June 29, 2023

Cyber Resiliency: The SEC’s Enforcement Director Weighs In

Last week at the Financial Times Cyber Resilience Summit, SEC Enforcement Director Gurbir Grewal spoke on the topic of the SEC’s approach to cybersecurity issues, while not weighing in on the pending rulemaking activity for public companies and regulated entities. He shared five principles “that guide the work we are doing across the Enforcement Division to ensure that registrants take their cybersecurity and disclosure obligations seriously.” The five principles are:

1. “[W]hen there are cyber attacks on publicly traded companies and other market participants, we consider the investing public to also be potential victims of those incidents…So in addition to ensuring that market participants are doing their part to prevent and respond to cyber events, our goal is to prevent additional victimization by ensuring that investors receive timely and accurate required disclosures.”

2. “[F]irms need to have real policies that work in the real world, and then they need to actually implement them; having generic “check the box” cybersecurity policies simply doesn’t cut it.”

3. “[R]egistrants [must] regularly review and update all relevant cybersecurity policies to keep up with constantly evolving threats. What worked 12 months ago probably isn’t going to work today, or at a minimum may be less effective. And relatedly, registrants and the professionals that counsel them would be well-served by reviewing the Commission’s enforcement actions and public orders on these topics. They clearly outline what good compliance looks like and where and how registrants fall short with their cybersecurity obligations.”

4. “When a cyber incident does happen, the right information must be reported up the chain to those making disclosure decisions. If they don’t get the right information, it doesn’t matter how robust your disclosure policies are.”

5. “[W]e have zero tolerance for gamesmanship around the disclosure decision. Here, I am talking about those instances where folks are more concerned about reputational damage than about coming clean with shareholders and the customers whose data is at risk. Companies might, for example, stick their head in the sand, or work hard to persuade themselves that disclosure is not necessary based on their hyper technical readings of the rules, or by minimizing the cyber incident. Don’t do that. It doesn’t work for the customers whose data is at risk. It doesn’t work for the shareholders who are kept in the dark about material information. And it most certainly doesn’t work for the company, which will most likely face stiffer penalties once the breach gets out, as it invariably will, and if it turns out that the company violated its obligations.”

Grewal went on to note that, with respect to cybersecurity matters and more broadly, “firms that meaningfully cooperate with an SEC investigation, including by coming in to speak with us or self-reporting, receive real benefits, such as reduced penalties or even no penalties at all.”

– Dave Lynn

June 29, 2023

Time for a Cyber Tune-Up? Check Out Our Cybersecurity Practice Area

In his speech last week at the Financial Times Cyber Resilience Summit, SEC Enforcement Director Gurbir Grewal made the point that companies must regularly review and update cybersecurity policies and keep abreast of the SEC’s enforcement actions in the area for insights into “what good compliance looks like.” If you are looking for resources to facilitate that regular review, check out the “Cybersecurity” Practice Area on TheCorporateCounsel.net. There is an incredible array of resources available in the Practice Area on cybersecurity and data privacy matters, including the latest coverage of SEC enforcement actions and SEC guidance, updates on the SEC’s rulemaking efforts, the latest thought leadership on corporate governance considerations, very helpful checklists and coverage of federal and state-level legislative and rulemaking developments.

If you do not have access to the Practice Areas and other resources available on TheCorporateCounsel.net, sign up today. During the first 100 days as an activated member, you may cancel for any reason and receive a full refund.

– Dave Lynn

June 29, 2023

The Supremes: The June Rush is On!

It is that time of year when the Supreme Court wraps up its term and issues a long list of decisions. While rulings on several high profile cases are expected very soon, the Court recently weighed in on perhaps the more mundane topic of whether a state can require a company, as a condition of doing business in the state, to consent to being sued there for any and all claims. As my colleagues at Morrison Foerster note in this alert, in Mallory v. Norfolk Southern Railway Co., 599 U.S. __ (2023), the Court concluded that such a requirement is consistent with the Fourteenth Amendment’s due process clause, opening the door to a major increase in out-of-state corporations’ exposure to lawsuits if states seek such consents from businesses.

