Category: Corporate Governance

The PCAOB suggests some questions for audit committee members

The PCAOB has posted a 2023 audit committee resource that identifies a number of questions that audit committees may want “to consider amongst themselves or in discussions with their independent auditors, particularly given today’s economic and geopolitical landscape.”  The topics include the risk of fraud, risk assessment and internal controls, auditing and accounting risks, digital assets, M&A activities, use of the work of other auditors, talent and its impact on audit quality, independence, critical audit matters and cybersecurity. Audit committee members will certainly want to review the resource in its entirety, but, to give you a flavor, summarized below are some of the questions.

Some highlights of the 2023 PLI Securities Regulation Institute

This year’s PLI Securities Regulation Institute was a source for a lot of useful information and interesting perspectives. Panelists discussed a variety of topics, including climate disclosure (although no one shared any insights into the timing of the SEC’s final rules), proxy season issues, accounting issues, ESG and anti-ESG, and some of the most recent SEC rulemakings, such as pay versus performance, cybersecurity, buybacks and 10b5-1 plans. Some of the panels focused on these recent rulemakings echoed concerns expressed last year about the difficulty and complexity of implementation of these new rules, only this time, we also heard a few panelists questioning the rationale and effectiveness of these new mandates. What was the purpose of all this complication? Was it addressing real problems or just theoretical ones? Are investors really taking the disclosure into account? Is it all for naught?  Pay versus performance, for example, was described as “a lot of work,” but, according to one of the program co-chairs, in terms of its impact, a “nothingburger.”  (Was “nothingburger” the word of the week?) Aside from the agita over the need to implement the volume of complex rules, a key theme seemed to be the importance of controls and process—the need to have them, follow them and document that you followed them—as well as an intensified focus on cross-functional teams and avoiding silos. In addition, geopolitical uncertainty seems to be affecting just about everything. (For Commissioner Mark Uyeda’s perspective on the rulemaking process presented in his remarks before the Institute, see this PubCo post.) Below are just some of the takeaways, in no particular order.

SEC charges SolarWinds and CISO with securities fraud and control failures

You remember the 2020 SolarWinds hack, perhaps one of the worst cyberattacks in history?  As NPR described it in 2021, we all regularly receive routine software updates like this one:

“‘This release includes bug fixes, increased stability and performance improvements’…. Last spring, a Texas-based company called SolarWinds made one such software update available to its customers. It was supposed to provide the regular fare—bug fixes, performance enhancements—to the company’s popular network management system, a software program called Orion that keeps a watchful eye on all the various components in a company’s network. Customers simply had to log into the company’s software development website, type a password and then wait for the update to land seamlessly onto their servers. The routine update, it turns out, is no longer so routine. Hackers believed to be directed by the Russian intelligence service, the SVR, used that routine software update to slip malicious code into Orion’s software and then used it as a vehicle for a massive cyberattack against America. ‘Eighteen thousand [customers] was our best estimate of who may have downloaded the code between March and June of 2020,’”

according to the Company’s CEO. And not just any customers—the Company determined that many very well-known companies and about a dozen government agencies were compromised, including the Treasury, Justice and Energy departments, the Pentagon and, ironically, the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security. On Monday, the SEC announced that it had filed a complaint against SolarWinds and its Chief Information Security Officer, Timothy G. Brown, charging “fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.” In the complaint, the SEC charges that “SolarWinds’ public statements about its cybersecurity practices and risks painted a starkly different picture from internal discussions and assessments about the Company’s cybersecurity policy violations, vulnerabilities, and cyberattacks.” According to Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, the SEC’s enforcement action “underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”

Gensler talks climate with the Chamber

In his introduction to a conversation late last week with SEC Chair Gary Gensler on “Climate Disclosure Developments: The SEC, California, and EU Extraterritoriality,” the President and CEO of the U.S. Chamber of Commerce’s Center for Capital Markets observed that, although companies have voluntarily responded to investors by increasingly disclosing information on climate, now policymakers in different states and across the globe are working to impose a plethora of mandatory reporting requirements for climate disclosure. The thing is, they’re not consistent. While the Chamber supported disclosure of material climate information, he cautioned that the actions by these policymakers have created a real risk that companies will face duplicate, differing, overlapping and even conflicting requirements. The SEC’s proposal to enhance standardization of climate disclosure might offer some real relief on that score, and that makes it all the more important, he said, for the SEC to act within its authority. The potential for public companies to become ensnared in this labyrinth of overlapping and conflicting regulation was the apparent subject of this conversation. In the end, however, Gensler’s steady focus was on the remit of the SEC under U.S. law. Risks to issuers arising out of inconsistency with California and the EU—well, not so much.

