The September-October Issue of the Deal Lawyers newsletter was just sent to the printer. It is also available now online to members of DealLawyers.com who subscribe to the electronic format. This issue’s article “Delaware’s Recent Controlling Stockholder Decisions” discusses recent cases that address:
– Identifying when a transaction involves a controlling stockholder;
– The standards of conduct and review applicable to a controller’s exercise of its voting power;
– The application of the entire fairness standard in transactional and nontransactional settings; and
– The procedural protections necessary to permit a controller transaction to be subject to review under the business judgment rule.
The Deal Lawyers newsletter is always timely & topical – and something you can’t afford to be without to keep up with the rapid-fire developments in the world of M&A. If you don’t subscribe to Deal Lawyers, please email us at sales@ccrcorp.com or call us at 800-737-1271.
I was lucky enough to stay in San Francisco for an extra day after our 2024 Proxy Disclosure & 21st Annual Executive Compensation Conferences to attend some sessions of the National Association of Stock Plan Professionals (NASPP) Annual Conference and Exhibition. During a panel featuring Alan Dye of Hogan Lovells and Section16.net and NASPP’s Executive Director Barbara Baksa on “Section 16 & Insider Compliance Today,” I was reminded of just how many things public companies, investment fund administrators, individuals (Section 16 officers and directors) and filing agents will need to do to prepare for EDGAR Next.
Luckily, shortly after the Conferences, Cooley released this helpful Q&A detailing next steps. After an overview of the changes, which Dave addressed when adopted, the alert dives into key dates:
– Compliance with EDGAR Next will be required on September 15, 2025.
– Starting on March 24, 2025, the EDGAR Filer Management dashboard will go live, and filers may begin to enroll on the dashboard, while still being able to file pursuant to the legacy filing process.
– Legacy filing processes on EDGAR will continue to be available through September 12, 2025.
– Also starting on March 24, 2025, compliance with the amended Form ID, which must be submitted through the dashboard, will be required.
– Filers may continue to enroll in the dashboard until December 19, 2025. Beginning December 22, 2025, filers that have not enrolled in EDGAR Next or received access through submission of an amended Form ID will be required to submit an amended Form ID to request access to their existing accounts.
– A beta software environment for filer testing and feedback is open now. The beta includes a new EDGAR Filer Management website, a secure dashboard and beta versions of the APIs.
As you start to consider your 2025 to-do list, here are the alert’s suggestions for what companies should be doing to prepare:
– All individuals who make submissions on behalf of a company or its Section 16 officers and directors, or who manage their SEC codes, should obtain Login.gov account credentials well before March 24, 2025. This most likely will include members of the corporate secretary’s office and the financial reporting team.
– Take advantage of the beta environment to get familiar with the new dashboard. Login.gov credentials are required for access.
– Develop a process by which the company and its Section 16 officers and directors will authorize individuals to serve as account administrators. This could include powers of attorney from Section 16 filers or a less formal form of authorization. Once authorized, account administrators will be able to manage Section 16 filers’ EDGAR account on the dashboard, adding other account administrators, users and technical administrators and delegating authority to file, as needed.
– Update onboarding processes for new Section 16 officers and directors to include designating an account administrator(s) in the amended Form ID. Starting March 24, 2025, the amended Form ID becomes effective and must be submitted by an account administrator through the dashboard.
– Ensure central index keys (CIKs), CIK confirmation codes (CCCs), passphrases and passwords are current for the company and all Section 16 officers and directors. … All EDGAR access codes under legacy EDGAR – including passphrases, passwords and password modification authorization codes – will be deactivated on September 15, 2025.
– Determine when the account administrator will enroll the company and Section 16 officers and directors in the new dashboard. For year-end companies, it is suggested to commence enrollment after the year-end reporting cycle is completed, but well before the September 15, 2025, compliance date.
– Determine which account administrator will be responsible for the annual confirmation and add the annual confirmation into year-end reporting processes.
This FCLTGlobal article reports the results of a survey of IR professionals on quarterly guidance practices. It concludes with this advice: “For companies still issuing quarterly guidance, even though it’s not required, nobody truly wants it, and it’s bad for your stock price, it’s time to start considering alternative ways to communicate with your investors.” The survey of US companies found that only 19% continue to provide quarterly guidance.
I don’t think it’s a surprise to our readers that this practice has been trending downward over the years. I was actually surprised at how much quarterly guidance rebounded coming out of 2020, although it just continued a steady decline from there. But the most surprising result to me was that 9% of respondents believe it’s legally required. I guess that shouldn’t come as such a shock; it does seem to be a common misconception that some sort of guidance is required to be provided to the market. The article debunks that and a few other myths about quarterly guidance.
