All posts by George Wilson

A Regulation FD Double Down – DraftKings

Enforcement, SEC News

Back in April 2013, the SEC issued a Report of Investigation addressing dissemination of information via social media channels.  The report focused on a Netflix CEO’s use of social media to disclose information relevant to investors without previously telling investors that information would be released via social media.  In the report the SEC announced that social media disclosure of information was likely not public disclosure for purposes of Regulation FD, unless investors had previously been alerted that specific social media channels would be used to disseminate information to the public.

Unfortunately, on July 27, 2023, DraftKings’ public relations firm posted information about “really strong growth” on the personal X and LinkedIn accounts of the company’s CEO.  The company had not provided prior notice that social media accounts would be used to make information public.  DraftKings’ management instructed the public relations firm to remove the posts soon after they were published.  Given that the social media posts provided previously non-public information about growth and that the information was likely material, this was probably an inadvertent selective disclosure.

Regulation FD describes two types of selective disclosure, intentional and non-intentional.  Each type has a separate required time frame to make information public.  From Regulation FD:

(a) Whenever an issuer, or any person acting on its behalf, discloses any material nonpublic information regarding that issuer or its securities to any person described in paragraph (b)(1) of this section, the issuer shall make public disclosure of that information as provided in § 243.101(e):

(1) Simultaneously, in the case of an intentional disclosure; and

(2) Promptly, in the case of a non-intentional disclosure.

The term “promptly” is defined in the rule:

Promptly. “Promptly” means as soon as reasonably practicable (but in no event after the later of 24 hours or the commencement of the next day’s trading on the New York Stock Exchange) after a senior official of the issuer (or, in the case of a closed-end investment company, a senior official of the issuer’s investment adviser) learns that there has been a non-intentional disclosure by the issuer or person acting on behalf of the issuer of information that the senior official knows, or is reckless in not knowing, is both material and nonpublic.

If in fact the social media posts were non-intentional disclosures, “prompt” disclosure would have been appropriate.  Unfortunately, DraftKings did not make this information public until they did their regular earnings release seven days later.

The company entered into a cease-and-desist order and paid a civil money penalty of $200,000.

You can find more details, including discussion of the materiality of the information, how DraftKings’ policies related to the disclosures, and the impact of DraftKings’ cooperation during the investigation, in the SEC’s Press Release and the related Order.

As always, your thoughts and comments are welcome!

Insider Transaction and Beneficial Ownership Reporting – An Enforcement Reminder

Enforcement, Hot Topic

On September 25, 2024, the Enforcement Division announced settled actions against 23 companies and individuals relating to Section 16 and Section 13 reporting.  The various actions involved:

Failure of individuals to file Section 16 reports;

Failure of companies to report delinquent Section 16 reports; and

Failure of companies to file Forms 13D, 13G, 13F, and Section 16 reports.

The companies and individuals involved paid fines totaling $3.8 million.  The Enforcement Division included a link to a September 27, 2023 announcement of a similar sweep involving 11 cases, making it clear that this continues to be a focus of their work.

As always, your thoughts and comments are welcome.

Still an Enforcement Focus – More Attempts to Limit Whistleblower Protections

Enforcement, Hot Topic

On September 9, 2024, the SEC announced settled charges against seven companies for attempting to limit whistleblower rights through provisions in employment, separation and other agreements.  As you can read in the SEC’s Press Release and the related Orders, one  company tried to force employees to waive their right to whistleblower awards such as those the SEC pays to qualified whistleblowers.

This case is the latest in a litany of recent enforcement actions, including against J.P. Morgan for attempting to limit customers’ ability to blow the whistle and against D.E. Shaw and Co. L.P., Monolith Resources. and CBRE, Inc. for using employee agreements that violated whistleblower protection rules.

All these cases and the related civil penalties send direct and clear reminders to proactively review employment, termination and similar agreements to assure they do not run afoul of the whistleblower protection rules.

As always, your thoughts and comments are welcome!

