SEC charges DXC with misleading non-GAAP disclosures and absence of non-GAAP disclosure controls
The SEC has announced settled charges against DXC Technology Company, a multi-national information technology company, for making misleading disclosures about its non-GAAP financial performance in multiple reporting periods from 2018 until early 2020. According to the Order, DXC materially increased its reported non-GAAP net income “by negligently misclassifying tens of millions of dollars of expenses ” as non-GAAP adjustments related to strategic transactions and integration and improperly excluding them from its reported non-GAAP earnings. In addition to misclassification, DXC allegedly failed to accurately describe the scope of the expenses included in the company’s non-GAAP adjustment, with the result that “its non-GAAP net income and non-GAAP diluted EPS in periodic reports and earnings releases were materially misleading.” What’s more, the SEC alleged, DXC did not have a non-GAAP policy or adequate disclosure controls and procedures in place specific to its non-GAAP financial measures. Consequently, DXC “negligently failed to evaluate the company’s non-GAAP disclosures adequately.” DXC agreed to pay a civil penalty of $8 million. According to the SEC’s Associate Director of Enforcement, “[i]ssuers that choose to report non-GAAP financial metrics must accurately describe those metrics in their public disclosures….As the order finds, DXC’s informal procedures and controls were not up to the task, and, as a result, investors were repeatedly misled about its non-GAAP financial performance.”
Ransomware attack—SEC charges misleading disclosures and disclosure control failure—again!
Last week, the SEC announced settled charges against Blackbaud, Inc., a provider of donor data management software to non-profit organizations, for misleading disclosures and disclosure control failures. According to the SEC, in May 2020, employees at the company discovered evidence of a ransomware attack. After an investigation, the company announced the incident and advised affected customers—specifying that sensitive donor data was not involved. But just a couple of weeks later, the SEC alleged, company personnel learned that the attacker had, in fact, accessed sensitive donor data for a number of customers—including bank account and social security numbers. But—you guessed it—it’s disclosure controls again! The personnel with knowledge of the scope of the breach “did not communicate this to Blackbaud’s senior management responsible for disclosures, and the company did not have policies or procedures in place designed to ensure they do so.” As a result, the SEC claimed, the company filed a Form 10-Q that still omitted mention of the exfiltration of sensitive donor data and framed its cybersecurity risk factor disclosure as purely hypothetical. The SEC viewed Blackbaud’s disclosure as misleading and its disclosure controls as inadequate and imposed a civil penalty of $3 million. According to the Chief of SEC Enforcement’s Crypto Assets and Cyber Unit, “Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous….Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.”
DOJ and SEC bring charges for insider trading and fraudulent scheme using purported 10b5-1 plans
Government officials, especially those in SEC Enforcement, have been making noise about the potential for insider trading abuse of Rule 10b5-1 plans since at least 2007, when then-SEC Enforcement Chief Linda Thomsen expressed concern that “executives are taking advantage of a legal safe harbor to sell their stock and profit before their companies report bad news….[A]cademic studies suggest that the rule may be a cover for improper activity, Thomsen said. ‘We’re looking at this hard….If executives are in fact trading on inside information and using a plan for cover, they should expect the ‘safe harbor’ to provide no defense.’” (See this Cooley News Brief.) Now, in 2023, DOJ has unsealed an indictment against Terren Peizer, the executive chair of Ontrak, Inc., representing the first time, according to the press release, that DOJ has brought “criminal insider trading charges based exclusively on an executive’s use of 10b5-1 trading plans.” (Note, however, that the SEC did bring a case last year against executives of Cheetah Mobile related to sales under a purported 10b5-1 trading plan entered into while in possession of material nonpublic information. See this PubCo post.) DOJ charged that Peizer entered into a fraudulent scheme using 10b5-1 plans and engaged in insider trading, both of which charges carry stiff criminal penalties. DOJ said that the FBI is continuing to investigate this case. Not to be completely outdone—although it’s hard not to be outdone by the threat of serious jail time—the SEC has also filed a civil complaint against Peizer, charging that he engaged in insider trading in Ontrak shares using 10b5-1 plans as part of a scheme to evade insider trading prohibitions: when Peizer entered into the plans, the SEC alleged, he was aware of material nonpublic information about the company. As you probably know, to be effective in insulating an insider from potential insider trading liability, the 10b5-1 plan must be established when the insider is acting in good faith and not aware of MNPI. Creating the plan once the insider has learned of MNPI, as alleged in this case, would seem to defeat the whole purpose of the rule—to ensure an even playing field for all investors. The SEC alleged that Peizer sold more than $20 million of Ontrak stock, avoiding more than $12.7 million in losses. At the end of last year, Bloomberg reported that the SEC and DOJ were using data analytics “in a sweeping examination of preplanned equity sales by C-suite officials.” (See this PubCo post.) That effort appears to have paid off in this case; DOJ advises that this investigation was “part of a data-driven initiative led by the Fraud Section to identify executive abuses of 10b5-1 trading plans,” suggesting perhaps that this may not be the last prosecution we will see for abuse of 10b5-1 plans.
