Conflict Minerals Rule and Pay Ratio Rule… Are Changes Forthcoming?

Conflict Minerals Rule

Acting SEC Chairman Michael S. Piwowar issued a statement[1] on January 31, 2017 directing the SEC staff to reconsider whether the 2014 Guidance is still appropriate and whether any additional relief is appropriate. The statement also included a 45-day public comment period.

In addition, there has been a leaked draft executive order and rumors that President Donald Trump is going to issue an order that will temporarily suspend the conflict minerals rule for two years based on a “national security interests” rationale.

Additionally, a final ruling on the conflict minerals litigation may be looming. On February 10, 2017, the district court judge ordered the parties in the conflict minerals litigation to file a joint status report, on or before March 10, 2017, indicating whether any further proceedings are necessary, and whether the court should enter an order of final judgement to effectuate the circuit’s decision.

At the recent SEC Speaks conference, Shelly Parratt, acting director of the Division of Corporation Finance, stated that companies must continue to comply with the conflict minerals disclosure rules and that even though the SEC is seeking comments thereon, the rules remain in effect.

What the outcome of the above will ultimately be is unknown. The likelihood of the conflict minerals rule being completely overturned prior to the upcoming May 31st Form SD due date is slim. Accordingly, issuers should steam ahead in their due diligence efforts.

Pay Ratio Rule

A week after issuing the conflict minerals statement described above, Acting SEC Chairman Michael S. Piwowar issued a statement[2] on February 6, 2017 related to the pay ratio disclosure rule in which he explained that it was his “understanding that some issuers have begun to encounter unanticipated compliance difficulties that may hinder them in meeting the reporting deadline.” Therefore, Piwowar stated that he is seeking public comment within 45 days on any unexpected challenges that issuers have experienced as they prepare for compliance and whether relief is needed. In addition, Piwowar directed the SEC staff to reconsider the implementation of the pay ratio rule and whether additional guidance or relief may be appropriate.

At the recent SEC Speaks conference, Shelly Parratt, acting director of the Division of Corporation Finance, stated that companies must continue to comply with the pay ratio disclosure rules and that even though the SEC is seeking comments thereon, the rules remain in effect.

It seems likely that this disclosure rule will be revisited and could be changing. Nevertheless, at this time, issuers should continue their work in preparing to comply with the pay ratio disclosure rules for the next proxy season.

[1] https://www.sec.gov/news/statement/reconsideration-of-conflict-minerals-rule-implementation.html

[2] https://www.sec.gov/news/statement/reconsideration-of-pay-ratio-rule-implementation.html

What Is Good Corporate Governance? A Commonsense Approach

It seems to be a very simple question that does not always produce a clear-cut response. A group of high profile executives, including CEOs of major US corporations, tried to reach consensus on commonsense principles that are “conducive to good corporate governance, healthy public companies and the continued strength of … public markets.” On July 21, 2016, they released Commonsense Principles of Corporate Governance for public companies to promote further conversation on corporate governance.

These principles do not break new ground in corporate governance – it was not the purpose; these principles serve as a compilation of best practices that provide a “basic framework for sound, long-term-oriented governance.” The authors acknowledge that given the differences among public companies “not every principle … will work for every company, and not every principle will be applied in the same fashion by all companies.” These principles should promote discussions at the executive and board levels. They are a must read for board members, C-suite executives and corporate secretaries. Some of these principles can also be used by private companies and large non-profit organizations.

Non-GAAP Financial Measures – Agenda Item for Upcoming Audit Committee Meetings

On June 27, 2016, SEC Chair Mary Jo White delivered a speech, which focused, in part, on non-GAAP financial measures, which have become the new old “hot button” issue for the SEC. Chair White strongly urged companies to carefully consider the SEC’s new Compliance & Disclosure Interpretations (“C&DIs”) that were issued in May 2016 and to “revisit their approach to non-GAAP disclosures.” In addition, Chair White emphasized that appropriate controls should be considered and that audit committees should carefully oversee their company’s use of non-GAAP financial measures and disclosures.

The SEC’s mission with respect to non-GAAP financial measures has been the same since its adoption of non-GAAP rules in 2003 — “to eliminate the manipulative or misleading use of non-GAAP financial measures and, at the same time, enhance the comparability associated with the use of that information.” Although the SEC recognizes that “investors want non-GAAP information,” as Chair White mentioned in her speech, the concern is that instead of supplementing the GAAP information, non-GAAP financial measures have “become the key message to investors, crowding out and effectively supplanting the GAAP presentation.” To make her message crystal clear, Chair White also stated in her speech that the SEC is “watching this space very closely and [is] poised to act through the filing review process, enforcement and further rulemaking if necessary to achieve the optimal disclosures for investors and the markets.”

