October 30, 2023

Values Alignment: ICCR’s Letter Campaign to BRT CEOs

A new dimension of “political spending” scrutiny that has emerged in the last few years from shareholders and employees is “values alignment.” I blogged earlier this year on our “Proxy Season Blog” about how to respond to shareholder proposals on this topic.

In a sign that companies will continue to face these proposals in 2024, the Interfaith Center for Responsibility sent letters in late summer to the CEO members of the Business Roundtable that call for values alignment for political contributions, along with improved board oversight and public disclosure. Here’s an excerpt:

We believe that BRT companies would benefit from a thoughtful assessment of their political spending and lobbying. We recommend two resources to help guide company policy development and decision-making toward more responsible political engagement.

I. Erb Principles for Corporate Political Responsibility

The first key resource is the Erb Principles for Corporate Political Responsibility, released in March after a lengthy, deliberative stakeholder process by the Erb Institute of the University of Michigan. Developed as a complement to the BRT’s statement on the Purpose of the Corporation and the BRT’s actions to support the peaceful transfer of power in 2021, the Erb Principles propose a practical, non-partisan, and comprehensive definition of corporate political responsibility (CPR) as a first step in establishing CPR as a new norm that will reduce business risk, strengthen civic trust and foster collaborative problem-solving.

The Erb Principles do this by helping companies better align their political influences — including any political spending — with their values, purpose, commitments, and larger responsibilities to a healthy economy, civic institutions, and informed civic discourse. The Principles were designed to provide U.S. companies with a non-partisan, principled thought process for responsible engagement, without prescribing positions on specific issues.

The other resource that the letter commends to companies is the CPA-Zicklin Model Code of Conduct for Corporate Political Spending. ICCR’s letter also cites to the BRT’s March 2021 statement about the importance of the right to vote to our democratic society.

Liz Dunshee

October 30, 2023

Political Spending: Checklist for Reducing Corporate Risk

Next week is Election Week. Maybe you have some important local items on your ballot this year, but in my neck of the woods, most people are already bracing themselves for the polarized U.S. Presidential election cycle that will soon be in full swing. That means that corporate “political spending” activities (which are broadly defined!) will continue to attract scrutiny. A recent scandal shows that misplaced contributions can create financial & reputational risks for companies.

In that vein, The Center for Political Accountability recently published this 10-page guide to corporate political spending. The guide suggests solutions to 5 common challenges that arise from contributions to political candidates, trade associations, and other third-party groups. This HLS blog summarizes the key elements:

– Recognize the heightened risks that a company faces from contributions to third-party groups, specifically 501(c)(4) organizations engaged in political spending, trade associations, super PACs and 527 committees. The company needs to know where its money ultimately ends up, what causes and candidates it advances and what risks it is assuming.

– Understand that public companies can no longer publicly claim to support some aspects of a candidate’s platform while disavowing others. The challenge facing a company is that when it supports a candidate, all of the candidate’s actions and positions will be associated with the company.

– Align the company’s political spending with its core values, policies and positions.

– Avoid siloed decision-making. Political spending should fairly reflect the views and interests of the company’s various stakeholders. Companies benefit from active and dynamic engagement among public affairs, government relations and other internal actors responsible for promoting the company’s values, policies and positions and those making political spending decisions.

– Direct corporate contributions to politicians who refrain from punitively targeting companies for their policy decisions, personnel practices, public statements, or other values important to the company’s success and integrity.

– Protect the democratic institutions and rule of law that companies depend upon to operate, compete, and thrive.

I expect that this year’s CPA-Zicklin Index, which rates companies annually on the transparency of their corporate political spending, will be published any day. Last year, the Index expanded to cover Russell 1000 companies.

Check out our “Political Contributions” Practice Area for more benchmarking & practical checklists. We also covered this topic at our recent “Proxy Disclosure Conference” – you can still get access to the video archives & transcripts by emailing sales@ccrcorp.com. The program is also eligible for on-demand CLE credit!

