What Are Key Action Items Stemming from the New SEC Guidance on Cybersecurity Disclosures?

On February 21, 2018, the Securities and Exchange Commission (“SEC”) issued Statement and Interpretive Guidance on Public Company Cybersecurity Disclosures. The SEC previously addressed this topic in 2011 Disclosure Guidance: Topic No. 2. According to SEC Chairman Jay Clayton, the new interpretive guidance “reinforces and expands” the Division’s 2011 guidance and “addresses the importance of policies and procedures related to disclosure controls and procedures, insider trading and selective disclosures.” In connection with the release of the new guidance, the SEC Chairman has asked the Division of Corporation Finance to continue to “carefully monitor cybersecurity disclosures” as part of its review process, which is likely to lead to more SEC comments on cybersecurity disclosures.

The 2018 interpretive guidance provides a comprehensive overview of the SEC’s position on cybersecurity issues faced by public companies.  In addition to reminders about cybersecurity disclosure touchpoints (i.e., risk factors, management’s discussion and analysis of financial condition and results of operations, description of business, legal proceedings and financial statements), which are largely the same as disclosure reminders included in the 2011 guidance, the 2018 release makes it clear that the SEC places great emphasis on cybersecurity risk management policies and procedures and considers them to be “key elements of enterprise-wide risk management.”

In light of the new SEC guidance, public companies should:

  • re-evaluate the process that the company’s board of directors uses to discharge its responsibility for cybersecurity risk oversight;
  • review the company’s policies and procedures related to disclosure controls and procedures, insider trading and selective disclosures; and
  • consider whether the company’s cybersecurity risk factor and other disclosures need to be refreshed.

Board’s Responsibility for Cybersecurity Risk Oversight. Companies should review their cybersecurity risk management program and evaluate how the board of directors “engages with management on cybersecurity issues” to discharge its responsibility for cybersecurity risk oversight. The 2018 release states that, to the extent cybersecurity risks are material to a company’s business, the proxy statement discussion of the board’s role in the risk oversight of the company should include “the nature of the board’s role in overseeing the management of that risk.” Companies should also review their disclosures related to board risk oversight to determine whether such disclosures should be expanded to address the board’s responsibility for cybersecurity risk oversight.

Effective Disclosure Controls and Procedures. Companies should evaluate whether their controls and procedures include the protocols that will enable them to: “identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents.” The SEC’s new guidance made it clear that (i) CEOs’ and CFOs’ certifications regarding the design and effectiveness of the company’s disclosure controls and procedures and (ii) disclosures regarding the company’s conclusions on the effectiveness of its disclosure controls and procedures “should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact.”

Application of Insider Trading Prohibition to Cybersecurity Risks and Incidents. Companies should review their insider trading policies to make sure that the company has appropriate policies and procedures in place to prevent directors, officers, and other corporate insiders from trading in the company’s securities on the basis of material nonpublic information about its cybersecurity risks and incidents, prior to public disclosure of such risks or incidents.  The SEC release suggested that “while companies are investigating and assessing significant cybersecurity incidents, and determining the underlying facts, ramifications and materiality of these incidents, they should consider whether and when it may be appropriate to implement restrictions on insider trading in their securities.”

Selective Disclosures about Cybersecurity Risks and Incidents. Companies should review their Regulation FD policies and procedures to make sure that disclosures of material nonpublic information related to cybersecurity risks and incidents are not made selectively in violation of Regulation FD. The SEC release states that companies and persons acting on their behalf should not selectively disclose material, nonpublic information regarding cybersecurity risks and incidents in violation of Regulation FD before disclosing that same information to the public.

Prior Cybersecurity Disclosures and Materiality Determinations. Companies should consider whether they need to “revisit or refresh” previous cybersecurity disclosures.  The SEC expects companies to disclose cybersecurity risks and incidents that are material to investors.  The SEC clarified that the materiality of cybersecurity risks or incidents generally depends upon: (i) the nature, extent, and potential magnitude of cybersecurity risks or incidents (for example, whether compromised information includes personally identifiable information, trade secrets or other confidential business information); as well as (ii) the range of harm that such cybersecurity incidents could cause (for example, harm to a company’s reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities).

