June 29, 2021

Hypothetical Risk Factors: Beware the 10-Q Updating Requirement!

The SEC’s 2019 enforcement action against Facebook highlighted the perils of hypothetical risk factors. Now, in In re Alphabet Securities Litig. (9th Cir.; 6/21), the 9th Circuit has upheld disclosure claims against another tech titan premised on its alleged failure to update disclosure of a risk of a cyberbreach that was hypothetical when initially disclosed in a 10-K, but became very real by the time subsequent 10-Qs were filed. This Morrison & Foerster memo reviews the Court’s decision. This excerpt provides an overview of the complaint’s factual allegations:

The complaint alleged that in February 2018, Alphabet, Inc. (“Alphabet”), the holding company of Google LLC (“Google”), filed its 10-K for FY 2017. In the “risk factors” section, it listed potential consequences in the event third parties were to breach Google’s cybersecurity measures and obtain access to its users’ private data.

The complaint further alleged that in April 2018, the Alphabet CEO discovered that a bug had exposed Google user data for a three-year period. The company did not disclose the breach at the time. Further, it alleged that on April 23, 2018, and July 23, 2018, Alphabet filed 10-Qs, stating affirmatively that there had been “no material changes” to the risk factors set out in its 2017 10-K and made no disclosure about the data breach.

The WSJ published an article in October 2018 that disclosed the cyberbreach, Alphabet’s stock price took a hit, and the lawsuits soon followed.  The District Court dismissed the plaintiffs’ complaint, but the 9th Circuit reversed. This excerpt from the memo lays out the Court’s reasoning:

The panel found it plausible that a reasonable investor reading the 10-Qs would have been misled by the company’s representation that there had been “no material changes” in the risk factors into believing that Google had not discovered a data breach. The panel relied on the Securities Exchange Commission’s guidance regarding the adequacy of cybersecurity-related disclosures as “judgments about the way the real world works” to inform its analysis of a reasonable investor’s perspective.

Item 1A of Form 10-Q requires companies to update the risk factors disclosed in their 10-K filings to reflect any “material changes.” The Alphabet case makes it clear that when considering the perils of hypothetical risk factors, companies need to keep this updating requirement in mind if any of those risks have materialized since the 10-K was filed.

John Jenkins

June 29, 2021

Auditor Ratification: “No” Votes On The Rise

According to this Audit Analytics blog, “no” votes on auditor ratification proposals rose in 2020. Now, before we get carried away here, let’s start with the fact that support for these proposals is generally overwhelming – from January 1, 2018 to December 31, 2020, an average of 98% of votes were cast in favor of ratification.  Still, these excerpts from the blog indicate that’s not the whole story:

– The occurrence of shareholders voting in large numbers against auditor ratification has been increasing. Over the last three years, there have been four instances when more than 40% of a company’s shareholders voted against ratification; three of those votes occurred in 2020.

– In 2020, there were 13 entities with more than 20% of shareholder votes cast against ratification. SPAR Group [SGRP], LM Funding America [LMFA], and Barnwell Industries [BRN] top this list, with more than 42% of votes against auditor ratification.

– Both SPAR Group and Barnwell Industries had previous votes where shareholders voted in large quantities against the company’s auditor. In 2019, 30.85% of SPAR Group’s shareholders voted against ratification. For Barnwell Industries, over 5% of shareholders voted against the company’s longstanding auditor in six of the last seven years. Worth noting, Barnwell Industries opted to change auditors in 2020.

Among the S&P 500, the blog says that incidence of no votes on ratification proposals is much lower. The blog includes a list of the 10 highest votes against ratification among the S&P 500, and notes that UDR (14%) and GE (11%) topped the list this year. UDR and GE were the only members of the S&P 500 with greater than 10% negative votes, and the 10th company on the list, Masco Corporation, received only a 7% vote against ratification.