Liz Dunshee

October 27, 2023

SEC Chair Speaks on Climate Disclosure

As I noted in the blog earlier this week, yesterday SEC Chair Gary Gensler participated in a program organized by the U.S. Chamber of Commerce’s Center for Capital Markets Competitiveness titled Climate Disclosure Developments: The SEC, California, and EU Extraterritoriality (here’s the replay). David Hamm from Summit Materials noted the following interesting takeaways from Chair Gensler’s remarks:

– Chair Gensler did not provide any guidance on the expected timing of the rule. I knew that would be too good to be true, but I joined the event hoping against hope for some incremental guidance. He referenced the staff going through 16,000 comment letters, so I suppose that was a soft signal to not look for anything in the very near term.

– Chair Gensler didn’t seem to be very concerned with the developments in California (because of NSMIA) or Europe (because of the different remit of the SEC with the European regulators). The repeated theme was the limited remit of the SEC related to investors making investment decisions related to the 6,000-7,000 public registrants. This was an understandable approach, but I was expecting a bit more of a discussion of the interplay of the different regimes.

– Chair Gensler’s most interesting statement to me was: “If we are able to finalize it [referring to the climate rule], it would be good to sustain it in the courts.” Given the audience (some had talked about this event as the Chair going into the lions’ den and there were some good spirited jokes about whether the US Chamber had filed a suit yet), this was clearly an appeal to think about the value to the US Chamber’s members to having a rule that they could point to in order to alleviate compliance with other regimes under a theory of substituted compliance (not equivalency given the different remits).

With the October timeframe for SEC action on climate disclosure now moving into the rearview mirror, we enter a new phase of anticipation (and dread) about the SEC’s climate disclosure rules. I would not expect to see the SEC’s Fall Reg Flex Agenda published until the end of December or the beginning of January, when we would next get a glimpse into the SEC’s anticipated timing on the climate disclosure rules and other rulemaking initiatives. Until then, we will basically be in “any day now” mode.

In the meantime, the pressure from Congress on climate disclosure is not abating. Earlier this month, 26 members of the House of Representatives representing constituents in California sent a letter to Chair Gensler strongly urging the SEC to include robust greenhouse gas emissions disclosure requirements in its final climate disclosure rulemaking, particularly in light of California’s anticipated Scope 3 disclosure requirements.

– Dave Lynn

October 27, 2023

SEC Chair Highlights Enforcement Efforts

Chair Gensler had an active calendar this week, also speaking on Wednesday at Securities Docket’s 2023 Securities Enforcement Forum in Washington DC. In his speech, Chair Gensler quoted some of the “founding fathers” of the SEC – Joseph Kennedy, William O. Douglas and Felix Frankfurter – to describe the SEC’s enforcement focus, and then highlighted the key areas where the SEC has brought enforcement actions this year.

In introducing the inevitable discussion of digital assets, Gensler quoted Supreme Court Justice Thurgood Marshall, who in the Reves decision wrote: “Congress’ purpose in enacting the securities laws was to regulate investments, in whatever form they are made and by whatever name they are called.” Chair Gensler noted:

In most cases, that’s the economic reality at hand. As the Supreme Court said in the famous Howey decision: An investment contract exists when there is the investment of money in a common enterprise with a reasonable expectation of profits to be derived from the efforts of others.

As I’ve previously said, without prejudging any one asset, the vast majority of crypto assets likely meet the investment contract test, making them subject to the securities laws.

Further, it follows that most crypto intermediaries—transacting in these crypto asset securities—are subject to the securities laws as well.

With wide-ranging noncompliance, frankly, it’s not surprising that we’ve seen many problems in these markets. We’ve seen this story before. It’s reminiscent of what we had in the 1920s before the federal securities laws were put in place. This is a field rife with fraud, scams, bankruptcies, and money laundering. While many entities in this space claim they operate beyond the reach of regulations issued before Satoshi Nakamoto’s famous white paper, they also are quick to seek the protections of the law, in bankruptcy court and litigating their private disputes.