SEC brings settled charges against Roadrunner—no, not the cartoon character—for accounting fraud
Here’s another earnings management case from SEC Enforcement, this time against Roadrunner Transportation Systems, Inc., a shipping and logistics company formerly traded on the NYSE, involving a veritable pu pu platter of alleged financial manipulations. As charged in the SEC’s Order, from July 2013 through January 2017, the company engaged in an “accounting fraud scheme by manipulating its financial reports to hit prior earnings guidance and analyst projections.” Among other things, Roadrunner was alleged to have improperly deferred and stretched out expenses over multiple quarters to minimize their impact on earnings, failed to write down worthless assets and uncollectable receivables, and manipulated earnout liabilities related to its numerous acquisitions. The company agreed to pay disgorgement of just over $7 million, with prejudgment interest of approximately $2.5 million—except that the company paid nothing additional: the penalties were deemed satisfied by the settlement payment the company made in connection with prior private securities litigation.
DOJ announces nationwide voluntary self-disclosure policy
On Wednesday, the DOJ announced a new Voluntary Self-Disclosure Policy, which sets out the criteria for determining when a company is deemed to have made a voluntary self-disclosure of misconduct to a US Attorney’s Office and how the company might benefit from a “resolution under more favorable terms.” According to the press release, the policy is intended to provide “transparency and predictability to companies and the defense bar concerning the concrete benefits and potential outcomes in cases where companies voluntarily self-disclose misconduct, fully cooperate, and timely and appropriately remediate. The goal of the policy is to standardize how VSDs are defined and credited by USAOs nationwide, and to incentivize companies to maintain effective compliance programs capable of identifying misconduct, expeditiously and voluntarily disclose and remediate misconduct, and cooperate fully with the government in corporate criminal investigations.”
SEC Enforcement’s “EPS Initiative” chalks up another one
Last week, the SEC announced settled charges against Gentex Corporation, a manufacturer of digital vision, connected car, dimmable glass and fire protection products, and its former Chief Accounting Officer and current CFO, Kevin Nash, related to financial reporting, books-and-records and internal accounting controls violations. Allegedly, these violations were the consequence of deficiencies in the company’s accounting practices for its bonus programs, which practices allowed the company to manage its earnings by adjusting its accruals for bonuses to ensure that publicly reported EPS was in line with consensus EPS estimates—without the required accounting analysis or adequate supporting documentation. According to the SEC, had the company not reduced the accrual for bonuses, it “would have missed consensus EPS estimates by one penny.” Gentex was ordered to pay a civil money penalty of $4 million and Nash to pay $75,000. These charges represent yet another case resulting from SEC Enforcement’s “Earnings-Per-Share Initiative,” which applies risk-based data analytics to detect potential violations from earnings management, among other things.
SEC floats dialing back climate disclosure rules
The SEC has apparently let it be known—or perhaps a few reporters are especially intrepid—that it may well pare down and loosen up some of its proposed rules on climate disclosure (see this PubCo post, this PubCo post and this PubCo post). In this article in Politico and this article in the WSJ, “three people familiar with the matter” and “people close to the agency” told reporters that SEC Chair Gary Gensler is “considering scaling back a potentially groundbreaking climate-risk disclosure rule that has drawn intense opposition from corporate America.” According to Politico, SEC officials “stress that no decision has yet been made,” so time will tell where the final rulemaking will end up.
