I loved this Time interview with Sidley’s Holly Gregory and Kai Liekefett and Louis Pierro of Pierro, Connor & Strauss – discussing what is & isn’t accurate about Succession (they agree it’s pretty accurate overall). Yet another sign that corporate governance is becoming glamorous! Here’s an excerpt talking about something that everyone knows to be true but can’t say out loud when real clients are involved:
How do Kendall’s public allegations against his father impact Waystar’s proxy battle against Sandy and Stewy?
Liekefett: In the proxy fight world, we use a lot of terminology from political elections, and we are always concerned about the so-called ‘October Surprise.’ This is the ultimate October Surprise, and the nightmare of any defense attorney that something like this would happen shortly prior to the annual meeting. If that were to happen in my practice, we’d probably be dead in the water.
With that level of dysfunction — where the son of the CEO and chairman goes out and accuses his father of these kinds of wrongdoing — shareholders in 99 out of 100 situations would say, ‘O.K., enough said. I don’t even care who is right, father or son. The level of dysfunction here is so unbearable, that we need some adults in the boardroom. Anything is better than the status quo, we need some fresh faces here as directors.’ It would be the death knell of any proxy fight.
Join us tomorrow for the webcast – “Investment Stewardship: Understanding the ‘New Era’ of Expectations and Engagement” – to hear T. Rowe Price’s Donna Anderson, Davis Polk’s Ning Chiu, BlackRock’s Michelle Edkins and Neuberger Berman’s Caitlin McSherry take stock of how “investment stewardship” has changed…and how it’s stayed the same. This program will help you understand how stewardship teams are operating these days – and what that means for your board, your engagements, and your voting outcomes.
If you attend the live version of this 60-minute program, CLE credit will be available! You just need to submit your state and license number and complete the prompts during the program.
Members of this site are able to attend this critical webcast at no charge. If you’re not yet a member, subscribe now. The webcast cost for non-members is $595. You can renew or sign up online. If you need assistance, send us an email at info@ccrcorp.com – or call us at 800.737.1271.
This Skadden memo (pg. 6) outlines 10 steps for boards to take right off the bat when responding to allegations of executive misconduct. It also identifies these 4 common mistakes to avoid:
− Delaying the start of an investigation, or failing to investigate additional or related reports.
− Failing to consider external optics, including potential conflicts, with respect to oversight of review and outside advisers.
− Inconsistent communications, external or internal, and delayed disclosures.
I’ve been hearing some pushback from the securities law community about the need for so-called 10b5-1 “reform.” Here are some of the pointed questions that people are asking me and each other:
– Where are the SEC cases against insiders for entering into these plans when they are tainted with MNPI – which would violate the 10b5-1 safe harbor requirements?
– Why are we all jumping on the “10b5-1 reform” bandwagon when the SEC itself hasn’t found evidence of wrongdoing with these plans — as is evidenced by the dearth of enforcement cases?
– Why are we letting academic studies not supported by any meaningful SEC enforcement demonize 10b5-1 plans that have been used by individuals looking to do the right thing re: portfolio diversification and by companies looking to do the right thing by returning value to stockholders via stock buyback programs?
On a related note, some securities law practitioners are also starting to take issue with the terminology of so-called “cooling off” periods – and refer to them as, more accurately, “just in case I’m tainted” provisions. Said differently, what are insiders “cooling off” from? Being ice cold regarding MNPI on 10b5-1 execution date? It’s not universal, but some in-house folks view this as a biased and inaccurate term and are concerned that it is coloring public perceptions.
Ransomware attacks are getting more common – and responding to them is getting more difficult in light of attackers’ new techniques and regulators taking steps to discourage companies from paying. That’s according to this Milbank memo, which also points out that responding to these incidents continues to be a board issue because of the business & legal risks. In order to navigate these risks, board advisers need to have a high-level understanding of the issues and the response plan.
The memo delves into three assessments that could affect how to respond. Here’s an excerpt:
The fact that paying the ransom is not illegal in and of itself does not make deciding whether to pay any less difficult. Planning how to make that decision is key. Companies and their boards that have methodically pre-identified important factors in paying the ransom will be prepared to pragmatically and decisively address the problem when it arises. We recommend three assessments for victim companies deciding whether to pay: (i) the value of the breached data in light of modern ransomware attacks; (ii) the risks from paying the ransom; and (iii) negotiation and payment options.
