Yesterday, the SEC posted a notice of a second amendment to NYSE’s proposal to change Section 802.01D of the Listed Company Manual to allow the Exchange to commence immediate suspension and delisting procedures if a company changes its primary business focus. Together, the two amendments to the proposal make the following key changes:
– Add a requirement that any company that undertakes a change in its primary business focus must promptly provide notice of such change in writing;
– Clarify that the delisting procedure applies where the company has changed its primary business focus to a new area of business that is “substantially different” from the business it was engaged in at the time of its original listing or, as provided in the original filing, which was immaterial to its operations at the time of its original listing; and
– Clarify that NYSE would focus its analysis of a company’s suitability for continued listing after a change in operations on whether it would have accepted the listed company for initial listing if it had been engaged in its modified business at the time of original listing and on the qualitative aspects of the company’s suitability — not the quantitative standards for initial listing.
The SEC invites comments here, but also issued an order granting accelerated approval of the proposed listing rule changes, as amended.
The rite of passage to becoming a lawyer — the bar exam, including the Multistate Bar Exam, Multistate Essay Exam and Multistate Performance Test — is soon changing! Last week, the National Conference of Bar Examiners (the nonprofit organization that develops bar exam content for 54 of 56 US states and territories) announced that they are set to launch the “NextGen bar exam” in July 2026. The new exam is “designed to test the knowledge and skills needed by today’s new attorneys” and “the biggest change to the way lawyers are licensed in a generation.”
The NextGen bar exam will test a broad range of foundational lawyering skills, utilizing a focused set of clearly identified fundamental legal concepts and principles needed in today’s practice of law. The skills and concepts to be tested were developed through a multi-year, nationwide legal practice analysis, focused on the most important knowledge and skills for newly licensed lawyers. Designed to balance the skills and knowledge needed in litigation and transactional legal practice, the exam will reflect many of the key changes that law schools are making today.
Twenty states and one territory have already announced plans to use the new exam, with Florida the most recent. Connecticut, Guam, Maryland, Missouri, Oregon, and Washington will begin using the NextGen exam in 2026; Arizona, Iowa, Kentucky, Minnesota, Nebraska, New Mexico, Oklahoma, Tennessee, Vermont, and Wyoming will start in 2027; and Colorado, Florida, Illinois, Kansas, and Utah will make the switch in 2028. And more states and territories are expected to sign on in the next year.
The release touts the process used to develop the NextGen bar, saying NCBE surveyed over 14,000 attorneys and will engage in multiple phases of testing and statistical analysis to ensure the test is accurate and fair. Still, if I were a rising 2L or incoming law student, I’d be a bit nervous about being one of the NextGen bar exam’s early takers. I have to imagine it takes BarBri and the other bar study service providers out there some time to learn and adapt their teaching strategy — which seemed like a time-tested, well-oiled machine when I took the bar. Once rolled out in your state, this might call for some extra empathy for your incoming first-year associates when they’re waiting for bar results — especially in those states that are early adopters!
As this Cooley alert points out, considerations relating to filing an Item 1.05 Form 8-K are just the tip of the iceberg for companies grappling with systemic network failures after the recent CrowdStrike update. The memo raises some of the same issues I discussed in Monday’s blog and then moves on to a host of other disclosure implications. The alert suggests that impacted public companies consider the following actions:
– Ensure compliance with applicable policies and perform assessments to determine whether any impact from the CrowdStrike update is “material,” and whether any reporting is necessary or advisable. … [including] outside the context of Item 1.05 of Form 8-K … giving consideration to potentially providing voluntary disclosure related to the impact of the CrowdStrike update on the company’s operations via Item 8.01 of Form 8-K.
– Perform risk assessments and gap analyses to determine whether there are any shortcomings in systems and systems-related matters, including use of third parties and relevant oversight, monitoring, disaster recovery, and other practices.
– Update risk factors and other disclosures, including regarding systems downtime and/or reliance on third parties to operate critical business systems … [including] to specifically refer to the CrowdStrike update.
– Determine if the CrowdStrike update has had or is expected to have a material impact on the company, then consider if it should be discussed in the management’s discussion and analysis (MD&A) section of SEC filings, including as a known trend for future periods.