It’s not over till it’s over: Petition filed for rehearing en banc on Nasdaq board diversity rule

As discussed in this PubCo post, on October 18, a three-judge panel of the Fifth Circuit denied the petitions filed by the Alliance for Fair Board Recruitment and the National Center for Public Policy Research challenging the SEC’s final order approving the Nasdaq listing rules regarding board diversity and disclosure. The new listing rules adopted a “comply or explain” mandate for board diversity for most listed companies and required companies listed on Nasdaq’s U.S. exchange to publicly disclose “consistent, transparent diversity statistics” regarding the composition of their boards.  (See this PubCo post.)  Given that, by repute, the Fifth Circuit is the circuit of choice for advocates of conservative causes, the decision to deny the petition may have taken some by surprise—unless, that is, they were aware, as discussed in the WSJ and Reuters, that the three judges on this panel happened to all be appointed by Democrats.  Yesterday, the Petitioners filed a petition requesting a rehearing en banc by the Fifth Circuit, where Republican presidents have appointed 12 of the 16 active judges.  Not that politics has anything to do with it, of course.

Is there an alternative to Scope 3?

As you know, the SEC has proposed a sweeping set of regulations for disclosure on climate (see this PubCo post, this PubCo post and this PubCo post), and we anxiously wait to see what the final rules have in store (obviously not happening in October as the SEC had previously targeted). One controversial part of that proposal draws on the Greenhouse Gas Protocol, requiring disclosure of a company’s Scopes 1 and 2 greenhouse gas emissions, and, for larger companies, Scope 3 GHG emissions if material (or included in the company’s emissions reduction target), with a phased-in attestation requirement for Scopes 1 and 2 data for large accelerated filers and accelerated filers. There haven’t been many complaints about the Scope 1 and Scope 2 requirements, but Scope 3 is another matter. According to the SEC, some commenters indicated that, for many companies, Scope 3 emissions represent a large proportion of overall GHG emissions, and therefore, could be material. However, those emissions result from the activities of third parties in the company’s “value chain,” making collection of the data much more difficult and much less reliable. In two articles published in the Harvard Business Review—“Accounting for Climate Change” and “We Need Better Carbon Accounting. Here’s How to Get There”—Robert Kaplan and Karthik Ramanna from Harvard Business School and the University of Oxford, respectively, propose another idea—the E-liability accounting system. The GHG protocol is, at this point, deeply embedded. Would the E-liability system work? Should the SEC or other regulators make room for a different concept?

Relentless Inc. v. Dept. of Commerce: SCOTUS grants cert. to another case about Atlantic herring—and Chevron deference

On October 13, SCOTUS granted cert. in the case of Relentless, Inc. v. Dept. of Commerce, a case about whether the National Marine Fisheries Service has the authority to require herring fishing vessels to pay some of the costs for onboard federal observers who are required to monitor regulatory compliance. Does that ring a bell? Probably, because it’s exactly the same issue on which SCOTUS has already granted cert. in Loper Bright Enterprises v. Raimondo. (See this PubCo post.) Why grant cert. in this case too? It’s been widely reported that the reason was to allow Justice Ketanji Brown Jackson, who had recused herself on Loper Bright, to participate in what will likely be a very important decision: whether the Court should continue the decades-long deference of courts, under Chevron U.S.A., Inc. v. Nat. Res. Def. Council, to the reasonable interpretations of statutes by agencies (such as the National Marine Fisheries Service or, as has happened fairly often, the SEC, see this Cooley News Brief). The question presented is “[w]hether the Court should overrule Chevron or at least clarify that statutory silence concerning controversial powers expressly but narrowly granted elsewhere in the statute does not constitute an ambiguity requiring deference to the agency.” The decision could narrow, or even completely undo, that deference. The grant of cert. provided that the two cases will be argued in tandem in the January 2024 argument session. Mark your calendars.