Those numbers may seem low, but given the traditional levels of support for auditor ratification proposals, the blog says they are enough to “trigger a red flag.” So what do companies do in response to this “red flag”? While it is still rare for companies to change auditors in response to a large negative vote, that doesn’t necessarily mean that companies and their auditors don’t take notice. For instance, in an earlier blog, Audit Analytics cites academic research indicating that a high level of shareholder dissatisfaction with auditors leads to better audit quality.

John Jenkins

June 29, 2021

Board Gender Diversity: 9th Cir. Okays Challenge to California Statute

Cooley’s Cydney Posner recently blogged this update on the status of litigation challenging California’s board gender diversity statute:

In Meland v. Padilla, a shareholder of a publicly traded company filed suit in federal district court seeking a declaratory judgment that SB 826, California’s board gender diversity statute, was unconstitutional under the equal protection provisions of the 14th Amendment. In April 2020, a federal judge dismissed that legal challenge on the basis of lack of standing.

On Monday, a three-judge panel of the 9th Circuit reversed that decision, allowing the case, now called Meland v. Weber, to go forward. The Court held that, because the plaintiff “plausibly alleged that SB 826 requires or encourages him to discriminate on the basis of sex, he has adequately alleged that he has standing to challenge SB 826’s constitutionality.”

Cydney’s blog also provides an overview of the potential constitutional issues raised by the California statute and the background of the litigation.

John Jenkins

June 28, 2021

SEC’s SolarWinds FAQs: “Zix Mail? Yeah, That Was Us. . .”

On Friday, the Staff issued 21 FAQs for recipients of its recent letter requesting certain companies to voluntarily provide information concerning the SolarWinds cyberattack.  The FAQs provide answers to questions concerning, among other things, the scope and limitations of the “amnesty” that the Division of Enforcement is prepared to provide and how to respond to certain inquiries contained in the original letter.

Companies that received the letter should read the FAQs carefully and should also be sure to check out this blog from Perkins Coie.  While the FAQs are all helpful, I think that for many companies, the Staff’s first FAQ raises the question they asked most often:

1.   I received a notification from Zix Mail, is it legitimate?

The SEC uses Zix Mail service for sending encrypted messages in connection with its confidential investigations, including this one. When we send an encrypted message via Zix Mail, the recipient receives a notification message from Zix Mail. An authentic notification of a message from Zix Mail will:

i.  Be sent only from sec.notification@zixmessagecenter.com
ii. Direct you to a link starting with “https://web1.zixmail.net”

The backstory here is that many companies that received the original email from the Division of Enforcement weren’t sure that it was legit, and some of them reached out to the Staff to confirm that it came from the SEC. After reading FAQ #1, can you blame them?  Based on the SEC’s description of its email blast, this thing couldn’t have looked more like a phishing attempt if the Zix Mail email address had ended in “@hacker.ru”.

John Jenkins

June 28, 2021

Section 13(d) Reform: Gary Gensler Makes His Pitch

A few months ago, I blogged about the possibility that 13(d) reform might be on the SEC’s agenda.  In a speech delivered last week, SEC Chair Gary Gensler confirmed that he has the beneficial ownership reporting rules in his sights. Here’s an excerpt:

In 1968, our Congress mandated that large shareholders of public companies disclose information that helps the public understand their ability to influence or control that company. Under current rules, beneficial owners of more than 5 percent of a public company’s equity securities who have control intent have 10 days to report their ownership.

We haven’t updated that deadline in over 50 years. Those rules might’ve been appropriate for the 1970s, but I have my doubts about whether they continue to make sense given the rapidity of current markets and technologies. I’ve asked staff how we might update these rules, including possibly shortening reporting deadlines.

Activists aren’t going to be thrilled with that development, but public companies and those who represent them are likely to continue their vocal support of a move to shorten filing deadlines. Chair Gensler went on to reference his desire for greater transparency concerning derivative swaps on individual companies that “provide exposure to the company without traditional equity ownership,” so perhaps an expansion of the definition of “beneficial ownership” under Section 13(d) to encompass these derivative positions might also be on the table.

