SEC Enforcement mini-sweep charges hypothetical risk factors and other misleading cyber disclosures
On Tuesday, the SEC announced settled charges against four companies for “making materially misleading disclosures regarding cybersecurity risks and intrusions.” The charges against the companies, Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd and Mimecast Limited, all resulted from an investigation of companies “potentially impacted by the compromise of SolarWinds’ Orion software and by other related activity.” (See this PubCo post and this PubCo post.) According to law.com, the SEC “began issuing sweep letters to potential SolarWinds hack victims back in 2021.” The SEC charged that each of these companies learned that the “threat actor” that was probably the cause of the SolarWinds hack had “accessed their systems without authorization, but each negligently minimized its cybersecurity incident in its public disclosures.” In two instances, the companies were alleged to have framed their disclosures as hypothetical or generic risks. Unisys was also charged with a disclosure controls violation. According to Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement, “[a]s today’s enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered….Here, the SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents.” Jorge G. Tenreiro, Acting Chief of the Crypto Assets and Cyber Unit, cautioned that “[d]ownplaying the extent of a material cybersecurity breach is a bad strategy….In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned of risks had already materialized. The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures.” The companies were each charged with violations of the Securities Act, the Exchange Act and related rules, and agreed to pay civil penalties ranging from $990,000 (Mimecast) to $4 million (Unisys). Commissioners Hester Peirce and Mark Uyeda dissented, contending that the SEC “needs to start treating companies subject to cyberattacks as victims of a crime, rather than perpetrators of one.”
Cooley Alert: “SEC Adopts EDGAR Next: What’s New About Next, and What Should SEC Registrants Do Now to Comply?”
In September, the SEC adopted changes to the EDGAR system designed primarily to enhance EDGAR security, specifically related to EDGAR filer access and account management. (See this PubCo post.) While the SEC has updated EDGAR several times, it’s been over ten years since the SEC updated EDGAR login, password and other account access protocols in any significant way. The new rules involve substantial updates to those processes. This new Cooley Alert, “SEC Adopts EDGAR Next: What’s New About Next, and What Should SEC Registrants Do Now to Comply?,” from our Public Companies group, is designed to help you through that transition.
SCOTUS denies cert. in case regarding agency independence
This PubCo post highlighted a petition for cert. filed this term to review the Fifth Circuit decision, Consumers’ Research v. Consumer Product Safety Commission. Below is a brief update on the outcome. The expectation was that, if the SCOTUS granted cert. in the case, the Court might take the opportunity to continue its shellacking of the administrative state. But would they? The case involved the concept of agency independence as established in a 1935 case, Humphrey’s Executor v. United States—more specifically, the president’s authority to remove commissioners of so-called “independent” agencies, in this instance, the Consumer Product Safety Commission. With the three-judge panel of the Fifth Circuit practically begging SCOTUS to review its decision, it sure seemed like a good bet that the Court would grant cert.
Are responses to failed say-on-pay votes consequential?
Are you ever surprised that more companies don’t fail their say-on-pay votes? Say on pay was adopted by the SEC under a Dodd-Frank mandate signed into law against the backdrop of the 2008 financial crisis. The mandate was enacted largely in reaction to the public’s railing against the runaway levels of compensation paid to some corporate executives despite poor performance by their companies, especially when those firms were viewed as contributors to the crisis itself. Say on pay was expected to help rein in excessive levels of compensation and, even though the vote was advisory only, ascribe some level of accountability to boards and compensation committees that set executive compensation levels. But, while say on pay may have driven more investor engagement—certainly a good thing—the anticipated say-on-pay challenge by shareholders to out-of-line pay packages did not really materialize. From the get-go, the average failure rate has only been about 2%. Instead, say-on-pay votes have served largely as confirmations of board decisions regarding executive compensation and not, in most cases, as the kind of rock-throwing exercises that many companies had feared and some governance activists had hoped. According to a 2011 Business Week article, Robert A.G. Monks, who founded ISS in 1985, concluded that say on pay was “‘at best a diversion and at worst a deception….You only have the appearance of reform, and it’s a cruel hoax.’” This paper, Failed Say on Pay: How Do Companies Course Correct after a ‘No’ Vote?, from the Rock Center for Corporate Governance at Stanford University, with authors from Stanford and Equilar, looked at the 2% that fail the vote and what they did in response to pass muster with investors. But the underlying message is reflected in the authors’ questions: “Does this process reflect a healthy dynamic of the market correcting egregious practices, or does it simply reflect a standardization process whereby observed outlier practices are brought in line with industry norms? Do the changes companies make in response to a failed vote lead to substantive improvement in the managerial incentives of their pay programs?”
A few interesting items from the CCR proxy disclosure conference
Here are a few interesting snippets regarding shareholder proposals and Item 1.05 Form 8-K from this week’s 2024 Proxy Disclosure & 21st Annual Executive Compensation Conferences from CCR Corp. On the panels, the watchword of the day seemed to be consistency—given that some topics are increasingly required to be discussed in more than one SEC filing, location or context (e.g., cyber disclosures in the proxy and 10-K), the panelists urged the audience to make sure that the disclosures were consistent with each other and that the discussions of policies, charters and procedures were consistent with the company’s conduct.