– Myth: It’s Good for the Stock. Research shows that quarterly guidance actually increases volatility and negatively impacts stock price.
– Myth: Investors Want It. Most large institutional investors don’t want quarterly guidance since they are generally holding for 2 to 4 years, not quarters.
– Myth: Everyone Is Doing It. Data (both from this survey and elsewhere) shows quarterly guidance is no longer “in vogue.”
I’m not so sure that the move from quarterly to annual guidance with quarterly updates really does much to move the needle on the age-old issue of short-term focus versus long-term focus. In fact, back in 2021, McKinsey argued that, for most companies, long-term guidance should mean “three-year targets (at a minimum) for revenue growth, margins, and return on capital.”
At our 21st Annual Executive Compensation Conference, Compensia’s Mark Borges discussed how granular SEC disclosure review staff comments have gotten on second-year pay-versus-performance disclosures and walked through some surprising comments where the SEC staff had clearly recalculated numbers and identified errors. I shared lessons from these comment letters on The Advisors’ Blog on CompensationStandards.com in early October. Here are those takeaways:
We knew from Corp Fin staff statements earlier this year that the disclosure review team might take a more detailed approach to reviewing year two PvP disclosures. So we were all warned that 2024 comments may delve into disclosure details and require you to respond with an analysis. We’re now starting to see that play out with new PvP comment letters recently becoming public. Here are some high-level thoughts about the comments and correspondence we’ve seen so far:
– Consistent with recent staff comments, the comment letters clarify that stating that no relationship exists (even if a particular measure is not used in setting compensation) isn’t compliant with Item 402(v)(5)(ii) — especially where a relationship may exist. The staff has stated that graphical depictions are useful. That seems particularly true when a registrant is struggling to provide narrative disclosure.
– The staff is comparing PvP table disclosures with the Tabular List and comparing PvP table components with numbers in the audited financial statements.
Multiple comment letters take issue with companies using the phrase “year-over-year” when describing the adjustment for the fair value of equity awards that vested during the year. In one case, the company was calculating CAP correctly and committed to providing more precise/descriptive headings in the reconciliation tables in footnotes to the PvP table in the future.
In another case, the staff commented on a company’s failure to present CAP calculations in a footnote. The staff could nonetheless tell from the Summary Compensation Table that the company was subtracting “All Other Compensation” from the SCT Total to calculate CAP and reminded the company of the specific adjustments required by the rule (relating to defined benefit and actuarial pension plan and stock and option award amounts).
– The staff is comparing the company’s stock performance graph. They are also reminding registrants of the need to list all the companies comprising the peer group if the company doesn’t use a published industry or line-of-business index.
– In one comment, the staff took the position that companies shouldn’t be taking advantage of Regulation S-K CDI 128D.03 and limiting footnote reconciliation disclosures to the most recent fiscal year if CAP values reported for prior years were revised in the latest proxy statement to correct errors.
Clearly the staff is indeed taking a detailed look at disclosures and diving into the calculations of CAP to confirm adjustments were made appropriately. In some cases, the calculation issues were actually related to transcription or calculation errors — pulling the wrong numbers from the SCT, failing to provide an average or improperly rounding. While Corp Fin didn’t hold up annual meetings and companies have generally committed to changes in future proxy statements (for a notable example, see this cursory response by Berkshire Hathaway), a clear takeaway here is to have your PvP numbers checked and rechecked by folks who know what values the table should be reporting.
Yesterday, the SEC announced charges against four current and former public companies for allegedly making materially misleading disclosures regarding cybersecurity risks and intrusions — all arising from the SEC’s investigation of public companies that were potentially impacted by the compromise of SolarWinds’ Orion software. The companies agreed to pay civil penalties ranging from $990,000 to $4 million. One company was also charged with disclosure controls and procedures violations. Here’s more from the announcement:
According to the SEC’s orders, Unisys, Avaya, and Check Point learned in 2020, and Mimecast learned in 2021, that the threat actor likely behind the SolarWinds Orion hack had accessed their systems without authorization, but each negligently minimized its cybersecurity incident in its public disclosures. The SEC’s order against Unisys finds that the company described its risks from cybersecurity events as hypothetical despite knowing that it had experienced two SolarWinds-related intrusions involving exfiltration of gigabytes of data. The order also finds that these materially misleading disclosures resulted in part from Unisys’ deficient disclosure controls.
The SEC’s order against Avaya finds that it stated that the threat actor had accessed a “limited number of [the] Company’s email messages,” when Avaya knew the threat actor had also accessed at least 145 files in its cloud file sharing environment. The SEC’s order against Check Point finds that it knew of the intrusion but described cyber intrusions and risks from them in generic terms. The order charging Mimecast finds that the company minimized the attack by failing to disclose the nature of the code the threat actor exfiltrated and the quantity of encrypted credentials the threat actor accessed.
