The SEC Issues Disclosure Guidance on Cybersecurity

by Vanessa Schoenthaler on October 14, 2011

Yesterday the Division of Corporation Finance issued informal disclosure guidance detailing the staff’s views on disclosure obligations related to cybersecurity risks and cyber incidents.

This, the Division’s second issuance of such informal disclosure guidance, is most likely a response to a letter that Senator Rockefeller sent to Chairman Schapiro back in May. The Senator specifically requested that the Commission issue interpretive guidance on cybersecurity disclosures, and, in her response letter, Chairman Schapiro promised to give the request serious consideration.

Perhaps coincidentally, the guidance was issued during October 2011, which President Obama proclaimed National Cybersecurity Awareness Month.

Cyber Incidents and Their Effects

Beginning with a general discussion of cyber incidents, the guidance notes that there has been an increase in focus on incidents that include:

  • gaining unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data and causing operational disruptions (e.g., the recent cyber attacks on EMC Corp.’s RSA unit, which cost the company $66 million in Q2); and
  • denial-of-service attacks (e.g., the denial-of-service attacks on Visa and MasterCard that took place last year).

Among other things, cyber incidents like these have caused companies to incur:

  • remediation costs, including, for example, costs associated with liability for misappropriated assets or information, and costs related to incentives offered to maintain customer or partner relationships;
  • increased cybersecurity costs;
  • revenue losses;
  • litigation costs; and
  • reputational damage.

The Disclosure Guidance

The guidance notes that when assessing whether and to what extent cybersecurity risk and cyber incident disclosures are required, a company should consider both the materiality of the information and the applicability of the antifraud provisions of the federal securities laws.

It then goes on to review existing disclosure requirements that may trigger cybersecurity risk and cyber incident disclosures. It covers risk factors, financial statements and management’s discussion and analysis of financial condition and results of operations most extensively, but also touches on disclosure controls and procedures, a company’s description of business, and legal proceedings disclosures.

Risk Factors

Beginning with risk factors, the guidance reiterates the requirements of Item 503 of Regulation S-K and notes that disclosure of cybersecurity risk is required if cyber incidents are “among the most significant factors that make an investment in the company speculative or risky.” In making such a determination, a company should take into consideration all relevant information, including:

  • the occurrence of prior cyber incidents;
  • their severity and frequency;
  • the probability of future cyber incidents;
  • the qualitative and quantitative magnitude of the risk, including, for example, the potential costs and other consequences of misappropriated assets or information, data corruption or operational disruptions; and
  • the adequacy of preventative measures taken to reduce cybersecurity risks in the context of the industry in which the company operates, and any risks to those preventative measures, including threatened attacks.

As with other risk factors, any cybersecurity risk factors should be specifically tailored to the company, detailing the nature of the risk and how it might impact the company. In other words, avoid generic or boilerplate disclosure. Among other things, such risk factors might include:

  • a discussion of attributes of the company’s business or operations that give rise to material cybersecurity risks;
  • the potential costs and consequences of cybersecurity risks;
  • if a company has outsourced operations that carry material cybersecurity risks, a discussion of those risks and how the company is addressing them;
  • a discussion of any cyber incidents experienced by the company that are individually or in the aggregate material, and a description of the potential costs and other consequences of those incidents;
  • a discussion of risks related to cyber incidents that may remain undetected for an extended period of time; and
  • a description of any relevant insurance coverage.

A company may have to explicitly disclose known or threatened cyber incidents and their potential costs and other consequences to place a discussion of its cybersecurity risks into context. However, the guidance notes that the Division is mindful of concerns that detailed disclosures may compromise security efforts by, among other things, providing would-be attackers with a “road map” through the company’s security system, and emphasizes that disclosure at that level of specificity is not required under the federal securities laws.

