July 26, 2023

Cybersecurity: Here We Go Again

I don’t know about you, but the pace of SEC rulemaking these days has me worn out. Today, the SEC will consider final rules regarding cybersecurity disclosure, bringing to a conclusion a rulemaking that the SEC formally started with a proposal last year, but which actually started through Staff action over a dozen years ago. As the Commission is poised for action, I think it is a good time to look back on how we got here.

First, I will posit that cybersecurity is one of the principal risks that companies and individuals face today. If you speak with any of your cybersecurity colleagues on a regular basis, you are no doubt concerned about the security of your information every time you turn on your computer, or when you conduct an online transaction, or when you sleep at night for that matter. Information systems are under constant attack, and the threat actors are always devising new ways to take advantage of the weakest points of our systems, which often involves us very fallible humans. In fact, it is a miracle that you are able to read this blog this morning. This threat environment has been ever present for many years, and it only seems to get worse. Against this backdrop, the only logical question is: why has it taken so long for the SEC to consider new cybersecurity disclosure rules?

The answer to that question is, of course, politics. Our representatives in Congress have tried to tackle the cyber threat over the decades, but as is often the case, they encountered the issue that the federal government does not directly regulate the conduct of most large companies, making it hard to tell them what to do. So, in their infinite wisdom, they of course turn to the tried-and-true strategy of trying to compel conduct by shaming companies through disclosure, and various proposed cybersecurity measures that have been advanced by members of Congress over the years have had some disclosure component. The SEC Staff, to its credit, tried to be proactive by advancing its own framework for disclosure of cybersecurity in the form of CF Disclosure Guidance Topic No. 2 – Cybersecurity (October 13, 2011), which generally reviewed the applicability of existing SEC disclosure requirements to cybersecurity concerns. Not surprisingly, the CF Disclosure Guidance looked very similar to the guidance provided regarding climate change risks, also against a backdrop of various legislative efforts to compel disclosure.

In the ensuing years, as one high profile cybersecurity incident after another hit the headlines, the SEC Staff (particularly the Division of Enforcement) seemed uncomfortable with the notion that we live in a world where U.S. public companies are subject to a periodic and current reporting system, a basic tenet of which is that unless a company has an affirmative disclosure obligation, it is not required to disclose material nonpublic information. While lacking any specific Form 8-K item that mandated current disclosure, the Staff (and the Commission through enforcement action) began to express concern with the delays that occurred between the discovery of a material cybersecurity breach and when investors ultimately learned about it.

One would have thought that this concern should have been addressed through rulemaking rather than through a “regulation through enforcement” approach, but surprisingly the Commission took a different turn in 2018 – by issuing an interpretive release. The interpretive release elevated the guidance from the CF Disclosure Guidance to Commission guidance, and strongly encouraged the filing of a Form 8-K when a cybersecurity event is material. The Commission noted in its guidance the importance of disclosure controls and procedures “that provide an appropriate method of discerning the impact that such matters may have on the issuer and its business, financial condition and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents.”

And so we have lived in this regulatory grey area for the past five years, where a casual reader of Form 8-K would find no disclosure items that address cybersecurity, yet the Commission brings actions against companies that fail to timely disclose cybersecurity incidents. In some ways, having actual rules to work with rather than broad Commission interpretive musings may make things better for companies and practitioners, because at least the “rules of the road” are articulated and known.

One thing is for certain – the new disclosure regime that the Commission will consider today is not going to do anything to defuse the threat environment that we operate in, so please don’t open those phishing emails!

– Dave Lynn

July 26, 2023

Cybersecurity: It All Comes Down to Materiality

If the SEC adopts the cybersecurity disclosure rules largely as proposed, there will be one important piece of the rules that will likely remain within our purview (or the purview of the Generative AI robots, once they replace us). That is the question of materiality. In all likelihood, the SEC will not specifically define materiality for this purpose, but will rely on established standards of materiality for determining whether a particular cybersecurity incident must be disclosed on a current basis.

While I can only speak to the topic anecdotally, it is important to consider that the vast majority of cybersecurity incidents that occur on a daily basis are not material and therefore are not disclosed through the SEC disclosure system. While it is always a tricky analysis based on the information that one has available at the time, many cybersecurity incidents just do not move the needle from a public disclosure standpoint. That is not to say that public companies should not be prepared from a disclosure standpoint and should not conduct a materiality analysis when an incident happens, but I think the practical reality is that when the SEC’s new rules go into effect, we are unlikely to see a flood of Form 8-Ks reporting material cybersecurity incidents.

