May 13, 2026

Iranian Cyber Threats: What You Need to Know

With the conflict between the United States and Iran still simmering, US companies face an increased threat of Iran-backed cyber-attacks. This Weil memo addresses areas of potential vulnerabilities and attack vectors that companies should be monitoring, and this excerpt discusses some of the actions that companies should take now to protect themselves:

First, validate that incident response plans, escalation pathways and external contact lists (e.g., forensic firms, data breach counsel, cyber insurers, etc.) are current. The most common foot-fault in fast-moving events is not the absence of a plan, but the inability to operationalize it quickly.

Second, review external attack surface exposure and related vendor risk. That includes internet-facing remote access tools, privileged access pathways, legacy systems, third-party integrations and unmanaged assets. Companies should also identify vendors, service providers and other external parties with access to sensitive systems, data or operational environments, and assess whether those connections are necessary, appropriately secured and subject to heightened monitoring. Organizations that operate industrial processes or rely on building management and other facility control systems should ensure those environments are appropriately separated from the company’s general corporate network and that remote access is limited to necessary, secure and closely monitored connections.

Third, heighten monitoring for phishing, credential abuse, anomalous logins, multi-factor authentication bypass attempts, suspicious use of remote administration tools and early signs of denial-of-service or destructive activity. Where feasible, logging should be centralized and retained for a sufficient period to support investigation and remediation.

The memo also recommends testing business continuity plans with a focus on third-party dependencies and communications resilience, and preparing for the legal and regulatory dimensions of a cyber-attack.

John Jenkins

May 13, 2026

Securities Act: 2nd Cir. Dismisses Over-Issue Related Claims

I still get a sizeable knot in my stomach when I think about Barclays’ over-issuance debacle, but a recent 2nd Cir. decision suggests that some good for Barclays and other issuers may come out of the company’s misfortune. This Sullivan & Cromwell memo notes that in Knapp v. Barclays PLC, (2d. Cir.; 3/26), the Court affirmed the SDNY’s prior decision dismissing Securities Act claims brought by purchasers of an exchange traded note involved in the over-issuance.

The plaintiffs brought claims for rescission under Section 12(a)(1) of the Securities Act, and for misstatements under Section 11 of the Act. This excerpt from S&C’s memo summarizes the 2nd Cir.’s decision to affirm the lower court’s decision to dismiss the case:

As to the Section 12(a)(1) claim for rescission, the court held that the 4:1 reverse-split was not a “sale” that can trigger liability under the Securities Act. In resolving this novel issue, the court emphasized that the reverse-split did not constitute a “disposition for value” (which is the statutory definition of “sale”), because the reverse-split did not change the “nature of the investment” and the plaintiffs made no investment decision when Barclays exercised its contractual right to effectuate a reverse-split.

As the court stated, the “combination of four notes into one larger note is exactly the kind of nonsubstantive exchange that will not be treated as a sale.” Because the reverse-split “alter[ed] only the form of the securities,” the exchange did “not require distributees to give any value in exchange.” The court further explained that “[t]his conclusion neatly matches the purposes of the Securities Act”: “The design of [the Securities Act] is to protect investors by promoting full disclosure of information thought necessary to informed investment decisions. But when an issuer announces a mandatory split, as happened here, investors have no choice and make no investment decision.”

As to the Section 11 claim for misstatements, the court followed the strict tracing requirement that the Supreme Court adopted in Slack. Addressing Slack for the first time in the Second Circuit, the court explained that, “[b]ecause section 11 focuses on securities issued under a ‘particular registration statement,’ plaintiffs must first plead that they acquired securities ‘traceable to that allegedly defective statement.’”

Although the plaintiffs argued that the notes they received after the reverse-split were traceable to the registration statement that Barclays issued on the same day that the reverse split took effect, the court rejected that argument based on a careful parsing of the language in that registration statement. The registration statement’s “own terms show that it does not cover those [notes] but rather governs the ‘initial sale of the [post-split] [notes]’ that Barclays still held in its inventory, and which it had thus not distributed via the [reverse] split.” Accordingly, because the plaintiffs failed to meet Slack’s tracing requirement, the court affirmed the dismissal of the Section 11 claim without addressing whether there were any misrepresentations in the registration statement.

