This year’s PLI Securities Regulation Institute was a source for a lot of useful information and interesting perspectives. Panelists discussed a variety of topics, including climate disclosure (although no one shared any insights into the timing of the SEC’s final rules), proxy season issues, accounting issues, ESG and anti-ESG, and some of the most recent SEC rulemakings, such as pay versus performance, cybersecurity, buybacks and 10b5-1 plans. Some of the panels focused on these recent rulemakings echoed concerns expressed last year about the difficulty and complexity of implementation of these new rules, only this time, we also heard a few panelists questioning the rationale and effectiveness of these new mandates. What was the purpose of all this complication? Was it addressing real problems or just theoretical ones? Are investors really taking the disclosure into account? Is it all for naught? Pay versus performance, for example, was described as “a lot of work,” but, according to one of the program co-chairs, in terms of its impact, a “nothingburger.” (Was “nothingburger” the word of the week?) Aside from the agita over the need to implement the volume of complex rules, a key theme seemed to be the importance of controls and process—the need to have them, follow them and document that you followed them—as well as an intensified focus on cross-functional teams and avoiding silos. In addition, geopolitical uncertainty seems to be affecting just about everything. (For Commissioner Mark Uyeda’s perspective on the rulemaking process presented in his remarks before the Institute, see this PubCo post.) Below are just some of the takeaways, in no particular order.
In remarks this week before PLI’s 55th Annual Institute on Securities Regulation, SEC Commissioner Mark Uyeda shared his views about the disclosure rulemaking process. He observed that, since becoming a commissioner 16 months ago, the SEC has adopted five major disclosure rules—pay versus performance, clawbacks, amendments to rule 10b5-1, share repurchases and cybersecurity—and has identified four more that are in the works. He focused on four key issues: determining purpose, the need for re-proposals, scaling disclosure and considering rulemaking costs and burdens on a cumulative basis. As you might guess, Uyeda had some thoughtful criticisms of the rulemaking process and offered some potential remedies.
Corp Fin has announced a new intake system for requests from companies for no-action positions from the staff regarding companies’ intentions to exclude shareholder proposals under Rule 14a-8. In the announcement, Corp Fin indicates that Rule 14a-8 submissions and related correspondence must now be submitted using Corp Fin’s online shareholder proposal form, available at https://www.sec.gov/forms/shareholder-proposal, and that emailed materials will no longer be accepted. The announcement—and the form itself—emphasize that staff responses to these requests are only “informal, non-binding staff views” regarding exclusion of shareholder proposals.
In August 2021, the SEC filed a complaint in the U.S. District Court charging Matthew Panuwat, a former employee of Medivation Inc., an oncology-focused biopharma, with insider trading in advance of Medivation’s announcement that it would be acquired by a big pharma company. But it wasn’t your average run-of-the-mill insider trading case. Panuwat didn’t trade in shares of Medivation or shares of the acquiror, nor did he tip anyone about the transaction. No, according to the SEC, he engaged in what has been referred to as “shadow trading”; he used the information about his employer’s acquisition to purchase call options on another biopharma, which the SEC claimed was comparable to Medivation. (See this PubCo post.) Since then, we’ve seen the usual moves on the chess board (discussed briefly below). But what’s particularly interesting, as Alison Frankel pointed out in Reuters, is the amicus brief filed by the Investor Choice Advocates Network, a self-described “nonprofit, public interest organization focused on expanding access to markets by underrepresented investors and entrepreneurs.” In its brief, ICAN contended that the SEC’s invocation of the novel “shadow-trading” theory made this a “major questions” case—a judicial torpedo that we might begin to see fired with some regularity.
In August, the SEC posted a proposed Nasdaq rule change that would establish listing standards related to notification and disclosure of reverse stock splits. According to the Nasdaq proposal, the volume of reverse splits processed by Nasdaq has increased substantially from 94 in 2020, 31 in 2021and 196 in 2022 to 164 reverse splits—just as of June 23, 2023. In most cases, Nasdaq observed, the purpose of the reverse splits was to comply with Nasdaq’s $1 minimum bid price requirement to remain on the Capital Market tier. In light of this increased volume, Nasdaq proposed amendments to its listing rules to “enhance the ability for market participants to accurately process these events, and thereby maintain fair and orderly markets.” Failure to comply could result in a trading halt. Last week, the SEC approved the proposed rule change. It’s worth noting that, as a corollary to the new reverse split listing standards, Nasdaq has also submitted to the SEC a separate rule proposal to adopt a new regulatory halt procedure specific to securities in the process of a reverse split.
