Category Archives: Enforcement

A Proxy Reminder – Enforcement Focus on Perks Disclosure Continues!

As companies prepare for their next proxy statement, the SEC Enforcement Division has sent a reminder to focus carefully on perks disclosures. In the latest of its ongoing series of perks-related enforcement actions, on December 17, 2024, Express, Inc. was charged with failure to disclose $979,269 worth of perks paid to its CEO. (You can read about earlier cases in this blog post.)

A majority of the undisclosed perks were related to the CEO’s authorized personal use of chartered aircraft.  The company did not use the appropriate definition of perks when analyzing these costs, which resulted in the disclosure failure.

In the related Accounting and Auditing Enforcement Release, the SEC noted that its 2006 amendments to executive compensation disclosure requirements in S-K Item 402 clarify that:

 “An item is not a perquisite or personal benefit, if it is integrally and directly related to the performance of the executive’s duties. Otherwise, an item is a perquisite or personal benefit if it confers a direct or indirect benefit that has a personal aspect, without regard to whether it may be provided for some business reason or for the convenience of the company, unless it is generally available on a non-discriminatory basis to all employees.”

The 2006 amendments also state that the idea of a benefit that is “integrally and directly related” to job performance is intended to be very narrow and distinguishes between something provided because the executive needs it to do their job (thus making it integrally and directly related to the performance of duties), and something provided for some other reason, even where that other reason can involve “both company benefit and personal benefit.”

According to the SEC, Express “incorrectly applied a standard whereby a business purpose would be sufficient to determine that certain items were not perquisites or personal benefits that required disclosure.”  This is very similar to the issue in an earlier case involving Dow Chemical.

Express self-reported and cooperated extensively with the Enforcement Division.  Based on these actions the company was not fined but did enter into a cease-and-desist order.  Express was delisted from the NYSE in March 2024 and in April 2024 filed for bankruptcy and terminated its registration.

As always, your thoughts and comments are welcome.

Another Channel Stuffing Disclosure Enforcement

On November 12, 2024, the SEC announced yet another enforcement action focused on using sales incentives and similar strategies to achieve revenue targets without appropriate disclosure to investors about the use and impact of such strategies.  This action focuses on Elanco Animal Health Inc. (Elanco), which was spun off by Eli Lilly and Company in 2018. (You can read about earlier cases in this blog post.)

As is typical of this kind of case, it began with a surprise stock drop.  According to the SEC’s  Order:

“On May 7, 2020, Elanco announced an expected $160 million decline in revenue for the first and second quarters of 2020 that caused its share price to drop by over 13%. The statement cited the uncertainty of the COVID-19 pandemic and a ‘strategic change’ in Elanco’s inventory management practices – including reductions in channel inventory – as the reason for the decline. Elanco publicly stated that it had not anticipated a strategic change to reduce channel inventory levels when it started the year.”

What the company did not disclose was that from the first quarter of 2019 to the first quarter of 2020 it had relied on incentives to generate sales to distributors to meet revenue targets.  Internally Elanco referred to these sales as the “Quarter-End Incentivized Sales” or “Incentivized Sales.”   Achieving revenue targets was particularly important for Elanco as a newly public company.  As is usually the case, this practice could not go on indefinitely because inventory channels had become overstocked.

When management knows there is a potential problem on the horizon (e.g., failing to meet sales growth expectations, as in this case), the known-trend MD&A requirements of S-K Item 303 require that companies disclose:

“Known trends or uncertainties that have had or that the registrant reasonably expects will have a material favorable or unfavorable impact on net sales or revenues or income from continuing operations.”

Again, from the SEC’s Order:

“From May 2019 through May 2020, Elanco’s public disclosures misled investors by attributing its revenue and revenue growth to strong consumer demand for its products while failing to disclose the material impact of its Quarter-End Incentivized Sales and the reasonably likely risk that such sales practices could have a negative impact on revenue in future quarters.

Elanco’s use of Quarter-End Incentivized Sales created an uncertainty or event that was known to Elanco’s senior management and reasonably expected to have a material effect on its future revenues.”

The SEC also included the failure of Elanco’s disclosure controls and procedures in the enforcement.

One important aspect of this case relates to revenue recognition accounting.  There was no issue with how and when Elanco recognized revenue.  No accounting issues were raised in the AAER.  This enforcement is all about disclosure.

Elanco entered into a Cease-and-Desist Order and paid a $15,000,000 civil money penalty.

As always, your thoughts and comments are welcome!