Although the SEC recognizes that a company may need time to “discern the implications of a cybersecurity incident,” and that ongoing internal and law enforcement investigation of a cybersecurity incident may be lengthy and may affect the scope of disclosure regarding the incident, the SEC believes that an ongoing internal or external investigation “would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.”   However, the SEC stated in the release that it does not expect companies to publicly disclose “specific, technical information about their cybersecurity systems, the related networks and devices, or potential system vulnerabilities in such detail as would make such systems, networks, and devices more susceptible to a cybersecurity incident.”


Nasdaq Is Advocating for U.S. Public Market Reform

In May 2017, Nasdaq published a report titled The Promise of Market Reform: Reigniting America’s Economic Engine. The report stems from Nasdaq’s concern about the state of U.S. public markets, which have become “more complex and costly for issuers, particularly for publicly-listed small and medium growth companies and for private companies that might consider public offerings.”

The report emphasizes that “companies increasingly question whether the benefits of public ownership are worth the burdens” and warns that if such burdens are not addressed, it “could ultimately represent an existential threat to our markets” as “a growing number of companies have been choosing to remain private—and some public companies are reversing course and going private.”

But Nasdaq’s report does not just create an alarm, it sets forth a blueprint for “critically-needed reforms.”

The report identifies the following three specific problems and offers concrete solutions in these areas:

(i) a complex patchwork of regulation disincentivizes market participation and creates the need to reconstruct the regulatory framework;

(ii) a one-size-fits-all market structure deprives companies of the benefits they need to participate in public markets (particularly for small and medium growth companies), which can be fixed by modernizing the market structure; and

(iii) a culture in the investment community and in the mainstream media that values short-term returns, which should be changed to promote long-termism.

For example, Nasdaq suggests that the reconstruction of the regulatory framework would involve: (i) reforming the proxy proposal process; (ii) reducing the burden of corporate disclosure; (iii) rolling back politically-motivated disclosure requirements; (iv) reducing the burden of meritless class action lawsuits; and (v) a tax reform to incentivize long-term investing.

The implementation of most Nasdaq-suggested reforms would involve a lengthy rulemaking process, but it’s important that a dialogue about these issues “among investors, public and private companies, industry groups, and policymakers” has been launched.


Advisory Committee Recommends Robust Diversity Disclosure to the SEC

On February 16, 2017, the Advisory Committee on Small and Emerging Companies (“Advisory Committee”) provided a recommendation to the SEC regarding corporate board diversity.

The Advisory Committee was organized in 2011 to provide the SEC with advice on its rules, regulations, and policies related to capital raising by emerging privately held small businesses and publicly traded companies with less than $250 million in public market capitalization; trading in the securities of such businesses and companies; and public reporting and corporate governance requirements to which such businesses and companies are subject.

The Advisory Committee discussed the corporate board diversity recommendation at its meetings held on October 5 and December 7, 2016, and the recommendation was approved by the members of the Advisory Committee at its meeting held on February 15, 2017.

The Advisory Committee emphasized that “board diversity has been associated with improved competitiveness and talent management, greater access to capital, more sustainable profits, and better relations with stakeholders and therefore plays an important role in capital formation for small and emerging companies.”

The current rule related to board diversity was adopted by the SEC in 2009 (Item 407(c)(2)(vi) of Regulation S-K) and requires public companies to disclose in their proxy statements whether diversity is considered in identifying nominees for the company’s board of directors, and if it is considered, how. Item 407 also requires that if a company has a policy with regard to the consideration of diversity in identifying director nominees, it needs to disclose how that policy is implemented and how its effectiveness is assessed.

