Last year, Liz blogged about how disclosure related to a cyber breach presents a tricky issue because disclosure requirements vary quite a bit for companies based on state-specific laws, industry rules, varying international laws and then of course, SEC requirements. Audit Analytics recently issued a report analyzing cyber breach disclosure trends from 2011 – 2019. A chart on the first page of the report shows a dramatic increase in the number of breaches since 2011, with an increase of 54% in the last two years. In terms of disclosure detail, here’s some of what the report found:
– 43% of firms that reported a cyber breach since 2011 didn’t disclose the type of attack – meaning whether it resulted from malware, phishing, unauthorized access, etc.
– For companies disclosing a data breach, since 2011, Audit Analytics found that it took an average of 108 days before companies discovered the breach – with a maximum of 1,625 days and a median of 30 days
– But, it took companies on average another 49 days before disclosing the breach – with a maximum of 456 days and a median of 30 days
– The report mentions, as most already know, that delays in discovering data breaches may raise red flags about internal controls and disclosure delays could lead to SEC action as was the case involving Yahoo! several years ago
– Shedding light on factors that may lead to delays in discovering data breaches and longer disclosure time, the report found companies in certain industries, the type of attack and type of information all impact time to discover a breach and delays in disclosure – the blog provides specifics on these findings
Cyber Breach Disclosure & Insider Trading Risk
The risk of insider trading with cyber breaches originates from several factors – one being delays in disclosure. Based on the average 7-week disclosure delay reported by Audit Analytics, it’s important to keep insider trading risk top of mind now as many have warned about growing prevalence of Covid-19-related cyberattacks –a Baker Hostetler blog discusses those warnings.
In terms of what to do about cyber breach disclosure and risk of insider trading, a recent Greenberg Traurig blog provides a refresher of the issues. Besides investing in IT and security infrastructure and employee compliance training programs, the blog also offers these suggestions about clarifying company policies:
An area where many organizations could focus attention is in clarifying certain policies, in particular, in relation to data breaches. For instance, clarification or heightened emphasis can be given to trading blackout periods. This clarification or heightened emphasis could be included within an incident response plan or other company protocols in the event of a suspected data breach. Such policies must provide specificity as to how such a blackout period will be determined and communicated. Other considerations for incident response plans include limiting who has access to information about an incident, storing incident documentation in access-controlled locations, and implementing a review and approval process for selling stock post-incident.
More on “Change: One Asset Manager’s Call for Companies to do More”
On Tuesday, I blogged about one asset manager calling on companies to take concrete “anti-racism” steps and wondered whether other investors would start using this moment to push for change. Later that day, CII published this “call to action” – noting that many of its investor members have pushed for years for greater diversity & fair workplace treatment, and that we all must do more.
Based on a recent blog in IR Magazine, it sounds like more investors may be stepping up pressure on companies to do more too:
The Interfaith Center on Corporate Responsibility, which represents more than 300 institutional investors with more than $500 billion in assets under management, has a small group of investors working on a formal position about racial equality. ICCR said racial equality has been a prominent talking point since the start of Covid-19 when concerns were raised about the disproportionate effect Covid-19 was having on black Americans. The blog also says that Ceres, which has an investor network that includes over 175 institutional investors with more than $29 trillion in assets under management, is reviewing all policies and practices to achieve a ‘just and sustainable future for all people.’
In terms of what this might mean for shareholder proposals, the blog discusses how some proponents are watching which companies follow through on anti-racism statements. As You Sow is maintaining a database of companies that have published statements on Black Lives Matter and racial equality and it’s interested in which companies follow through on their statements. The blog quotes As You Sow’s CEO as saying ‘veracity and honesty are the most powerful commodities a person and a company can have’ and it plans to use the information gathered in its database to hold companies accountable.
As an aside, messages about hope, justice and change have sprung up around Minneapolis through street art on plywood that businesses used as they boarded up in response to unrest – here’s one photo with a message that seems on point – it’s of a local, boarded up Minneapolis movie theater…
We’ve wrapped up our latest survey on practices relating to board evaluations. Here are the results:
1. When is your company’s board evaluation typically conducted:
– During the fiscal year in which board performance is evaluated – 48%
– Following the fiscal year, but before the proxy statement is filed – 48%
– Between the filing of the proxy statement and the annual meeting of shareholders – 2%
– We do not perform annual board evaluations – 2%
2. In conducting board evaluations, some boards use written questionnaires and some use oral interviews (or both). At our company, we use:
– Written questionnaires only – 39%
– Oral interviews only – 29%
– Both written questionnaires and oral interviews – 32%
3. If written questionnaires are used in the board evaluation process, are copies retained:
– Yes – 39%
– No – 61%
4. Who manages the board evaluation process:
– Non-executive board chair or lead director – 11%
– Chair of governance/nominating committee – 25%
– All members of the governance/nominating committee – 7%
– General counsel/other in-house counsel – 34%
– Outside counsel/consultant – 21%
– CEO – 0%
– Other – 2%
5. Is a written report produced based upon the results of the board evaluation:
– Yes – 51%
– No – 49%
6. How do the minutes reflect the board evaluation results:
– Brief summary of results, without including conclusions – 41%
– Brief summary of results, including conclusions – 16%
– In-depth detail of results – 0%
– Minutes do not reflect results – 43%
Please take a moment to participate anonymously in these surveys:
Last week, the DOJ issued updated guidance on Evaluation of Corporate Compliance Programs. The updated guidance gives some insight into the DOJ’s expectations for corporate compliance programs and it can be used as a guide when reviewing and updating a company’s compliance program. We’re posting memos on the latest guidance in our “White Collar Crime” Practice Area.