A “Green” Enforcement Action

Enforcement

On September 10, 2024, the SEC announced a settled enforcement action against Keurig Dr Pepper, Inc. related to statements the company made in its 2019 and 2020 Form 10-Ks about the recyclability of its K-Cup coffee and tea pods.  In Item 1 of the company’s Form 10-K for the year ended December 31, 2020, the company said:

“In December 2020, we achieved our goal of making all K-Cup pods sold in the U.S. recyclable by the end of 2020, having converted all K-Cup pods sold in Canada to a recyclable format in 2018. The new pods are made of polypropylene #5 plastic, a material that is accepted curbside for recycling by many communities, and we have conducted extensive testing with municipal recycling facilities to validate that they can be effectively recycled. We continue to engage with municipalities and recycling facilities to advance the quantity and quality of recycled polypropylene and have committed $10 million toward the advancement of polypropylene recycling in the U.S. through the Polypropylene Recycling Coalition, an effort led by The Recycling Partnership and funded by leading brands, recyclers, converters and producers of polypropylene.”

According to the SEC’s Order what the company did not disclose in the 2019 and 2020 annual reports was that two large recycling companies “provided negative feedback concerning the commercial feasibility of curbside recycling of pods” and indicated that “they did not presently intend to accept pods for recycling.”

Without admitting or denying the findings Keurig Dr Pepper entered into a cease-and-desist order and paid a civil money penalty of $1,500,000.

An interesting aspect of this case is that it was brought under Section 13(a) of the 1934 Act and related Exchange Act Rule 13a-1, which relate to complete and accurate annual reports.

As always, your thoughts and comments are welcome.

FASB’s Conceptual Framework and a Related Chief Accountant Statement

FASB News

On July 12, 2024, the FASB issued the final chapter of its Conceptual Framework, finishing a process that has spanned decades.  The Conceptual Framework does not establish authoritative guidance.  In fact, all references to the Conceptual Framework were removed from the Codification in ASU 2024-02.  That said, the Conceptual Framework is a foundational part of the standard-setting process.

As you can read on the Concepts Statement section of the FASB’s webpage:

“The FASB Concepts Statements are intended to serve the public interest by setting the objectives, qualitative characteristics, and other concepts that guide selection of economic phenomena to be recognized and measured for financial reporting and their display in financial statements or related means of communicating information to those who are interested. Concepts Statements guide the Board in developing sound accounting principles and provide the Board and its constituents with an understanding of the appropriate content and inherent limitations of financial reporting.”

In this August 12, 2024, Statement, SEC Chief Accountant Dr. Paul Munter emphasized the importance of the Conceptual Framework in assuring that standard setting serves the public interest.  In the Statement Dr. Munter notes:

“Now that the updates to the Conceptual Framework are complete, it is important that the Board use it to guide its agenda-setting process and standard-setting deliberations, including to assist Board members in asking the right questions and objectively evaluating whether their views are consistent with the principles laid out in the Conceptual Framework.”

The Statement concludes with an emphasis on who the standard-setting process should serve:

“With the Conceptual Framework complete, the FASB’s focus on the guiding principles described in the Conceptual Framework can help it continue to develop high-quality accounting standards coupled with robust disclosures to best serve the needs of investors and protect the public interest.”

As always, your thoughts and comments are welcome.

ICFR Reporting and Acquisitions

Reporting

In the year a company completes an acquisition, ICFR reporting for the combined business can be problematic.  If the acquired company has been private, or has not built an ICFR evaluation process, it may not be practicable to include the acquired business in the acquiror’s assessment of ICFR, and, if applicable, in the auditor’s attestation report over ICFR.  This is particularly true when an acquisition happens near year end.

Interestingly, this situation is addressed not in Regulation S-X, but in a Sarbanes-Oxley C&DI:

Question 3 

Q: If a registrant consummates a material purchase business combination during its fiscal year, must the internal control over financial reporting of the acquired business be included in management’s report on internal control over financial reporting for that fiscal year?

A: As discussed above, we would typically expect management’s report on internal control over financial reporting to include controls at all consolidated entities. However, we acknowledge that it might not always be possible to conduct an assessment of an acquired business’s internal control over financial reporting in the period between the consummation date and the date of management’s assessment. In such instances, we would not object to management referring in the report to a discussion in the registrant’s Form 10-K or 10-KSB regarding the scope of the assessment and to such disclosure noting that management excluded the acquired business from management’s report on internal control over financial reporting. If such a reference is made, however, management must identify the acquired business excluded and indicate the significance of the acquired business to the registrant’s consolidated financial statements. Notwithstanding management’s exclusion of an acquired business’s internal controls from its annual assessment, a registrant must disclose any material change to its internal control over financial reporting due to the acquisition pursuant to Exchange Act Rule 13a-15(d) or 15d-15(d), whichever applies (also refer to the last two sentences in the answer to question 7). In addition, the period in which management may omit an assessment of an acquired business’s internal control over financial reporting from its assessment of the registrant’s internal control may not extend beyond one year from the date of acquisition, nor may such assessment be omitted from more than one annual management report on internal control over financial reporting.

