door. When I did, he/she brought up the conversation about the stock trading again, telling me it’s probably for the best I don’t share this with anyone. I immediately responded that I didn’t and had no intention to do so. I also mentioned that this is not my business. The boss looked at me for a while and said that they knew they could count on me. They also mentioned that I am a very good employee and that he/she really appreciates me. The boss has been nothing but nice to me since then.
The message continues for a few more paragraphs and honestly seems pretty believable. But it quickly came to light as a scam when several companies contacted outside counsel about next steps, and the lawyers recognized that multiple clients were receiving very similar submissions. At least 25 companies have received this – the full number is likely much higher. Until Snopes starts debunking fake whistleblower messages, what should you do – or not do – if you receive this email or something like it?
1. Contact your outside counsel – a key takeaway here is that outside counsel can be very helpful in spotting commonalities that could be red flags.
2. Don’t respond until you’ve verified that the submission is legit – this is tricky, because whistleblower submissions typically trigger a cascade of policies & procedures, including prompt notification of directors and outside auditors, and responding to the whistleblower to get more information. But if you get this exact email, know that even regulators agree that it isn’t genuine and companies shouldn’t spend resources responding. They don’t want you engaging with potential criminals, if you can help it.
3. Don’t provide additional info to the whistleblower until you’ve verified that the submission is legit – again, this is delicate, but even responding with seemingly benign info could give the scammer points of contact in the legal, compliance or finance departments for future phishing schemes or illegitimate requests for money transfers.
4. Don’t download files or click on links – this version of the email doesn’t contain any files or links, but if you’ve already responded and received any sort of follow-up communication, don’t open it.
5. Alert your directors & auditors – this incident underscores the need for strong cybersecurity training and good email hygiene, and they should be on the lookout for scams.
6. Don’t forward the email – the scammer may be able to collect more email addresses if you do that. Copy & paste the content into a new message – or take a screenshot – if you need to share something that seems suspicious.
A very troubling aspect of this hoax – in addition to it coming at a time when the White House has warned all companies to be on high alert about cybercrime – is that it undermines an important system that companies and regulators rely on to prevent wrongdoing. I don’t want to suggest in any way that you ignore whistleblower complaints – but in light of this, it’s probably worth doing a gut check with outside counsel before responding. I’ve been told that regulators are also taking this incident very seriously.
Quick Poll: What’s the Fake Whistleblower’s Endgame?
Like a chain email that just won’t stop, or one of those Facebook “warnings” from 2009 that periodically recirculates for no apparent reason, the endgame here is a bit of a mystery. Vote for your favorite theory in this anonymous poll:
It is with a heavy heart that I share the sad news that we lost a legend of the SEC’s Division of Corporation Finance and the securities bar, Abbie Arms. Abbie passed away on May 19, 2021 at the age of 73 after a long and difficult battle with lung disease. For many years, Abbie served in key senior positions in Corp Fin, where she shaped regulatory policy on many important capital markets and public company issues.
Abbie was a brilliant securities lawyer who was highly skilled at analyzing complex issues and formulating appropriate regulatory responses that were consistent with the Commission’s investor protection mandate. Abbie loved working at the SEC and mentoring and teaching young lawyers in the Division. In my formative years at the SEC, I learned much about the operation of the Securities Act from being in meetings with Abbie, and I still use and value those insights to this day.
After leaving the SEC, Abbie practiced for many years at Shearman & Sterling LLP, where she was able to assist the firm’s clients with her extraordinary knowledge and skills as a securities lawyer. She also served as a Trustee of the SEC Historical Society from 2007-2013. Abbie was a loving and compassionate person who was loved and admired by her family, friends, co-workers and community. We will greatly miss Abbie and we offer our sincerest condolences to her family and many friends.
This Equilar blog shares the result of the latest Gender Diversity Index. Progress on that aspect of representation has accelerated over the past several years. Check out these stats, collected as of March 31st:
– 24.3% of all board seats in the Russell 3000 were occupied by women
– The percentage of women in board seats rose 3.4% from Q4 2020 and 10.5% from one year ago.
– For the first time, the percentage of boards with zero women has dropped below 5%.
– Seventy boards had gender parity in Q1 2021, which was one fewer than the previous quarter but 10 more than in Q1 2020.