Benchmarking Compliance Reporting
For those taking on responsibility for reviewing a company’s compliance program, along with using the DOJ’s updated guidance, NAVEX Global recently issued its Risk & Compliance Hotline Benchmark Report – providing another resource to help see how a company’s risk and compliance program stacks up. The report includes data gathered from over 3,200 of NAVEX’s customers and looks at data using median or midpoint rather than averages to reduce impact from outliers. It’s a 60-page report so it’s chalk full of data, here’s some high-level data points:
– Median hotline/incident reports per 100 employees remained steady at 1.4 – but 19% received 5 or more reports per 100 employees
– Case closure time increased from 40 to 45 days, a 13% increase – the report says best practice average case closure time should be 30-32 days – about 20% of customers take 100 days or more to close cases
– Extended time to close cases may indicate organizations aren’t prioritizing reports or they may not have enough resources to resolve them – the report advises companies to address both potential issues to boost credibility of the compliance program
– Analysis showed that 31% of reporters speak up in 9 days or less after an incident occurs – but 20% of reports come in 60 days or more after an incident occurs
– Delays in reporting incidents could be due to fear of retaliation, lack of awareness or availability of reporting systems and the report advises companies to identify possible causes because delays make it more difficult to close an investigation
As a lifelong Minnesota resident, I was jolted by the killing of George Floyd and the protests and unrest that followed, which are bringing a slew of other historical & current incidents to light. Many CEOs were also moved by these events and quickly issued “anti-racism” statements. But there are already calls for companies to follow those statements with more tangible steps. A recent blog post with a call to action from John Streur, President and CEO of Calvert Research and Management, says Calvert will start holding companies accountable for inaction – so at least some asset managers are using this moment to push for more change. Streur’s post says Calvert will call on companies to do the following:
– Publicly provide the information required to accurately assess racial diversity – Calvert acknowledges that companies aren’t required by law or regulation to disclose publicly the racial makeup of their board and management, but says companies generally have this information to the extent employees have self-identified, and companies should make the information public
– Disclose pay equity information across race and gender
– Make clear to local, state and federal governments that they must address police brutality against black people
– Publicly state what they are doing to combat racism and police brutality
– Take action to address systemic failures in our education system
The blog post concludes by saying that Calvert will take more action to push for changes needed to eliminate racism and police brutality in America. It also says investors need to do a better job of differentiating companies based on where they stand on these issues and hold them accountable for inaction.
Improving Board Oversight of Human Capital Management
As Covid-19 has brought increased focus to workplace safety, employee pay and other human capital issues, a recent EY white paper provides insight from directors to assist with improved board oversight of human capital. The report’s findings are based on a director survey about governance of human capital. Although the report says most boards spend more time on talent strategy than they did just five years ago, it also identifies areas of opportunity for boards, including:
– Making, or reaffirming, oversight of human capital and culture as a strategic priority as 30% of directors indicated that they are either unsure or unable to articulate their company’s cultural strengths and weaknesses
– Enhancing board knowledge and understanding through more regular interactions with and reporting from the CHRO – nearly half of directors surveyed said the CHRO doesn’t regularly report on human capital to the board
– Beyond hearing from the CHRO, bringing an outside perspective into the boardroom is crucial to keeping a pulse on external trends, challenging internal bias, identifying blind spots and bringing an objective viewpoint and new ideas to the strategic planning process
– Regularly incorporating a more comprehensive set of culture and talent-related metrics will make those discussions more robust and productive, and assigning explicit responsibilities at the full board or committee level will provide greater visibility and foster accountability
May-June Issue of “The Corporate Counsel”
We’ve wrapped up the May-June issue of “The Corporate Counsel” print newsletter – and will be mailing it soon (try a no-risk trial). The topics include:
– A Word From Our Founder — What We Each Can Be Doing Now
– Forward-Looking COVID-19 Disclosure: Watch Your Step!