If a company uses non-GAAP financial measures, then the use of such measures and disclosures in the company’s SEC filings, earnings press releases, earnings calls and other presentations should be an agenda item for upcoming audit committee meetings. On June 28, 2016, the Center for Audit Quality issued a new publication, Questions on Non-GAAP Measures: A Tool for Audit Committees, which is designed to facilitate the conversation between audit committees and management about non-GAAP financial measures. Questions included in this publication focus on transparency, consistency, and comparability of non-GAAP financial measures. The publication also includes a few procedural questions that are important to assess whether appropriate controls exist with respect to the use and disclosure of non-GAAP financial measures.

SEC’s Views on Risk Factor Disclosures

On April 13, 2016, the SEC issued a Concept Release, Business and Financial Disclosure Required by Regulation S-K. In this release, which is part of the SEC’s initiative to review and improve its disclosure requirements, the SEC is seeking comments on whether its “business and financial disclosure requirements continue to elicit important information for investors and how registrants can most effectively present this information.” The Concept Release covers a wide range of topics; however, this blog post focuses on the SEC’s concerns about risk factor disclosures. Item 503(c) of Regulation S-K currently requires “disclosure of the most significant factors that make an investment in a registrant’s securities speculative or risky and specifies that the discussion should be concise and organized logically.”

Except for five specific examples of risk factors suggested by the SEC in Item 503(c) (the company’s lack of operating history, lack of profitable operations in recent periods, financial position, business or proposed business and lack of a market in the company’s securities), risk factor disclosure is principles-based. It is interesting to note that these five factors specified in Item 503(c) have not changed since the SEC published its initial guidance on risk factor disclosure in 1964.

EQUITY CROWDFUNDING HAS FINALLY ARRIVED – SEC ADOPTS FINAL RULES ON CROWDFUNDING

On October 30, 2015, the Securities and Exchange Commission (“SEC”), in a 3-1 vote of the SEC Commissioners, approved final rules to adopt Regulation Crowdfunding, which sets forth the framework by which companies can “equity crowdfund” – sell small amounts of securities (typically for a small purchase price) to a large number of investors over the Internet. The final rules, which will become effective 180 days after they are published in the Federal Register, follow the SEC’s adoption of proposed rules in October 2013 (which we previously blogged about). The SEC’s proposed rules were widely criticized as unworkable and elicited more than 480 comment letters that raised a host of concerns regarding, among other things, the effectiveness of the proposed rules in promoting capital formation and protecting investors.

Issuers and investors, particularly in the startup community, have been abuzz about equity crowdfunding since the Jumpstart Our Business Startups Act (“JOBS Act”) was enacted in April 2012.  Title III of the JOBS Act added Section 4(a)(6) to the Securities Act of 1933 (the “Securities Act”) to provide an exemption for equity crowdfunding transactions from the registration requirements of the Securities Act.  After seeing the success of non-equity crowdfunding – the Kickstarter fundraising campaigns of Pebble (~$20M raised) and Pono (~$6M raised) come to mind – it is understandable why issuers and investors have placed so much hope in the promise of equity crowdfunding.  With the SEC’s final rules in place, equity crowdfunding, with its numerous limitations and requirements, will shortly become a reality.

Under the final rules, an issuer may raise up to $1 million in a 12-month period in a crowdfunding offering conducted via a single intermediary – either a broker-dealer or a funding portal registered with the SEC. An issuer engaging in a crowdfunding offering must complete and file with the SEC a newly-created Form C (similar to the Form 1-A offering statement under Regulation A, but with fewer required disclosures), which will require the disclosure of certain business and financial information including financial statements of the issuer. Depending on the amount sought in the crowdfunding offering and whether an issuer has previously conducted a crowdfunding offering, the final rules will require that an issuer provide audited or reviewed financial statements. For example, an offering of more than $500,000 of securities will require reviewed financial statements unless the issuer is not a first time issuer, in which case audited financial statements will be required.

