Now back to work, SEC Enforcement once again takes up the issue of internal control over financial reporting. In this instance, the SEC announced settled charges against four public companies for failing to remediate internal control weaknesses—for years! We’re talking seven to ten years. The companies seemed to be under the misimpression that, as long as they disclosed the material weaknesses, they were in the clear. But they learned the hard way that that was not the case. According to Melissa Hodgman, an Associate Director in Enforcement, “Companies cannot hide behind disclosures as a way to meet their ICFR obligations. Disclosure of material weaknesses is not enough without meaningful remediation. We are committed to holding corporations accountable for failing to timely remediate material weaknesses.”
In case you were questioning whether the SEC continues (assuming it reopens at some point) to address the inappropriate use of non-GAAP financial measures with the same level of gravity as in prior years, you might take note of this recent (cusp of SEC shutdown) enforcement action against ADT. In the proceeding, the SEC sought a cease-and-desist order, alleging that the company violated the non-GAAP disclosure requirements. Interestingly, however, the allegations did not involve any of the more thorny issues regarding individually tailored recognition measures that the SEC sometimes considers misleading, but rather the more prosaic “equal or greater prominence” requirements.
SEC issues Section 21(a) investigative report regarding the implications of cyberscams for internal controls
Today, the SEC issued an investigative report under Section 21(a) that advises public companies subject to the internal accounting controls requirements of Exchange Act Section 13(b)(2)(B) of the need to consider cyber threats when implementing internal accounting controls. The report investigated whether a number of defrauded public companies “may have violated the federal securities laws by failing to have a sufficient system of internal accounting controls.” Although the SEC decided not to take any enforcement action against the nine companies investigated, the SEC determined to issue the report “to make issuers and other market participants aware that these cyber-related threats of spoofed or manipulated electronic communications exist and should be considered when devising and maintaining a system of internal accounting controls as required by the federal securities laws. Having sufficient internal accounting controls plays an important role in an issuer’s risk management approach to external cyber-related threats, and, ultimately, in the protection of investors.”
Here’s a reminder from the SEC: interim financial statements included in Forms 10-Q are required to be “reviewed” by outside auditors. On Friday, in a first enforcement proceeding of its kind, the SEC announced charges against five companies that had filed their 10-Qs with their quarterly financial statements prior to review by their independent external auditors.
SEC enforcement action for materially misleading projections in the face of red flags and other actions
In case anyone needed a reminder from the SEC, this case against Sonus Networks, its CFO and VP of Sales may well serve as one: per the SEC’s Associate Director of Enforcement, a company needs to have a “reasonable basis” if it makes public projections or estimates about future financial results: “The investing community expects that when companies choose to provide public financial projections, there is a reasonable basis underpinning those projections…. When a company ignores red flags or takes steps to make public financial projections inaccurate we will take appropriate action.”
This SEC Order, In the Matter of The Dow Chemical Company, is a great refresher—at Dow’s expense, unfortunately for Dow—on the analysis required to determine whether or not certain expenses and benefits are perquisites or personal benefits that must be disclosed in the Summary Comp Table in the proxy statement. As you probably know, the analysis for determining whether an item is a disclosable “perk” can be very tricky to apply, especially when it involves the use of corporate jets by executives and their friends and families. The SEC claims that Dow applied the wrong standard altogether in its analysis, failing to disclose over a five-year period $3M in CEO perks and understating the CEO’s disclosed perks by an average of 59%. Dow settled the charges for a fine of $1.75M and also undertook to engage an independent consultant that would perform a review of Dow’s policies, procedures and controls and conduct training related to the determination of perks.
In this recent Cooley Alert, SEC Issues New Guidance on Cybersecurity Disclosure and Policies, we wrote that the SEC had not yet brought a formal enforcement proceeding for failure to make timely disclosure regarding cybersecurity risks and/or cyber incidents and asked whether an enforcement action might just be on the horizon. In that regard, we noted that, in 2017, the co-director of the SEC’s Enforcement Division had warned that, although the SEC was “not looking to second-guess good faith disclosure decisions,” enforcement actions were certainly possible in the right circumstances. Indeed, the co-director had cautioned that no one should mistake the absence of enforcement actions for an unwillingness by the SEC to pursue companies with inadequate cybersecurity disclosures before and after breaches or other incidents. Apparently, SEC Enforcement has now identified circumstances it considers to be “right”: today, the SEC announced “that the entity formerly known as Yahoo! Inc. has agreed to pay a $35 million penalty to settle charges that it misled investors by failing to disclose one of the world’s largest data breaches in which hackers stole personal data relating to hundreds of millions of user accounts.”