– Corp Fin CDIs and FAQs on COVID-19 Exemptive Order
– Planning for Continuity of Board Operations During the COVID-19 “Emergency”
It’s been a couple of years since we’ve seen a SEC Enforcement action related to improper disclosure of perks but last week, the SEC settled a case. In this most recent case against Argo Group International Holdings, the SEC’s press release says the company failed to disclose over $5.3 million that it paid in connection to perks for the company’s then CEO. Here’s an excerpt:
The SEC’s order finds that in its proxy statements for 2014 through 2018, Argo disclosed that it had provided a total of approximately $1.2 million in perquisites and personal benefits, chiefly retirement and financial planning benefits, to its then CEO. According to the order, Argo failed to disclose over $5.3 million it had paid on the CEO’s behalf, including in filings for 2018 after a shareholder issued a press release alleging undisclosed perks to the CEO. The order finds that the perks Argo paid for, but did not disclose, included personal use of corporate aircraft, helicopter trips and other personal travel, housing costs, transportation for family members, personal services, club memberships, and tickets and transportation to entertainment events. The order finds that, as a result, Argo understated perks and personal benefits paid to the CEO over this period by more than $1 million per year, or 400%.
The SEC’s order provides more color about the company’s disclosure issues, which sound like in large part stemmed from failure to maintain internal accounting controls. The company settled the action without admitting or denying the SEC’s findings and it will pay a $900,000 civil penalty. Based on information in the SEC’s order, the company took quite a few remedial actions that likely didn’t come cheap while also leading to quite a bit of upheaval at the company.
We also have a panel about perk disclosures as part of our “Proxy Disclosure” conference – which is coming up in September via Nationwide Video Webcast. This is our big annual conference and it will cover all sorts of disclosure issues. Register now to receive the special Early Bird Rate!
First PPP-Related Securities Class Action
The Paycheck Protection Program has created plenty of blogging material and last week, Kevin LaCroix’s blog post reported on what is believed to be the first PPP-related securities class action lawsuit. What’s somewhat surprising about this case, as the blog notes, is that it involves a lender. Most would’ve thought these PPP D&O claims would involve PPP borrowers because as we’ve blogged, there has been concern about good faith need certifications PPP borrowers had to make.
The blog provides thoughts around why the lender may be targeted and says while a bank might not seem like the most obvious target to be hit with a coronavirus-related securities suit, there is this thing about banks: They always seem to be getting drawn into the latest securities litigation wave. They were certainly in the center of things in the litigation wave that followed in the wake of the global financial crisis. To be sure, that does not mean that other banks that participated on the PPP program necessarily are at greater risk of involvement in securities class action litigation. Rather, it is simply an observation that the plaintiffs’ lawyers seem ready to try to bring the banks into the litigation fray from the moment the starting gun sounds.
Technical Snafu Sends Double PPP Funds
By now, you’re probably thinking you’ve heard just about everything about the SBA’s Payment Protection Program. But, the PPP is a blogger’s dream as the stories keep coming. The latest is this Reuters story that says a technical snafu caused many small business owners to receive their loan amounts twice – potentially to the tune of over $100 million. Many of the duplicate loans have been identified and repaid, although not all.
Another story from NBC News explains more about how the double-payment snafu came about:
The issue stems from the hectic early weeks of the program, when funding ran out quickly and borrowers were not hearing back from their banks, industry sources told NBC News. Although businesses must certify they are only applying for one loan, some small-business owners applied at more than one bank to ensure they could secure a financial lifeline amid the economic shutdown. After funding ran out, some banks also suggested that customers who still had pending applications in their queue should apply with another bank in the meantime.
We’ll see how this all plays out, but the government will only guarantee one loan per borrower. The financial institutions obviously want to quickly address the problem and NBC News says borrowers expecting loan forgiveness are reaching out to repay the extra funds so they’re only responsible for one loan. For anyone not already returning any double PPP loan amounts, obviously it’d be good to do so – and maybe also take a gander at John’s “PPP Loan Enforcement: En Guarde!” blog.
During the Covid-19 pandemic, opportunities to join together for an in-person lunch-hour CLE while collecting the usual law firm swag are basically non-existent. So, what a nice surprise to receive law firm swag via email – Winston + Friends Cookbook! For someone who loves to eat and try new recipes, this made my day and hope some of you enjoy it too. Here’s the backstory to the 174-page cookbook from the firm’s email:
Soon after the COVID-19 pandemic left us no choice but to work remotely, Winston employees began a quarantine recipe exchange as a way to stay connected (and well-fed). What started as an internal email exchange among Winston personnel across the United States, has now led to a Winston + Friends Cookbook that contains over 100 recipes from Winston employees world-wide, as well as friends of the firm, including clients and professional chefs. The Winston + Friends Cookbook has delicious recipes for breakfast and brunch, condiments and sauces, appetizers, soups and salads, entrées, side dishes, desserts, and drinks.