Financial Statements

With respect to a company’s financial statements, the guidance notes that, based on the nature and severity of an actual or potential cyber incident, disclosure may be required in a number of different areas, for example:

  • prior to a cyber incident, costs associated with preventative measures may have to be disclosed, such as costs related to internal-use software (ASC 350-40, Internal-Use Software);
  • remediation costs associated with the occurrence of a cyber incident may also have to be disclosed, such as incentives offered to maintain customer or partner relationships (ASC 605-50, Customer Payments and Incentives);
  • a cyber incident may also require disclosure of loss contingencies for asserted and unasserted claims, such as claims related to warranties, breach of contract, product recalls and replacements, and indemnification of counterparty losses (ASC 450-20, Loss Contingencies);
  • a cyber incident may result in a company having diminished future cash flows, requiring consideration of impairments to assets, such as goodwill, customer-related intangible assets, trademarks, patents, capitalized software or other long-lived assets associated with software or hardware, and inventory;
  • the impact of a cyber incident may not be immediately known, requiring a company to develop estimates to account for future financial implications, such as estimates of warranty liability, allowances for product returns, capitalized software costs, inventory, litigation and deferred revenue (ASC 275-10, Risks and Uncertainties); and
  • where a cyber incident is discovered after the balance sheet date, a company should consider whether disclosure of a subsequent event is necessary (ASC 855-10, Subsequent Events).

Management’s Discussion & Analysis (MD&A)

MD&A disclosure may be warranted if the costs or other consequences of a known or potential cyber incident represent a material event, trend or uncertainty that is reasonably likely to have a material effect on a company’s results of operations, liquidity or financial condition, or would cause the company’s reported financial information not to be necessarily indicative of future operating results or financial condition.

Disclosure Controls and Procedures

If a cyber incident poses a risk to a company’s ability to record, process, summarize and report the information required to be disclosed in its filings, the company should consider whether there are deficiencies in its disclosure controls and procedures rendering them ineffective.

Description of Business

Disclosure in a company’s “Description of Business” section may be warranted if a cyber incident materially affects the company’s products, services, customer or supplier relationships, or competitive conditions.

Legal Proceedings

“Legal Proceedings” disclosure may be warranted if a company is party to a material pending legal proceeding that involves a cyber incident.

Current Reports and Road Maps

Finally, the securities laws are designed to “elicit disclosure of timely, comprehensive and accurate information about risks and events that a reasonable investor would consider important to an investment decision.” Accordingly, the guidance notes that a company with an effective shelf registration statement on file should consider whether it needs to disclose a material cyber incident on a Form 8-K (or Form 6-K) in order to maintain the accuracy and completeness of its disclosure information.

Earlier today the Securities and Exchange Commission released its Final Report from the 29th Annual Forum on Small Business Capital Formation held in November 2010.

This year’s forum yielded 36 recommendations from three working groups and a number of written recommendations submitted by organizations concerned with small business capital formation.

Participation was down slightly, with a total of 60 participants in the three working groups, as compared to 72 last year, and with 37% voting to rank each of the final recommendations, as compared to 44% last year.

There are a few proposals that show up each year, but many of this year’s recommendations focus on Regulation A, the requirements of Exchange Act Section 12(g) and scaled reporting/eligibility requirements for smaller issuers. The top 5 recommendations include proposals that the Commission:

  • specifically consider the impact of Dodd-Frank Act rulemaking on small business investing;
  • adopt a private offering exemption that does not prohibit the general solicitation of, or advertising to, purchasers that do not need the protections afforded by Securities Act registration;
  • provide better scaling of reporting requirements for smaller companies;
  • exempt companies with a market capitalization of less than $250 million from Section 404(b) of the Sarbanes-Oxley Act (we already know that this one was rejected in April); and
  • increase the permissible offering amount under Regulation A and the number of shareholders that trigger registration under Section 12(g) of the Exchange Act. (As an aside: both Fortune and PeHUB are reporting today that there’s a bill in the works that may actually take care of the latter portion of this proposal, by increasing Section 12(g)’s shareholder trigger from its current level of 500 holders of record to 1,000 holders of record, exclusive of accredited investors and employees holding stock options.)

“Today, the Alliance for Board Diversity released a report, Missing Pieces: Women and Minorities on Fortune 500 Boards — 2010 Alliance for Board Diversity Census, that confirmed what many of us have known for some time. The abysmal statistics regarding the lack of diversity in Corporate America are growing worse. …

[I]n the Fortune 100, between 2004 and 2010, white men increased their share of board seats in corporate America from 71.2% to 72.9%. Minorities and women shared the remainder with very few seats occupied by Asian Pacific Islanders, Hispanics or minority women in particular.