The final rules also limit the amount of funds that an individual investor may invest in all crowdfunding offerings over a 12-month period, based on an investor’s annual income and net worth. Interestingly, despite criticism on the workability of the investment limitations set forth in the proposed rules, the final rules have more stringent limitations than those included in the proposed rules. An investor with either annual income or net worth less than $100,000 can invest up to 5 percent of the lesser of annual income or net worth, or $2,000, whichever is greater, every 12 months. An investor with both annual income and net worth greater than $100,000 can invest up to 10 percent of the lesser of annual income or net worth every 12 months, subject to a cap of $100,000 in a 12-month period. One effect of the limits will be that crowdfunding issuers may end up with numerous investors providing small investments – for example, an issuer raising $1 million would have 500 shareholders if the $2,000 limitation applied to those investors.

Only time will tell whether the regulatory environment created by the final rules will allow equity crowdfunding to reach the heights envisioned by many proponents. Among other reasons, the costs and compliance burden for issuers and the potential returns to investors are difficult to forecast at this time.  Regardless, many issuers, especially startups, now have an additional tool to raise capital in the United States. A more detailed summary of the final rules is provided below.

Sales Limitations

The following sales limitations apply to a crowdfunding offering:

  • An eligible issuer (see below for a description of ineligible issuers) is permitted to raise a maximum aggregate amount of $1 million through crowdfunding offerings in a 12-month period. In addition, entities controlled by, or under common control with, the issuer are aggregated for purposes of determining compliance with the offering ceiling.
  • Individual investors, over the course of a 12-month period, are permitted to invest in the aggregate across all crowdfunding offerings up to:
    • If either their annual income or net worth is less than $100,000, then the greater of: (1) $2,000, or (2) 5% of the lesser of their annual income or net worth.
    • If both their annual income and net worth are equal to or more than $100,000, then 10% of the lesser of their annual income or net worth, subject to a cap of $100,000 in a 12-month period.
  • The JOBS Act requires that the SEC adjust the issuer sales limitation and investor investment limitations not less than every five years to account for changes in the CPI.

Ineligible Issuers

The following issuers are not eligible to utilize a crowdfunding offering:

  • Non-U.S. companies.
  • Reporting companies under the Securities Exchange Act of 1934 (the “Exchange Act”).
  • Certain investment companies.
  • Companies that are disqualified under Regulation Crowdfunding’s disqualification rules (i.e., bad actors).
  • Companies that have failed to comply with the annual reporting requirements under Regulation Crowdfunding during the two years immediately preceding the filing of the offering statement (i.e., Form C).
  • Companies that have no specific business plan or have indicated their business plan is to engage in a merger or acquisition with an unidentified company or companies.

Disclosure Requirements

An issuer conducting a crowdfunding offering is required to file certain information with the SEC on new Form C and to provide this information to investors and the applicable crowdfunding portal facilitating the offering. Among other things, in its offering documents, the issuer is required to disclose:

  • Information about officers and directors as well as owners of 20 percent or more of the issuer;
  • A description of the issuer’s business and the use of proceeds from the offering;
  • The price to the public of the securities or the method for determining the price, the target offering amount, the deadline to reach the target offering amount, and whether the issuer will accept investments in excess of the target offering amount;
  • Certain related-party transactions;
  • A discussion of the issuer’s financial condition; and
  • Financial statements of the issuer that are, depending on the amount offered and sold during a 12-month period:
    • If $100,000 or less, based on information from the issuer’s tax returns and certified by the principal executive officer,
    • If more than $100,000 but not more than $500,000, reviewed by an independent public accountant, and
    • If more than $500,000, audited by an independent auditor, except that an issuer engaging in a crowdfunding offering for the first time would be permitted to provide reviewed rather than audited financial statements.
    • In any case, if audited financial statements of the issuer are available, then they must be provided.

Issuers are required to amend the offering document during the offering period to reflect material changes and provide updates on the issuer’s progress toward reaching the target offering amount.

In addition, issuers relying on the Regulation Crowdfunding exemption are required to file an annual report with the SEC and provide it to investors.  The reporting requirements will continue until:

  • the issuer is required to file reports under the Exchange Act;
  • the issuer has filed at least one annual report and has fewer than 300 holders of record;
  • the issuer has filed at least three annual reports and has total assets that do not exceed $10 million;
  • the issuer or another party purchases or repurchases all of the securities issued pursuant to the crowdfunding exemption, including any payment in full of debt securities or any complete redemption of redeemable securities; or
  • the issuer liquidates or dissolves in accordance with state law.