On the first prong of evaluating whether paying the ransom makes sense because of the value of the stolen data, the memo suggests considering whether the captured data has been backed up or can be rebuilt, whether there are publicly available data keys that can decrypt locked data, and whether the company will face legal or regulatory claims, or reputational and relationship issues, if the stolen data is released to the public.
I’m thrilled to announce that we’ve made two great additions to our team:
Julie Gonzales has joined us as an Associate Editor after spending 16 years at a publicly traded company in the oil & gas industry, including as the Stock Plan Administrator, Corporate & Securities Paralegal and Assistant Corporate Secretary. Julie can be reached at jgonzales@ccrcorp.com.
Emily Sacks-Wilner is our newest Editor. Emily has spent time in fintech and at large firms, working closely with public companies and pre-IPO companies on numerous equity offerings, periodic SEC filings, M&A and corporate governance matters. Emily has also served as in-house M&A counsel for an S&P 500 company. She can be reached at eswilner@ccrcorp.com – and will be joining our blogging lineup soon!
Emily & Julie both bring tons of practical experience and have jumped in with very helpful contributions to our resources. I’m excited for you to get to know them. Feel free to drop them a welcome note!
The PCAOB recently published this 14-page summary of observations on its 2020 inspections of public accounting firms. The report highlights obstacles & good practices at audit firms, which can be helpful for audit committees to know when they’re engaging & overseeing auditors. Here’s one takeaway that’s good if you’re using a firm that’s inspected annually (which are listed on this page):
For the majority of the annually inspected audit firms, we identified fewer findings in 2020 compared to our 2019 inspections. In our triennially inspected audit firms, some improvements were noted, although deficiencies continue to remain high.
The report says that revenue recognition remains an area with room for improvement – so expect auditors to continue to be very focused on that. And, if your company has experienced a cybersecurity incident, the ICFR impact of that is going to get a second look during an inspection:
We continue to review audits of public companies that experienced a cybersecurity incident during the audit period. We observed in our reviews how the auditor considered the cybersecurity incident in their risk assessment process and, if applicable, in their response to identified risks of material misstatement.
In certain audits reviewed, the auditor evaluated the severity and impact of the cybersecurity incident but did not consider whether the incident affected their identification or assessment of risks of material misstatement; whether modifications to the nature, timing, or extent of audit procedures were necessary; and whether the incident could be indicative of one or more deficiencies in ICFR.
We’ve posted the transcript for our recent DealLawyers.com webcast: “Navigating De-SPACs in Heavy Seas.” This program provided a lot of great practical guidance on handling the increasingly complex and challenging De-SPAC process. Erin Cahill of PwC, Bill Demers of POINT BioPharma, Reid Hooper of Cooley and Jay Knight of Bass Berry & Simms addressed the following topics:
– Overview of the Current Environment for SPAC Deals
– Negotiating Key Deal Terms/Addressing Target Concerns
– The PIPE Market and Alternative Financing Methods
– Target Preparations to Go Public Through a SPAC
– Managing the Financing and Shareholder Approval Process
– Post-Closing Issues
We made this webcast available as a bonus to members of TheCorporateCounsel.net, and so we’ve posted the transcript on this site as well.
It is my favorite time of year – the leaves are changing colors, there is a slight chill in the air, and my thoughts inevitably turn to – cybersecurity? October is Cybersecurity Awareness Month, which has apparently been a thing since 2004. The overarching theme for Cybersecurity Awareness Month 2021 is “Do Your Part. #BeCyberSmart.”
I think the focus on cybersecurity awareness makes it a great time to take a close look at your cybersecurity disclosure practices. As this MoFo memo notes, the SEC certainly does not need the month of October to be made aware of cybersecurity matters, given that the Division of Enforcement has focused its attention in recent months on “the efficacy of cybersecurity disclosure controls and procedures, especially where sensitive personally identifiable information (PII) is compromised without appropriate remediation, escalation, and disclosure.” With the annual reporting season fast approaching, October is a great time to take a step back and look at both your disclosure controls and procedures and your overall disclosure profile when it comes to cybersecurity.
