October 10, 2016
“This Moment Is More Precious Than You Think”
I love this pic that I took in NYC recently, with apologies to those working on a federal holiday…although I’m working too, come to think of it…
– Broc Romanek
October 7, 2016
Recently, Senator Mark Warner wrote this letter (also see this article) to the SEC asking the agency to investigate whether Yahoo! adequately informed investors about its massive data breach – this focuses even more attention on a hot topic: cybersecurity disclosure. This Debevoise memo reviews the disclosure practices of Fortune 100 companies for data security breaches. Here are some of the key findings:
– Most Fortune 100 companies make initial disclosures about a cyber incident through their periodic reports, rather than on a current report Form 8-K.
– Periodic reports typically reflected the cybersecurity event in updated risk factors, sometimes by directly calling out the event and other times by revising risk factors in light of it, though without specific reference to the event.
– Disclosures were typically contained in the “risk factors” section of periodic filings. When disclosures did appear elsewhere, they were usually made in the financial statement footnotes, in MD&A, or – occasionally – in the discussion of legal proceedings or the business.
Board & CEO Views: What Makes a Good GC?
Recently, KPMG published these survey results that reveal how CEOs & boards perceive what makes a good general counsel. The answers suggest that the job requires a lot more than just being the company’s chief lawyer. Here are the five attributes that characterize a top GC:
– Business leader providing insightful commercial advice to the other senior executives and the board, based on sound legal principles.
– Risk manager being constantly alert to – and vigilant against – an increasingly broad array of global threats to the company, and handling them accordingly.
– Technology champion leading the change in mindset – from technology as a stand-alone, isolated specialism to the all-pervasive reality of doing business in the digital age.
– Key communicator adeptly handling communications with key stakeholders such as the board and investors, as well as effectively communicating with regulators and internal teams.
– Builder of corporate culture setting a tone of trust at the top & building a risk-aware culture in which compliance is not seen as a straitjacket, but as a source of competitive advantage.
If a GC’s Profile Increases, A Greater Risk to Privilege?
The changing role of today’s GC increases the risk to the attorney-client privilege. This recent blog by McDermott Will’s Michael Peregrine & Bill Schuman notes that the emerging best practice of giving the general counsel greater organizational prominence may create attorney-client privilege issues. Here’s an excerpt:
Despite its organizational benefits, the transformation of the general counsel’s role carries with it a significant potential cost. The challenges of attempting to attach the protections of the attorney-client privilege to business advice provided by the general counsel have long been acknowledged.
These challenges become more consequential as the general counsel’s internal communications increasingly extend to operational or strategic considerations, and not just purely legal matters. And the stakes are even higher now that the Justice Department and other enforcers have said they will hold accountable more individuals, for whom the privilege may be unavailable.
– John Jenkins
October 6, 2016
Yesterday, Corp Fin announced that it would no longer require companies to include “Tandy letter” representations in their responses to Staff comments. In a Tandy letter, a company essentially represents that it won’t raise the SEC’s comment process as a defense in securities litigation. In its announcement, Corp Fin makes clear that the absence of Tandy letter language doesn’t mean that the SEC’s posture on that position has changed.
The Staff began to require this language in all response letters in 2004, when it made all comment & response letters publicly available. Back then, Broc blogged about the Staff’s reasons for imposing that new requirement:
Before August 2004, the SEC Staff only required this language when the Staff had an open Enforcement inquiry related to a particular company – but this selective approach became unworkable when response letters became universally available.
The change is effective immediately – so if you have a comment letter that you haven’t replied to yet, Corp Fin says you can forget about the Tandy letter request that’s in it.
Wells Fargo: Is There A Caremark Claim?
This blog from Christine Hurt at “The Conglomerate” ponders whether the unfolding scandal at Wells Fargo might support a Caremark claim against the directors for shortcomings in oversight. Her answer? As usual, probably not:
So, we have illegal activity. The activity also does not seem isolated — over 5000 employees, possibly 2 million unauthorized accounts, over 500,000 unauthorized credit cards. However, the Caremark case involved the company paying civil damages of $250 million in 1995. Here, the fine is $185 million, which may be the largest fine levied by the brand-new CFPB, but isn’t that big in the scheme of things. If more charges are brought, that would strengthen the claim. I’m not sure I would be confident in a Caremark claim here, even though the activity is illegal and seems to be widespread.