Crowdfunding Platforms

Each crowdfunding offering must be conducted exclusively through a single platform operated by an “intermediary” which is either a registered broker or a funding portal – a new type of SEC registrant. The rules require that such an intermediary:

  • Provide investors with educational materials;
  • Take measures to reduce the risk of fraud;
  • Make available information about the issuer and the offering;
  • Provide communication channels to permit discussions about offerings on the platform; and
  • Facilitate the offer and sale of crowdfunded securities.

The rules also prohibit a crowdfunding portal from:

  • Offering investment advice or making recommendations;
  • Soliciting purchases, sales or offers to buy securities offered or displayed on its platform;
  • Compensating promoters and others for solicitations or based on the sale of securities; and
  • Holding, possessing, or handling investor funds or securities.

The final rules provide a safe harbor under which crowdfunding portals can engage in certain activities, consistent with these restrictions.

Miscellaneous Restrictions

Securities acquired in a crowdfunding offering are generally subject to a one year holding period before they can be resold, subject to certain exceptions. Holders of securities acquired in a crowdfunding offering do not count toward the threshold that requires an issuer to register its securities with the SEC under Section 12(g) of the Exchange Act if the issuer is current in its annual reporting obligation, retains the services of a registered transfer agent and has less than $25 million in assets.

SEC Proposes Anticipated Rules on Pay-Versus-Performance Disclosure

On April 29, 2015, the SEC, in a 3-2 vote of the SEC Commissioners, approved proposed rules (the “pay-versus-performance disclosure”) that would require an issuer to disclose the relationship between the issuer’s executive compensation and the issuer’s financial performance. The proposed rules would implement a disclosure obligation required under Section 953(a) of the Dodd-Frank Act. Chair White noted, in the SEC press release announcing the proposed rules, that the pay-versus-performance disclosure “would better inform shareholders and give them a new metric for assessing a company’s executive compensation relative to its financial performance.”

In particular, the proposed rules would amend Item 402 of Reg. S-K by adding a new Item 402(v) which would require issuers to disclose, in each proxy or information statement requiring executive compensation disclosure under Item 402 of Reg. S-K, the following:

  • the executive compensation “actually paid” to the issuer’s principal executive officer (“PEO”);
  • the executive compensation “actually paid” to the issuer’s named executive officers (“NEOs”), expressed as an average for all such NEOs;
  • the issuer’s total shareholder return (“TSR”); and
  • the TSR of a peer group of issuers.

Like all disclosures required under Item 402 of Reg. S-K, the pay-versus-performance disclosure would be subject to the say-on-pay advisory vote.

Compensation Actually Paid

Under the proposed rules, the executive compensation “actually paid” by an issuer means the total compensation for a particular executive disclosed in the summary compensation table adjusted by certain amounts related to pensions and equity awards. The adjusted disclosure represents an attempt by the SEC to reflect the compensation awarded to, or earned by, such executive officer in a particular year of service. In order to calculate the compensation “actually paid” to a particular executive officer, the total compensation disclosed for such executive officer in the summary compensation table would be adjusted to:

  • deduct the aggregate change in the actuarial present value of all defined benefit and actuarial pension plans reported in the Summary Compensation Table;
  • add back the actuarially determined service cost for services rendered by the executive officer during the applicable year;
  • exclude the grant date value of any stock and option awards granted during the applicable year that are subject to vesting; and
  • add back the value at vesting of stock and option awards that vested during the applicable year, computed in accordance with the fair value guidance in FASB ASC Topic 718.

An issuer would need to include footnotes to the pay-versus-performance summary table (see below for the form table) that describe the amounts excluded from and added to the total compensation reported in the summary compensation table and the issuer’s vesting date valuation assumptions used (if materially different from the grant date assumptions disclosed in the issuer’s financial statements).

In addition to the required disclosure, an issuer would be permitted to make disclosures to capture the issuer’s specific situation and industry, provided that any supplemental disclosure is not misleading and not presented more prominently than the required pay-versus-performance disclosure. Examples of supplemental disclosure provided in the proposed rules include the disclosure of “realized pay” or “realizable pay” or additional years of data beyond the time periods required.

Peer Group

The peer group utilized for the TSR comparison would be the same peer group used by the issuer in its stock performance graph or in describing the issuer’s benchmarking compensation practices in its CD&A.