We have brought numerous enforcement actions against actors in this space—some settled, and some in litigation.

Chair Gensler went on to highlight the themes of accountability for firms and individuals, high impact cases, the importance of process and holding accountable those in a position of trust.

– Dave Lynn

October 27, 2023

Down to the Wire: Your Clawback Questions Answered

With Halloween just around the corner, you know that the 12-foot Giant-Sized Home Depot Skeleton will soon be replaced by Christmas decorations, and that could only mean one thing: the December 1 deadline for listed companies to adopt their exchange-compliant clawback policies is fast approaching.

To catch up on the latest thinking on implementing clawback policies, be sure to mark your calendars for our upcoming webcast “More on Clawbacks: Action Items and Implementation Considerations” which is coming up Thursday, November 16, 2023 from 2:00 – 3:00 pm, eastern time. If you are a last-minute shopper and are similarly putting off the drafting and adoption of your clawback policy until November, be sure to check out all of the resources that we have assembled in our “Clawbacks” Practice Area on CompensationStandards.com. Also, be sure to check out our coverage of clawback policies in the September-October 2022 issue of The Corporate Executive and the May-June 2023 issue of The Corporate Executive, which includes our annotated model clawback policy. If for some reason you do not have access to these resources, email sales@ccrcorp.com or visit the online membership portal today.

– Dave Lynn

October 26, 2023

Chief Compliance Officers in the Spotlight

Earlier this week at the New York City Bar’s Compliance Institute, SEC Enforcement Director Gurbir Grewal outlined the rare circumstances in which the SEC may bring enforcement action individually against compliance professionals. Grewal noted that these circumstances include when the individual affirmatively participates in misconduct unrelated to compliance, when an individual misleads regulators or when there has been a wholesale failure in carrying out compliance responsibilities. Grewal further stated, “We don’t second guess good faith judgments of compliance personnel — good faith judgments that are made after reasonable inquiry and reasonable analysis.” In the speech, Grewal noted:

But it is clear that we cannot reverse those trends and enhance Americans’ trust in our financial institutions through our efforts alone. We need your help to do so. We need to work together to create what I call a culture of proactive compliance.

In many ways, it’s each of you – the compliance professionals, consultants, attorneys, accountants, and others in this space – that serve as the first lines of defense against misconduct.

You are the ones that can work with firms to implement effective policies and procedures to ensure that those firms comply with their legal obligations on the front end, so that, instead of reading about compliance failures, the public understands that organizations like yours are proactively doing what they can to be compliant.

This is by no means easy work. Creating a culture of proactive compliance requires three things: education, engagement, and execution.

Grewal outlined actions necessary for proactive compliance and the need to execute based on meaningful policies and procedures.

– Dave Lynn

October 26, 2023

‘Tis the Season: Cybersecurity Awareness Month and Halloween

At this time of year, I must admit that I really miss Halloween. I will be spending next Tuesday evening teaching a law school course rather than trick-or-treating. When my kids were young and in prime trick-or-treating mode, I went all in for Halloween, decorating my house with increasingly elaborate Halloween-themed displays and getting decked out in some funny costumes. And that was before one had access to the 12-foot Giant-Sized Home Depot Skeleton which is all the rage today.

Unfortunately for me, the kids grew up and trick-or-treating was no longer cool for them. I compounded the problem by moving to an old house that creepily sits at the top of a hill, at the end of a long driveway and in the middle of a dark forest, and no trick-or-treater has ever dared to make the trek to my front door. We have become so confident that we will have no Halloween visitors that we stopped buying candy “just in case.” My Halloween decorations have scaled down to some mums and two pumpkins. The only costume I will be wearing on Tuesday is “adjunct professor.”

So, I have had to begrudgingly replace the creative outlet that I found in Halloween with some other October activity, and of course it had to be Cybersecurity Awareness Month. As I noted last year, October has been Cybersecurity Awareness Month since 2004, and it just gets better every year as cybersecurity threats continue to proliferate.