Broc & John: Dodd-Frank Reform
Broc & I had a lot of fun taping our 3rd “news-like” podcast. This 6-minute podcast is about efforts in Congress to repeal Dodd-Frank & dinosaurs. I highly encourage you to listen to these podcasts when you take a walk, commute to work, etc. And as we tape more of these, it’s inevitable we’ll figure out how to be more entertaining…
This podcast is also posted as part of our “Big Legal Minds” podcast series. Remember that these podcasts are also available on iTunes or Google Play (use the “My Podcasts” app on your iPhone and search for “Big Legal Minds”; you can subscribe to the feed so that any new podcast automatically downloads)…

– John Jenkins
October 5, 2016
Here’s something that Alan Dye blogged last week on his “Section 16.net Blog”:
Last Friday, the SEC initiated cease & desist proceedings against three outside directors of a now-defunct public company, Moon River Studios, alleging that each director failed to file a Form 3 within ten days of becoming a director and also failed to report an initial acquisition of issuer stock on Form 4 within two business days or on a Form 5 for the year in which the acquisition occurred. Two of the directors consented to the entry of a cease and desist order and agreed to pay a civil money penalty of $25,000. The third director did not offer to settle.
The case is interesting mainly because the directors were not charged with violations of any other provisions of the federal securities laws, which is unusual given that most Section 16(a) claims (other than those that resulted from the 2014 “sweeps”) are add-ons to more serious claims, usually involving fraud. At the same time the SEC initiated the cease and desist proceedings, though, it also filed a fraud action against three of the issuer’s executive officers, alleging that they misappropriated funds for personal use rather than using the funds to build and operate, in Savannah, Georgia, “the largest movie studio in North America.”
The case is also interesting because two of the directors, both of whom served on the issuer’s board for only a short time, are politically connected. One of the settling directors, David Paterson, is a former governor of New York. The non-settling director, Matthew Mellon, is a former chairman of the New York Republican Party Finance Committee.
Both of the settling directors filed a Form 3 and a Form 4 after the SEC commenced its investigation and after resigning from the issuer’s board. The SEC noted in its orders that the respondents’ “remedial acts” and “cooperation” shaped the terms of settlement.
Failure to Report Unregistered Sales: New SEC Enforcement Actions
Here’s news from this blog by Steve Quinlivan:
On two successive days, the SEC brought settled enforcement actions against issuers for failure to report sales of unregistered securities. Under Item 1.01 of Form 8-K, a registrant must disclose its entry into a material definitive agreement, not made in the ordinary course of business of the registrant, that provides for obligations that are material to and enforceable against the registrant.
Under Item 3.02 of Form 8-K, certain unregistered sales of equity securities must be reported. Likewise, under Item 2 of Form 10-Q, a registrant must furnish the information required by Item 701 of Regulation S-K as to all equity securities of the registrant sold by the registrant during the period covered by the report that were not registered under the Securities Act unless it was previously included in a Current Report on Form 8-K.
Also check out this blog by Steve about the SEC suspending a Regulation A+ offering…
Insider Trading: Supreme Court Hears Arguments on “Personal Benefit”
This Paul Weiss memo notes that the Supreme Court will hear oral arguments today in Salman v. United States – a case that could have a major impact on insider trading law. Here’s an excerpt:
The question before the Court in Salman v. United States is technically a somewhat narrow one: whether a gift of confidential information to a trading friend or relative constitutes the type of personal benefit necessary to give rise to insider trading liability. The implications of the Court’s decision, however, will likely be far broader than that.
Salman provides the Court an opportunity to provide some much-needed clarity. It remains to be seen, however, whether the Court will try to limit its holding to the narrow set of facts presented or more broadly address the scope of the personal benefit requirement. The Court could even revisit the need for the personal benefit requirement altogether.
– John Jenkins
October 4, 2016
Following up on what Broc blogged about last week, Cooley’s Cydney Posner notes that Corp Fin has issued three new no-action letters addressing proxy access proposals – & so far, the play stands as called in H&R Block. The letters were issued in response to no-action requests from Microsoft, Cisco & WD-40.