Given the uncertain times, and the effects that this pandemic has had on access to food, the firm and our people have donated substantial sums to food-based organizations around the globe (and through our pro bono efforts have helped secure DACA renewals for front line food workers). Should you choose to help, we share at the end of the cookbook organizations founded or run by contributors to the cookbook as well as the contact information for Feeding America, the largest hunger-relief organization in the United States.
Board Gender Diversity: Another State Mandate
We’ve blogged before about board gender diversity and there are plenty of studies analyzing and reporting progress. These numbers will likely climb again as a recent Dorsey blog says the State of Washington will require gender diversity on public company boards or board diversity disclosure by January 1, 2022. The blog says to meet this gender diversity requirement, a public company will have a gender-diverse board of directors if, for at least 270 days of the fiscal year preceding the applicable annual meeting, individuals who self-identify as women comprise at least 25% of the directors serving on the board.
For companies that don’t meet the gender diversity requirement by 2022, the blog describes Washington’s disclosure requirements. One of the disclosure requirements includes discussion of any policy adopted by the board relating to identifying and nominating diverse director candidates for election and if there isn’t such a policy, the reasons why.
Washington will likely see an uptick in female directors much like California did. And, as this Shearman & Sterling blog notes, attention on board diversity will continue as several other states have considered similar legislation. In terms of progress, Equilar has been tracking board gender diversity at Russell 3000 companies and yesterday it issued its Q1 2020 report showing continued improvement. Equilar’s website commentary on the report says over the last quarter, the percentage of companies that previously had zero women on their board dropped from 7.7% to 7.1% and 129 companies have boards with between 40% and 50% women, up from 114 companies last quarter.
Importance of Updating Risk Management Programs
A recent Nixon Peabody memo reminds management teams to ensure risk management policies and procedures are updated, implemented and that any crises are resolved – ignoring a “red flag” may indicate a breach of management’s duty of care. The memo provides suggestions for updating company risk management programs, saying it’s now more important than ever, as many existing risk management programs may no longer be adequate during the Covid-19 pandemic. Here’s an excerpt:
Such procedures must be updated in accordance with state and federal recommendations and address not only the damage caused so far, but the arduous task of reopening, and the potential for similar or greater crises down the line. In particular, companies must have risk management policies and procedures updated for coronavirus in relation to:
– Possible industry-specific impacts
– Continuity of business issues
– Supply chain disruption
– Increased risk of litigation
– Decreased or impaired workforce
– Increased cybersecurity risks
Furthermore, under the current circumstances, company management cannot simply enact such risk management and step aside. Management is well-advised, for example, to set up COVID-19 subcommittees to report on a regular, if not daily, basis. Regular meetings, with minutes, must be held in response to the changing COVID-19 landscape to document the measures that are being taken, and the motivations for business decisions, to help stave off future regulator actions and derivative litigation.
Management should report about what it’s doing and what advice and guidance it’s relying on. The memo also says in certain circumstances it may be appropriate for management to bring in an inside or outside expert to present to the board – doing so can help bolster the board’s record of diligence. Management and the board should document the advice sought and how it was applied.
Last week when SEC Chairman Jay Clayton spoke before the SEC Investor Advisory Committee meeting, he concluded his remarks by noting his views on disclosure of ESG matters – saying that lumping “E”, “S” and “G” disclosure matters together reduces the usefulness of the disclosures. Yesterday, Chairman Clayton re-emphasized his view in remarks before a meeting of the SEC’s Asset Management Advisory Committee. Here’s an excerpt from Chairman Clayton’s remarks yesterday:
I believe I have made it clear that, while I believe that in many cases one or more “E” issues, “S” issues, or “G” issues are material to an investment decision, I have not seen circumstances where combining an analysis of E, S and G together, across a broad range of companies, for example with a “rating” or “score,” particularly a single rating or score, would facilitate meaningful investment analysis that was not significantly over-inclusive and imprecise.
Along with everyone else that has compiled data and responses for surveys used in ESG ratings, it seems safe to say that Chairman Clayton isn’t a fan of the proliferation of ESG ratings either.
The Commission has a tall order now that the SEC Investor Advisory Committee approved its recommendation suggesting the Commission get moving on ESG disclosure. Part of the Investor Advisory Committee’s recommendation is that the Commission conduct outreach about ESG reporting requirements to investors, companies and others. The Commission is clearly conducting outreach by gathering information from the Investor Advisory Committee and Asset Management Advisory Committee – although at this point, it’s hard to tell where the Commission’s effort on ESG disclosure goes from here – or for that matter, whether it will go any further.
Proxy Advisor Regulation – Is a Speed Bump the Answer?
