Cooley Alert: Federal Court Dismisses Bulk of SEC’s Complaint Against SolarWinds in Cyberattack Case

The 2020 SolarWinds hack was perhaps one of the worst cyberattacks in history, reportedly directed by the Russian intelligence service and affecting 18,000 customers, including some very well-known companies and about a dozen government agencies including the Treasury, Justice and Energy departments. Following the cyberattack, the SEC filed a complaint against SolarWinds and its Chief Information Security Officer, charging securities “fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.” (See this PubCo post.) SolarWinds and Brown then moved to dismiss the complaint for failure to state a claim. On July 18, 2024, a federal district court issued a 107-page opinion, dismissing most of the SEC’s case against SolarWinds and its CISO.

In Ohio v. EPA, SCOTUS reinforces powerful role of judiciary in agency oversight

As has been widely discussed, the administrative state took quite a shellacking this last SCOTUS term. But as I noted earlier, it wasn’t just the elimination of Chevron deference in Loper Bright (see this PubCo post) or administrative enforcement proceedings seeking civil penalties in SEC v. Jarkesy (see this PubCo post). There were at least a couple of other cases this term that contributed to the drubbing. One of them, Corner Post, Inc. v. Board of Governors of the Federal Reserve System, had the effect of extending the statute of limitations under the Administrative Procedure Act (see this PubCo post). Another case, Ohio v. EPA, in which SCOTUS put a temporary hold on the “good neighbor” provision of the Clean Air Act because EPA failed to “reasonably explain” its action, might also be worth your attention. In Ohio, Justice Neil Gorsuch, writing for the majority, concluded that enforcement of EPA’s rule should be stayed because the challengers were likely to prevail on the merits. Why? Because EPA had provided an inadequate explanation for the continued application of the emission control measures in the plan in response to comments. Where have we heard this “failure-to-explain” theory recently? How about Chamber of Commerce of the USA v. SEC, vacating the SEC’s share repurchase rule for, among other things, failure to respond to petitioners’ comments (see this PubCo post) or even National Association of Manufacturers v. SEC, vacating the 2022 rescission of certain proxy advisor rules for arbitrarily and capriciously failing to provide an adequate explanation to justify its change (see this PubCo post).
Justice Amy Coney Barrett dissented, joined by Justices Sonia Sotomayor, Elena Kagan and Ketanji Brown Jackson, contending that the majority opinion “risks the ‘sort of unwarranted judicial examination of perceived procedural shortcomings’ that might ‘seriously interfere with that process prescribed by Congress.’” As characterized by Professor Nicholas Bagley of the University of Michigan Law School in Michigan Law, in its “broad strokes,” the dissent asserted that “courts shouldn’t be in the business of fly-specking lengthy notice-and-comment records,” especially with the benefit of hindsight. The question, he continued, “is whether the agency has behaved arbitrarily and capriciously, and that’s a pretty demanding standard.” With this decision, SCOTUS amplifies the increasingly powerful role of the judiciary in overseeing federal agencies, adding to the decisions this term seeking to rein in the administrative state.

New Cooley Alert: SEC Reporting Implications for Publicly Traded Companies Impacted by CrowdStrike Defective Software Update

As you know, the recent CrowdStrike defective software update caused massive and, in some cases, systemic failures to computers and networks of CrowdStrike’s customers running certain Microsoft operating systems. If your company was affected by the CrowdStrike server-related outages, you will certainly want to review this new Cooley Alert, SEC Reporting Implications for Publicly Traded Companies Impacted by CrowdStrike Defective Software Update from our Cyber/Data/Privacy and our Public Companies Groups.

Are the floodgates about to open after the demise of Chevron deference?

Utah v. Julie A. Su, a new opinion from the Fifth Circuit, concerns an appeal of the “weighty question”—post Chevron—of whether, as phrased by the Court, “ERISA allow[s] retirement plan managers to consider factors that are not material to financial performance when making investment decisions affecting workers’ retirement savings.” Can ERISA fiduciaries “consider ‘collateral benefits’ when making investment decisions on behalf of the pension plans they manage”? In 2021, the Department of Labor adopted a new rule that interpreted ERISA to allow retirement plan managers to consider “‘the economic effects of climate change and other environmental, social, or governance factors’ in the event that competing investment options ‘equally serve the financial interests of the plan.’” That rule had effectively reversed a “midnight regulation” adopted by the prior Administration that “forbade ERISA fiduciaries from considering ‘non-pecuniary’ factors when making investment decisions.” The new rule was immediately challenged by a group of states, companies and trade associations, claiming that the new rule was inconsistent with ERISA and arbitrary and capricious under the Administrative Procedure Act. The district court, following the mandate of Chevron, deferred to the interpretation of the current DOL and rejected the challenge. Plaintiffs appealed. And then…… SCOTUS overruled Chevron. In a new decision, a three-judge panel of the Fifth Circuit has elected not to answer that weighty question on appeal—not now at least: “Given the upended legal landscape, and our status as a court of review, not first view, we vacate and remand so that the district court can reassess the merits.” Are we about to see a slew of these types of decisions revisiting agency regulations after the demise of Chevron? Time will tell.

