What Are Key Action Items Stemming from the New SEC Guidance on Cybersecurity Disclosures?

On February 21, 2018, the Securities and Exchange Commission (“SEC”) issued Statement and Interpretive Guidance on Public Company Cybersecurity Disclosures. The SEC previously addressed this topic in its 2011 Disclosure Guidance: Topic No. 2. According to SEC Chairman Jay Clayton, the new interpretive guidance “reinforces and expands” the Division’s 2011 guidance and “addresses the importance of policies and procedures related to disclosure controls and procedures, insider trading and selective disclosures.” In connection with the release of the new guidance, the SEC Chairman has asked the Division of Corporation Finance to continue to “carefully monitor cybersecurity disclosures” as part of its review process, which is likely to lead to more SEC comments on cybersecurity disclosures.

The 2018 interpretive guidance provides a comprehensive overview of the SEC’s position on cybersecurity issues faced by public companies.  In addition to reminders about cybersecurity disclosure touchpoints (i.e., risk factors, management’s discussion and analysis of financial condition and results of operations, description of business, legal proceedings and financial statements), which are largely the same as disclosure reminders included in the 2011 guidance, the 2018 release makes it clear that the SEC places great emphasis on cybersecurity risk management policies and procedures and considers them to be “key elements of enterprise-wide risk management.”

In light of the new SEC guidance, public companies should:

  • re-evaluate the process that the company’s board of directors uses to discharge its responsibility for cybersecurity risk oversight;
  • review the company’s policies and procedures related to disclosure controls and procedures, insider trading and selective disclosures; and
  • consider whether the company’s cybersecurity risk factor and other disclosures need to be refreshed.

Board’s Responsibility for Cybersecurity Risk Oversight. Companies should review their cybersecurity risk management program and evaluate how the board of directors “engages with management on cybersecurity issues” to discharge its responsibility for cybersecurity risk oversight. The 2018 release states that, to the extent cybersecurity risks are material to a company’s business, the proxy statement discussion of the board’s role in the risk oversight of the company should include “the nature of the board’s role in overseeing the management of that risk.” Companies should also review their disclosures related to board risk oversight to determine whether such disclosures should be expanded to address the board’s responsibility for cybersecurity risk oversight.

Effective Disclosure Controls and Procedures. Companies should evaluate whether their controls and procedures include the protocols that will enable them to: “identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents.” The SEC’s new guidance made it clear that (i) CEO and CFO certifications regarding the design and effectiveness of the company’s disclosure controls and procedures and (ii) disclosures regarding the company’s conclusions on the effectiveness of its disclosure controls and procedures “should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact.”

Application of Insider Trading Prohibition to Cybersecurity Risks and Incidents. Companies should review their insider trading policies to make sure that the company has appropriate policies and procedures in place to prevent directors, officers, and other corporate insiders from trading in the company’s securities on the basis of material nonpublic information about its cybersecurity risks and incidents, prior to public disclosure of such risks or incidents.  The SEC release suggested that “while companies are investigating and assessing significant cybersecurity incidents, and determining the underlying facts, ramifications and materiality of these incidents, they should consider whether and when it may be appropriate to implement restrictions on insider trading in their securities.”

Selective Disclosures about Cybersecurity Risks and Incidents. Companies should review their Regulation FD policies and procedures to make sure that disclosures of material nonpublic information related to cybersecurity risks and incidents are not made selectively in violation of Regulation FD. The SEC release states that companies and persons acting on their behalf should not selectively disclose material, nonpublic information regarding cybersecurity risks and incidents in violation of Regulation FD before disclosing that same information to the public.

Prior Cybersecurity Disclosures and Materiality Determinations. Companies should consider whether they need to “revisit or refresh” previous cybersecurity disclosures.  The SEC expects companies to disclose cybersecurity risks and incidents that are material to investors.  The SEC clarified that the materiality of cybersecurity risks or incidents generally depends upon: (i) the nature, extent, and potential magnitude of cybersecurity risks or incidents (for example, whether compromised information includes personally identifiable information, trade secrets or other confidential business information); as well as (ii) the range of harm that such cybersecurity incidents could cause (for example, harm to a company’s reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities).