Thus, even though there are more qualified diverse candidates for corporate board seats than ever before, fewer of these candidates are being chosen for corporate board seats. Even though our nation has grown more diverse, the corporate boardroom is proving resistant to change. …”

Commissioner Luis A. Aguilar, Statement on Growing Lack of Diversity in the Corporate Boardroom

Last week the Securities and Exchange Commission issued proposed amendments to conform the definition of accredited investor to the requirements of Section 413(a) of the Dodd-Frank Wall Street Reform and Consumer Protection Act. As amended, the definition would read:

Any natural person whose individual net worth, or joint net worth with that person’s spouse, at the time of purchase, exceeds $1,000,000, excluding the value of the primary residence of such natural person, calculated by subtracting from the estimated fair market value of the property the amount of debt secured by the property, up to the estimated fair market value of the property.

An interesting tidbit from the footnotes of the proposing release: in fiscal year 2010 the Commission received 17,593 initial Form D filings; of those, 16,856, or 96%, claimed an exemption that relies on the definition of an accredited investor.

The Commission is soliciting comments on a number of aspects of the new definition, which are due on or before March 11, 2011. Of particular note, at the Commission’s January 25, 2011 open meeting, both Commissioners Casey and Paredes expressed interest in hearing comments on whether the amended definition should “grandfather” existing investors who were accredited at the time of their initial investment, but who may no longer be accredited under the new definition, to allow those investors to make follow-on investments.

An Extension of Comment Periods

On Friday the Commission announced that it was extending the comment period for its proposed rules on disclosures related to conflict minerals, mine safety and payments made in connection with resource extractions through March 2, 2011. The original comment period was set to expire on January 31, 2011. The extension is being issued in response to several requests for additional time to “allow for the collection of information and improve the quality of responses” by interested persons. Each of the extending releases, available here, here and here, references a representative sample of letters that have made a request for additional time.

The Cost of Implementing Dodd-Frank

Also on Friday Representatives Randy Neugebauer, Chairman of the Subcommittee on Oversight and Investigations, and Spencer Bachus, Chairman of the House Financial Services Committee, issued a joint letter to the Commission, and several other federal agencies, seeking information regarding the estimated costs associated with implementing and executing the Dodd-Frank Act. The Commission has until February 10, 2011 to respond.

The Commission continues to suffer from budgetary constraints and is currently operating on the basis of a continuing resolution that temporarily extends its fiscal year 2010 budget through March 4, 2011. As a result, the Commission has been forced to scale back or delay a number of Dodd-Frank initiatives, among other things.

The Office of Inspector General has been conducting an audit of the Securities and Exchange Commission’s processes and procedures for handling confidential treatment requests under Securities Act Rule 406 and Exchange Act Rule 24b-2. In September OIG released its final report containing eight recommendations designed to improve these processes and procedures; the Commission has agreed, or partially agreed, with seven of them and will provide OIG with a written action plan to address the agreed-upon recommendations by November 12, 2010.

A Brief Overview of Confidential Treatment Requests

There are generally two types of confidential treatment requests, those made pursuant to:

  • Securities Act Rule 406 or Exchange Act Rule 24b-2 with respect to information required to be filed with the Commission, such as a material agreement filed as an exhibit to a registration statement or periodic report; and
  • Rule 83 of the Commission’s Rules of Practice with respect to information not required to be filed with the Commission, such as supplemental information provided in the context of the comment and review process.

Requests Made Pursuant to Securities Act Rule 406 or Exchange Act Rule 24b-2

When making a request for confidential treatment pursuant to Securities Act Rule 406 or Exchange Act Rule 24b-2 the request must:

  • be sufficiently narrow, so that only information eligible for exemption under the Freedom of Information Act is covered;
  • contain legal and factual analyses substantiating the exemption;
  • contain an affirmative representation as to the confidentiality of the information; and
  • set forth the duration for which the exemption is being sought.

The Commission will not generally grant a request for confidential treatment with respect to information that is specifically required to be disclosed under applicable securities laws or information that is material to investors.

