The PCAOB recently released its annual report on conversations with audit committee chairs. This FEI Daily blog highlights what that report has to say about the five biggest worries facing audit committee chairs. This excerpt says one of them is shortcomings in communications between auditors and audit committees:
A large number of audit committee chairs interviewed by the PCAOB cited “inconsistent or last-minute communication with auditors” as a growing issue and that the area needed improvement. While those leaders said that the auditor’s overall approach to communication in areas like emerging issues and education should be commended, they added there was room for improvement in audit status updates. “Audit committee chairs felt that early and ongoing communication with their auditors would help minimize the possibility of surprises throughout the audit,” the report states.
Other areas of concern include the impact of the “great resignation” on the accounting profession, the ongoing control challenges of a remote workforce, the need to prevent the determination of “Critical Audit Matters” from becoming a generic compliance exercise, and the accuracy of non-GAAP and other non-financial statement metrics.
On Friday, the SEC adopted a pair of rules mandated by Dodd-Frank & intended to enhance market transparency when it comes to short positions & securities lending activities. The SEC first announced the adoption of Rule 10c-1a, which will require certain persons to report information about securities loans to a registered national securities association and in turn require that association to make publicly available specified information about those loans. Here’s the 353-page adopting release and the 2-page fact sheet. This excerpt from the fact sheet explains why the new rule matters:
Parties to securities lending transactions are not currently required to report the material terms of those transactions. The lack of public information and data gaps create inefficiencies in the securities lending market and make it difficult for borrowers and lenders to ascertain – and to know whether the terms of their loans are consistent with – market conditions. Rule 10c-1a will provide market participants with access to pricing and other material information regarding securities lending transactions in a timely manner. Further, the rule will provide regulators with information for their market oversight functions.
The SEC then announced the adoption of Rule 13f-2, which is intended to increase the public availability of information about short sale activity. Here’s the 315-page adopting release and here’s the 2-page fact sheet. This excerpt from the fact sheet explains why this new rule matters:
Section 13(f)(2) of the Securities Exchange Act of 1934 (“Exchange Act”), added under Section 929X of the Dodd-Frank Wall Street Reform and Consumer Protection Act, requires the Commission to prescribe rules to make certain short sale related data publicly available. The data reported in Form SHO filings and the aggregated data from Form SHO filings that are published by the Commission pursuant to Rule 13f-2 will, among other things, help inform market participants regarding the overall short sale activity by reporting Managers and will bolster the Commission’s and other regulators’ oversight of short selling.
The rules were adopted by the now customary 3-2 party line vote. The new rules may increase the transparency of short activity & securities lending – which typically go hand in hand – but as the WSJ points out, the final rules don’t require disclosure of the kind of granular information that could compromise the anonymity of hedge fund short sellers. I guess that means that the downtrodden stocks of corporate America will still need to pin their hopes from time to time on the intervention of the Dumb Money crowd for relief from short sellers’ depredations. For some of these companies, the meme stock folks may not be the heroes they need, but they’re almost always the ones they deserve.
The disclosure implications of the horrific terrorist attacks on Israel & the war that those attacks spawned are rightfully pretty far down the list of concerns raised by those events, but they are nevertheless something that public companies and those who advise them must keep in mind. This recent Goodwin blog addresses those implications, and points out that the Staff’s prior guidance concerning the implications of Russia’s invasion of Ukraine provides some insights about what the SEC is likely to expect from public companies impacted by the current hostilities in the Middle East:
Given the recency of the War, the Securities and Exchange Commission’s (the “SEC”) Division of Corporation Finance is yet to provide specific disclosure guidance related to the War. For context, when the geopolitical situation in Eastern Europe intensified in February 2022, with Russia’s invasion of Ukraine, the Securities and Exchange Commission’s (the “SEC”) Division of Corporation Finance released a sample letter reflecting comments it may issue to a registrant regarding compliance with the SEC’s disclosure obligations.
The sample letter underscores the need for registrants to evaluate both direct and indirect impacts of wars, including potential or actual disruptions to suppliers, customers, or employees, among other considerations. The sample comments within the letter primarily focus on (1) risk factors, (2) Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A), (3) internal control over financial reporting, (4) disclosure controls and procedures, and (5) non-GAAP measures.
The blog points out the importance of considering a company’s direct and indirect exposures to the impact of the conflict, particularly for those companies with material business ties to the region and those that lend to or borrow from entities in Israel or Gaza. It also notes that the war may impact an even wider range of public companies given its potential ramifications for the global economy and financial markets.
The comment period for the PCAOB’s controversial “NOCLAR” proposal expired in August, and that means the big question is “what happens now?” This Bass Berry blog has some thoughts on the answer to that question:
Now that the comment period has closed, the PCAOB will determine whether or not to adopt final rules and whether or not the final rules will make changes to the Proposal. Any final rules adopted will be submitted to the Securities and Exchange Commission (SEC) for approval. Pursuant to Section 107 of the Sarbanes-Oxley Act, proposed rules of the PCAOB do not take effect unless approved by the SEC.
