In case you did not know it, October is Cybersecurity Awareness Month. Since 2004, October has been not only about pumpkin spice lattes, but also about raising awareness of cybersecurity threats. It is also a great time to roll out some cybersecurity-themed blog content.
Recently, the EY Center for Board Matters released its publication “How cyber governance and disclosures are closing the gaps in 2022,” in which it analyzes the cybersecurity-related disclosures of Fortune 100 companies. The EY report notes that, while there has been a trend toward more disclosure of cyber management and oversight, “there appears to be a gap between disclosures around material cybersecurity incidents, including the depth of the disclosures, as compared with the number and scale of cyber incidents reported in the news media and third-party reports.”
Key observations from the report include:
– Growing risks and greater stakeholder demands are leading companies to carefully address what they disclose about governance and management of cybersecurity.
– The SEC prioritized cybersecurity and is expected to finalize rules in early 2023 that will require new cybersecurity disclosures from public companies.
– Fortune 100 companies continue to increase disclosures in certain categories of cybersecurity risk management and oversight.
The report also highlights ten leading practices in board cyber risk oversight for boards to consider.
– How to think about cybersecurity alongside other enterprise risks;
– The board’s role before, during, and after an incident;
– How to approach cybersecurity risks alongside other enterprise risks;
– When to escalate cybersecurity incidents to the board;
– Regulatory expectations for the board’s oversight of cybersecurity;
– Questions boards should ask; and
– How the SEC’s proposed rules will impact a company’s approach to cybersecurity.
The Above Board podcast is featured in MoFo’s Above Board Resource Center for directors and those who advise them.
In the latest Deep Dive with Dave podcast, I am joined by Keir Gumbs, Chief Legal Officer at Broadridge. During the 2022 proxy season, the Operations Subcommittee of the End-to-End Vote Confirmation Working Group provided end-to-end vote confirmation for the annual meetings of Fortune 500 companies and piloted an early stage vote entitlement reconciliation process. Keir Gumbs and I discuss:
– The end-to-end vote confirmation project during the 2022 proxy season.
– The outcomes from the end-to-end vote confirmation project.
– Key observations from the 2022 proxy season.
– Next steps on the topic of end-to-end vote confirmation.
Loss contingency disclosures are never easy, but there are some “do’s & don’ts” that can keep you out of hot water. This Troutman Pepper memo shares takeaways from a recent SEC enforcement action that show “what not to do.” Here’s more detail:
Between January and May 2018, defendants — the former CEO, the former CFO, and a former director of the Company — allegedly violated federal securities laws when they made false and misleading statements to outside auditors about an ongoing SEC investigation into the Company’s investment in a biotechnology company (the Biotech Investment). Despite knowing of the investigation and the SEC’s intention to recommend charging the Company with violating federal securities laws, the defendants told the auditors that they were not aware of “any situations where the company may not be in compliance with any federal or state laws or government or other regulatory body regulations.”
The veracity of this assertion was rendered false once it was discovered that, between March 2015 and November 2018, the SEC’s Division of Enforcement sent multiple subpoenas to the Company, its officers, and directors, requesting documents and seeking testimony related to the SEC’s investigation into the Biotech Investment. Moreover, in April 2017, the SEC’s Division of Enforcement sent a Wells notice to the Company notifying it of the SEC staff’s intention to recommend charges.
The memo goes on to note that the former CEO & CFO were also in trouble under anti-fraud rules for signing a Form 10-K and Form 10-Q that the SEC says omitted required “loss contingency” disclosure under GAAP. The defendants paid civil penalties and agreed to temporary D&O bans. The memo concludes:
Situations like the above are not isolated events. In today’s ecosystem, companies are more likely than ever to be faced with the potential for investigation or other enforcement action by any number of regulatory bodies — whether it be the SEC, FINRA, NASDAQ, DOJ, FTC, OSHA, and so on. In the face of such investigations or enforcement actions, companies often struggle with assessing when events have escalated such that they are subject to disclosure requirements. This assessment can be difficult; therefore, it is crucial that companies undertake a diligent review and engage appropriate assistance to ensure the accuracy and rigor of that review.
Indeed, as noted by the SEC in its order, “…[the Company and its officers] never conducted a good faith assessment as to whether the possible pending enforcement action needed to be disclosed. Instead, the Company and its officers did the opposite — they misled [the Company’s] auditors and failed to disclose the existence and status of the SEC’s [] investigation.” Casting a blind eye will not aid in the avoidance of scrutiny, but rather will heighten the degree of attention focused on each and every deficiency.
