Tag: disclosure controls and procedures
SEC charges DXC with misleading non-GAAP disclosures and absence of non-GAAP disclosure controls
The SEC has announced settled charges against DXC Technology Company, a multi-national information technology company, for making misleading disclosures about its non-GAAP financial performance in multiple reporting periods from 2018 until early 2020. According to the Order, DXC materially increased its reported non-GAAP net income “by negligently misclassifying tens of millions of dollars of expenses” as non-GAAP adjustments related to strategic transactions and integration and improperly excluding them from its reported non-GAAP earnings. In addition to misclassification, DXC allegedly failed to accurately describe the scope of the expenses included in the company’s non-GAAP adjustment, with the result that “its non-GAAP net income and non-GAAP diluted EPS in periodic reports and earnings releases were materially misleading.” What’s more, the SEC alleged, DXC’s disclosure committee “negligently failed to evaluate the company’s non-GAAP disclosures adequately,…and failed to implement an appropriate non-GAAP policy” or adequate disclosure controls and procedures specific to its non-GAAP financial measures. Consequently, DXC “negligently failed to evaluate the company’s non-GAAP disclosures adequately.” DXC agreed to pay a civil penalty of $8 million. According to the SEC’s Associate Director of Enforcement, “[i]ssuers that choose to report non-GAAP financial metrics must accurately describe those metrics in their public disclosures….As the order finds, DXC’s informal procedures and controls were not up to the task, and, as a result, investors were repeatedly misled about its non-GAAP financial performance.”
Ransomware attack—SEC charges misleading disclosures and disclosure control failure—again!
Last week, the SEC announced settled charges against Blackbaud, Inc., a provider of donor data management software to non-profit organizations, for misleading disclosures and disclosure control failures. According to the SEC, in May 2020, employees at the company discovered evidence of a ransomware attack. After an investigation, the company announced the incident and advised affected customers—specifying that sensitive donor data was not involved. But just a couple of weeks later, the SEC alleged, company personnel learned that the attacker had, in fact, accessed sensitive donor data for a number of customers—including bank account and social security numbers. But—you guessed it—it’s disclosure controls again! The personnel with knowledge of the scope of the breach “did not communicate this to Blackbaud’s senior management responsible for disclosures, and the company did not have policies or procedures in place designed to ensure they do so.” As a result, the SEC claimed, the company filed a Form 10-Q that still omitted mention of the exfiltration of sensitive donor data and framed its cybersecurity risk factor disclosure as purely hypothetical. The SEC viewed Blackbaud’s disclosure as misleading and its disclosure controls as inadequate and imposed a civil penalty of $3 million. According to the Chief of SEC Enforcement’s Crypto Assets and Cyber Unit, “Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous….Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.”
Workplace misconduct again! SEC charges failure of disclosure controls
Alleged workplace misconduct—and the obligation to collect information and report up about it—rears its head again in yet another case, this time involving Activision Blizzard, Inc. Just last month, in In re McDonald’s Corporation, the former “Chief People Officer” of McDonald’s Corporation was alleged to have breached his fiduciary duty of oversight by consciously ignoring red flags about sexual harassment and misconduct in the workplace. According to the court in that case, the defendant “had an obligation to make a good faith effort to put in place reasonable information systems so that he obtained the information necessary to do his job and report to the CEO and the board, and he could not consciously ignore red flags indicating that the corporation was going to suffer harm.” (See this PubCo post.) Now, the SEC has issued an Order in connection with a settled action alleging that Activision Blizzard, Inc., a videogame developer and publisher, violated the Exchange Act’s disclosure controls rule because it “lacked controls and procedures designed to ensure that information related to employee complaints of workplace misconduct would be communicated to Activision Blizzard’s disclosure personnel to allow for timely assessment on its disclosures.” In addition, the SEC alleged that the company violated the whistleblower protection rules by requiring, in separation agreements, that former employees “notify the company if they received a request from a government administrative agency in connection with a report or complaint.” As a result, Activision Blizzard agreed to pay a $35 million civil penalty. These cases suggest that company actions (or lack thereof) around workplace misconduct and information gathering and reporting about it have resonance far beyond employment law. 
It’s also noteworthy that this Order represents yet another case (see this PubCo post) where a “control failure” is a lever used by SEC Enforcement to bring charges against a company notwithstanding the absence of any specific allegations of material misrepresentation or misleading disclosure, a point underscored by Commissioner Hester Peirce in her dissenting statement, discussed below.