– Be mindful of Regulation FD when communicating with analysts and investors regarding the impact of the CrowdStrike update on the company. … Confirming that there was or was not a material impact of an occurrence in one-off communications with analysts/investors could be deemed to be a selective disclosure of material nonpublic information in certain circumstances.
– Evaluate whether the CrowdStrike update has implications for the company’s internal controls and disclosure controls and procedures.
Normally, I would characterize some of these as more long-term considerations than the question of mandatory current reporting, but there are a number of factors at play that make these considerations just as time-sensitive as the 8-K question. First, further data gathering and assessment may be necessary to make an 8-K determination, and the situation is still evolving. For now, it appears that no companies have determined to quickly file an Item 1.05 8-K, and I only see one Item 8.01 8-K related to the incident (filed by CrowdStrike itself on Monday). Second, it’s late July, which means it’s crunch time for second quarter 10-Qs for many companies. We may start to see disclosures related to the CrowdStrike update in 10-Qs before we see them in 8-Ks (like this 10-Q, which notes under Part II, Item 5, “to date, we have experienced no negative impact to our IT systems related to the CrowdStrike software update”).
Thanks to John for finding and sharing this LinkedIn post from boardroom speaker and trainer Ralph Ward. In it, he argues that boards should adopt a “culture statement”:
This is a group contract on how the board behaves and its shared expectations. A culture statement goes beyond such items as corporate mission or vision statements. Instead, a board culture statement is a contract on the values your board itself should model. How does it work?
A board culture statement avoids generalities, and is unique to each board. … Hot topics to cover include… directors talking over each other and bullying… going around the CEO to staff… talking with investors… how to respectfully express dissent… adequate meeting preparation and knowledge… pushing personal agendas… confidentiality. Done right, a board culture statement gives clues on your board’s individual flash points, and how you’re fixing them (which is one reason such statements are rarely disclosed to the public).
He distinguishes these culture statements from vision or mission statements and notes that they don’t necessarily need to align with company culture.
Vision and mission statements also tend to address vague qualities like respect, integrity, honesty, and other Boy Scout merit badge matters. A board culture statement “avoids nebulous concepts and translates these into concrete, observable behaviors,” notes Anthony Goodman, head of the board effectiveness practice at Korn Ferry. …
Further, while “tone at the top” matters, realize that a board’s culture can be something quite different from the overall company culture. Brendan Keegan, a noted autosports entrepreneur and long-time director, writes “it’s less important for board members to perfectly align with the organization’s day-to-day culture.” The board is a group of outsiders who meet face-to-face irregularly, the opposite of your employee structure. They have unique chemistry and practical concerns to address.
Going further, he also seems to advocate quantifying directors’ compliance with these culture statements by measuring things like interruptions, rudeness or lack of involvement, saying, “Boards can’t change what isn’t measured.”
Last week, Dave shared his thoughts about how beneficial it is to network with new contacts and meet with old friends at a good old-fashioned in-person conference. This recent Korn Ferry insight points out that, in today’s job market, people are integrating in-person conference networking into their job search process. Apparently, 80% of positions are filled through networking! To that end, they shared these five tips for getting the most out of in-person conferences:
– Define your goals. Set clear objectives for what you hope to get out of attending the conference. – Get the guest list. Check the attendee roster in advance and make a list of your “must-meets.” – Get the word out. Let people know in advance that you’re attending. – Find a hook. “Establish a basis for connecting.” – Get a second meeting at the first. Where appropriate, schedule a follow-up meeting during the first meeting.
Once you do that, please let us know what excites you most about returning to in-person conferences with this anonymous poll. We’ll gather and rank responses by popularity for our “Game Show Lightning Round: All-Star Feud.” Responses will be hidden, so you’ll have to join day 1 of our Conferences (in San Francisco or virtually) to hear whether your response made the “most popular” list — and whether our “SEC All-Stars” guess your response!
Since the EU AI Act was published in the Official Journal of the EU on July 12, it will enter into force on August 1 (20 days after publication). This Wilson Sonsini alert says the Act will not apply immediately but in the phases below. (See the further timeline in the alert.)