The case involved Pennsylvania’s long-arm statute, which authorizes Pennsylvania courts to exercise “general personal jurisdiction” over any corporation that is registered with the state (which is a requirement of doing business in the state). The MoFo alert notes:

In a fractured opinion, the Supreme Court vacated and remanded, ruling that Pennsylvania’s consent scheme does not violate the Due Process Clause. Although five Justices agreed that the state court ruling should be vacated and remanded, Justice Gorsuch wrote for a majority of the Court only for portions of his opinion. Justice Alito filed an opinion concurring in part and concurring in the judgment, and Justice Barrett filed a dissenting opinion for four Justices. Justice Jackson also filed a concurring opinion.

* * * *

Mallory represents a potentially vast increase in out-of-state corporations’ exposure to jurisdiction in unexpected places, often where jury verdicts are excessive. After the decision, states can now require companies to consent to personal jurisdiction as a condition of doing business there (even if another state has a greater interest in the underlying dispute). And while the Court’s opinion is fractured, it is clear that a majority of Justices agree that consent remains an independently sufficient ground for exercising general personal jurisdiction.

What remains unclear, however, is how many states will accept that invitation. As discussed in oral argument, laws like Pennsylvania’s may deter smaller businesses from operating in a particular state. States may conclude that those concerns outweigh any interest in providing a forum for suit. And even if states do enact such laws, a majority of the Court may view them as invalid, between the dissent’s due-process/federalism reasoning and Justice Alito’s dormant-Commerce-Clause analysis, which is likely to be tested in the next phase of this case.

I have to admit, it has been a while since I thought about the dormant Commerce Clause!

– Dave Lynn

June 28, 2023

The Use of Technology in Audits: PCAOB Proposes Updates to Its Standards

Earlier this week, the PCAOB announced that it had proposed amendments to its standards to address auditor responsibilities when using technology-assisted analysis of information in electronic form. The deadline for public comment on the proposal is August 28, 2023. The proposal includes changes to update aspects of AS 1105, Audit Evidence, and AS 2301, The Auditor’s Responses to the Risks of Material Misstatement. In the announcement for this proposal, the PCAOB notes:

The proposal seeks to improve audit quality by reducing the likelihood that an auditor who uses technology-assisted analysis will issue an opinion without obtaining sufficient appropriate audit evidence. In particular, the proposal would bring greater clarity to auditor responsibilities in the following areas:

  • Using reliable information in audit procedures: Technology-assisted analysis often involves analyzing vast amounts of information in electronic format. The proposal would emphasize auditor responsibilities when evaluating the reliability of such information. For example, when auditors test a company’s controls over electronic information, their testing should include controls over the company’s information technology related to such information.
  • Using audit evidence for multiple purposes: Technology-assisted analysis can be used to provide audit evidence for various purposes in an audit. For example, performing risk assessment procedures when planning an audit and performing substantive procedures in response to the auditor’s risk assessment. The proposal would specify that if an auditor uses audit evidence from an audit procedure for more than one purpose, the auditor should design and perform the procedure to achieve each of the relevant objectives.
  • Designing and performing substantive procedures: When designing and performing substantive procedures, auditors can use technology-assisted analysis to identify transactions and balances that meet certain criteria and warrant further investigation. For example, auditors can identify all transactions within an account processed by a certain individual or exceeding a certain amount. The proposal would clarify the factors the auditor should consider as part of that investigation, including whether the identified items represent a misstatement or a control deficiency or indicate a need for the auditor to modify its risk assessment or planned procedures.

– Dave Lynn

June 28, 2023

The PCAOB’s Updated Audit Committee Resource is Here

Last week, the PCAOB released its updated Spotlight: Audit Committee Resource. The PCAOB describes this publication as follows:

The staff of the Public Company Accounting Oversight Board (PCAOB) from time to time provides Spotlights to highlight timely information for auditors, audit committee members, investors, and others. Our oversight activities continue to indicate that investors and other stakeholders look to audit committees of public companies to oversee the quality and sufficiency of the accounting and financial reporting processes of public companies, as well as the audits of public companies. As part of audit committees’ audit oversight responsibilities, it is important that audit committees engage in effective two-way communication with auditors and ask relevant questions throughout the audit.

