Month: July 2023

SEC adopts final rules on cybersecurity disclosure [UPDATED]

[This post revises and updates my earlier post primarily to provide a more detailed discussion of the contents of the adopting release.]

At an open meeting on Wednesday last week, the SEC voted, three to two, to adopt final rules on cybersecurity disclosure. In his statement at the  open meeting, Commissioner Jaime Lizárraga shared the stunning statistics that, last year, 83% of companies experienced more than one data breach, with an average cost of in the U.S. of $9.44 million; breaches increased 600% over the last decade and total costs across the U.S. economy could run as high as trillions of dollars per year. Given the ubiquity, frequency and complexity of these threats, in March last year, the SEC proposed cybersecurity disclosure rules intended to help shareholders better understand cybersecurity risks and how companies are managing and responding to them.  Although a number of changes to the proposal were made in the final rules in response to objections that the proposal was too prescriptive and could increase companies’ vulnerability to cyberattack, the basic structure remains the same, with requirements for both material incident reporting on Form 8-K and periodic disclosure of material information regarding cybersecurity risk management, strategy and governance. According to SEC Chair Gensler, “[w]hether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors….Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

SEC adopts final rules on cybersecurity disclosure

In remarks to the audience at a Financial Times summit earlier this month, Gurbir Grewal, SEC Director of Enforcement, citing a recent poll from Deloitte, observed that over “a third of executives reported that their organization’s accounting and financial data was targeted by cyber adversaries last year.” As threats increase, Grewal maintained, cybersecurity is “foundational to maintaining the integrity of not just our securities markets, but our economy as a whole.”  (See this PubCo post.) Similarly, in remarks in January 2022, SEC Chair Gary Gensler suggested that the economic cost of cyberattacks could possibly be in the trillions of dollars, taking many forms, including denials-of-service, malware and ransomware. It’s also a national security issue.  He reminded us that “cybersecurity is a team sport,” and that the private sector is often on the front lines.  And, in his statement at the SEC open meeting yesterday morning, Commissioner Jaime Lizárraga shared the eye-opening stats that, last year, 83% of companies experienced more than one data breach, with an average cost of in the U.S. of $9.44 million; breaches increased 600% over the last decade. Given the ubiquity, frequency and complexity of these threats, in March last year, the SEC proposed cybersecurity disclosure rules intended to help shareholders better understand cybersecurity risks and how companies are managing and responding to them.  At an open meeting yesterday morning, the SEC voted, three to two, to adopt final rules on cybersecurity disclosure. Although a number of changes to the proposal were made in response to comments, the basic structure remains the same in the final rules, with requirements for both material incident reporting on Form 8-K and periodic disclosure of material information regarding cybersecurity risk management, strategy and governance. According to Gensler, “[w]hether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors….Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

House Republicans want to restructure the SEC…and sack the Chair

Some Republican House members are proposing a bill to “stabilize” the SEC, the SEC Stabilization Act (H.R. 4019). What do they mean by that?  First and foremost would be removal of the current “tyrannical”—their word, not mine—SEC Chair, Gary Gensler, “following his long series of abuses that have been permitted under the current SEC structure,” according to the bill sponsor’s press release.  (Hmmm, was that just performative?) The actual bill would establish the office of Executive Director and implement a structure similar to that of the bipartisan Federal Election Commission, increasing the size of the SEC to six, with an even party split, thus “protecting U.S. capital markets from any future destabilizing political agenda”—or ensuring permanent gridlock, depending on your point of view. 

GAO reports on conflict minerals compliance in 2022

The GAO has just issued its 2022 Report on Conflict Minerals, which examines companies’ conflict minerals compliance in 2022. As you probably know, the SEC’s conflict minerals rules were originally mandated by Congress in an attempt to limit the use of revenue from the trade in conflict minerals to fund the operations of armed groups in the DRC and adjoining countries. Under Dodd-Frank,  the GAO is required to assess periodically the effectiveness of the SEC’s conflict minerals rules in promoting peace and security in the DRC region. Are the SEC’s rules having any impact? Based on this report, it seems that the violence in the DRC has not abated: “overall peace and security in the eastern DRC has not improved since 2014 because of persistent, interdependent factors that fuel violence by non-state armed groups.” In 2020, the GAO reports, about 122 armed groups operated in the region, using revenue from the trade in conflict minerals as one source of funding. Experts view corruption as a contributing factor. The GAO observes that, in 2022, “armed groups continue to raise revenue from various sources, such as illegal taxation on citizens and the exploitation of natural resources,” such as conflict minerals.

“We’ve got some work still to do,” said SEC Chair

That’s what SEC Chair Gary Gensler said about the timeline for the final climate disclosure rules when asked on Monday (probably at the National Press Club), as reported by Reuters. (See this PubCo post, this PubCo post and this PubCo post.)  According to the SEC’s most recent rulemaking agenda, the final climate disclosure rules have a target date for adoption of October 2023. (See this PubCo post.) Gensler, however, Reuters reported, “said this was not hard and fast. ‘We’ve got some work still to do,’ Gensler said. ‘I don’t have a time. It’s really when the staff is ready and when the Commission is ready.’” October? IMHO, nah….

Could AI trigger a financial crisis?

