You might notice an extra spring in every securities lawyer’s step this holiday season now that they know for sure that they will not have to compile detailed tabular disclosure of daily repurchase data, because the SEC’s share repurchase disclosure modernization rulemaking has been vacated by the United States Court of Appeals for the Fifth Circuit. As a result, a rule that I have characterized as “written by economists for economists” and which prompted some probing questions from me as to why this disclosure approach was necessary did not survive to see its implementation (at least for now).
As you no doubt recall, shortly after the SEC adopted the final share repurchase disclosure rulemaking, the U.S. Chamber of Commerce, the Longview Chamber of Commerce and the Texas Association of Business filed a lawsuit challenging the SEC’s share repurchase disclosure rule changes, and at the end of October the Fifth Circuit held that the SEC had acted arbitrarily and capriciously, in violation of the Administrative Procedure Act, when it failed to respond to the petitioners’ comments and failed to conduct a proper cost-benefit analysis. The Court granted the petition for review and issued a limited remand, directing the SEC to correct the defects in the rule within 30 days. The SEC stayed the rule while it conducted its efforts to address the defects in the rulemaking. The SEC ultimately sought an extension of the thirty-day period, but was denied that extension, and when the SEC was not able to meet the Court’s deadline, the Chamber, et al. filed a motion to vacate the rule.
Yesterday, the Fifth Circuit issued an opinion and judgment vacating the rule. The opinion states (footnotes omitted):
On October 31, 2023, we issued an opinion on petitioners’ challenge to the rule of the Securities and Exchange Commission (“SEC”) requiring issuers to report day-to-day share repurchase data once a quarter and to disclose the reason why an issuer repurchased shares of its own stock. Chamber of Com. of the U.S. v. SEC, 85 F.4th 760 (5th Cir. 2023). We held that the SEC had acted arbitrarily and capriciously, in violation of the Administrative Procedure Act (“APA”), when it failed to respond to petitioners’ comments and failed to conduct a proper cost-benefit analysis. We therefore granted the petition for review, issued a “limited remand” directing the SEC “to correct the defects in the rule within 30 days,” and “retain[ed] jurisdiction to consider the decision . . . made on remand.” Id.
On November 22, 2023—twenty-two days after the initial opinion issued—the SEC filed an opposed motion seeking to extend the thirty-day remand period for an indefinite time. In that motion, the agency explained it “ha[d] worked diligently to ascertain the steps necessary to comply with the Court’s remand order and ha[d] determined that doing so w[ould] require additional time.” We denied that motion on November 26, 2023.
The thirty-day remand period expired on November 30, 2023. One day later, at the request of the Clerk of this court, the SEC filed a letter stating that “the Commission was not able to ‘correct the defects in the rule’ within 30 days of the [c]ourt’s opinion.”
I.
Under the APA, this court must “set aside agency action[] found to be arbitrary [or] capricious, contrary to constitutional right, or without observance of procedure as required by law.” Id. at 767–68 (citations omitted) (cleaned up). Accordingly, “[t]he default rule is that vacatur is the appropriate remedy.” Data Mktg. P’ship v. Dep’t of Lab., 45 F.4th 846, 859 (5th Cir. 2022).
Departing from that default rule is justifiable only in “rare cases” satisfying two conditions: First, there must be a “serious possibility” that the agency will be able to correct the rule’s defects on remand. Texas v. United States, 50 F.4th 498, 529 (5th Cir. 2022) (citation omitted). Remand without vacatur is therefore inappropriate for agency action suffering from one or more serious procedural or substantive deficiencies. Second, vacating the challenged action would produce “disruptive consequences.” Id. (citation omitted).
In this panel’s earlier opinion, we “recognized that there was at least a serious probability that the SEC would be able to substantiate its decision if given an opportunity to do so.” 85 F.4th at 780 (citations omitted) (cleaned up). We therefore “afford[ed] the agency limited time to remedy the deficiencies in the rule” by remanding “with direction . . . to correct the defects in the rule.” Id.
That thirty-day period has come and gone. The SEC claims to have “worked diligently to ascertain the steps necessary to comply with the Court’s remand order.” Yet the agency has nothing to show for its efforts. It returns to this court empty-handed, admitting that it “was not able to ‘correct the defects in the rule’ within 30 days.” The rule remains no less flawed—and no less unlawful—than it was on October 31, 2023.