Requests Made Pursuant to Rule 83 of the Commission’s Rules of Practice

As with a request for confidential treatment made pursuant to Securities Act Rule 406 or Exchange Act Rule 24b-2, a request made pursuant to Rule 83 of the Commission’s Rules of Practice must be sufficiently narrow so as only to include information eligible for exemption under the FOIA. However, it is not necessary to substantiate a request for confidential treatment made pursuant to Rule 83 until such time as a FOIA request is made. Additionally, it is possible to request that the Commission return any supplemental materials, thus rendering them unavailable for production in response to a FOIA request. The Commission will generally do so provided returning the materials is consistent with the protection of investors and the provisions of the FOIA. Any request for confidential treatment that is granted under Rule 83 will expire after 10 years, unless renewed prior to its expiration.

How the OIG’s Recommendations Might Apply

Two of the OIG’s eight recommendations focus on the processes and procedures for the Commission’s initial screening and selective full review of requests for confidential treatment that are based on the required disclosures causing competitive harm and not being necessary for the protection of investors. Specifically, the OIG found that such requests are overly broad, use conclusory statements and contain boilerplate language. The Commission has agreed, or partially agreed, to address these recommendations by revising its internal processes and procedures. So as to avoid delay, or even further review, issuers should also consider whether they have fully addressed these concerns in their next confidential treatment request.

Yesterday the Securities and Exchange Commission proposed a new set of rule amendments designed to implement the say-on-pay and golden parachutes provisions of Section 951 of the Dodd-Frank Act.

The proposed rules would require companies subject to the Commission’s proxy rules (which includes U.S. issuers, non-U.S. issuers that do not qualify as foreign private issuers and foreign private issuers that voluntarily subject themselves to the Commission’s proxy rules) to provide their shareholders:

  • at the first annual or other shareholder meeting taking place on or after January 21, 2011, and at least once every three years thereafter, with a separate advisory vote on the compensation of those executive officers for whom compensation disclosure is required in the company’s proxy solicitation materials;
  • at the first annual or other shareholder meeting taking place on or after January 21, 2011, and at least once every six years thereafter, with a separate advisory vote on the frequency of the advisory vote on executive compensation, to determine whether it should take place every year, every other year or every three years; and
  • in any proxy or consent solicitation materials to approve a merger, acquisition or similar transaction, with a separate advisory vote on golden parachute compensation for executive officers, with disclosure in both tabular and narrative formats.

Importantly: the initial shareholder advisory vote on executive compensation and the initial shareholder advisory vote on the frequency of the vote on executive compensation must be included in a company’s proxy statement for the first annual or other shareholder meeting taking place on or after January 21, 2011, regardless of the Commission’s adoption of the proposed implementing rules.

Therefore any proxy solicitation materials, whether preliminary or definitive, for a shareholder meeting taking place on or after January 21, 2011, even if filed prior to that date, must include separate resolutions for shareholders to vote on executive compensation and the frequency of future executive compensation votes.

This is not the case for the advisory vote on golden parachutes; shareholder resolutions for shareholders to vote on golden parachutes are not required to be included in a merger or acquisition proxy statement until after the Commission adopts implementing rules.

The Commission made clear its view that a proxy card for any shareholder advisory vote on the frequency of executive compensation votes should only provide a shareholder with four choices: (1) that the shareholder advisory vote on executive compensation should occur every year; (2) that the shareholder advisory vote on executive compensation should occur every two years; (3) that the shareholder advisory vote on executive compensation should occur every three years; or (4) that the shareholder is abstaining from voting on the matter.

The Commission also pointed out that under the amended exchange rules, for issuers listed on a national securities exchange, broker discretionary voting of uninstructed shares would not be permitted for shareholder advisory votes on executive compensation or shareholder advisory votes on the frequency of votes on executive compensation.

On the first read-through, other notable proposals in the Commission’s release include recommendations that:

  • shareholder advisory votes on executive compensation and shareholder advisory votes on the frequency of votes on executive compensation not trigger the required filing of a preliminary proxy statement;
  • smaller reporting companies not be exempt from the proposed shareholder advisory votes or additional disclosure requirements (but without altering existing scaled disclosure requirements related to compensation disclosure); and
  • registration statements containing disclosure relating to mergers and similar transactions, going-private transactions and tender-offers include both tabular and narrative disclosure regarding golden parachute compensation for executive officers.