Given that the Proposal has majority support at the PCAOB and that even the two dissenting members expressed support for certain aspects of the Proposal, we expect any final rules submitted to the SEC for approval to expand auditors’ responsibilities with respect to NOCLAR. In the meantime, the PCAOB’s clear focus on NOCLAR might cause auditors to be more demanding with respect to these matters, even under the current standard.
The blog recommends that companies reevaluate their existing legal compliance policies and procedures, consider how their audit committee will evaluate information that auditors may provide about potential non-compliance with laws and regulations, and consider how the company will respond to requests from auditors dealing with non-compliance, particularly if the information sought is privileged.
According to PwC’s latest annual director survey and highlights, directors are frequently critical of the performance of some of their peers but that hasn’t driven much board turnover. Specifically, the survey found that:
– 45% of directors think someone on their board should be replaced
– 39% say their boards have not made any changes as a result of their last board assessment
– Only 11% of directors say their board’s assessment processes resulted in the decision to not renominate a director
This is not a new problem, but the responsiveness rates haven’t markedly improved over the years. PwC notes that “annual rates of turnover in the S&P 500 were approximately 7% in 2023” and refreshment rules — like mandatory retirement ages and term limits — have not been very popular or effective at addressing the issue.
In the survey, directors point to ineffective assessment processes and board leadership often being unwilling to have hard conversations with underperforming directors. Interestingly — but not surprisingly — the response to an assessment differed depending on the independence of board leadership. 68% of directors on boards with independent chairs said their boards took action as a result of an assessment, while only 56% of directors on boards with executive chairs answered this question in the affirmative.
Early this month, the FDIC proposed, by a 3-2 vote, new corporate governance and risk management standards for certain FDIC-regulated institutions. This Mayer Brown publication discusses the history of governance and risk management at state-chartered banks and gives this high-level assessment:
The Proposed Standards would establish extensive and rigid requirements for a wide range of state-chartered banks. Further, they would reverse decades of reliance on state law for establishing governance and oversight obligations. […] The Proposed Standards lean toward a rules-based approach to corporate governance, in contrast to the principles-based approach that is prevalent under state law. Critics will observe that the Proposed Standards are presented as “good corporate governance” without appreciating that what is “good” for one bank may not be “good” for another and that achieving “good corporate governance” results not from uniform regulatory mandates but from default rules that can be tailored and fiduciary duties that can be fit.
The Proposed Standards would require many small, community banks to establish and operate extensive, formal risk management frameworks. The financial cost and time required by the board and management to stand up such programs, build relevant systems, and sustain them would impose a significant burden on affected banks.
The alert states that approximately 60 banks would currently be covered by the standards — that is, “state-chartered nonmember insured banks, state-licensed insured branches of foreign banks, and state savings associations that have $10 billion or more in total assets.” Here’s the memo’s summary of the corporate governance expectations:
The Proposed Standards would address the obligations, composition, duties, and committee structure that the FDIC expects bank boards to satisfy as part of good corporate governance.
Obligations. Covered directors would have a duty to safeguard the interests of the bank and confirm that the bank operates in a safe and sound manner and in compliance with applicable federal and state law. A board, in supervising the bank, should consider the interests of all its stakeholders, including shareholders, depositors, creditors, customers, regulators, and the public.
Composition. Covered boards would be required to consider how the selection of and diversity among board members collectively and individually may best promote effective, independent oversight of bank management and satisfy all legal requirements for outside and independent directors. A bank board should include a majority of outside and independent directors.
Duties. Covered boards would need to (i) set an appropriate tone and establish a responsible, ethical corporate culture; (ii) evaluate and approve a strategic plan; (iii) approve and annually review policies; (iv) establish and annually review a written code of ethics; (v) actively oversee the bank’s activities, including all material risk-taking activities; (vi) exercise independent judgment; (vii) select and appoint qualified executive officers; (viii) establish and adhere to a formal training program; (ix) conduct an annual self-assessment of its effectiveness; and (x) establish and annually review compensation and performance management programs.
Committee Structure. Covered boards would be required to implement an organizational structure to keep directors informed and provide an adequate framework to oversee the bank. At a minimum, a board would need to have an audit committee, compensation committee, trust committee (if it has fiduciary powers), and risk committee. It also should have any other committees that are necessary for the board to perform its duties. Each board committee would need a board-approved written charter outlining its purpose and responsibilities that is reviewed annually.
Finally, the proposed standards relating to risk management largely track the “Heightened Standards” adopted by the OCC in 2014 for larger federally chartered banks but “go into considerably more detail than the Heightened Standards and impose more extensive obligations.” We’re posting the Proposed Standards and related memos in our “Financial Institutions” Practice Area.
