January 16, 2024

Cybersecurity: Reducing Your SEC Cyber Risk

Speaking of cybersecurity incidents, this Covington memo provides some guidance on how companies can minimize their own risk of running into trouble with the SEC on cybersecurity issues. One recommendation is that companies review and update their list of “crown jewel” information and technology assets:

The SEC’s SolarWinds complaint, along with commentary in the Rules’ adopting release, make clear that companies are expected not only to identify their “crown jewels,” but to take appropriate action to protect them. Specifically, the SEC’s complaint faulted both SolarWinds and its CISO for not disclosing to the investing public known risks facing products and services that it had identified as among its “crown jewels.” Similarly, the Rules’ commentary suggests that if a cybersecurity incident impacts a company’s “crown jewels,” that information might be sufficient to make a materiality determination even before the company has “complete information” about the incident.

Consider identifying your organization’s “crown jewels” (or re-evaluating an existing list) to ensure the list is updated and not overly broad. Also consider prioritizing efforts to identify cybersecurity risks regarding crown jewels and the controls that protect them.

The SEC’s SolarWinds complaint also treated a company’s “crown jewels” as key assets and the company’s safeguards to protect against unauthorized access to those assets as part of the company’s internal accounting controls (which were alleged to be inadequate).

Other recommendations include updating cybersecurity risk governance disclosures in annual reports to ensure their accuracy, resolving documented cybersecurity “red flags” and providing training on best practices for internal documentation, assessing how existing incident response plans and disclosure control procedures should be integrated, and engaging in pre-incident testing of response procedures.

John Jenkins

January 12, 2024

PCAOB 2024 Inspection Priorities & New Evaluation of Audit Firm Culture

In late December, the PCAOB issued a staff report detailing inspection priorities for 2024. The accompanying press release explains that the report “highlights key risks, like high interest rates, and other considerations, like audit areas with recurring deficiencies, that auditors should be focused on when planning and performing audit procedures.”  Here’s the full list of the PCAOB’s prioritized inspection considerations:

Challenges and Recurring Deficiencies We Have Observed in Our Inspections of Auditors of Broker-Dealers
– Recurring Deficiencies
– Evaluating Audit Evidence
– Understanding the Company and Its Environment
– Use of Other Auditors
– Going Concern
– Critical Audit Matters (CAMs)
– Digital Assets
– Cybersecurity
– Use of Data and Technology

New for 2024 is a consideration of audit firm culture. Here’s an excerpt from the press release:

Among the PCAOB’s inspection enhancements in 2024 will be the creation of a PCAOB team that will evaluate culture across the largest domestic audit firms. This initiative will include interviewing firm personnel and evaluating other documentation, with the aim of using this information to enhance the PCAOB’s understanding of how audit firm cultures may be affecting audit quality.

Meredith Ervine 

January 12, 2024

Securities Litigation: Macroeconomic Factors & Geopolitical Risk Contribute to Exposures

On the D&O Diary, Kevin LaCroix blogged about the “Top Ten D&O Stories of 2023,” and focused on future implications of notable trends. Overall, he shared that federal court securities class action lawsuits were up 8% in 2023 over 2022. He also discusses how derivative suits are increasingly settling with significant cash components:

There was a time not long ago when it was unusual for the settlement of a shareholder derivative lawsuit to involve a significant cash component. The cases usually settled for the defendants’ agreement to adopt corporate therapeutics and the payment of plaintiffs’ attorneys’ fees. In more recent years, it has become more common for derivative suit settlements to include a significant cash component. Indeed, nine of the top ten largest derivative suit settlements over the last 20 years have taken place just in the last four years alone. The trend toward shareholder derivative settlements with significant cash components continued in 2023, as there were several settlements announced this year that are among the all-time largest settlements.

The blog then reviews in detail various factors that contributed to the increase in these lawsuits — including macroeconomic conditions and geopolitical risk. He hopes challenges from macroeconomic conditions will ease in 2024 due to the Fed’s shifting interest rate policy, although the interest rate environment and banking crisis weren’t the only macroeconomic factors triggering federal class action securities suits in 2023. He also cites labor supply and supply chain disruption issues.

He has no hope of geopolitical risk slowing this year. In 2024, he foresees increased business and operating difficulties for many businesses as a result of the “very dangerous geopolitical environment” and upcoming key elections.

