When Delaware amended Section 102(b)(7) of the DGCL last year to permit charter amendments exculpating officers from damages liability for breaches of the duty of care, people wondered whether many companies would propose amendments during the 2023 proxy season and, more importantly, how stockholders would react to those proposals. This excerpt from a Weil memo on this year’s officer exculpation proposals provides some answers to those questions:
Between August 1, 2022, when the amendment to DGCL Section 102(b)(7) became effective and July 5, 2023, 279 Delaware corporations included a proposal in their proxy statement requesting stockholder approval for a charter amendment to adopt an exculpatory provision for officers. Stockholders approved such proposal at 221 (79.2%) companies and did not approve the proposals at 42 of the 279 companies (15.1%). The results of the votes at 17 companies remain outstanding at the time of this publication.
Generally, pursuant to Section 242 of the DGCL, a charter amendment requires the vote of a majority of the outstanding stock entitled to vote on the matter. For companies that require supermajority approval under their governing documents, the higher vote threshold proved to be a hurdle to stockholder approval. Specifically, 18 of the 42 proposals that failed required a supermajority vote, 13 of which would have passed had the Delaware default standard applied.
People also wondered how the proxy advisors would react to these proposals. The memo says that ISS generally supported them, while Glass Lewis usually opposed them. It says that as of July 5, 2023, ISS supported 80% of these officer exculpation proposals. Another interesting tidbit is that 38 of the 47 proposals that ISS recommended against passed anyway. The memo didn’t provide any hard data on Glass Lewis’s recommendations, but since Glass Lewis’s superpower appears to be opacity, that’s not a huge surprise.
A recent Wilson Sonsini blog provides another interesting data point for how officer exculpation proposals fared with investors this proxy season. The blog looked specifically at Silicon Valley 150 companies, and while it found that relatively few companies asked stockholders to approve officer exculpation charter amendments, those that did enjoyed a fairly high rate of success:
Of the 143 SV150 companies that are incorporated in Delaware, only nine companies, or approximately 6.3 percent, included an officer exculpation proposal in their proxy statement.[3] Of those nine proposals, five required the affirmative vote of a majority of the voting power of the outstanding stock entitled to vote on the proposal (the default voting requirement under the DGCL for an amendment to the charter), and four required the affirmative vote of a supermajority (generally, 66 2/3 percent) of the voting power of the outstanding stock entitled to vote on the proposal.
Seven of the nine proposals, or approximately 78 percent, passed. The failed proposals were comprised of two of the four proposals that required a supermajority vote and, although they both received significantly more affirmative votes than “against” votes, they failed to attain the affirmative vote of a supermajority of the voting power of the outstanding stock entitled to vote thereon.
The blog says that while only a handful of SV 150 companies asked their stockholders to approve officer exculpation amendments this year, the success those companies enjoyed will likely prompt a much larger number to take this step next year. Based on the data in Weil’s memo, I think that it’s probably going to be the case beyond Silicon Valley as well.
Last week, Dave blogged about the PCAOB’s rather dismal assessment of audit deficiencies. With the PCAOB’s Chair very publicly ripping auditors a new orifice about shortcomings in their performance, investors also must be up in arms about audit quality issues, right? Yeah, well, apparently not so much. According to Audit Analytics, the capital markets’ trusty “arbiters of materiality” continue to vote overwhelmingly in favor of auditor ratification proposals – and by “overwhelmingly,” I mean in proportions that rival Joseph Stalin’s performance at the Soviet polls. Here’s what Audit Analytics found:
Throughout the last four years, our analysis on shareholder votes reveals that, on average, nearly 98% of total votes are cast in favor of auditor ratification. Shareholder votes filed between January 1, 2020 and December 31, 2022, continued that trend for a fifth consecutive year. Votes against auditor ratification comprised nearly 2% of the total votes; abstained votes account for the remaining 0.4% of total shareholder votes cast.
Audit Analytics says that fewer than 5% of shareholder votes were cast against the auditor, 93% of the time for proposals made during 2020-2022, although the frequency of votes in which more than 5% were cast against ratification increased. It also highlights the handful of situations in which a high percentage of shareholders voted against ratification.
In remarks delivered to the Financial Stability Oversight Council on Friday, SEC Chair Gary Gensler addressed the status of the agency’s proposed climate change disclosure rules. He didn’t tip his hand as to the timing of any action by the SEC, but he did defend the agency’s authority to adopt rules mandating disclosures concerning the impact of climate change. Here’s an excerpt:
In response to the Great Depression and fraudulent practices of the time, President Roosevelt and Congress came together to enact the federal securities laws in which they established a basic bargain in our markets. Investors get to decide which risks to take, so long as public companies raising money from the public make what Roosevelt called “complete and truthful disclosure.”
