Once again, a “control failure” is a lever used by SEC Enforcement to bring charges against a company, this time for failure to timely disclose a cybersecurity vulnerability. Yesterday, the SEC announced settled charges against a real estate settlement services company, First American Financial Corporation, for violation of the requirement to maintain adequate disclosure controls and procedures “related to a cybersecurity vulnerability that exposed sensitive customer information.” This action follows charges regarding control violations against GE (see this PubCo post), HP, Inc. (see this PubCo post) and Andeavor (see this PubCo post) where, instead of attempting to make a case about funny accounting or, in Andeavor, a defective 10b5-1 plan, the SEC opted to make its point by, among other things, charging failure to maintain and comply with internal accounting controls or disclosure controls and procedures. Companies may want to take note that charges related to violations of the rules regarding internal controls and disclosure controls seem to be increasingly part of the SEC’s Enforcement playbook, making it worthwhile for companies to make sure that their controls are in good working order. Perhaps we should pirate the Matt Levine mantra, “everything is securities fraud” (see this PubCo post): how ’bout “everything is also a control failure”?
On Monday, the SEC announced settled charges against Under Armour, Inc., a manufacturer of sports apparel, for misleading investors by failing to disclose material information about its “revenue management practices.” According to the Order, Under Armour had established a reputation for consistent revenue growth that exceeded analysts’ consensus estimates. But when internal forecasts began to indicate that it would miss those estimates, the company sought to close the gap by accelerating—“pulling forward”—existing orders that had been scheduled by customers for future quarters. Although this practice continued for six quarters, the SEC charged, the company failed to disclose this pull-forward practice as a driver of its revenue growth nor did it disclose the “known uncertainty” that this practice created with regard to revenues in future quarters. It’s worth noting that the SEC’s charges related solely to disclosure failures; the Order expressly indicated that the SEC did “not make any findings that revenue from these sales was not recorded in accordance with [GAAP].” Under Armour agreed to pay $9 million to settle the action.
At the end of last week, the SEC announced that it had filed settled charges against eight companies for failing to disclose in their Form 12b-25 filings (Form NT Notification of Late Filing) that their late filings of periodic reports were caused by an anticipated restatement or correction of prior financial reporting. The staff detected the violations through the use of data analytics in an initiative aimed at Form 12b-25 filings that were soon followed by announcements of financial restatements or corrections. According to Melissa Hodgman, the new (again) Acting Director of Enforcement (following the abrupt resignation of the prior Director), “[a]s today’s actions show, we will continue to use data analytics to uncover difficult to detect disclosure violations….Targeted initiatives like this allow us to efficiently address disclosure abuses that have the potential to undermine investor confidence in our markets if left unaddressed.” Is it just more “broken windows”? Maybe, maybe not. The Associate Director of Enforcement hit on a central problem from the SEC’s perspective with deficiencies of this type: “In these cases, due to the companies’ failure to include required disclosure in their Form 12b-25, investors relying on the deficient Forms NT were kept in the dark regarding the unreliability of the company’s financial reporting or anticipated material changes in operating results.” These charges should serve as a reminder that completing the late notification is not, to borrow a phrase, a trivial pursuit and could necessitate substantial time and attention to provide the narrative and quantitative data that, depending on the circumstances, could be required.
On Friday of last week, the SEC announced that it had filed a complaint charging AT&T, Inc. and three of its Investor Relations executives with violations of Reg FD as a result of one-on-one disclosures of AT&T’s “projected and actual financial results” to a number of Wall Street research analysts by the three executives. In March 2016, the SEC alleges, AT&T learned that, as a result of a “steeper-than-expected decline in smartphone sales,” AT&T’s first quarter revenues would fall short of analysts’ estimates by over a $1 billion. The three IR executives were then asked to contact the analysts whose estimates were too high to “walk” them down. This case illustrates the tightrope that IR personnel walk when talking one-on-one with analysts in the context of Reg FD.