– There were 256 Russell 3000 boards with at least 40% women in Q1 2021, or 8.8% of the index, in comparison to just 6.5% of boards (189) with at least 40% women a year earlier in Q1 2020. This is nearly four times the number of boards with at least 40% women compared to four years ago.
– In California, which has the highest number of boards of any state by a long stretch (489), just one lacked a woman (0.2%). Overall, the state of California has seen a gradual uptick in the percentage of women directors since its board gender diversity statute went into effect (17% in 2018 to 28% in 2021).
The blog points out that women held only 15% of board seats at the end of 2016, when Equilar’s Gender Diversity Index was first published. At that time, even 20% representation seemed like a stretch, in light of minuscule gains in prior years. State laws, investor pressure and shifts in public opinion have led to big advancements since then.
However, these nudges aren’t standalone solutions. Parity is still a distant possibility in light of the fact that only 41% of new board seats are going to women, especially because board turnover is infrequent.
The GDPR turned 3 last week. This BBC article takes a look at the biggest fines so far, and what led to them. The inclusion of a couple of US companies shows that if you’re doing a lot of business in Europe, you need to be extra vigilant on data privacy & cybersecurity.
This 20-page memo from Baker Hostetler takes a deep dive into data security and incident response plans. It gives 14 key takeaways on the front page that are worth checking out. Since we’re on the topic of GDPR today, I’ll highlight the EU regulatory update from page 13. Here are a few nuggets:
– Timing Is (Still) Everything – Much of the focus on GDPR’s notice obligations has been on the 72-hour deadline for notifying a data protection authority (DPA). While some DPAs accept delays accompanied by explanations, others take a much narrower view of the permissible bases for extending the deadline. In particular, the Dutch DPA has taken a hard stance that the need to further investigate the incident and its effects is not a sufficient reason for delayed notice. Several other DPAs, including in Ireland and Sweden, fined companies for failing to notify within the 72-hour deadline. Companies subject to the GDPR should be prepared to move quickly to make an initial, timely notification that may require follow-up once a more complete analysis is ready.
– Data Controller Responsibility – DPAs tend to have the greatest interest and assess the largest fines in incidents where the DPA finds fault with the company’s responsibility for EU personal data, particularly where there are repeat data breaches. In particular, DPAs have assessed how companies — identify and respond to data breaches, implement and maintain organizational and technical measures to safeguard personal data, assess third-party vendors, conduct data protection-related risk assessments, and document data breaches.
– Mitigating Circumstances – DPA enforcement actions in 2020 drew particular attention to a number of mitigating factors in determining fines, and we expect these to be of continuing relevance this year – financial hardship, actions taken to minimize harm to individuals, cooperation with the DPA, appropriate notice to the regulator and individuals, other fines already imposed for the same incident, and absence of prior violations.
The memo also predicts that enforcement will expand during 2021 because more countries are implementing data breach notification procedures. But, since DPAs are just as overworked as the rest of us, they seem less likely to follow up on incidents that involved a small number of individuals or less-sensitive personal data, or companies without a significant EU footprint. Here’s a checklist for compliance for US companies.
Yesterday, ExxonMobil filed its Form 8-K to report the voting results from its annual meeting. The preliminary count, which is not yet certified, indicates that Engine No. 1 won three board seats on the company’s 12-member board, one more than had been predicted after the meeting last week. Engine No. 1 had waged a campaign based on the impact of Exxon’s fossil fuel strategy on its financial performance.
The activist’s win is especially shocking in light of the fact that Exxon had appointed three other directors earlier this year in an attempt to appease investors. Two of those new directors – Michael Angelakis and Jeff Ubben – had the highest number of votes out of anyone. The third – Wan Zulkiflee (former CEO of Petronas) – was voted off the board after only four months of service.
The dissident directors who appear to have been elected are Kaisa Hietala (environmental scientist and former Neste EVP), Greg Goff (former CEO of Andeavor) and Alexander Karsner (strategist/PE investor/formerly at Google X and the Department of Energy). As Lynn blogged last week, shareholders also approved shareholder proposals calling for more disclosure of climate lobbying and other political activities, which weren’t supported by the board.
