Category: Corporate Governance
Corp Fin issues new CDIs on delaying Form 8-Ks for material cybersecurity incidents
Corp Fin has just released some new CDIs, summarized below, relating to material cybersecurity incidents. As you know, in July, the SEC voted, three to two, to adopt final rules on cybersecurity disclosure, which include a requirement for material incident reporting on Forms 8-K and 6-K. Compliance with the 8-K and 6-K incident disclosure requirements will be required for all companies other than smaller reporting companies beginning on December 18, 2023. SRCs will have an additional 180-day deferral. (See this PubCo post.) The new CDIs can all be found under the caption Exchange Act Forms, in a new Section 104B, Item 1.05 Material Cybersecurity Incidents. Summaries are below, but each CDI number is linked to the CDI on the SEC website, so you can easily read the version in full.
The CAQ has some ideas for improving audit committee disclosure
The Center for Audit Quality, working with Ideagen Audit Analytics, has just released a new edition of its annual Audit Committee Transparency Barometer, which, over the past ten years, has measured the robustness of audit committee disclosures in proxy statements among companies in the S&P Composite 1500. Why is that important? According to the CAQ, “numerous studies have identified a positive correlation between increased communication of audit committee oversight through disclosures in the proxy statement and increased audit quality.” Not to mention the interest of investors and other stakeholders in better disclosure. The bottom line, according to the CAQ, is that the level of voluntary transparency has continued to increase steadily in most core areas of audit committee responsibility, such as oversight of the external auditor, as well as in evolving areas, such as cybersecurity risk and ESG. But it could still stand some improvement. In light of the “current environment of economic uncertainty, geopolitical crises, and new ways of working,” the CAQ encourages audit committees to jettison boilerplate and “tell their story through tailored disclosures in the proxy statement…. For audit committees to enhance their disclosures, they should provide further discussion not just of what they do in their oversight of the external auditor but also how they do it.” In the Barometer, the CAQ offers some specific ideas on just how audit committees can improve their disclosure and enhance its utility.
SEC’s Fall 2023 Reg-Flex Agenda is out—climate disclosure rules delayed again
The SEC’s Fall 2023 Reg-Flex Agenda—according to the preamble, compiled as of August 22, 2023, reflecting “only the priorities of the Chair”—has now been posted. And it’s Groundhog Day again. All of the Corp Fin agenda items made an appearance before on the last agenda and, in most cases, several agendas before that. Do I hear a sigh of relief? Of course, the new agenda is a bit shorter than the Spring 2023 agenda, given the absence of regulations that have since been adopted, including cybersecurity risk governance (see this PubCo post) and modernization of beneficial ownership reporting (see this PubCo post). At first glance, the biggest surprise—if it’s on the mark, that is—is that the target date for final action on the SEC’s controversial climate disclosure proposal has been pushed out until April 2024. Keep in mind that it is only a target date, and the SEC sometimes acts well in advance of the target. For example, the cybersecurity proposal had a target date on the last agenda of October 2023, but final rules were adopted much earlier in July. I confess that my hunch was that we would see final rules before the end of this year, but adoption this year looks increasingly unlikely (especially given that the posted agenda for this week’s open meeting does not include climate). Not surprisingly, there’s nothing on the agenda about a reproposal of the likely-to-be vacated (?) share repurchase rules, although, at the date that the agenda was compiled, the possibility of vacatur was not yet known. (See this PubCo post.) Describing the new agenda, SEC Chair Gary Gensler observed that “[w]e are blessed with the largest, most sophisticated, and most innovative capital markets in the world. But we cannot take this for granted. Even a gold medalist must keep training. That’s why we’re updating our rules for the technology and business models of the 2020s. We’re updating our rules to promote the efficiency, integrity, and resiliency of the markets. 
We do so with an eye toward investors and issuers alike, to ensure the markets work for them and not the other way around.”
What special issues should Comp Committees think about next year?