Quotes from the SEC staff emphasized the importance of not downplaying the extent of a cybersecurity breach and that corporate victims of cyberattacks must not “further victimize their shareholders or other members of the investing public by providing misleading disclosures.”
The enforcement announcements are clearly still rolling in — in the new fiscal year! — so you won’t want to miss our upcoming webcast “SEC Enforcement: Priorities and Trends” at 2 pm ET on Wednesday, November 13, featuring Hunton’s Scott Kimpel, Locke Lord’s Allison O’Neil and Quinn Emanuel’s Kurt Wolfe. They’ll discuss the following topics, among others:
– SEC Enforcement Activities in 2024 and Priorities for 2025
– Implications of Jarkesy for SEC’s Enforcement Program
– Monetary and Non-Monetary Penalties
– Accounting and Disclosure Actions
– Actions Targeting “Internal Controls”
– Self-Reporting and Cooperation Credit
– Coordination with DOJ Investigations
Commissioners Peirce and Uyeda’s joint dissenting statement — taking the position that the SEC is regulating by enforcement with these settlements and citing immaterial, undisclosed details to support the charges — is worth a standalone blog. First, it thoroughly discusses the disclosures and omissions the SEC considered to be problematic and why the Commissioners don’t believe these altered the ‘total mix’ of information.
With respect to Avaya, the Commission highlights “the likely attribution of the [cyberattack] to a nation-state threat actor” as an example of omitted material information. [I]n its 2023 rulemaking on cybersecurity incident disclosure (the “2023 Cybersecurity Rule”), neither investors nor the Commission expressed a view that the identity of the threat actor is material information … Not a single one of the 150-plus comment letters submitted on the proposal requested disclosure of the identity of the threat actor. …
Although the Form 8-K requirements for disclosing material cybersecurity incidents, which were adopted as part of the 2023 Cybersecurity Rule, did not yet apply to Mimecast, it filed three Form 8-Ks related to the intrusion of the Orion software on its network. In the third Form 8-K, Mimecast filed its three-page incident report for the cyberattack as an exhibit. Mimecast’s efforts to inform its investors would not be rewarded; the Commission finds fault with its disclosures. …
The Commission highlights Mimecast’s failure to disclose that “the threat actor had accessed a database containing encrypted credentials for approximately 31,000 [of 40,000] customers.” … Mimecast disclosed, without providing a percentage or number, that encrypted customer credentials had been accessed. …
With respect to disclosure of exfiltrated source code, Mimecast stated in its incident report that the threat actor had downloaded a “limited number” of its source code repositories but the company believed that the downloaded code was “incomplete and would be insufficient to build and run any aspect of the Mimecast service.” The Commission finds that these statements were materially misleading because Mimecast did not disclose that the threat actor had exfiltrated “58% of its exgestion source code, 50% of its M365 authentication source code, and 76% of its M365 interoperability source code, representing the majority of the source code for those three areas.” … Similar to the Avaya case, such information is “details regarding the incident itself” that do not need to be disclosed.
Next, the dissent highlights how the issues identified in the enforcement action may shape disclosure under Item 1.05 of Form 8-K.
Companies reviewing today’s proceedings reasonably could conclude that the Commission will evaluate their Item 1.05 disclosure with a hunger for details that runs contrary to statements in the adopting release. To avoid being second-guessed by the Commission, companies may fill their Item 1.05 disclosures with immaterial details about an incident, or worse, provide disclosure under the item about immaterial incidents. The Commission staff has already identified the latter practice as an issue, and today’s proceedings may exacerbate the problem.
Finally, do go read the full dissent for its detailed discussion of the enforcement actions involving hypothetical and generic risk factors — drawing parallels to portions of the SolarWinds case that were dismissed and raising concerns that bringing “hypothetical” risk factor charges may result in companies including immaterial, specific disclosures in risk factors just to avoid these types of charges.
In late September, John blogged about the latest Regulation FD enforcement action, which arose out of the use of a social media account of the CEO of DraftKings to disseminate material non-public information about the company. This Freshfields blog has some timely reminders on Regulation FD in light of this enforcement action.
First, social media channels do not automatically constitute “broad dissemination” but may — if the company takes certain steps.
In its guidance from 2013, the SEC made clear that dissemination of information through social media (without more) does not constitute broad dissemination of this information. Pursuant to that guidance, companies may disclose MNPI through social media channels only if sufficient steps were taken to alert investors and the market that such social media channels will be used for the dissemination of MNPI. Methods of appropriate notice could be references to such social media channels in their periodic reports or press releases.
Second, prompt broad dissemination is appropriate when a company discovers an unintentional selective disclosure — although the initial disclosure may still be a Regulation FD violation.