II.
The SEC acted arbitrarily and capriciously, in violation of the APA, when it failed to respond to petitioners’ comments and failed to conduct a proper cost-benefit analysis. The challenged rule is VACATED. The mandate shall issue forthwith.
In a separate judgment, the Court stated (footnotes omitted):
This cause was considered on the petition of Chamber of Commerce of the United States of America, Longview Chamber of Commerce, Texas Association of Business, for review of an order of the United States Securities and Exchange Commission and was argued by counsel.
IT IS ORDERED and ADJUDGED that the decision of the United States Securities and Exchange Commission is VACATED.
IT IS FURTHER ORDERED that Respondent pay to Petitioners the costs on appeal to be taxed by the Clerk of this Court.
And with that, we observe the end of the share repurchase disclosure rulemaking, at least for now.
Of course, the Fifth Circuit decision vacating the share repurchase disclosure rule may not be the end of the story. It is possible (and perhaps likely) that the SEC will appeal the Fifth Circuit’s decision, which could drag this whole situation out for quite some time. For now at least, the rule changes have been vacated and were already subject to the SEC’s November 22, 2023 stay, so it does not look like we will have to comply with the new requirements in upcoming periodic reports as originally anticipated by the SEC. Instead, as this Weil alert notes, subject to further guidance from the SEC, we should continue complying with those pre-existing requirements in Item 703 of Regulation S-K that we have been working with for the past two decades. In case you are new to the game, this involves providing information about share repurchases every quarter on an aggregated, monthly basis.
Where did 2023 go? As we stare down the prospect of a new year and the annual reporting and proxy season, Goodwin’s Year-End Toolkit is now available. The Year-End Toolkit includes updated director and officer questionnaires and detailed calendars covering reporting and compliance deadlines. Download it today!
Yesterday, I discussed the implementation of Item 1.05 of Form 8-K, which is the new item for reporting material cybersecurity incidents. Someone always must be first, and this filing appeared to be the first Form 8-K filed under the new reporting regime.
In the Form 8-K, the company is reporting a cybersecurity incident that was detected just last week and is disrupting the company’s business operations. The company reports that the full nature, scope and impact of the breach are not yet known.
It is that time of year again when lights are twinkling on the trees, the stockings are hung with care by the fire and the stores are jammed with shoppers, which can only mean it is time for the SEC’s Office of the Advocate for Small Business Capital Formation to issue its 2023 Annual Report to Congress and the Commission. The SEC’s announcement of the 2023 Annual Report notes:
The report is a comprehensive resource on the dynamics of capital raising in communities across the country. Its contents include:
– Data on small business capital formation, broken down by:
   – Small and emerging businesses
   – Mature and later-stage businesses
   – Initial public offerings and small public companies
   – Women founders and investors
   – Diverse founders and investors
   – Natural disaster areas
   – Rural communities
– Policy recommendations from the Office
– Highlights of the Office’s advocacy work and public engagements from fiscal year 2023
– Small Business Capital Formation Advisory Committee’s fiscal year 2023 summary of activities
The independent advocacy Office works to help advance the interests of small businesses and their investors. Based on feedback received through the team’s continuous public outreach, the Office has developed educational resources to help equip small businesses and their investors with tools to navigate capital raising. Throughout its activities, the Office proactively works to identify and address unique challenges faced by diverse founders and their investors.
One of the statistics that always blows me away in this report is that the amount of capital raised using Rule 506(b) private placements is $2.7 trillion, which is consistently more than the amount raised through any other exempt offering alternative or registered offerings. Despite the proliferation of offering exemptions over the past decade, Rule 506(b) is still where the action is!
It is that time of year when some companies are trying to get year-end deals completed before December 31, so it is important to keep in mind the SEC’s calendar over the next couple of weeks. The SEC will be closed for the Federal holidays on Monday, December 25 and Monday, January 1, which means no EDGAR filings on those days.
Note that the latest Continuing Resolution signed into law on November 16th contemplates funding the government until January 19, 2024, so we have a few weeks into the new year before we have to potentially roll out the SEC shutdown blogs. But maybe Congress will get its act together in 2024! One can always dream.