In this Viewpoint, Issues Facing Compensation Committees in 2024, comp consultant Pay Governance takes a look at how the current economic and geopolitical uncertainty, together with an “onslaught” of new SEC rules, may affect Comp Committee considerations and discussions regarding executive compensation in the new year—unbelievably, only a month or so away. The authors divide their list of new issues into three topics: “Goal Setting and Performance Measurement, Long-Term Incentive (LTI) Design, and Corporate Governance.” This post identifies highlights, but reading their Viewpoint in full is highly recommended.
Corp Fin issues new CDIs regarding the proxy rules
On Friday, Corp Fin released some new CDIs, summarized below, relating to the proxy rules. The CDIs can all be found under the caption Proxy Rules and Schedule 14A, and all are new with one exception for a newly revised CDI under Rule 14a-6. Universal proxy is once again a hot topic, and there are three new CDIs on universal proxy to add to your collection. (You might recall that Corp Fin issued new CDIs on universal proxy in August and December last year. See this PubCo post and this PubCo post.) Summaries are below, but each CDI number below is linked to the CDI on the SEC website, so you can easily read the version in full.
SEC reports Enforcement stats for fiscal 2023—with big contributions from whistleblowers
The SEC has announced its Enforcement stats for fiscal 2023, which revealed that the SEC filed 784 total enforcement actions, up 3% from the 760 filed in fiscal 2022. However, the level of financial remedies declined in fiscal 2023 to $4.9 billion from a record $6.4 billion last year. Nevertheless, it was still the second highest amount in SEC history. (Of course, you might recall that Gurbir S. Grewal, Director of the Division of Enforcement, said last year that the SEC didn’t expect to break last year’s records and set new ones every year because they “expect behaviors to change. We expect compliance.”) Of those financial recoveries, in fiscal 2023, the SEC distributed $930 million to harmed investors, representing the second consecutive year of distributions in excess of $900 million. But the standout statistics this year related to the SEC’s whistleblower program, where new records were set with whistleblower awards totaling almost $600 million, and 18,000 whistleblower tips in fiscal 2023, about 50% more tips than were received in fiscal 2022. A new record was also set with a $279 million award to one whistleblower. Overall, in fiscal 2023, the SEC received over “40,000 tips, complaints, and referrals in total,” a 13% increase over last year. According to SEC Chair Gary Gensler, the “investing public benefits from the Division of Enforcement’s work as a cop on the beat….Last fiscal year’s results demonstrate yet again the Division’s effectiveness—working alongside colleagues throughout the agency—in following the facts and the law wherever they lead to hold wrongdoers accountable.” Grewal added that “[i]nvestor protection and enhancing public trust in our markets requires that we work with a sense of urgency, using all the tools in our toolkit. 
As today’s results make clear, that’s precisely what the Enforcement Division did in fiscal year 2023….Whether it was by leveraging risk-based initiatives, seeking robust remedies, rewarding cooperation, protecting whistleblowers, or returning nearly a billion dollars to harmed investors, the Enforcement Division stood up for the investing public.”
SEC charges Charter Communications with controls violation related to 10b5-1 plans for company buybacks
Yesterday, the SEC announced a settled action against Charter Communications for “violating internal accounting controls requirements when it engaged in stock buybacks not authorized by its board of directors.” More specifically, the Board had authorized the company to conduct stock buybacks using Rule 10b5-1 plans, but the SEC contended that Charter’s plans contained a provision that permitted too much discretion—allowing Charter to “change the total dollar amounts available to buy back stock and to change the timing of buybacks after the plans took effect.” As a result, the SEC concluded, the plans did not satisfy Rule 10b5-1. But this was not a case about insider trading. Rather, the SEC charged, because the plans did not satisfy Rule 10b5-1, the buybacks were effectively unauthorized. And that was a problem of ineffective internal accounting controls (which, the SEC maintained, aren’t necessarily just about accounting). According to Melissa Hodgman, Associate Director of Enforcement, “[c]ompanies whose boards authorize buybacks using Rule 10b5-1 plans must have controls that reasonably assure that their trading plans meet all of the rule’s conditions….This includes the fundamental requirement that, to benefit from the protection of Rule 10b5-1, traders have to relinquish their ability to influence the amount or timing of trades after their trading plans go into effect.” Charter agreed to pay a civil penalty of $25 million. Commissioners Hester Peirce and Mark Uyeda dissented.
