Tag: disclosure controls and procedures

SEC charges RR Donnelley with control failures related to cybersecurity incident

In this June Order, SEC Enforcement brought settled charges against R.R. Donnelley & Sons, a “global provider of business communications services and marketing solutions,” for two kinds of control failures: a failure to maintain adequate disclosure controls and procedures related to cybersecurity incidents and alerts, and a failure to devise and maintain adequate internal accounting controls, specifically “a system of cybersecurity-related internal accounting controls sufficient to provide reasonable assurances that access to RRD’s assets—its information technology systems and networks, which contained sensitive business and client data—was permitted only with management’s authorization.” RRD agreed to pay over $2.1 million to settle the charges. Interestingly, in a Statement, SEC Commissioners Hester Peirce and Mark Uyeda decried the SEC’s use of “Section 13(b)(2)(B)’s internal accounting controls provision as a Swiss Army Statute to compel issuers to adopt policies and procedures the Commission believes prudent,” not to mention its “decision to stretch the law to punish a company that was the victim of a cyberattack.”

SEC charges SolarWinds and CISO with securities fraud and control failures

You remember the 2020 SolarWinds hack, perhaps one of the worst cyberattacks in history?  As NPR described it in 2021, we all regularly receive routine software updates like this one:

“‘This release includes bug fixes, increased stability and performance improvements’…. Last spring, a Texas-based company called SolarWinds made one such software update available to its customers. It was supposed to provide the regular fare—bug fixes, performance enhancements—to the company’s popular network management system, a software program called Orion that keeps a watchful eye on all the various components in a company’s network. Customers simply had to log into the company’s software development website, type a password and then wait for the update to land seamlessly onto their servers. The routine update, it turns out, is no longer so routine. Hackers believed to be directed by the Russian intelligence service, the SVR, used that routine software update to slip malicious code into Orion’s software and then used it as a vehicle for a massive cyberattack against America. ‘Eighteen thousand [customers] was our best estimate of who may have downloaded the code between March and June of 2020,’”

according to the Company’s CEO. And not just any customers—the Company determined that many very well-known companies and about a dozen government agencies were compromised, including the Treasury, Justice and Energy departments, the Pentagon and, ironically, the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security. On Monday, the SEC announced that it had filed a complaint against SolarWinds and its Chief Information Security Officer, Timothy G. Brown, charging “fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.” In the complaint, the SEC charges that “SolarWinds’ public statements about its cybersecurity practices and risks painted a starkly different picture from internal discussions and assessments about the Company’s cybersecurity policy violations, vulnerabilities, and cyberattacks.” According to Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, the SEC’s enforcement action “underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”

SEC charges GTT with disclosure failures and control violations

This press release announces settled charges brought by the SEC against GTT Communications, Inc., a multinational telecommunications and internet service provider, for failure to disclose material information about “unsupported adjustments of more than $35 million” that had the effect of reducing COR, i.e., cost of revenue, and increasing reported operating income by at least 15% in three quarters from 2019 through 2020. According to the Order, in 2017 and 2018, GTT rapidly expanded its business through multiple acquisitions, but had difficulty absorbing and integrating the operations of the acquired, sometimes distressed, companies, especially with regard to accounting and controls. As a result, GTT was never able to reconcile data from two critical operating systems used to determine COR, ultimately leading to data integrity issues in its financial statements. In an attempt to achieve some consistency between the two systems, the SEC alleged, the company began to make accounting adjustments that, in the absence of effective controls, were “highly uncertain” and devoid of proper support. Moreover, the SEC alleged, GTT failed to provide adequate disclosure about the adjustments. In addition to antifraud violations, the SEC charged GTT with control violations: although GTT knew that its systems were inadequate to accurately report COR, “GTT failed to implement and maintain policies and procedures designed to provide reasonable assurance that the COR reflected in GTT’s financial statements was based on reasonable support.” However, because of GTT’s prompt self-reporting, remedial measures and substantial cooperation, the SEC did not impose a civil penalty. But perhaps the real penalty can be found here: in 2021, GTT was delisted from the NYSE, terminated its Exchange Act registration and filed for bankruptcy. GTT emerged in 2022 as a private company owned by certain of its former creditors—but eligible to use “Fresh-Start Reporting.”