The SEC was assigned an important role regarding that basic bargain and public disclosure. Under the securities laws, though, the SEC is merit neutral. Investors get to decide what investments they make and risks they take based upon those disclosures. The SEC focuses on the disclosures about, not the merits of, the investment.
The SEC has no role as to climate risk itself. But we do have an important role in helping to ensure that public companies make full, fair, and truthful disclosure about the material risks they face.
Already today, issuers are making climate risk disclosures, and investors are making investment decisions based on those disclosures. Indeed, a majority of the top thousand issuers by market cap already make such disclosures, including what’s known as Scope 1 and Scope 2 greenhouse emissions. Further, investors representing tens of trillions of dollars in assets are making decisions relying on those disclosures.
I’m not very good at reading tea leaves, so I’ll leave it to you to decide whether to there’s any significance to Chair Gensler’s decision not to refer to Scope 3 disclosures – the most controversial part of the SEC’s rule proposal – in his remarks. The closest he came to discussing the timing of Commission action on the proposal in his comments was when he said that the SEC was “considering carefully” the 15,000+ comments received on the proposal and that it would consider adjustments that the Staff and the Commissioners consider appropriate.
We’ll have the latest on climate disclosure practices & the status of the SEC’s climate disclosure rule proposals at our “Proxy Disclosure & 20th Annual Executive Compensation” Conferences, which take place September 20th – 22nd, as well as our “2nd Annual Practical ESG Conference,” which takes place on September 19th. The “2nd Annual Practical ESG Conference” can be conveniently bundled with the “Proxy Disclosure & 20th Annual Executive Compensation” Conferences. Register today to ensure that you don’t miss out on our panelists critical insights!
Chair Gensler’s remarks before the FSOC weren’t the only place where the SEC’s rulemaking power was defended last week. In fact, I couldn’t resist channeling my inner Eric Cartman this morning after reading the SEC’s spirited defense of its broad authority to adopt disclosure rules that begins on p. 97 of the Cybersecurity Disclosure Rules Adopting Release. Here’s an excerpt:
Disclosure to investors is a central pillar of the Federal securities laws. The Securities Act of 1933 “was designed to provide investors with full disclosure of material information concerning public offerings of securities.” In addition, the Securities Exchange Act of 1934 imposes “regular reporting requirements on companies whose stock is listed on national securities exchanges.” Together, the provisions of the Federal securities laws mandating release of information to the market—and authorizing the Commission to require additional disclosures—have prompted the Supreme Court to “repeatedly” describe “the fundamental purpose” of the securities laws as substituting “a philosophy of full disclosure for the philosophy of caveat emptor.”
This bedrock principle of “[d]isclosure, and not paternalistic withholding of accurate information, is the policy chosen and expressed by Congress.”362 Moreover, “[u]nderlying the adoption of extensive disclosure requirements was a legislative philosophy: ‘There cannot be honest markets without honest publicity. Manipulation and dishonest practices of the market place thrive upon mystery and secrecy.’”
The discussion goes on to identify specific statutory provisions granting the SEC broad disclosure authority, and also provides numerous examples of where the agency has exercised that authority.
The SEC’s claim to broad rulemaking authority has been challenged by conservatives in recent years, and I suspect that the arguments the agency makes in the 10 pages that it devotes to this topic in the release are likely to resurface in much expanded form in the lawsuits that are likely to arise challenging many of the rules on its current agenda.
Think long and hard before clicking “send” on an email or text message in which you’ve embedded an emoji, because this recent Foley blog says that if you opt to add this little bit of fun to your message, you might have just created a binding contract:
In this age of digital communication, it was only a matter of time before emojis found their way into legally binding documents. Emojis are now being used as a means of expression and communication in various spheres of life, including the discussion of contracts. In fact, a Canadian court recently ruled that a thumbs-up emoji counted as a contractual agreement (read more here).
Whether or not the sender meant “message received” or they were actually agreed to the contract terms, the recipient assumed the thumbs up was a green light to move forward, and the court agreed. Startup founders deal with contracts on a regular basis, from investors to vendors to outside service providers, and one wrong thumbs-up could potentially spell trouble.