The PCAOB suggests some questions for audit committee members
The PCAOB has posted a 2023 audit committee resource that identifies a number of questions that audit committees may want “to consider amongst themselves or in discussions with their independent auditors, particularly given today’s economic and geopolitical landscape.” The topics include the risk of fraud, risk assessment and internal controls, auditing and accounting risks, digital assets, M&A activities, use of the work of other auditors, talent and its impact on audit quality, independence, critical audit matters and cybersecurity. Audit committee members will certainly want to review the resource in its entirety, but, to give you a flavor, summarized below are some of the questions.
Some highlights of the 2023 PLI Securities Regulation Institute
This year’s PLI Securities Regulation Institute was a source for a lot of useful information and interesting perspectives. Panelists discussed a variety of topics, including climate disclosure (although no one shared any insights into the timing of the SEC’s final rules), proxy season issues, accounting issues, ESG and anti-ESG, and some of the most recent SEC rulemakings, such as pay versus performance, cybersecurity, buybacks and 10b5-1 plans. Some of the panels focused on these recent rulemakings echoed concerns expressed last year about the difficulty and complexity of implementation of these new rules, only this time, we also heard a few panelists questioning the rationale and effectiveness of these new mandates. What was the purpose of all this complication? Was it addressing real problems or just theoretical ones? Are investors really taking the disclosure into account? Is it all for naught? Pay versus performance, for example, was described as “a lot of work,” but, according to one of the program co-chairs, in terms of its impact, a “nothingburger.” (Was “nothingburger” the word of the week?) Aside from the agita over the need to implement the volume of complex rules, a key theme seemed to be the importance of controls and process—the need to have them, follow them and document that you followed them—as well as an intensified focus on cross-functional teams and avoiding silos. In addition, geopolitical uncertainty seems to be affecting just about everything. (For Commissioner Mark Uyeda’s perspective on the rulemaking process presented in his remarks before the Institute, see this PubCo post.) Below are just some of the takeaways, in no particular order.
SEC charges SolarWinds and CISO with securities fraud and control failures
You remember the 2020 SolarWinds hack, perhaps one of the worst cyberattacks in history? As NPR described it in 2021, we all regularly receive routine software updates like this one:
“‘This release includes bug fixes, increased stability and performance improvements’…. Last spring, a Texas-based company called SolarWinds made one such software update available to its customers. It was supposed to provide the regular fare—bug fixes, performance enhancements—to the company’s popular network management system, a software program called Orion that keeps a watchful eye on all the various components in a company’s network. Customers simply had to log into the company’s software development website, type a password and then wait for the update to land seamlessly onto their servers. The routine update, it turns out, is no longer so routine. Hackers believed to be directed by the Russian intelligence service, the SVR, used that routine software update to slip malicious code into Orion’s software and then used it as a vehicle for a massive cyberattack against America. ‘Eighteen thousand [customers] was our best estimate of who may have downloaded the code between March and June of 2020,’”
according to the Company’s CEO. And not just any customers—the Company determined that many very well-known companies and about a dozen government agencies were compromised, including the Treasury, Justice and Energy departments, the Pentagon and, ironically, the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security. On Monday, the SEC announced that it had filed a complaint against SolarWinds and its Chief Information Security Officer, Timothy G. Brown, charging “fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.” In the complaint, the SEC charges that “SolarWinds’ public statements about its cybersecurity practices and risks painted a starkly different picture from internal discussions and assessments about the Company’s cybersecurity policy violations, vulnerabilities, and cyberattacks.” According to Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, the SEC’s enforcement action “underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”