January 21, 2025

Commissioner Uyeda Designated as Acting SEC Chair

Yesterday, the White House announced that President Trump has designated Commissioner Mark Uyeda as Acting Chair of the SEC. Commissioner Uyeda has served as an SEC Commissioner since June 2022 and has been with the SEC since 2006 — as SEC detailee to both the legislative and executive branches, Senior Advisor to Chairman Jay Clayton, Counsel to Commissioners Michael S. Piwowar and Paul S. Atkins, and Assistant Director and Senior Special Counsel in the Division of Investment Management.

Acting Chair Uyeda will preside over a three-person Commission — presumably until Paul Atkins, who President Trump has said he will nominate as Chair, is confirmed. Reuters reports that Acting Chair Uyeda and Commissioner Peirce “are expected to kick-start a cryptocurrency policy overhaul as early as this week.” Stay tuned!

Meredith Ervine 

January 21, 2025

Nitpickers Rejoice! SEC Adopts Cleanup Amendments

You know those little errors in the securities laws — the cross-reference to a vacated rule or typographical error — that don’t actually matter because it’s clear what it’s supposed to mean, but they bother you anyway? If you, like me, have some of those pet peeves, Chair Gensler has a parting gift for you!

On Friday afternoon, the SEC issued this final rule release to “correct errors that are technical in nature, including typographical errors and erroneous cross-references in various Commission rules and forms.” What type of corrections, you ask? Well, as an example, one of my biggest pet peeves — because I think it did cause confusion — was addressed.

Paragraph (a) of Item 5.08 of Form 8-K (Shareholder Director Nominations) was restated as follows:

(a) Where a registrant is required to include shareholder director nominees in the registrant’s proxy materials pursuant to either an applicable state or foreign law provision, or a provision in the registrant’s governing documents, then the registrant is required to disclose the date by which a nominating shareholder or nominating shareholder group must submit the notice on Schedule 14N required pursuant to § 240.14a–18.

This removes the first sentence of Item 5.08(a), which read:

If the registrant did not hold an annual meeting the previous year, or if the date of this year’s annual meeting has been changed by more than 30 calendar days from the date of the previous year’s meeting, then the registrant is required to disclose the date by which a nominating shareholder or nominating shareholder group must submit the notice on Schedule 14N (§ 240.14n–101) required pursuant to § 240.14a–11(b)(10), which date shall be a reasonable time before the registrant mails its proxy materials for the meeting.

What is this talking about? Here’s a reminder from WilmerHale’s Keeping Current With Form 8-K:

Item 5.08 was adopted in connection with the SEC’s proxy access rules. The first sentence of Item 5.08(a) appears to be inoperative because it implements Rule 14a-11, which was vacated. However, the second sentence of Item 5.08(a) remains relevant, because it refers to Rule 14a-18, which remains in effect. Rule 14a-18 applies to a company that is required, by state or foreign law or the company’s governing documents, to include shareholder director nominees in its proxy materials.

So now it’s clear that an 8-K is to be filed under Item 5.08(a) within four business days after a company determines its anticipated meeting date if the company did not hold a prior year annual meeting or changed the annual meeting date by more than 30 calendar days from the previous year’s meeting AND is required to include shareholder director nominees in their proxy materials pursuant to state law, foreign law or the company’s governing documents (e.g., proxy access bylaw). This is helpful!

There were other fixes that were truly nits as well. Our more eagle-eyed members might appreciate these edits:

– Fixing the spelling of “indentures” in the heading of Item 601(b)(4) of Regulation S-K
– Replacing that errant “; and” with the appropriate period at the end of Item 5(a) of Part II of Form 10-Q

I’m curious! What’s your pet peeve error in the securities laws? Did it get fixed? Let me know at mervine@ccrcorp.com.

Meredith Ervine 

January 21, 2025

Tomorrow’s Webcast: “ISS Policy Updates and Key Issues for 2025”

Join us tomorrow at 2 pm Eastern for our “ISS Policy Updates and Key Issues for 2025” webcast to hear ISS’s Marc Goldstein, Davis Polk’s Ning Chiu & Jasper Street Partners’ Rob Main discuss what transpired in 2024, ISS’s policy updates for 2025 meetings, other trends and themes expected to impact the 2025 proxy season and emerging issues for the coming year and beyond. This is one of our annual favorites you won’t want to miss!

Members of this site are able to attend this critical webcast at no charge. If you’re not yet a member, try a no-risk trial now. Our “100-Day Promise” guarantees that during the first 100 days as an activated member, you may cancel for any reason and receive a full refund. The webcast cost for non-members is $595. You can sign up by credit card online. If you need assistance, send us an email at info@ccrcorp.com – or call us at 800.737.1271.