In recognition of Cybersecurity Awareness Month, I was fortunate to recently be joined by my new colleague Linda Clark on MoFo’s Above Board podcast, and she addresses the important roles that GCs and directors play in protecting and maintaining their companies’ cybersecurity and mitigating the damage caused by cybersecurity incidents.

If you are looking for more Cybersecurity Awareness Month content, be sure to check out MoFo’s Cyber Security Resource Center.

– Dave Lynn

October 26, 2023

Cybersecurity Awareness Month Tip: Don’t Forget Your Cybersecurity Risk Factors!

With all of the focus on the SEC’s new cybersecurity disclosure rules, it is easy to lose sight of existing expectations for cybersecurity disclosure. Risk factor disclosure has been carrying a lot of the weight on the topic of cybersecurity to date, and as Cybersecurity Awareness Month reminds us, there is little hope that cybersecurity risks will be abating anytime soon.

As we note in the most recent issue of The Corporate Executive, it is always a good time for a cybersecurity risk factor tune-up. Some of the key things to keep in mind are:

1. Cybersecurity risks are among the most existential risks that any public company faces, so the cybersecurity risk factor should reflect that reality. It should stand alone as its own risk factor, rather than being lumped in with a description of other risks that the company faces.

2. Avoid the hypothetical risk factor trap! Over the years, we have spilled a lot of ink describing the SEC’s concerns with cybersecurity risk factors being too hypothetical, i.e., when they describe the potential risks from cybersecurity but do not make clear that the company is under attack all of the time. In this regard, context is everything, so make sure that the risk factor accurately describes the company’s actual threat environment.

3. Your risk factor can describe preventative measures the company has taken and whether you have insurance, but be sure to clearly indicate that any such measures may not be sufficient to prevent, mitigate or offset the cost of a cybersecurity incident.

4. As demonstrated by the SEC’s new cybersecurity risk management, strategy and governance disclosure rules, there is an ever-present concern about the risks presented by third party access to company systems, and it is therefore important today to address those risks in the risk factor disclosure.

5. Carefully consider what consequences you face (or have faced) from a cybersecurity incident and articulate those consequences in the risk factor disclosure. Participating in table-top exercises and delving into the company’s incident response plans are great ways to develop the information necessary to accurately describe the potential outcomes from a cybersecurity incident.

Finally, I encourage you to consider the placement of your cybersecurity risk factor in the risk factors section. Is the risk factor buried in the back of the risk factors section, and should it be more prominent in the front of that section given the magnitude of the risk?

– Dave Lynn

October 25, 2023

What a Year: Now is a Good Time to Revisit Your Key Policies and Controls

Over the past year, we have experienced a number of significant developments that impact public companies from a disclosure, compliance and governance perspective. During the course of 2023, we have seen the SEC’s rule changes regarding Rule 10b5-1 and insider trading go into effect, the first year of pay versus performance disclosure, the adoption of new and revised disclosure rules regarding share repurchases, the adoption of cybersecurity disclosure requirements and the SEC’s approval of the exchanges’ compensation clawback listing standards.

As we rapidly approach the end of 2023, now is a good time for public companies to revisit important policies and controls (if they have not done so already). For example, here is my top ten list:

1. Companies should examine their insider trading policies and procedures and Rule 10b5-1 plan guidelines to reflect the changes to the affirmative defense contemplated by the SEC’s amendments to Rule 10b5-1 and related disclosure requirements (see the January-February 2023 issue of The Corporate Counsel).

2. Companies should carefully consider their approach to gifts under their insider trading policies and procedures, given the SEC’s interpretive positions articulated during the course of the rulemaking (see the January-February 2023 issue of The Corporate Counsel and the January-February 2022 issue of The Corporate Counsel).

3. Companies should review their insider trading policy and consider whether to specifically incorporate restrictions around when insiders can trade relative to the announcement of the share repurchase program or while share repurchases are being conducted, given the disclosure requirements adopted in the share repurchase rulemaking (see the May-June 2023 issue of The Corporate Counsel).