In its responses, Corp Fin continues to refuse to concur in “substantial implementation” arguments for exclusion of shareholder proposals to amend existing access bylaws, but takes a different view on proposals relating to the initial implementation of those bylaws:
In one of the Corp Fin responses to no-action requests posted yesterday, the shareholder proposal requested adoption of amendments to the company’s existing proxy access bylaw, identifying in the proposal specific changes characterized as essential elements for substantial implementation. The request for no-action suffered the same fate as H&R Block, as Corp Fin was unable to concur that the proposal to amend could be excluded under Rule 14a-8(i)(10). As of now, the score for proposals to amend existing proxy access bylaws for H&R Block and progeny: company-0 proponent-2.
However, where the proposal related to initial adoption of proxy access, Corp Fin has continued to grant no-action relief and permit exclusion, even where the proponent has identified specific elements of the proposal that he views to be essential.
There are still two no-action requests from Oshkosh & Walgreens Boots Alliance that are awaiting a response from the Staff that could impact the Rule 14a-8(i)(10) analysis.
Audit Committees: More Voluntary Disclosure in 2016
According to this EY study, voluntary audit-related disclosure by Fortune 100 audit committees continued to trend upward during 2016. Here’s a summary of some key findings:
– 50% of companies disclosed factors considered by the audit committee when assessing the qualifications & work quality of the external auditor, up from 42% in 2015. In 2012, only 17% of audit committees disclosed this information.
– 73% of companies disclosed the audit committee’s belief that the choice of external auditor was in the best interests of the company or shareholders; in 2015, this percentage was 63%. In 2012, only 3% of companies made this disclosure.
– The audit committees of 82% of the companies explicitly stated that they are responsible for the appointment, compensation & oversight of the external auditor; in 2012, only 42% of audit committees provided such disclosures.
– 31% of companies provided information about the reasons for changes in fees paid to the external auditor compared to 21% the previous year. From 2012 to 2016, the percentage of companies disclosing information to explain changes in audit fees rose from 9% to 31%.
– 53% of companies disclosed that the audit committee considered the impact of changing auditors when assessing whether to retain the current auditor. This was a 6 percentage point increase over 2015. In 2012, this disclosure was made by 3% of the Fortune 100 companies.
– Over the past five years, the number of companies disclosing that the audit committee was involved in the selection of the lead audit partner has grown dramatically, up to 73% in 2016. In 2015, 67% of companies disclosed this information, while in 2012, only 1% of companies did so.
– 51% of companies disclosed that they have three or more financial experts on their audit committees, up from 47% in 2015 and 36% in 2012.
T+2 Proposal: Will Firm Commitments Have to Toe the Line?
Broc recently blogged about the SEC’s proposal to move to a T+2 settlement cycle. Now Brian Pitko blogs that the proposal creates uncertainty about whether the exception provided under the current T+3 regime for firm commitment offerings will continue. Here’s an excerpt:
As currently formulated, Rule 15c6-1 provides an exception under Rule 15c6-1(c) for “firm commitment offerings registered under the Securities Act or the sale to an initial purchaser by a broker-dealer participating in such offering” which allows such offerings to rely on an extended T+4 settlement cycle instead of the standard T+3 settlement.
The proposed rules, however, seek comment on whether the settlement cycle timeframe under Rule 15c6-1(c) should be similarly shortened to T+3 or T+2 in conjunction with the broader proposed change to Rule 15c6-1 and how such changes would impact “risk, costs or operations of retaining the current provision for firm commitment offerings but shortening the settlement cycle to T+2 for regular-way transactions, as proposed.”
– John Jenkins
October 3, 2016
Steve Quinlivan recently blogged about the SEC’s second whistleblower retaliation case – the first was 2014’s Paradigm proceeding. Here’s an excerpt describing the facts behind the latest action:
Shortly after his favorable 2014 mid-year review, the whistleblower raised concerns to his managers, to the company’s internal complaint hotline, and to the SEC that IGT’s publicly-reported financial statements may have been misstated due to IGT’s cost accounting model relating to its used parts business. As part of the whistleblower’s job function, he had been tasked with evaluating the pricing methodology for used parts used by IGT, but he did not oversee the company’s accounting functions.