Although the SEC recognizes that a company may need time to “discern the implications of a cybersecurity incident,” and that ongoing internal and law enforcement investigation of a cybersecurity incident may be lengthy and may affect the scope of disclosure regarding the incident, the SEC believes that an ongoing internal or external investigation “would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.” However, the SEC stated in the release that it does not expect companies to publicly disclose “specific, technical information about their cybersecurity systems, the related networks and devices, or potential system vulnerabilities in such detail as would make such systems, networks, and devices more susceptible to a cybersecurity incident.”


Nasdaq Is Advocating for U.S. Public Market Reform

In May 2017, Nasdaq published a report titled The Promise of Market Reform: Reigniting America’s Economic Engine. The report stems from Nasdaq’s concern about the state of U.S. public markets, which have become “more complex and costly for issuers, particularly for publicly-listed small and medium growth companies and for private companies that might consider public offerings.”

The report emphasizes that “companies increasingly question whether the benefits of public ownership are worth the burdens” and warns that if such burdens are not addressed, it “could ultimately represent an existential threat to our markets” as “a growing number of companies have been choosing to remain private—and some public companies are reversing course and going private.”

But Nasdaq’s report does not just raise an alarm; it sets forth a blueprint for “critically-needed reforms.”

The report identifies the following three specific problems and offers concrete solutions in these areas:

(i) a complex patchwork of regulation disincentivizes market participation and creates the need to reconstruct the regulatory framework;

(ii) a one-size-fits-all market structure deprives companies of the benefits they need to participate in public markets (particularly for small and medium growth companies), which can be fixed by modernizing the market structure; and

(iii) a culture in the investment community and in the mainstream media that values short-term returns, which should be changed to promote long-termism.

For example, Nasdaq suggests that the reconstruction of the regulatory framework would involve: (i) reforming the proxy proposal process; (ii) reducing the burden of corporate disclosure; (iii) rolling back politically-motivated disclosure requirements; (iv) reducing the burden of meritless class action lawsuits; and (v) a tax reform to incentivize long-term investing.

The implementation of most Nasdaq-suggested reforms would involve a lengthy rulemaking process, but it’s important that a dialogue about these issues “among investors, public and private companies, industry groups, and policymakers” has been launched.


Conflict Minerals Rule and Pay Ratio Rule… Are Changes Forthcoming?

Conflict Minerals Rule

Acting SEC Chairman Michael S. Piwowar issued a statement[1] on January 31, 2017 directing the SEC staff to reconsider whether the 2014 Guidance is still appropriate and whether any additional relief is appropriate. The statement also included a 45-day public comment period.

In addition, there have been a leaked draft executive order and rumors that President Donald Trump is going to issue an order that will temporarily suspend the conflict minerals rule for two years based on a “national security interests” rationale.

Additionally, a final ruling on the conflict minerals litigation may be looming. On February 10, 2017, the district court judge ordered the parties in the conflict minerals litigation to file a joint status report, on or before March 10, 2017, indicating whether any further proceedings are necessary, and whether the court should enter an order of final judgment to effectuate the circuit’s decision.

At the recent SEC Speaks conference, Shelly Parratt, acting director of the Division of Corporation Finance, stated that companies must continue to comply with the conflict minerals disclosure rules and that even though the SEC is seeking comments thereon, the rules remain in effect.

What the outcome of the above will ultimately be is unknown. The likelihood of the conflict minerals rule being completely overturned prior to the upcoming May 31st Form SD due date is slim. Accordingly, issuers should steam ahead in their due diligence efforts.

Pay Ratio Rule

A week after issuing the conflict minerals statement described above, Acting SEC Chairman Michael S. Piwowar issued a statement[2] on February 6, 2017 related to the pay ratio disclosure rule in which he explained that it was his “understanding that some issuers have begun to encounter unanticipated compliance difficulties that may hinder them in meeting the reporting deadline.” Therefore, Piwowar stated that he is seeking public comment within 45 days on any unexpected challenges that issuers have experienced as they prepare for compliance and whether relief is needed. In addition, Piwowar directed the SEC staff to reconsider the implementation of the pay ratio rule and whether additional guidance or relief may be appropriate.