From an issuer’s perspective, the decision is helpful precedent. Not only does it indicate that the 2nd Cir. isn’t amenable to efforts to end run Section 11’s tracing requirement, but it’s nice to have something to point to from one of the nation’s most respected appellate courts holding that stock splits don’t involve a “sale” of securities.

John Jenkins

May 12, 2026

SEC Enforcement: “Gag Rule” Looks to be On the Way Out

It looks like the SEC’s “neither admit nor deny” settlement policy may at last be on its way to the ash heap of history. On Friday, the SEC filed a document with OIRA titled “Rescission of Policy Regarding Denials in Settlements of Enforcement Actions.” While the document itself isn’t publicly available, its title doesn’t leave much to the imagination.

The SEC’s so-called “gag rule” and the repeated efforts to eliminate it have provided us with plenty of fodder for our blogs over the years, but we’d be happy to find something else to write about. Personally, I think Judge Ronnie Abrams of the SDNY was on the money in a 2022 opinion slamming the SEC’s neither admit nor deny policy. In her opinion, she noted that the effect of the policy was to ensure that the public would never know whether the government’s charges were true, and said that this ability to draw a curtain down over governmental action was precisely the kind of societal harm that the First Amendment was intended to protect against:

The dominant purpose of the First Amendment was to prohibit the widespread practice of governmental suppression of embarrassing information . . . . Secrecy in government is fundamentally anti-democratic, perpetuating bureaucratic errors. Open debate and discussion of public issues are vital to our national health.

Of course, some – including former SEC commissioners and Enforcement chiefs – have contended that the “neither admit nor deny” policy is in many instances too lenient, and have pushed for the SEC to require admissions of wrongdoing in more cases. As this Bloomberg Law article on the move to repeal the gag rule notes, its elimination won’t preclude the SEC from negotiating for admissions as part of a settlement.

John Jenkins

May 12, 2026

AI Governance: Do Public Company Boards Need an AI Expert?

Given the current environment, many boards may be asking themselves whether they need to add directors with AI expertise in order to fulfill their oversight responsibilities with respect to their companies’ development and usage of AI tools. This Debevoise memo says that the answer to that question is more complicated than it seems at first glance:

While appointing a director with AI expertise may be appealing, it can present practical and governance challenges. First, the pool of individuals with both deep AI expertise and the qualifications to serve effectively as a public company director is limited.

Second, the percentage of companies for which AI is so fundamental to their business that it requires an AI expert on the board is very small. The appointment of a director with AI expertise could raise questions about a lack of specific board expertise covering other areas of potential enterprise risk (e.g., such as cybersecurity, political or environmental risks).

Third, the presence of a designated expert may inadvertently undermine effective board dynamics. For example, other directors may defer excessively to an AI expert, reducing the level of constructive challenge and debate that is critical to effective oversight. This dynamic can undermine the collective decision-making that is at the heart of board function and weaken the board’s ability to independently assess management’s approach to AI. Over time, concentrating AI knowledge in a single director may also reduce other directors’ incentives to learn about AI, which is likely to become increasingly important in the future.

Finally, individuals with deep AI expertise often have extensive experience in the technology industry and may have conflicts of interest, such as investments in AI companies or commercial relationships with vendors, which would require careful management.

The memo goes on to explain that adding an AI expert as a director isn’t the only way for a board to “get smart” about AI-related issues and discusses the role that expert guidance and appropriate education and regular reporting from management and outside advisors can play in supporting the board’s oversight of AI.

John Jenkins

May 12, 2026

Insider Reporting of Gifts: Impact on R&D?

According to a new study by B-school profs at The University of Cincinnati and Penn State, the accelerated reporting of gifts adopted as part of the SEC’s 2022 Rule 10b5-1 amendments and the SEC’s comments in related releases about the potential insider trading implications of well-timed gifts may have had significant and unexpected consequences on corporate R&D expenditures. Here’s an excerpt from the study’s abstract:

[W]e compare firms whose insiders historically concentrate stock gifts on unusually high-price days with other firms. We find that these treated firms significantly reduce R&D investment following the reform. The effect is strongest where opportunistic gift timing is likely most valuable and where insiders have greater discretion to influence investment policy.

