In this recent Cooley Alert, SEC Issues New Guidance on Cybersecurity Disclosure and Policies, we wrote that the SEC had not yet brought a formal enforcement proceeding for failure to make timely disclosure regarding cybersecurity risks and/or cyber incidents and asked whether an enforcement action might just be on the horizon? In that regard, we noted that, in 2017, the co-director of the SEC’s Enforcement Division had warned that, although the SEC was “not looking to second-guess good faith disclosure decisions,” enforcement actions were certainly possible in the right circumstances. Indeed, the co-director had cautioned that no one should mistake the absence of enforcement actions for an unwillingness by the SEC to pursue companies with inadequate cybersecurity disclosures before and after breaches or other incidents. Apparently, SEC Enforcement has now identified circumstances it considers to be “right”: today, the SEC announced “that the entity formerly known as Yahoo! Inc. has agreed to pay a $35 million penalty to settle charges that it misled investors by failing to disclose one of the world’s largest data breaches in which hackers stole personal data relating to hundreds of millions of user accounts.”
You, like me, may have been the recipient of many, many, many calls from various persons claiming to be from the IRS and threatening you with imprisonment. We all know that the IRS doesn’t make those types of calls and we ignore them. Apparently, some of those folks have now shifted agencies claiming to represent the SEC. This could be a little trickier.
In these survey results (courtesy of thecorporatecounsel.net), audit firm Deloitte provides data as of April 10 regarding pay-ratio disclosures for 294 companies in the S&P 500. Interestingly, so far at least, not many of the accommodations that the SEC deliberately included in the rule to provide “flexibility” have found favor with companies. For example, the survey showed that only 8% of companies used statistical sampling, a methodology initially suggested in comments by the AFL-CIO and adopted by the SEC in an effort to make the pay-ratio rule more palatable to companies. However, for this first year of reporting, many companies have opted to take a minimalist approach; whether that changes over time as companies become accustomed to the rule and more adventurous in its implementation remains to be seen.
The Center for Audit Quality has just issued Cybersecurity Risk Management Oversight: A Tool for Board Members. The tool offers questions that directors can ask of management and the auditors as part of their oversight of cybersecurity risks and disclosures. The questions are designed to initiate dialogue to clarify the role of the auditor in connection with cybersecurity risk assessment in the context of the audit of the financial statements and internal control over financial reporting (ICFR), and to help the board understand how the company is managing its cybersecurity risks.
As a general matter, SEC rules do not mandate companies to disclose details about the composition or location of their workforces; Reg S-K requires disclosure of only the number of employees, but no information about them. And the vast majority of companies provide little detail voluntarily. But now, as this article in the WSJ reports, companies are beginning to disclose more information about their workforces overseas, and the impetus for that disclosure is the new pay-ratio rule—all at a time when issues of overseas versus domestic employment are especially fraught.
It’s certainly a rare event, but both ISS and Glass Lewis have recommended voting against a proposal to ratify the appointment of GE’s auditor, KPMG, at the GE annual shareholders meeting. Most often, the issue of auditor ratification is not very controversial—in fact, it’s usually so tame that it’s one of the few matters at annual shareholders meetings considered “routine” (for purposes of allowing brokers to vote without instructions from the beneficial owners of the shares). Are we witnessing the beginning of a new trend?