Ransomware attack—SEC charges misleading disclosures and disclosure control failure—again!
Last week, the SEC announced settled charges against Blackbaud, Inc., a provider of donor data management software to non-profit organizations, for misleading disclosures and disclosure control failures. According to the SEC, in May 2020, employees at the company discovered evidence of a ransomware attack. After an investigation, the company announced the incident and advised affected customers—specifying that sensitive donor data was not involved. But just a couple of weeks later, the SEC alleged, company personnel learned that the attacker had, in fact, accessed sensitive donor data for a number of customers—including bank account and social security numbers. But—you guessed it—it’s disclosure controls again! The personnel with knowledge of the scope of the breach “did not communicate this to Blackbaud’s senior management responsible for disclosures, and the company did not have policies or procedures in place designed to ensure they do so.” As a result, the SEC claimed, the company filed a Form 10-Q that still omitted mention of the exfiltration of sensitive donor data and framed its cybersecurity risk factor disclosure as purely hypothetical. The SEC viewed Blackbaud’s disclosure as misleading and its disclosure controls as inadequate and imposed a civil penalty of $3 million. According to the Chief of SEC Enforcement’s Crypto Assets and Cyber Unit, “Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous….Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.”
SEC posts NYSE and Nasdaq proposals for clawback listing standards
It was just November last year when the SEC finally adopted rules to implement Section 954 of Dodd-Frank, the clawback provision. (Remember that Dodd-Frank dates to 2010 and the clawback rules were initially proposed by the SEC back in 2015.) The new rules directed the national securities exchanges to establish listing standards requiring listed issuers to adopt and comply with clawback policies and to provide disclosure about their policies and implementation. Under the rules, the clawback policy must provide that, in the event the listed issuer is required to prepare an accounting restatement—including a “little r” restatement—the issuer must recover the incentive-based compensation that was erroneously paid to its current or former executive officers based on the misstated financial reporting measure. (See this PubCo post.) The final rules required any covered exchanges to file proposed listing standards with the SEC no later than February 27, with the listing standards to be effective no later than one year after publication. On Tuesday, the SEC posted the listing standards proposed by Nasdaq and by the NYSE. They’re largely the same, with some differences, both tracking the SEC requirements closely. Both proposals are open for comment until 21 days after publication in the Federal Register.
Commissioner Uyeda’s prescription for addressing decline in number of public companies
The public/private company dichotomy has been a perennial discussion topic. (See, e.g., this PubCo post, this PubCo post, this PubCo post, this PubCo post and this PubCo post.) A statistic frequently tossed around is that there are about half as many public companies today as there were in 1996, and those that are around today are older and larger. And while the IPO market was in a bit of funk last year, the private markets have been viewed as consistently vibrant, with more capital raised in the private markets than in the public. But the question of why and how to address the decline in the number of public companies has been a point of contention: is excessive regulation of public companies a deterrent to going public or has deregulation of the private markets juiced their appeal, but sacrificed investor protection in the bargain? At the end of January, we heard from SEC Commissioner Caroline Crenshaw addressing the question of whether the securities laws governing private capital raises might be too lax. Now, SEC Commissioner Mark Uyeda is speaking his mind on the topic, presenting remarks at the at the “Going Public in the 2020s” conference at Columbia Law School.