The blog goes on to address the factors which might result in the creation of a binding contract through the use of an emoji, but a better alternative may be to just act like a grownup and steer clear of their use in any setting where creating a binding contract is even a remote possibility. Or, if you can’t bring yourself to do that, then at least use my man Shruggie here ¯\_(ツ)_/¯ as your default emoji option.
As I mentioned in the blog yesterday, as part of the cybersecurity rulemaking, the SEC adopted new Item 1.05(a) of Form 8-K, which specifies that if an issuer experiences a cybersecurity incident that is determined by the company to be material, the company must describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the issuer, including its financial condition and results of operations. The Item 1.05 Form 8-K must be filed within four business days of determining that an incident was material, subject to limited exceptions.
A number of commenters on the proposed rules had suggested that the SEC include a provision allowing for a delay in the filing of the Form 8-K when there is an active law enforcement investigation or the disclosure otherwise implicates national security or public safety. For example, Debevoise suggested in its comment letter that the Commission “delay reporting of a cybersecurity incident that is the subject of a bona fide investigation by law enforcement,” because such “delay in reporting may not only facilitate such an investigation, it may be critical to its success.”
The Commission decided to not adopt a broad law enforcement delay provision in the final rules, but it did provide for delays in the Form 8-K deadline for two specific circumstances that are worth drilling down on.
First, paragraph (d) of Item 1.05 indicates that if a company is subject to the FCC’s notification rule for breaches of customer proprietary network information (CNPI), the company may delay providing the disclosure required by Item 1.05 for such period that is applicable under the notification rule and in no event for more than seven business days after notification required under that provision has been made, so long as the company notifies the SEC in correspondence submitted via the EDGAR system no later than the date when the disclosure required by Item 1.05 was otherwise required to be provided. This notification requirement specifically relates telecommunications carriers and VoIP providers, so it will have fairly limited application.
Second, paragraph (c) of Item 1.05 provides a framework for delaying the filing of an Item 1.05 Form 8-K if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing. Paragraph (c) specifies that if the Attorney General determines that disclosure required by paragraph (a) of Item 1.05 poses a substantial risk to national security or public safety, and notifies the SEC of such determination in writing, the company may delay providing the disclosure required by Item 1.05 for a time period specified by the Attorney General, up to 30 days following the date when the disclosure required by Item 1.05 was otherwise required to be provided. Disclosure may be delayed for an additional period of up to 30 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing. In extraordinary circumstances, disclosure may be delayed for a final additional period of up to 60 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security and notifies the Commission of such determination in writing. If the Attorney General indicates that further delay is necessary, the SEC will consider additional requests for delay and may grant such relief through exemptive orders.
The SEC notes in the adopting release that it consulted with the Department of Justice to establish an interagency communication process to allow for the Attorney General’s determination to be communicated to the SEC in a timely manner. The SEC notes that the Department of Justice will notify the affected company that communication to the SEC has been made, so that the company may delay filing its Form 8-K.
The SEC indicates that the delay provision for substantial risk to national security or public safety is separate from Exchange Act Rule 0-6, which provides for the omission of information that has been classified by an appropriate department or agency of the Federal government for the protection of the interest of national defense or foreign policy. The SEC indicates that if the information a company would otherwise disclose on an Item 1.05 Form 8-K or pursuant to Item 106 of Regulation S-K or Item 16K of Form 20-F is classified, the company should comply with Exchange Act Rule 0-6.
It seems to me that the delay provision for substantial risk to national security or public safety will likely not often be invoked. While general disclosure about a cybersecurity breach is sometimes a concern from a law enforcement perspective, only rarely do circumstances occur where a breach would meet the threshold for constituting a substantial risk to national security or public safety. So while it is helpful that the Commission did listen to commenters concerns and adopt these two specific delay provisions, they are unlikely to be a factor in the disclosure decisions for a wide range of public companies facing cybersecurity breaches.
Recently, the PCAOB published a Staff report that shows a year-over-year increase in the number of audits with deficiencies at audit firms that the PCAOB inspected in 2022, which is in fact the second year in a row that the PCAOB has observed an increase in audits with deficiencies. In announcing the report, the PCAOB notes:
According to the report, PCAOB staff expects approximately 40% of the audits reviewed will have one or more deficiencies that will be included in Part I.A of the individual audit firm’s inspection report, up from 34% in 2021 and 29% in 2020.
Part I.A of the PCAOB’s inspection reports discusses deficiencies, if any, that were of such significance that PCAOB staff believes the audit firm, at the time it issued its audit report(s), had not obtained sufficient appropriate audit evidence to support its opinion on the public company’s financial statements and/or internal control over financial reporting.