On February 28, 2023, Lamb Weston Holdings, Inc., a global producer, distributor, and marketer of frozen potato products, acquired LW EMEA, an entity previously accounted for using the equity method.  Item 9A in the company’s Form 10-K for their fiscal year ended May 28, 2023, included this disclosure about the exclusion of the acquired company from the ICFR evaluation:

Our management, under the supervision and with the participation of our Chief Executive Officer and Chief Financial Officer and oversight of the Board of Directors, assessed the effectiveness of our internal control over financial reporting as of May 28, 2023. Management based this assessment on criteria for effective internal control over financial reporting described in Internal Control – Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission. Management’s assessment included evaluation of elements such as the design and operating effectiveness of key financial reporting controls, process documentation, accounting policies, and our overall control environment. Management’s assessment of internal control over financial reporting as of May 28, 2023 excludes internal control over financial reporting related to LW EMEA (acquired February 28, 2023), which accounted for 7% of consolidated net sales and 30% of consolidated total assets as of and for the year ended May 28, 2023. Based on this assessment, management concluded that, as of May 28, 2023, our internal control over financial reporting was effective to provide reasonable assurance regarding the reliability of financial reporting and the preparation of consolidated financial statements for external reporting purposes in accordance with GAAP. We reviewed the results of management’s assessment with the Audit and Finance Committee of our Board of Directors.

As always, your thoughts and comments are welcome!

Cybersecurity Event Disclosures – New C&DIs and an Announcement Addressing Selective Disclosure Concerns

SEC News

On June 24, 2024, CorpFin issued five new C&DIs addressing cybersecurity incident reporting on Form 8-K Item 1.05.  The C&DIs focus on situations where a company has experienced an attack such as a ransomware attack.  For example, C&DI 104B.05 states that if a company experiences an attack and makes a ransomware payment before a materiality determination is made, it must still make a materiality determination, and if the incident is material report it on Form 8-K Item 1.05.  New C&DI 104B.07 states that if insurance provides a recovery of all or a substantial portion of the payment, a materiality assessment based on both quantitative and qualitative considerations must still be made. And C&DI 104B.08 makes the point that the size of a ransomware payment is not the only factor in making a materiality determination.  Qualitative aspects such as potential reputational harm could make a cybersecurity incident material even in breaches where the financial impact is relatively small.

In another cybersecurity event disclosure development, on June 20, 2024, Erik Gerding, CorpFin Division Director, issued an Announcement titled “Selective Disclosure of Information Regarding Cybersecurity Incidents.”  In the Announcement Mr. Gerding states:

“Apparently, some companies are under the impression that if they experience a material cybersecurity incident, the Commission’s new rules prohibit them from discussing that incident beyond what was included in the Item 1.05 Form 8-K disclosing the incident.  That is not the case.”

Mr. Gerding notes that:

“Nothing in Item 1.05 prohibits a company from privately discussing a material cybersecurity incident with other parties or from providing information about the incident to such parties beyond what was included in an Item 1.05 Form 8-K.”

The Announcement then summarizes various concerns companies may have surrounding how Regulation FD may apply to disclosures to third parties such as vendors, customers or other companies that could be impacted by a similar incident.  After a brief review of applicable Regulation FD considerations, he then explores ways to avoid selective disclosure concerns, including a reminder that Regulation FD applies only to certain parties outside a company and that the use of confidentiality agreements can mitigate selective disclosure concerns.

As always, your thoughts and comments are welcome!

inSecurities Podcast Explores Recent U.S. Supreme Court Decisions

SEC Hot Topic, SEC News

Recent U.S Supreme Court decisions have addressed how the SEC can use its administrative court processes for fraud cases and ended the Chevron doctrine, which had created a presumption that courts must rely on an agency’s interpretations of ambiguous statutes.  In this episode of the inSecurities podcast, hosts Chris Ekimoff and Kurt Wolfe provide an understandable, inciteful and thorough discussion of the issues in both these areas and how the Court’s decisions may affect practice.

