Tag: disclosure controls and procedures

Just in time for Thanksgiving, SEC charges Elanco with undisclosed stuffing—channel stuffing, that is

In this settled action, In the Matter of Elanco Animal Health, Inc., Elanco, a manufacturer and seller of animal health products, such as flea and tick medications, was charged with “failure to disclose material information concerning its sales practices that rendered statements it made about its revenue growth misleading.” As alleged by the SEC, “Elanco would entice distributors to make end-of-quarter purchases in excess of then-existing customer demand by offering them incentives such as rebates and extended payment terms. These incentives allowed Elanco to improve its revenue each quarter, but caused distributors to purchase products ahead of end-user demand. Without these Incentivized Sales, Elanco would have missed its internal revenue and core growth targets in each quarter in 2019.” Essentially, we’re talking here about channel stuffing. As the practice continued, it contributed over the period to “channel inventory increasing by over $100 million in gross value…during 2019, creating a build-up of excess inventory at distributors and a reasonably likely risk of a decrease in revenue and revenue growth in future periods. But, for each quarter during the Relevant Period, Elanco failed to disclose the significant impact of its Quarter-End Incentivized Sales and the reasonably likely risk that these sales practices could have a negative impact on revenue in future quarters.” The SEC charged that these disclosure failures rendered the positive statements that Elanco made about revenue materially misleading. And let’s not forget the disclosure controls violations. In settling the action, Elanco agreed to pay a civil money penalty of $15 million.

PLI panel offers hot tips on accounting and auditing issues

At the PLI Securities Regulation Institute last week, the accounting and auditing update panel provided some useful insights—especially for non-accountants. The panel covered the new requirements for segment reporting, the intensified focus on controls, PCAOB activities (including NOCLAR) and errors and materiality.  Below are some takeaways. 

SEC Enforcement mini-sweep charges hypothetical risk factors and other misleading cyber disclosures

On Tuesday, the SEC announced settled charges against four companies for “making materially misleading disclosures regarding cybersecurity risks and intrusions.” The charges against the companies, Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd. and Mimecast Limited, all resulted from an investigation of companies “potentially impacted by the compromise of SolarWinds’ Orion software and by other related activity.” (See this PubCo post and this PubCo post.) According to law.com, the SEC “began issuing sweep letters to potential SolarWinds hack victims back in 2021.” The SEC charged that each of these companies learned that the “threat actor” that was probably the cause of the SolarWinds hack had “accessed their systems without authorization, but each negligently minimized its cybersecurity incident in its public disclosures.” In two instances, the companies were alleged to have framed their disclosures as hypothetical or generic risks. Unisys was also charged with a disclosure controls violation. According to Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement, “[a]s today’s enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered….Here, the SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents.” Jorge G. Tenreiro, Acting Chief of the Crypto Assets and Cyber Unit, cautioned that “[d]ownplaying the extent of a material cybersecurity breach is a bad strategy….In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned-of risks had already materialized. The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures.” The companies were each charged with violations of the Securities Act, the Exchange Act and related rules, and agreed to pay civil penalties ranging from $990,000 (Mimecast) to $4 million (Unisys). Commissioners Hester Peirce and Mark Uyeda dissented, contending that the SEC “needs to start treating companies subject to cyberattacks as victims of a crime, rather than perpetrators of one.”

SEC charges RR Donnelley with control failures related to cybersecurity incident

In this June Order, SEC Enforcement brought settled charges against R.R. Donnelley & Sons, a “global provider of business communications services and marketing solutions,” for two kinds of control failures: a failure to maintain adequate disclosure controls and procedures related to cybersecurity incidents and alerts, and a failure to devise and maintain adequate internal accounting controls, more specifically, “a system of cybersecurity-related internal accounting controls sufficient to provide reasonable assurances that access to RRD’s assets—its information technology systems and networks, which contained sensitive business and client data—was permitted only with management’s authorization.” RRD agreed to pay over $2.1 million to settle the charges. Interestingly, in a Statement, SEC Commissioners Hester Peirce and Mark Uyeda decried the SEC’s use of “Section 13(b)(2)(B)’s internal accounting controls provision as a Swiss Army Statute to compel issuers to adopt policies and procedures the Commission believes prudent,” not to mention its “decision to stretch the law to punish a company that was the victim of a cyberattack.”

