On Friday, the SEC announced the creation of the Interagency Securities Council. The Council includes representatives from more than 100 departments and agencies at the federal, state and local levels.
The Council’s purpose is to ensure that law enforcement and regulatory agencies at all levels of government are working together to combat financial fraud and provide a means to share information with law enforcement officials who don’t frequently deal with securities law violations. During quarterly meetings, members will “participate in discussions with experts on emerging threats, hear from investigators conducting and supervising investigations, and explore case study examples of agencies employing innovative approaches to combat financial fraud.”
ICYMI, last week, Delaware Governor John Carney signed into law SB 313, the controversial 2024 DGCL amendments. The most hotly contested change put in place by the legislation is new Section 122(18) of the DGCL, which is intended to address the Chancery Court’s decision in West Palm Beach Firefighters v. Moelis, (Del. Ch.; 2/24), but the amendments also respond to issues raised by several other recent Chancery Court decisions. Advocates of the legislation contend that it is necessary to address “rogue” decisions by the Chancery Court that were inconsistent with market practice, while critics argue that it makes seismic changes to the DGCL without sufficient deliberation, raises a number of unanswered questions and reopens many governance issues that were long thought to be settled.
With all of the controversy surrounding the 2024 DGCL amendments and their potentially profound impact on Delaware corporations, you won’t want to miss today’s DealLawyers.com webcast – “2024 DGCL Amendments: Implications & Unanswered Questions” – from 2 to 3 pm ET.Steven Haas of Hunton Andrews Kurth, Julia Lapitskaya of Gibson Dunn, and Eric Klinger-Wilensky of Morris Nichols will address the following:
– Overview of the DGCL amendments
– Implications for governance agreements
– Implications for acquisition agreements
– Fiduciary duties v. contractual obligations
– Unanswered questions
Members of DealLawyers.com are able to attend this critical webcast at no charge. If you’re not yet a member, subscribe now. If you need assistance, send us an email at info@ccrcorp.com – or call us at 800.737.1271.
We will apply for CLE credit in all applicable states (with the exception of SC and NE, which require advance notice) for this 60-minute webcast. You must submit your state and license number prior to or during the program using this form. Attendees must participate in the live webcast and fully complete all the CLE credit survey links during the program. You will receive a CLE certificate from our CLE provider when your state issues approval, typically within 30 days of the webcast. All credits are pending state approval.
In the wake of some welcome news for the cybersecurity community late last week came a widespread and nearly economy-stopping tech outage on Friday morning that impacted many industries, including airlines, banks & hospitals, and government entities, like school districts & courthouses. While many whose lives and jobs were impacted by the outage are likely most concerned that a software update at one company could put so many businesses temporarily out of commission, we securities lawyers are thinking about what disclosures may need to be made — and what lawsuits may follow.
While CrowdStrike announced that the occurrence wasn’t “a security incident or cyberattack,” impacted companies should remember that the definitions of “cybersecurity incident” and “information systems” for purposes Item 1.05 of Form 8-K are very broad.
Cybersecurity incident means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.
Information systems means electronic information resources, owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant’s information to maintain or support the registrant’s operations.
The adopting release also noted that the word “unauthorized” is meant to be broadly interpreted:
One commenter sought clarification of whether the definition encompasses accidental incidents, such as chance technology outages, that do not involve a malicious actor, while another commenter advocated broadening the definition to any incident materially disrupting operations, regardless of what precipitated it. …
We are also retaining “unauthorized” in the incident definition as proposed. In general, we believe that an accidental occurrence is an unauthorized occurrence. Therefore, we note that an accidental occurrence may be a cybersecurity incident under our definition, even if there is no confirmed malicious activity. For example, if a company’s customer data are accidentally exposed, allowing unauthorized access to such data, the data breach would constitute a “cybersecurity incident” that would necessitate a materiality analysis to determine whether disclosure under Item 1.05 of Form 8-K is required.
The SEC has noted on its homepage that it is monitoring for market-related impacts of this “widespread IT disruption.” Maybe at some point the Staff will also clarify how to apply the “cybersecurity incident” definition to outages like this. In the meantime, companies will need to gather facts internally and assess with counsel whether their situation meets the definition of “cybersecurity incident” with the guidance we do have — including the adopting release and CDIs.