John Jenkins

June 28, 2021

EDGAR: Juneteenth Filing Date Adjustments

The EDGAR system was closed on Friday, June 18th in observance of the new Juneteenth federal holiday. Since President Biden had signed the legislation only the day before, the decision to close EDGAR was made in a very short timeframe.  Apparently, that resulted in a little internal confusion, and some filers who made filings after 5:30 pm on June 17th receiving a June 18th filing date.  Since EDGAR was closed, that filing date doesn’t work, so on Friday, the SEC announced that those filers will have their filing dates automatically adjusted to June 21st.

John Jenkins

June 25, 2021

Strongly Worded CEO Letters: What If You Have To Disclose Your Follow-Through?

I blogged 3 years ago that it was getting difficult for CEOs to stay silent on hot social and political issues. Fast forward to today, and open letters have taken off as a mainstay of corporate political activism. Research suggests that they’re viewed as a somewhat “safe” way to respond to consumer & employee expectations without sacrificing shareholder value. But signs are emerging that investors and other stakeholders are starting to pay closer attention to follow-through.

Last year in particular, hundreds of companies vowed to combat systemic racism against Black Americans in the wake of George Floyd’s murder. It’s difficult to keep track of which companies made a commitment, what the commitment was, and whether they’ve followed through. Various “pledge trackers” sprang up in the fall, but they haven’t been maintained with real-time data.

One economist says that in the aggregate, companies pledged to put somewhere between $50 – 65 billion toward DEI efforts over a multi-year time frame. Now, he’s submitted an SEC rulemaking petition to urge that companies be required to disclose progress on their commitments. So far, he says, only $500 million has been spent. He argues it doesn’t matter whether investors care about this info, because compelling disclosure would be in the public interest and is within the Commission’s authority. That’s a bold position to take, in light of recent Commissioner statements about the SEC’s role and materiality.

Some investors do seem to care about racial equity commitments, though. We’ve been blogging throughout this proxy season about shareholder proposals requesting EEO-1 reports and racial equity audits. These proposals have become more common this year – and have been getting solid support. Shareholders seem to be moving from requesting simple demographics data to requesting data that allows them to understand & evaluate company efforts to promote equity. The level of support for these proposals, while typically below a majority at this point, implies that a sizable portion are starting to view the info as relevant.

The Commission hasn’t given any indication that it would take up this rulemaking petition, but the letter raises awareness of what could be an emerging disclosure risk. This DealBook column predicts that “strongly worded letters” are only going to become more common. With reputational risks & investor materiality assessments constantly evolving – and expectations that “ESG”-type commitments will be accurate – securities & corporate governance counsel should have a seat at the table when companies are crafting these high-minded statements. You want to ensure anything that’s released aligns with the company’s stated values and what it is actually doing & planning to do.

You may also want to start tracking your company’s follow-through, if you’re not doing that already – see this PracticalESG blog for ways to do that – and be prepared for inquiries like this one from Majority Action.

Liz Dunshee

June 25, 2021

Record-Setting Whistleblower Run: How Companies Can Prepare

Last month, Lynn blogged that the SEC was nearing the $1 billion mark for lifetime awards under its whistleblower program. This Arnold & Porter memo says that FY 2021 will also set a record of its own: with more than 3 months left, the Commission has awarded $370 million, compared to the $175 million record from last year. The memo was published prior to the SEC’s latest announcements this week of a $5.3 million award and a $1 million award.

The memo delves into how the whistleblower program works – and says that recent orders may show a willingness to grant more awards. There has also been a huge increase in the number of tips lately, which may lead to more investigations. The memo says that companies can prepare for the possibility of whistleblower activity by considering:

Risk Assessments. Consider conducting risk assessments related to internal reporting structures to make sure that all reports—not just those going to an internal hotline—are captured, triaged, and investigated if appropriate. Use internal whistleblower information to get ahead of a potential problem with the regulators or law enforcement. Companies that are able to conduct thorough internal investigations showing a clear, robust response to an internal tip will be better able to effectively self-correct and have a defensible position if regulators or law enforcement get involved.