In Corner Post, SCOTUS takes another swipe at the administrative state

This term, SCOTUS delivered two big wallops to the administrative state in the decisions eliminating Chevron deference (Loper Bright Enterprises v. Raimondo and Relentless, Inc. v. Dept of Commerce, see this PubCo post) and the use of administrative enforcement proceedings seeking civil penalties (SEC v. Jarkesy, see this PubCo post). But that wasn’t all. There were at least a couple of other cases this term that reflected the same kind of skepticism toward the administrative state. They might be worth your attention. One of them, Corner Post, Inc. v. Board of Governors of the Federal Reserve System, discussed below, concerned the statute of limitations under the Administrative Procedure Act. For our purposes, though, the potentially critical repercussion of Corner Post was articulated in the dissent by Justice Ketanji Brown Jackson, who argued that the case effectively decimated the limitations period for facial challenges to agency regulations, setting up the potential for a never-ending series of challenges to long-standing regulations and perhaps even, yes, gaming of the system.

Nasdaq toughens up suspension and delisting process for SPACs

Nasdaq has just filed a proposal, Notice of Filing and Immediate Effectiveness of Proposed Rule Change to Amend Certain Procedures Related to the Suspension and Delisting of Acquisition Companies, designed to address the suspension and delisting process applicable to Acquisition Companies, companies such as SPACs with business plans to complete one or more acquisitions, as described in Rule IM-5101-2. The rule changes would apply to an Acquisition Company that “fails to (i) complete one or more business combinations satisfying the requirements set forth in Listing Rule IM-5101-2(b) (“Business Combination”) within 36 months of the effectiveness of its IPO registration statement; or (ii) meet the requirements for initial listing following the Business Combination.” The proposal would also “limit the Hearings Panels authority to review the Nasdaq Staff’s decision in these instances to a review for factual error only.” Nasdaq also proposes to clarify Listing Rule 5810(c)(1) (with no substantive change) to improve transparency and readability.  The rule changes will be operative for Staff Delisting Determination letters issued on or after October 7, 2024.

Is a delay in the cards for California’s climate accountability laws? [SideBar updated 7/27]

You might recall that, in 2023, California Governor Gavin Newsom signed into law two bills related to climate disclosure: Senate Bill 253, the Climate Corporate Data Accountability Act, and SB261, Greenhouse gases: climate-related financial risk. SB 253 mandates disclosure of GHG emissions data—Scopes 1, 2 and 3—by all U.S. business entities (public or private) with total annual revenues in excess of a billion dollars that “do business in California.” SB 253 has been estimated to apply to about 5,300 companies. SB 253 requires disclosure regarding Scopes 1 and 2 GHG emissions beginning in 2026, with Scope 3 (upstream and downstream emissions in a company’s value chain) disclosure in 2027. SB 261, with a lower reporting threshold of total annual revenues in excess of $500 million, requires subject companies to prepare reports disclosing their climate-related financial risk in accordance with the TCFD framework and describing their measures adopted to reduce and adapt to that risk. SB 261 has been estimated to apply to over 10,000 companies. SB 261 requires that preparation and public posting on the company’s own website commence on or before January 1, 2026, and continue biennially thereafter. Notably, the laws exceed the requirements of the SEC’s climate disclosure regulations because, among other things, one of the laws covers Scope 3 emissions, and they both apply to both public and private companies that meet the applicable size tests. (For more information about these two laws, see this PubCo post.) Interestingly, even when Newsom signed the bills, he raised a number of questions. (See this PubCo post.) Specifically, on SB 253, Newsom said “the implementation deadlines in this bill are likely infeasible, and the reporting protocol specified could result in inconsistent reporting across businesses subject to the measure. I am directing my Administration to work with the bill’s author and the Legislature next year to address these issues. 
Additionally, I am concerned about the overall financial impact of this bill on businesses, so I am instructing CARB to closely monitor the cost impact as it implements this new bill and to make recommendations to streamline the program.” Similarly, on SB261, Newsom said that “the implementation deadlines fall short in providing the California Air Resources Board (CARB) with sufficient time to adequately carry out the requirements in this bill,” and made a similar comment about the overall financial impact of the bill on businesses. So it was fairly predictable that something of a do-over was in the cards. Now, as reported here and here by Politico, Newsom has proposed a delay in the compliance dates for each bill until 2028. A spokesperson for Newsom “said the proposal ‘addresses concerns’ about cost, timeline and the ‘entirely new and significant workload for the state and the entities covered by these new requirements.’”