At the recent SEC Speaks conference, Shelly Parratt, acting director of the Division of Corporation Finance, stated that companies must continue to comply with the pay ratio disclosure rules and that even though the SEC is seeking comments thereon, the rules remain in effect.

It seems likely that this disclosure rule will be revisited and could be changing.   Nevertheless, at this time, issuers should continue their work in preparing to comply with the pay ratio disclosure rules for the next proxy season.

[1] https://www.sec.gov/news/statement/reconsideration-of-conflict-minerals-rule-implementation.html

[2] https://www.sec.gov/news/statement/reconsideration-of-pay-ratio-rule-implementation.html

Advisory Committee Recommends Robust Diversity Disclosure to the SEC

On February 16, 2017, the Advisory Committee on Small and Emerging Companies (“Advisory Committee”) provided a recommendation to the SEC regarding corporate board diversity.

The Advisory Committee was organized in 2011 to provide the SEC with advice on its rules, regulations, and policies related to capital raising by emerging privately held small businesses and publicly traded companies with less than $250 million in public market capitalization; trading in the securities of such businesses and companies; and public reporting and corporate governance requirements to which such businesses and companies are subject.

The Advisory Committee discussed the corporate board diversity recommendation at its meetings held on October 5 and December 7, 2016, and the recommendation was approved by the members of the Advisory Committee at its meeting held on February 15, 2017.

The Advisory Committee emphasized that “board diversity has been associated with improved competitiveness and talent management, greater access to capital, more sustainable profits, and better relations with stakeholders and therefore plays an important role in capital formation for small and emerging companies.”

The current rule related to board diversity was adopted by the SEC in 2009 (Item 407(c)(2)(vi) of Regulation S-K) and requires public companies to disclose in their proxy statements whether diversity is considered in identifying nominees for the company’s board of directors, and if it is considered, how. Item 407 also requires that if a company has a policy with regard to the consideration of diversity in identifying director nominees, it needs to disclose how that policy is implemented and how its effectiveness is assessed.

The Advisory Committee believes that this existing disclosure requirement has failed to generate information useful to stockholders, employees and customers in assessing board diversity. The Advisory Committee recommended that the SEC “amend Item 407(c)(2) of Regulation S-K to require issuers to describe, in addition to their policy with respect to diversity, if any, the extent to which their boards are diverse.” The Advisory Committee did not suggest using a specific definition of the term “diversity” and recognized that “the definition of diversity should be up to each issuer.” However, the Advisory Committee’s recommendation offered a clear disclosure enhancement by recommending that “issuers should include disclosure regarding race, gender, and ethnicity of each member/nominee as self-identified by the individual.”

The final recommendation of the Advisory Committee follows former SEC Chair Mary Jo White’s opinion on diversity disclosures. In her June 27, 2016 speech, Chair White stated that “[c]ompanies’ disclosures on board diversity in reporting under our current requirements have generally been vague and have changed little since the rule was adopted.” Chair White expressed her view that “the SEC has a responsibility to ensure that our disclosure rules are serving their intended purpose of meaningfully informing investors. This rule does not and it should be changed.”

It remains to be seen whether the SEC will propose new diversity disclosure requirements based on the Advisory Committee’s recommendation.

Time to Review Your Severance Agreements

In August 2016, the SEC issued cease-and-desist orders against two different companies for using severance agreements which required exiting employees to waive their ability to obtain monetary awards under the SEC’s whistleblower program.

According to the SEC’s order regarding BlueLinx Holdings Inc., beginning prior to August 12, 2011 and continuing through the present, BlueLinx entered into severance agreements with departing employees. While the agreements were not uniform, most contained language prohibiting the departing employees from divulging confidential information, unless compelled to do so by law or legal process. In or about June 2013, BlueLinx reviewed and revised each of its outstanding severance agreements and added provisions which (i) required such former employees to waive their rights to monetary recovery should they file a charge or complaint with the SEC or other federal agencies, and (ii) required such former employees to notify the company’s legal department prior to disclosing any financial or business information to any third parties.

According to the SEC’s order regarding Health Net, Inc., beginning prior to August 12, 2011 and continuing through October 22, 2015, Health Net entered into severance agreements with departing employees. In August 2011, after the whistleblower rules were adopted, Health Net updated its form of severance agreement to add language which prohibited former employees from filing an application for, or accepting, a whistleblower award from the SEC. This language was contained in severance agreements entered into from approximately August 2011 to June 2013. In June 2013, Health Net updated its form of severance agreement to remove the SEC-specific language; however, Health Net retained language that removed the financial incentive for reporting information. On October 22, 2015, Health Net updated its form of severance agreement and struck the restrictive language related to monetary awards.

The SEC charged each of BlueLinx and Health Net with violating Rule 21F-17 under the Exchange Act. Rule 21F-17, adopted pursuant to the Dodd-Frank Act, provides that “[n]o person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement. . .with respect to such communications.”

BlueLinx consented to the SEC’s cease-and-desist order without admitting or denying the findings. BlueLinx agreed to include in all of its severance agreements after the date of the order language which makes it clear that employees may report possible securities law violations to the SEC and other federal agencies without BlueLinx’s prior approval and without having to forfeit any resulting whistleblower award. In addition, BlueLinx agreed to make reasonable efforts to contact former employees who had executed severance agreements from August 12, 2011 through the present to notify them that BlueLinx does not prohibit former employees from providing information to the SEC staff without notice to BlueLinx or from accepting SEC whistleblower awards. In addition, BlueLinx agreed to pay the SEC a civil penalty of $265,000.

Health Net also consented to the SEC’s cease-and-desist order without admitting or denying the findings. Health Net agreed to make reasonable efforts to inform former employees who signed severance agreements from August 12, 2011 through October 22, 2015 that Health Net does not prohibit former employees from seeking and obtaining a whistleblower award from the SEC under Section 21F of the Exchange Act. In addition, Health Net agreed to pay the SEC a civil penalty of $340,000.

In light of the above orders, companies should review new and existing severance agreements that they have or enter into with former employees to make sure that such documents do not restrict such former employees’ ability to provide information to the SEC or to accept SEC whistleblower awards. The mere existence of such restrictive language in severance agreements in and of itself could be found to be a violation of Section 21F of the Exchange Act.

What Is Good Corporate Governance? A Commonsense Approach

It seems to be a very simple question that does not always produce a clear-cut response. A group of high profile executives, including CEOs of major US corporations, tried to reach consensus on commonsense principles that are “conducive to good corporate governance, healthy public companies and the continued strength of … public markets.” On July 21, 2016, they released Commonsense Principles of Corporate Governance for public companies to promote further conversation on corporate governance.

These principles do not break new ground in corporate governance, which was not their purpose; they serve as a compilation of best practices that provide a “basic framework for sound, long-term-oriented governance.” The authors acknowledge that given the differences among public companies “not every principle … will work for every company, and not every principle will be applied in the same fashion by all companies.” These principles should promote discussions at the executive and board levels. They are a must read for board members, C-suite executives and corporate secretaries. Some of these principles can also be used by private companies and large non-profit organizations.

Non-GAAP Financial Measures – Agenda Item for Upcoming Audit Committee Meetings

On June 27, 2016, SEC Chair Mary Jo White delivered a speech, which focused, in part, on non-GAAP financial measures, which have once again become a “hot button” issue for the SEC. Chair White strongly urged companies to carefully consider the SEC’s new Compliance & Disclosure Interpretations (“C&DIs”) that were issued in May 2016 and to “revisit their approach to non-GAAP disclosures.” In addition, Chair White emphasized that appropriate controls should be considered and that audit committees should carefully oversee their company’s use of non-GAAP financial measures and disclosures.