Three weeks ago, I started a new chapter of my career at Goodwin. I often analogize moving from one law firm to another to the process of jumping from one speeding train to another speeding train – it is a difficult maneuver that is not without some risk! I am getting settled into my new work home, where I serve as chair of the firm’s Public Company Advisory practice. I am looking forward to all the opportunities that I will have at my new firm.
Today is the effective date for new Item 1.05 of Form 8-K, which requires companies to disclose, within four business days after determining that an incident is material, any cybersecurity incident that a company experiences that is determined to be material, describing the material aspects of its: (i) nature, scope, and timing; and (ii) the impact or reasonably likely impact of the incident on the company, including on the company’s financial condition and results of operations. But don’t expect a flood of Item 1.05 Form 8-Ks starting this morning, because the materiality qualifier is the critical element of Item 1.05. And when I think about materiality in the Form 8-K context, I always go back to the Commission’s characterization of the items selected for disclosure in Form 8-K in the 2004 adopting release (which brought us a significantly expanded Form 8-K), and that is the notion that Form 8-K is intended to address the “unquestionably or presumptively material events” that a company faces. The most difficult part that I think we can all acknowledge is assessing whether a particular cybersecurity event is in fact material. To that end, I share with you some of my experiences from the “trenches” of determining whether cybersecurity events are material:
1. Beware of the Titanic Effect – When I was in college, I decided to drive my VW Rabbit up one of those enormous snow mounds that accumulate in parking lots during the winter (an astute reader/listener might ask themselves why I was driving a VW Rabbit, but that is a whole other story). My friend tried to discourage me from this endeavor, but I said to him something to the effect of “What could go wrong, it is only a little snow?” In response, he delivered the deadpan line “Tell that to the Titanic.” I proceeded to try to drive into (not up) the snow mound, and it turned out to be rock hard ice that ripped the front bumper and driving lights off the Rabbit. The moral of the story, other than that no one in their right mind should have ever given me a driver’s license, is that nothing is ever quite as it seems, particularly in the context of cybersecurity breaches. The Titanic effect is real in many cybersecurity breaches, in that one can easily misperceive that the giant iceberg lurking under the surface is just some harmless floating ice. In many of the situations that I have observed over the years, the breach appears to be innocuous in the beginning, and then, as more investigation occurs, a much wider threat is identified, including situations where threat actors may still be active in a company’s systems. These evaluations do not happen overnight, so the materiality assessment must be ongoing as new facts come in. Parties involved in the evaluation – including management, directors and outside advisors – need to make objective assessments of the risks associated with the breach and the potential consequences, and do so as quickly as possible. The last thing anyone wants to have happen is that a material cybersecurity incident is disclosed too late in the SEC’s eyes, simply because the Titanic effect clouded everyone’s judgment as to the size and scope of the breach.
2. The Benefit of Hindsight – As has become evident from the cybersecurity enforcement cases that the SEC has brought over the years and those investigations that remain ongoing, the SEC looks at the current disclosure of cybersecurity incidents with the benefit of 20-20 hindsight. The timing of disclosure decisions can invariably raise eyebrows when evaluating the situation two or three years later, after everyone has already observed what happened next after the breach was discovered. Therefore, I think it is always important to conduct a materiality assessment through this lens, trying to evaluate how this disclosure decision will look to future investigators under the range of possible scenarios. I recognize that this is a departure from focusing on the pure materiality considerations that we are all familiar with, but it is just a practical reality of where we are with this issue today.
3. Do Your Homework – I believe that one of the most important things that a company can do now to prepare itself for a potential Item 1.05 of Form 8-K disclosure situation is to draft a materiality framework that is specific to the company and can be applied to any potentially material cybersecurity breach that comes along. I have seen this approach work successfully in the past, because often it is difficult in the heat of a cybersecurity incident to come up with an approach to assessing materiality that works for that particular company. This does not have to be a lengthy policy or procedure – what I envision is a few pages of questions that can be asked to objectively assess the materiality of the circumstances.