IGT conducted an internal investigation with the assistance of outside counsel and determined that its reported financial statements contained no misstatements. Approximately three months after the whistleblower raised his concerns, IGT terminated him.
The SEC did not appear to find fault with the company’s accounting, so the proceeding underscores the fact that a whistleblower doesn’t have to be right to be protected.
As this Orrick memo notes, the SEC also tagged AB Inbev last week for confidentiality language in a separation agreement that did not contain a carve-out for SEC communications. The SEC believed that the absence of this language in the confidentiality provision impeded the whistleblower from communicating directly with it.
Webcast: “Board Refreshment & Recruitment”
Board diversity will be one among many topics during tomorrow’s webcast – “Board Refreshment & Recruitment” – in which Wilson Sonsini’s Lydia Beebe, Davis Polk’s Ning Chiu, Spencer Stuart’s Julie Daum, South Jersey Industries’ Gina Merritt-Epps and Global Governance Consulting’s Susan Wolf will analyze the latest director recruitment and board evaluation practices. The webcast topics include:
1. When & how should boards be planning for succession in advance of any vacancies
2. What are investors looking for in terms of board refreshment
3. Should retirement age/ term limits be used as tools to help the process
4. What skills are boards looking for as they recruit new members
5. How does the increasing push for diverse boards play into recruitment – what is the controversy over diversity disclosure
6. What roles do director evaluations play in board refreshment processes and what are some of the leading practices (3rd party vs. peer evals, etc.)
Our October Eminders is Posted!
We have posted the October issue of our complimentary monthly email newsletter. Sign up today to receive it by simply inputting your email address!
– John Jenkins
September 30, 2016
On Wednesday, the SEC proposed shortening the standard settlement cycle for most market transactions from 3 business days after the trade date to just two – known as “T+2” (here’s the 148-page proposing release). A significant number of European countries already use T+2 – & the SEC’s Investor Advisory Committee is already clamoring for T+1!
Technology keeps enabling further reductions in the settlement cycle. I remember back in the day when moving off of “T+5” was a big deal…
More on “Auditor Independence: SEC Settles 1st Violation Caused By Personal Relationships”
Last week, I blogged about the SEC’s first enforcement action against an auditor – EY – for auditor independence violations due to personal relationships. This blog by Davis Polk’s Ning Chiu raises the question about how this impacts the clients of the auditor (also see this blog). Here’s an excerpt:
EY’s policies require activities with clients to include a “valid business purpose” with expectations that “meaningful business discussions” will take place and forbade gifts or hospitality that are beyond what is customary. The SEC, however, still faulted the audit firm for ignoring various red flags, such as the fact that two senior EY partners noted back in 2012 that the coordinating partner’s expense spending was double that of the next highest individual but did not investigate, and there were no follow-up responses to the issuer’s questions about the expenses it was billed in 2014.
EY already had policies and procedures assessing their employees’ independence from audit clients, which included training and certification and addressed possible familial, employment and financial relationships that are expressly prohibited under SEC rules. As part of the remedial efforts from both cases, additional procedures have been instituted that will require the audit firm’s engagement team members to ask management of an issuer whether they are aware of any “close relationships” between members of the audit engagement team and any individuals employed by “or associated with” the issuer.
Also note the SEC’s Enforcement Director – Andrew Ceresney – recently gave this speech on auditors & auditing.
Auditor Independence: PwC Settles $5 Billion Lawsuit
Speaking of auditor independence, Francine McKenna has been writing about the $5 billion lawsuit against PwC that was settled recently. Here’s an excerpt from this blog:
Right now I’d like to take an opportunity to document some interesting information about how the financial side of the firms, in this case PwC, works. Because the TBW v. PwC case went to trial, and a verdict could have included an assessment of punitive damages, we witnessed a highly illuminating series of motions and partial disclosures about PwC’s finances and how they manage them. This kind of information has not been made public by any Big 4 firm in a potential “tipping point” case for at least thirty years.