While it appears here, based on public reporting to date, that no data has been exposed nor systems accessed, this broad interpretation of “unauthorized” to include “accidental” has people scratching their heads, wondering whether including this type of software glitch in the universe of 8-K triggering events renders the “security” aspect of the rules meaningless. That said, some impacted companies clearly had issues with the “availability” of their information systems. If companies determine that a cybersecurity incident has occurred, they will need to assess whether it is material.
Whenever a company determines it has experienced a “cybersecurity incident,” it then needs to assess whether that incident is material based on company-specific facts and circumstances. The SEC Staff recently made clear that immaterial incidents should not be reported under Item 1.05 and that immaterial cybersecurity incidents or early disclosure should be reported under a different item of Form 8-K — like 8.01 for Other Events. For companies that get to the materiality step, keep in mind that the SEC has made clear that the materiality assessment is not limited to the incident’s impact on the company’s financial condition and results of operation.
– Corp Fin Director Erik Gerding’s recent statement about reporting immaterial incidents and some of the 5 new CDIs on Item 1.05 included guidance on assessing materiality.
– The adopting release also included a discussion of materiality and listed qualitative factors to consider.
– This WilmerHale resource (see especially page 22) does a great job of summarizing quantitative considerations, qualitative considerations and factors that are NOT relevant based on the adopting release and the firm’s experience helping companies evaluate disclosure obligations under the 2011 Staff Guidance and 2018 Interpretive Guidance.
This is an evolving area and one where it’s important to be able to think on your feet but also avoid rushing to conclusions. Our Proxy Disclosure & Executive Compensation Conferences include a panel dedicated to addressing the real-time reporting of cyber incidents during which attendees will hear from Tamara Brightwell of Wilson Sonsini, Howard Dicker of Weil Gotshal, Sophia Hudson of Kirkland & Ellis, and Bill Ridgway of Skadden. Our panel on navigating 10-K updates will also be addressing how companies approached cybersecurity disclosures in 10-Ks. We hope you join us in person! Register soon (this week, actually) by visiting our online store or by calling us at 800-737-1271 to get the early bird rate!
We previously blogged about the Chancery Court’s decision in Kellner v. AIM Immunotech, (Del. Ch.; 12/23), in which Vice Chancellor Will invalidated certain amendments to a company’s advance notice bylaw adopted during a proxy contest, but ultimately concluded that the board acted reasonably in rejecting the investors’ notice of nominations for noncompliance with the advance notice bylaw. Last week, the Delaware Supreme Court issued an opinion affirming that decision in part and reversing it in part.
The plaintiffs challenged six bylaw provisions, which are detailed in our earlier blog on the case. The Chancery Court invalidated four of the challenged bylaw provisions but upheld two others. The Supreme Court held that, under the circumstances of this case, all of the bylaws had to go. This excerpt from a recent blog by Prof. Ann Lipton summarizes the Court’s reasoning:
First, the Delaware Supreme Court held (and we should all take note of this for future cases) that advance notice bylaws may be evaluated for invalidity, and separately for inequity. A validity challenge is a facial challenge, and relatively narrow: quoting ATP Tour, Inc. v. Deutscher Tennis Bund, 91 A.3d 554 (Del. 2014), the Court held “A facially valid bylaw is one that is authorized by the Delaware General Corporation Law (DGCL), consistent with the corporation’s certificate of incorporation, and not otherwise prohibited.” The fact that it might operate inequitably or unlawfully in some circumstances is not sufficient to render the bylaw invalid.
On that analysis, the Court found that one amended AIM bylaw was invalid, because it was unintelligible: “The bylaw, with its thirteen discrete parts, is excessively long, contains vague terms, and imposes virtually endless requirements on a stockholder seeking to nominate directors….An unintelligible bylaw is invalid under ‘any circumstances.’”
The other bylaws, however, were found to be facially valid. But, they still had to be “twice-tested” in equity. And that test is the enhanced scrutiny test, as articulated in Coster v. UIP Companies, 300 A.3d 656 (Del. 2023). First, the board must identify a threat and act in good faith; second, the board’s response must be proportional.