As you work through 10-K updates this year, keep these factors in mind as you draft MD&A (in addition to risk factors). Both investors and the SEC are going to be interested in clear disclosure of known trends and uncertainties and the reasons for material changes from period to period. Here’s a timely reminder from White & Case’s recent alert on key considerations for your upcoming Form 10-K:

MD&A remained one of the top targets of SEC Staff comments, with the majority of this year’s comments focused on disclosures about results of operations. Many comments related to a company’s lack of sufficiently detailed disclosures about the reasons for material period-to-period changes in the financial statement line items. These included comments reminding companies that if two or more factors contributed to a material period-to-period change in a financial statement line item or subtotal, Item 303 of Regulation S-K requires disclosure of the reasons for material changes, in quantitative and qualitative terms, for each factor. Comments have also asked about the effects of macroeconomic factors, such as inflation, interest rates and supply chain issues. Companies should review their MD&A disclosures to confirm the reasons for material changes are disclosed with sufficient specificity to avoid these types of comments.

Meredith Ervine 

January 12, 2024

Timely Takes Podcast: 10 Tips for Whistleblower-Compliant Agreements

We have another “Timely Takes” podcast out now! In this episode, I discuss whistleblower compliance & enforcement with Troutman Pepper’s Sheri P. Adler and Mary Weeks, and they share their “top 10” tips for getting your existing & future agreements and policies into compliance with Rule 21F-17. Here are the topics we cover in this 22-minute podcast:

  1. The SEC’s Rule 21F-17 enforcement history
  2. Problematic conditions or limitations companies have tried to impose on whistleblower carveouts
  3. Other problematic provisions the SEC has taken issue with
  4. Why companies need to take a broad, holistic and consistent approach to compliance with Rule 21F-17
  5. Other takeaways from the SEC’s Rule 21F-17 enforcement actions

For more, including specifics on drafting improvements, check out Sheri and Mary’s memo and webcast recording on these “top 10” tips.

If you’d like to join us for a podcast to share insights on a securities law, capital markets or corporate governance topic, please reach out to me or John at mervine@ccrcorp.com or john@thecorporatecounsel.net.

Programming Note: There will be no blog on Monday as our offices will be closed in observance of Martin Luther King Day. We’ll return Tuesday.

– Meredith Ervine

January 11, 2024

SEC Updates Guidance on Extensions of Confidential Treatment

Earlier this week, Corp Fin updated CF Disclosure Guidance: Topic No. 7, which was initially rolled out in late 2019 and addressed how and what to provide when submitting a “traditional” confidential treatment request – i.e., outside of the streamlined process also announced in 2019 that allows companies to simply redact immaterial confidential information from exhibits. An explanatory note clarifies that the updates relate to expiring confidential treatment orders.

Per the updated guidance, when an order is about to expire, the available options depend on whether the order was initially issued more than three years ago. The prior update to this guidance had the options turn on whether the order was issued before October 15, 2017. So now, the options are:

  1. refile the unredacted exhibit (if the contract is still material but the information is no longer confidential)
  2. extend the confidential period pursuant to Rule 406 or Rule 24b-2 (whether a company can submit the short-form extension application to CTExtensions@sec.gov for this depends on whether the order was initially issued less than three years ago; if not, the long form is required) or
  3. transition to Reg S-K Item 601(b)(10)’s redacted exhibit rules (if the order was issued more than three years ago and the contract is still material), if possible.

On the Cooley PubCo blog, Cydney Posner explained option 3 more fully as follows:

The streamlined approach allows companies to file redacted exhibits without submitting an explanation or substantiation to the SEC, or even providing an unredacted copy of the exhibit, except upon request of the staff. To accomplish the transition, the company would be required to refile the material contract in redacted form and comply with the legend and other requirements of the streamlined approach (Item 601(b)(10)(iv)). The SEC expects most companies to transition to the streamlined process.

With regard to timing, the staff will not recommend enforcement action if a company refiles a redacted exhibit under this streamlined approach in the company’s first Exchange Act report following the expiration of the CT order. However, if the CT order was initially granted more than three years ago, the company does not have to wait for the order to expire to effect the transition.  Rather, the company can transition by complying with those rules in a new filing or by amending a previously filed document to refile a redacted exhibit.

An important side note for folks who rely on SEC email announcements: You’ve probably noticed that email alerts from the SEC are not always being sent for these and other updates. It seems like the related RSS feed is also not pushing updates. Our team has been relying on frequent checks of Corp Fin’s What’s New page and the SEC’s Upcoming Events page, so if you’re accustomed to getting real-time updates, those pages are your best bet – or you can just wait for our blog!