In contrast, we fail to find a corresponding effect for firms whose insiders historically engage in opportunistic Rule 10b5-1 stock sales, helping isolate the gift-disclosure channel from other features of the amendment. Overall, our evidence suggests that a disclosure reform aimed at curbing opportunistic insider behavior had the unintended consequence of reducing corporate risk-taking.

One of the study’s authors summarized its implications in a LinkedIn post:

The key takeaway is that a disclosure reform designed to curb insider opportunism may have had real effects on corporate investment. More broadly, personal tax-planning opportunities can shape insiders’ willingness to support risky corporate policies, and regulatory changes that constrain those opportunities can affect firm decisions in ways that extend well beyond the regulated transaction itself.

John Jenkins

May 11, 2026

Semiannual Reporting: Insights for Companies Considering the Move

Companies that are considering the possibility of moving to semiannual reporting have plenty of things to think about. Fortunately, the law firm memos on the SEC’s semiannual reporting proposal are rolling in and are full of helpful insights for these companies and their advisors. Here are a few examples from some of the memos that we’ve received so far:

Weil’s memo discusses the implications of reporting covenants in debt instruments on the ability of companies to opt in to the semiannual reporting regime, and as this excerpt explains, it all depends on how the covenant is written:

– Rule 144A Indentures for companies that are already reporting companies sometimes provide that “whether or not the Company is subject to the reporting requirements of Section 13 or 15(d) of the Exchange Act, the Company shall file with the SEC and provide the Trustee and Holders with such annual reports and such information, documents and other reports as are specified in Sections 13 and 15(d) of the Exchange Act, within the time periods specified in such Sections or in the applicable forms.” This formulation should provide flexibility for companies to report on a semiannual basis.

– Other Rule 144A Indentures instead require the issuer to deliver “all annual and quarterly financial statements that would be required to be contained in a filing with the SEC on Forms 10-K and 10-Q if the issuer were required to file such forms” within a specified timeframe. Because the proposed rules do not eliminate Form 10-Q, but instead make the filing of Form 10-Q optional, it is less clear that the issuer could choose not to continue to provide quarterly financial statements under this formulation.

This excerpt from Sidley’s memo discusses the need for companies to consider the seasonality & volatility of their business when deciding on the timing of their periodic reports and voluntary disclosures:

Does the company’s quarterly performance vary dramatically due to seasonality or other factors? Do investors focus on consecutive quarter-over-quarter results more than results over corresponding prior-year periods? Companies with results that vary dramatically quarter to quarter would likely face longer trading blackout periods and longer quiet periods under a semiannual reporting regime absent voluntary Form 8-K filings or expanded earnings releases.

Latham’s memo highlights, among other things, the implications of the proposal for current market practice regarding auditor’s comfort letters:

Currently, an auditor’s comfort letter cannot include negative assurance regarding subsequent changes to financial statements as of a date 135 days or more after the most recent balance sheet date of the most recently completed audit or review, under PCAOB Auditing Standard 6101 (formerly SAS 72). The SEC has requested comments on whether to modernize that standard to accommodate semiannual reporting.

Investment banks have traditionally been unwilling to underwrite securities offerings without market-standard comfort letters. As a result, we would expect implementation of semiannual reporting to prompt reconsideration of the 135 day limit in AS 6101 to facilitate traditional comfort letter practice in a world of semiannual reporting.

Hunton’s memo also focuses on the proposal’s implications for capital markets transactions:

We expect market practice around securities offerings to evolve for companies electing to report semi-annually. Even if SEC rules would permit an offering on financial statements that are six months old, underwriters may be less comfortable going to market with interim financial statements older than 135 days.

Other prudential factors may also encourage companies on a six-month reporting schedule to disclose material interim developments. Quarterly ATM programs, for example, may pose unique challenges. Accordingly, companies reporting under a semi-annual cycle may still be motivated to publicize quarterly results or flash numbers, at least when contemplating an offering of securities. Again, practices across industries and companies of different sizes may diverge.

Be sure to check out these and the other law firm memos that we’re posting in our “Form 10-Q/Proposed Form 10-S” Practice Area.

John Jenkins

May 11, 2026

Study: Enhancing the Working Relationship Between Boards & GCs

According to a recent Barker-Gilmore research report, the way that corporate boards and general counsels work together could use some improvement. The report says that Boards and General Counsel are aligned on outcomes, but operating models for corporate governance haven’t kept pace with the GC’s expanded role.