This probably won’t be the last we’ll hear of Engine No. 1. While it was busy making a big name for itself last week with Exxon, it also managed to file a pre-effective amendment to a registration statement to launch an ETF, which identifies Schulte Roth & Zabel as outside counsel, lists “activism” as a risk factor, and also includes this nugget:
Principal Investment Strategies: The Fund seeks investment results that closely correspond, before fees and expenses, to the performance of the Morningstar US Large Cap Select Index (the “Underlying Index”), which measures the performance of the 500 largest U.S. stocks by market capitalization, as determined by Morningstar, Inc. The Underlying Index consists of securities from a broad range of industries. As of March 31, 2021, the Underlying Index is represented by securities of companies in sectors including, but not limited to, consumer, energy, financial services, healthcare, technology, and utilities. The components of the Underlying Index are likely to change over time and the Underlying Index and the Fund are rebalanced on a quarterly basis. To the extent that the securities in the Underlying Index are concentrated in one or more industries or groups of industries, the Fund may concentrate in such industries or groups of industries. As of March 31, 2021, the Underlying Index is not concentrated in an industry or group of industries.
The Fund seeks to encourage transformational change at the public companies within its portfolio through the application of proxy voting guidelines developed by the Adviser that are based on a commitment to protecting and enhancing the value of its clients’ assets and to aligning shareholder and stakeholder interests through favoring actions that encourage companies to invest in their employees, communities, customers and the environment.
Our Adviser intends to measure the investment made by companies in their employees, communities, customers and the environment with financial, operational, and environmental, social and governance (“ESG”) metrics that are provided by (i) the companies themselves, (ii) third-party data providers, and (iii) the Adviser itself. These metrics include, but are not limited to, wages, workforce diversity, employee health and safety, capital expenditures, carbon emissions, and land use, among others. The Fund’s proxy voting guidelines will apply to all companies held by the Fund. The Adviser will generally follow the recommendations of an independent third party proxy voting service retained by the Adviser to implement the proxy voting guidelines when determining how to vote on any specific matter.
The Fund will invest at least 80% of its Assets in securities included in the Underlying Index.
With about 2 weeks to go before the expiration of the time frame that the SEC had set to collect public input on the possibility of climate change disclosure rules, the Commission has held at least a couple dozen meetings with corporate leaders and trade organizations. In connection with those meetings, companies including Apple and Salesforce have spoken out in support of rulemaking. Most seem to be falling in line with support for principles-based disclosure.
Uber is one of the only companies so far that has taken the extra step of submitting a comment letter. In it, the ride-sharing company says it supports using existing principles-based frameworks to harmonize climate disclosures. Here’s an excerpt:
We support a climate disclosure framework that incorporates TCFD or SASB standards and is generally principles-based, so as to be sufficiently flexible to adapt to market and scientific developments and to accommodate the needs of public companies in various industries and at differing stages in their life cycles. We believe this approach would build upon years of thought leadership and stakeholder engagement by TCFD and SASB whose recommendations and standards are already utilized as a basis for voluntary reporting on climate change by many public companies…
…Incorporating the TCFD or SASB frameworks into a new, comprehensive and harmonized climate disclosure framework, promulgated by the Commission, will facilitate faster and more widespread adoption which would ultimately serve the best interests of investors.
In addition, we encourage the Commission to consider requiring that companies perform a company-specific materiality assessment to identify the ESG issues most relevant to their businesses. We believe that the most useful ESG disclosures will be grounded in the specific issues that are relevant to the particular company, as opposed to generic ESG disclosures that may or may not apply in a company’s individual circumstances.
Not everyone supports mandatory disclosure. I blogged about a First Amendment threat by West Virginia’s AG. The US Chamber of Commerce seems to be opposed to any legislation or Commission rules that would require ESG disclosures, and this letter argues that extra disclosure would have a disproportionate effect on smaller companies.
About a year ago, everyone was jumping on the SASB bandwagon and predicting it would become investors’ preferred disclosure framework. According to Morrow’s recent Institutional Investor Survey, though, sentiment has shifted. Here are some takeaways from 49 participants that collectively have $29 trillion in assets under management:
– 75% prefer the TCFD reporting framework
– 53% prefer SASB (down from 77% a year ago)
– 39% prefer proprietary in-house frameworks focused on material topics (up from 9% last year)
The TCFD framework encourages companies to use existing disclosure processes to report on climate-related risks and opportunities – focusing on governance, strategy, risk management, and metrics & targets. SASB is very industry-based and has been adopted by many companies as a way to map through and disclose financially material ESG information.