Would “reframing” ESG restore its appeal?

In this Comment from a Reuters magazine, the author attempts to rescue the underlying environmental, social and governance principles from the often disparaged term, “ESG.” ESG, he observes, was “[o]riginally conceived as a financial tool to frame how corporations disclose their impact and investment,” but has now become a term that is “fraught with debate, lacks a clear definition and is often misunderstood.” However, he contends, people actually associate many of the values and concepts underlying ESG with business success.  Perhaps the term should be retired, he suggests, in favor of something less freighted.  “Responsible business” might do the trick—especially “responsible business” that correlates with positive corporate performance.

SEC’s Spring 2024 agenda delays most actions until 2025

As reported by Bloomberglaw.com, during an interview in February on “Balance of Power” on Bloomberg Television, SEC Chair Gary Gensler said that he does not intend to “rush” the SEC’s agenda “to get ahead of possible political changes in Washington,” that is, in anticipation of the November elections. According to Bloomberg, Gensler insisted that he’s “‘not doing this against the clock….It’s about getting it right and allowing staff to work their part.’” The SEC has just posted the new Spring 2024 Agenda and, looking at the target dates indicated on the agenda, it appears that Gensler is a man true to his word. The only new item (relevant to our interests here) slated for possible adoption this year is a distinctly apolitical proposal about EDGAR Filer Access and Account Management. And, while a few proposals are targeted for launch (or relaunch) this year—two related to financial institutions and, notably, a proposal for human capital disclosure—most are also put off until April next year—post-election, that is, when the agenda might look entirely different. (Of course, the SEC sometimes acts well in advance of the target.) According to the SEC’s preamble, the items listed in the Regulatory Flexibility Agenda for Spring 2024 “reflect only the priorities of the Chair.”  In addition, information on the agenda was accurate as of May 1, 2024, the date on which the SEC staff completed compilation of the data.  In his statement on the agenda, Gensler said that “[i]n every generation since the SEC’s founding 90 years ago, our Commission has updated rules to meet the markets and technologies of the times. We work to promote the efficiency, integrity, and resiliency of the markets. We do so to ensure the markets work for investors and issuers alike, not the other way around. We benefit in all of our work from robust public input regarding proposed rule changes.”

In SEC v. Jarkesy, SCOTUS puts kibosh on administrative enforcement proceedings for civil penalties

Near the end of its term, SCOTUS decided SEC v. Jarkesy, the case challenging the constitutionality of the SEC’s administrative enforcement proceedings. There were three questions presented, and Jarkesy had been successful in the appellate court on all three:

“Whether statutory provisions that empower the Securities and Exchange Commission (SEC) to initiate and adjudicate administrative enforcement proceedings seeking civil penalties violate the Seventh Amendment.   

Whether statutory provisions that authorize the SEC to choose to enforce the securities laws through an agency adjudication instead of filing a district court action violate the nondelegation doctrine.   

Whether Congress violated Article II by granting for-cause removal protection to administrative law judges in agencies whose heads enjoy for-cause removal protection.”

Had SCOTUS broadly decided that the statute granting authority to the SEC to elect to use ALJs violated the nondelegation doctrine, the case had the potential to be enormously significant in limiting the power of the SEC and other federal agencies beyond the question of ALJs. After all, Jarkesy had contended that, in adopting the provision in Dodd-Frank permitting the use of ALJs but by providing no guidance on the issue, “Congress has delegated to the SEC what would be legislative power absent a guiding intelligible principle” in violation of that doctrine. A column in the NYT discussing Jarkesy explained that, if “embraced in its entirety, the nondelegation doctrine could spell the end of agency power as we know it, turning the clock back to before the New Deal.” And in Bloomberg, Matt Levine wrote that “a total victory on the nondelegation argument…could mean that all of the SEC’s rulemaking (and every other regulatory agency’s rulemaking) is suspect, that every policy decision that the SEC makes is unconstitutional. Much of U.S. securities law would need to be thrown out, or perhaps rewritten by Congress if they ever got around to it. Stuff like the SEC’s climate rules would be dead forever.” (For a discussion of the nondelegation doctrine, see the SideBar in this PubCo post.) But that didn’t happen. During oral argument, the Justices did not even give lip service to the nondelegation question—the discussion was instead focused almost entirely on the question of whether the SEC’s use of an ALJ deprived Jarkesy of his Seventh Amendment right to a jury trial (see this PubCo post). In its decision, the majority held that, in the SEC’s action seeking civil penalties against Jarkesy for securities fraud, Jarkesy was entitled to a jury trial under the Seventh Amendment.
And, “[s]ince the answer to the jury trial question resolve[d] this case,” SCOTUS did “not reach the nondelegation or removal issues.” Nevertheless, it was yet another strike against the administrative state.