Tag: disclosure controls and procedures

SEC charges Becton Dickinson with misleading investors about regulatory risks and product sales

The SEC has announced settled charges against Becton, Dickinson and Company, a medical device manufacturer known as BD listed on the NYSE, for “repeatedly misleading investors about risks associated with its continued sales of its Alaris infusion pump and for overstating its income by failing to record the costs of fixing multiple software flaws with the pump.”  In essence, the company failed to disclose that it needed, but did not have, FDA clearance for certain changes to the software for its Alaris product, sales of which contributed about 10% of BD’s profits.  Without those changes, the product was potentially harmful to patients. “Rather than inform investors that these issues heightened the risk that the FDA would limit BD’s ability to continue selling Alaris,” the SEC charged, “BD made misleading statements in its periodic reports about its regulatory risks.” BD agreed to pay a $175 million civil penalty. Companies in the life sciences should take note that this is yet another recent Enforcement action aimed at a life science company’s alleged misleading statements, including hypothetical or generic risks, regarding regulatory (FDA) status; in charges announced earlier this month against Kiromic BioPharma, the SEC alleged that Kiromic had failed to disclose that the FDA had placed both of its INDs on clinical hold. (See this PubCo post.) According to Sanjay Wadhwa, Acting Director of SEC Enforcement, “BD repeatedly painted a misleading picture of its Alaris infusion pump for investors and then doubled down by keeping them in the dark when the device’s issues came to a head with the FDA in late 2019….Public companies have a fundamental duty to accurately disclose material business risks and should expect to be held accountable when they fall short in that regard.”

SEC charges biopharma with misleading investors about status of INDs

The SEC has announced that it filed settled charges against Kiromic BioPharma and two of its executives for alleged failure to disclose in its public statements and filings, including in its public offering prospectus, material information about its investigational new drug applications filed with the FDA for two of its drug candidates—the only two product candidates in the company’s pipeline.  What was that omitted information?  That the FDA had placed both of its INDs on clinical hold, meaning that the proposed clinical investigations could not proceed until the company first corrected the deficiencies cited by the FDA. Instead of disclosing in its prospectus that the INDs had actually been placed on clinical hold, the company included a risk factor describing the “hypothetical risk of a clinical hold and the potential negative consequences” on the company’s business.  In light of the company’s voluntary self-reporting, remediation and other proactive cooperation, there was no civil penalty for the company, but two executives, the then-CEO and then-CFO, agreed to pay civil penalties of $125,000 and $20,000. According to the Director of the SEC’s Fort Worth Regional Office, the resolution of these cases strikes “the right balance between holding Kiromic’s then-two most senior officers responsible for Kiromic’s disclosure failures while also crediting Kiromic for its voluntary self-report, remediation, proactively instituting remedial measures, and providing meaningful cooperation to the staff.”

SEC charges UPS with failure to take goodwill impairment charge required by GAAP

Last week, the SEC announced settled charges against United Parcel Service Inc. for failing to take an appropriate goodwill impairment charge for a poorly performing business unit, thus materially misrepresenting its earnings. As alleged by the SEC, instead of calculating the write-down based on the price UPS expected to receive to sell its Freight business unit—as required under GAAP—UPS relied on a valuation prepared by an outside consultant, but “without giving the consultant information necessary to conduct a fair valuation of the business.” According to the Associate Director of Enforcement, “[g]oodwill balances provide investors with valuable insight into whether companies are successfully operating the businesses they own….Therefore, it is essential for companies to prepare reliable fair value estimates and impair goodwill when required. UPS fell short of these obligations, repeatedly ignoring its own well-founded sale price estimates for Freight in favor of unreliable third-party valuations.” UPS was charged with making material misrepresentations in its reporting, as well as violations of the books and records, internal accounting controls, and disclosure controls provisions of the Exchange Act and related rules. UPS agreed to adopt training requirements for certain officers, directors and employees, retain an independent compliance consultant and pay a $45 million civil penalty.