Proxy advisors and others are voicing displeasure at the notion of a “speed bump” when it comes to proxy advisor reports. Even though the comment period for the SEC’s proposed proxy advisor regulations closed back in February, concerned voices haven’t quieted. The latest concern relates to the “speed bump” that Commissioner Elad Roisman spoke about back in March at CII’s spring conference.
During his remarks, Commissioner Roisman mentioned one idea that would allow contemporaneous review – companies would receive and review a proxy advisor’s report at the same time the proxy advisor sent the report to its clients. While a company reviewed a proxy advisor’s report, as a way to manage “automatic voting,” Commissioner Roisman suggested a “speed bump” – basically a time period during which the proxy advisor would disable any automatic voting submission features.
While some see contemporaneous review and a speed bump as an improvement compared to how things stand today, the constituents that don’t are jumping on the “voice of concern bandwagon.”
First, a CFA Institute blog says they want the SEC to propose new rules so details of contemporaneous review and the speed bump can be better understood. Without reopening a revised proposal for comments, the blog says the SEC risks shutting out stakeholders from providing comments.
A recent Pension & Investments article, titled “Truce sorely wanted on proxy proposal championed by SEC” (subscription required), quotes Glass Lewis’s SVP & GC, Nichol Garzon-Mitchell, as saying the proxy advisor still has concerns about some of the alternatives the SEC may be considering and that details of a new proposed approach should be vetted through public comment. The article also quotes representatives of the Investment Advisor Association and the Council of Institutional Investors as saying that the idea of contemporaneous review and a speed bump is promising but more information is needed and basically the SEC should re-propose the rule to sort out potential concerns and issues.
ISS declined to comment for that article, but separately a recent opinion piece from ISS’s head of Governance Research & Voting, Lorraine Kelly, also voices displeasure about the “speed bump” solution. The opinion piece echoes the IIA and CII concerns and suggests because the alternative proposal is so different from the original rule proposal it should require the rulemaking process to go back to start over. The opinion piece concludes by suggesting the SEC shelve the proposed rules.
Give the Commission credit, it’s no easy task to try to change or improve the process around proxy advisor reports and they’ve stepped up to try and address it. The proposed rules are controversial and no matter what is done, somebody’s probably not going to like it. At the same time, companies have been frustrated for years with the existing process for proxy advisor reports so some change would likely be welcome news.
Post-Mortem Assessment of Virtual Financial Close
Working remote continues for many and a recent Deloitte memo takes a look back at what, for most, was the first virtual financial close to help smooth the effort the next time around. Many companies had to adjust financial close processes on the fly and the memo says this may have raised questions about internal controls and it lists questions to help guide an assessment of potential weaknesses.
Knowing that the recent virtual financial close likely won’t be the last, if companies haven’t already done so, the memo serves as a reminder that now might be a good time to conduct a post-mortem of the most recent quarter-close experience. For a post-mortem assessment, the memo provides questions covering accounting and reporting impacts, impacts on the timeline, close and task management, governance and compliance, resourcing, technology, and remote working. Here’s an excerpt of questions about accounting and reporting impacts:
What were the technical accounting or disclosure impacts of the current pandemic—and how might they change in future periods?
Which elements of the financial statements needed increased focus?
Was there adequate time allowed for management reviews at all levels?
Where does management have limited transparency into the results and underlying drivers?
Were there any new focus areas for the external audit this period, or places where auditors spent additional time?
In the pre-COVID-19 world, I was monitoring independent chair proposals for the 2020 proxy season. I was particularly interested in those submitted by members of the Investors for Opioid & Pharmaceutical Accountability (IOPA), which was established in July 2017 to focus on opioid-related risks and which has since expanded to include drug-pricing risks. While I still believe in the momentum for these proposals, the pandemic appears to have temporarily changed things.
As these proposals became public and IOPA members filed exempt solicitations in support (see, e.g., Johnson & Johnson, Eli Lilly and Gilead Sciences), it seemed possible that the time had finally come for independent chairs in the pharmaceutical industry. Not only had opioid abuses and anti-competitive drug pricing become “kitchen table” topics, but more conventional corporate voices had also added support. According to the 2019 U.S. Spencer Stuart Board Index, the number of S&P 500 companies with independent board chairs more than doubled over the past decade, to now include one-third of the companies; and among the 18 Biotechnology/Pharmaceutical companies, seven have independent chairs, including Biogen Idec, Regeneron Pharmaceuticals, Perrigo Company and Nektar Therapeutics. PwC and the Harvard Business Review also weighed in to support independent chairs.