Woodruff Sawyer recently released the first in a two-part series meant to demystify SEC investigations for directors and officers. Part one focuses on the investigative stage and begins with this note about the sheer volume of tips and investigations the Division of Enforcement receives and addresses annually:
The SEC receives tens of thousands of enforcement tips every year. SEC Enforcement has almost 1,500 staffers and about 1,500 open investigations at any given time across the country. […] SEC Enforcement lawyers can and will open an investigation any time they believe it is possible that a securities law violation has occurred. In practice, this means that they can open investigations freely, at any time, and for any legitimate, non-discriminatory reason.
The post explains that there are a few “procedural paths” the investigation can take and which path the Division of Enforcement chooses can be indicative of the Division’s initial expectations about the investigation:
An encounter with the SEC can fall anywhere on a wide spectrum of pain, from expensive procedural annoyance to substantive existential threat. […] [T]he bureaucratic posture of an investigation can be important: The posture can hint at whether the government is just kicking the tires and may walk away after a limited review or whether they are likely to dig in for the long haul.
Through a helpful flow chart, the post describes those two initial paths — opening a “matter under inquiry (MUI)” or an investigation — and their implications and then summarizes the subsequent documents phase and possible testimony phase. Maybe most importantly, the post describes the ways that a government investigation differs from private litigation and has this reminder to manage the expectations of all involved:
Once a formal order exists, you should be prepared for a long road ahead. On average, it takes about two years from the time the SEC opens an investigation to the time it brings a case. (This statistic doesn’t include investigations closed without charges; unfruitful investigations also often drag on for years.) Over the course of an investigation, you will see flurries of activity and then long periods of inactivity and uncertainty. While the government considers the documents you’ve produced and mulls over the next steps, it won’t provide the company with much information about where things are headed.
In the final cybersecurity rules, the SEC did away with the proposed requirement to disclose board cybersecurity expertise, even though, during the “Dialogue with the Director” session at the ABA’s Business Law Section Fall Meeting, Corp Fin Director Erik Gerding stressed that the proposal was not meant to impact board composition. The final rules instead focus on management expertise. But that doesn’t mean that directors can ignore cybersecurity expertise at the board level.
In 2023, 61% of companies disclosed cybersecurity as an area of expertise sought on the board, up from 20% in 2018. More than two-thirds of the companies now cite cybersecurity experience in at least one director biography, up from 33% in 2018.
A closer look at these changes over the past few years shows that, in most cases, the increases in director experience are related to most companies adding cyber-related experience to longer-standing board member bios, with some boards adding a new director with cybersecurity experience. The new arrivals have included former CIOs and senior information technology executives, the head of a cybersecurity company, and former leaders in federal intelligence agencies or the Department of Defense.
This HLS blog post by NightDragon and Diligent suggests ways boards can bolster their cyber “technical chops.” Spoiler alert! The first recommendation is to make cyber education a priority. From the management perspective, the blog also highlights how CISOs can prepare themselves to address and educate their boards and acknowledges some of the biggest challenges CISOs face when presenting to the board — determining the right amount of information to provide and focusing on the business. The blog says this means “ditching the industry lingo and always speaking in terms of risk to the business, such as how cybersecurity risk could impact revenue acceleration, international expansion, and other strategic topics.”
In a new whitepaper, “The SEC’s New Cybersecurity Regulations: What Investors and Shareholders Should Know” (available for download), Glass Lewis discusses how shareholders can leverage newly required disclosures to assess the cybersecurity of companies they invest in and use that information in investment and engagement strategies. Noting that many investors don’t have significant expertise in cybersecurity risk, Glass Lewis touts its partnership with Bitsight to provide insight into each company’s level of cyber risk exposure.
As explained in the paper, Bitsight uses cybersecurity data that it collects “continuously and non-intrusively” to create “quantitative, objective ratings and analytics that are similar to credit scores and updated daily.” Here’s how Glass Lewis is already sharing this information with its clients:
Glass Lewis Proxy Papers feature a point in time snapshot of a public company’s cybersecurity performance, pulled directly from the Bitsight platform. The report features the company’s overall Bitsight Security Rating and how the organization benchmarks against its peers, the organization’s performance over the last 12 months, the likelihood of ransomware incidents, the likelihood of data breach incidents, and any publicly disclosed incidents in the last 18 months.
The September-October issue of “The Corporate Counsel” newsletter is in the mail. It’s also available now online to members of TheCorporateCounsel.net who subscribe to the electronic format. This issue includes the following articles:
– Wells Notices: An Overview of the Disclosure Landscape
– Capital Markets Alternatives: PIPEs and Variations on the PIPEs Theme
– The Limits of Exculpation: Personal Liability for Acts Taken on Behalf of a Corporation
If you’re not already a subscriber, you can subscribe online to this essential resource or email sales@ccrcorp.com.