– Broc Romanek
September 29, 2016
As noted in this NY Times article, MarketWatch article and Reuters article, CEO John Stumpf and the (now former) head of community banking for Wells Fargo have agreed to forfeit unvested equity awards to the tune of $41 million and $19 million, respectively (the CEO also agreed to forgo bonuses for this year and not to draw any salary while an internal investigation is ongoing). These actions by the board more than effectuate what the company’s clawback policy would have otherwise required. The look of clawbacks going forward, perhaps? Here’s the related Form 8-K that Wells Fargo filed yesterday.
Here are five notable items:
– The board was able to impose an “unvested equity” clawback that was much easier than clawing back dollars/stock that had already been delivered into the executive’s hands.
– Avoids possible need for the executive to amend past tax returns & file for a credit under Code Section 1341 (which Mike Melbinger has discussed in a few blogs).
– Necessary PR move, as the board was under a lot of pressure to show responsiveness. This came at little immediate cost to the company or the CEO (merely cancelling unvested equity awards for Stumpf). In theory, these forfeited awards could be made up in the future.
– We’ll see whether this situation leads to a restatement for the company. So far, news reports suggest it’s immaterial to the company’s financials. “Restatement” is such a subjective term as the numbers of “formal” restatements – those deemed material enough for an Item 4.02 8-K – are way, way down. In comparison, revision restatements (stealth?) are over 70% of all restatements now.
– Maybe a good lesson for drafting future clawback policies: don’t provide for a clawback triggered only upon a restatement…
Members of CompensationStandards.com might want to check out this blog that I posted yesterday: “Does Wells Fargo Prove That All This Governance Stuff Is Just a Charade?”…
Our Executive Pay Conferences: Only 3 Weeks Left! Clawbacks will be tackled during our upcoming “Tackling Your 2017 Compensation Disclosures: Proxy Disclosure Conference” & “Say-on-Pay Workshop: 13th Annual Executive Compensation Conference” to be held October 24-25th in Houston and via Live Nationwide Video Webcast. Here are the agendas – 20 panels over two days.
Register Now: Huge changes are afoot for executive compensation practices with pay ratio disclosures on the horizon. We are doing our part to help you address all these changes – and avoid costly pitfalls – by offering a reasonable rate to help you attend these critical conferences (both of the Conferences are bundled together with a single price). So register now.
SEC’s ALJs: SCOTUS Denies Cert
Speaking of Enforcement, the US Supreme Court denied cert a few days ago in the Tilton case that challenged the SEC’s ALJ system…
SEC’s Simplification Proposal: Comment Deadline Extended
The SEC has extended the deadline for comments for its disclosure simplification proposal to November 2nd. Here’s the comments received so far…
– Broc Romanek
September 28, 2016
Here’s a blog that Mike Melbinger recently wrote on CompensationStandards.com: It’s September, welcome back to “school”. As we all begin to prepare for setting 2017 compensation and the 2017 proxy season, among the issues that executives and compensation professionals should consider – and consider raising with compensation committees – is the subtle change ISS made to its policies for executive compensation early this year. This change appeared in the January 2016 FAQs, but that was too late for most companies to do anything about it. However, the change will be fully effective for the upcoming proxy season.
65. Would a legacy employment agreement that is automatically extended (e.g., has an evergreen feature) but is not otherwise amended warrant an adverse vote recommendation if it contains a problematic pay practice?
Automatically renewing/extending agreements (including agreements that do not specify any term) are not considered a best practice, and existence of a problematic practice in such a contract is a concern. However, if an “evergreen” employment agreement is not materially amended in a manner contrary to shareholder interests, it will be evaluated on a holistic basis, considering a company’s other compensation practices along with features in the existing agreement.
Companies and committees should be conscious of the fact that ISS is taking a firmer approach to problematic pay practices in “grandfathered” agreements, including “evergreen” agreements with problematic pay practices. In fact, the 2016 U.S. Executive Compensation Policies, Frequently Asked Questions, does not include the phrase “grandfathered.”