The report argues that the way to address this issue and strengthen governance & decision-making is by modernizing the norms for how the GC interacts with and accesses members of the board to better reflect the way in which the GC’s role has evolved. The report’s conclusion offers some specific suggestions on how to change existing norms to improve the alignment between boards and GCs:

The research points to a clear opportunity to modernize governance interaction models to reflect the expanded scope of the General Counsel role. Effective models consistently include:

– Explicit expectations that GC input shapes strategy before board materials are finalized
– Normalized, recurring interaction with Committee Chairs and Lead Directors
– Clear CEO–GC alignment on when and how the GC may engage directors directly
– Visible GC ownership within enterprise risk management, M&A documentation, and strategic disclosures
– Use of the Corporate Secretary role to shape agenda flow, executive exposure, and risk framing

Barker Gilmore says that these modernized norms do not dilute CEO authority, but strengthen decision-making “by ensuring risk, governance, and legal judgment are integrated early and visibly.”

John Jenkins

May 11, 2026

Cybersecurity: Briefing Your Board

This BCLP blog offers some advice on topics that should be addressed with the board during cybersecurity briefings. These include discussions of the threat landscape & the company’s risk profile, the potential impact of AI, an overview of the legal and regulatory landscape, an overview of the company’s cybersecurity program, a description of maintenance/improvement activities, and topics for board approval. The blog also offers the following thoughts on private discussions with the CISO & director education efforts:

As part of periodic board briefings, it may be beneficial for the board or committee charged with overseeing cybersecurity to have private sessions with the CISO to discuss topics of material importance away from other management. Interaction between the board and CISO may build trust between the parties, which is critical in the event of a material cyber incident.

In addition to board briefings, a company may also encourage its directors to take continuing education classes on cybersecurity topics, as well as participate in the company’s tabletop exercises to get a better understanding of how significant cybersecurity incidents may be addressed.

John Jenkins

May 8, 2026

SEC Staff Addresses PROPPs: Bank of England No-Action Letter

Last month, the Corp Fin Staff issued a no-action letter to the Bank of England that addressed the U.S. federal securities implications of a proposed approach for addressing bank failures. This Reuters article notes:

The Bank of England updated its guidance on handling bank failures on Monday, introducing an alternative bail-in mechanism that changes how bondholders are compensated during a rescue, after securing assurances from U.S. regulators.

The BoE said it had received a no-action letter from U.S. regulators, assuring it that U.S. authorities would not pursue enforcement action over use of the new mechanism.

The new guidance was supported by lessons learned from the failures of Credit Suisse and Silicon Valley Bank, the BoE said.

Under the new approach, bondholders whose debt is wiped out or converted as part of a bank rescue will first receive temporary placeholder rights rather than shares in the rescued bank.

These rights, known as PROPPs, are a provisional entitlement that will later be converted into actual shares in the recapitalised bank once regulators have worked out exactly how much each creditor is owed.

“The key addition is the introduction of an alternate approach to bail-in where affected creditors receive non-transferable contingent beneficial interests,” the BoE said in a statement.

The Mayer Brown Free Writings + Perspectives blog describes the Bank of England’s request for no-action relief as follows:

The PROPPs Mechanism

In the scenario described in the Incoming Letter, as part of the Bail-In [a process used by a resolution authority to recapitalize a failing financial institution without using taxpayer funds], all ordinary shares of the failed Firm would be transferred to either the BoE or a third-party depositary bank, in each case with no consideration payable and without the consent of the holders of such ordinary shares. This process was distinct from Credit Suisse’s resolution, during which its Additional Tier 1 capital securities were written down despite the common stock remaining outstanding and even being entitled to receive proceeds from the sale of that bank. The voting rights pertaining to the ordinary shares of the failed Firm will be exercisable by either the “resolution administrator” of the failed Firm appointed pursuant to the “Bail-In Resolution Instrument,” or alternatively by the BoE. The BoE would then determine a structure for how the failed Firm’s liabilities that are subject to the Bail-In, including the Bail-In Securities, would be written-down. The BoE has established a structure whereby the holders of Bail-In Securities that have been or will be written-down would be granted contingent beneficial interests, created by virtue of the Bail-In Resolution Instrument, which would entitle such holders to the delivery of ordinary shares of the Firm after the resolution, or alternatively, if applicable, the receipt of the net cash proceeds derived from the sale of the ordinary shares. These interests are referred to as Potential Rights to Onward Property or Proceeds (“PROPPs”). Once the Bail-In process has been concluded and each class of PROPPs has been valued, some PROPPs may be converted into equity securities of the post-resolution Firm. The BoE’s question was whether the exchange or conversion process was exempt from registration under Section 3(a)(9) of the Securities Act.