Just in time for Thanksgiving, SEC charges Elanco with undisclosed stuffing—channel stuffing, that is

In this settled action,  In the Matter of Elanco Animal Health, Inc., Elanco, a manufacturer and seller of animal health products, such as flea and tick medications, was charged with “failure to disclose material information concerning its sales practices that rendered statements it made about its revenue growth misleading.” As alleged by the SEC, “Elanco would entice distributors to make end-of-quarter purchases in excess of then-existing customer demand by offering them incentives such as rebates and extended payment terms. These incentives allowed Elanco to improve its revenue each quarter, but caused distributors to purchase products ahead of end-user demand. Without these Incentivized Sales, Elanco would have missed its internal revenue and core growth targets in each quarter in 2019.” Essentially, we’re talking here about channel stuffing. As the practice continued, it contributed over the period to “channel inventory increasing by over $100 million in gross value…during 2019, creating a build-up of excess inventory at distributors and a reasonably likely risk of a decrease in revenue and revenue growth in future periods. But, for each quarter during the Relevant Period, Elanco failed to disclose the significant impact of its Quarter-End Incentivized Sales and the reasonably likely risk that these sales practices could have a negative impact on revenue in future quarters.” The SEC charged that these disclosure failures rendered the positive statements that Elanco made about revenue materially misleading. And let’s not forget the disclosure controls violations. In settling the action, Elanco agreed to pay a civil money penalty of $15 million.

PLI panel offers hot tips on accounting and auditing issues

At the PLI Securities Regulation Institute last week, the accounting and auditing update panel provided some useful insights—especially for non-accountants. The panel covered the new requirements for segment reporting, the intensified focus on controls, PCAOB activities (including NOCLAR) and errors and materiality.  Below are some takeaways. 

SEC Enforcement mini-sweep charges hypothetical risk factors and other misleading cyber disclosures

On Tuesday, the SEC announced settled charges against four companies for “making materially misleading disclosures regarding cybersecurity risks and intrusions.” The charges against the companies, Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd and Mimecast Limited, all resulted from an investigation of companies “potentially impacted by the compromise of SolarWinds’ Orion software and by other related activity.” (See this PubCo post and this PubCo post.) According to law.com, the SEC “began issuing sweep letters to potential SolarWinds hack victims back in 2021.” The SEC charged that each of these companies learned that the “threat actor” that was probably the cause of the SolarWinds hack had “accessed their systems without authorization, but each negligently minimized its cybersecurity incident in its public disclosures.” In two instances, the companies were alleged to have framed their disclosures as hypothetical or generic risks. Unisys was also charged with a disclosure controls violation. According to Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement, “[a]s today’s enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered….Here, the SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents.” Jorge G. Tenreiro, Acting Chief of the Crypto Assets and Cyber Unit, cautioned that “[d]ownplaying the extent of a material cybersecurity breach is a bad strategy….In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned of risks had already materialized. The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures.” The companies were each charged with violations of the Securities Act, the Exchange Act and related rules, and agreed to pay civil penalties ranging from $990,000 (Mimecast) to $4 million (Unisys). Commissioners Hester Peirce and Mark Uyeda dissented, contending that the SEC “needs to start treating companies subject to cyberattacks as victims of a crime, rather than perpetrators of one.”

SEC charges RR Donnelley with control failures related to cybersecurity incident

In this June Order, SEC Enforcement brought settled charges against R.R. Donnelley & Sons, a “global provider of business communications services and marketing solutions,” for control failures: more specifically, a failure to maintain adequate disclosure controls and procedures related to cybersecurity incidents and alerts and a failure to devise and maintain adequate internal accounting controls—more specifically, “a system of cybersecurity-related internal accounting controls sufficient to provide reasonable assurances that access to RRD’s assets—its information technology systems and networks, which contained sensitive business and client data—was permitted only with management’s authorization.” RRD agreed to pay over $2.1 million to settle the charges.  Interestingly, in a Statement, SEC Commissioners Hester Peirce and Mark Uyeda decried the SEC’s use of “Section 13(b)(2)(B)’s internal accounting controls provision as a Swiss Army Statute to compel issuers to adopt policies and procedures the Commission believes prudent,” not to mention its “decision to stretch the law to punish a company that was the victim of a cyberattack.”  

