SEC charges company for alleged misstatements regarding director independence and disclosure control failures
As we head into a new proxy season, this SEC order involving settled charges against Leaf Group Ltd. might be a good case to keep in mind. In this case, the SEC charged that Leaf did not adequately identify and analyze—and did not maintain effective disclosure controls and procedures to identify and analyze— whether some of its directors were “independent” and whether there were “interlocking relationships between its directors and executive officers,” which led to “material misstatements and omissions in certain of its public filings,” including its proxy statement. As part of the settlement, Leaf was ordered to pay a civil penalty of $325,000. The company’s alleged failings as outlined in the order might serve to augment your seasonal checklist for examining issues of director independence.
On Friday, in remarks before the L.A. County Bar Association, SEC Commissioner Elad Roisman addressed some of the challenges associated with cybersecurity and cyber breaches and similar events. In his presentation, Roisman considers cybersecurity in a variety of contexts, such as the exchanges, investment advisers and broker-dealers, but his discussion of cybersecurity in the context of public companies is of most interest here. Although the SEC has imposed some principles-based requirements and issued guidance about cybersecurity disclosure, Roisman believes that there is more in the way of guidance and even rulemaking that the SEC should consider “to ensure that companies understand [the SEC’s] expectations and investors get the benefit of increased disclosure and protections by companies.”
Once again, a “control failure” is a lever used by SEC Enforcement to bring charges against a company, this time for failure to timely disclose a cybersecurity vulnerability. Yesterday, the SEC announced settled charges against a real estate settlement services company, First American Financial Corporation, for violation of the requirement to maintain adequate disclosure controls and procedures “related to a cybersecurity vulnerability that exposed sensitive customer information.” This action follows charges regarding control violations against GE (see this PubCo post), HP, Inc. (see this PubCo post) and Andeavor (see this PubCo post) where, instead of attempting to make a case about funny accounting or, in Andeavor, a defective 10b5-1 plan, the SEC opted to make its point by, among other things, charging failure to maintain and comply with internal accounting controls or disclosure controls and procedures. Companies may want to take note that charges related to violations of the rules regarding internal controls and disclosure controls seem to be increasingly part of the SEC’s Enforcement playbook, making it worthwhile for companies to make sure that their controls are in good working order. Perhaps we should pirate the Matt Levine mantra, “everything is securities fraud” (see this PubCo post): how ’bout “everything is also a control failure”?
Enforcement has certainly been busy at the end of the SEC’s fiscal year, with disclosure violations receiving their fair of attention. In this action against HP Inc., the company was charged with failing to disclose known trends and uncertainties regarding the impact of sales and inventory practices, as well as failure to maintain adequate disclosure controls and procedures. HP was ordered to pay a penalty of $6 million.
In remarks on Thursday of last week to the Tulane Corporate Law Institute, SEC Commissioner Robert Jackson discussed what he termed to be “the most pressing issue in corporate governance today: the rising cyber threat.” To support his characterization, Jackson reports that, in 2016, there were over 1,000 data breaches with an aggregate cost of over $100 billion, according to the Identity Theft Resource Center. And the issue has “rocketed to the top of the corporate agenda”: “One recent study showed that nearly two-thirds of executives identified cyber threats as a top-five risk to their company’s future. That shows how quickly this has become a board-level issue.”
Yesterday, the SEC announced that it had adopted—without the scheduled open meeting, which was abruptly cancelled with only a cryptic statement—long-awaited new guidance on cybersecurity disclosure. The guidance addresses disclosure obligations under existing laws and regulations, cybersecurity policies and procedures, disclosure controls and procedures, insider trading prohibitions and Reg FD and selective disclosure prohibitions in the context of cybersecurity. The new guidance builds on Corp Fin’s 2011 guidance on this topic (see this Cooley News Brief), adding in particular new discussions of policies and insider trading. While the guidance was adopted unanimously, some of the Commissioners were not exactly enthused about it, viewing it as largely repetitive of the 2011 guidance—and hardly more compelling. Anticlimactic? See if you agree.
by Cydney Posner With the spotlight now on non-GAAP financial measures, companies might find this article in CFO.com to be particularly useful. The article provides practical guidance to help companies establish effective disclosure controls and procedures for non-GAAP financial measures.