In this case, the Court found that the totality of the amended bylaws – which were exceptionally broad, required information potentially unknown to the nominee, were ambiguous, unreasonable, and ultimately at odds with the board’s stated purpose of information-collection – suggested that the board did not, in fact, act with a proper purpose when amending them. Instead, the purpose was to block the dissident entirely. When it comes to proxy contests, boards may try to inform stockholders, but they can’t substitute their own judgment for the stockholder vote; therefore, all of the bylaws (including the two that Will did not find to be unreasonable) had to be stricken.
I think the Court’s reminder that “when corporate action is challenged, it must be twice-tested – first for legal authorization, and second by equity” is important to keep in mind, and not just for advance notice bylaw challenges. My guess is that the “twice-tested in equity” concept will feature prominently in the parade of case law that’s likely to result from the adoption of new Section 122(18) of the DGCL.
This week, I am taking a walk down memory lane and offering up some of the key lessons that I have learned over the course of my career. Today, I turn our attention to the mid-2000s options backdating fiasco, which I witnessed from my perch as Chief Counsel of the Division of Corporation Finance at the SEC.
For those who did not experience the events first-hand, the options backdating fiasco was a sprawling scandal that affected many public companies at a time when we were just trying to get past the crisis in confidence brought about by the major corporate scandals that I talked about yesterday. The conduct underlying the fiasco was simple enough – executives falsified corporate documents by selecting an option grant date when the stock price was at its lowest, locking in an immediate boost in value and achieving favorable tax outcomes. In addition to straight-up options backdating, there were other nefarious practices prevalent at the time, including “bullet dodging” and “spring loading” by timing option grants relative to the release of material nonpublic information, which remains a topic of great interest to the SEC even to this day.
What was particularly notable about this fiasco was the extraordinary impact on companies and shareholders of this seemingly innocuous act of selecting favorable grant dates. Many companies were forced to restate several years of their financial statements, and those restatements took extended periods of time as the investigations unfolded. Many talented executives from very high profile companies lost their jobs and were implicated personally in SEC actions. I gleaned some valuable lessons for the options backdating fiasco, including:
1. If it Sounds Too Good to Be True, It Probably Is: The fact that so many companies and executives were implicated in options backdating cases demonstrates how a practice can become endemic when no one steps up and says: “Isn’t this too good to be true?” Some healthy skepticism about conduct that did not even seem to pass the smell test might have gone a long way to avoid a situation where a great deal of shareholder value was destroyed and careers were ruined.
2. The Little Things Matter: While board and committee minutes, resolutions and consents are admittedly one of the more boring things that we do, it is critically important that they accurately reflect the proceedings and not be subject to manipulation. Whenever someone wants to “fudge” a date in a resolution, I always think back to the parade of horribles that emerged from the options backdating fiasco.
3. Creativity is Not Always Good: Lawyers and other professionals are always seeking to come up with creative solutions to the problems that clients face, which I think is generally a good thing, but those professionals need to always think about how a proposed “creative” approach to a problem could ultimately be viewed by regulators, criminal authorities, auditors, plaintiffs’ lawyers, academia and the media before advising companies to go down that creative path. In other words, there can sometimes be a fine line between being creative and committing fraud.
4. A Protracted Restatement is a Very Rough Ride: The sheer scope of options backdating issues meant that the internal investigations and restatement efforts at affected companies were very complicated and protracted, meaning that companies were slogging through the restatement process for many months before they could file restated financial statements. This often meant that companies could not hold their annual meeting (because they could not provided the financial information for the annual report that accompanies the proxy statement), could not raise capital in public markets (because they had to shut their registration statements down) and could not even offer equity compensation to employees in some circumstances (because their Form S-8 registration statement was no longer available). These were very difficult waters to navigate, and not any place that a company wants to find itself.
I am grateful to have had the opportunity to share my lessons learned with you this week!