The 2022 update and preview report also highlights questions that audit committees should consider in discussions with independent auditors in light of increased PCAOB inspection findings. These questions include the following:
– Has our audit engagement been inspected, and, if so, would you share the results? Were there any audit areas that required significant discussions with the PCAOB that did not result in a comment form?
– Has the engagement partner been inspected on other engagements? If so, what were the results of that inspection?
– What is the audit firm doing to address overall increased inspection findings?
– Are there any audit procedures that are unnecessarily complicated or not “straightforward” because management is not providing clear, supportable information?
PCAOB Chair Erica Williams released a statement on the Staff report, saying: “Let me be clear: a 40% Part I.A deficiency rate is completely unacceptable. The PCAOB will continue demanding firms do better and deliver the high-quality audits investors deserve.”
Earlier this week, I delved into the new disclosure required under Item 5 of Part II of Form 10-Q that is responsive to Item 408(a)(1) of Regulation S-K, which requires issuers to disclose whether, during the issuer’s last fiscal quarter, any director or officer adopted or terminated: (i) any contract, instruction or written plan for the purchase or sale of securities of the issuer intended to satisfy the affirmative defense conditions of Rule 10b5–1(c); and/or (ii) any “non-Rule 10b5–1 trading arrangement.”
The questions just keep rolling in on this new disclosure requirement, and a member recently asked this question on our “Q&A Forum” (#11,757):
Pursuant to Item 408(a)(3), the disclosure provided pursuant to Item 408(a)(1) and (2) must be provided in an Interactive Data File as required by 17 CFR 232.405 (Rule 405 of Regulation S–T) in accordance with the EDGAR Filer Manual. When no director or officer has adopted or terminated a Rule 10b5-1 trading arrangement or a non-Rule 10b5-1 trading arrangement during the quarter and the issuer discloses “none” or includes “negative” disclosure in response to Item 5 of Part II of Form 10-Q, should this disclosure be tagged?
John responded “Yes” to this inquiry.
Why we need Inline XBRL tagging of this sort textual disclosure is beyond me, but that is a whole other debate there. I must admit that I have never been president of the XBRL fan club. Nevertheless, you will want to get this right so you can continue to check the “Yes” box on the cover page of your periodic reports in response to the question “Indicate by check mark whether the registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit such files).”
Yesterday, the SEC adopted, by a 3-2 vote, amendments to its rules that will require periodic disclosures regarding cybersecurity risk management, strategy and governance, as well as current disclosure on Form 8-K of material cybersecurity incidents.
Specifically, under the amendments, issuers will be required to:
Disclose, on a current basis pursuant to new Item 1.05 of Form 8-K, any cybersecurity incident that an issuer experiences that is determined to be material, describing the material aspects of its: (i) nature, scope, and timing; and (ii) impact or reasonably likely impact;
Describe, on a periodic basis pursuant to new Item 106 of Regulation S-K, the issuer’s processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats, and describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition;
Describe, on a periodic basis pursuant to new Item 106 of Regulation S-K, the board’s oversight of risks from cybersecurity threats; and
Describe, on a periodic basis pursuant to new Item 106 of Regulation S-K, management’s role in assessing and managing material risks from cybersecurity threats.
Similar disclosure requirements will apply to foreign private issuers.
The final rules will be effective 30 days following publication of the adopting release in the Federal Register. With respect to the periodic disclosures required by Item 106 of Regulation S-K, all issuers must provide such disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023. With respect to compliance with the current disclosure requirements for material cybersecurity incidents required by Item 1.05 of Form 8-K, all issuers (other than smaller reporting companies) must begin complying 90 days after publication of the adopting release in the Federal Register or December 18, 2023, whichever is later. Smaller reporting companies have an additional 180 days from the non-smaller reporting company compliance date, so those issuers must begin complying with Item 1.05 of Form 8-K, on 270 days after publication of the adopting release in the Federal Register or June 15, 2024, whichever is later.
The SEC made several significant changes from the proposing release in response to comments. With respect to current reporting of cybersecurity incidents pursuant to Item 1.05 of Form 8-K, the SEC narrowed the scope of the disclosure, added a limited delay for disclosures that would pose a substantial risk to national security or public safety, required certain updated incident disclosure in an amended Form 8-K rather than in Forms 10-Q and 10-K and omitted the proposed aggregation of immaterial incidents for materiality analyses. The SEC also streamlined the proposed disclosure elements related to risk management, strategy and governance, and the SEC did not adopt the proposed requirement to disclose board cybersecurity expertise.