Prohibitions of certain AI systems: The first set of rules to kick in will be those prohibiting certain applications of AI (e.g., AI systems that exploit individuals’ vulnerabilities, untargeted scraping of facial images from the internet or CCTV footage to create facial recognition databases). These rules will start to apply as of February 2025.
General-purpose AI (GPAI) models: The requirements in relation to new GPAI models will start to apply one year after the entry into force of the AI Act, i.e., by August 2025. There will be an additional two-year grace period for GPAI models that are already on the EU market at that time (i.e., providers of GPAI models placed on the EU market before August 2025 will have an additional two years to comply, until August 2027).
High-risk AI (HRAI) systems: The rules for some HRAI systems and AI systems with specific transparency risk will start to apply by August 2026. If the HRAI system is part of a product that is subject to EU health and safety laws (e.g., toys) the rules will apply a year later (i.e., by August 2027). Operators of HRAI systems that are already offered in the EU before the application of the AI Act will need to comply with the AI Act only in the event of a significant design change (e.g., changes in the AI system’s intended purpose). As an exception to this, if the HRAI system offered in the EU is intended to be used by public authorities, the providers and deployers will need to comply with the rules by August 2030, regardless of whether there has been a significant design change or not.
The alert warns: “Once the AI Act starts to apply, it will introduce a swathe of new obligations for companies providing, distributing, importing, and using AI systems and GPAI models in the EU, subject to hefty fines of up to EUR 35 million or seven percent of the total worldwide annual turnover, whichever is higher.”
These new obligations and fines have gotten the attention of US securities regulators. At SEC Speaks in April, SEC Staff characterized the Act as “a comprehensive risk-based legal regime governing AI across the EU” that “will have implications for public companies that provide or deploy AI systems in the EU” and specifically noted that penalties include “up to 7% of global revenue” and violations can “result in withdrawal of the AI system from the market.” The Staff said that some companies are generally disclosing that they may be impacted by the Act and reminded companies of the need to tailor disclosure to address how the company will be particularly impacted based on its facts and circumstances.
On Friday, the SEC announced the creation of the Interagency Securities Council. The Council includes representatives from more than 100 departments and agencies at the federal, state and local levels.
The Council’s purpose is to ensure that law enforcement and regulatory agencies at all levels of government are working together to combat financial fraud and provide a means to share information with law enforcement officials who don’t frequently deal with securities law violations. During quarterly meetings, members will “participate in discussions with experts on emerging threats, hear from investigators conducting and supervising investigations, and explore case study examples of agencies employing innovative approaches to combat financial fraud.”
ICYMI, last week, Delaware Governor John Carney signed into law SB 313, the controversial 2024 DGCL amendments. The most hotly contested change put in place by the legislation is new Section 122(18) of the DGCL, which is intended to address the Chancery Court’s decision in West Palm Beach Firefighters v. Moelis, (Del. Ch.; 2/24), but the amendments also respond to issues raised by several other recent Chancery Court decisions. Advocates of the legislation contend that it is necessary to address “rogue” decisions by the Chancery Court that were inconsistent with market practice, while critics argue that it makes seismic changes to the DGCL without sufficient deliberation, raises a number of unanswered questions and reopens many governance issues that were long thought to be settled.
With all of the controversy surrounding the 2024 DGCL amendments and their potentially profound impact on Delaware corporations, you won’t want to miss today’s DealLawyers.com webcast – “2024 DGCL Amendments: Implications & Unanswered Questions” – from 2 to 3 pm ET.Steven Haas of Hunton Andrews Kurth, Julia Lapitskaya of Gibson Dunn, and Eric Klinger-Wilensky of Morris Nichols will address the following:
– Overview of the DGCL amendments
– Implications for governance agreements
– Implications for acquisition agreements
– Fiduciary duties v. contractual obligations
– Unanswered questions
Members of DealLawyers.com are able to attend this critical webcast at no charge. If you’re not yet a member, subscribe now. If you need assistance, send us an email at info@ccrcorp.com – or call us at 800.737.1271.
We will apply for CLE credit in all applicable states (with the exception of SC and NE, which require advance notice) for this 60-minute webcast. You must submit your state and license number prior to or during the program using this form. Attendees must participate in the live webcast and fully complete all the CLE credit survey links during the program. You will receive a CLE certificate from our CLE provider when your state issues approval, typically within 30 days of the webcast. All credits are pending state approval.