DOJ and SEC bring charges for insider trading and fraudulent scheme using purported 10b5-1 plans
Government officials, especially those in SEC Enforcement, have been making noise about the potential for insider trading abuse of Rule 10b5-1 plans since at least 2007, when then-SEC Enforcement Chief Linda Thomsen expressed concern that “executives are taking advantage of a legal safe harbor to sell their stock and profit before their companies report bad news….[A]cademic studies suggest that the rule may be a cover for improper activity, Thomsen said. ‘We’re looking at this hard….If executives are in fact trading on inside information and using a plan for cover, they should expect the ‘safe harbor’ to provide no defense.’” (See this Cooley News Brief.) Now, in 2023, DOJ has unsealed an indictment against Terren Peizer, the executive chair of Ontrak, Inc., representing the first time, according to the press release, that DOJ has brought “criminal insider trading charges based exclusively on an executive’s use of 10b5-1 trading plans.” (Note, however, that the SEC did bring a case last year against executives of Cheetah Mobile related to sales under a purported 10b5-1 trading plan entered into while in possession of material nonpublic information. See this PubCo post.) DOJ charged that Peizer entered into a fraudulent scheme using 10b5-1 plans and engaged in insider trading, both of which charges carry stiff criminal penalties. DOJ said that the FBI is continuing to investigate this case. Not to be completely outdone—although it’s hard not to be outdone by the threat of serious jail time—the SEC has also filed a civil complaint against Peizer, charging that he engaged in insider trading in Ontrak shares using 10b5-1 plans as part of a scheme to evade insider trading prohibitions: when Peizer entered into the plans, the SEC alleged, he was aware of material nonpublic information about the company. As you probably know, to be effective in insulating an insider from potential insider trading liability, the 10b5-1 plan must be established when the insider is acting in good faith and not aware of MNPI. Creating the plan once the insider has learned of MNPI, as alleged in this case, would seem to defeat the whole purpose of the rule—to ensure an even playing field for all investors. The SEC alleged that Peizer sold more than $20 million of Ontrak stock, avoiding more than $12.7 million in losses. At the end of last year, Bloomberg reported that the SEC and DOJ were using data analytics “in a sweeping examination of preplanned equity sales by C-suite officials.” (See this PubCo post.) That effort appears to have paid off in this case; DOJ advises that this investigation was “part of a data-driven initiative led by the Fraud Section to identify executive abuses of 10b5-1 trading plans,” suggesting perhaps that this may not be the last prosecution we will see for abuse of 10b5-1 plans.
Be on the alert for California’s Climate Corporate Data Accountability bill
If you’re waiting with bated breath to find out what the SEC has in store for public companies in its final version of its climate disclosure regulations (see this PubCo post, this PubCo post and this PubCo post), you might also want to take a look at this California bill—the Climate Corporate Data Accountability Act (SB 253)—previously known as the Climate Corporate Accountability Act when it went belly up last year after sailing through one chamber of the legislature but coming up shy in the second (see this PubCo post). In fact, this year, the press release announces, the bill is part of California’s Climate Accountability Package, a “suite of bills that work together to improve transparency, standardize disclosures, align public investments with climate goals, and raise the bar on corporate action to address the climate crisis. At a time when rising anti-science sentiment is driving strong pushback against responsible business practices like risk disclosure and ESG investing,” the press release continues, “these bills leverage the power of California’s market to continue the state’s long tradition of setting the gold standard on environmental protection for the nation and the world.” If signed into law this time, the bill, which was introduced at the end of January and has a hearing scheduled in March, would mandate disclosure of GHG emissions data—Scopes 1, 2 and 3—by all U.S. business entities with total annual revenues in excess of a billion dollars that “do business in California.” The bill’s mandate would exceed, in several key respects, the requirements in the current SEC climate proposal. Whether this new bill will face the same fate as its predecessor remains to be seen.
ISS study finds percentage of racial/ethnic minority directors finally hits 20% mark
A study of companies in the Russell 3000 just released by ISS showed that, for the first time, directors who self-identified as racial and ethnic minorities accounted for 20% of all board directorships. The study found that each of the minority groups analyzed experienced growth in the percentage of director seats held, with the greatest growth (90% over the study period) occurring among African-American directors, who now hold 8.3% of all board seats in the study group. According to the Head of ISS Corporate Solutions, these percentages “represent a watershed moment for minority corporate directors broadly and Black directors in particular….The analysis shows the impact of increasing and continual institutional investor engagement with portfolio companies on matters around board diversity coupled with growing stakeholder pressure from various quarters over the past two years.” Still, as she told Reuters, “[w]hile this is a huge sea change in terms of the percentages, it still falls short of the ethnic breakdown of the U.S. population….It’s a watershed moment but probably not something to pat ourselves on the back too much about.”