Meredith Ervine 

January 11, 2024

Crypto: SEC Approves First Spot Bitcoin ETFs (For Real)

Yesterday afternoon, the Commission approved a series of rule changes that will allow for the listing and trading of the 11 bitcoin ETFs that were the subject of applications by national securities exchanges — specifically, NYSE Arca, Nasdaq, and Cboe BZX Exchange. Chair Gensler’s supporting statement reminds us of the history here:

We are now faced with a new set of filings similar to those we have disapproved in the past. Circumstances, however, have changed. The U.S. Court of Appeals for the District of Columbia held that the Commission failed to adequately explain its reasoning in disapproving the listing and trading of Grayscale’s proposed ETP (the Grayscale Order). The court therefore vacated the Grayscale Order and remanded the matter to the Commission. Based on these circumstances and those discussed more fully in the approval order, I feel the most sustainable path forward is to approve the listing and trading of these spot bitcoin ETP shares.

His statement also included words of warning and a reminder of the limited nature of this approval.

While we approved the listing and trading of certain spot bitcoin ETP shares today, we did not approve or endorse bitcoin. Investors should remain cautious about the myriad risks associated with bitcoin and products whose value is tied to crypto […]

Importantly, today’s Commission action is cabined to ETPs holding one non-security commodity, bitcoin. It should in no way signal the Commission’s willingness to approve listing standards for crypto asset securities. Nor does the approval signal anything about the Commission’s views as to the status of other crypto assets under the federal securities laws or about the current state of non-compliance of certain crypto asset market participants with the federal securities laws. As I’ve said in the past, and without prejudging any one crypto asset, the vast majority of crypto assets are investment contracts and thus subject to the federal securities laws.

As usual, the SEC was divided, but, given the topic and Chair Gensler’s support, not in the usual way. Commissioner Crenshaw dissented, arguing that the Commission’s earlier decision to treat two registered bitcoin futures ETPs differently than the “spot” or “physical” bitcoin ETPs at issue here was reasonable. The WSJ reported that Commissioner Lizarraga also voted against the order.

Commissioner Uyeda supported while taking issue with the underlying analytical approach of the order, which he argued “effectively amounts to merit regulation.” Commissioner Peirce supported and largely used her statement to say ‘better late than never’ (not a quote!) and also briefly took issue with the order’s requirement not imposed on prior commodity-based ETPs, citing Uyeda’s statement for a full discussion.

Meredith Ervine

January 11, 2024

Global Climate Disclosure: Don’t Expect SEC Rules to Supersede Other Requirements

Since the SEC’s proposed climate disclosure rules dropped in March 2022, there has been a flurry of foreign and state-level developments in climate change disclosure requirements. I don’t know about you, but I have trouble keeping up and keeping them straight. If you have felt that way as well, this recent Mayer Brown white paper on the global regulatory landscape for climate-related disclosure addresses key features of — and differences between — requirements in a dozen jurisdictions.

For those looking for additional detail on certain jurisdictions, the white paper includes more info in Appendix 1 and a handy table comparing the requirements in Appendix 2. It continues with a discussion of disclosure, governance and risk management considerations for boards and the C-suite. The white paper warns companies not to become complacent by thinking that any final SEC rules will “replace or supersede these other global climate initiatives.”

Meredith Ervine 

January 10, 2024

Cybersecurity: SEC’s Social Compromised!

Yesterday afternoon, as reported by the WSJ, the SEC’s official X account @SECGov briefly stated bitcoin ETFs had been approved. Bitcoin prices shot up to nearly $48,000 before Chair Gensler clarified, also on X, that the post was unauthorized, the official account had been compromised and the SEC had not approved the listing and trading of spot bitcoin exchange-traded products. Here’s more from the article:

An SEC spokeswoman said that an unknown party had accessed the agency’s X account for a brief period after 4 p.m. The SEC will work with law enforcement to investigate the episode and pursue “next steps relating to both the unauthorized access and any related misconduct,” she added.

The article also explains that the tweet was well-timed:

Crypto investors have been eagerly anticipating an SEC green light for spot bitcoin ETFs from big asset managers such as BlackRock and Fidelity Investments, after a more-than-decadelong wait. Analysts say approval is highly likely after a flurry of activity in which SEC staff, ETF issuers and exchanges hashed out technical details for the funds’ operations in recent weeks.

Wednesday is the deadline for the SEC to approve or reject the listing of just one fund, a joint venture from Cathie Wood’s ARK Investment Management and crypto asset manager 21Shares. But several competing funds are also in the final stages of the process, and ETF executives expect multiple approvals to come at once, so one fund doesn’t gain a first-mover advantage. Fund managers have slashed their fees and launched advertising campaigns in anticipation that the ETFs will start trading.