We will apply for CLE credit in all applicable states (with the exception of SC and NE which require advance notice) for this 60-minute webcast. You must submit your state and license number prior to or during the program using this form. Attendees must participate in the live webcast and fully complete all the CLE credit survey links during the program. You will receive a CLE certificate from our CLE provider when your state issues approval; typically within 30 days of the webcast. All credits are pending state approval.

This program will also be eligible for on-demand CLE credit when the archive is posted, typically within 48 hours of the original air date. Instructions on how to qualify for on-demand CLE credit will be posted on the archive page.

– Meredith Ervine

January 17, 2025

New Podcast Series! “Mentorship Matters with Dave & Liz”

I’m excited to announce the launch of “Mentorship Matters with Dave & Liz” – a new podcast series available to members of TheCorporateCounsel.net. Dave Lynn and I will be sharing our perspectives on mentorship and career development – which we hope can help those looking for guidance on their own career path, as well as those who are looking for ideas on how to support people who are newer to the field.

Dave and I will be sharing our own stories and interviewing people in the community. We look forward to building on the support to our members that we provide through The Mentor Blog – and adding to our many podcast offerings across our sites.

For our first episode, Dave and I covered:

1. Why to “think outside the box” about mentorship.

2. Other principles for finding and maintaining a successful mentorship relationship.

3. Mentorship stories from Dave and Liz.

4. Traits to look for in a mentor.

5. Why mentorship is a two-way street.

Check it out, and stay tuned for future episodes!

Liz Dunshee

January 17, 2025

SEC Approves NYSE’s “Compliance by Reverse Split” Rule Change

We blogged last fall about an NYSE rule proposal that would make it more difficult for companies to use repeated reverse stock splits to maintain compliance with continued listing standards. The SEC designated January 15th as the date by which it would either approve or disapprove, or institute proceedings to determine whether to disapprove, the proposed rule change. In the meantime, the NYSE amended its rule filing twice – here’s Amendment No. 2. The SEC didn’t receive any additional comments.

On January 15th, the SEC approved the rule change, as modified by Amendment No. 2, on an accelerated basis. Here’s more detail:

The Exchange now proposes to amend Section 802.01C to limit the circumstances under which a listed company that fails to meet the Price Criteria may be provided a compliance period under Section 802.01C. Specifically, the Exchange proposes that, notwithstanding the general ability of a listed company to utilize a reverse stock split as a mechanism for regaining compliance with the Price Criteria, if a listed company’s security fails to meet the Price Criteria and the company (i) has effected a reverse stock split over the prior one-year period or (ii) has effected one or more reverse stock splits over the prior two-year period with a cumulative ratio of 200 shares or more to one, then the company shall not be eligible for any compliance period specified in Section 802.01C and the Exchange will immediately commence suspension and delisting procedures with respect to such security in accordance with Section 804.00 of the Manual.

The Exchange also proposes to amend Section 802.01C to prohibit a listed company from effectuating a reverse stock split, for purposes of regaining compliance with the Price Criteria or otherwise, if the effectuation of such reverse stock split results in the company’s security falling below the continued listing requirements of Section 802.01A of the Manual (Distribution Criteria for Capital or Common Stock (including Equity Investment Tracking Stock)). If a listed company effectuates a reverse stock split notwithstanding this limitation, the company would not be eligible to follow the procedures outlined in Sections 802.02 and 802.03 of the Manual and the Exchange would immediately commence suspension and delisting procedures with respect to such security in accordance with Section 804.00 of the Manual.

Note that this new rule applies to a listed company even if the company was in compliance with the Price Criteria at the time of its prior reverse stock split.

Liz Dunshee

January 17, 2025

Enforcement: Section 17(a)(3) as a (Nearly) Automatic Charge

I blogged yesterday about an enforcement action in which the SEC brought charges under the negligence-based antifraud provision of Securities Act Section 17 (specifically, Section 17(a)(3)), based only on grants of restricted stock to directors under an equity incentive plan. I have usually not paid much attention to these charges in complaints because in many cases there is a larger population of award recipients, but this one jumped out at me.

A member reminded me that this is an easy charge for the Enforcement Division to tack on, because not only does it not require scienter, but it can be predicated on either an offer or a sale. Having a registration statement on file is considered an “offer” – and an S-8 is low-hanging fruit. Most public companies have an S-8 on file, so it’s common for Enforcement to add this to its list of charges in an action. (Even if the only people actually receiving awards were directors!)

Programming Note: In observance of Martin Luther King Jr. Day, we will not be publishing blogs on Monday. We’ll return Tuesday.

Liz Dunshee

January 16, 2025

SEC Enforcement Announces First “AI Washing” Case Against a Public Company

Earlier this week, the SEC announced what I am pretty sure is the first “AI washing” case against a public company. (Please correct me if I’m wrong – we like to keep a solid record here.) Here’s more detail:

According to the SEC’s order, Presto made false and misleading claims about Presto Voice in Commission filings and public statements from November 2021 through May 2023. The order found that Presto’s statements regarding the technology powering Presto Voice were misleading because Presto failed to disclose that, for a period of time, the AI speech recognition technology in all units of Presto Voice that the company had then deployed was owned and operated by a third party.