In the wake of some welcome news for the cybersecurity community late last week came a widespread and nearly economy-stopping tech outage on Friday morning that impacted many industries, including airlines, banks & hospitals, and government entities, like school districts & courthouses. While many whose lives and jobs were impacted by the outage are likely most concerned that a software update at one company could put so many businesses temporarily out of commission, we securities lawyers are thinking about what disclosures may need to be made — and what lawsuits may follow.
While CrowdStrike announced that the occurrence wasn’t “a security incident or cyberattack,” impacted companies should remember that the definitions of “cybersecurity incident” and “information systems” for purposes Item 1.05 of Form 8-K are very broad.
Cybersecurity incident means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.
Information systems means electronic information resources, owned or used by the registrant, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the registrant’s information to maintain or support the registrant’s operations.
The adopting release also noted that the word “unauthorized” is meant to be broadly interpreted:
One commenter sought clarification of whether the definition encompasses accidental incidents, such as chance technology outages, that do not involve a malicious actor, while another commenter advocated broadening the definition to any incident materially disrupting operations, regardless of what precipitated it. …
We are also retaining “unauthorized” in the incident definition as proposed. In general, we believe that an accidental occurrence is an unauthorized occurrence. Therefore, we note that an accidental occurrence may be a cybersecurity incident under our definition, even if there is no confirmed malicious activity. For example, if a company’s customer data are accidentally exposed, allowing unauthorized access to such data, the data breach would constitute a “cybersecurity incident” that would necessitate a materiality analysis to determine whether disclosure under Item 1.05 of Form 8-K is required.
The SEC has noted on its homepage that it is monitoring for market-related impacts of this “widespread IT disruption.” Maybe at some point the Staff will also clarify how to apply the “cybersecurity incident” definition to outages like this. In the meantime, companies will need to gather facts internally and assess with counsel whether their situation meets the definition of “cybersecurity incident” with the guidance we do have — including the adopting release and CDIs.
While it appears here, based on public reporting to date, that no data has been exposed nor systems accessed, this broad interpretation of “unauthorized” to include “accidental” has people scratching their heads, wondering whether including this type of software glitch in the universe of 8-K triggering events renders the “security” aspect of the rules meaningless. That said, some impacted companies clearly had issues with the “availability” of their information systems. If companies determine that a cybersecurity incident has occurred, they will need to assess whether it is material.
Whenever a company determines it has experienced a “cybersecurity incident,” it then needs to assess whether that incident is material based on company-specific facts and circumstances. The SEC Staff recently made clear that immaterial incidents should not be reported under Item 1.05 and that immaterial cybersecurity incidents or early disclosure should be reported under a different item of Form 8-K — like 8.01 for Other Events. For companies that get to the materiality step, keep in mind that the SEC has made clear that the materiality assessment is not limited to the incident’s impact on the company’s financial condition and results of operation.
– Corp Fin Director Erik Gerding’s recent statement about reporting immaterial incidents and some of the 5 new CDIs on Item 1.05 included guidance on assessing materiality.
– The adopting release also included a discussion of materiality and listed qualitative factors to consider.
– This WilmerHale resource (see especially page 22) does a great job of summarizing quantitative considerations, qualitative considerations and factors that are NOT relevant based on the adopting release and the firm’s experience helping companies evaluate disclosure obligations under the 2011 Staff Guidance and 2018 Interpretive Guidance.
This is an evolving area and one where it’s important to be able to think on your feet but also avoid rushing to conclusions. Our Proxy Disclosure & Executive Compensation Conferences include a panel dedicated to addressing the real-time reporting of cyber incidents during which attendees will hear from Tamara Brightwell of Wilson Sonsini, Howard Dicker of Weil Gotshal, Sophia Hudson of Kirkland & Ellis, and Bill Ridgway of Skadden. Our panel on navigating 10-K updates will also be addressing how companies approached cybersecurity disclosures in 10-Ks. We hope you join us in person! Register soon (this week, actually) by visiting our online store or by calling us at 800-737-1271 to get the early bird rate!