The Advisory Committee believes that this existing disclosure requirement failed to generate information useful to stockholders, employees and customers in assessing board diversity. The Advisory Committee recommended that the SEC “amend Item 407(c)(2) of Regulation S-K to require issuers to describe, in addition to their policy with respect to diversity, if any, the extent to which their boards are diverse.” The Advisory Committee did not suggest using a specific definition of the term “diversity” and recognized that “the definition of diversity should be up to each issuer.” However, the Advisory Committee’s recommendation offered a clear disclosure enhancement by recommending that “issuers should include disclosure regarding race, gender, and ethnicity of each member/nominee as self-identified by the individual.”

The final recommendation of the Advisory Committee follows former SEC Chair Mary Jo White’s opinion on diversity disclosures. In her June 27, 2016 speech, Chair White stated that “[c]ompanies’ disclosures on board diversity in reporting under our current requirements have generally been vague and have changed little since the rule was adopted.” Chair White expressed her view that “the SEC has a responsibility to ensure that our disclosure rules are serving their intended purpose of meaningfully informing investors. This rule does not and it should be changed.”

It remains to be seen whether the SEC will propose new diversity disclosure requirements based on the Advisory Committee’s recommendation.

What Is Good Corporate Governance? A Commonsense Approach

It seems to be a very simple question that does not always produce a clear-cut response. A group of high profile executives, including CEOs of major US corporations, tried to reach consensus on commonsense principles that are “conducive to good corporate governance, healthy public companies and the continued strength of … public markets.” On July 21, 2016, they released Commonsense Principles of Corporate Governance for public companies to promote further conversation on corporate governance.

These principles do not break new ground in corporate governance; that was not their purpose. Rather, they serve as a compilation of best practices that provide a “basic framework for sound, long-term-oriented governance.” The authors acknowledge that given the differences among public companies “not every principle … will work for every company, and not every principle will be applied in the same fashion by all companies.” These principles should promote discussions at the executive and board levels. They are a must read for board members, C-suite executives and corporate secretaries. Some of these principles can also be used by private companies and large non-profit organizations.

Non-GAAP Financial Measures – Agenda Item for Upcoming Audit Committee Meetings

On June 27, 2016, SEC Chair Mary Jo White delivered a speech, which focused, in part, on non-GAAP financial measures, which have become the new old “hot button” issue for the SEC. Chair White strongly urged companies to carefully consider the SEC’s new Compliance & Disclosure Interpretations (“C&DIs”) that were issued in May 2016 and to “revisit their approach to non-GAAP disclosures.” In addition, Chair White emphasized that appropriate controls should be considered and that audit committees should carefully oversee their company’s use of non-GAAP financial measures and disclosures.

The SEC’s mission with respect to non-GAAP financial measures has been the same since its adoption of non-GAAP rules in 2003 — “to eliminate the manipulative or misleading use of non-GAAP financial measures and, at the same time, enhance the comparability associated with the use of that information.” Although the SEC recognizes that “investors want non-GAAP information,” as Chair White mentioned in her speech, the concern is that instead of supplementing the GAAP information, non-GAAP financial measures have “become the key message to investors, crowding out and effectively supplanting the GAAP presentation.” To make her message crystal clear, Chair White also stated in her speech that the SEC is “watching this space very closely and [is] poised to act through the filing review process, enforcement and further rulemaking if necessary to achieve the optimal disclosures for investors and the markets.”

If a company uses non-GAAP financial measures, then the use of such measures and disclosures in the company’s SEC filings, earnings press releases, earnings calls and other presentations should be an agenda item for upcoming audit committee meetings. On June 28, 2016, the Center for Audit Quality issued a new publication, Questions on Non-GAAP Measures: A Tool for Audit Committees, which is designed to facilitate the conversation between audit committees and management about non-GAAP financial measures. Questions included in this publication focus on transparency, consistency, and comparability of non-GAAP financial measures. The publication also includes a few procedural questions that are important to assess whether appropriate controls exist with respect to the use and disclosure of non-GAAP financial measures.

Five Nutshell Questions about Cybersecurity for the Board of Directors

On April 29, 2016, the Council of Institutional Investors (CII) published its new Special Report, Prioritizing Cybersecurity: Five Investor Questions for Portfolio Company Boards.