Format

The pay-versus-performance disclosure must be provided in tabular form as set forth below.

| Year (a) | Summary Compensation Table Total For PEO (b) | Compensation Actually Paid to PEO (c) | Average Summary Compensation Table Total for non PEO Named Executive Officers (d) | Average Compensation Actually Paid to non PEO Named Executive Officers (e) | Total Shareholder Return (f) | Peer Group Total Shareholder Return (g) |
| --- | --- | --- | --- | --- | --- | --- |

Following the pay-versus-performance disclosure table, the issuer would be required to describe the relationship between the issuer’s executive compensation actually paid and the issuer’s TSR and the relationship between the issuer’s TSR and the peer group’s TSR.

Issuers will generally need to make the pay-versus-performance disclosure for their five most recently completed fiscal years (or three years, in the first applicable filing following the effectiveness of the proposed rule). However, smaller reporting companies will only need to make the disclosure for three years (or two years, in the first applicable filing following the effectiveness of the proposed rule). In addition, a smaller reporting company would not be required to (i) disclose amounts relating to pensions (consistent with current executive compensation disclosure obligations); or (ii) present the TSR of a peer group in its pay-versus-performance disclosure.

XBRL

Companies would be required to tag the pay-versus-performance disclosure using XBRL.  Smaller reporting companies would not be required to comply with the tagging requirement until the third filing in which the pay-versus-performance disclosure is provided.

Companies to which Disclosure Requirement Applies

The proposed pay-versus-performance disclosure rules would apply to all reporting companies, except registered investment companies, foreign private issuers and emerging growth companies.

Conclusion

It is unclear whether the pay-versus-performance disclosure will be adopted (and in effect) in time for the 2016 proxy season.  The SEC is seeking comments on the proposed rules for 60 days following their publication in the Federal Register.

MD&A Lessons Learned from Broadwind Energy

On February 5, 2015, the Securities and Exchange Commission charged Broadwind Energy, Inc. (Broadwind), its former Chief Executive Officer and its Chief Financial Officer for accounting and disclosure violations that, as the SEC stated in its press release, “prevented investors from knowing that reduced business from two significant customers had caused substantial declines in the company’s long-term financial prospects.” The penalties were not earth-shattering: subject to the court’s approval, Broadwind agreed to pay a $1 million penalty and its former CEO and its CFO agreed to pay approximately $700,000 in combined disgorgement and penalties.

The SEC brought various charges, including, but not limited to, the violation of Section 17(a)(2) of the Securities Act (in connection with an offering conducted by Broadwind) and the violation of Section 13 of the Exchange Act and Rule 13a-14 under such act, but this case is interesting because it deals with the eternal question that public company management and their securities lawyers are dealing with every day: how much disclosure is enough disclosure for the investors to make a reasonable decision whether to buy or sell the company’s securities?

Broadwind’s fact pattern, as outlined in the SEC’s complaint filed in the U.S. District Court for the Northern District of Illinois, makes it clear that during the third quarter of 2009, Broadwind began to plan more definitively for the impairment of its subsidiary’s intangible assets related to contracts with two major customers and Broadwind’s internal documents identified an expected impairment charge of $48 million related to the contract with one of such customers.  Broadwind shared this expectation and these documents with its outside audit firm, its investment bankers and the subsidiary’s primary lender. Broadwind also incorporated impairment in its planning for the upcoming audit of 2009 financial results. Broadwind’s revenues from the two major customers declined 43% and 25%, respectively, for the nine months ended September 30, 2009 compared to the same period ended September 30, 2008.

The SEC argued that Broadwind’s disclosure in the Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A) section of its Form 10-Q for the third quarter of 2009 was materially misleading.  Such disclosure read, in part, as follows:

[A] continued economic slowdown may result in impairment to our fixed assets, goodwill and intangible assets. We perform an annual goodwill impairment test during the fourth quarter of each year, or more frequently when events or circumstances indicate that the carrying value of our assets may not be recovered. The recession that has occurred during 2008 and 2009 has impacted our financial results and has reduced purchases from certain of our key customers. We may determine that our expectations of future financial results and cash flows from one or more of our businesses has decreased or a decrease in stock valuation may occur, which could result in a review of our goodwill and intangible assets associated with these businesses. Since a large portion of the value of our intangibles has been ascribed to projected revenues from certain key customers, a change in our expectation of future cash from one or more of these customers could indicate potential impairment to the carrying value of our assets.