Got A Calculator?

by Vanessa Schoenthaler on October 13, 2010

You’d better double-check those compensation figures before filing your next disclosure document or you may be needlessly inviting additional SEC scrutiny.

On Monday The Boston Globe ran a follow-up piece to an earlier story in which it identified 34 Massachusetts-based public companies that reported incorrect compensation figures for reasons such as “typos, mistakes in addition and other inadvertent blunders.”

Most of the companies, when initially interviewed, stated that they had no intention of correcting the errors, which they all viewed as immaterial. However, in its follow-up piece, the Globe indicated that the Commission now plans to look into a number of the cases. One law school professor interviewed for the piece even suggested that the Commission consider questioning the companies’ certifying accountants. … Surely they had calculators?

With an onslaught of Dodd-Frank activity looming, the third quarter earnings season officially underway and the year-end fast approaching, wouldn’t it be nice to have some indication of what the Securities and Exchange Commission will focus on when reviewing upcoming year-end filings? Well, there’s certainly no shortage of options, but the Commission’s Chief Accountant, Wayne Carnall, may have just given us a clue, at least with respect to financial disclosures.

As reported in CFO.com, Carnall, in a recent accounting-industry speech, named several areas that are of particular interest to the Commission and likely to be the focus of future staff comment letters.* Among them, Carnall pointed to disclosure regarding short-term liquidity. No surprises there; just last month the Commission proposed a new set of rule amendments that would require companies to provide greater quantitative and qualitative disclosure of short-term borrowing during a reporting period.

Carnall also indicated that the Commission will increase its focus on the credentials and experience of those preparing and auditing the financial statements of companies with operations in developing countries. For example, the Commission has recently issued comments such as:

We note that your operations are in [a developing country] but your audit report was signed by an audit firm based in [the United States]. In this regard, please describe for us how the U.S. auditor performed the audit of [your foreign] operations. In your response, please tell us whether another foreign audit firm assisted in the audit. If so, please tell us the name of the other firm, whether the other firm is registered with the PCAOB, and the extent to which audit work was performed by the other firm.

Other named areas of Commission focus included disclosure regarding the calculation of contingent liabilities, non-cash charges involving impairment to goodwill and deferred tax assets, and the consistency and accuracy of non-GAAP disclosure.

What about non-financial disclosures? Carnall didn’t touch on any, but Director Meredith Cross, in recent testimony before the House Committee on Financial Services, indicated:

Executive compensation disclosure review remains a focal point of the Division’s review program and the staff continues to comment on ways that companies can enhance their disclosure.

___________________________________

*Of course the Commission disclaims responsibility for the public statements of its employees, so Carnall’s predictions may not actually reflect future Commission policy.

How Important is a CEO’s Education to Company Performance?

by Vanessa Schoenthaler on September 25, 2010

Not very, according to a recent academic study that looks at whether a CEO’s educational background has a significant effect on a company’s long-term performance (as measured by indicators like return on assets and stock returns) and finds “… virtually no evidence of a systematic relationship between CEO education and long-term firm performance”.

The study also takes a look at the relationship between educational background and a company’s decision to replace its CEO, finding that companies replace poorly performing CEOs regardless of education, and at the role education plays in choosing a successor. In sum, the authors conclude:

CEO education is not significantly related to firm performance … results suggest that education is a poor proxy for CEO ability. Nevertheless education does play an important role in CEO hiring decisions; boards still use educational qualifications as criteria in evaluating potential CEOs.

If there’s no correlation between a CEO’s education and a company’s performance, then why rely on educational background in the CEO selection process at all? The study’s authors suggest that perhaps the difficulty of evaluating qualities like leadership ability and interpersonal skills leads a board to rely on more discernible measures, like the ranking of a school attended or the level of education attained. This seems entirely functional; candidates have to be sorted by some means, and educational background often serves that role. Still, those involved in the selection process need to be mindful of the weight assigned to a potential CEO’s educational background and of how early in the process they apply the educational filter to narrow their pool of potential candidates.

How Information Flows Through the Twitterverse

by Vanessa Schoenthaler on September 13, 2010

Somewhat related to my prior post, and definitely cool, check out this post over at the Hubspot Blog, which offers visual representations of the different ways information spreads through the twitterverse: