Boards Should Put Time and Resources into Cybersecurity Issues – It Is Good for Business and Works as a Defense Strategy

We have previously blogged about Commissioner Aguilar’s recommendations at a NYSE conference, “Cyber Risks and the Boardroom” on what boards of directors should do to ensure that their companies are appropriately considering and addressing cyber threats. On October 20, 2014, the United States District Court for the District of New Jersey dismissed a derivative lawsuit (Palkon v. Holmes, Case No. 2:14-CV-01234) filed against directors and certain officers, including General Counsel, of Wyndham Worldwide Corporation (WWC). The Court’s opinion can be viewed as a real-life validation of the principles outlined in the Commissioner’s speech.

ISS Guidelines for 2015 Proxy Season – More Holistic Review of Board Leadership Structure

On November 6, 2014, ISS released its 2015 proxy voting guidelines which update its benchmark policy recommendations. The updated policies will be effective for shareholder meetings held on or after February 1, 2015. Benchmark policy changes include ISS’ adoption of a more holistic approach to shareholder proposals calling for independent board chairs. ISS has focused on board leadership because shareholder proposals related to this issue have become quite frequent. ISS also cited a recent study finding that “retention of a former CEO in the role of chair may prevent new CEOs from making performance gains by dampening their ability to make strategic changes at the company” as one of the reasons for the policy update.

ISS has updated its “Generally For” policy with respect to such proposals to add new governance, board leadership, and performance factors to the analytical framework and to look at all of the factors in a holistic manner. Factors, which are not explicitly considered under the current policy, include the “absence/presence of an executive chair, recent board and executive leadership transitions at the company, director/CEO tenure, and a longer (five-year) total shareholder return (TSR) performance period.”

Under the new policy, ISS would recommend to generally vote “FOR” shareholder proposals requiring that the chairman’s position be filled by an independent director, taking into consideration the following:

  • The scope of the proposal (i.e., whether the proposal is precatory or binding and whether the proposal is seeking an immediate change in the chairman role or the policy can be implemented at the next CEO transition);
  • The company’s current board leadership structure (ISS may support the proposal under the following scenarios: the presence of an executive or non-independent chair in addition to the CEO; a recent recombination of the role of CEO and chair; and/or departure from a structure with an independent chair);
  • The company’s governance structure and practices (ISS will consider the overall independence of the board, the independence of key committees, the establishment of governance guidelines, board tenure and its relationship to CEO tenure; the review of the company’s governance practices may include, but is not limited to, poor compensation practices, material failures of governance and risk oversight, related-party transactions or other issues putting director independence at risk, corporate or management scandals, and actions by management or the board with potential or realized negative impact on shareholders);
  • Company performance (ISS’ performance assessment will generally consider one-, three-, and five-year TSR compared to the company’s peers and the market as a whole); and
  • Any other relevant factors that may be applicable.

Board Oversight of Political Contributions Is Gradually Becoming a Corporate Governance Standard

On September 24, 2014, the Center for Political Accountability and the Zicklin Center for Business Ethics Research published their fourth annual index of corporate political disclosure and accountability (2014 Index), which focuses on political spending disclosure of the top 300 companies in the S&P 500 Index. The 2014 Index reviews companies’ political transparency and oversight practices and policies disclosed on their websites and describes:

  • the ways that companies manage, oversee and disclose political spending;
  • the specific spending restrictions that many companies have adopted; and
  • the policies and practices that need the greatest improvement.

The 2014 Index demonstrates that a majority of reviewed companies continues to have some level of board oversight of their political contributions and expenditures; however, the percentage of such companies is going down as the number of reviewed companies increases (the 2014 Index reviewed 300 top companies in the S&P 500 Index compared to 200 reviewed companies in 2012 and 2013). For example,

  • 55% of companies said that their boards of directors regularly oversee corporate political spending compared to 62% of companies in 2013 and 56% in 2012;
  • 37% of companies said that a board committee reviews company policy on political spending compared to 57% of companies in 2013 and 49% in 2012; and
  • 44% of companies said that a board committee reviews company political expenditures compared to 56% of companies in 2013 and 45% in 2012.