For a time, independent chair proposals seemed as if they could achieve majority votes, and CEO/chair separations could take place, in this industry, as they had for financial companies that shared responsibility for significant national crises, such as Bank of America and Wells Fargo. Then the pandemic hit, and priorities changed for companies, investors and regulators. Independent chair votes at pharmaceutical companies have received significant support (based on For/For + Against), including:
42% at J&J, where the vote had been increasing in recent years and where there was majority support for another IOPA proposal requesting a board report on governance of opioid-related risks;
34% at Eli Lilly, where it was a first-time proposal and where the vote would be 40% if the Lilly Endowment shares were backed out;
44.5% at Bristol-Myers Squibb, another first-time proposal; and
43.5% at Gilead Sciences, significantly higher than 29% in 2019 and the only over-40% vote that didn’t receive a FOR recommendation from ISS
Two non-IOPA independent chair proposals have passed this season: at Boeing (53%), where there have been significant legal, cultural and regulatory concerns; and medical products company Baxter International (55%), where a March 2020 restatementapparently raised sufficient investor concern. Some thoughts on what may be going on:
As I blogged earlier, the pandemic has sharpened investor focus on COVID-19-related issues. While investors are still raising non-COVID ESG issues, there is some sensitivity about piling on too much in their engagements with – and votes at – companies;
Pharmaceutical companies may be getting a slight pass, as the nation is looking to them to find COVID-19 cures, vaccines and tests;
Unlike Glass Lewis that supports most independent chair proposals, ISS appeared unconvinced of the need for structural leadership change at some of the IOPA-targeted companies, although their AGAINST recommendations left some room for evaluating what happens over the next year; and
Boeing hit a tipping point with investors, even with a currently independent chair.
Stay tuned for a few more 2020 voting results, as well as for how the off-season engagements and 2021 proposals evolve around this proposal. The time for independent chairs may yet arrive more broadly in the United States.
PPP: More Guidance About Loan Forgiveness
As we’ve blogged before, the Paycheck Protection Program has been fraught with issues and guidance about the program has been seemingly endless. Late last Friday, while some headed out for a weekend party, the SBA issued two PPP Interim Final Rules – the first IFR relates to requirements for loan forgiveness, the second IFR relates to the loan review process and borrower and lender responsibilities. Here’s a Venable memo highlighting notable aspects of the latest guidance, here’s another with key insights from Sidley.
Audit Committee Covid-19 Checklist
For those looking for another resource to help ensure the audit committee is covering all the bases when it comes to Covid-19, AICPA has answered the call. AICPA issued a checklist specifically related to audit committee Covid-19 oversight responsibilities – it’s in the form of questions and is intended to guide conversations to help identify weaknesses needing attention. AICPA says these questions should be discussed in an open forum with the audit committee, management and internal and external auditors – it could serve as a helpful oversight confirmation resource.
Late last week, the SEC’s Investor Advisory Committee approved a recommendation that encourages the SEC to begin addressing ESG disclosure. The recommendation might best be summed up as asking the SEC to “get moving” on ESG disclosure. Throughout the recommendation it reiterates familiar concerns raised by many including the “plethora” of ESG data provider questionnaires that create an exorbitant amount of work for companies – leaving many questioning whether the information that’s collected is material to investors and leaving others to set questionnaires aside due to resource constraints. The recommendation also says the SEC should take the lead or some other jurisdiction will. Here’s an excerpt:
The US capital markets are the largest and deepest in the world. Therefore, the SEC should take the lead on this issue by establishing a principles-based framework that will provide the Issuer-specific material, decision-useful, information that investors (both institutional and retail) require to make investment and voting decisions. This disclosure should be based upon the same information that companies use to make their own business decisions. If the SEC does not take the lead, it is highly likely that other jurisdictions will impose standards in the next few years that US Issuers will be bound to follow, either directly or indirectly, due to the global nature of the flow of investment into the US markets.
The recommendation itself doesn’t call for specific reporting standards or a specific framework and instead references existing standards – GRI, SASB and the TCFD framework, etc. – as examples to help shape the SEC’s thinking.
Although the committee approved the recommendation, this blog describes views of committee members that opposed it:
Those who were not in favor of the recommendation expressed concerns about the ambiguity of the term “materiality,” and that ESG ratings should be left to the private parties, rather than mandating a central group, such as the SEC. Creating such a framework would be both expensive and inconclusive since private parties have yet to come to consensus themselves due to the issue’s complexity. The naysayers also suggested protecting the Financial Accounting Standards Board from being “diluted” by the new ESG standards.
Another blog further summarizes committee member views and notes that, Commissioner Hester Peirce expressed her reservations about the recommendation – here’s her remarks in which she says today’s securities disclosure framework is “very good at handling all types of material information.”
