Over the past year, we have experienced a number of significant developments that impact public companies from a disclosure, compliance and governance perspective. During the course of 2023, we have seen the SEC’s rule changes regarding Rule 10b5-1 and insider trading go into effect, the first year of pay versus performance disclosure, the adoption of new and revised disclosure rules regarding share repurchases, the adoption of cybersecurity disclosure requirements and the SEC’s approval of the exchanges’ compensation clawback listing standards.
As we rapidly approach the end of 2023, now is a good time for public companies to revisit important policies and controls (if they have not done so already). For example, here is my top ten list:
1. Companies should examine their insider trading policies and procedures and Rule 10b5-1 plan guidelines to reflect the changes to the affirmative defense contemplated by the SEC’s amendments to Rule 10b5-1 and related disclosure requirements (see the January-February 2023 issue of The Corporate Counsel).
2. Companies should carefully consider their approach to gifts under their insider trading policies and procedures, given the SEC’s interpretive positions articulated during the course of the rulemaking (see the January-February 2023 issue of The Corporate Counsel and the January-February 2022 issue of The Corporate Counsel).
3. Companies should review their insider trading policy and consider whether to specifically incorporate restrictions around when insiders can trade relative to the announcement of the share repurchase program or while share repurchases are being conducted, given the disclosure requirements adopted in the share repurchase rulemaking (see the May-June 2023 issue of The Corporate Counsel).
4. Companies that grant options should revisit policies regarding the timing of option grants, or consider adopting a policy if the company does not have one, in light of the new disclosure requirements regarding option grants adopted as part of the Rule 10b5-1 and insider trading disclosure rulemaking (see the January-February 2023 issue of The Corporate Counsel).
5. Companies may want to consider adopting more formal policies and procedures around share repurchases in light of the new insider trading policy and share repurchase disclosure requirements (see the January-February 2023 issue of The Corporate Counsel and the May-June 2023 issue of The Corporate Counsel).
6. In light of the new cybersecurity disclosure requirements, companies should: (i) reevaluate (or establish) a framework for assessing materiality “without unreasonable delay” after discovery of a cybersecurity incident to facilitate decisions about whether an incident must be disclosed under SEC rules; (ii) make sure that the disclosure process is fully integrated with the company’s cybersecurity incident response policies and procedures to provide a clear path for how and when to escalate incidents; and (iii) revisit disclosure controls and procedures to make sure that they provide for the reporting of material cybersecurity incidents, including the nature, scope and timing of the incident and the impact or reasonably likely impact of the incident on the company, within the four business day deadline contemplated by new Item 1.05 of Form 8-K, as well as any information that was not determined or was unavailable at the time of the initial Form 8-K filing (see the July-August 2023 issue of The Corporate Counsel).
7. Companies should create drafts of the new cybersecurity risk management, strategy and governance disclosures early, in order to identify any areas of deficiency now and work on integrating the disclosures with other cybersecurity disclosures so the company can figure out how all of this information will work in context (see the July-August 2023 issue of The Corporate Executive for our annotated sample disclosure).
8. Companies should also revise their disclosure controls and procedures to address the new disclosure requirements regarding Rule 10b5-1 plans, option grants, insider trading policies, share repurchases, pay versus performance and compensation recovery policies.
9. Companies should consider the experience from the first year of pay versus performance disclosure and determine whether any changes should be made to the approach for calculating and disclosing pay versus performance information in light of the disclosures (see my blog from earlier this week).
10. Listed companies must adopt a compensation recovery policy that complies with the NYSE or Nasdaq listing requirements by December 1, 2023 (see the May-June 2023 issue of The Corporate Executive).