SEC Approves PCAOB’s Auditing Standard No. 18, Related Parties

On October 21, 2014, the SEC approved Auditing Standard No. 18, Related Parties of the Public Company Accounting Oversight Board (PCAOB), as well as amendments to certain PCAOB auditing standards regarding significant unusual transactions and other related amendments to PCAOB auditing standards. Auditing Standard No. 18 supersedes the PCAOB’s auditing standard AU sec. 334, Related Parties, which was issued in 1983. Auditing Standard No. 18 is designed to “strengthen auditor performance requirements for identifying, assessing, and responding to the risks of material misstatement associated with a company’s relationships and transactions with its related parties.”

The new auditing standard requires the auditor to:

  • Perform specific procedures to obtain an understanding of the nature of the relationships between the company and its related parties and of the terms and business purposes, if any, of transactions involving related parties.
  • Evaluate whether the company has properly identified its related parties and relationships and related party transactions by testing the accuracy and completeness of management’s identification, taking into account information gathered during the audit.
  • Perform specific procedures if the auditor determines that a related party or relationship or transaction with a related party previously undisclosed to the auditor exists.
  • Perform specific procedures regarding each related party transaction that is either required to be disclosed in the financial statements or determined to be a significant risk (i.e., a “risk of material misstatement that requires special audit consideration”).
  • Communicate to the audit committee the auditor’s evaluation of the company’s identification of, accounting for, and disclosure of its relationships and transactions with related parties, and other significant matters arising from the audit regarding the company’s relationships and transactions with related parties.

The new auditing standard and amendments are effective for audits of financial statements for fiscal years beginning on or after December 15, 2014.

Broker-Dealers Ignoring Red Flags Lead to SEC Releases and Enforcement Action

In October 2014, the SEC’s Division of Trading & Markets issued FAQs to remind broker-dealers of their obligation to conduct a reasonable inquiry when selling securities in an unregistered transaction in reliance on Section 4(a)(4) of the Securities Act. The FAQs explain that “[i]n order to rely on the Section 4(a)(4) exemption, a broker-dealer must conduct a “reasonable inquiry” into the facts surrounding a proposed unregistered sale of securities before selling the securities to form reasonable grounds for believing that a selling customer’s part of the transaction is exempt from Section 5.  . . . [W]hen conducting a reasonable inquiry into whether the transaction would violate Section 5, it is not sufficient for the broker-dealer merely to accept self-serving statements of his sellers and their counsel without reasonably exploring the possibility of contrary facts.  Nor, where there are indicia of an illegal distribution of securities, can a broker-dealer claim that its sales of a security were exempt from registration simply because the stock certificates lack a restrictive legend or a clearing firm or transfer agent raises no objections to the sales.” The FAQs provide a list of factors that the SEC will consider in assessing the reasonableness of a broker-dealer’s inquiry and its reliance on the Section 4(a)(4) exemption.

Simultaneously with the issuance of the FAQs, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert summarizing deficiencies that OCIE observed in examining 22 broker-dealers. Among other matters, the examinations uncovered deficiencies related to controls put in place to comply with obligations related to sales of securities, including the performance of a reasonable inquiry in connection with unregistered sales of securities in reliance on Section 4(a)(4) of the Securities Act.

In conjunction with the FAQs and the Risk Alert, the SEC announced an enforcement action against certain current and former E*Trade subsidiaries (the “Subsidiaries”) for ignoring red flags in connection with the sale of unregistered penny stocks. The SEC’s order finds that the Subsidiaries were not entitled to rely on the Section 4(a)(4) exemption because they did not perform a “reasonable inquiry.” The Subsidiaries agreed to settle the SEC’s charges by paying back more than $1.5 million in disgorgement and prejudgment interest from commissions they earned on the improper sales. They also must pay a combined penalty of $1 million.

In light of the above, broker-dealers should reexamine their policies and procedures related to the sale of unregistered securities and provide training to their personnel concerning what constitutes a “reasonable inquiry.”

NYSE Proposes New Global Market Capitalization Test for Listing Companies

On September 30, 2014, the SEC published an NYSE amendment, effective as of such publication, to adopt a new initial listing standard, and to eliminate all but one of the current NYSE initial listing standards, for US operating companies.

The amendment provides for a global market capitalization test to serve as a new initial listing standard for US operating companies. The global market capitalization test requires that a listing operating company have a minimum total global market capitalization of $200 million at the time of initial listing. A company that is already publicly traded at the time it applies to list on the NYSE must meet the $200 million global market capitalization requirement for at least 90 consecutive trading days immediately preceding the date on which it receives clearance to submit an application to list on the NYSE.

The amendment also eliminates four of the NYSE’s five current initial listing standards for US operating companies: (1) the valuation/revenue with cash flow test, (2) the pure valuation/revenue test, (3) the affiliated company test, and (4) the assets and equity test.

Despite the proposed global market capitalization test, companies listing must also meet both the existing distribution requirements of Section 102.01A, and the stock price and market value of publicly-held shares requirements of Section 102.01B, of the Listed Company Manual. In addition, companies listing under the proposed global market capitalization test must comply with all other applicable NYSE listing rules.

The notes relating to the amendment highlight that Nasdaq and Nasdaq Global Market have a competitive advantage over the NYSE under existing listing standards, particularly with respect to pre-revenue research and development companies. The amendment, and the implementation of the global market capitalization test, is the NYSE’s attempt to level the playing field.

Is the SEC Doing Enough to Promote Capital Formation?

If you believe Commissioner Daniel M. Gallagher, the answer is an emphatic “no”, at least with respect to small businesses. On September 17, 2014, at a Heritage Foundation event, Commissioner Gallagher gave a speech criticizing the Securities and Exchange Commission’s failure to adequately promote capital formation by small businesses:

[S]adly, we at the SEC are not doing nearly enough to ensure that small businesses have the access to capital that they need to grow. We layer on rule after rule until it becomes prohibitively expensive to access the public capital markets.

After noting that not all of the regulatory burden is the SEC’s fault as “much of the ever-growing rulebook is a direct result of congressional mandates,” Commissioner Gallagher makes a number of recommendations for the SEC. Highlights include recommendations to:

  • Withdraw the proposed amendments to Regulation D. (Commissioner Gallagher did not support the proposed amendments as he stated in the SEC’s July 10, 2013 open meeting.)
  • Consider more deeply Regulation D, including considering broadening the blue sky exemption to help make the choice between the various exemptions available under Regulation D more meaningful.  According to Commissioner Gallagher, nearly all Regulation D offerings are conducted under Rule 506, even though 2/3 of the offerings are small enough that they could have been conducted pursuant to Rule 504 or 505, because Rule 506 offerings are exempt from blue sky regulations.
  • Analyze the secondary market for private company shares, where innovation has slowed. “We need more facilities to improve trading among accredited investors in the private secondary market.”
  • Finish implementing the JOBS Act’s reforms to Regulation A and couple the reforms with the formation of venture exchanges (national exchanges with listing rules tailored for smaller companies, including those issuing shares pursuant to Regulation A). Commissioner Gallagher noted that the SEC had proposed a robust set of rules, including blue sky preemption in certain larger Regulation A Offerings. (Commissioner Gallagher also noted, with respect to the proposal for blue sky exemption, that an “outpouring of anger from state regulators . . . wasn’t unexpected. After all, state regulators have been “protecting” investors from investment opportunities that are too risky for decades – I’m sure the Massachusetts residents who missed out on the offering of Apple Computer in 1980 because of their regulator’s concerns about the risk know this all too well.”)
  • Reconsider the current thresholds for scaled disclosure and the amount of disclosure that is required at each level – including having two tiers of scaling: significant scaling of disclosure for “nanocap” companies (i.e., companies with market capitalizations of up to $50 million) and moderate scaling for “microcap” companies with market capitalizations of $50 million to $300 million.

Coincidentally, the SEC released its 2014 – 2018 Strategic Plan on September 19, 2014, two days after Commissioner Gallagher’s speech. Featured on the cover of the Strategic Plan is the SEC’s mission statement – “Protecting investors, maintaining fair, orderly, and efficient markets, and facilitating capital formation” (emphasis added).

But, judging by the SEC’s own Strategic Plan and its current rulemaking agenda, it is unlikely that the SEC will be vigorously addressing many of Commissioner Gallagher’s concerns regarding capital formation for small businesses in the near future.

ISS’ FAQs on Equity Plan Data Verification – Roadmap for Proxy Statement Disclosures

If you have a proposal to adopt or amend the company’s equity plan in the proxy statement that you file with the SEC after September 8, 2014, then you can use a new data verification portal recently launched by Institutional Shareholder Services Inc. (ISS) to verify key data points underlying ISS’ evaluation of the plan. ISS explains on its website the mechanics of registering for the Equity Plan Data Verification and requesting modifications after reviewing data points posted by ISS.

One of the most interesting pieces of information provided by ISS in connection with the new portal is Appendix A to the FAQs on Equity Plan Data Verification because it lists the questions that ISS includes in its evaluation of equity plans. The questions are divided into several categories: (i) equity plan provisions, (ii) outstanding stock and convertibles, (iii) equity grant activity, and (iv) shares reserved and outstanding under equity compensation programs.

Listed below are certain questions from each category. Some of these questions can be used as a roadmap for proxy statement disclosures related to equity plan proposals in order to facilitate ISS’ review and evaluation of the plan.

Equity Plan Provisions:

  • Is stock option repricing permitted without shareholder approval?
  • Are cash buyouts of underwater stock options permitted without shareholder approval?
  • Does the plan provide for share recycling, whereby the plan’s share reserve is reduced by the net number of shares delivered through equity awards, not the gross number underlying the original awards?
  • Does the plan contain an evergreen provision, pursuant to which the plan’s share reserve is automatically increased annually?
  • What stock acquisition percentage triggers a change-in-control under the plan?
  • Does the plan provide for tax gross-ups on equity awards?

Outstanding Stock and Convertibles:

  • How many common shares are outstanding (includes all classes of common stock) as of the record date?
  • How many common shares are issuable upon (i) exercise of outstanding warrants, (ii) conversion of outstanding convertible debt, and (iii) conversion of outstanding convertible equity?
  • How many weighted average common shares were outstanding in the past 3 fiscal years, as used in the computation of basic EPS?

Equity Grant Activity:

  • What is the total number of time-vesting options/SARs and full value awards granted in the past 3 fiscal years?
  • What is the number of performance-based options/SARs that vested in the past 3 fiscal years?
  • What is the total number of performance-based full value awards earned in the past 3 fiscal years?

Shares Reserved and Outstanding under Equity Compensation Programs:

  • How many shares are reserved under the proposed new plan or pursuant to the plan amendment?
  • How many shares remain available for grant under all equity compensation plans?
  • How many shares are subject to outstanding awards?

Cybersecurity as an Investment Risk

PricewaterhouseCoopers LLP (PwC) and Investor Responsibility Research Center Institute (IRRCi) have weighed in on the cybersecurity issue from an investor’s point of view in their paper called What investors need to know about cybersecurity: How to evaluate investment risks. Cybersecurity has been on the public company disclosure radar screen since the SEC’s guidance released in 2011, but PwC’s and IRRCi’s paper states that cybersecurity disclosures “rarely provide differentiated or actionable information for investors.”

The paper suggests that cybersecurity risk should be one of the elements in an investor’s decision-making process to diversify the investor’s portfolio. For example, even if an investor holds securities of retail, financial services and aerospace & defense companies, such industry diversification may still be vulnerable because all these industries are more likely to be targeted in cyber attacks than others. One of the solutions suggested by the paper is that investors should be better informed about the company’s “preparedness to respond quickly to contain or mitigate the potential harm” from a cyber attack.

The paper provides a list of questions, responses to which should enable investors to evaluate the company’s level of vulnerability to potential cyber attacks. Some of the questions included in the paper are listed below. Such questions can also serve as a roadmap for public company disclosure regarding cybersecurity:

  • Does the organization have a Security & Privacy executive that reports to a senior level position within the company? What are the skills, experiences and qualifications of this executive?
  • Does the organization have a documented cybersecurity strategy that is regularly reviewed and updated? How is the board engaged in the cybersecurity strategy and review process?
  • Does the organization perform periodic risk assessments and technical audits of its security posture?
  • Does the “tone at the top” seem to make security a priority?
  • What is the organization doing to address security with its business partners?
  • Does the organization have a response plan for a cyber incident? Is it tested regularly through simulations and table top exercises? Does it include testing with key 3rd party relationships?