Subsequently, Presto did deploy Presto Voice units powered by its own AI speech recognition technology with certain customers, but it falsely claimed that its own AI product eliminated the need for human order-taking. In fact, the vast majority of drive-thru orders placed through this version of Presto Voice required human intervention. The SEC’s order also found that Presto misleadingly disclosed its reported rate of orders completed without human intervention using this technology.

The SEC had previously brought charges against two investment advisors earlier this year and against at least one former founder and CEO, relating to private fundraising activity. As Dave predicted last March, it was only a matter of time before we’d see an action against a public company. Outgoing SEC Chair Gary Gensler has been talking about “AI washing” quite a bit – and he shared disclosure tips for artificial intelligence topics back in September (see this Baker Donelson memo for additional insights on preparing AI disclosures).

With all that build-up, I was a little surprised to see that the remedy in this inaugural action was merely a cease-and-desist order. The SEC did not impose a civil penalty – even though the fact pattern included a lot of the SEC’s favorite enforcement topics. For example, the company was a de-SPAC, and – wait for it – the order says that the company had no disclosure controls and procedures:

During this time period, Presto had no established process for drafting, reviewing, or approving periodic or current reports required to be filed with the Commission. Although Presto adopted a policy for review of press releases in December 2023, it never implemented disclosure controls and policies and procedures for reviewing periodic or current reports required to be filed by the company. As a result, Presto did not have an established process to ensure that the information required to be disclosed in its filings was recorded, processed, summarized, and reported accurately, or that information required to be disclosed by the company was accumulated and communicated to Presto’s management for timely assessment and disclosure pursuant to applicable rules and regulations. The result of this failure is that no one at Presto was formally responsible for ensuring that the information disclosed in Presto’s Commission filings was accurate.

I’d like to think this is a sign of brighter days ahead when it comes to leniency for deficient DCPs. What’s more likely is that it was unrealistic to collect a fine here. The SEC said the company cooperated, and it has since deregistered.

In addition to our “Artificial Intelligence” Practice Area on this site for governance and disclosure issues, we have a new resource. If you’re looking for direction on other compliance issues arising from AI, cyber, and other emerging technologies, make sure to check out our new “AI Counsel” blog! John and Zachary are sharing best practices and providing alerts about evolving issues for front-line risk management and compliance professionals.

Liz Dunshee

January 16, 2025

Cybersecurity: Takeaways (& Surprises) From Latest SEC Enforcement Action

Earlier this week, the SEC announced settled charges based on disclosure a hospitality services company made about its investigation into a completed ransomware incident. Here’s more detail from the complaint:

[The company stated that the cybersecurity incident] resulted in “potential exposure of certain employee personal information.” Ashford went on to state, “[w]e have completed an investigation and have identified certain employee information that may have been exposed, but we have not identified that any customer information was exposed.”

Ashford, however, knew or should have known that, contrary to its public disclosures, customer information was exposed, because, as Ashford knew or should have known, the files exfiltrated in the September 2023 Cyber Incident did contain customer information, including but not limited to sensitive personally identifiable information (“PII”) and financial information for some of Ashford’s customers.

This will be one of the final – if not the final – cyber enforcement action announced under outgoing Chair Gary Gensler’s leadership, and we don’t know yet whether it will continue to be an area of focus. But for now, the settlement underscores the need to pay close attention to the details of any cybersecurity incident disclosure. Here are 4 reasons why:

1. The Enforcement Division pays attention to cyber disclosures, even if they are outside of the new(ish) line-item requirements. Here, the incident and initial disclosure occurred prior to the compliance date for reporting material cybersecurity incidents on Form 8-K. The disclosures appeared in the company’s discussion of litigation proceedings in its periodic reports, as well as in a risk factor in the company’s Form 10-K. Following the initial disclosure, the Staff reached out to the company to request additional information, which the company voluntarily provided, but it also continued to repeat the disclosure in subsequent filings until August 2024, when it removed language that it had “not identified any customer information was disclosed” and stated that it had notified affected individuals.

2. The investigation really dug into the terms and execution of the company’s incident response plan, in order to determine whether the company “knew or should have known” that the disclosure was materially false and misleading. In this case, the SEC said that the file names in the list suggested that the files contained sensitive customer information. For example, hundreds of file names contained titles such as “guest incident report” and “guest folio” with a corresponding customer name and/or date of their stay. However, when the company contacted employees whose departments maintained those files and asked them whether they kept customer PII, they did not have them review the file trees for the compromised data and apparently did not involve the employees in the incident response plan. The SEC said that had the employees seen the file tree, they would have known there was PII, and that the company’s response was inconsistent with its incident response plan.

