On Wednesday, the PCAOB announced that it approved the adoptionof an amendment to PCAOB Rule 3502 to provide that an individual accountant can be held liable for substantially and negligently contributing to their firm’s violations of PCAOB laws, rules, and standards. Here’s the explanation of the change from the PCAOB’s press release:
For decades under PCAOB and predecessor auditing standards, auditors have been required to exercise reasonable care any time they perform an audit, and the failure to do so constitutes “negligence.”
Previously, however, Rule 3502 allowed the PCAOB to hold associated persons liable for contributing to a registered firm’s violation only when they did so “recklessly” – which represents a greater departure from the standard of care than negligence. This means even when a firm commits a violation negligently, an associated person of that firm who directly and substantially contributed to the firm’s violation could be sanctioned by the PCAOB only if the PCAOB were to show that the associated person acted recklessly.
As adopted, the updated rule changes Rule 3502’s liability standard from recklessness to negligence, aligning it with the same standard of reasonable care auditors are already required to exercise anytime they are executing their professional duties. Similarly, the U.S. Securities and Exchange Commission already has the ability to bring enforcement actions against associated persons when they negligently cause firm violations.
At the same time, the updated rule maintains Rule 3502’s requirement that an associated person must have contributed to the firm’s violation both “directly and substantially” in order to be held liable.
I’m sure John wasn’t the only person who, when this amendment was proposed, had concerns that lowering the bar for actions against individuals might spur increased efforts by auditors to protect their firms & themselves — with attendant increased costs for public companies. Wednesday’s statement by PCAOB Chair Erica Williams tried to assuage those concerns with this comment:
There is no reason this amended rule should cost auditors significant time, resources, or money, because auditors are already prohibited from being negligent today as part of their requirement to exercise reasonable care and competence any time they perform an audit. Similarly, the U.S. Securities and Exchange Commission (SEC) already has the ability to seek penalties in enforcement actions against associated persons when they negligently cause firm violations.
As I’ve said before, if you are doing what you are already supposed to be doing, this amended rule would not affect you. If you are not, there may be consequences.
It seems proxy statements aren’t the only filing type commonly containing XBRL tagging errors this year. This Public Chatter Blog from Perkins Coie picks up on the recent statement from the SEC’s Office of Structured Disclosure flagging observations by SEC Staff that a number of filers have used incorrect tagging practices in 10-Ks and 10-Qs filed in 2024. The statement encourages filers to review their EPS tagging in particular, specifically identifying the following incorrect practices:
– Creating custom tags such as BasicAndDilutedEarningsPerShare to tag this amount;
– Tagging this amount only once using one of the two standard tags; and
– Tagging this amount using a standard tag that was deprecated in 2022.
The data should be tagged using GAAP Financial Reporting taxonomy elements us-gaap:EarningsPerShareBasic and us-gaap:EarningsPerShareDiluted. In filings where basic and diluted EPS have the same value and are presented only once on the face of the income statement, an entity should tag that amount twice using both tags.
The blog says “without fixing the tags, apparently the data is useless to end users” and “the upshot is that the SEC’s Division of Economic and Risk Analysis is monitoring this stuff.” It also acknowledges that this might not be very understandable to folks unfamiliar with tagging practices. If that’s you, share the SEC statement with your financial reporting folks and anyone who works on or confirms XBRL tagging.
Check out John’s latest “Timely Takes” Podcast featuring Orrick’s J.T. Ho & his monthly update on securities & governance developments. This month J.T. and John discuss:
The SEC’s New Focus on International Big Tech and the FCPA
New DOJ Whistleblower Reward Programs
The IRS’s Proposed Guidance on the Stock Buyback Excise Tax
The Recent SCOTUS Decision on the Private Right of Action for MD&A Omissions
SEC Guidance on Non-Material Cybersecurity Events
As always, if you have insights on a securities law, capital markets or corporate governance issue, trend or development that you’d like to share in a podcast, we’d love to hear from you. You can email me at mervine@ccrcorp.com and/or John at john@thecorporatecounsel.net.
The SEC’s litigation against SolarWinds has gotten a lot of attention — largely due to the high-profile nature of the breach that brought issues to light and the SEC’s decision to individually charge the company’s CISO. As Liz shared, much of the original 68-page complaint boiled down to the basic notion that disclosures can’t be materially misleading, but, in mid-May, the parties presented oral arguments on the defendants’ motion to dismiss that, together with the SEC’s amended complaint, give us a better picture of the SEC’s allegations. This HLS blog from Jenner & Block says the SEC is also arguing that the company’s cybersecurity weaknesses amounted to internal accounting control failures.