To facilitate effective cybersecurity risk oversight by the board, CII has suggested five questions that a board of directors needs to be able to answer:

  1. How are the company’s cyber risks communicated to the board, by whom, and with what frequency?
  2. Has the board evaluated and approved the company’s cybersecurity strategy?
  3. How does the board ensure that the company is organized appropriately to address cybersecurity risks? Does management have the skill sets it needs?
  4. How does the board evaluate the effectiveness of the company’s cybersecurity efforts?
  5. When did the board last discuss whether the company’s disclosure of cyber risk and cyber incidents is consistent with SEC guidance?


SEC’s Views on Risk Factor Disclosures

On April 13, 2016, the SEC issued a Concept Release, Business and Financial Disclosure Required by Regulation S-K. In this release, which is part of the SEC’s initiative to review and improve its disclosure requirements, the SEC is seeking comments on whether its “business and financial disclosure requirements continue to elicit important information for investors and how registrants can most effectively present this information.” The Concept Release covers a wide range of topics; however, this blog post focuses on the SEC’s concerns about risk factor disclosures. Item 503(c) of Regulation S-K currently requires “disclosure of the most significant factors that make an investment in a registrant’s securities speculative or risky and specifies that the discussion should be concise and organized logically.”

Except for five specific examples of risk factors suggested by the SEC in Item 503(c) (the company’s lack of operating history, lack of profitable operations in recent periods, financial position, business or proposed business and lack of a market in the company’s securities), risk factor disclosure is principles-based. It is interesting to note that these five factors specified in Item 503(c) have not changed since the SEC published its initial guidance on risk factor disclosure in 1964.

Crowdfunding Is Something Worth Explaining to Investors


On October 30, 2015, the Securities and Exchange Commission (SEC) adopted new Regulation Crowdfunding to implement the requirements of the Jumpstart Our Business Startups Act. Regulation Crowdfunding prescribes rules governing the offer and sale of securities under Section 4(a)(6) of the Securities Act and provides a framework for the regulation of registered funding portals and broker-dealers that issuers are required to use as intermediaries in the offer and sale of securities in reliance on Section 4(a)(6). Regulation Crowdfunding is generally effective May 16, 2016, except for rules related to the registration of funding portals and amendments to Form ID, which became effective on January 29, 2016.

The SEC issued an Investor Bulletin, Crowdfunding for Investors, on February 16, 2016 to educate investors about Regulation Crowdfunding and to explain this new investing opportunity: securities-based crowdfunding, which is different from websites raising funds and offering in-kind consideration for financial contributions. Starting May 16, 2016, the general public will have an opportunity to invest in start-ups and early stage companies and receive equity consideration for their investments.

Are you a US private company looking for capital? Regulation A+ may be your answer.

The amended Regulation A became effective on June 19, 2015, and the SEC has recently provided helpful guidance about it. On June 18, 2015, the SEC made available “Amendments to Regulation A: A Small Entity Compliance Guide” summarizing provisions of the new Regulation A, and on June 23, 2015, the SEC issued new Compliance and Disclosure Interpretations (C&DIs) clarifying certain provisions of the new Regulation A.

The new Regulation A mandated by the JOBS Act is often dubbed as Regulation A+, as a sign of significant improvement over the old Regulation A, which was rarely used as a capital-raising vehicle. The new Regulation A+ provides for two tiers of offerings:

  • Tier 1, for offerings of securities of up to $20 million in a 12-month period, with not more than $6 million in offers by selling security-holders that are affiliates of the issuer; and
  • Tier 2, for offerings of securities of up to $50 million in a 12-month period, with not more than $15 million in offers by selling security-holders that are affiliates of the issuer.