This “Spotlight: Audit Committee Resource” suggests questions that may be of interest to audit committee members to consider amongst themselves or in discussions with their independent auditors, particularly given today’s economic and geopolitical landscape. Stakeholders may also consider other Spotlights as reference points for relevant discussions, including our April 2023 Spotlight, “Staff Priorities for 2023 Inspections.”

The Spotlight addresses a number of key areas that are of interest to audit committees, including the risk of fraud, risk assessment and internal controls, auditing and accounting risks, digital assets, M&A activities, use of the work of other auditors, talent and its impact on audit quality, independence, critical audit matters and cybersecurity.

– Dave Lynn

June 28, 2023

The Latest ESG Trends: A View from Legal Departments

My colleagues at Morrison Foerster have announced the results of a second annual “GCs and ESG” survey. The highlights of the survey are described as follows:

The results show that ESG considerations have quickly evolved into a top corporate priority over the past year as companies are increasingly balancing ESG regulatory and internal mandates with a focus on both enhancing positive impact for the benefit of shareholders and stakeholders and mitigating negative ESG externalities. As priorities have shifted, so, too, has ESG leadership, with seventy-two percent of respondents this year reporting that either the CEO, Chief Compliance Officer or another C-Suite leader is spearheading ESG strategy, whereas it was only ten percent last year. The top ESG efforts have also shifted somewhat from last year’s focus on “G” (governance) to “E” (environment) this year. This shift is likely due to both more mature governance frameworks and increasing regulatory mandates from leading government agencies across the globe.

On the topic of the ESG backlash that has been coming up more and more these days, the survey indicates that almost half of respondents report that they have neither experienced nor been impacted by anti-ESG backlash, while others report that they have responded to the backlash by focusing on specific, granular areas of concern, such as climate, human rights, or DEI. Fifteen percent of respondents report that they are no longer using the term “ESG” or have changed terminology in response to the anti-ESG backlash. Larger and publicly held companies were more likely than smaller and privately held companies to not use the term “ESG.”

– Dave Lynn

June 27, 2023

Today’s CompensationStandards.com Webcast: “Proxy Season Post-Mortem – The Latest Compensation Disclosures”

Join us today at 2:00 pm Eastern on CompensationStandards.com for our annual webcast, “Proxy Season Post-Mortem: The Latest Compensation Disclosures” – to hear from Mark Borges of Compensia, Ron Mueller of Gibson Dunn and me as we analyze this year’s proxy season. The duration of this program has been extended to 90 minutes so we can share practical insights that will help you finalize your Dodd-Frank clawback policy.

If you attend the live version of this program, CLE credit will be available. You just need to fill out this form to submit your state and license number and complete the prompts during the program. Members of CompensationStandards.com are able to attend this critical webcast at no charge. The webcast cost for non-members is $595. If you’re not yet a member, try a no-risk trial now. Our “100-Day Promise” guarantees that during the first 100 days as an activated member, you may cancel for any reason and receive a full refund. If you have any questions, email sales@ccrcorp.com – or call us at 1-800-737-1271.

– Dave Lynn

June 27, 2023

Clawback Chronicles: Decisions, Decisions

One of the topics that we will discuss later today on our very timely CompensationStandards.com webcast is all of the many considerations that go into adopting or amending your clawback policy to be compliant with the requirements of the NYSE and Nasdaq that will be effective on October 2, 2023. Companies will have until December 1, 2023 to adopt compliant clawback policies. While the requirements for the policy that are dictated by SEC Rule 10D-1 are very specific (and restrictive), the actual implementation of clawback provisions in response to those requirements is proving to be somewhat complex for listed companies.

This new alert from Gunster highlights the many decisions that companies will have to make as they seek to adopt or update clawback policies in light of the new listing requirements. The alert notes the following regarding updates to existing policies:

The new rules are complex and require a listed company to take a number of steps in order to amend existing clawback policies or provisions (contained in compensation plans or otherwise) or, if none, to adopt and implement one or more compliant policies in a timely manner. The following is a summary of the key steps to be taken and decisions to be made.