The SEC was similarly criticized for alleging that the “internal accounting controls” provisions of the Exchange Act apply to cybersecurity controls and suggesting that companies and individuals can be charged with a securities violation for failing to protect company assets from cybersecurity attacks. Section 13(b)(2)(B), which was enacted as part of the Foreign Corrupt Practices Act in response to concerns about bribery of foreign officials by US business interests, requires public companies to maintain internal accounting controls “sufficient to provide reasonable assurances that . . . access to assets is permitted only in accordance with management’s general or specific authorization.”
In response to the SEC’s inclusion of this claim, the US Chamber of Commerce and Business RoundTable filed an amicus brief arguing that cybersecurity controls are unrelated to the reliability of financial reporting for purposes of the statute and that the use of this charge would unfairly penalize companies that are victims of a cyberattack. […]
The SEC also sought to defend their allegation that Defendants violated the internal accounting controls provision of the Exchange Act by failing to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances” to prevent unauthorized access of SolarWinds’ assets—i.e., its software code and technology infrastructure.
The SEC’s amended complaint expounded on this novel charge, explaining that “[t]he cybersecurity controls at issue here were ‘internal accounting controls’ in that they were plans, procedures, and records of SolarWinds concerned with the safeguarding of corporate assets. Cybersecurity policies must be designed and implemented to provide shareholders with reasonable assurances that access to corporate assets—including technology assets, computer code and software for distribution to customers—are limited to authorized users, and thus support the twin goals of corporate accountability and management stewardship over corporate assets underlying Rule 13(b)(2)(B).”
While the court seemed to question the SEC’s position here during oral arguments, the blog warns that more disclosure actions are likely to come if the Enforcement Division is successful. It recommends that companies take a cautious approach to how they describe cybersecurity practices and ensure the CISO’s responsibility for disclosure and controls is clearly defined.
As John shared in March, one of the unique aspects of the litigation challenging the SEC’s final climate disclosure rules is that the SEC’s rulemaking was being challenged by both sides of the aisle. Challengers included not only Red State AGs, the U.S. Chamber of Commerce and energy companies saying the rule went too far, but also the NRDC and The Sierra Club saying the rule didn’t go far enough. The litigation only got more complicated when the U.S. Chamber of Commerce moved to intervene in The Sierra Club’s challenge to the rules, which put the Chamber in the position of both challenging the rules and defending them in the consolidated litigation.
As this Cooley PubCo blog points out, the NRDC and the Sierra Club have now filed unopposed motions seeking voluntary dismissal of their petitions for review, both saying they’re planning to focus their limited resources to advocate for further disclosure outside of the litigation. The blog says, “the authority of the SEC to adopt the final rules will not be without support” since AGs of various states have filed a successful motion to intervene on behalf of the SEC, and “presumably, these states will not be challenging whether the SEC went far enough.
John speculated early on that the lottery system may have been a factor in the environmental groups’ decision to file the lawsuit. It may have been a factor in the decision to move for voluntary dismissal as well — after the challenges that were filed in six different circuits were consolidated in the Eighth Circuit which, as Dave noted, is comprised of conservative-leaning judges, similar to the Fifth Circuit.
In the latest addition to the ongoing debate over proposed 2024 amendments to the DGCL, a group of prominent law professors recently submitted a letter to the Delaware Legislature opposing the proposed changes to Section 122(18) of the DGCL intended to address the Chancery Court’s decision in the Moelis litigation invalidating certain governance provisions contained in a stockholders agreement. This excerpt provides the gist of their concerns:
The Proposal would do more than simply overturn Moelis. It would allow corporate boards to unilaterally contract away their powers without any shareholder input. It would also exempt such contracts from Section 115, thereby creating a separate class of internal corporate claims—including claims of breach of fiduciary duty—that could be arbitrated and decided under non-Delaware law. These would be the most consequential changes to Delaware corporate law of the 21st century, and they should not be made hastily—if at all.
Proponents of the Proposal argue that the Moelis decision struck down a common practice of Delaware corporations and that the Proposal merely restores the status quo ante. Not so. The contract in Moelis was far from typical, especially for public corporations, and the Moelis decision only held that certain of its provisions contravened the board-centric model of governance codified in Section 141(a). Those provisions could only be adopted in the corporate charter, and thus only after a majority of shareholders—who invested in reliance on Section 141(a)—gave their approval.
The professors argue that instead of “hastily rewriting the rules,” the better path would be to wait for the Delaware Supreme Court to weigh in on the issues raised by the Moelis decision.