Under Regulation A+, an entity organized under the laws of the United States or Canada with its principal place of business in the United States or Canada that is not subject to Section 13 or 15(d) of the Securities Exchange Act of 1934 immediately prior to the offering is considered an eligible issuer for the purposes of Regulation A+. The new C&DIs clarify such eligibility requirement and provide that the following companies are eligible to benefit from the provisions of Regulation A+:

  • A company with headquarters located in the United States or Canada, but whose business primarily involves managing operations that are located outside such countries; provided its officers, partners, or managers primarily direct, control and coordinate the issuer’s activities from the United States or Canada.
  • A company that was previously required to file reports with the SEC under Section 15(d) of the Exchange Act, but that has since suspended its Exchange Act reporting obligation; provided the company has satisfied the statutory provisions for suspension in Section 15(d) of the Exchange Act or the requirements of Exchange Act Rule 12h-3.
  • A voluntary filer under the Exchange Act, i.e., a filer that is not obligated to file Exchange Act reports pursuant to either Section 13 or 15(d) of the Exchange Act.
  • A private wholly-owned subsidiary of an Exchange Act reporting company parent; provided such reporting company parent is not a guarantor or co-issuer of the securities of the private wholly-owned subsidiary.

Generally, Regulation A+ has been viewed as a vehicle that private companies can use to raise money to expand their business or to buy out a shareholder. In the new C&DIs, the SEC also clarified that Regulation A+ can be relied upon by an issuer for business combination transactions, such as a merger or acquisition. However, the SEC indicated that Regulation A+ would not be available for business acquisition shelf transactions.

Regulation A+ allows issuers to “test-the-waters” by trying to determine whether there is any interest in a contemplated securities offering. Rule 255 of Regulation A+ requires companies to include certain mandatory cautionary statements in such “test-the-waters” communications. The SEC has previously recognized issuers’ interest in using social media (for example, Twitter) to communicate with security holders, and the new C&DIs permit an issuer to “test the waters” in a Regulation A+ offering on a platform that limits the number of characters or amount of text that can be included, and thus technically prevents the inclusion of the Rule 255 information in such a communication. The SEC has solved this problem by allowing the use of an active hyperlink to satisfy the requirements of Rule 255 in the following circumstances:

  • The electronic communication is distributed through a platform that has technological limitations on the number of characters or amount of text that may be included in the communication;
  • Including the required statements in their entirety, together with the other information, would cause the communication to exceed the limit on the number of characters or amount of text; and
  • The communication contains an active hyperlink to the required statements that otherwise satisfy Rule 255 and, where possible, prominently conveys, through introductory language or otherwise, that important or required information is provided through the hyperlink.

However, if an electronic communication is capable of including the entire required statements, along with the other information, without exceeding the applicable limit on number of characters or amount of text, the SEC considers the use of a hyperlink to the required statements to be inappropriate. This approach is consistent with the SEC’s position on other communications with shareholders under the Securities Act and Exchange Act rules.

Under Regulation A+, state securities (Blue Sky) registration requirements are not preempted for Tier 1 offerings, but such preemption exists for primary offerings of securities by the issuer or secondary offerings by selling security-holders in Tier 2 offerings. The new C&DIs make it clear that Blue Sky registration and qualification requirements are not preempted with respect to resales of securities purchased in a Tier 2 offering. Resales of securities purchased in a Tier 2 offering must be registered, or offered or sold pursuant to an exemption from registration, with state securities regulators.

The Alphabet Soup of Raising Capital: Regulation A or Regulation D — What Would You Prefer?

Amended Regulation A, recently adopted by the SEC, will become effective on June 19, 2015. The new Regulation A, mandated by the JOBS Act and often dubbed Regulation A+, is a significant improvement over the old Regulation A, which was rarely used as a capital raising vehicle. The old Regulation A permits unregistered offerings of up to $5 million of securities in any 12-month period, including no more than $1.5 million of securities offered by security holders of the company. Permissible thresholds of Regulation A+ are much higher. It provides for two tiers of offerings: “Tier 1, for offerings of securities of up to $20 million in a 12-month period, with not more than $6 million in offers by selling security-holders that are affiliates of the issuer; and Tier 2, for offerings of securities of up to $50 million in a 12-month period, with not more than $15 million in offers by selling security-holders that are affiliates of the issuer.”