Are springing penalties a thing? SEC charges Plug Power with accounting, reporting and control failures

In this Order, the SEC brought settled charges against Plug Power, Inc., a provider of green hydrogen and hydrogen-fuel-cell solutions, for financial reporting, accounting and controls failures in connection with a variety of the Company’s complex business transactions. The failures required Plug to restate its financial statements for several years. In the restatement, Company management identified a material weakness in internal control over financial reporting and ineffective disclosure controls and procedures, allegedly “due to Plug Power’s failure to maintain a sufficient complement of trained, knowledgeable personnel to execute their responsibilities for certain financial statement accounts and disclosures. Despite these control deficiencies, the Company raised over $5 billion from investors during the relevant Filing Period.” According to the SEC, Plug’s “material weakness in ICFR and ineffective DCP have not been fully remediated,” and the Company is continuing its remediation efforts. Plug agreed to pay a civil penalty of $1.25 million and to implement a number of undertakings, including an undertaking “to fully remediate the Company’s material weakness in ICFR and ineffective DCP within one year” of the SEC’s Order. Should Plug fail to comply with those undertakings, the Company will be required to pay a “springing penalty,” an additional civil penalty of $5 million.

SEC charges DXC with misleading non-GAAP disclosures and absence of non-GAAP disclosure controls

The SEC has announced settled charges against DXC Technology Company, a multi-national information technology company, for making misleading disclosures about its non-GAAP financial performance in multiple reporting periods from 2018 until early 2020. According to the Order, DXC materially increased its reported non-GAAP net income “by negligently misclassifying tens of millions of dollars of expenses” as non-GAAP adjustments related to strategic transactions and integration and improperly excluding them from its reported non-GAAP earnings. In addition to misclassification, DXC allegedly failed to accurately describe the scope of the expenses included in the company’s non-GAAP adjustment, with the result that “its non-GAAP net income and non-GAAP diluted EPS in periodic reports and earnings releases were materially misleading.” What’s more, the SEC alleged, DXC “failed to implement an appropriate non-GAAP policy” or adequate disclosure controls and procedures specific to its non-GAAP financial measures; consequently, its disclosure committee “negligently failed to evaluate the company’s non-GAAP disclosures adequately.” DXC agreed to pay a civil penalty of $8 million. According to the SEC’s Associate Director of Enforcement, “[i]ssuers that choose to report non-GAAP financial metrics must accurately describe those metrics in their public disclosures….As the order finds, DXC’s informal procedures and controls were not up to the task, and, as a result, investors were repeatedly misled about its non-GAAP financial performance.”

Ransomware attack—SEC charges misleading disclosures and disclosure control failure—again!

Last week, the SEC announced settled charges against Blackbaud, Inc., a provider of donor data management software to non-profit organizations, for misleading disclosures and disclosure control failures. According to the SEC, in May 2020, employees at the company discovered evidence of a ransomware attack. After an investigation, the company announced the incident and advised affected customers—specifying that sensitive donor data was not involved. But just a couple of weeks later, the SEC alleged, company personnel learned that the attacker had, in fact, accessed sensitive donor data for a number of customers—including bank account and social security numbers. But—you guessed it—it’s disclosure controls again! The personnel with knowledge of the scope of the breach “did not communicate this to Blackbaud’s senior management responsible for disclosures, and the company did not have policies or procedures in place designed to ensure they do so.” As a result, the SEC claimed, the company filed a Form 10-Q that still omitted mention of the exfiltration of sensitive donor data and framed its cybersecurity risk factor disclosure as purely hypothetical. The SEC viewed Blackbaud’s disclosure as misleading and its disclosure controls as inadequate and imposed a civil penalty of $3 million. According to the Chief of SEC Enforcement’s Crypto Assets and Cyber Unit, “Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous….Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.”