These two frameworks are also complementary in some ways – both are incorporated in the World Economic Forum’s “Stakeholder Capitalism Metrics” – which is part of the effort that was announced last fall to promote a single comprehensive reporting system. With standard-setters collaborating, companies becoming more mature in their own reporting, investors evolving the type of info they want, and an SEC proposal potentially on the horizon, it will be interesting to see where this all stands in another year.
Yesterday, in response to a directive from SEC Chair Gary Gensler, Corp Fin announced that:
1. It’s considering whether to recommend that the Commission revisit the proxy advisor rules that were adopted last summer – which would require proxy advisors to meet new conditions beginning December 1st of this year – and the Commission-level interpretive guidance that was issued the year before.
2. The Staff won’t recommend enforcement action to the Commission during the period in which the SEC is considering further regulatory action.
3. In the event that new regulatory action leaves the 2020 exemption conditions in place with the current December 1, 2021 compliance date, the staff will not recommend any enforcement action based on those conditions for a reasonable period of time after any resumption by Institutional Shareholder Services Inc. of its litigation challenging the 2020 amendments and the 2019 Interpretation and Guidance. (ISS v. SEC, 1:19-cv-3275 (D.D.C.))
This is the latest chapter in the long, ongoing saga over proxy advisors. The 2020 rules and 2019 guidance define proxy advice as a “solicitation” and would require proxy advisors to disclose conflicts of interest and adopt policies that allow for companies to review & respond to voting recommendations, in order to be exempt from the information & filing requirements that would otherwise apply to a solicitation. The amendments also specify what circumstances would cause proxy advice to be “misleading” within the meaning of anti-fraud rules.
The rules were celebrated by many companies, but proxy advisors and their investor clients criticized the proposal process, took issue with the Commission’s statutory authority, and felt that the substance of the rules would delay and impair the proxy voting process. This, in turn, made some companies worry that the proxy voting timeline would become even more compressed. As mentioned in yesterday’s Staff statement, ISS even sued the SEC over its efforts to regulate the industry, and appeared to be moving forward with that proceeding as recently as last August.
In light of those issues and the fact that the compliance date has not yet arrived, I’ve been wondering whether we’d see some steps to unwind (or not defend) the rules. Some are pondering whether this is the beginning of a trend of “back & forth” rulemaking, which would create uncertainty.
Commissioners Hester Peirce and Elad Roisman issued a response to Chair Gensler’s statement yesterday, saying that the 2020 rules were the result of an unassailable process and that there is no data yet to evaluate whether the rules work in practice. Meanwhile, CII called yesterday’s directive “Christmas in June for investors.”
The premise of one of my favorite parenting books is that standard negotiation techniques – logic, bribes, threats – aren’t going to deliver when it’s 8pm and my 3-year-old has been refusing to leave the playground for the last 45 minutes. In that situation, the only way out is to use a Jedi mind trick to reverse engineer and validate his deepest desires, and make the ride home even more magical and exciting than another trip down the 2-story slide.
It seems like that’s kind of the position that the SEC finds itself in with Elon Musk, especially after reading this WSJ article yesterday about the Enforcement Division’s attempts to follow up on tweets that the Commission believed went against its 2018 settlement with the Technoking. Here’s an excerpt:
From the start, the social-media policy was difficult for the SEC to enforce. The SEC accused Mr. Musk of violating the rules in February 2019 and asked a Manhattan federal court to consider holding him in contempt. The judge signaled she wanted the two sides to settle the dispute and they agreed to modify the policy by clarifying which topics required pre-approval. Those were identified as including communications about production figures, new business lines and the company’s financial condition.
Within months, the SEC was writing Tesla again, questioning a tweet Mr. Musk wrote on July 29, 2019, that stated: “Spooling up production line rapidly. Hoping to manufacture ~1000 solar roofs/week by end of this year.”
It’s not surprising that this notion of “pre-clearing” tweets isn’t playing out smoothly – the question all along has been, what can the SEC do about it? The WSJ says that the latest dispute, over a May 2020 tweet, appears to have ended in a stalemate. The Enforcement Division encouraged the company to apply its disclosure controls & procedures, Tesla said it hadn’t done anything wrong, the SEC threatened to go back to court, and nothing happened.
Yes, the SEC is still working through the permissible ways for companies to use social media. The board and Elon are also defendants in shareholder suits because of these tweets. Maybe for this high-profile CEO, someone also needs to find a way to make compliance as fun as public taunting.