In this regard, information about a cybersecurity incident is considered “material” if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision or if the information would have been viewed by the reasonable investor as having significantly altered the “total mix” of information made available to the investor. As part of a materiality analysis, the company should consider the indicated probability that an event will occur and the anticipated magnitude of the event in light of the totality of company activity. No single fact or occurrence is determinative as to materiality, which requires an inherently fact-specific inquiry.

The SEC has noted that an evaluation of the materiality of a cybersecurity incident should not be based solely on a quantitative analysis of the cybersecurity incident; rather, a company must thoroughly and objectively evaluate the total mix of information, taking into consideration all relevant facts and circumstances surrounding the cybersecurity incident (including both quantitative and qualitative factors) to determine whether the incident is material. Even if the probability of an adverse consequence from a cybersecurity incident is relatively low, when the magnitude of the loss, liability or other harm is high, the incident may still be material.

The materiality of cybersecurity incidents depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations. The materiality of cybersecurity incidents also depends on the range of harm that such incidents could cause, including:

– The potential harm to the company’s financial performance;
– The potential harm to the company’s relationships with customers, clients, vendors, business partners and others;
– The potential harm to the company’s reputation; and
– The possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities.

Once the SEC’s rules are adopted, companies should revisit the materiality framework that they have established for cybersecurity incidents and the disclosure controls and procedures that are designed to facilitate the analysis of incidents in real time. For most companies, this will be a “tune up” rather than a blank slate exercise.

– Dave Lynn

July 26, 2023

Get the Latest Insights at Our September Conferences!

With these new SEC cybersecurity disclosure rules being adopted, you will not want to miss our “Proxy Disclosure & 20th Annual Executive Compensation” Conferences, which take place September 20th – 22nd, as well as our “2nd Annual Practical ESG Conference,” which takes place on September 19th. The “2nd Annual Practical ESG Conference” can be conveniently bundled with the “Proxy Disclosure & 20th Annual Executive Compensation” Conferences.

You can hear from our panel of experts on cyber risk disclosures at the Proxy Disclosure Conference, where we have an entire panel dedicated to the topic! Also, I will be interviewing Erik Gerding, Director of the Division of Corporation Finance, at the Proxy Disclosure Conference.

This is definitely the year to participate in our Conferences – with so much going on at the SEC, you do not want to miss all of the insights that our incredible group of speakers bring to the table. Sign up today!

– Dave Lynn

July 25, 2023

In the Thick of It: Trading Arrangement Disclosure in Form 10-Q

Issuers are now filing their Form 10-Qs and questions continue to arise about the new trading arrangement disclosure that is required in Item 5 of Part II of Form 10-Q. Item 408(a)(1) of Regulation S-K requires issuers to disclose whether, during the issuer’s last fiscal quarter, any director or officer adopted or terminated: (i) any contract, instruction or written plan for the purchase or sale of securities of the issuer intended to satisfy the affirmative defense conditions of Rule 10b5–1(c); and/or (ii) any “non-Rule 10b5–1 trading arrangement.”

One of the persistent questions during this reporting season has been whether any disclosure is required at all pursuant to Item 5 of Part II of Form 10-Q when no director or officer has adopted or terminated a Rule 10b5-1 trading arrangement or a non-Rule 10b5–1 trading arrangement during the quarter. The practice has been decidedly mixed on this point in the Form 10-Qs filed to date, with some issuers indicating “None” in response to Item 5 or omitting Item 5 in its entirety, while other issuers have included “negative” disclosure in response to Item 5, along the lines of: “None of the Company’s directors or officers adopted or terminated a Rule 10b5-1 trading arrangement or a non-Rule 10b5-1 trading arrangement during the Company’s fiscal quarter ended June 30, 2023.” In talking with other practitioners, it seems that advisers have different views on this particular point.

Emblematic of the debate, a member recently asked this question on our “Q&A Forum” (#11,752):

If a company didn’t adopt, terminate or modify any 10b5-1 plans in the prior quarter, do you think they have to include disclosure saying none were adopted in the 10-Q under the new rules or can the disclosure under that item just say ‘None’?