Late last night, X, through the account @Safety, posted its explanation of how the SEC’s account was compromised.

Meredith Ervine 

January 10, 2024

PCAOB’s “NOCLAR” Proposal: Round-Up of Concerns

We’ve previously blogged about some notable comment letters on the PCAOB’s NOCLAR proposal, but just before the holidays, I came across this analysis of NOCLAR comments from the Center for Audit Quality (CAQ). The CAQ shared this summary of the general themes behind the concerns in comment letters:

– The proposed scope is overly broad. Investors and investor associations had inconsistent views. Some believe the proposed requirements are sufficiently clear while others expressed concerns about the scope of proposal and the potential negative impact on auditor effectiveness.

– The proposed requirements blur the roles of the auditor and a company’s management and legal functions creating auditor independence concerns. The investor community had mixed views on this topic as well. While some investor associations view the proposed requirements as a function of management, others do not view the proposed auditor responsibilities as a replacement or duplication of management’s functions.

– Auditors are not lawyers: The business community expressed strong and consistent views that auditors are not legal experts. Audit committee members, preparers, and business associations raised concerns the proposal will significantly increase risk to a company’s legal privilege. The investor community’s views continued to be mixed. Certain investors and investor associations do not believe that the proposal requires auditors to function as lawyers; whereas other investor associations believe that auditors are not trained in law nor qualified to make the legal judgments that would be required by the proposal.

– Costs and benefits: The business community believes that the anticipated benefits of the proposal do not justify the costs and that the economic analysis is inadequate. The investor community’s views varied. Some investor associations commented that the benefits would outweigh the costs, while others expressed the opposite view, that the risks of financial misstatements and NOCLAR far outweigh the costs of audits.

– Need for further study and evaluation: The broad consensus among the majority of stakeholder groups is that there is a need for multi-stakeholder engagement and further evaluation before acceptable alternatives to the proposal can be developed, and that the PCAOB needs to conduct more research and engage in an open standard-setting process involving roundtable discussions and public meetings with various stakeholder groups before issuing a revised proposal.

The concern expressed under “Auditors are not lawyers” was more fully fleshed out by Jay Knight of Barnes & Thornburg in a recent podcast with John. John asked Jay about the most significant concerns from a lawyer’s perspective. Jay replied:

[T]hat the proposed standards do not adequately take into account the importance of protecting confidential client information, attorney-client privilege and attorney work product. As your listeners know, the confidentiality of attorney-client communications is a bedrock principle of the legal system. […] To satisfy the expansive requirements under the proposed standards, however, auditors would likely need to seek information and analysis from their audit client regarding information protected as confidential under the rules of professional conduct, legal advice that has been communicated and is protected by the attorney-client privilege and protected attorney work product that has been prepared to enable them to assess compliance with any given set of regulations. […] The release fails to consider these important protections and the risk of eroding these protections if the proposed standards are adopted.

On the last point from the CAQ regarding the need for further engagement, it appears that the PCAOB is already moving in this direction. Liz blogged last week about PCAOB Chair Erica Williams’s defense of the NOCLAR proposal during testimony before the House Financial Services Committee’s Capital Markets Subcommittee. In that testimony, she suggested that the PCAOB would be holding a public roundtable for additional feedback on the proposal.

Meredith Ervine 

January 10, 2024

Timely Takes Podcast: The Emergence of Pass-Through Voting

In the latest “Timely Takes” podcast, John discusses “pass-through voting” with Karla Bos of Aon. In this 15-minute podcast, Karla and John discuss:

  1. What is “pass-through voting” and why has it been gaining traction?
  2. What are the implications of the growth in pass-through voting for the influence of proxy advisors?
  3. What are pass-through voting’s implications for levels of support for shareholder proposals?
  4. How might the growth of pass-through voting influence the way companies engage with investors?

As an aside, I think of Karla as somewhat of a celebrity of efficiency and list-making — those of you who read this blog in 2018 may agree. I really appreciated her list of 18 things she accomplished before 8:30 am. Maybe even just her use of the word “accomplished” reframed things for me and made me feel differently about my mornings. It reminded me that all those things we do in the morning (or any time) that aren’t paid work deserve to be treated as productive and worthwhile — because they are — and we should give ourselves credit for them. For me, even, or maybe especially, when it feels like getting my kids to school took an entire day’s worth of energy.

Anyway, as always, if you have insights on a securities law, capital markets or corporate governance trend or development — whether in list form or otherwise — that you’d like to share in a podcast, please reach out to me or John at mervine@ccrcorp.com or john@thecorporatecounsel.net.

– Meredith Ervine