3. As support for its allegation that the statements were material, the SEC cited to risk factor disclosure that said, “protection of business partners, employees and company data is critically important to [it].” (In other words, in addition to ensuring your cyber disclosure is accurate, it’s also important to vet language in your risk factors to ensure that you aren’t overstating the importance of particular issues.)

4. The allegedly problematic disclosures first appeared in a Form 10-Q filed in November 2023, which wasn’t that long ago, and the company is no longer a registered issuer. The SEC investigated and settled these charges rather quickly and pursued the settlement even though the company deregistered. It assessed a modest penalty of $115k, which took into account the company’s cooperation. The company didn’t admit or deny the allegations.

Lastly, it was interesting to note the charges tied to equity awards and a Form S-8 registration statement. In addition to charges under Section 13(a) of the Exchange Act, the SEC brought a charge under Section 17(a)(3) of the Securities Act, which prohibits engaging in any transaction “which operates or would operate as a fraud or deceit upon the purchaser.” The charge seems to be based on the company’s grants of stock and deferred stock to its directors under an equity incentive plan registered on Form S-8. As we’ve noted previously in the July-August 2021 issue of The Corporate Counsel newsletter (and elsewhere), the SEC’s Enforcement Division isn’t shy about claims based on Form S-8 registration statements, but it may still come as a surprise to some people that this charge was in play when the only “purchasers” in this case were directors who presumably had full information.

Side note: In footnote 2 of the 2018 concept release on compensatory security offerings, the SEC shed light on the parameters of the “no-sale” theory for compensatory grants. I didn’t dig into the details of the restricted stock grants in the case at hand, but it appears the SEC considered the directors to be “purchasers” – which implies that the “no-sale” position was a “no-go.” So, remember to be cautious if you are ever looking to rely on that theory.

Liz Dunshee

January 16, 2025

Cybersecurity: Putting “Board Oversight” Into Practice

If your company suffers a cybersecurity attack, one of the many things you may have to worry about is proving that your board did enough to prevent the incident in the first place. This Skadden memo explains how Delaware fiduciary duties apply to cybersecurity oversight – and suggests approaches to a few common areas of cyber risk:

First, in a world of expanding supply chain risks and “shadow IT,” boards should oversee company processes to track technology assets and understand associated threats. This could be satisfied, for example, via an IT asset mapping exercise, where the organization evaluates the location and interconnections among its various IT devices and networks to understand on what its IT systems depend and what is most critical. The board will want to ensure that management is aware of any technology blind spots, like unmanaged IT assets, and how the company addresses potential blind spots.

Second, regulators increasingly expect companies to adopt clear roles and responsibilities for cybersecurity and IT governance. The chain of command and authority should be clear and should ultimately route up to the board.

Third, boards need to understand to what extent their organization’s IT depends on other companies or specific pieces of technology. Several recent cases have highlighted the ways in which attacks on the software supply chain can have cascading effects far beyond the initial attack. In some sectors, such as financial services, regulators already expect boards to receive summaries or full reports of IT dependency that help pinpoint critical systems or third-party service providers.

If these three dimensions are not accounted for in a company’s governance procedures, officers and directors could face probing questions about the quality and sufficiency of their cybersecurity oversight.

The Skadden team notes that good records are critical to proving that the board acted in good faith to establish and monitor systems for cybersecurity risks, especially since plaintiffs are frequently using books and records demands as a prelude to litigation. They offer these recommendations:

– Consider delegating cybersecurity and data privacy oversight to a board committee and review that committee’s charter to consider specific cybersecurity language.

– Take steps to establish monitoring and compliance systems for cybersecurity issues and pay ongoing attention to them. This may include consulting legal counsel and other experts to identify where risks may arise and how best to monitor them.

– Directors should receive reports from management regarding internal and external cybersecurity events at whatever intervals make sense for a particular company.

– Coordinate with management and advisers regarding compliance with new cybersecurity disclosure rules and regulations.

– Given stockholders’ increasingly frequent demands to inspect corporate books and records as a prelude to litigation, boards should document their efforts and processes in sufficient detail to demonstrate the attention they have paid to understanding and overseeing risk and compliance systems and their responses to any cybersecurity issues that have arisen.

Liz Dunshee

January 16, 2025

SEC Monitoring Impact of California Wildfires

As expected, the SEC has announced that it’s monitoring the impact of the California wildfires on capital markets and lists contact info for the divisions that affected companies can call if they have questions. The announcement also warns against scams and links to summaries of what the DHS, FEMA, and the U.S. government are doing to help wildfire victims.

We continue to hope for the best for all of our members and friends who are affected by this disaster.

Liz Dunshee