Under Regulation FD, if a company unintentionally selectively discloses MNPI, it should remediate the violation by broadly disseminating the information “promptly.” For purposes of Regulation FD, promptly means “as soon as reasonably practicable (but in no event after the later of 24 hours or the commencement of the next day’s trading on the New York Stock Exchange) after a senior official of the issuer… learns that there has been a non-intentional disclosure by the issuer or person acting on behalf of the issuer of information that the senior official knows, or is reckless in not knowing, is both material and nonpublic.”
KPMG recently released the latest edition of its CEO Outlook analyzing insights shared by over 1,300 CEOs at large companies globally. The survey shows that, in today’s environment, CEOs are primarily focused on “anticipating and staying ahead of compound volatility…strategically allocating capital to address near-term risks such as cyber and geopolitics that can cause abrupt business disruption in the short term, while making long-term investments in generative artificial intelligence and mergers and acquisitions to spur future growth.” KPMG coined this term “compound volatility” which it describes as “the combination of near-term risks to growth and the structural changes to the US economy that raise the cost of doing business with little margin for error on strategy development and execution.”
– 78% of CEOs were confident in their company’s growth prospects over the next three years
– Top risks identified were cost of living, cybercrime, cybersecurity and talent
– 70% of CEOs identified GenAI as a top investment priority, particularly in IT, sales and marketing and finance and accounting
– 72% said GenAI won’t significantly impact the number of jobs but will require upskilling
One of the biggest changes in survey responses year-over-year relates to return-to-office plans. This year, almost 80% of CEOs envisioned a full return to office over the next three years (up from only 34% saying so a year ago).
Speaking of “compound volatility,” this summer KPMG also released an in-depth guide to accounting for economic disruption with guidance on how various balance sheet and income statement line items and other disclosures may be impacted. KPMG encourages management teams to be proactive when it comes to considering how volatility impacts their financial statements and financial reporting:
During periods of economic disruption, it is crucial for companies to promptly identify the potential financial statement impacts and consider the accounting and disclosure consequences. Regulators place a strong emphasis on high-quality financial reporting during these times and closely scrutinize the sufficiency and timeliness of related disclosures. Transparency becomes particularly important, especially when it comes to estimation uncertainties and the underlying basis for critical judgments used in financial reporting.
The guide has chapters on:
– Revenue
– Financial assets, derivatives & hedging
– Inventory
– Goodwill and indefinite-lived intangibles
– Long-lived assets, leases and equity method investments
– Liabilities
– Compensation and benefits
– Income taxes
– Financial statement presentation, disclosures & MD&A
Each chapter starts with a description of how the relevant topic may be impacted by economic disruption and lists example questions to consider, with cross-references to the sections that address each question. Here’s an excerpt on compensation and benefits:
In response to economic disruption, companies may take actions related to compensation and benefits that have an impact on financial reporting. Examples include:
– providing revised or new compensation arrangements;
– evaluating existing compensation arrangements to determine if any specific terms, conditions or estimates have been affected;
– making modifications to compensation and benefit arrangements; and
– taking workforce actions that could result in pension or postretirement curtailments or settlements, or the need to pay severance and other postretirement benefits.
The following are example questions to consider that are specific to economic disruption and the potential impact to compensation and benefits and associated accounts (not exhaustive).
– Have either of the following related to share-based payments been affected: the probability assessment for performance-based awards; and/or the volatility input used to value awards on the grant date?
– Have any share-based payment awards been modified (e.g. changes to vesting criteria or strike price) and/or are discretionary clauses or claw back provisions starting to be included in awards?
– Have termination benefits (voluntary or involuntary) been offered or implemented?
– Has a significant event occurred (e.g. plan amendment, curtailment or termination) that could cause an interim remeasurement of defined benefit pension or postretirement plan assets and obligations?
– Have new or revised sick leave or paid time off policies been implemented or have furlough arrangements been offered to employees?
In the latest “Understanding Activism with John & J.T.” podcast, John and Orrick’s J.T. Ho were joined by Jim McRitchie, one of the leading voices in retail investor activism. Topics covered during this 37-minute podcast include:
– Collaboration among investors to influence corporate governance
– Top retail investor priorities for next year’s proxy season
– Deciding which companies receive shareholder proposals
– Measuring a proposal’s success
– Important factors in deciding whether to settle a proposal
– How companies can respond constructively to shareholder proposals
– How investors can maximize their ability to influence corporate governance
– Impact of election and changes at the SEC
John and JT’s objective with this podcast series is to share perspectives on key issues and developments in shareholder activism from representatives of both public companies and activists. They’re continuing to record new podcasts, and I think you’ll find them filled with practical and engaging insights from true experts – so stay tuned!