SEC charges SolarWinds and CISO with securities fraud and control failures

You remember the 2020 SolarWinds hack, perhaps one of the worst cyberattacks in history?  As NPR described it in 2021, we all regularly receive routine software updates like this one:

“‘This release includes bug fixes, increased stability and performance improvements’…. Last spring, a Texas-based company called SolarWinds made one such software update available to its customers. It was supposed to provide the regular fare—bug fixes, performance enhancements—to the company’s popular network management system, a software program called Orion that keeps a watchful eye on all the various components in a company’s network. Customers simply had to log into the company’s software development website, type a password and then wait for the update to land seamlessly onto their servers. The routine update, it turns out, is no longer so routine. Hackers believed to be directed by the Russian intelligence service, the SVR, used that routine software update to slip malicious code into Orion’s software and then used it as a vehicle for a massive cyberattack against America. ‘Eighteen thousand [customers] was our best estimate of who may have downloaded the code between March and June of 2020,’”

according to the Company’s CEO. And not just any customers—the Company determined that many very well-known companies and about a dozen government agencies were compromised, including the Treasury, Justice and Energy departments, the Pentagon and, ironically, the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security. On Monday, the SEC announced that it had filed a complaint against SolarWinds and its Chief Information Security Officer, Timothy G. Brown, charging “fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.” In the complaint, the SEC charges that “SolarWinds’ public statements about its cybersecurity practices and risks painted a starkly different picture from internal discussions and assessments about the Company’s cybersecurity policy violations, vulnerabilities, and cyberattacks.” According to Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, the SEC’s enforcement action “underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”

SEC charges GTT with disclosure failures and control violations

This press release announces settled charges brought by the SEC against GTT Communications, Inc., a multinational telecommunications and internet service provider, for failure to disclose material information about “unsupported adjustments of more than $35 million” that had the effect of reducing COR, i.e., cost of revenue, and increasing reported operating income by at least 15% in three quarters from 2019 through 2020. According to the Order, in 2017 and 2018, GTT rapidly expanded its business through multiple acquisitions, but had difficulty absorbing and integrating the operations of the acquired, sometimes distressed, companies, especially with regard to accounting and controls.  As a result, GTT was never able to reconcile data from two critical operating systems used to determine COR, ultimately leading to data integrity issues in its financial statements. In an attempt to achieve some consistency between the two systems, the SEC alleged, the company began to make accounting adjustments that, in the absence of effective controls, were “highly uncertain” and devoid of proper support. Moreover, the SEC alleged, GTT failed to provide adequate disclosure about the adjustments. In addition to antifraud violations, the SEC charged GTT with control violations: although GTT knew that its systems were inadequate to accurately report COR, “GTT failed to implement and maintain policies and procedures designed to provide reasonable assurance that the COR reflected in GTT’s financial statements was based on reasonable support.”  However, because of GTT’s prompt self-reporting, remedial measures and substantial cooperation, the SEC did not impose a civil penalty.  But perhaps the real penalty can be found here: in 2021, GTT was delisted from the NYSE, terminated its Exchange Act registration and filed for bankruptcy. GTT emerged in 2022 as a private company owned by certain of its former creditors—but eligible to use “Fresh-Start Reporting.”

Are springing penalties a thing? SEC charges Plug Power with accounting, reporting and control failures

In this Order, the SEC brought settled charges against Plug Power, Inc., a provider of green hydrogen and hydrogen-fuel-cell solutions, for financial reporting, accounting and controls failures in connection with a variety of the Company’s complex business transactions. The failures required Plug to restate its financial statements for several years.   In the restatement, Company management identified a material weakness in internal control over financial reporting and ineffective disclosure controls and procedures, allegedly “due to Plug Power’s failure to maintain a sufficient complement of trained, knowledgeable personnel to execute their responsibilities for certain financial statement accounts and disclosures.  Despite these control deficiencies, the Company raised over $5 billion from investors during the relevant Filing Period.” According to the SEC, Plug’s “material weakness in ICFR and ineffective DCP have not been fully remediated,” and the Company is continuing its remediation efforts. Plug agreed to pay a civil penalty of $1.25 million and to implement a number of undertakings, including an undertaking “to fully remediate the Company’s material weakness in ICFR and ineffective DCP within one year” of the SEC’s Order.  Should Plug fail to comply with those undertakings, the Company will be required to pay a “springing penalty,” an additional civil penalty of $5 million.