As this Reuters article notes, the SEC suffered a significant setback in its ongoing cybersecurity enforcement efforts when U.S. District Judge Paul Engelmayer dismissed a significant part the SEC’s allegations against SolarWinds in a closely-watched and sprawling case that the SEC has been pursuing for several years. The article notes:
U.S. District Judge Paul Engelmayer in Manhattan dismissed all claims against SolarWinds and chief information security officer Timothy Brown over statements made after the attack, saying the claims were based on “hindsight and speculation.”
In a 107-page decision on Thursday, the judge also dismissed most SEC claims concerning statements predating the attack, apart from securities fraud claims based on a statement on SolarWinds’ website touting the company’s security controls.
The SEC declined to comment on Judge Engelmayer’s decision. There will no doubt be a lot of ink spilled over the coming days analyzing the potential implications of the decision for the SEC’s current Enforcement efforts with respect to cybersecurity disclosure and internal accounting controls, but suffice it to say that this decision pushes back on the some of the agency’s most aggressive enforcement theories in the cybersecurity space.
ESG investing isn’t new, but it is in a new world right now with unprecedented regulatory, financial, macroeconomic and geopolitical dynamics. Both investors and their holdings struggle to keep up with these changes while meeting competing priorities and facing oscillations in strategies.
Nawar Alsaadi, CEO and founder of Kanata Advisors and Marie-Josée Privyk, Founder and ESG Advisor of FinComm Services, will take these matters head-on to help both sides stay focused on what is important rather than running down distractions.
Topics to be covered include:
– Defining “ESG investing” today, especially in relation/contrast to impact investing
– Current investor trends: information needs, decision criteria, engagement v. divestment, use of ESG ratings, impact of naming rules
– Portfolio companies: responding to investors, emphasizing business fundamentals
– Implications of investor dissatisfaction/divestment: does divestment really hurt portfolio companies?
This webcast is presented at no additional cost to members of PracticalESG.com. If you are not already a PracticalESG.com, you can sign up today and take advantage of our no-risk “100-Day Promise” – during the first 100 days as an activated member, you may cancel for any reason and receive a full refund.
This week, I am looking back on almost thirty years of practice and offering up some of the key lessons that I have learned over the course of my career. Today, I am focusing on what I think of as the era of corporate scandals, which was the period of time in the early 2000s when we experienced a large number of corporate scandals that rocked the markets, eroded investor confidence and prompted Congress to act in a bipartisan manner to enact sweeping legislative initiatives that are still very much a part of the fabric of what we do today, nearly a quarter century later. I am of course talking about the spate of high profile financial, disclosure and governance failures at Enron, WorldCom, Tyco, Adelphia, Global Crossing and others. I had the unique experience of seeing these scandals upfront while in private practice, and then dealing with the aftermath when I was back at the SEC for my second tour.
By the early 2000s, I had left the SEC and was in private practice at a firm that seemed to be handling most of the extraordinary corporate scandals of the day. I was incredibly fortunate to have an opportunity to work with a fantastic group of lawyers and other professionals who taught me so much about conducting investigations, addressing intense regulatory and law enforcement attention, managing a crisis and navigating a wide range of incredibly complex regulatory, financial market, governance and ethics issues. With the benefit of that experience and similar experience that I have had since the early 2000s, I offer up a few of my favorite lessons learned:
1. Don’t Violate the First Law of Holes: Those of you who have read my musings here (and in our other publications) have no doubt noticed that I have penchant for using all manner of adages and aphorisms. One of my favorite ones is “the first law of holes,” which goes something along the lines of “when you find yourself in a hole, you should stop digging.” Unfortunately, time and time again, we have observed that corporate executives, directors and employees just can’t seem to avoid violating the first law of holes, and that is how scandals happen. While there are plenty of situations where individuals set out to defraud investors from the outset, there are also plenty of situations where something gets pushed close to the line in one quarter, and then the individuals find themselves digging their hole deeper and deeper in each successive quarter, because they think that they can ultimately dig their way out when circumstances change. This phenomenon really emphasizes the need for effective controls and good governance, so that the individuals are not tempted (or do not feel compelled) to fall into the hole in the first place. And once the potentially illegal conduct has been discovered, it is critical for counsel and other professionals assisting with the crisis to help prevent the company from falling into new holes, or deepening the hole that it already finds itself in. Otherwise, things can go very bad, very quickly, as we saw with those early 2000s corporate scandals.