I’ve blogged that AI is the next corporate governance frontier. Now, the White House Office of Science & Technology Policy has issued this “Blueprint for an AI Bill of Rights” – which can help boards & advisors spot issues that may develop into regulatory & reputational risks. This Eversheds Sutherland memo gives a helpful summary. Here’s an excerpt that describes the Blueprint’s key principles:
– Safe and effective systems – Automated systems should undergo extensive testing prior to deployment to determine potential risks and options for mitigating such risks. Businesses should consult experts and have diverse input to ensure the system is effectively designed for the intended goal. Systems should be redesigned when the design is harmful, or the AI system should not be deployed if it cannot be improved. Independent evaluators should be given access to automated systems to evaluate and document their safety and effectiveness to ensure the systems are operating as intended.
– Algorithmic discrimination protections – Automated systems should be designed in an equitable manner. The public should not face algorithmic discrimination based on any type of legally protected classification like race, ethnicity, sex, gender identity, or religion. AI systems should be proactively designed and assessed to protect against discrimination. AI systems should receive “algorithmic impact assessments” from independent evaluators on the potential disparate impacts.
– Data privacy – There should be built-in protections to shield the public from “abusive data practices” and people should have control over how their personal data is used by AI systems. Data collection should conform to reasonable expectations and only data that is strictly necessary for a specific context should be collected. The description of the intended use of the AI-derived data should be explained in non-technical language. Any consent request should be brief and understandable in plain language. Enhanced protections and restrictions on data and inferences related to sensitive information collection and processing may be necessary. In addition, individuals should be free from unchecked AI-enabled surveillance and monitoring.
– Notice and explanation – People should be notified when AI is in use and told the extent of that use. The business should also explain how and why the particular outcome was reached and if any non-AI factors contributed to the outcome.
– Human alternatives, consideration, and fallback – The public should have the option to reject the use of AI and to choose a human alternative, where appropriate. Individuals also should have access to a person who can quickly consider and remedy any problems they encounter in relation to AI systems.
The memo points out that the Blueprint is non-binding and discretionary, and the White House says that future sector-specific guidance will likely be necessary. Some agencies (e.g., the DOL) and states are already looking for ways to compel disclosures on these topics. Eversheds suggests that organizations that engage in commercial surveillance or that use AI to profile customers (e.g., targeted ads) should be particularly attuned to whether their practices align with the Blueprint’s principles.
Companies and their advisors aren’t the only ones struggling to keep pace with SEC Chair Gary Gensler’s “front-loaded” rulemaking agenda – the Staff is also feeling the pressure, according to a recent report from the SEC’s inspector general and a related WSJ article.
This is not very surprising news given everything that is going on, but the report does provide some insight on “how the sausage is made.” And it shows that the Commission is facing challenges that are common across many organizations – for example, collaboration across departments, which is one of the most difficult things anywhere. Here’s an excerpt:
Despite management’s commitment to cross-functional collaboration and communication, personnel we met with (including those from the Division of Economic and Risk Analysis, the Division of Enforcement, and the Office of the General Counsel, among others) identified coordination and communication as a persistent challenge in the rulemaking process, particularly given potential overlaps in jurisdiction and differences in opinion.
We reported on such challenges in a management letter issued in September 2022. Specifically, we reported that, around December 2021, the Office of the Chair modified the process for coordinating internal reviews of draft agency rules, resulting in the Office of the Advocate for Small Business Capital Formation (OASB) and the Office of the Investor Advocate (OIAD) receiving only fatal flaw drafts of proposed rules for a brief period of time. This change was not formally documented or communicated, and the then-directors of OASB and OIAD were not aware of the change until after it took effect.
The report goes on to say that the OASB and OIAD were still able to carry out their responsibilities, but that these types of uncommunicated practices could hinder effective collaboration. You can certainly imagine people getting grumpy over this type of thing! The Staff is also worried that attrition and workload may lead to less time for research & analysis on rulemaking and may increase litigation risks, which are already circulating.
As a “consumer” of SEC rules, I find it concerning that the Staff is experiencing these issues. A possible silver lining, as the Staff finalizes rules and thinks about the processes that will be necessary to comply, is that maybe these challenges will create even more empathy amongst the Staff for what companies are going through. I certainly hope that all of the hard-working folks at the SEC get the resources they need – and some appreciation for their efforts.
Yesterday, the DOJ announced that seven directors have resigned from corporate board positions in response to concerns by the Antitrust Division that their roles violated the Clayton Act’s prohibition on interlocking directorates. I blogged last month that inquiries were underway.
The DOJ’s press release identifies five companies – so far – that have lost directors as a result of the alleged interlocks (see this WSJ article for more color). In three instances, a director was serving simultaneously on the boards of two companies that could be deemed competitors. In two instances, investment firms were also implicated – because they had one or more representatives on the boards of potentially competing companies. John warned earlier this year that this Clayton Act issue could be a big problem for private equity, and that appears to be playing out.
The DOJ announcement offers these parting words:
Companies, officers, and board members should expect that enforcement of Section 8 will continue to be a priority for the Antitrust Division. Anyone with information about potential interlocking directorates or any other potential violations of the antitrust laws is encouraged to contact the Antitrust Division’s Citizen Complaint Center at 1-888-647-3258 or antitrust.complaints@usdoj.gov.