Whistleblowers: You May Need to Review Severance & Other Agreements
Speaking of changes to agreements, these memos posted in our “Whistleblowers” Practice Area give similar advice to this excerpt from Bryan Pitko’s blog:
As part of the settlement, the company agreed to amend its severance agreements to make clear that employees may report possible securities law violations to the SEC and other federal agencies without prior approval and without having to forfeit any resulting whistleblower award, and make reasonable efforts to contact former employees who had executed severance agreements, following the adoption of the whistleblower rules, to notify them that former employees are not prohibited from providing information to the SEC staff or from accepting SEC whistleblower awards. The defendant did not admit or deny the SEC findings in the enforcement action.
The terms of recent settlements should serve as a reminder to any company that falls within the SEC’s enforcement jurisdiction (a significantly broader group than just public companies) to consider including provisions in severance and confidentiality agreements to explicitly provide that an employee may communicate with the SEC (and other federal agencies) about potential securities law violations without company approval (notwithstanding other confidentiality and disclosure obligations in the agreement). Likewise, for pre-existing severance and confidentiality agreements with employees, companies should consider broad communications highlighting that any agreements with former employees will not be interpreted as restricting such former employee’s ability to provide information to the SEC or accept SEC whistleblower awards.
Whistleblowers: Sean McKessy Lands at Whistleblower Speciality Firm
Recently, the SEC’s first Chief of its Whistleblower Office – Sean McKessy – announced he was leaving. He has now landed at Phillips & Cohen, a law firm that specializes in helping whistleblowers. Jane Norberg was promoted today to Chief of the SEC’s Whistleblower office – she served as the Deputy under Sean…
As noted in Ning’s blog, the SEC’s Enforcement Director – Andrew Ceresney – recently gave this speech about the agency’s whistleblower program – including some interesting data. Ceresney also gave this recent speech on auditors & auditing…
– Broc Romanek
September 27, 2016
Here’s an excerpt from this “D&O Diary Blog” about how few companies are disclosing cybersecurity & data breach incidents in their SEC filings (which could be a concern for investors – and for D&O underwriters):
According to a September 19, 2016 Wall Street Journal article entitled “Corporate Judgment Call: When to Disclose You’ve Been Hacked,” notwithstanding the long-standing SEC disclosure guidelines, companies are being hacked more frequently but are not disclosing these incidents in their periodic reports to the SEC. The article cites a recent Audit Analytics report, in which the firm reviewed the filings of nearly 9,000 reporting companies during the period January 2010 to the present. The report found that only 95 of these companies had informed the SEC of a data breach. However, according to the Privacy Rights Clearinghouse, the number of data breaches during that period experienced by all U.S. businesses – including both public and private companies – totaled 2,642.
The most important consideration accounting for this apparent discrepancy is the question of “materiality.” If the company believes that the incident or incidents it experienced are not “material” within relevant reporting obligation standards, then, many companies apparently are concluding that they have no obligation to report the incident.
Significantly, while only a small number of companies have reported cyber incidents in their periodic reports, a greater number are reporting data breaches and other incidents to other regulators. The Journal article cites the Audit Analytics report as stating that about 300 publicly traded U.S. companies have reported cybersecurity incidents to a state regulator or directly to affected consumers over the past six years.
Obviously, whether or not any potentially reportable item is “material” and therefore subject to disclosure is a judgment call of a type that corporate officials have long been called upon to make. The concern is that these types of judgment calls can be subject to hindsight scrutiny. In that regard, it is probably worth noting that to date the SEC has not yet brought a regulatory enforcement action against a company that failed to disclose a cyberincident – but, the Journal article notes, SEC officials “have not ruled out doing so.”
Disclosing “Risks”: Breaking Down Apple’s Tax Uncertainties
This blog by the “SEC Institute” does a great job of analyzing the various ways that Apple discloses the “uncertainties” related to its international tax situation, including risk factors, MD&A and financial statement disclosures…
Tomorrow’s Webcast: “Middle Market Deals – If I Had Only Known”
Tune in tomorrow for the DealLawyers.com webcast – “Middle Market Deals: If I Had Only Known” – to hear Joe Feldman of Joseph Feldman Associates talk about how to best avoid post-closing deal surprises for a mid-market deal. Please print these “Course Materials” in advance.
– Broc Romanek