For those wanting to get a sense of what the SEC might be looking at when reviewing Covid-19 related disclosures, a recent Intelligize blog reviewed some early SEC comment letters for insight. The blog provides links to the comment letters so they’re available to provide full context and it identifies five initial lessons:
– Understand the continuum between risk factors’ reasonably likely known effects and MD&A’s known trends
– Provide forward-looking insights about the impact of Covid-19
– Provide a complete picture with your metrics
– Clarify the impact of any facility closures or supply chain issues
– Ensure that material information included in press releases also appears in SEC filings
Post-Covid-19 Governance & Social Purpose
Will board governance change in a post-Covid-19 world? That’s a question considered in a recent Deloitte memo and it lists questions that should be on the radar for boards when thinking about their oversight role. The memo lists considerations involving overboarding, succession planning, oversight, investor concerns and social purpose and stakeholder governance. Questions for boards to consider about social purpose and stakeholder governance include:
– Will the pandemic cause a reordering of US business priorities?
– Will considerations regarding social purpose be impacted by continued market declines?
– Will the pandemic increase or decrease the focus on diversity, equity, and inclusion?
– Will shareholder value come back as being the primary priority?
We’ve blogged quite a bit about virtual annual meetings and here’s another development – a recent Wachtell Lipton memo discusses the first contested virtual annual meeting – it took place at TEGNA Inc. The memo reports the company’s nominees were re-elected and the bottom line message is that a contested virtual meeting is an option. Given the stakes involved with a contested meeting, the memo includes practical considerations to keep in mind if you find yourself navigating a contested virtual meeting:
– Customization may be required for the virtual meeting platform: this may necessitate help from outside service providers
– Conduct dry runs with cross-functional teams: include IT, legal, outside counsel, proxy solicitors, public-relations advisors
– Coordinate with inspector of elections in advance: alternative means of communication with both parties will be needed, determine process for submitting all proxies & ballots before polls close
– Ensure both parties understand rules and processes
The memo also discusses whether virtual shareholder meetings provide more opportunities than in-person meetings for shareholders to vote by ballot and split their votes between company and dissident director-nominees. Activists have long called for “universal ballots” that would allow shareholders to “mix and match” votes. For now, the memo says because virtual meetings are easier to attend than in-person meetings, maybe they provide more opportunities for shareholders to mix and match their votes. But, whether the meeting is virtual or in-person, it’s still a bit of a process to vote by ballot.
It’s Proxy Season, Plumbing Needs Some Attention
Last week, John blogged about some issues investors have run into this year with virtual shareholder meetings – noting too that Doug Chia is keeping a diary of his virtual shareholder meeting experiences. Doug’s notes from an experience at one shareholder meeting makes it painfully obvious the patchwork of proxy plumbing needs some attention. Here’s an excerpt:
Knowing you need a control number to enter any virtual annual meeting, I asked my broker for the control numbers I would need to attend the virtual annual meetings of a bunch of companies, including Danaher. It turns out my broker gave me the control number to vote my shares in advance of the meeting, not the control number to attend the meeting. Nope, they’re not the same, at least not for this particular meeting.
What I needed to do to get the meeting attendance control number was go through the steps to (1) ask for and get a legal proxy from my broker, (2) scan and email it to the transfer agent at least six days before the meeting, (3) watch for an email back from the transfer agent with the control number, and then (4) use that number along with the password listed on the notice to enter the meeting site on the day-of. I assumed that if I asked my broker for the control number, they’d be able to just get it and save me the hassle. (“When you assume….”)
So, is what I’m saying that this so-called “plumbing” system is such that if Mr. & Ms. Main Street hold shares of a company through a broker, which most people do because most people buy shares through a broker, then they’ll always have to jump through all of those hoops I described above just to attend the one meeting the Streets have the legal right to attend? The answer is… it depends!
The experience will vary depending on a company’s service providers to no fault of the service providers. Doug says that the process will be different for different meetings because using different combinations of vendors can result in different processes being necessary to get into these virtual meetings. Maybe it’s time proxy plumbing gets some needed attention…I prefer not to call in the plumber but this year’s annual meeting process is bringing this issue back to the fore.
As a point of contrast, Doug posted notes from his experience at Intel’s audio-only meeting – Intel has held virtual-only meetings for years and it sounds like they’ve got the process down pat.
PPP Safe Harbor Extended Until Monday!
It turns out the SBA wasn’t done Wednesday when they issued FAQ #46 “clarifying” the safe harbor for returning Paycheck Protection Program funds. Sometime later in the day, the SBA added FAQ #47 extending the PPP safe harbor until Monday, May 18th. A little more time for companies to think over whether to return the funds …
Last week, when John blogged about the deadline for borrowers to return Paycheck Protection Program funds without penalty, he also noted that the SBA said it would provide additional guidance on the PPP’s need certification requirement. Yesterday, right before today’s expiration of the safe harbor, the Treasury Department and SBA issued FAQ #46. The need certification has been a tricky issue, in part, due to a previous FAQ issued by the SBA.