Fifth Circuit denies petition challenging Nasdaq’s board diversity rule

On Friday, August 6, 2021, the SEC approved a Nasdaq proposal for new listing rules regarding board diversity and disclosure, accompanied by a proposal to provide free access to a board recruiting service. The new listing rules adopted a “comply or explain” mandate for board diversity for most listed companies and required companies listed on Nasdaq’s U.S. exchange to publicly disclose “consistent, transparent diversity statistics” regarding the composition of their boards.  (See this PubCo post.) As anticipated, a court challenge to these rules didn’t take long to materialize. On Monday, August 9, the Alliance for Fair Board Recruitment filed a slim petition under Section 25(a) of the Exchange Act in the Fifth Circuit Court of Appeals—the Alliance has its principal place of business in Texas—for review of the SEC’s final order approving the Nasdaq rule.  (See this PubCo post.) That petition was soon followed by a new petition challenging the rules filed by the National Center for Public Policy Research and subsequently transferred to the Fifth Circuit where the earlier filed petition was pending. (See this PubCo post.) Yesterday, a three-judge panel of the Fifth Circuit—by repute, the Circuit of choice for advocates of conservative causes—denied those petitions, in effect upholding Nasdaq’s board diversity listing rules. According to the unanimous decision,  “AFBR and NCPPR have given us no reason to conclude that the SEC’s Approval Order violates the Exchange Act or the APA.” The case is Alliance for Fair Board Recruitment, National Center for Public Policy Research v. SEC.  

Is political corruption securities fraud?

You remember Matt Levine’s mantra in his “Money Stuff” column on Bloomberg: “everything is securities fraud”? “You know the basic idea,” he says, a

“company does something bad, or something bad happens to it. Its stock price goes down, because of the bad thing. Shareholders sue: Doing the bad thing and not immediately telling shareholders about it, the shareholders say, is securities fraud. Even if the company does immediately tell shareholders about the bad thing, which is not particularly common, the shareholders might sue, claiming that the company failed to disclose the conditions and vulnerabilities that allowed the bad thing to happen. And so contributing to global warming is securities fraud, and sexual harassment by executives is securities fraud, and customer data breaches are securities fraud, and mistreating killer whales is securities fraud, and whatever else you’ve got. Securities fraud is a universal regulatory regime; anything bad that is done by or happens to a public company is also securities fraud, and it is often easier to punish the bad thing as securities fraud than it is to regulate it directly.” (Money Stuff, 6/26/19)  

(See this PubCo post.) But here’s a new one—bribery and political corruption as securities fraud. As described in this press release, in the fiscal-year-end enforcement crush, the SEC brought settled charges against Exelon Corporation, a utility services holding company, and its subsidiary, electric utility company Commonwealth Edison Company (ComEd), and filed a complaint against ComEd’s former CEO alleging “fraud in connection with a multi-year scheme to corruptly influence and reward the then-Speaker of the Illinois House of Representatives.” Exelon and ComEd agreed to settle the charges, with Exelon paying a civil penalty of $46.2 million.  The charges against the CEO are headed for trial.  So how is this securities fraud? According to the Chief of the SEC Enforcement Division’s Public Finance Abuse Unit, the CEO’s “remarks to investors about ComEd’s lobbying efforts hid the reality of the long-running political corruption scheme in which they were engaged….When corporate executives speak to investors, they must not mislead by omission.”

SEC charges executives with fraudulent revenue recognition practices

As part of its fiscal-year-end enforcement surge, the SEC filed charges against three former executives of Pareteum Corporation, a telecommunications and cloud software company, for fraudulent revenue recognition practices—a settled action against the former controller and a complaint against the former CFO and former Chief Commercial Officer (also, formerly CEO).  As described in the complaint, the SEC charged the former executives with orchestrating a fraudulent scheme to overstate revenue by recording revenue from non-binding purchase orders and concealing the practice from the company’s auditors. From 2018 through mid-2019, the SEC alleged, the defendants’ improper revenue recognition practices resulted in the company’s overstating revenue by “approximately $12 million for fiscal year 2018 (60% of the ultimately restated revenue), and by approximately $30 million for the first and second quarters of 2019 (91% of the ultimately restated revenue).” In addition, the former CFO, the SEC charged, did not establish sufficient internal accounting controls to assess whether revenue should be recognized under GAAP. According to the press release, Pareteum previously settled with the SEC on accounting and disclosure fraud charges in 2021 and filed for bankruptcy in 2022. Notably, the U.S. Attorney’s Office for the SDNY has announced parallel criminal charges against the former CFO and CCO. According to the Associate Director of Enforcement for the SEC’s Philadelphia Regional Office, as the SEC alleged in its complaint, “Pareteum’s executives artificially inflated Pareteum’s revenue numbers to create the illusion of robust revenue growth….Investors should be able to trust public companies to issue truthful and accurate financial statements, and we will hold accountable any executives who abuse that trust and defraud investors.”