However, will Regulation A+ become a more popular choice for smaller companies than Regulation D in raising capital? Is Regulation A+ a workable compromise between the company’s need to have access to capital and the SEC’s goal of investor protection?

Rule 506 of Regulation D is one of the most widely used capital raising exemptions under the US securities laws. The main reason for its popularity is its flexibility. Although Rule 506 does not provide an opportunity for selling security holders to participate in the offering as Regulation A+ does, Rule 506 does not have any caps on the dollar amount that can be raised. In addition, any company, public or private, US or foreign, can raise capital under Rule 506. However, only a US or Canadian issuer that is not (i) a reporting company under the Securities Exchange Act of 1934 immediately prior to the offering, (ii) an investment company, or (iii) a blank check company is considered an “eligible issuer” under Regulation A+. Note that “bad actor” disqualification applies to both Rule 506 and Regulation A+ offerings. Also, a company that had its registration revoked under Section 12(j) of the Exchange Act within five years before the filing of the offering statement, or that has been delinquent in filing required reports under Regulation A+ during the two years before the filing of the offering statement (or for such shorter period that the issuer was required to file such reports), is not eligible to do an offering under such Regulation.

In some instances, Regulation A+ appears to be more accommodating than Rule 506. For example, Rule 506 allows an unlimited number of accredited investors as purchasers (with Rule 506(b) also permitting up to 35 non-accredited investors), and Tier 1 of Regulation A+ does not have any limitation on the number or type of investors. Tier 2 also does not have any limitations on the number of investors, but imposes a per-investor cap for non-accredited investors (unless the securities are listed on a national exchange): the aggregate purchase price to be paid by the purchaser for the securities may be no more than 10% of the greater of annual income or net worth for individual investors, or of revenue or net assets for the most recently completed fiscal year for entities. In addition, Regulation A+ allows issuers to “test-the-waters” by trying to determine whether there is any interest in a contemplated securities offering (assuming such practice is allowed under applicable blue sky laws for Tier 1 offerings), while the traditional Rule 506(b) does not allow for general solicitation and advertising (Rule 506(c) permits general solicitation and advertisement).

The biggest downside of the Regulation A+ structure is that blue sky registration requirements are not preempted for Tier 1 offerings, which significantly limits the use of Tier 1 for offerings in multiple states. Such preemption exists for Rule 506 offerings as well as Tier 2 Regulation A+ offerings. But the welcome flexibility of doing nationwide offerings under Tier 2 comes with a heavy price tag of ongoing reporting. After a Tier 2 offering, an issuer must file with the SEC annual reports on Form 1-K, semi-annual reports on Form 1-SA and current reports on Form 1-U (within 4 business days of the event). The SEC also noted that companies may “voluntarily” file quarterly financial statements on Form 1-U, but in practice the need to comply with Rule 15c2-11 and Rule 144, in order to maintain placement of quotes by market makers and permit resales of securities, will make “voluntary” quarterly reporting essentially mandatory.

Rule 506 offerings are usually accompanied by private placement memoranda, or PPMs (even when offerings are solely to accredited investors), to protect issuers from Rule 10b-5 liability under the Exchange Act. There is no prescribed format for such PPMs and they are not reviewed by the SEC. In connection with Regulation A+ offerings, an issuer must file Form 1-A (a “mini” registration statement) through EDGAR with the SEC (first-time issuers are eligible to initially make a non-public submission of a draft Form 1-A). Such Forms 1-A are subject to the SEC review and comment process, which increases the cost of the transaction and extends the time between the beginning of the transaction and the closing.

The good news is that Regulation A+ provides a new way for smaller companies to raise capital and get some liquidity in their securities. However, if a company is confident that it can raise money through the traditional Rule 506 private placement, it may still want to avoid the SEC review process, the hassle of blue sky compliance under Tier 1 or ongoing reporting obligations of Tier 2 introduced by Regulation A+.