According to a recent survey by Compliance Week & FTI Consulting, third-party risk management (TPRM) tops the list of priorities for corporate compliance officers this year:
Compliance Week and FTI Consulting polled 151 legal and compliance decision-makers as part of an online survey benchmarking the use of technology in compliance conducted between February and March. Respondents to the survey largely represented the technology (13%), banking (13%), healthcare (10%), and manufacturing (7%) sectors. The survey asked respondents to choose all that applied from a list of top-of-mind risk areas they expected to require additional focus this year. TPRM was indicated by 62% of overall respondents, far ahead of litigation/regulatory exposure (45%); anti-bribery, anti-corruption (ABAC), anti-money laundering (AML), and fraud (38%); and environmental, social, and governance (ESG) matters (38%).
Survey respondents noted that TPRM is always a compliance priority, because of the lack of control over third parties compared with other areas of compliance risk that companies face. In keeping with the overall emphasis on TPRM, the survey also says it’s the top priority for employing compliance technologies, with 55% identifying TPRM as an area where compliance-related technologies were utilized.
Join us tomorrow at 2 pm eastern for the webcast – “Managing the New Buyback Disclosure Rules” – to hear Era Anagnosti of DLA Piper, Robert Evans of Locke Lord, Allison Handy of Perkins Coie, and Dave Lynn of Morrison Foerster and TheCorporateCounsel.net, address the new disclosure requirements and discuss their implications for public companies.
Members of this site are able to attend this critical webcast at no charge. If you’re not yet a member, try a no-risk trial now. Our “100-Day Promise” guarantees that during the first 100 days as an activated member, you may cancel for any reason and receive a full refund. The webcast cost for non-members is $595. You can sign up by credit card online. If you need assistance, send us an email at info@ccrcorp.com – or call us at 800.737.1271.
We will apply for CLE credit in all applicable states (with the exception of SC and NE which require advance notice) for this 1-hour webcast. You must submit your state and license number prior to or during the program using this form. Attendees must participate in the live webcast and fully complete all the CLE credit survey links during the program. You will receive a CLE certificate from our CLE provider when your state issues approval; typically within 30 days of the webcast. All credits are pending state approval.
In a recent Soundboard Governance blog, Doug Chia notes the top investor complaint with VSMs is the possibility that companies may be gaming the Q&A session by “cherry picking” the questions they answer in order to avoid the hard ones. The blog compares the different ways that two companies – “Hatfield” and “McCoy” – handled their virtual annual meetings, and says that Hatfield did a pretty good job when it came to the transparency of its Q&A session:
It’s essential for companies to show their investors during the VSM Q&A session that they are trying to be as transparent as possible. One way Hatfield did this was by having all questions come in live by phone and letting each caller speak once their line was opened by the operator, like they do on talk radio. Based on the questions I heard, it didn’t seem like the company was screening the calls. (One caller opined that the entire accounting profession is a fraud!)
The members of management answered the questions on the spot in a way that didn’t sound scripted. Some of those answers were less than satisfying, but that’s going to happen whether the meeting is in-person or virtual-only. Another way Hatfield tried to convey transparency was by stating in its proxy statement that they would post answers to any pertinent questions not addressed during the Q&A session on their website sometime after the meeting.
The blog acknowledges that the limitations of the VSM format make it difficult to fully address investor concerns about the Q&A session’s transparency, but says that Hatfield handled investor Q&A much better than “McCoy” – which handled two questions that Doug submitted so poorly that he no longer feels skeptical about investor concerns that some companies are gaming the Q&A session at VSMs.
Doug’s blog is worth reading by anyone involved in planning a VSM, but I do have one minor quibble that may reflect the fact that Doug’s a bit younger than I am. He chose to use Hatfield & McCoy as pseudonyms for the two companies that served as his examples of good and bad VSM practices – but I think any of my fellow boomers would’ve seen Goofus & Gallant as the more obvious choice!
On Friday, the SEC announced that Mellissa Campbell Duru had been named Deputy Director for Legal and Regulatory Policy in the Division of Corporation Finance. Mellissa is an SEC veteran, but most recently served as a senior counsel for Covington & Burling. This excerpt from the SEC’s press release provides more information on her background:
At Covington & Burling, Ms. Duru worked in the Securities & Capital Markets practice, advising clients on securities regulation, capital markets transactions, and strategic corporate governance planning. She also served as a Vice Chair of the firm’s Environmental, Social, and Governance practice. Ms. Duru served at the SEC from 2004 to 2021, including as a Counsel to then-Commissioner Kara Stein, Special Counsel in the Division of Corporation Finance’s Office of Mergers and Acquisitions, and Cybersecurity Legal and Policy Advisor in the Division of Examinations. During her tenure, she also served as an SEC Brookings Institute Legislative Congressional Fellow in the Office of U.S. Senator Jack Reed. She began her SEC career in the Division of Corporation Finance’s Disclosure Review Program.
Mellissa fills the position previously held by Erik Gerding prior to his appointment as Director of Corp Fin earlier this year.
A recent SEC Institute blog points out that there are three changes from the SEC’s 2020 overhaul of the MD&A disclosure requirements that have become frequent topics for Staff comments:
– Critical accounting estimate disclosures
– Quantitative and qualitative disclosures about material changes
– Meaningfully addressing liquidity and capital resources
The blog suggests that one reason for this may be the simple fact that a lot of companies simply aren’t updating their disclosures to comply with the new requirements, noting that “old and obsolete beliefs that disclosure changes will attract negative attention from the SEC create resistance that is difficult to overcome,” even when it comes to complying with new disclosure requirements. The blog also offers up some links to its prior commentary on these topics to help companies understand what the Staff is looking for when it comes to MD&A disclosures.
As Liz mentioned last week in her blog about the two-year sentence for a former product manager at Coinbase who illegally traded in tokens, in early May the jury returned a guilty verdict in what has been referred to as the first “insider trading” conviction involving NFTs. But rather than charge insider trading, the U.S. Attorney’s Office actually relied on wire fraud and money laundering charges, which avoided the question of whether the NFTs constituted securities. This Norton Rose Fulbright alert summarizes the facts of the case:
According to the indictment, at the time of the alleged offenses, Nathaniel Chastain was an employee of OpenSea, the largest online market for NFTs. OpenSea typically featured certain NFTs on its homepage, and changed the featured NFT multiple times each week. Chastain was responsible for selecting the NFT to be featured on OpenSea’s homepage, and OpenSea kept this information confidential until the selected NFT appeared on its homepage. The publicity from being featured on OpenSea’s homepage often resulted in substantial increases in the price that buyers were willing to pay for that NFT, as well as the prices of other NFTs made by that same creator. Chastain was alleged to have used his knowledge of upcoming featured NFTs to purchase those NFTs, or other NFTs made by the same creator, in advance of the NFT being featured on OpenSea’s homepage. Chastain then sold those NFTs shortly after they were featured, by which time they had often doubled or even tripled in value, resulting in substantial profit to Chastain.
. . . Chastain’s conviction was not based on trading in any security or commodity, but on the somewhat creative theory of prosecution that Chastain had misappropriated OpenSea’s property, in the form of its confidential business information regarding which NFTs would be featured on OpenSea’s homepage. The government argued that, based on Carpenter v. United States, 484 U.S. 19 (1987), a case involving securities rather than digital assets, because OpenSea employees were obliged to keep this information confidential and use it only for the benefit of OpenSea, Chastain’s conduct defrauded OpenSea of its property, i.e., its confidential business information.
As Liz has blogged, in the Coinbase case, the SEC filed a parallel complaint, which did allege that the trading violated Section 10(b) of the Exchange Act and Rule 10b-5 thereunder and will turn on whether the crypto assets are securities. Per this article from Proskauer, there the defendants argue that secondary market trades involving crypto tokens are not securities transactions, even if the tokens were investment contracts at issuance, since there are “no binding promises running from the developers to the tokenholders.”
As the Jim Hamilton blog recently highlighted, Better Markets, the nonprofit organization focused on Wall Street reform, released a fact sheet last month arguing that the SEC needs to do a comprehensive analysis of the exempt offering framework, the expansion of which, it argues, has come at the expense of the public markets and investor protection. Citing the failed WeWork IPO versus a $100 million private placement by Theranos for which only a Form D was filed, the fact sheet suggests that “the public market framework has proven its merit, while exempt offerings pose major risks.” Here are the stats they cite regarding the relative size of public versus private capital raises:
More than two-thirds of new capital raising in the U.S. securities markets occurs in private markets that are largely unregulated, opaque, and inaccessible to the public. The SEC estimates that in 2019, “registered offerings accounted for $1.2 trillion (30.8 percent) of new capital, compared to approximately $2.7 trillion (69.2 percent) . . . raised through exempt offerings.” Over the past decade, there has been a steady increase in Regulation D offerings, the most relied upon exemption under the Securities Act.
While the fact sheet calls for more action, it highlights the following “positive steps” on the SEC’s agenda:
The SEC has listed several proposed rules for consideration by the Commission in its Fall Agenda that could reevaluate the role exempt offerings play in our capital markets. They include amendments to Regulation D and improvements to Form D, the currently almost meaningless filing that accompanies offerings under rule 506 D; changes to the definition of shareholder of record that helps determine which companies must file periodic reports with the SEC about their operations and financial condition; and adjustments to the Rule 144 holding period, which governs the resale of restricted securities issued in private offerings.
Dave has blogged about the SEC’s agenda with respect to Regulation D, statements by Commissioner Crenshaw and the SEC’s Investor Advisory Committee discussing the growth of the private markets earlier this year. Does the SEC face obstacles in proposing related rulemaking?
This CLS Blue Sky Blog post and paper by Alexander I. Platt of the University of Kansas School of Law suggests that the SEC may not have legal authority to impose ongoing disclosure obligations on unicorns, as was suggested by Commissioner Crenshaw. He also authored a paper for the Michigan Law Review in August of last year that questioned the SEC’s authority to mandate a “look-through” to the beneficial owners for purposes of the shareholder count under Section 12(g) of the Exchange Act.
Plus, as Liz blogged, the departing members of the SEC’s Small Business Capital Formation Advisory Committee shared parting thoughts in February of this year urging the SEC to continue to focus on five objectives—one of which was recognizing the importance of the private markets for small business growth. Nonetheless, addressing risks posed by the growth of the private markets has been a recent topic of interest for the SEC, and we’ll eagerly await the Spring 2023 Reg Flex agenda to see where these topics sit.
Liz and Lawrence recently blogged that the climate change rules are still under consideration at the SEC, and final rules may be delayed until later this year. Companies often wait until a final rule is adopted before preparing for a new disclosure regime, but for many reasons, that didn’t seem wise with the climate change proposal (and the time to comply with PVP really confirmed that for me). With many recommending companies prepare early—including this blog—did they actually heed that advice?
This Deloitte survey seems to suggest that they did. Here is an excerpt from the foreword with promising stats in terms of preparedness for the final rules, if adopted this year:
We released an ESG readiness report in March 2022, at which time 21% of executives indicated that their companies had established a cross-functional working group—made up of executives across finance, accounting, risk, legal, sustainability and other business leaders—to drive strategic attention to ESG for the business. A similar profile of respondents surveyed recently noted that progress in establishing a cross-functional working group has nearly tripled to 57%.
ESG readiness and external assurance remain valuable tools in preparation and can make a significant impact on a company’s governance and reporting processes and controls. Our recent findings show that nearly all (96%) executives plan to seek external assurance for the next reporting cycle, with 61% already seeking external assurance and 35% seeking external assurance for the first time. These findings indicate that more mature ESG programs typically have key components of an effective governance structure like ESG councils and assurance processes in place.
While companies are actively working to meet the growing need for high-quality ESG performance metrics, some challenges remain. When surveyed, 35% of executives reported that their greatest challenge is the accuracy and completeness of data, and another 25% cited access to quality data as the greatest challenge. To ameliorate this, 99% of companies are somewhat or very likely to invest in more technologies and tools over the next 12 months.
Those numbers on external assurance and new technology investments are impressive to me! Keep in mind that 300 executives at publicly owned companies with annual revenue of $500 million or more were surveyed in August and September 2022 for these stats. I’m sure the numbers would be very different with a different set of respondents. To that point, ISS recently released an article that concluded: “most corporates are unprepared to integrate complex climate-related considerations in their strategy and disclosures.” But still, the survey results may make an important point for any laggards out there—given these moves, there may be less empathy for those who procrastinate.
Unlike the positive developments on climate change preparedness, John recently blogged that many boards aren’t entirely comfortable with their companies’ level of cyber-readiness and even boards that include a cyber expert face challenges in effectively overseeing cyber issues. This article from the CPA Journal provides a timely list of key considerations to allow boards, audit committees or cybersecurity committees to quickly understand the status of their organization’s cybersecurity program. Here are a few of the recommendations:
Inventory and categorization of all assets. A complete, accurate, timely list of all assets should be available upon demand. This list should include internal (within the company) and external (outsourced, cloud) assets. Each asset should be categorized by its risk in order to prioritize controls, including vulnerability remediation. The primary oversight concern is that if management cannot identify the assets it is responsible for, how can it protect them?
Quality of internal audit comments. Directors can learn a lot about their organizations through the internal audit reports performed and the issues raised by those reports. From an oversight perspective, it is essential that such reports have an independent review, appropriate scope, and recommendations that add value to the organization. The inherent complexity of technology and its continued evolution causes managerial control challenges. Even when a prior security issue has been remediated, technological advances may require that a new control be implemented.
Managing accounts. The number, type, and utilization of user and system accounts can be a leading indicator of how well an organization manages these accounts. If administered properly, access, accountability, and monitoring accounts enable organizational activity while protecting data. Considerations include the number and percentage of users designated as privileged, stale users (accounts not used within a specific time), and generic accounts (not assigned to individuals). From an oversight perspective, primary concerns are the effectiveness of administering user privileges to enforce organizational controls and ensuring accountability for activities over protected digital resources.
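One way to turn the account indicators above (privileged share, stale users, generic accounts) into numbers a board or audit committee can ask for on demand, as an added example that is not from the CPA Journal article or this site; the Account record, the constructed sample export and the 90-day stale threshold are assumptions, since the article only says “a specific time”:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional


# Hypothetical account record, shaped like a row exported from a directory or IAM system.
@dataclass(frozen=True)
class Account:
    name: str
    privileged: bool              # holds an admin/root role
    last_login: Optional[date]    # None means the account has never been used
    owner: Optional[str]          # None means not assigned to an individual (generic/shared)


def account_hygiene_metrics(accounts: Iterable[Account], as_of: date,
                            stale_after_days: int = 90) -> dict:
    """Compute the indicators named in the text: privileged share, stale and generic accounts.

    The 90-day threshold is an assumption; pick the one your access policy defines.
    """
    accounts = list(accounts)
    total = len(accounts)
    cutoff = as_of - timedelta(days=stale_after_days)

    privileged = {a.name for a in accounts if a.privileged}
    stale = {a.name for a in accounts if a.last_login is None or a.last_login < cutoff}
    generic = {a.name for a in accounts if a.owner is None}

    def pct(n: int) -> float:
        return round(100.0 * n / total, 1) if total else 0.0

    return {
        "total": total,
        "privileged": len(privileged),
        "privileged_pct": pct(len(privileged)),
        "stale": sorted(stale),
        "generic": sorted(generic),
        # Highest-risk overlaps: privileged accounts that nobody uses or nobody owns
        "privileged_stale": sorted(privileged & stale),
        "privileged_generic": sorted(privileged & generic),
    }


# Constructed sample export (not real data) and a fixed reporting date.
AS_OF = date(2023, 5, 15)
SAMPLE = [
    Account("alice", True, date(2023, 5, 10), "Alice Example"),
    Account("bob", False, date(2023, 1, 2), "Bob Example"),
    Account("svc-backup", True, date(2022, 11, 30), None),
    Account("shared-reception", False, date(2023, 5, 14), None),
    Account("carol", True, None, "Carol Example"),
    Account("dave", False, date(2023, 4, 1), "Dave Example"),
]

if __name__ == "__main__":
    for key, value in account_hygiene_metrics(SAMPLE, AS_OF).items():
        print(f"{key}: {value}")
```

The two overlap lists are the ones worth asking management about first: a privileged account that is stale or has no named owner undermines exactly the accountability the article says oversight should confirm.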
Confirming the assurance provided by penetration testing. There are various definitions, forms, and scopes related to penetration testing. The idea is to simulate an attack that an intruder could conduct. Often directors are presented with results that summarize technical vulnerabilities. From an oversight perspective, directors should ensure that the scope of what was tested is clear. This should include not only which assets were tested but scope limitations, assumptions, and other factors that could provide a false sense of security when reviewing testing results.