When boards name a new audit committee chair, does previous service on a company’s audit committee make a difference? That’s the focus of a recent academic study and it finds that internal successors to the audit committee chair role are better positioned to perform well in the role compared to external successors. A key finding of the study is that the risk of misstating financial reports is less likely when newly appointed audit committee chairs are internal successors. Here’s the abstract from the study:
We investigate whether new audit committee (AC) chairs provide more effective monitoring of the financial reporting process when they have firm-specific knowledge, proxied for by prior service on the firm’s AC. Consistent with practitioner and governance experts’ views on the importance of firm-specific knowledge, we find that firms are less likely to misstate their financial statements when new AC chairs previously served on the AC. This effect is stronger in the first two years of the AC chair’s succession period and when the incoming AC chair has more prior service on the AC. AC chair industry, accounting, and supervisory expertise, as well as prior experience as an AC chair at a different firm, do not compensate for a lack of firm-specific knowledge. These findings contribute to the literature on the AC chair’s role in the financial reporting process, suggesting that AC chair succession planning is important for financial reporting outcomes.
To a certain degree, internal successors seem like a fairly logical choice for the audit committee chair since they have a foundation of company-specific knowledge. Although some advocate for external successors, as they can offer a fresh perspective with some bringing previous experience as an audit committee chair at another company, it’s somewhat surprising that the study found this external experience doesn’t offset the lack of company-specific knowledge.
Based on the study’s findings, succession planning for a potential internal successor to the audit committee chair role appears all the more important. For companies that have mandatory director retirement policies, charting when directors will reach retirement can certainly help identify potential skill and leadership needs as part of the board succession planning process. For more about board succession generally, check out our “Board Succession” Practice Area and our “Board Succession Planning” Checklist.
When we blog about audit firms, it’s frequently about the Big Four, which tend to dominate audit firm market share for larger public companies. A recent Audit Analytics blog provides a look at audit firm market share for smaller companies. For SEC filers with revenue between $10 million and $150 million, Audit Analytics found the Big Four audit less than a quarter of this small company market.
When it comes to audit firm tenure at smaller companies, the tenure is lower than what is found at mid- or large-cap companies. Audit Analytics found that smaller companies with revenue between $10 – $150 million have an average audit firm tenure just short of eight years, whereas large companies with revenue over $1 billion have an average audit firm tenure of almost 24 years. The blog notes there are reasons shorter tenure is commonly found with smaller companies. First, small companies are usually young companies, thus lowering the average tenure. Also, smaller companies with less financial resources are more likely to shop around to lower their audit fees, while growing companies may change audit firms as their needs evolve.
Compared to audit related matters, at times, shareholder meetings can send folks on a wild ride – here’s an entry about a meeting disruption in the UK from a couple of weeks ago.
Last week, I blogged on our “Proxy Season Blog” about virtual annual shareholder meetings. A lot of in-house folks fell in love with the “virtual only” format – but others hated it. Investors continue to at least want the option to attend in-person meetings, although some also liked being able to access meetings without traveling.
At this point, the extent to which virtual or hybrid meetings will continue is anyone’s guess. Please participate in our anonymous poll to help start that conversation:
Yesterday, the SEC announced that it settled charges against a title insurance company for alleged disclosure controls and procedures violations in connection with a cybersecurity vulnerability. The issue here was that alleged inadequate disclosure controls and procedures resulted in management not having all relevant information about the vulnerability when it assessed the company’s disclosure response and the magnitude of the resulting risk. Although the company’s information security team performed a security assessment of one of its applications and identified the vulnerability, it then allegedly didn’t inform the company’s senior IT management of the vulnerability or remediate it in accordance with company policies until several months later. The SEC’s press release provides a summary:
According to the SEC’s order, on the morning of May 24, 2019, a cybersecurity journalist notified First American of a vulnerability with its application for sharing document images that exposed over 800 million images dating back to 2003, including images containing sensitive personal data such as social security numbers and financial information. In response, according to the order, First American issued a press statement on the evening of May 24, 2019, and furnished a Form 8-K to the Commission on May 28, 2019. However, according to the order, First American’s senior executives responsible for these public statements were not apprised of certain information that was relevant to their assessment of the company’s disclosure response to the vulnerability and the magnitude of the resulting risk. In particular, the order finds that First American’s senior executives were not informed that the company’s information security personnel had identified the vulnerability several months earlier, but had failed to remediate it in accordance with the company’s policies. The order finds that First American failed to maintain disclosure controls and procedures designed to ensure that all available, relevant information concerning the vulnerability was analyzed for disclosure in the company’s public reports filed with the Commission.
‘As a result of First American’s deficient disclosure controls, senior management was completely unaware of this vulnerability and the company’s failure to remediate it,’ said Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit. ‘Issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures.’
Without admitting or denying the findings in the SEC’s order, First American agreed to cease and desist from violations of Exchange Act Rule 13a-15 and to pay a $487,000 penalty. This action relates to disclosure controls and procedures but the cybersecurity connection is interesting since cybersecurity risk governance is among the items listed in the latest SEC Reg Flex Agenda.
Following recent high-profile cyberattacks involving SolarWinds, Colonial Pipeline and others, the White House issued a memo to executive business leaders urging companies to take immediate actions to help protect not only companies themselves, but also customers and the broader economy. The memo follows the Executive Order signed by the President in May that was intended to strengthen the federal government’s cybersecurity defenses.