Last week, Allison Lee, Acting Chair of the SEC, directed the staff of Corp Fin to “enhance its focus on climate-related disclosure in public company filings.” Yesterday, the SEC announced that the new climate focus would not be limited to Corp Fin—the SEC has created a new Climate and ESG Task Force in the Division of Enforcement. According to the press release, the initial focus of the Task Force will be to identify any material gaps or misstatements in issuers’ disclosure of climate risks under existing rules, giving us all another reason to excavate the staff’s 2010 interpretive guidance regarding climate change. (You may recall that the guidance addressed in some detail how existing disclosure obligations, such as the Reg S-K requirements for business narrative and risk factors, could apply to climate change. See this PubCo post.) Apparently, however, the remit of the Task Force goes beyond climate to address other ESG issues. Lee said that the Task Force is designed to bolster the efforts of the SEC as a whole in addressing climate risk and sustainability, which “are critical issues for the investing public and our capital markets.”
Disclosure of executive perks is once again in the SEC Enforcement spotlight. Just last year, there were two actions against companies for disclosure failures regarding perks—Hilton Worldwide Holdings Inc. (see this PubCo post) and Argo Group International Holdings, Ltd. (see this PubCo post). Now, Enforcement has brought settled charges against Gulfport Energy Corporation, a gas exploration and production company that filed for Chapter 11 in November, and its former CEO, Michael G. Moore, for failure to disclose some of the perks provided to Moore as well as related-person transactions involving Moore’s son. The case serves as a reminder that the analysis of whether a benefit is a disclosable perk can be complicated.
The SEC has just filed a complaint against Sequential Brands Group, Inc., a brand management company, for failing to take timely and appropriate goodwill impairment charges as required by GAAP and the federal securities laws, despite “clear evidence of goodwill impairment” (according to the press release). As a result, the SEC alleges, the company “materially understated its operating expenses and net loss and materially overstated its income from operations, goodwill, and total assets” in its SEC filings, turning “a net loss into income” for financial statement purposes.
SEC brings settled charges against GE for disclosure violations and inadequate accounting and disclosure controls
Right on the heels of the SEC’s action against Cheesecake Factory for misleading public statements regarding its financial performance (see this PubCo post) comes this settled action against General Electric Company—also for misleading public statements about its financial performance. In this action, the SEC alleged that GE failed to provide material information that would have allowed investors to understand how it was generating profits and cash flow in two key segments, power and insurance, the quality of those earnings and the underlying risks. And, as challenges in these segments were later disclosed, the company’s stock price fell almost 75%. As reported in the WSJ, the SEC and DOJ were “investigating GE’s accounting for about two years after the company disclosed large write-downs tied to its insurance business and its power business. The SEC had warned GE in September that it was preparing civil charges, and GE said it had set aside $100 million to resolve the matter.” That reserve turned out to be somewhat optimistic—a bit like some of GE’s insurance reserves—as the final civil penalty was actually $200 million. It’s worth noting here that, as stated in GE’s 8-K regarding the settlement, in its Order, the SEC “makes no allegation that prior period financial statements were misstated. This settlement does not require corrections or restatements of GE’s previously reported financial statements, and GE stands behind its financial reporting.” That is, in the end, the charges were not about funny accounting—even though some might question certain of the judgments—they were about the disclosures about the accounting, the controls over the accounting and the controls over the disclosures.
Failure to disclose perks seems to be a fairly attractive target for SEC Enforcement these days. In another fiscal year-end action, Enforcement has charged Hilton Worldwide Holdings Inc. with failure to disclose in its proxy statements various perks and personal benefits provided to its executive officers. This action has the distinction of being the result of the staff’s use of risk-based data analytics to uncover potential violations related to corporate perks. The case serves as a reminder that the analysis of whether a benefit is a disclosable perk can be complicated and is not the same as the “business purpose” test used for tax purposes.
Enforcement has certainly been busy at the end of the SEC’s fiscal year, with disclosure violations receiving their fair of attention. In this action against HP Inc., the company was charged with failing to disclose known trends and uncertainties regarding the impact of sales and inventory practices, as well as failure to maintain adequate disclosure controls and procedures. HP was ordered to pay a penalty of $6 million.