Item 303 of Regulation S-K requires a public company to disclose in its MD&A “any known trends or any known demands, commitments, events or uncertainties that will result in or that are reasonably likely to result in the registrant’s liquidity increasing or decreasing in any material way.”  MD&A also requires a description of “any known trends or uncertainties that have had or that the registrant reasonably expects will have a material favorable or unfavorable impact on net sales or revenues or income from continuing operations.”

The SEC’s position outlined in the complaint is that, based on the revenue decline combined with the customers’ lower forecasts of revenue and other developments, Broadwind and its CEO (the CFO started at Broadwind in mid-August 2009) “should have known that the intangible assets were impaired.” However, Broadwind “failed to disclose the impairment of its assets in Form 10-Q” for the quarter ended September 30, 2009, but instead used a “generalized risk disclosure of the possibility of such a charge.” The SEC also stated in its complaint that if Broadwind had conducted impairment testing in connection with its Form 10-Q for the 3rd quarter 2009, Broadwind would have concluded that its contracts with two significant customers were fully impaired and recorded impairment charges of approximately $60 million in connection with such contracts. Broadwind ultimately disclosed the impairment in its Form 10-K for the fiscal year ended December 31, 2009. Following the disclosure of the impairment charge, the stock price declined by 29%.

Putting aside the speculation about when it was the right time for Broadwind to conduct the impairment testing, it has been the SEC’s position for more than a decade that MD&A “trends” disclosure should include the “[q]uantification of the material effects of known material trends and uncertainties,” which can promote better understanding of whether the company’s past performance is indicative of future performance.  The SEC’s 2003 Interpretive Release: Commission Guidance Regarding MD&A (Release No. 33-8350) made it clear that “[a]scertaining this indicative value depends to a significant degree on the quality of disclosure about the facts and circumstances surrounding known material trends and uncertainties in MD&A. … Quantitative disclosure should be considered and may be required to the extent material if quantitative information is reasonably available.”

In light of the current 10-K season, the SEC’s complaint in SEC v. Broadwind is a timely reminder that “boiler plate” generalized MD&A disclosure regarding known trends may be inadequate and misleading if management had an opportunity to provide more detailed and meaningful information.

ISS’ FAQs on Equity Plan Data Verification – Roadmap for Proxy Statement Disclosures

If you have a proposal to adopt or amend the company’s equity plan in the proxy statement that you file with the SEC after September 8, 2014, then you can use a new data verification portal recently launched by Institutional Shareholder Services Inc. (ISS) to verify key data points underlying ISS’ evaluation of the plan. ISS explains on its website the mechanics of registering for the Equity Plan Data Verification and requesting modifications after reviewing data points posted by ISS.

One of the most interesting pieces of information provided by ISS in connection with the new portal is Appendix A to the FAQs on Equity Plan Data Verification because it lists the questions that ISS includes in its evaluation of equity plans. The questions are divided into several categories: (i) equity plan provisions, (ii) outstanding stock and convertibles, (iii) equity grant activity, and (iv) shares reserved and outstanding under equity compensation programs.

Listed below are certain questions from each category. Some of these questions can be used as a roadmap for proxy statement disclosures related to equity plan proposals in order to facilitate ISS’ review and evaluation of the plan.

Equity Plan Provisions:

  • Is stock option repricing permitted without shareholder approval?
  • Are cash buyouts of underwater stock options permitted without shareholder approval?
  • Does the plan provide for share recycling, whereby the plan’s share reserve is reduced by the net number of shares delivered through equity awards, not the gross number underlying the original awards?
  • Does the plan contain an evergreen provision, pursuant to which the plan’s share reserve is automatically increased annually?
  • What stock acquisition percentage triggers a change-in-control under the plan?
  • Does the plan provide for tax gross-ups on equity awards?

Outstanding Stock and Convertibles:

  • How many common shares are outstanding (includes all classes of common stock) as of the record date?
  • How many common shares are issuable upon (i) exercise of outstanding warrants, (ii) conversion of outstanding convertible debt, and (iii) conversion of outstanding convertible equity?
  • How many weighted average common shares were outstanding in the past 3 fiscal years, as used in the computation of basic EPS?

Equity Grant Activity:

  • What is the total number of time-vesting options/SARs and full value awards granted in the past 3 fiscal years?
  • What is the number of performance-based options/SARs that vested in the past 3 fiscal years?
  • What is the total number of performance-based full value awards earned in the past 3 fiscal years?