Section 3(a)(9) Exemption

Section 3(a)(9) exempts from registration “any security exchanged by the issuer with its existing security holders exclusively where no commission or other remuneration is paid or given directly by or indirectly for soliciting such exchange.” The BoE was of the opinion that the exchange of ordinary shares in a failing Firm with the holders of Bail-In Securities would satisfy the requirements of Section 3(a)(9) in a case where the exchange is effectuated through the PROPPs mechanism. The Staff concluded that it would not recommend enforcement action if a Firm, as part of the Bail-In process, (1) exchanges its Bail-In Securities for non-transferable PROPPs; and (2) subsequently exchanges those PROPPs for ordinary shares in the resolved Firm without registration under the Securities Act, in reliance on an opinion of counsel that the exemption provided in Section 3(a)(9) is available.

In its no-action letter, the Staff stated:

Based on the facts presented, the Division will not recommend enforcement action to the Commission if a Firm (1) exchanges its Bail-In Securities for non-transferable PROPPs and; (2) subsequently exchanges those PROPPs for ordinary shares in the resolved Firm without registration under the Securities Act, in reliance on your opinion of counsel that the exemption provided in Securities Act Section 3(a)(9) is available.

In a statement released on the same day that the no-action letter was published, SEC Chairman Paul Atkins directed the Staff to prepare a rulemaking for consideration by the Commission that would provide an exemption from registration under Section 5 of the Securities Act for bank bail-in frameworks beyond the Bank of England situation, stating:

I am pleased that the Division has issued the letter in response to the Bank of England’s request. However, there is a wide range of bank bail-in frameworks used globally. To account for these various frameworks and to provide for a more certain and authoritative solution, I have instructed the Division to prepare a rulemaking recommendation to the Commission regarding a potential exemption from the Securities Act’s registration requirements, for securities offered and sold in connection with a regulatory bail-in.

Until the Commission takes up any such rulemaking, I encourage other foreign regulators and regulated firms to contact the Division to discuss their particular bail-in processes or frameworks.

And with that directive there is yet one more rulemaking piled on Corp Fin’s already overflowing plate!

– Dave Lynn

May 8, 2026

State Action: AGs Warn Credit Rating Agencies on ESG-Related Fossil Fuel Company Downgrades

Zach Barlow recently noted on the PracticalESG blog that 23 State Attorneys General sent a letter to Fitch, Moody’s, and S&P Global addressing downgrades of the credit ratings for fossil fuel companies. In the letter, the AGs claim that the ratings agencies have unjustly and unlawfully used ESG criteria in their credit rating decisions. For example, the letter states:

Based on the same flawed “energy transition” and “increasing regulations” ESG predictions, S&P claimed that fossil-fuel-producing states’ economies were only improving “for now,” and projected that those states would face a more “prolonged economic recovery,” lagging behind other states. The Ratings Agencies continue to use ESG factors to weigh down ratings for fossil-fuel-producing states and municipalities, even after the Ratings Agencies’ ESG-driven predictions have proven to be incorrect. These methodological departures and conflicts of interest harm state economies, tax revenues, and investments.

Zach notes in the blog:

The AGs allege that ratings agencies adopted undisclosed UN PRI pledges. They argue that this, in conjunction with the agencies’ ESG consulting arms, created conflicts of interest in violation of SEC rules. They are requesting that the ratings firms withdraw from ESG commitments. Along with the letter, the AGs provide a list of 27 interrogatories that ask about how firms consider ESG factors in their credit ratings. The AGs warn that if their demands are not met, they will bring state legal action or refer the credit agencies to federal regulators.


– Dave Lynn