A perennial question that we receive when suggesting updates to a company’s insider trading policy is whether board approval of the policy or any changes to the policy is required. We address this question in the Insider Trading Policy Handbook available in the “Insider Trading Policies” Practice Area as follows:
While the insider trading policy has been an integral part of companies’ compliance programs for many years, the question continues to come up from time to time as to what level of authority in an organization needs to approve the insider trading policy and any changes to the policy. There are no specific legal requirements on this point, but it is typically advisable for the board of directors (or a committee of the board of directors) to consider and adopt (or amend) the insider trading policy. With the SEC’s 2022 rules, companies will also need to file their insider trading policies and procedures as exhibits to Forms 10-K and 20-F, so boards should have a say in reviewing the policy. Our model policy includes model resolutions for the board to consider in approving the policy.
While the SEC’s 2018 cybersecurity guidance is silent on the topic, it is clear that the SEC expects to see board-level involvement in the management of risk, which would include the risk of improper trading in the company’s securities around the time of a cybersecurity breach. Given these expectations, the board (or a committee) is best equipped to provide the level of oversight necessary over the insider trading policy and the implementing procedures, and would likely expect in most circumstances to be involved in the decision-making regarding such matters.
My approach to the approval of various corporate policies over the years has always been: “When in doubt, have the board (or an appropriate committee of the board) approve the policies.” It is important for the directors to have visibility into key corporate policies in exercising their oversight duties, and you certainly do not want them to be surprised by any company policies if an issue arises down the road.
The avalanche of SEC and stock exchange rulemaking this year did not specifically prescribe any changes that must be made to board committee charters this year, but I think it does make sense to review the charters in light of recent developments.
For example, the SEC’s cybersecurity disclosure rules require a description of: (i) a company’s processes, if any, for assessing, identifying and managing material risks from cybersecurity threats, in sufficient detail for a reasonable investor to understand those processes; (ii) management’s role in assessing and managing the company’s material risks from cybersecurity threats; and (iii) the board of directors’ oversight of material risks from cybersecurity threats and, if applicable, any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats, along with the processes by which the board or such committee is informed about such risks. In light of these new disclosure requirements, a company may consider clarifying in its board committee charters which committee has oversight over cybersecurity risks and outlining the means by which the committee is informed about such risks.
Similarly, with all of the focus on insider trading and share repurchases prompted by the SEC’s new rules, it may be advisable to revisit board committee charters to indicate which committee or committees have oversight responsibilities with respect to these key areas of risk.
Further, the compensation committee charter should be revised to indicate any role that the committee plays in the administration of the company’s stock exchange-compliant clawback policy, as well as the committee’s oversight of the timing of equity award grants in light of the new SEC disclosure requirements relating to option grant timing.
With all of those pointers in hand, happy year-end drafting!
For me, October has now come to be associated with not only Halloween and changing leaves, but also with waiting for the SEC’s final rules on climate disclosure. While it does not appear that we will see the Commission act on climate disclosure by Halloween, we will get an opportunity to hear from SEC Chair Gary Gensler on the topic later this week.
On Thursday, October 26 at 9:00 am Eastern time, Chair Gensler will participate in a fireside chat at a program titled Climate Disclosure Developments: The SEC, California, and EU Extraterritoriality, which is organized by the U.S. Chamber of Commerce’s Center for Capital Markets Competitiveness. Chair Gensler’s remarks will be followed by a panel discussion. The event will be livestreamed from the Chamber’s offices in Washington, DC.
It will definitely be interesting to hear Chair Gensler’s perspectives on the SEC’s climate disclosure proposal, California’s recently-passed climate disclosure law, and the European Union’s Corporate Sustainability Reporting Directive (CSRD).
For those looking for some inspiration when drafting their new cybersecurity disclosure for upcoming Form 10-K filings, our latest issue of The Corporate Executive includes an annotated sample of the disclosure that is meant as a guide, rather than as a form that would readily apply to any company.
One of the more challenging aspects of the new disclosure requirements is Item 106(c)(2) of Regulation S-K and Item 16K(c)(2) of Form 20-F, which provide that when describing management’s role in assessing and managing the company’s material risks from cybersecurity threats, a company should address whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise. For this purpose, the SEC indicates that relevant expertise of management may include, for example, prior work experience in cybersecurity, any relevant degrees or certifications, and any knowledge, skills or other background in cybersecurity.