We cover a lot of “shareholder activism” developments over on DealLawyers.com, so in early January, John blogged there about the Chancery Court’s decision in Kellner v. AIM Immunotech (Del. Ch.; 12/23) addressing a challenge to advance notice bylaw amendments. Vice Chancellor Will upheld certain amendments but struck down others. This recent Morgan Lewis law flash says plaintiff firms are back at it, having “recently filed several virtually identical complaints in the Delaware Court of Chancery challenging often used public company advance notice bylaws as facially invalid.” The alert says none of these suits appear to arise from any active director nomination process at the defendant companies, and the potential plaintiffs’ attorney fee seems to be what’s motivating their filing.
Consider yourself on notice — now’s the time to review your bylaws if you haven’t already! Take a look at our prior blogs on identifying and modifying offending provisions and how to make sure that advance notice bylaws incorporate the latest protective features without going so far that the bylaw will be struck down when it’s enforced.
Thanks to this Toppan Merrill blog for highlighting that large accelerated filers are required to submit filing fee data in iXBRL starting July 31, 2024 (July 31, 2025 for all other filers).
In a previous blog post, we outlined the initial phases of the SEC’s Filing Fees and Payment Method Modernization final rule. The mandate changed how filing fees in registration statements, fee bearing proxies and tender offers were disclosed and disseminated. While the new fee table layout launched on Jan 31, 2022, we still see instances of fee tables that do not match the specific instructions presented in the final rule or provided in the SEC Forms. During this initial phase, filers have had the option to construct fee tables in HTML without following the explicit instructions of the rules and form instructions.
Beginning July 31, 2024, large accelerated filers are required to submit the fee data in Inline XBRL (iXBRL) format, with all other filers phased in beginning July 31, 2025. Once filers are mandated to file with iXBRL tagging, the layout and requirements for the fee tables must be followed in order for the filing to be accepted by EDGAR.
The blog then walks through how tables need to be formatted for tagging (and filing acceptance), which may require changes to common practices. Here are two examples, but there are many more tips for preparers of filing fee tables — even if you don’t handle XBRL tagging.
Currently: Filers typically list Unallocated (Universal) Shelf at the bottom of the individually listed securities in the fee table.
In iXBRL format: The Unallocated (Universal) Shelf line will be listed first, followed by each listed class nested below.
Currently: Footnote references are allowed in any table cell or table head in HTML format.
In iXBRL format: A single footnote reference is allowed per listed security, excluding nested Unallocated (Universal) Shelf, listed within the table. Footnote references are not allowed in column heads or within the ‘totals’ cell(s). The same footnote cannot be referenced on multiple rows.
The SEC also previously posted“How do I” guidance shortly after the voluntary compliance period under the SEC’s Filing Fee Modernization Rule began. The announcement provides contact information for the Staff but strongly encourages filers to review these resources before reaching out.
With the stay order and pending litigation surrounding the final climate rule, we realize that our work to prepare sample climate disclosure might be a “hurry up and wait” situation, but we’re nonetheless very excited that our 64-page Annotated Sample Climate Disclosure is now available to members of TheCorporateCounsel.net (posted in our “Climate Change” Practice Area). It includes example text and tables, along with annotated guidance on key elements of the final rules applicable to large accelerated filers for the first year of disclosures – whenever that will be.
We hope these sample disclosures serve as a good starting point for discussion – since sometimes getting started is the hardest part – or something to compare against your existing disclosures to see what you’ll need to add to address all required disclosures, if and when the rules are effective.
If you are not a member of TheCorporateCounsel.net, you can sign up online or contact Sales@CCRcorp.com.
Last week, the WSJ reported that paragraph (c) of Item 1.05 of Form 8-K has been invoked “several times” since the SEC’s new cybersecurity disclosure rules went into effect in December. Paragraph (c) provides a framework for delaying the filing of an Item 1.05 Form 8-K if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing.
The article says that Matthew Olsen, assistant attorney general for national security, whose office has been delegated the responsibility for handling these determinations, reported at the WSJ’s “Tech Live: Cybersecurity” conference that “on a number of occasions, the Justice Department has delayed companies’ disclosures because making the attacks public would create substantial risks and raise national-security concerns,” without giving any numbers.
As the article notes, when the final rules were adopted, there were doubts about how easy or practical it would be for companies to avail themselves of the delay provisions. I think much of that concern was assuaged by the December guidance released by multiple agencies — the FBI’s Guidance to Victims of Cyber Incidents on SEC Reporting Requirements: Request a Delay, plus multipleCDIs from the SEC Staff, and a statement from Corp Fin Director Erik Gerding — which evidenced that necessary interagency channels of communication were being forged and processes being created for these delay provisions to work. I can’t say I’m happy to hear that there have been cyber incidents that presented national security concerns, but for companies that may need to seek this relief, it’s good to know that there’s some precedent for it.