FAQ #46 gives a safe harbor to borrower’s receiving a PPP loan of less than $2 million but then the FAQ goes on to say that those receiving more than $2 million might still be okay. Not sure this new FAQ completely clears things up but for those still contemplating whether to return PPP funds, here it is:
Question: How will SBA review borrowers’ required good-faith certification concerning the necessity of their loan request?
Answer: When submitting a PPP application, all borrowers must certify in good faith that “[c]urrent economic uncertainty makes this loan request necessary to support the ongoing operations of the Applicant.” SBA, in consultation with the Department of the Treasury, has determined that the following safe harbor will apply to SBA’s review of PPP loans with respect to this issue: Any borrower that, together with its affiliates, received PPP loans with an original principal amount of less than $2 million will be deemed to have made the required certification concerning the necessity of the loan request in good faith.
SBA has determined that this safe harbor is appropriate because borrowers with loans below this threshold are generally less likely to have had access to adequate sources of liquidity in the current economic environment than borrowers that obtained larger loans. This safe harbor will also promote economic certainty as PPP borrowers with more limited resources endeavor to retain and rehire employees. In addition, given the large volume of PPP loans, this approach will enable SBA to conserve its finite audit resources and focus its reviews on larger loans, where the compliance effort may yield higher returns.
Importantly, borrowers with loans greater than $2 million that do not satisfy this safe harbor may still have an adequate basis for making the required good-faith certification, based on their individual circumstances in light of the language of the certification and SBA guidance. SBA has previously stated that all PPP loans in excess of $2 million, and other PPP loans as appropriate, will be subject to review by SBA for compliance with program requirements set forth in the PPP Interim Final Rules and in the Borrower Application Form. If SBA determines in the course of its review that a borrower lacked an adequate basis for the required certification concerning the necessity of the loan request, SBA will seek repayment of the outstanding PPP loan balance and will inform the lender that the borrower is not eligible for loan forgiveness. If the borrower repays the loan after receiving notification from SBA, SBA will not pursue administrative enforcement or referrals to other agencies based on its determination with respect to the certification concerning necessity of the loan request. SBA’s determination concerning the certification regarding the necessity of the loan request will not affect SBA’s loan guarantee.
There have been lots of law firm memos about the PPP requirements, including several yesterday about FAQ #46. A memo from Crowell & Moring described the SBA’s shifting guidance as sending borrowers on a roller coaster ride. For anyone wanting to reminisce about a “fun” ride, here’s a roller-coaster video from a Minnesota amusement park ride.
Director Service on Multiple Boards – CPA-Zicklin Data Pivot
The Center for Political Accountability may be taking its analysis of political and lobbying contribution disclosures a bit further than its annual CPA-Zicklin ranking. A Law.com blog says that CPA has looked for overlap among directors – meaning directors serving on boards of CPA-Zicklin top-ranked companies who also serve on boards of companies ranked in the CPA-Zicklin bottom-tier.
The blog says that CPA identified at least 85 directors holding positions on two or more boards of companies that are both in the top-tier and also the bottom-tier of the CPA-Zicklin index. In the blog, Bruce Freed, CPA’s president, had this to say about the “overlap” situation:
Either directors of top-tier companies are not fulfilling their fiduciary responsibility by pressing the lower-tier company to manage the risk posed by corporate political spending by adopting political disclosure and accountability policies, or the directors of bottom-dweller companies are not learning from the practices of the top-tier companies on whose boards they sit.
Not to go out on a limb but every company is unique, including the make-up of its board, the degree of transparency the board and senior leaders engage in, and its political and lobbying spend. For various reasons, companies will differ in the degree of political and lobbying contribution disclosures. There’s no indication of CPA-Zicklin’s future plans with this data but something for directors to make note of if they find themselves tagged in this latest report.
Board’s Role in Improving Diverse Leadership Teams
We’ve blogged quite a bit about board diversity and some of the progress that’s been recognized. Focus might be beginning to shift to C-suite and management diversity where, according to this Boston Consulting Group memo, progress lags. The memo says boards may be more diverse but they’re likely following recommendations of less diverse leadership teams. In fact, the memo says that among companies in the UK’s FTSE 100 Index in 2019, women held 39% of non-management director positions, but they represented just 11% of executive positions and only 7% of CEOs.
The memo lists three priorities for boards to help improve diversity and inclusion efforts at companies. Within each priority, there’s a list of questions for boards to consider or ask their management teams. Here’ s an excerpt about holding leaders accountable:
Boards need to set explicit goals for D&I, track progress, and hold leaders accountable for results. Multiyear goals need to be established for the organization and broken down by individual business unit. Key questions include:
– How is leadership compensation tied to D&I goals?
– What are the CEO’s objectives for D&I over the next one, three, and five years?
– What strategic programs and tactical interventions are in place to support diversity? How are they used?
– What happens when the company doesn’t hit its D&I goals?