Shares Reserved and Outstanding under Equity Compensation Programs:

  • How many shares are reserved under the proposed new plan or pursuant to the plan amendment?
  • How many shares remain available for grant under all equity compensation plans?
  • How many shares are subject to outstanding awards?

Cybersecurity as an Investment Risk

PricewaterhouseCoopers LLP (PwC) and Investor Responsibility Research Center Institute (IRRCi) have weighed in on the cybersecurity issue from an investor’s point of view in their paper called What investors need to know about cybersecurity: How to evaluate investment risks. Cybersecurity has been on the public company disclosure radar screen since the SEC’s guidance released in 2011, but PwC’s and IRRCi’s paper states that cybersecurity disclosures “rarely provide differentiated or actionable information for investors.”

The paper suggests that cybersecurity risk should be one of the elements in an investor’s decision-making process to diversify the investor’s portfolio. For example, even if an investor holds securities of retail, financial services and aerospace & defense companies, such industry diversification may still be vulnerable because all these industries are more likely to be targeted in cyber attacks than others. One of the solutions suggested by the paper is that investors should be better informed about the company’s “preparedness to respond quickly to contain or mitigate the potential harm” from a cyber attack.

The paper provides a list of questions, responses to which should enable investors to evaluate the company’s level of vulnerability to potential cyber attacks. Some of the questions included in the paper are listed below. Such questions can also serve as a roadmap for public company disclosure regarding cybersecurity:

  • Does the organization have a Security & Privacy executive that reports to a senior level position within the company? What are the skills, experiences and qualifications of this executive?
  • Does the organization have a documented cybersecurity strategy that is regularly reviewed and updated? How is the board engaged in the cybersecurity strategy and review process?
  • Does the organization perform periodic risk assessments and technical audits of its security posture?
  • Does the “tone at the top” seem to make security a priority?
  • What is the organization doing to address security with its business partners?
  • Does the organization have a response plan for a cyber incident? Is it tested regularly through simulations and table top exercises? Does it include testing with key 3rd party relationships?

Commissioner Aguilar Shares His Views on Directors’ Oversight of Cyber-Risk Management

On June 10, 2014, Commissioner Luis A. Aguilar spoke at a NYSE conference, “Cyber Risks and the Boardroom,” about what boards of directors should do to ensure that their companies are appropriately considering and addressing cyber threats.

Commissioner Aguilar was concerned that “there may be a gap that exists between the magnitude of the exposure presented by cyber-risks and the steps, or lack thereof, that many corporate boards have taken to address these risks.” Commissioner Aguilar stressed that boards should, among other matters:

  • review annual budgets for privacy and IT security programs;
  • assign roles and responsibilities for privacy and security; and
  • receive regular reports on breaches and IT risks.

Boards should also:

  • have a clear understanding of who at the company has primary responsibility for cybersecurity risk oversight and for ensuring the adequacy of the company’s cyber-risk management practices; and
  • put time and resources into making sure that management has developed a well-constructed response plan that is consistent with best practices for a company in the same industry (including a consideration of whether and how cyber-attacks should be disclosed to customers and to investors).

Commissioner Aguilar suggested that one conceptual roadmap boards should consider is the Framework for Improving Critical Infrastructure Cybersecurity, released by the National Institute of Standards and Technology (NIST) in February 2014. The NIST Cybersecurity Framework provides companies with a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk consisting of five concurrent and continuous functions:

(i) identify known cybersecurity risks to the company’s infrastructure;

(ii) develop safeguards to protect the delivery and maintenance of infrastructure services;

(iii) implement methods to detect the occurrence of a cybersecurity event;

(iv) develop methods to respond to a detected cybersecurity event; and

(v) develop plans to recover and restore the company’s capabilities that were impaired as a result of a cybersecurity event.

Boards should work with management to assess how their corporate policies measure up to the Framework’s guidelines.

Commissioner Aguilar emphasized that cyber-risk is part of a board of directors’ overall risk oversight responsibilities, in addition to liquidity and operational risks facing the company. Generally, the board’s risk oversight function lies either with the full board or is delegated to the board’s audit committee. But the board’s audit committee may not have the expertise, support, or skills necessary to add oversight of a company’s cyber-risk management to its agenda. Some boards create a separate enterprise risk committee.

There is obviously no “one-size-fits-all” way to address cybersecurity issues at the board level and each company should evaluate its board composition and determine what would be the most effective way for its board to oversee cyber-risk management.