Be a hero, not a zero: remember the Clayton Act when you send out your D&O questionnaires, and get out in front of this issue with your directors. Our 95-page “D&O Questionnaire Handbook” includes a sample question to identify relationships that could be problematic, and you can use this enforcement sweep to explain why you’re adding it now.
If you’re already aware of potential interlocks, it would be prudent to address them sooner rather than later. For example, if your company identifies as a competitor in its disclosures a company where one of your directors sits on the board, that could put you in the DOJ’s cross-hairs. You may need to have some difficult conversations, and consider a succession plan if the director wants to stay on the other board.
Here’s a blog I shared this morning on CompensationStandards.com. I’m confident this is also of interest to readers here, because several esteemed members emailed me within minutes of the SEC posting its notice for next week’s open meeting (thanks, y’all)! Make sure to watch CompensationStandards.com for ongoing guidance on the new rules – and what you need to do:
Yesterday, the SEC posted a Sunshine Act Notice for an open meeting of the Commissioners to be held next Wednesday, October 26th. Corp Fin Staff will also be attending – Renee Jones, Erik Gerding, Elizabeth Murphy, Lindsay McCord, and others. After years of anticipation, the agenda includes:
The Commission will consider whether to adopt rules to implement Section 10D of the Securities Exchange Act, as added by Section 954 of the Dodd-Frank Wall Street Reform and Consumer Protection Act.
We had a great session at our Executive Compensation Conference last week about what you need to think about when reviewing and updating your clawback policy in light of recent enforcement activity and these expected final rules. If you missed it, you can still get access to the on-demand archives of this session and all of the other practical guidance from our Conferences by emailing sales@ccrcorp.com. Stay tuned for more guidance as we receive and analyze the final rules.
In the meantime, here are some of my latest entries on this topic from our “Advisors’ Blog” on CompensationStandards.com – and more helpful info is available in our “Clawbacks” Practice Area on that site:
John blogged last week about a tech glitch that caused the SEC to reopen the comment period on 11 rulemaking proposals and one request for comment. On Tuesday, the SEC’s order was published in the Federal Register, which began the 14-day clock for the reopened comment periods. The window closes on November 1st.
What does that mean for the timeline for these proposals? We can’t know for sure whether or when they’ll be adopted, but here are the general next steps after November 1st:
– SEC Staff moves forward with making sure all submitted comments are received and reviewing any additional comments that were submitted during the reopened period.
– SEC Staff continues with its process of drafting the final rules & adopting releases for the affected proposals, considering all comments.
– The Commissioners can then consider whether to approve each proposed rule (what they consider will include proposal modifications that are drafted by the Staff in response to public comments).
The SEC’s Acting Chief Accountant Paul Munter published another statement last week to focus on the gatekeeping responsibilities of auditors – this time, in relation to fraud detection. He expressed concern in light of recent developments and conversations that auditors are passing the buck on fraud detection. In his view, that’s not okay, because:
Auditors must plan and perform an audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud.
The statement urges auditors not to treat PCAOB Auditing Standard 2401 as an “exhaustive checklist” for fraud risk considerations and related responses. The implication is that maybe that’s been happening.
Mr. Munter identifies “good practices” that presumably go beyond auditors’ current approach to fraud detection. Companies can expect auditors to get nosier about these topics – and possibly others – as auditors work these points into their “New & Improved Fraud Detection Checklist.” His (paraphrased) suggestions include:
– Auditors should consider publicly-available information (including from new sources available during the course of the audit) and objectively evaluate how such information impacts risk assessment and the audit response. For example, auditors should evaluate whether publicly-available information contradicts information received from management.
– Are employees required to annually certify acknowledgement of a code of ethics? That’s a good start, but auditors should also consider whether that is a meaningful demonstration of the company’s commitment to integrity and ethical values. For example, are employees able to anonymously share their views on the company’s tone at the top through, for example, a culture survey? How are the survey results obtained and shared with leadership?
– Is the company’s whistleblower hotline simply a compliance checkbox, or does the issuer have a culture that encourages whistleblowers who see something to actually say something? For example, an auditor may want to discuss with the audit committee the nature of the whistleblower hotline’s operation.
– An auditor should also pay close attention to an issuer’s approach to its own fraud risk assessment as this can provide insight when evaluating the issuer’s control environment.
– Technology plays an increasingly important role in the audit and automated tools and techniques may assist the auditor in applying the fraud lens. Access to granular data and information can increase transparency into underlying transactions, which through the use of technology may provide useful insights to assist with identifying unusual or unexpected relationships or assisting auditors in performing more robust planning analytics.
This is an interesting backdoor nudge from the OCA Staff on corporate culture practices. I guess that as the “bad guys” continue to get more sophisticated, fraud detection has to keep pace – even if it means that code of ethics & whistleblower expectations go beyond what regulations expressly require.