In remarks on Monday to the National Press Club, SEC Chair Gary Gensler, after first displaying his math chops—can you decipher “the math is nonlinear and hyper-dimensional, from thousands to potentially billions of parameters”?—discussed the potential benefits and challenges of AI, which he characterized as “the most transformative technology of our time,” in the context of the securities markets. When Gensler taught at MIT, he and a co-author wrote a paper on some of these very issues, “Deep Learning and Financial Stability,” so it’s a topic on which he has his own deep learning. The potential for benefits is tremendous, he observed, with greater opportunities for efficiencies across the economy,  greater financial inclusion and enhanced user experience. The challenges introduced are also numerous— and quite serious—with greater opportunity for bias, conflicts of interest, fraud and platform dominance undermining competition. Then there’s the prospective risk to financial stability altogether—another 2008 financial crisis perhaps? But not to worry—Gensler assured us, the SEC is on the case.

Hey, it’s “ESG month”—House ESG Working Group takes on shareholder proposal process

“ESG month” may not be exactly what you think. It’s the moniker, according to Politico, ascribed to the plan of the House Financial Services Committee, reflected in this interim report from its ESG Working Group, “to spend the next few weeks holding hearings and voting on bills designed to send a clear signal: Corporations, in particular big investment managers, should think twice about integrating climate and social goals into their business plans.”  But this is not just another generic offensive in the culture wars; according to Politico, this effort is more targeted—aimed not at major brands of beer or amusement parks, but rather at the processes that some argue activists use to pressure companies to address ESG concerns, as well as the “firms that play big roles in ESG investing.”   At the first of six hearings on July 12, Committee Chair Patrick McHenry maintained that the series of hearings and related proposed legislation was not about “delivering a message,” but was rather about protecting investors and keeping the markets robust and competitive. First item up? Reforms to the proxy process to prevent activists from diverting attention from core issues; while he supported shareholder democracy, he believed that democracy should reflect the say of the shareholders, not external parties that, in his view, exploit the existing process to impose their beliefs. The Working Group appears to have identified the shareholder proposal process as instrumental in promoting ESG concerns. Will this spotlight have any impact?

Federal district court upholds forum selection provision for claims under Section 10(b)

You probably remember the 2020 major cyberattack—reportedly perpetrated by a foreign government—of SolarWinds, a Delaware public company that “provides software products used to monitor the health and performance of information-technology networks.” The hack of the company’s software systems affected thousands of clients, including several government agencies. After the company disclosed the cyberattack, its stock price plummeted. Litigation ensued.  One of the cases, Sobel v. Thompson, brought in a Texas federal district court, was a derivative lawsuit in which the plaintiff stockholder claimed, on behalf of the company, that the company’s officers and directors failed to disclose known cybersecurity deficiencies in the company’s periodic and other reporting prior to the cyberattack—a case under Exchange Act Section 10(b).  The defendants moved to dismiss the case on the basis of forum non conveniens.  Why? Because the company’s charter included a forum-selection provision making the Delaware Chancery Court the exclusive forum for derivative litigation. The Court dismissed the case, notwithstanding the plaintiff’s contention that, in light of the federal courts’ exclusive jurisdiction over Exchange Act claims, enforcement of the charter provision would effectively preclude him from bringing his derivative Exchange Act claims in any forum.  We have previously seen cases addressing enforcement of Delaware forum-selection clauses in the context of claims regarding allegedly false or misleading proxy statement disclosures under section 14(a), and there, the circuits are split.  Per Alison Frankel’s piece in Reuters, this case may be novel in that it addresses the application of a forum-selection provision in the context of claims under Section 10(b). Will this case—and, should it be widely followed, others like it—effectively put the kibosh on derivative Section 10(b) claims?

Cooley Alert: Will SCOTUS’ affirmative action decision affect your company’s DEI policies?

Many questions have been raised about the direct and indirect impact of the SCOTUS decision in in Students for Fair Admissions, Inc. v. President and Fellows of Harvard College (decided with Students for Fair Admissions, Inc. v. University of North Carolina, et al.), that using race as a factor in college admissions violates the Equal Protection Clause of the Constitution. This excellent Cooley Alert, Supreme Court’s Affirmative Action in Education Ruling Leaves Employment Diversity Initiatives Untouched—for Now, from members of Cooley’s Employment Group, provides many of the answers.

Disney decision to speak out on issue of social significance within board’s business judgment

Boards and their advisors seeking to navigate the culture wars and their often conflicting pressures from a variety of stakeholders and outside groups may find some comfort and guidance in this recent decision from the Delaware Chancery Court in Simeone v. The Walt Disney Company.  The case involved a books-and-records demand from a stockholder asserting a potential breach of fiduciary duty by Disney’s directors and officers in their determination to publicly oppose Florida’s so-called “Don’t Say Gay” bill. Originally, Disney was silent on the bill. However, following reproaches from employees and other creative partners, Disney’s board deliberated at a special meeting, and the company changed course and publicly criticized the bill.  The Court declined to grant the plaintiff’s books-and-records request, concluding that the plaintiff had not provided a credible basis from which to infer wrongdoing and thus had not “demonstrated a proper purpose to inspect books and records.” Rather, the Court concluded, the Disney board had made a business decision to reverse course—“a decision that cannot provide a credible basis to suspect potential mismanagement irrespective of its outcome.”  Under Delaware’s business judgment rule, directors have “significant discretion to guide corporate strategy—including on social and political issues.”  Importantly, the Court confirmed that, in exercising its business judgment, a board may take into account the interests of non-stockholder corporate stakeholders where those interests are “rationally related” to building long-term value.