SEC charges SolarWinds and CISO with securities fraud and control failures

You remember the 2020 SolarWinds hack, perhaps one of the worst cyberattacks in history?  As NPR described it in 2021, we all regularly receive routine software updates like this one:

“‘This release includes bug fixes, increased stability and performance improvements’…. Last spring, a Texas-based company called SolarWinds made one such software update available to its customers. It was supposed to provide the regular fare—bug fixes, performance enhancements—to the company’s popular network management system, a software program called Orion that keeps a watchful eye on all the various components in a company’s network. Customers simply had to log into the company’s software development website, type a password and then wait for the update to land seamlessly onto their servers. The routine update, it turns out, is no longer so routine. Hackers believed to be directed by the Russian intelligence service, the SVR, used that routine software update to slip malicious code into Orion’s software and then used it as a vehicle for a massive cyberattack against America. ‘Eighteen thousand [customers] was our best estimate of who may have downloaded the code between March and June of 2020,’”

according to the Company’s CEO. And not just any customers—the Company determined that many very well-known companies and about a dozen government agencies were compromised, including the Treasury, Justice and Energy departments, the Pentagon and, ironically, the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security. On Monday, the SEC announced that it had filed a complaint against SolarWinds and its Chief Information Security Officer, Timothy G. Brown, charging “fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.” In the complaint, the SEC charges that “SolarWinds’ public statements about its cybersecurity practices and risks painted a starkly different picture from internal discussions and assessments about the Company’s cybersecurity policy violations, vulnerabilities, and cyberattacks.” According to Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, the SEC’s enforcement action “underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”

SEC charges GTT with disclosure failures and control violations

This press release announces settled charges brought by the SEC against GTT Communications, Inc., a multinational telecommunications and internet service provider, for failure to disclose material information about “unsupported adjustments of more than $35 million” that had the effect of reducing COR, i.e., cost of revenue, and increasing reported operating income by at least 15% in three quarters from 2019 through 2020. According to the Order, in 2017 and 2018, GTT rapidly expanded its business through multiple acquisitions, but had difficulty absorbing and integrating the operations of the acquired, sometimes distressed, companies, especially with regard to accounting and controls.  As a result, GTT was never able to reconcile data from two critical operating systems used to determine COR, ultimately leading to data integrity issues in its financial statements. In an attempt to achieve some consistency between the two systems, the SEC alleged, the company began to make accounting adjustments that, in the absence of effective controls, were “highly uncertain” and devoid of proper support. Moreover, the SEC alleged, GTT failed to provide adequate disclosure about the adjustments. In addition to antifraud violations, the SEC charged GTT with control violations: although GTT knew that its systems were inadequate to accurately report COR, “GTT failed to implement and maintain policies and procedures designed to provide reasonable assurance that the COR reflected in GTT’s financial statements was based on reasonable support.”  However, because of GTT’s prompt self-reporting, remedial measures and substantial cooperation, the SEC did not impose a civil penalty.  But perhaps the real penalty can be found here: in 2021, GTT was delisted from the NYSE, terminated its Exchange Act registration and filed for bankruptcy. GTT emerged in 2022 as a private company owned by certain of its former creditors—but eligible to use “Fresh-Start Reporting.”

Are springing penalties a thing? SEC charges Plug Power with accounting, reporting and control failures

In this Order, the SEC brought settled charges against Plug Power, Inc., a provider of green hydrogen and hydrogen-fuel-cell solutions, for financial reporting, accounting and controls failures in connection with a variety of the Company’s complex business transactions. The failures required Plug to restate its financial statements for several years.   In the restatement, Company management identified a material weakness in internal control over financial reporting and ineffective disclosure controls and procedures, allegedly “due to Plug Power’s failure to maintain a sufficient complement of trained, knowledgeable personnel to execute their responsibilities for certain financial statement accounts and disclosures.  Despite these control deficiencies, the Company raised over $5 billion from investors during the relevant Filing Period.” According to the SEC, Plug’s “material weakness in ICFR and ineffective DCP have not been fully remediated,” and the Company is continuing its remediation efforts. Plug agreed to pay a civil penalty of $1.25 million and to implement a number of undertakings, including an undertaking “to fully remediate the Company’s material weakness in ICFR and ineffective DCP within one year” of the SEC’s Order.  Should Plug fail to comply with those undertakings, the Company will be required to pay a “springing penalty,” an additional civil penalty of $5 million.