Workplace misconduct again! SEC charges failure of disclosure controls
Alleged workplace misconduct—and the obligation to collect information and report up about it—rears its head again in yet another case, this time involving Activision Blizzard, Inc. Just last month, in In re McDonald’s Corporation, the former “Chief People Officer” of McDonald’s Corporation was alleged to have breached his fiduciary duty of oversight by consciously ignoring red flags about sexual harassment and misconduct in the workplace. According to the court in that case, the defendant “had an obligation to make a good faith effort to put in place reasonable information systems so that he obtained the information necessary to do his job and report to the CEO and the board, and he could not consciously ignore red flags indicating that the corporation was going to suffer harm.” (See this PubCo post.) Now, the SEC has issued an Order in connection with a settled action alleging that Activision Blizzard, Inc., a videogame developer and publisher, violated the Exchange Act’s disclosure controls rule because it “lacked controls and procedures designed to ensure that information related to employee complaints of workplace misconduct would be communicated to Activision Blizzard’s disclosure personnel to allow for timely assessment on its disclosures.” In addition, the SEC alleged that the company violated the whistleblower protection rules by requiring, in separation agreements, that former employees “notify the company if they received a request from a government administrative agency in connection with a report or complaint.” As a result, Activision Blizzard agreed to pay a $35 million civil penalty. These cases suggest that company actions (or lack thereof) around workplace misconduct and information gathering and reporting about it have resonance far beyond employment law. It’s also noteworthy that this Order represents yet another case (see this PubCo post) where a “control failure” is a lever used by SEC Enforcement to bring charges against a company notwithstanding the absence of any specific allegations of material misrepresentation or misleading disclosure, a point underscored by Commissioner Hester Peirce in her dissenting statement, discussed below.
Delaware VC Laster finds a “black swan”—a fiduciary duty of oversight for officers
In In re McDonald’s Corporation, defendant David Fairhurst, who formerly served as Executive Vice President and Global Chief People Officer of McDonald’s Corporation, contested a stockholders’ claim that he had breached his fiduciary duty of oversight by arguing that there is no fiduciary duty of oversight for officers, only for directors. VC Laster of the Delaware Chancery Court responded this way: “That observation is descriptively accurate, but it does not follow that officers do not owe oversight duties. For centuries dating back to the Roman satirist Juvenal, Europeans used the phrase ‘black swan’ as a figure of speech for something that did not exist. Then in the late eighteen century, Europeans arrived on the shores of Australia, where they found black swans. The fact that no one had seen one before did not mean that they could not or did not exist…. Framed in terms of the issue in this case, decisions recognizing director oversight duties confirm that directors owe those duties; those decisions do not rule out the possibility that officers also owe oversight duties.” With that—and a lengthy exposition—Laster confirmed that Fairhurst did indeed have a duty of oversight, much like the Caremark duties applicable to corporate directors.
Audit committee oversight of ESG fraud risk
In this article, accounting firm Deloitte observes that boards and managements often experience “denial” when the topic of fraud risk arises—no one wants to feel that the trust they place in their own employees is actually misplaced. Still, fraud risk is one topic that typically finds its way onto the agendas of audit committees. Deloitte advises that, with the current attention to ESG and in anticipation of new rulemaking from the SEC on disclosure related to climate, human capital and other ESG-related topics (see this PubCo post), “fraud risk in this area should be top of mind for audit committees and a focal point in fraud risk assessments overseen by the audit committee.” While audit committees focus primarily on financial statement fraud risk, Deloitte suggests that audit committees should consider expanding their attention to fraud risk related to ESG, an area that is “not governed by the same types of controls present in financial reporting processes,” and, therefore, may be more susceptible to manipulation. In their oversight capacity, audit committees have a role to play, Deloitte suggests, by engaging with “management, including internal audit, fraud risk specialists, and independent auditors to understand the extent to which fraud risk is being considered and mitigated.”
You must be logged in to post a comment.