2. The Cover-up is Worse than the Crime: To borrow a ubiquitous Watergate-era adage, one often observes in the course of a corporate crisis that nothing can be more true than the notion that “the cover-up is worse than the crime.” Efforts to conceal potentially illegal conduct during the course of a crisis always makes things worse for everyone involved, and always puts the board of directors and senior management in a difficult spot with respect to those individuals involved in the conduct. Over the years, I have observed numerous situations where transparency around the subject conduct might have avoided catastrophic consequences, so that is why it critically important that a company’s control environment and governance structure encourages transparency at all levels, even when the going gets tough.
3. It’s All About the Benjamins: I have not run across too many corporate scandal situations where an individual was engaging in the illegal activity purely for the fun of it. There is usually a financial incentive that serves to motivate the unlawful behavior. Since the corporate scandals of the early 2000s, I think that we have collectively gotten much better at structuring compensation programs that seek to address the risk of incentivizing illegal conduct, but no compensation approach is ever perfect, and for each individual involved there are often a variety of motivating factors that have caused them to go astray. I do think that it is incumbent on boards and compensation committee to always consider the risk that financial incentives could encourage bad behavior and take steps to minimize that risk as much as possible under the circumstances.
4. Human, All Too Human: The title of one of my favorite Friedrich Nietzsche books (perhaps because it was written in an aphoristic style?) serves as a reminder that, until artificial intelligence is in a position to replace us in preparing and auditing financial statements and writing SEC disclosure, us humans are going to continue to hack away at it, and we are going to make mistakes. Unfortunately, human nature doesn’t always encourage us to admit our mistakes or exercise good judgment. This is particularly the case when our financial livelihood, professional reputation and self-esteem are on the line. The human element must always be anticipated, and that is why we have such extensive controls in place today in the wake of the Sarbanes-Oxley Act. We should never forget that we are all humans that can (and often do) fail, but we should make sure that no single human’s failure is going to send the company spinning into a corporate scandal.
5. Be Creative When Faced with Calamity: One of the most significant responses to the crisis in market confidence brought about by the early 2000s corporate scandals was when the SEC issued an emergency order under Section 21(a) of the Exchange Act which imposed a one-time certification requirement on CEOs and CFOs of public companies with revenue of $1.2 billion or more. The sworn statements demanded by the order were intended to restore confidence in the financial statements of large public companies and became the model for the certifications later required by the Sarbanes-Oxley Act and SEC rules. There was no precedent for this creative approach taken by the SEC, and it highlighted how important it can be to think “outside of the box” when faced with a crisis situation.
Earlier this week, Nasdaq filed a proposal with the SEC that would modify the suspension and delisting processes for SPACs, representing yet another effort to make life harder for the once high-flying acquisition vehicles. As this Cooley blog notes:
Nasdaq has just filed a proposal, Notice of Filing and Immediate Effectiveness of Proposed Rule Change to Amend Certain Procedures Related to the Suspension and Delisting of Acquisition Companies, designed to address the suspension and delisting process applicable to Acquisition Companies, companies such as SPACs with business plans to complete one or more acquisitions, as described in Rule IM-5101-2. The rule changes would apply to an Acquisition Company that “fails to (i) complete one or more business combinations satisfying the requirements set forth in Listing Rule IM-5101-2(b) (“Business Combination”) within 36 months of the effectiveness of its IPO registration statement; or (ii) meet the requirements for initial listing following the Business Combination.” The proposal would also “limit the Hearings Panels authority to review the Nasdaq Staff’s decision in these instances to a review for factual error only.” Nasdaq also proposes to clarify Listing Rule 5810(c)(1) (with no substantive change) to improve transparency and readability. The rule changes will be operative for Staff Delisting Determination letters issued on or after October 7, 2024.
Nasdaq notes in the filing that the proposal to remove the stay provision so that a SPAC’s securities will be suspended from trading on Nasdaq during the pendency of the Hearings Panel’s review is consistent with the rules of the NYSE.