Among other recommendations, the White House memo urges businesses to adopt the five best practices outlined in the President’s Executive Order, including multifactor authentication, endpoint detection, endpoint response, encryption, and a skilled, empowered security team. In additional to operational and technical matters, this Jenner & Block memo includes a couple of helpful reminders for legal teams:
Importance of a Multi-Functional Team: Cybersecurity and information protection are broad efforts encompassing many different skills within a company. Legal counsel should be included in the team to advise about the application of relevant laws, regulations, and policies, and to prepare for potential litigation and enforcement actions.
Importance of Legal Privilege: Companies should consider how to maximize the application of legal privilege to internal factfinding efforts that are designed to address potential legal exposure from cybersecurity and data protection rules.
Recently, Deputy Attorney General Lisa Monaco also spoke up about increased risk of ransomware attacks, urging disclosure and cooperation with the FBI. This CNBC piece provides a summary of her remarks.
Tune in tomorrow for our webcast – “Cyber, Data & Social: Getting in Front of Governance” – to hear Melissa Krasnow of VLP Law Group, Lisa Beth Lentini Walker of Lumen Worldwide Endeavors, Sue Serna of Serna Social and Heidi Wachs of Stroz Friedberg/Aon discuss what boards need to know about cyber, data & social – risks & opportunities, monitoring new threats, managing compliance with changing laws & different jurisdictions, social media oversight, director liability issues and more!
We will apply for CLE credit in all applicable states for this 1-hour webcast. You must submit your state and license number prior to or during the program. Attendees must participate in the live webcast and fully complete all the CLE credit survey links during the program. You will receive a CLE certificate from our CLE provider when your state issues approval; typically within 30 days of the webcast. All credits are pending state approval.
No registration is necessary – and there is no cost – for this webcast for our members. If you are not yet a member, sign-up now to access the program. You can sign up online, send us an email at info@ccrcorp.com – or call us at 800.737.1271.
Yesterday, the SEC announced that Renee Jones will serve as Corp Fin’s next Director. Renee most recently served as Professor of Law and Associate Dean for Academic Affairs at Boston College Law School, where she taught courses in corporations, securities regulation, startup company governance, and financial regulation. Previously, she represented private and public companies on corporate and securities matters at Boston law firm, Hill & Barlow. Coming in from academia isn’t entirely new, as John Coates was a long-time academic when he was appointed as the Division’s Acting Director, but traditionally the head of Corp Fin has been a practitioner.
Along with Renee’s appointment, after having served as Corp Fin’s Acting Director since February 2021, John Coates was named SEC General Counsel. Both appointments are effective June 21st.
It’s hard to believe it’s been a year since Marty passed away. In this podcast, Dave Lynn pays tribute to his great friend with a compilation of “greatest hits.” I hope you enjoy it as much as I did.
With news about cyber attacks seeming to crop up almost daily, considerations about potential ransomware attacks extend beyond information security officers. Alston & Bird recently issued a memo addressing considerations about ransomware attacks for the general counsel. Among other things, one of the items covered in the memo relates to how increased ransom payments have placed strains on the insurance industry. The memo warns that companies may encounter a more rigorous underwriting and renewal process than they’ve experienced in prior years.
Indeed, as companies seek to acquire new cyber-insurance policies or renew existing ones, the insurers’ enhanced diligence procedures may require additional disclosures or the implementation of new or more stringent cybersecurity procedures to meet the insurer’s standards. Policies can often require a checklist of specific security controls to be in place and periodically tested for effectiveness, for example, which are designed to mitigate the risk of ransomware.
Other insurers are taking different approaches. Just this week, one European insurer announced that it will no longer issue cyber-insurance policies in France that reimburse insureds for ransom payments.
There is also the risk that an insured company may find that its policy’s pre-approval process for the retention of outside counsel, forensic experts, ransom payment facilitators, and even the potential ransom payment itself is in tension with the company’s interest in a swift and immediate response to a ransomware event. The extent to which the policy includes recovery costs can pose an additional challenge if a policy does not treat expenses related to the forensic investigation, ransom payment itself (if applicable), and rebuilding affected systems as covered recovery costs.
Last year’s Rule 14a-8 amendments may or may not be here to stay. The Senate “fast-track” deadline under the Congressional Review Act – which could have undone the amendments – expired at the end of May, according to Daniel Pérez of the GW Regulatory Studies Center. Now though, Rule 14a-8 is among the items listed in the SEC’s new Reg Flex Agenda – which was posted Friday as part of a federal agency-wide reveal of the new Administration’s plans for rulemaking.
The Rule 14a-8 amendments are listed in the Reg Flex Agenda’s section for “proposed rulemaking” – targeting April 2022 for a proposal. Among other items included in the agenda’s proposed rulemaking stage, with some targeted to potentially come along quickly, are:
– Human Capital Management disclosure – October 2021
– Enhanced cybersecurity risk governance disclosure – October 2021
– SPACs – April 2022
– Proxy Voting Advice – April 2022
And, among items included in the pre-rule stage are the exempt offerings framework and gamification (out of the Division of Trading & Markets).
The SEC’s regulatory agenda is non-binding and doesn’t really mean a lot other than it identifies the SEC Chair’s priorities. Stay tuned, these agendas tend to change over time.
As for Rule 14a-8, the rule amendments adopted last fall remain intact and are currently effective – although the Commission adopted a transition period that says the final amendments first apply to any proposal submitted for meetings held on or after January 1, 2022. We’ll be following any Commission action or agency statements about the rulemaking closely and will be sure to blog about it.
To get up to speed on the Rule 14a-8 amendments before a shareholder proposal lands on your desk, check out our “Shareholder Proposals Handbook”- it’s been updated and incorporates the 14a-8 amendments, members can access it at no charge right here on TheCorporateCounsel.net.