John responded:

Unfortunately, the Staff hasn’t weighed in on that issue, but I know that the use of the term “whether” in Item 408(a)(1) and (a)(2) has led some people to take the position that disclosure is required even if no plans were adopted or terminated. I have spoken to one practitioner who has said that his firm is encouraging inclusion of the item number and either a sub-caption such as “Rule 10b5-1 Plan Adoptions and Modifications” and saying “None” (“not applicable” doesn’t fit well) or a fuller statement such as “During the quarter ended [date], no director or officer adopted or terminated any Rule 10b5-1 trading arrangement or non-Rule 10b5-1 trading arrangement.”

Another member responded:

I agree that not applicable doesn’t fit well. Although I can see the argument that a definitive response is required because of the “whether” language in S-K 408, the instructions to Form 10-Q say that “any item which is inapplicable or to which the answer is negative may be omitted and no reference thereto need be made in the report.” It seems like there’s an argument that in this case the answer is “negative” (i.e. we had no insider trading arrangement activity) and thus we could omit the heading. Do you think the staff would accept that argument? I wonder if everyone is going to end up having this boilerplate in every 10-Q going forward that there was not such activity.

And John responded:

Personally, I think that’s a pretty good argument, but I also think the Staff’s willingness to accept it would turn on “whether” (sorry) it interpreted Item 408(a) to impose an affirmative disclosure obligation concerning the absence of any plan adoptions, terminations or modifications during the quarter. If so, then I don’t think it would construe that required disclosure as falling within the scope of the instruction permitting registrants to omit any disclosure to which the answer is negative.

I tend to be in the “negative” disclosure camp here, and have been advising issuers to include the disclosure in the absence of further guidance from the Staff. I do think there will be some evolution of this disclosure over time, so I doubt that the Staff will be issuing “gotcha” comments on this disclosure (or the lack thereof) in its reviews. In the meantime, I guess you will just have to pick a side in this scintillating debate!

– Dave Lynn

July 25, 2023

The SEC Hits the Road: Wisconsin Roundtable Today

The SEC, the North American Securities Administrators Association (NASAA), and the Wisconsin Department of Financial Institutions (DFI) will hold a joint public roundtable today at the DFI Headquarters beginning at 10:00 a.m. CT. SEC Chair Gary Gensler will provide pre-recorded remarks, and Commissioner Mark Uyeda will be in attendance. The roundtable will be webcast on SEC.gov. The focus of the roundtable is on issues relevant to retail investors.

– Dave Lynn

July 25, 2023

BlackRock Extends Voting Choice Program to its Largest ETF

As Liz noted last week on the Proxy Season Blog, BlackRock recently announced that it is extending its “voting choice” program to its largest ETF, with over $300 billion in assets under management. This move is expected to be in effect for the 2024 proxy season, assuming that the iShares Board approves it when it meets later this year. As a result of this move, more than half of BlackRock’s global index equity assets under management would be eligible for voting choice. Here’s more detail on what policies will apply:

Similar to our Voting Choice for pension funds, the ETF pilot will offer eligible investors a range of third-party policies to choose from, as well as the option to continue to vote according to the BlackRock Investment Stewardship policy. Eligible investors will be asked to select from these predefined policy options which will be used to split the ballots based on pro-rata fund ownership. Any investors that choose not to participate or are not eligible to participate will continue to have BlackRock Investment Stewardship vote their pro-rata shares. We believe we now offer the most options in the industry when it comes to voting policies catering to a wide range of investor preferences.

For clients and shareholders who authorize BlackRock to vote on their behalf, we remain steadfast in our focus on their long-term financial interests. The majority of currently eligible clients continue to entrust BlackRock’s investment stewardship team with this important responsibility, consistent with BlackRock’s fiduciary duties as an asset manager.

Since its launch in 2022, BlackRock Voting Choice has attracted more than 70 newly committed clients, representing $223 billion of AUM. As of March 31, 2023, $555 billion in index equity client assets are committed to BlackRock Voting Choice (up from $452 billion as of September 30, 2022). See www.blackrock.com/votingchoice for more details.

If you do not have access to the Proxy Season Blog or all of the other great resources on TheCorporateCounsel.net, sign up today.