SEC charges DXC with misleading non-GAAP disclosures and absence of non-GAAP disclosure controls

The SEC has announced settled charges against DXC Technology Company, a multi-national information technology company, for making misleading disclosures about its non-GAAP financial performance in multiple reporting periods from 2018 until early 2020. According to the Order, DXC materially increased its reported non-GAAP net income “by negligently misclassifying tens of millions of dollars of expenses” as non-GAAP adjustments related to strategic transactions and integration and improperly excluding them from its reported non-GAAP earnings. In addition to misclassification, DXC allegedly failed to accurately describe the scope of the expenses included in the company’s non-GAAP adjustment, with the result that “its non-GAAP net income and non-GAAP diluted EPS in periodic reports and earnings releases were materially misleading.” What’s more, the SEC alleged, DXC’s disclosure committee “negligently failed to evaluate the company’s non-GAAP disclosures adequately,” and the company “failed to implement an appropriate non-GAAP policy” or adequate disclosure controls and procedures specific to its non-GAAP financial measures. DXC agreed to pay a civil penalty of $8 million. According to the SEC’s Associate Director of Enforcement, “[i]ssuers that choose to report non-GAAP financial metrics must accurately describe those metrics in their public disclosures….As the order finds, DXC’s informal procedures and controls were not up to the task, and, as a result, investors were repeatedly misled about its non-GAAP financial performance.”

Ransomware attack—SEC charges misleading disclosures and disclosure control failure—again!

Last week, the SEC announced settled charges against Blackbaud, Inc., a provider of donor data management software to non-profit organizations, for misleading disclosures and disclosure control failures. According to the SEC, in May 2020, employees at the company discovered evidence of a ransomware attack.  After an investigation, the company announced the incident and advised affected customers—specifying that sensitive donor data was not involved. But just a couple of weeks later, the SEC alleged, company personnel learned that the attacker had, in fact, accessed sensitive donor data for a number of customers—including bank account and social security numbers.  But—you guessed it—it’s disclosure controls again! The personnel with knowledge of the scope of the breach “did not communicate this to Blackbaud’s senior management responsible for disclosures, and the company did not have policies or procedures in place designed to ensure they do so.”  As a result, the SEC claimed, the company filed a Form 10-Q that still omitted mention of the exfiltration of sensitive donor data and framed its cybersecurity risk factor disclosure as purely hypothetical.  The SEC viewed Blackbaud’s disclosure as misleading and its disclosure controls as inadequate and imposed a civil penalty of $3 million. According to the Chief of SEC Enforcement’s Crypto Assets and Cyber Unit, “Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous….Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.”  

Workplace misconduct again! SEC charges failure of disclosure controls

Alleged workplace misconduct—and the obligation to collect information and report up about it—rears its head again in yet another case, this time involving Activision Blizzard, Inc. Just last month, in In re McDonald’s Corporation, the former “Chief People Officer” of McDonald’s Corporation was alleged to have breached his fiduciary duty of oversight by consciously ignoring red flags about sexual harassment and misconduct in the workplace.  According to the court in that case, the defendant “had an obligation to make a good faith effort to put in place reasonable information systems so that he obtained the information necessary to do his job and report to the CEO and the board, and he could not consciously ignore red flags indicating that the corporation was going to suffer harm.” (See this PubCo post.) Now, the SEC has issued an Order in connection with a settled action alleging that Activision Blizzard, Inc., a videogame developer and publisher, violated the Exchange Act’s disclosure controls rule because it “lacked controls and procedures designed to ensure that information related to employee complaints of workplace misconduct would be communicated to Activision Blizzard’s disclosure personnel to allow for timely assessment on its disclosures.” In addition, the SEC alleged that the company violated the whistleblower protection rules by requiring, in separation agreements, that former employees “notify the company if they received a request from a government administrative agency in connection with a report or complaint.”  As a result, Activision Blizzard agreed to pay a $35 million civil penalty. These cases suggest that company actions (or lack thereof) around workplace misconduct and information gathering and reporting about it have resonance far beyond employment law. 
It’s also noteworthy that this Order represents yet another case (see this PubCo post) where a “control failure” is a lever used by SEC Enforcement to bring charges against a company notwithstanding the absence of any specific allegations of material misrepresentation or misleading disclosure, a point underscored by Commissioner Hester Peirce in her dissenting statement, discussed below.