Annual Training. Consider if annual training is appropriately robust and targeted to middle management to ensure that tips received outside of the employee hotline or formal reporting mechanisms are identified, logged, and triaged. This is particularly important given that 81% of SEC whistleblower awardees reported their concerns internally, including in many instances to their direct supervisor, before or at the same time as reporting to the Commission. If all tips are not identified and centrally reviewed, it is a lost opportunity for a company to self-correct an issue.

Internal Reporting Mechanisms in a Post-Covid World. As more companies are pivoting back to an in-person workforce, consider a refresh on internal reporting mechanisms as well as related training. Record-breaking numbers of tips were reported to the SEC during the pandemic. This may have been because of a breakdown in internal reporting mechanisms for a remote workforce. Consider a fresh internal reporting campaign to refocus a returning workforce, whether it be full-time in the office, continuing remote, or some hybrid. The statistics show that the current mechanisms for internal reporting may not be effective anymore.

Anti-Retaliation Policies and Training. Ensure that whistleblower anti-retaliation policies and training are up-to-date. Now is the time for companies to review anti-retaliation policies to ensure they are clear and concise. Annual training should be conducted to ensure that everyone understands what retaliation is and knows the steps that can and cannot be taken once someone reports internally or to the government. Zero tolerance policies that are advertised to the workforce can help employees get comfortable reporting internally rather than straight to the governmental authorities.

Domestic and International Policies. Review and update both domestic and international policies. In light of the purported award in the PAC case, companies should be aware that whistleblower tips may arise from and with respect to any part of their business, including activity overseas. In FY 2020, 11% of whistleblower submissions to the Commission were submitted from non-US countries. Since the inception of the program, the SEC has received tips from whistleblowers in 130 countries. Properly and consistently implemented robust internal reporting mechanisms and whistleblower policies provide an additional safeguard for compliance with US and international laws and regulations.

Liz Dunshee

June 25, 2021

ESG Disclosure Gets Easier? Merger of 2 Big Players Could Spur Harmonization

The merger between the International Integrated Reporting Council (IIRC) and the Sustainability Accounting Standards Board (SASB) has now closed – and the combined organization will now be known as the Value Reporting Foundation. The deal is an effort to simplify the ESG reporting landscape by aligning disclosure tools from two of the major players. From the press release:

The Value Reporting Foundation is a global nonprofit organization that offers a comprehensive suite of resources designed to help businesses and investors develop a shared understanding of enterprise value — how it is created, preserved or eroded over time. The resources — including Integrated Thinking Principles, the Integrated Reporting Framework and SASB Standards — can be used alone or in combination, depending on business needs. These tools, already adopted in over 70 countries, comprise the 21st century market infrastructure needed to develop, manage and communicate strategy that creates long-term value and drives improved performance.

As I blogged last fall when this merger was announced, the VRF also intends to support other organizations such as the IFRS Foundation. There seems to be an acknowledgement that there are too many players in the “reporting framework” space right now. That makes it difficult for companies to determine what’s important to disclose and difficult for investors to compare disclosures.

The Value Reporting Foundation may have more global reach & influence than the IIRC or SASB had on their own – with SASB gaining a lot of acceptance in the US but not overseas, and the inverse being true for IIRC. Michael Bloomberg, who is the chair of the TCFD and who has been a SASB supporter since its early days, is also a Chair Emeritus of the new organization. It remains to be seen whether or how any of these standards will get adopted by national regulators.

All of the existing resources from the IIRC and SASB remain available on their websites for now – but you can also visit the new VRF website for more tools.

Liz Dunshee

June 24, 2021

“Deep Dive with Dave” Podcast: Electronic Signatures Workshop

We’re regularly posting new podcasts for members! In this 25-minute episode, Dave Lynn and McKesson’s Jim Brashear take a deep dive into the SEC’s new requirements for electronic signatures for SEC filings. Topics include:

– Background of Signature Requirements

– The SEC’s Regulation S-T Rule Changes

– How to Authenticate an Individual’s Identity

– Addressing Non-Repudiation

– Initial Electronic Signature Authentication Document

– Retention of Electronic Signatures

Liz Dunshee