We do not interpret this disclosure item to require the level of detailed background information required for executive officers and directors under Item 401 of Regulation S-K. Rather, the item contemplates specific disclosure about the relevant expertise that individuals (such as the Chief Information Security Officer or members of a management cybersecurity committee) have in assessing and managing risks from cybersecurity threats. For example, in our annotated sample disclosure, we state:
The CISO has served in various roles in information technology and information security for over 25 years, including serving as the Chief Information Security Officer of two large public companies. The CISO holds undergraduate and graduate degrees in computer science and has attained the professional certification of Certified Chief Information Security Officer. The CTO holds an undergraduate degree in computer science and a master’s degree in business administration, and has served in various roles in information technology for over 30 years, including serving as either the Chief Technology Officer or Chief Information Officer of four public companies. The Company’s CEO, CFO and CLO each hold undergraduate and graduate degrees in their respective fields, and each have over 25 years of experience managing risks at the Company and at similar companies, including risks arising from cybersecurity threats.
On the topic of professional certifications that might be disclosed in this context, we note that examples of professional certifications in cybersecurity include Certified Chief Information Security Officer, Certified Information Systems Security Professional or Certified Information Systems Security Manager.
As I mentioned yesterday, it is important to remember that there is often an iterative process around the establishment of new disclosure requirements, in that we make an attempt to comply with the new disclosure requirement in the first year, and then we adjust the disclosure approach going forward as we observe what other companies disclose and consider any Staff guidance or comments on the new disclosure. This cybersecurity expertise disclosure is therefore likely to evolve through time.
If you do not have access to all of the practical guidance in The Corporate Executive, subscribe today!
It is important to remember that the SEC’s recent cybersecurity disclosure rulemaking did not supersede or replace all of the Staff and Commission guidance on cybersecurity disclosure, but rather augmented it. While the Commission’s February 2018 guidance regarding timely disclosure of cybersecurity incidents has now been clearly superseded by the adoption of new Item 1.05 of Form 8-K, the rest of the collective Staff and Commission guidance from CF Disclosure Guidance Topic No. 2 and Release No. 33-10459 continues to live on. As a result, when drafting your new risk management, strategy and governance disclosure for your upcoming Form 10-K, it also makes sense to go back and see how you have addressed the topic of cybersecurity in your business description, risk factors, MD&A, legal proceedings and financial statements and assess whether any tune-ups are necessary for your existing disclosure.
With regard to risk factor disclosure in particular, where most companies now have some discussion of cybersecurity risks, it may be necessary to align the disclosure in that section with the new risk management, strategy and governance disclosure when describing the threat environment that the company faces and the steps that the company takes to address those cybersecurity threats.
For more background on the overall disclosure expectations around cybersecurity, be sure to check out our “Cybersecurity” Practice Area. If you are not a member of TheCorporateCounsel.net, sign up today!
In its latest rulemaking focused on the operation of securities markets, last week the SEC proposed new Rule 6b-1 to address concerns with volume-based transaction pricing by the national securities exchanges. The SEC’s fact sheet for the rule proposals notes why the SEC believes that rulemaking action is appropriate now:
As self-regulatory organizations, exchanges are subject to unique principles and processes that do not apply to other businesses. Among other things, exchange rules, including transaction pricing schedules, may not be designed to permit unfair discrimination between brokers and may not impose any burden on competition not necessary or appropriate in furtherance of the purposes of the Exchange Act. Through increasingly complex transaction pricing schedules, many exchanges offer their broker-dealer members lower fees or higher rebates as the number of shares the member executes on the exchange reaches successively higher predefined volume-based tiers. The large number of available pricing tiers, and the possible combinations of some tiers, make exchange transaction pricing schedules difficult to understand. Volume-based exchange transaction pricing raises competitive concerns among exchange members and among exchanges. Further, the desire to qualify for volume-based transaction pricing tiers exacerbates a conflict of interest between members and their customers when members route customers’ orders for execution because the member can economically benefit from its routing decision.