The SEC’s mission with respect to non-GAAP financial measures has been the same since its adoption of non-GAAP rules in 2003 — “to eliminate the manipulative or misleading use of non-GAAP financial measures and, at the same time, enhance the comparability associated with the use of that information.” Although the SEC recognizes that “investors want non-GAAP information,” as Chair White mentioned in her speech, the concern is that instead of supplementing the GAAP information, non-GAAP financial measures have “become the key message to investors, crowding out and effectively supplanting the GAAP presentation.” To make her message crystal clear, Chair White also stated in her speech that the SEC is “watching this space very closely and [is] poised to act through the filing review process, enforcement and further rulemaking if necessary to achieve the optimal disclosures for investors and the markets.”

If a company uses non-GAAP financial measures, then the use of such measures and disclosures in the company’s SEC filings, earnings press releases, earnings calls and other presentations should be an agenda item for upcoming audit committee meetings. On June 28, 2016, the Center for Audit Quality issued a new publication, Questions on Non-GAAP Measures: A Tool for Audit Committees, which is designed to facilitate the conversation between audit committees and management about non-GAAP financial measures. Questions included in this publication focus on transparency, consistency, and comparability of non-GAAP financial measures. The publication also includes a few procedural questions that are important to assess whether appropriate controls exist with respect to the use and disclosure of non-GAAP financial measures.

Five Nutshell Questions about Cybersecurity for the Board of Directors


On April 29, 2016, the Council of Institutional Investors (CII) published its new Special Report, Prioritizing Cybersecurity: Five Investor Questions for Portfolio Company Boards.

To facilitate effective cybersecurity risk oversight by the board, CII has suggested five questions that a board of directors needs to be able to answer:

  1. How are the company’s cyber risks communicated to the board, by whom, and with what frequency?
  2. Has the board evaluated and approved the company’s cybersecurity strategy?
  3. How does the board ensure that the company is organized appropriately to address cybersecurity risks? Does management have the skill sets it needs?
  4. How does the board evaluate the effectiveness of the company’s cybersecurity efforts?
  5. When did the board last discuss whether the company’s disclosure of cyber risk and cyber incidents is consistent with SEC guidance?


SEC’s Views on Risk Factor Disclosures

On April 13, 2016, the SEC issued a Concept Release, Business and Financial Disclosure Required by Regulation S-K. In this release, which is part of the SEC’s initiative to review and improve its disclosure requirements, the SEC is seeking comments on whether its “business and financial disclosure requirements continue to elicit important information for investors and how registrants can most effectively present this information.” The Concept Release covers a wide range of topics; this blog post, however, focuses on the SEC’s concerns about risk factor disclosures. Item 503(c) of Regulation S-K currently requires “disclosure of the most significant factors that make an investment in a registrant’s securities speculative or risky and specifies that the discussion should be concise and organized logically.”

Except for five specific examples of risk factors suggested by the SEC in Item 503(c) (the company’s lack of operating history, lack of profitable operations in recent periods, financial position, business or proposed business and lack of a market in the company’s securities), risk factor disclosure is principles-based. It is interesting to note that these five factors specified in Item 503(c) have not changed since the SEC published its initial guidance on risk factor disclosure in 1964.

Crowdfunding Is Something Worth Explaining to Investors


On October 30, 2015, the Securities and Exchange Commission (SEC) adopted new Regulation Crowdfunding to implement the requirements of the Jumpstart Our Business Startups Act. Regulation Crowdfunding prescribes rules governing the offer and sale of securities under Section 4(a)(6) of the Securities Act and provides a framework for the regulation of registered funding portals and broker-dealers that issuers are required to use as intermediaries in the offer and sale of securities in reliance on Section 4(a)(6). Regulation Crowdfunding is generally effective May 16, 2016, except for rules related to the registration of funding portals and amendments to Form ID, which became effective on January 29, 2016.

The SEC issued an Investor Bulletin, Crowdfunding for Investors, on February 16, 2016 to educate investors about Regulation Crowdfunding and to explain this new investing opportunity, securities-based crowdfunding, which is different from websites raising funds and offering in-kind consideration for financial contributions. Starting May 16, 2016, the general public will have an opportunity to invest in start-ups and early stage companies and receive equity consideration for their investments.