– Dave Lynn

July 24, 2023

SEC Chair Gensler Testifies on Appropriations

Last week, SEC Chair Gary Gensler testified before the U.S. Senate Appropriations Subcommittee on Financial Services and General Government about the SEC’s Fiscal Year 2024 budget request. In his written testimony, Chair Gensler noted:

We’ve seen tremendous growth and change in our markets. More people than ever are participating—trading and using tools and technologies that were unavailable even a few years ago.

For example, from 2017 to 2022, the number of clients of registered investment advisers grew nearly 70 percent from 34 million to 57 million. During that same period, average daily trading in the equity markets more than doubled from more than 30 million transactions to more than 77 million.

Technology is rapidly transforming our markets and business models. These changes range from electronic trading and the cloud to artificial intelligence and predictive data analytics, just to name a few. There has been dynamic change in communications to and among investors, from Reddit forums to celebrity influencers. Further, we’ve seen the Wild West of the crypto markets, rife with noncompliance, where investors have put hard-earned assets at risk in a highly speculative asset class.

Such growth and rapid change also mean more possibility for wrongdoing. As the cop on the beat, we must be able to meet the match of bad actors. Thus, it makes sense for the SEC to grow along with the expansion and increased complexity in the capital markets.

I am proud of this agency. I am proud of our dedicated staff. It has done remarkable work with limited resources. With funding to meet the scale of our mission, we can be an even stronger advocate for the American public—investors and issuers alike.

Further, while recent market volatility raises many important issues for policymakers and the American public, it is also a reminder of the SEC’s need to be adequately resourced.

Gensler spoke in support of the President’s FY 2024 request of $2.436 billion for SEC operations. He noted that FY 2023 funding would bring the agency’s staffing back above where it was seven years ago, and that the agency is continuing to work to fill 400 new positions. Gensler noted that the SEC is expected to be approximately 3 percent larger this year than it was in FY 2016. With respect to the Division of Corporation Finance, Gensler noted that staffing levels remain approximately 17% below FY 2016 levels, while the number of public companies has increased by 18% to 7,836. The testimony notes that the SEC is on track to move its DC headquarters, with $39.6 million requested for the moving and build-out costs.

– Dave Lynn

July 24, 2023

Gensler Takes a Deep Dive on AI

Back in April, Meredith blogged about SEC Chair Gensler’s testimony before the House Committee on Financial Services on the topic of AI, when he mentioned that he had asked the Staff for recommendations on rule proposals regarding the use of AI and predictive data analytics by robo-advisers and brokerage apps. In a speech last week before the National Press Club, Gensler took a much deeper dive into the topic of generative AI, which started with this slightly modified disclaimer:

As is customary, I’d like to note that my views are my own as Chair of the Securities and Exchange Commission, and I’m not speaking on behalf of my fellow Commissioners or the SEC staff. Nor for or by a generative AI model.

In the speech, Gensler traces the roots of the current generative AI models that are creating so much buzz, and talks about the risks and opportunities created by generative AI. He focuses in particular on the topics of privacy, intellectual property, rent extraction and financial stability.

– Dave Lynn

July 24, 2023

SEC Publishes Draft Taxonomy for Share Repurchase Data

The SEC’s Office of Structured Disclosure recently published the draft Share Repurchases (SHR) taxonomy, which will be used for tagging data when the SEC’s new share repurchase disclosure requirements go into effect. The SEC is seeking comments on the draft taxonomy. The public comment period ends on September 8, 2023.

– Dave Lynn

July 21, 2023

On SEC’s Open Meeting Agenda Next Wednesday: Cybersecurity Disclosure!

This week, the SEC posted a Sunshine Act Notice for an open meeting of the Commissioners to be held next Wednesday, July 26th. On the agenda is the highly-anticipated rulemaking on cybersecurity risk management, strategy, governance, and incident disclosure. Back in March of last year, John blogged about the proposed rules, which, among other things, proposed to amend Form 8-K to require a registrant to disclose certain information within four business days after it determines that it has experienced a material cybersecurity incident.

I won’t try to speculate about how the final rules may differ from the proposed form. This seems like a particularly challenging topic to tackle — with the understandably heightened sensitivity involving companies who are themselves victims in a cybersecurity incident — and trying to thread the needle to address improved disclosure for investor protection. While this proposal may not have received as many comments as the seemingly record-breaking climate proposal, commenters — and Commissioner Peirce — voiced several concerns about certain aspects of the cybersecurity proposal that I’m sure the Corp Fin Staff has been spending this time carefully considering.

– Meredith Ervine