The proposed rule includes three main components:
1. A prohibition on volume-based exchange transaction pricing in connection with the execution of agency or riskless principal orders in NMS stocks;
2. A requirement that exchanges adopt rules, policies, and procedures to detect, deter, and facilitate compliance with the proposed agency-related volume prohibition; and
3. A requirement that exchanges disclose (in structured data format) on a monthly basis their volume-based transaction pricing tiers and the number of members that qualify for each.
The deadline for submission of public comments will be sixty days after the date of publication in the Federal Register.
It is hard to believe that preparations for the 2024 proxy season are already underway, and that means that we now must face the pay versus performance disclosure requirements yet again. I always like to point out that the process for new disclosure requirements is often an iterative one – we give it our best shot in the first year that the disclosure is required, and then we learn from what others have done and any guidance that the SEC provides to improve our disclosure in subsequent years. While consistency is an admirable quality for your SEC disclosures, it should not serve as a bar to making improvements when necessary.
Maybe it is just me, but I feel like our efforts toward complying with the pay versus performance disclosure requirements last proxy season were somewhat chaotic. The SEC did not give us a whole lot of time to get ready for the new disclosure requirements, although I am not too sure if more time would have helped all that much. The actual disclosure turned out to be pretty extensive, as compared to other disclosures related to executive compensation, and the valuation aspects turned out to be complex in some instances, adding to the overall burden. With all of that now behind us, we can now look to next proxy season’s disclosures with the wisdom of wizened veterans.
As Meredith recently noted in The Advisors’ Blog on CompensationStandards.com, the SEC Staff has been busy reviewing proxy statements from earlier this year to evaluate how we did with our first shot at pay versus performance disclosure. Overall, the critiques thus far have not been too bad. Compensation Advisory Partners released this summary of the first 16 comment letters. The comments focus on missing required disclosures and issues with calculating “compensation actually paid.” Here are the common topics noted in the memo, separated by disclosure issues and CAP calculation issues:
Disclosure issues:
– Missing required elements of the disclosure, such as a description of the relationships between Compensation Actually Paid (CAP) and the metrics or the list of 3-7 financial performance measures used to link CAP with company performance;
– Including multiple Company-Selected Measures, or not including the Company-Selected Measure in the tabular list of 3-7 most important financial performance measures;
– Failing to provide a reconciliation of non-GAAP measures selected as the Company-Selected Measure (CSM) against GAAP financial statements;
– Using a TSR peer group that does not match either the industry group used for Regulation S-K in the 10-K performance graph or the compensation peer group disclosed in the CD&A; or
– Incorrect footnote descriptions to the table that suggest misinterpretation of the rules.
CAP calculation issues:
– Not including or not identifying all NEOs who served in each year in the table;
– Using partial compensation received for the year for individuals in the table (e.g., if an individual is promoted to a Named Executive Officer (NEO) role during the year, only including compensation earned for the period served as an NEO); and
– Footnotes indicating a “year over year” change in fair value for awards that should be valued as of the date of vesting, rather than at year end.
The memo then lists and summarizes each comment letter, ranked by the recipient company’s annual revenue.
Also, as I noted in the blog at the end of last month, the Staff issued nine new Regulation S-K Compliance and Disclosure Interpretations and updated one existing Regulation S-K Compliance and Disclosure Interpretation to provide guidance regarding the pay versus performance disclosure requirements.
Finally, I would like to point out the accumulation of knowledge that we have assembled in the “Pay-for-Performance” Practice Area on CompensationStandards.com, where we have posted the Treatise chapter on Item 402(v) of Regulation S-K along with many memos addressing the disclosure requirements and observations on the first round of disclosures. Armed with these resources, I hope that things will go smoothly with this next round of pay versus performance disclosures!