Workplace misconduct again! SEC charges failure of disclosure controls

Alleged workplace misconduct—and the obligation to collect information and report up about it—rears its head again in yet another case, this time involving Activision Blizzard, Inc. Just last month, in In re McDonald’s Corporation, the former “Chief People Officer” of McDonald’s Corporation was alleged to have breached his fiduciary duty of oversight by consciously ignoring red flags about sexual harassment and misconduct in the workplace. According to the court in that case, the defendant “had an obligation to make a good faith effort to put in place reasonable information systems so that he obtained the information necessary to do his job and report to the CEO and the board, and he could not consciously ignore red flags indicating that the corporation was going to suffer harm.” (See this PubCo post.) Now, the SEC has issued an Order in connection with a settled action alleging that Activision Blizzard, Inc., a videogame developer and publisher, violated the Exchange Act’s disclosure controls rule because it “lacked controls and procedures designed to ensure that information related to employee complaints of workplace misconduct would be communicated to Activision Blizzard’s disclosure personnel to allow for timely assessment on its disclosures.” In addition, the SEC alleged that the company violated the whistleblower protection rules by requiring, in separation agreements, that former employees “notify the company if they received a request from a government administrative agency in connection with a report or complaint.” As a result, Activision Blizzard agreed to pay a $35 million civil penalty. These cases suggest that company actions (or lack thereof) around workplace misconduct and information gathering and reporting about it have resonance far beyond employment law.
It’s also noteworthy that this Order represents yet another case (see this PubCo post) where a “control failure” is a lever used by SEC Enforcement to bring charges against a company notwithstanding the absence of any specific allegations of material misrepresentation or misleading disclosure, a point underscored by Commissioner Hester Peirce in her dissenting statement, discussed below.

SEC charges Compass Minerals with disclosure violations resulting from “deficient disclosure process”

Toward the end of last month, the SEC announced settled charges against Compass Minerals International, Inc., for alleged disclosure violations that were “the consequence of a deficient disclosure process.” In the Order, the SEC alleged that Compass misrepresented the impact of a technology upgrade at its Goderich mine—the world’s largest underground salt mine—which the company had claimed would lead to cost savings, but actually led to increased costs and below-expectation results. Central to the case, however, was the purported failure of the company’s disclosure controls that resulted in the misleading statements: “statements to investors were not reviewed by personnel who were sufficiently knowledgeable about both Compass’s operations and its disclosure obligations.” The company was also charged with failing to disclose the potential financial risks arising out of the company’s contamination of a river in Brazil with excessive discharges of mercury, a failure the SEC also attributed to inadequate disclosure controls. According to Melissa Hodgman, Associate Director of the Division of Enforcement, “[w]hat companies say to investors must be consistent with what they know. Yet Compass repeatedly made public statements that did not jibe with the facts on—or under—the ground at Goderich….By misleading investors about mining costs in Canada and failing to analyze the potential financial consequences of its environmental contamination in Brazil, Compass fell far short of what the federal securities laws require.” Compass agreed to pay $12 million to settle the charges.

SEC charges company for alleged misstatements regarding director independence and disclosure control failures

As we head into a new proxy season, this SEC order involving settled charges against Leaf Group Ltd. might be a good one to keep in mind. The SEC charged that Leaf did not adequately identify and analyze—and did not maintain effective disclosure controls and procedures to identify and analyze—whether some of its directors were “independent” and whether there were “interlocking relationships between its directors and executive officers,” which led to “material misstatements and omissions in certain of its public filings,” including its proxy statement. As part of the settlement, Leaf was ordered to pay a civil penalty of $325,000. The company’s alleged failings as outlined in the order might serve to augment your seasonal checklist for examining issues of director independence.

Commissioner Roisman talks cybersecurity

On Friday, in remarks before the L.A. County Bar Association, SEC Commissioner Elad Roisman addressed some of the challenges associated with cybersecurity and cyber breaches and similar events. In his presentation, Roisman considers cybersecurity in a variety of contexts, such as the exchanges, investment advisers and broker-dealers, but his discussion of cybersecurity in the context of public companies is of most interest here. Although the SEC has imposed some principles-based requirements and issued guidance about cybersecurity disclosure, Roisman believes that there is more in the way of guidance and even rulemaking that the SEC should consider “to ensure that companies understand [the SEC’s] expectations and investors get the benefit of increased disclosure and protections by companies.”