On the disclosure controls and procedures front, the MoFo memo suggests the following key features of effective cybersecurity controls and procedures:
– Set forth steps to identify and investigate cybersecurity incidents;
– Assess and analyze the impact of the incident on the company’s business and customers;
– Ensure careful analysis of whether the cybersecurity incident is material, giving rise to disclosure obligations;
– Refer potentially material cybersecurity incidents to appropriate committees, including the disclosure committee, for assessment and analysis;
– Ensure that material cybersecurity incidents are reported to senior management and to the board of directors;
– Ensure that material cybersecurity incidents are disclosed to investors and that existing disclosures are reviewed and, if necessary, updated if new facts render them incorrect or misleading;
– Prescribe steps and deadlines to remediate incidents based on severity;
– Address circumstances under which trading restrictions should be imposed on company personnel who are in possession of material non-public information (MNPI) regarding the incident; and
– Provide for the issuance of a document preservation or litigation hold for material incidents or other incidents where the company anticipates litigation.
I think that it is also an opportune time between now and Halloween to review the cybersecurity disclosures in your SEC filings, particularly your cybersecurity risk factor disclosure. Some of the persistent areas of Staff focus through the comment letter process have been as follows:
Unbundling the Cybersecurity Risk. The Staff has often asked that a company break out cybersecurity risks into a separate risk factor, rather than including the risk in one risk factor that addresses a variety of other concerns that the issuer faces.
Addressing the Key Elements. The cybersecurity risk factor should address the types of cybersecurity threats that the company faces, and the extent to which the company has been impacted in a material way by actual breaches or other incidents. The cybersecurity risk factor should also address the risk that cyber incidents may go undetected for a long period of time, which could result in significant consequences. You should address preventative measures that have been established for the purpose of addressing cyber risks, and the risk that such measures may not be effective to avoid an incident. Risks are often raised by third-party access to the issuer’s IT systems, so the risk factor disclosure should address the extent to which access by vendors, outsourcing partners or others might expose the issuer to a cyber attack. Risk factor disclosure should also address when an issuer has insurance coverage for cyber incidents, and the extent to which costs of a cyber attack could exceed that insurance coverage. The risk factor disclosure should highlight the actual and/or potential consequences of a cyber attack, which could include things like reputational harm, costs to remediate the impact of the attack, and costs for implementing protective measures.
Putting the Risk in Context. One frequent Staff comment asks that an issuer address in the risk factor actual or attempted cyber attacks, so that the reader can understand the risks as they apply in the context of the issuer’s business.
Avoiding Hypothetical Risk Factor Disclosure. With all of the warnings from the SEC and the Staff, it is now more important than ever to monitor all of the cybersecurity incidents that the company faces, so that you can accurately describe the cybersecurity threat in the risk factor without implying that the risks are only hypothetical. A good example of an emerging threat is the recent SolarWinds breach, which exposed companies to a potential threat through a “supply chain” attack, where the malicious software was inserted into the company’s patch prior to being distributed to customers.
As the SEC considers rulemaking in this area, companies should also consider the extent to which investors continue to look for the cybersecurity topic to be addressed from a governance perspective. We continue to see the evolution of disclosure in the proxy statement that addresses the extent to which the board and its committees oversee cybersecurity risks.
Last month, I blogged about the possibility of a large number of companies falling off of the Rule 15c2-11 cliff when amendments to the rule went into effect at the end of September. Rule 15c2-11 specifies the information that brokers must have to initiate or maintain quotations in OTC securities.
In the OTC Markets blog, we found some statistics which describe how companies were affected by the SEC rule change. OTC Markets notes that over 3,000 securities became eligible for public market maker price quotations on OTC Markets, after meeting the requirements of Rule 15c2-11 as amended. Meanwhile, 2,247 former “Pink No Information” securities shifted to the Expert Market tier, where securities may only be quoted on an unsolicited (customer order) basis. OTC Markets notes that “while this represents a large number of securities, it represented less than 5% of the total dollar volume.”