SEC charges Compass Minerals with disclosure violations resulting from “deficient disclosure process”
Toward the end of last month, the SEC announced settled charges against Compass Minerals International, Inc., for alleged disclosure violations that were “the consequence of a deficient disclosure process.” In the Order, the SEC alleged that Compass misrepresented the impact of a technology upgrade at its Goderich mine—the world’s largest underground salt mine—which the company had claimed would lead to cost savings, but actually led to increased costs and below-expectation results. Central to the case, however, was the purported failure of the company’s disclosure controls that resulted in the misleading statements: “statements to investors were not reviewed by personnel who were sufficiently knowledgeable about both Compass’s operations and its disclosure obligations.” The company was also charged with failing to disclose the potential financial risks arising out of the company’s contamination of a river in Brazil with excessive discharges of mercury, a failure the SEC also attributed to inadequate disclosure controls. According to Melissa Hodgman, Associate Director of the Division of Enforcement, “[w]hat companies say to investors must be consistent with what they know. Yet Compass repeatedly made public statements that did not jibe with the facts on—or under—the ground at Goderich….By misleading investors about mining costs in Canada and failing to analyze the potential financial consequences of its environmental contamination in Brazil, Compass fell far short of what the federal securities laws require.” Compass agreed to pay $12 million to settle the charges.
SEC charges company for alleged misstatements regarding director independence and disclosure control failures
As we head into a new proxy season, this SEC order involving settled charges against Leaf Group Ltd. might be a good case to keep in mind. In this case, the SEC charged that Leaf did not adequately identify and analyze—and did not maintain effective disclosure controls and procedures to identify and analyze—whether some of its directors were “independent” and whether there were “interlocking relationships between its directors and executive officers,” which led to “material misstatements and omissions in certain of its public filings,” including its proxy statement. As part of the settlement, Leaf was ordered to pay a civil penalty of $325,000. The company’s alleged failings as outlined in the order might serve to augment your seasonal checklist for examining issues of director independence.
Commissioner Roisman talks cybersecurity
On Friday, in remarks before the L.A. County Bar Association, SEC Commissioner Elad Roisman addressed some of the challenges associated with cybersecurity and cyber breaches and similar events. In his presentation, Roisman considers cybersecurity in a variety of contexts, such as the exchanges, investment advisers and broker-dealers, but his discussion of cybersecurity in the context of public companies is of most interest here. Although the SEC has imposed some principles-based requirements and issued guidance about cybersecurity disclosure, Roisman believes that there is more in the way of guidance and even rulemaking that the SEC should consider “to ensure that companies understand [the SEC’s] expectations and investors get the benefit of increased disclosure and protections by companies.”
SEC charges company with disclosure controls violation as a result of cybersecurity failure
Once again, a “control failure” is a lever used by SEC Enforcement to bring charges against a company, this time for failure to timely disclose a cybersecurity vulnerability. Yesterday, the SEC announced settled charges against a real estate settlement services company, First American Financial Corporation, for violation of the requirement to maintain adequate disclosure controls and procedures “related to a cybersecurity vulnerability that exposed sensitive customer information.” This action follows charges regarding control violations against GE (see this PubCo post), HP, Inc. (see this PubCo post) and Andeavor (see this PubCo post) where, instead of attempting to make a case about funny accounting or, in Andeavor, a defective 10b5-1 plan, the SEC opted to make its point by, among other things, charging failure to maintain and comply with internal accounting controls or disclosure controls and procedures. Companies may want to take note that charges related to violations of the rules regarding internal controls and disclosure controls seem to be increasingly part of the SEC’s Enforcement playbook, making it worthwhile for companies to make sure that their controls are in good working order. Perhaps we should pirate the Matt Levine mantra, “everything is securities fraud” (see this PubCo post): how ’bout “everything is also a control failure”?
SEC charges HP with failure to disclose known trends and uncertainties
Enforcement has certainly been busy at the end of the SEC’s fiscal year, with disclosure violations receiving their fair share of attention. In this action against HP Inc., the company was charged with failing to disclose known trends and uncertainties regarding the impact of sales and inventory practices, as well as failure to maintain adequate disclosure controls and procedures. HP was ordered to pay a penalty of $6 million.
SEC Commissioner Jackson sees cyber threat as a corporate governance issue
In remarks on Thursday of last week to the Tulane Corporate Law Institute, SEC Commissioner Robert Jackson discussed what he termed to be “the most pressing issue in corporate governance today: the rising cyber threat.” To support his characterization, Jackson reports that, in 2016, there were over 1,000 data breaches with an aggregate cost of over $100 billion, according to the Identity Theft Resource Center. And the issue has “rocketed to the top of the corporate agenda”: “One recent study showed that nearly two-thirds of executives identified cyber threats as a top-five risk to their company’s future. That shows how quickly this has become a board-level issue.”
New SEC guidance on cybersecurity disclosure
Yesterday, the SEC announced that it had adopted—without the scheduled open meeting, which was abruptly cancelled with only a cryptic statement—long-awaited new guidance on cybersecurity disclosure. The guidance addresses disclosure obligations under existing laws and regulations, cybersecurity policies and procedures, disclosure controls and procedures, insider trading prohibitions and Reg FD and selective disclosure prohibitions in the context of cybersecurity. The new guidance builds on Corp Fin’s 2011 guidance on this topic (see this Cooley News Brief), adding in particular new discussions of policies and insider trading. While the guidance was adopted unanimously, some of the Commissioners were not exactly enthused about it, viewing it as largely repetitive of the 2011 guidance—and hardly more compelling. Anticlimactic? See if you agree.