  • If your company has an existing clawback policy, you will need to compare the existing policy to the requirements of the new rules, including any additional requirements in the applicable listing standards. For example:
    • Existing policies may apply to a narrower or broader employee population than is required under the new rules, which applies to current and former Section 16 officers.
    • Existing policies may be tied to a specific type of restatement or may apply only in cases of misconduct. The new rules require recoupment for two types of restatements and apply whether or not the restatements are the result of misconduct.
    • Existing policies may apply to different forms of compensation. The new rules apply to all “incentive-based compensation,” which is broadly defined as any compensation that is granted, earned, or vested based wholly or in part upon the attainment of any “financial reporting measure.”
    • Existing policies may be discretionary, whereas under the new rules clawbacks are mandatory except in three limited circumstances.

The alert goes on to highlight considerations with respect to: maintaining multiple clawback policies; the treatment of existing clawback provisions (including provisions in plans, specific grants under plans, employment agreements, or otherwise); the incorporation of the clawback policy in awards going forward; the approach to enforcing the clawback policy; the determination of executive officer status; and ongoing disclosure obligations. Needless to say, there is a lot of work required to finalize a compliant clawback policy that works within a company’s existing plans and programs.

– Dave Lynn

June 27, 2023

ISSB Issues First Sustainability Standards

They are here! Yesterday, the International Sustainability Standards Board (ISSB) rolled out its inaugural standards—IFRS S1 and IFRS S2. As you may recall, the ISSB was established in November 2021 at COP26 to develop a comprehensive global baseline of sustainability disclosures. ISSB consolidated the CDSB and the Value Reporting Foundation (the combination of SASB and IIRC) under the auspices of the IFRS Foundation.

IFRS S1 provides a set of disclosure requirements designed to enable companies to communicate to investors about the sustainability-related risks and opportunities they face over the short, medium and long term. IFRS S2 sets out specific climate-related disclosures and is designed to be used with IFRS S1. The ISSB notes in its announcement that both IFRS S1 and IFRS S2 fully incorporate the recommendations of the Task Force on Climate-related Financial Disclosures (TCFD). The ISSB’s announcement notes:

The ISSB Standards are designed to ensure that companies provide sustainability-related information alongside financial statements—in the same reporting package. The Standards have been developed to be used in conjunction with any accounting requirements. They are also built on the concepts that underpin the IFRS Accounting Standards, which are required by more than 140 jurisdictions. The ISSB Standards are suitable for application around the world, creating a truly global baseline.

For more coverage of these new ISSB standards, sign up today for PracticalESG.com. You can begin your membership today online, or you can contact a Specialist at Sales@CCRcorp.com or at 1-800-737-1271 for assistance.

– Dave Lynn

June 26, 2023

SEC Investor Advisory Committee: Audit Committees in the Spotlight

At last week’s meeting of the SEC’s Investor Advisory Committee, the role of the audit committee was explored in a panel discussion focused on audit committee workload and transparency. The Committee’s consideration of audit committees begins at around the 1 hour and 39 minute mark of the replay of the afternoon webcast. The agenda described the topic as follows:

This panel will focus on the role of the audit committee, which is rapidly changing, where many audit committees now oversee a variety of emerging risks while balancing an ever-increasing workload. Simultaneously, there is a larger focus on the audit itself with the PCAOB taking a fresh look at auditing standards. Risks continue to emerge and evolve. The presenters and the panel will explore how audit committees are keeping pace with shifting responsibilities and priorities, and whether existing audit committee disclosures adequately benefit investor needs.

Two presentations were made available to the Investor Advisory Committee: one presentation titled “Audit Committee: The Kitchen Sink of the Board,” was presented by Lauren Cunningham, Keith Stanga Professor of Accounting, University of Tennessee, while the other presentation was titled “Audit Committee Transparency Barometer,” which was presented by Vanessa Teitelbaum, Senior Director, Professional Practice, The Center for Audit Quality. A panel discussion followed which included four audit committee chairs, including Robert Herz, chair of the Morgan Stanley Audit Committee and formerly chair of the FASB and a member of the IASB and the Value Reporting Foundation.

The topic of audit committee disclosure has been something that the SEC Staff has been discussing on and off for the past decade or so. This discussion of the Investor Advisory Committee may ultimately evolve into some further recommendations on expanding audit committee disclosures.

– Dave Lynn