You remember the 2020 SolarWinds hack, perhaps one of the worst cyberattacks in history? As NPR described it in 2021, we all regularly receive routine software updates like this one:
“‘This release includes bug fixes, increased stability and performance improvements’…. Last spring, a Texas-based company called SolarWinds made one such software update available to its customers. It was supposed to provide the regular fare—bug fixes, performance enhancements—to the company’s popular network management system, a software program called Orion that keeps a watchful eye on all the various components in a company’s network. Customers simply had to log into the company’s software development website, type a password and then wait for the update to land seamlessly onto their servers. The routine update, it turns out, is no longer so routine. Hackers believed to be directed by the Russian intelligence service, the SVR, used that routine software update to slip malicious code into Orion’s software and then used it as a vehicle for a massive cyberattack against America. ‘Eighteen thousand [customers] was our best estimate of who may have downloaded the code between March and June of 2020,’”
according to the Company’s CEO. And not just any customers—the Company determined that many very well-known companies and about a dozen government agencies were compromised, including the Treasury, Justice and Energy departments, the Pentagon and, ironically, the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security. On Monday, the SEC announced that it had filed a complaint against SolarWinds and its Chief Information Security Officer, Timothy G. Brown, charging ‘fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.” In the complaint, the SEC charges that “SolarWinds’ public statements about its cybersecurity practices and risks painted a starkly different picture from internal discussions and assessments about the Company’s cybersecurity policy violations, vulnerabilities, and cyberattacks.” According to Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, the SEC’s enforcement action “underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”
In his introduction to a conversation late last week with SEC Chair Gary Gensler on “Climate Disclosure Developments: The SEC, California, and EU Extraterritoriality,” the President and CEO of the U.S. Chamber of Commerce’s Center for Capital Markets, observed that, although companies have voluntarily responded to investors by increasingly disclosing information on climate, now policymakers in different states and across the globe are working to impose a plethora of mandatory reporting requirements for climate disclosure. The thing is, they’re not consistent. While the Chamber supported disclosure of material climate information, he cautioned that the actions by these policymakers have created a real risk that companies will face duplicate, differing, overlapping and even conflicting requirements. The SEC’s proposal to enhance standardization of climate disclosure might offer some real relief on that score, and that makes it all the more important, he said, for the SEC to act within its authority. The potential for public companies to become ensnared in this labyrinth of overlapping and conflicting regulation was the apparent subject of this conversation. In the end, however, Gensler’s steady focus was on the remit of the SEC under U.S. law. Risks to issuers arising out of inconsistency with California and the EU—well, not so much.
As discussed in this PubCo post, on October 18, a three-judge panel of the Fifth Circuit denied the petitions filed by the Alliance for Fair Board Recruitment and the National Center for Public Policy Research challenging the SEC’s final order approving the Nasdaq listing rules regarding board diversity and disclosure. The new listing rules adopted a “comply or explain” mandate for board diversity for most listed companies and required companies listed on Nasdaq’s U.S. exchange to publicly disclose “consistent, transparent diversity statistics” regarding the composition of their boards. (See this PubCo post.) Given that, by repute, the Fifth Circuit is the circuit of choice for advocates of conservative causes, the decision to deny the petition may have taken some by surprise—unless, that is, they were aware, as discussed in the WSJ and Reuters, that the three judges on this panel happened to all be appointed by Democrats. Yesterday, the Petitioners filed a petition requesting a rehearing en banc by the Fifth Circuit, where Republican presidents have appointed 12 of the 16 active judges. Not that politics has anything to do with it, of course.
As you know, the SEC has proposed a sweeping set of regulations for disclosure on climate (see this PubCo post, this PubCo post and this PubCo post), and we anxiously wait to see what the final rules have in store (obviously not happening in October as the SEC had previously targeted). One controversial part of that proposal draws on the Greenhouse Gas Protocol, requiring disclosure of a company’s Scopes 1 and 2 greenhouse gas emissions, and, for larger companies, Scope 3 GHG emissions if material (or included in the company’s emissions reduction target), with a phased-in attestation requirement for Scopes 1 and 2 data for large accelerated filers and accelerated filers. There haven’t been many complaints about the Scope 1 and Scope 2 requirements, but Scope 3 is another matter. According to the SEC, some commenters indicated that, for many companies, Scope 3 emissions represent a large proportion of overall GHG emissions, and therefore, could be material. However, those emissions result from the activities of third parties in the company’s “value chain,” making collection of the data much more difficult and much less reliable. In two articles published in the Harvard Business Review—“Accounting for Climate Change” and “We Need Better Carbon Accounting. Here’s How to Get There”—Robert Kaplan and Karthik Ramanna from Harvard Business School and the University of Oxford, respectively, propose another idea—the E-liability accounting system. The GHG protocol is, at this point, deeply embedded. Would the E-liability system work? Should the SEC or other regulators make room for a different concept?