4. Process is Critical – It has been drilled into our heads from the SEC’s cybersecurity enforcement efforts that controls are king. This is an area where the SEC Staff expects to see robust disclosure and internal controls that are designed to get to the right result, i.e., timely and accurate disclosure of material cybersecurity incidents. I am by no means suggesting that companies go to extreme lengths to establish these controls – in a way, I think it is a mistake to treat Item 1.05 differently than any other Form 8-K disclosure item. Rather, I believe it is important to have in place measured and demonstrable controls that are designed to surface potentially material cybersecurity incidents to the decision-makers within the organization and to provide those decision-makers with the information they need to make correct disclosure decisions. This is something we have been doing with the many other Form 8-K items for almost two decades now, since the SEC substantially expanded current reporting on Form 8-K.
5. Human, All Too Human – In my experience, perhaps the biggest impediment to timely and accurate cybersecurity incident disclosure is human nature. I am not trying to blame anyone here, but time and time again I have come across scenarios where folks in the IT function tend to want to downplay or delay telling anyone about a cybersecurity incident, because they have an honest belief that it is not so bad and that they can fix it before any harm is done. This approach is not surprising, given that the cybersecurity staff is inundated with attacks from all manner of threat actors all day, every day, so their natural reaction is to just deal with them and not overreact to the situation. It is this natural impulse that the disclosure controls need to overcome, so that information can “bubble up” through the organization about potentially material cybersecurity incidents. This is not an easy thing to solve for, and it takes a top-down, organization-wide approach to try to overcome the human nature element that threatens your timely material cybersecurity incident reporting.
I hope these tips are helpful to you as we move forward under the new current reporting requirements – and whatever you do, avoid those parking lot snow mounds this winter, they are dangerous to drive into!
On Friday, the SEC announced that it had issued a Staff Report on the accredited investor definition. The Dodd-Frank Act directs the SEC to review the accredited investor definition as it relates to natural persons every four years to determine whether the definition should be modified or adjusted. The Staff previously reviewed the definition in 2015 and 2019, and now the Staff from Corp Fin and the Division of Economic and Risk Analysis prepared this report in connection with a third review of the accredited investor definition. The SEC notes in its announcement:
The report examines the current status of the accredited investor pool and concludes with a review of frequently suggested revisions to the accredited investor definition received from a variety of sources, including public commenters, the Investor Advisory Committee, and the Small Business Capital Formation Advisory Committee.
This report could potentially serve as a basis for future rulemaking on the always difficult topic of accredited investor status for natural persons.
Yesterday, Corp Fin added one more Form 8-K CDI addressing a company’s efforts to delay Item 1.05 disclosure of a material cyber incident on national security or public safety grounds:
Question 104B.04
Question: Would the sole fact that a registrant consults with the Department of Justice regarding the availability of a delay under Item 1.05(c) necessarily result in the determination that the incident is material and therefore subject to the requirements of Item 1.05(a)?
Answer: No. As the Commission stated in the adopting release, the determination of whether an incident is material is based on all relevant facts and circumstances surrounding the incident, including both quantitative and qualitative factors, and should focus on the traditional notion of materiality as articulated by the Supreme Court.
Furthermore, the requirements of Item 1.05 do not preclude a registrant from consulting with the Department of Justice, including the FBI, the Cybersecurity & Infrastructure Security Agency, or any other law enforcement or national security agency at any point regarding the incident, including before a materiality assessment is completed. [December 14, 2023]
Corp Fin Director Erik Gerding also issued a lengthy statement on the rationale underlying the SEC’s adoption of the cybersecurity disclosure and governance rules, the mechanics of the rules, the national security and public safety delay provisions, and Corp Fin’s next steps concerning implementation of the rules and review of disclosures. In the course of that discussion, he commented on the motivation behind the latest CDI:
I hope this [CDI] underscores that the rule does not create a disincentive for public companies to consult with law enforcement or national security agencies about cybersecurity incidents. Indeed, I would encourage public companies to work with the FBI, CISA, and other law enforcement and national security agencies at the earliest possible moment after cybersecurity incidents occur. I believe this timely engagement is in the interest of investors and the public. While this is not within the Commission staff’s purview, companies and government agencies may find that such timely engagement could assist them in a later determination of whether to seek a delay from the DOJ.
Director Gerding closed his statement by offering reassurance that in the first year of the rule’s implementation, Corp Fin isn’t looking to “make ‘gotcha’ comments or penalize foot faults,” and that to the extent appropriate, it may issue “future filings” comments or additional CDIs.