SIFMA Issues Guidance on Rule 506(c) Verification

On June 23, 2014, the Securities Industry and Financial Markets Association (“SIFMA”) issued a memorandum (the “Memorandum”) containing guidance for broker-dealers and investment advisers with respect to verifying the status of purchasers as accredited investors in connection with offerings made pursuant to Rule 506(c) (Reg D offerings utilizing general solicitation, as we have previously blogged about).

Pursuant to Rule 506(c), an issuer utilizing general solicitation for a Reg D offering must, among other things, take reasonable steps to verify that purchasers in the offering are accredited investors. The reasonable verification requirement is a separate condition from the condition that all purchasers in a Rule 506(c) offering must be accredited investors, and the requirement has generated significant commentary.

The Rule 506(c) adopting release provided four non-exclusive safe harbor methods that an issuer can utilize for such reasonable verification, two of which require the issuer to obtain detailed financial information from a purchaser. An issuer may also rely on the written confirmation of a purchaser’s accredited investor status issued by a registered broker-dealer or investment adviser, licensed attorney or certified public accountant. Any such third party must, however, take reasonable steps to verify the purchaser’s accredited investor status before providing written confirmation to the issuer.

To this end, the Memorandum provides two verification methods for broker-dealers and investment advisers to use in verifying natural persons as accredited investors that SIFMA believes satisfy the “reasonable verification” requirement.

One verification method (the “account balance method”) is essentially a determination by the broker-dealer or investment adviser of the purchaser’s net worth. For a broker-dealer or investment adviser to utilize the account balance method, a purchaser must have been a client of the broker-dealer or investment adviser for at least six months, must have (either individually or together with a spouse, if applicable) at least $2 million in cash and marketable securities in the purchaser’s account prior to making the investment in the Rule 506(c) offering, must make certain representations (pursuant to purchaser representations provided by SIFMA as part of the Memorandum) regarding, among other things, the purchaser’s indebtedness, and the broker-dealer or investment adviser must be unaware of any facts to indicate that the client is not an accredited investor.

The other method (the “investment amount method”) uses the purchaser’s investment amount as a proxy for the purchaser’s status as an accredited investor. For a broker-dealer or investment adviser to utilize the investment amount method, a purchaser must have been a client of the broker-dealer or investment adviser for at least six months, must invest, or unconditionally commit to fund, at least $250,000 in a Rule 506(c) offering, which commitment is callable in whole at any time, must make certain representations (pursuant to purchaser representations provided by SIFMA as part of the Memorandum) including, among other things, that the investment in the Rule 506(c) offering is less than 25% of the purchaser’s net worth (either individually or together with a spouse), and the broker-dealer or investment adviser must be unaware of any facts to indicate that the client is not an accredited investor and, in the case of a commitment, the broker-dealer or investment adviser has knowledge that the purchaser has fulfilled a call under a prior commitment.

The Memorandum also provides a method for broker-dealers and investment advisers to use in verifying legal entities (i.e., corporations, LLCs, etc.) as accredited investors. For a broker-dealer or investment adviser to utilize this method, a purchaser-entity must be named on the broker-dealer’s or investment adviser’s current list of clients that qualify as “institutional accounts” as defined in FINRA Rule 4512(c)(3) or as Qualified Institutional Buyers (which are required to have investible assets of at least $100 million), or the purchaser-entity must make an investment in the Rule 506(c) offering in excess of $5 million and must provide a written representation that it was not formed for the purpose of making that investment and that it has made at least one prior investment in securities (whether in a primary offering or in the secondary market).

If issuers begin to use Rule 506(c) offerings with increasing frequency, SIFMA’s guidance in the Memorandum may be an important guidepost for broker-dealers and investment advisers and other third parties (e.g., attorneys and accountants) in assisting issuers to comply with the “reasonable verification” requirement set forth in Rule 506(c). This guidance may also be useful to issuers and other market participants.