SEC brings settled charges against Roadrunner—no, not the cartoon character—for accounting fraud
Here’s another earnings management case from SEC Enforcement, this time against Roadrunner Transportation Systems, Inc., a shipping and logistics company formerly traded on the NYSE, involving a veritable pu pu platter of alleged financial manipulations. As charged in the SEC’s Order, from July 2013 through January 2017, the company engaged in an “accounting fraud scheme by manipulating its financial reports to hit prior earnings guidance and analyst projections.” Among other things, Roadrunner was alleged to have improperly deferred and stretched out expenses over multiple quarters to minimize their impact on earnings, failed to write down worthless assets and uncollectable receivables, and manipulated earnout liabilities related to its numerous acquisitions. The company agreed to pay disgorgement of just over $7 million, with prejudgment interest of approximately $2.5 million—except that the company paid nothing additional: the penalties were deemed satisfied by the settlement payment the company made in connection with prior private securities litigation.
DOJ announces nationwide voluntary self-disclosure policy
On Wednesday, the DOJ announced a new Voluntary Self-Disclosure Policy, which sets out the criteria for determining when a company is deemed to have made a voluntary self-disclosure of misconduct to a US Attorney’s Office and how the company might benefit from a “resolution under more favorable terms.” According to the press release, the policy is intended to provide “transparency and predictability to companies and the defense bar concerning the concrete benefits and potential outcomes in cases where companies voluntarily self-disclose misconduct, fully cooperate, and timely and appropriately remediate. The goal of the policy is to standardize how VSDs are defined and credited by USAOs nationwide, and to incentivize companies to maintain effective compliance programs capable of identifying misconduct, expeditiously and voluntarily disclose and remediate misconduct, and cooperate fully with the government in corporate criminal investigations.”
Extra hours to file Form 144—should the deadline be extended for all filings, Uyeda asks?
A couple of days ago, the SEC amended Reg S-T to extend the filing deadline for Form 144 from 5:30 p.m. to 10:00 p.m. Eastern Time. You may remember that, in June last year, the SEC adopted amendments to require electronic submission of several forms that could then be submitted on paper, including, for reporting companies, Form 144 (beginning April 13, 2023). (See this PubCo post.) Form 144 was then transformed into an online fillable document, similar to Form 4, designed to facilitate electronic filing and to be machine-readable and available for automated and efficient analysis. Prior to this week’s amendment to Reg S-T, a Form 144 submitted by direct transmission after 5:30 p.m. was deemed filed the next business day. Under the new amendments, effective March 20, a “Form 144 that otherwise complies with applicable filing requirements that is submitted by direct transmission after 5:30 p.m., but no later than 10:00 p.m., will be deemed filed the same business day.”
Did the SEC’s rule changes succeed in transforming the risk factors section? What about climate risk?
Remember back in 2020, when the SEC adopted major amendments to Reg S-K designed to modernize the descriptions of business, legal proceedings and risk factors? You might recall that the SEC had long grumbled about “the lengthy and generic nature of the risk factor disclosure presented by many registrants”; to address that concern, the SEC instituted a number of requirements and “incentives” to encourage companies to be, um, more succinct. (See this PubCo post.) Among these changes were a new requirement to include a risk factor summary if the risk factor section exceeded 15 pages and changing the disclosure standard from “most significant” factors to “material” factors. In addition, because the SEC considered untailored, generic risks to be less informative and to contribute to increased length, it sought to discourage their use by requiring companies to organize the risk factors under relevant headings, with generic risk factors located at the end under a separate caption, “General Risk Factors.” So how’d that go? Did the rule changes achieve their purpose? Apparently, not so much—at least not at the largest public companies—according to this paper, published on the Harvard Law School Forum on Corporate Governance, from a group of authors from Deloitte and the USC Marshall School of Business. The authors also drilled down more specifically on risk factors related to climate change, where the increase in prevalence was dramatic (and probably also contributed to the increased length of risk factor sections in general).
You must be logged in to post a comment.