NYSE proposes to limit the use of reverse stock splits to regain price compliance
Not to be outdone by Nasdaq, the NYSE is now also proposing to take on the challenge of repeated reverse stock splits. More specifically, the NYSE proposes to limit the circumstances under which a listed company may use a reverse stock split to regain compliance with the minimum price criteria. Of course, Nasdaq has recently proposed or adopted similar rule changes limiting the use of reverse stock splits to satisfy the minimum bid price requirement. (See the SideBar below.) Although the NYSE had said in May that it had not experienced the same increased volume of reverse stock splits as Nasdaq, the exchanges are apparently seeking some consistency in their approaches to these issues.
In new GAO report, some distressing news about SEC’s conflict minerals rules and violence in DRC
“Conflict Minerals—Peace and Security in Democratic Republic of the Congo Have Not Improved with SEC Disclosure Rule.” That is the title of the final required report of the U.S. Government Accountability Office, the last of 17 reports provided in response to the statutory mandate of the 2010 Dodd-Frank Act. As you probably know, the SEC’s conflict minerals rules were originally mandated by Congress in Section 1502 of Dodd-Frank in an attempt to limit the use of revenue from the trade in conflict minerals to fund the operations of armed groups that have wreaked violence in the DRC and adjoining countries. Under Dodd-Frank, the GAO is required to assess periodically the effectiveness of the SEC’s conflict minerals rules in promoting peace and security in the DRC region. While the blunt conclusions of this year’s report are, to say the least, very discouraging—even devastating—on so many levels, they should not come as a complete surprise: in 2022, the GAO also reported that the violence in the DRC had not abated: “overall peace and security in the region has not improved since 2014 because of persistent, interdependent factors that fuel violence by non-state armed groups.” (See this PubCo post.) But that assessment was not showcased in the title as it is this year. This time, as Liz Dunshee so aptly phrased it on thecorporatecounsel.net, the report “did not bury the lede.” This year, the GAO found that, not only had the rule not curtailed the level of violence in the DRC, in some areas, the rule was actually associated with a spread of violence. That is, if the report’s findings are accurate, not only are we not helping the problem; in some contexts, such as gold mining, we’re actually exacerbating it. It’s worth noting that, as the GAO reports, the “SEC disagreed with some of GAO’s findings and raised concerns about some of its methodology and analyses. In response, GAO made certain adjustments that did not materially affect its findings.” Will the disturbing conclusions of the report propel Congress to reexamine Section 1502?
Out of compliance with NYSE listing standards? Better fork over your unpaid fees
The NYSE has proposed a new rule change: if a company is out of compliance with a continued listing standard and it owes the NYSE any unpaid fees, the NYSE will not review a compliance plan submitted by that company and, instead, will “immediately commence suspension and delisting procedures if such fees are not paid in full by the plan submission deadline or at the time of any required periodic review of such plan.”
Is there a place for more inside directors on corporate boards?
In this article in the Harvard Business Review, a law professor from the University of Calgary makes “The Case for More Company Insiders on Boards.” From the end of World War II to the 1970s, he observes, the composition of most boards of U.S. companies was predominantly insider—75% of board directors were insiders in the decade after World War II. But, he maintains, that changed “in the wake of the rising distrust of all American institutions” after Viet Nam and Watergate in the 1970s, as new concepts of corporate governance emerged and the NYSE began to adopt listing rule changes, such as a requirement for independent audit committees. And after the Enron and WorldCom financial scandals of the 2000s, further changes in corporate governance requirements and expectations for board independence ultimately made the overwhelming prevalence of independent directors on corporate boards and committees de rigueur. By 2005, the author reports, 75% of directors of large U.S. public companies were independent and, as of 2023, that percentage had risen to 85%. But is that necessarily a good thing? Maybe not so much, the author contends. Rather, he maintains, the “empirical research on director independence suggests…that business leaders should re-consider the merits of inside directors.”
SEC approves Nasdaq proposal related to bid price compliance periods and reverse splits
In July, the SEC posted a Nasdaq rule change proposal to “modify the application of the bid price compliance periods where a listed company takes an action to achieve compliance with the bid price requirement and that action causes noncompliance with another listing requirement.” (See this PubCo post.) The proposed rule change was designed to address instances where, to regain compliance with the minimum bid price required by Nasdaq listing rules, a listed company implements a reverse stock split; however, while the reverse split may bring the company into compliance with the minimum bid price requirement, it may also, at the same time, lead to non-compliance with another listing rule—particularly, the requirements for the number of publicly held shares and number of public holders, triggering a new deficiency process with a new time period for the company to seek to regain compliance. That’s excessive, Nasdaq said, and too confusing for investors, possibly adversely affecting investor confidence in the market. Because Nasdaq believed it was inappropriate for a company to receive additional time to cure non-compliance with the newly violated listing standard, it sought, with the proposal, to eliminate the additional compliance period that would otherwise result from the newly created deficiency. But by August, the SEC hadn’t yet approved the proposal and extended the deadline for approval. Now, Nasdaq has filed Amendment No. 2 to the proposal—primarily clarifications—and the SEC has just given its approval to the proposal as amended. As a result, companies will need to carefully calculate the potential impact of a reverse split on other listing requirements to avoid these consequences where possible.