As always, your thoughts and comments are welcome!

Loops Do Close

Enforcement

Several years ago, on May 3, 2021, the SEC announced a settled enforcement action against Under Armour, Inc.  The starting point for this case was a 23% stock price drop when Under Armour disclosed that their revenue growth rate, historically over 20%, had fallen to 12% for the fourth quarter of 2016.  According to the SEC’s Accounting and Auditing Enforcement Release, the company used sales “pull forwards” to hide this slowing revenue growth rate from mid-2015 to the end of 2016.  The company paid a $9 million civil penalty and entered into a cease-and-desist order.

In this kind of case the SEC’s enforcement is usually only part of the story.  In a Form 8-K filed on June 20, 2024, more than three years after the SEC action, the company reported a settlement in related class action litigation:

Item 8.01. Other Events.

As previously disclosed, since early 2017 Under Armour, Inc. (the “Company”) has been engaged in securities class action litigation in the United States District Court for the District of Maryland (the “District Court”) under the caption In re Under Armour Securities Litigation, Case No. 17-cv-00388-RDB (the “Consolidated Securities Action”). The complaint asserted claims regarding the Company’s disclosures and accounting practices in connection with its sales between the third quarter of 2015 and the fourth quarter of 2016, specifically asserting claims under Sections 10(b) and 20(a) of the Securities Exchange Act of 1934, as amended (the “Exchange Act”), against the Company and Mr. Plank and under Section 20A of the Exchange Act against Mr. Plank.

On June 20, 2024, the Company and Mr. Plank entered into a Memorandum of Understanding (the “MOU”) with plaintiffs containing the material terms of a settlement resolving the Consolidated Securities Action. The parties intend to prepare a formal stipulation of settlement describing the terms of the proposed settlement, which will be presented to the District Court for preliminary approval in the coming weeks. Following preliminary approval of the proposed settlement by the District Court and a notice and review period for Class members, plaintiffs will seek final approval of the proposed settlement from the District Court. The settlement is not an admission of fault or wrongdoing by the Company or Mr. Plank.

The MOU provides that the Company will pay or will cause to be paid an amount equal to $434 million to the members of the class in the Consolidated Securities Action, which includes all persons and entities who purchased or otherwise acquired Class A and Class C common stock of Under Armour between September 16, 2015 and November 1, 2019(subject to certain exclusions) (the “Class”). As of March 31, 2024, the Company reported $858.7 million of cash and cash equivalents on its consolidated balance sheets, and no drawings on its $1.1 billion revolving credit facility.

As always, your thoughts and comments are welcome!

Yet Another Cybersecurity Enforcement Action

Enforcement, Hot Topic

On June 18, 2024, the SEC announced a settled enforcement action against R.R. Donnelly & Sons Co. focused on both ICFR and disclosure controls and procedures related to cybersecurity risk.  As you can read in the related Order, the company used an outside service provider to help monitor cybersecurity matters.  The service provider notified the company’s security personnel about a “network ransomware intrusion.”  Based in part on input from the service provider, R.R. Donnelly did not take further action or conduct a deeper investigation.  In this case the SEC maintains that R.R. Donnelly did not maintain effective ICFR related to cybersecurity risk because the company did not have appropriate controls to respond to these warnings.  In addition, the Order maintains that the company’s disclosure controls and procedures did not appropriately inform management responsible for making disclosure decisions about cybersecurity incidents.

The company, which cooperated with the SEC in the investigation, entered into a cease-and-desist order and paid a $2.125 million civil penalty.

In reaction to this enforcement, Commissioners Hester M. Peirce and Mark T. Uyeda gave a Statement titled “Hey, look, there’s a hoof cleaner! Statement on R.R. Donnelley & Sons, Co.,” which provides an interesting discussion of administrative versus accounting controls related to cybersecurity issues.

You can read about earlier cybersecurity related enforcement actions in this post which involves a CISO and this post which also mentions disclosure controls and procedures.

As always, your thoughts and comments are welcome!