4. Companies that grant options should revisit policies regarding the timing of option grants, or consider adopting a policy if the company does not have one, in light of the new disclosure requirements regarding option grants adopted as part of the Rule 10b5-1 and insider trading disclosure rulemaking (see the January-February 2023 issue of The Corporate Counsel).

5. Companies may want to consider adopting more formal policies and procedures around share repurchases in light of the new insider trading policy and share repurchase disclosure requirements (see the January-February 2023 issue of The Corporate Counsel and the May-June 2023 issue of The Corporate Counsel).

6. In light of the new cybersecurity disclosure requirements, companies should: (i) reevaluate (or establish) a framework for assessing materiality “without unreasonable delay” after discovery of a cybersecurity incident to facilitate decisions about whether an incident must be disclosed under SEC rules; (ii) make sure that the disclosure process is fully integrated with the company’s cybersecurity incident response policies and procedures to provide a clear path for how and when to escalate incidents; and (iii) revisit disclosure controls and procedures to make sure that they provide for the reporting of material cybersecurity incidents, including the nature, scope and timing of the incident and the impact or reasonably likely impact of the incident on the company within the four business day deadline contemplated by new Item 1.05 of Form 8-K, as well as any information that was not determined or was unavailable at the time of the initial Form 8-K filing (see the July-August 2023 issue of The Corporate Counsel).

7. Companies should create drafts of the new cybersecurity risk management, strategy and governance disclosures early, in order to identify any areas of deficiency now and work on integrating the disclosures with other cybersecurity disclosures so the company can figure out how all of this information will work in context (see the July-August 2023 issue of The Corporate Executive for our annotated sample disclosure).

8. Companies should also revise their disclosure controls and procedures to address the new disclosure requirements regarding Rule 10b5-1 plans, option grants, insider trading policies, share repurchases, pay versus performance and compensation recovery policies.

9. Companies should consider the experience from the first year of pay versus performance disclosure and determine whether any changes should be made to the approach for calculating and disclosing pay versus performance information in light of the disclosures (see my blog from earlier this week).

10. Listed companies must adopt a compensation recovery policy that complies with the NYSE or Nasdaq listing requirements by December 1, 2023 (see the May-June 2023 issue of The Corporate Executive).

– Dave Lynn

October 25, 2023

Insider Trading Policy Updates: Who Approves?

A perennial question that we receive when suggesting updates to a company’s insider trading policy is whether board approval of the policy or any changes to the policy is required. We address this question in the Insider Trading Policy Handbook available in the “Insider Trading Policies” Practice Area as follows:

While the insider trading policy has been an integral part of companies’ compliance programs for many years, the question continues to come up from time to time as to what level of authority in an organization needs to approve the insider trading policy and any changes to the policy. There are no specific legal requirements on this point, but it is typically advisable for the board of directors (or a committee of the board of directors) to consider and adopt (or amend) the insider trading policy. With the SEC’s 2022 rules, companies will also need to file their insider trading policies and procedures as exhibits to Forms 10-K and 20-Fs, so boards should have a say in reviewing the policy. Our model policy includes model resolutions for the board to consider in approving the policy.

While the SEC’s 2018 cybersecurity guidance is silent on the topic, it is clear that the SEC expects to see board level involvement in the management of risk, which would include the risk of improper trading in the company’s securities around the time of a cybersecurity breach. Given these expectations, the board (or a committee) is best equipped to provide the level of oversight necessary over the insider trading policy and the implementing procedures, and would likely expect in most circumstances to be involved in the decision-making regarding such matters.

My approach to the approval of various corporate policies over the years has always been: “When in doubt, have the board (or an appropriate committee of the board) approve the policies.” It is important for the directors to have visibility into key corporate policies in exercising their oversight duties, and you certainly do not want them to be surprised by any company policies if an issue arises down the road.

– Dave Lynn