Speaking of complying with new disclosure requirements, I poured my heart and soul into the latest issue of The Corporate Executive, which has been sent to the printer. The latest issue is also available now online to members of TheCorporateCounsel.net who subscribe to the electronic format. The issue includes articles on:
– Getting Your Cybersecurity Disclosure Right: Our Annotated Sample
– Do Rule 10b5-1 Plans Still Make Sense?
– Generative AI: What Should You Be Thinking About Now?
Don’t miss out on the practical guidance that The Corporate Executive has to offer. Email sales@ccrcorp.com to subscribe to this essential resource.
On Wednesday, a panel of 5th Circuit judges rejected a challenge to Nasdaq’s board diversity rule. In Alliance for Fair Board Recruitment v. SEC, (5th. Cir.; 10/23), the Court was unpersuaded by the plaintiffs’ argument that the diversity rules violate the 1st and 14th Amendments to the U.S. Constitution and the SEC’s statutory obligations under the Exchange Act and the Administrative Procedure Act.
In order for the 1st & 14th Amendments to be implicated by Nasdaq’s rulemaking, the plaintiffs had to establish that the rules involved “state action.” The plaintiffs made two arguments in support of that position. The first was that Nasdaq was itself a governmental entity, and the second was that Nasdaq’s rules were attributable to the government, and that as a result constitutional constraints on its actions applied. As this excerpt from the opinion indicates, the Court wasn’t very impressed with the argument that Nasdaq should be regarded as a government entity:
Nasdaq is a private entity. It is a private limited liability company wholly owned by Nasdaq, Inc., a publicly traded corporation. Nasdaq’s board of directors is selected by its broker-dealer members and by Nasdaq, Inc., and companies wishing to list on Nasdaq do so by entering into contracts with Nasdaq. While Nasdaq must register with and is heavily regulated by the SEC, the Supreme Court has made clear that a private entity does not become a state actor merely by virtue of being regulated. “[T]he ‘being heavily regulated makes you a state actor’ theory of state action is entirely circular and would significantly endanger individual liberty and private enterprise.” Halleck, 139 S. Ct. at 1932.
The argument that Nasdaq’s rules were attributable to the government didn’t fare any better with the Court. It noted that in order for the actions of a regulated entity to be attributed to the government, there had to be a close nexus between the State and the challenged action. That nexus had been found to exist only in a few limited circumstances, “including, for example, (i) when the private entity performs a traditional, exclusive public function; (ii) when the government compels the private entity to take a particular action; or (iii) when the government acts jointly with the private entity.” The Court found that none of these circumstances were present in this case.
The Court also rejected claims that the SEC exceeded its authority under the Exchange Act and acted arbitrarily and capriciously in approving Nasdaq’s diversity rule. One aspect of this part of the opinion that’s worth noting is that the Court specifically rejected a claim that the SEC lacked the authority to promulgate rules requiring disclosures that weren’t material to investors:
[A] disclosure rule can be “related to the purposes of [the Exchange Act],” 15 U.S.C. § 78f(b)(5), even if the SEC does not find that the disclosure rule is limited to information that would be “material” in the securities fraud context. The “fundamental purpose” of the Exchange Act is “implementing a philosophy of full disclosure,” Levinson, 485 U.S. at 230 (internal quotation marks and citation omitted)—not just the disclosure of information sufficient to state a securities fraud claim. Indeed, the Exchange Act gives the SEC “very broad discretion to promulgate rules governing corporate disclosure.” Nat. Res. Def. Council, Inc. v. SEC, 606 F.2d 1031, 1050 (D.C. Cir. 1979).
While the decision is a resounding win for Nasdaq and the SEC, it’s unlikely that this will be the last word on the case. As this Reuters article points out, the defendants drew a very favorable panel comprised entirely of Democratic-appointed judges. If the plaintiffs appeal to the full 5th Circuit, the SEC & Nasdaq may well face a more hostile reception, because 12 of the 16 judges there were appointed by Republican presidents.