Enforcement Division 2024 Results

On November 22, 2024, the SEC published a summary of the Enforcement Division’s fiscal-year 2024 results.  As it has in prior years, the results were published in a Press Release and accompanying Addendum where you can find all the details about types and numbers of cases.

In fiscal year 2024 the Division filed 583 total enforcement actions, a 26 percent decline from 2023.  The 583 total actions included 431 “stand-alone” actions and 93 “follow-on” administrative proceedings to bar or suspend individuals.

Continuing its focus on gatekeepers, during 2024 the SEC obtained 124 officer and director bars.

The SEC obtained orders for $8.2 billion in financial remedies in 2024, the highest amount in SEC history.

If you would like to get an in-depth perspective on the report, you can listen to our InSecurities podcast episode in which hosts Chris Ekimoff and Kurt Wolfe discuss the results with former SEC Enforcement Director Gurbir Grewal.

As always, your thoughts and comments are welcome!

Enforcement for Cybersecurity Risk Disclosure Shortfalls

On October 22, 2024, the SEC announced settled enforcement actions against four companies focused on disclosures about cybersecurity risks and actual cybersecurity intrusions. The four companies were Avaya Holdings Corp., Check Point Software Technologies Ltd, Mimecast Limited, and Unisys Corp. All four of the cases have their roots in the SolarWinds Orion software cybersecurity hack.

According to the SEC, all four of the companies downplayed the impact of cybersecurity events. In the SEC’s Press Release, Jorge G. Tenreiro, Acting Chief of the Crypto Assets and Cyber Unit, stated, “In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned of risks had already materialized.” This is a recurring issue in cybersecurity cases and SEC comments. In another of the cases, the company described a breach as having involved access to a limited number of email messages when in fact the company knew that 145 files, some of which involved sensitive company information, had been breached. The Unisys Corp. case also focused on deficient disclosure controls and procedures.

You can read more details about each case and find links to each Order in the SEC’s Press Release.

All the companies entered into cease-and-desist orders and paid fines ranging from $990,000 to $4 million.

As always, your thoughts and comments are welcome!

A Regulation FD Double Down – DraftKings

Back in April 2013, the SEC issued a Report of Investigation addressing dissemination of information via social media channels.  The report focused on a Netflix CEO’s use of social media to disclose information relevant to investors without previously telling investors that information would be released via social media.  In the report the SEC announced that social media disclosure of information was likely not public disclosure for purposes of Regulation FD, unless investors had previously been alerted that specific social media channels would be used to disseminate information to the public.

Unfortunately, on July 27, 2023, DraftKings’ public relations firm posted information about “really strong growth” on the personal X and LinkedIn accounts of the company’s CEO.  The company had not provided prior notice that social media accounts would be used to make information public.  DraftKings’ management instructed the public relations firm to remove the posts soon after they were published.  Given that the social media posts provided previously non-public information about growth and that the information was likely material, this was probably an inadvertent selective disclosure.

Regulation FD describes two types of selective disclosure, intentional and non-intentional.  Each type has a separate required time frame to make information public.  From Regulation FD:

(a) Whenever an issuer, or any person acting on its behalf, discloses any material nonpublic information regarding that issuer or its securities to any person described in paragraph (b)(1) of this section, the issuer shall make public disclosure of that information as provided in § 243.101(e):

(1) Simultaneously, in the case of an intentional disclosure; and

(2) Promptly, in the case of a non-intentional disclosure.

The term “promptly” is defined in the rule:

Promptly. “Promptly” means as soon as reasonably practicable (but in no event after the later of 24 hours or the commencement of the next day’s trading on the New York Stock Exchange) after a senior official of the issuer (or, in the case of a closed-end investment company, a senior official of the issuer’s investment adviser) learns that there has been a non-intentional disclosure by the issuer or person acting on behalf of the issuer of information that the senior official knows, or is reckless in not knowing, is both material and nonpublic.

If in fact the social media posts were non-intentional disclosures, “prompt” disclosure would have been appropriate.  Unfortunately, DraftKings did not make this information public until they did their regular earnings release seven days later.

The company entered into a cease-and-desist order and paid a civil money penalty of $200,000.

You can find more details, including discussion of the materiality of the information, how DraftKings’ policies related to the disclosures, and the impact of DraftKings’ cooperation during the investigation, in the SEC’s Press Release and the related Order.

As always, your thoughts and comments are welcome!

Insider Transaction and Beneficial Ownership Reporting – An Enforcement Reminder

On September 25, 2024, the Enforcement Division announced settled actions against 23 companies and individuals relating to Section 16 and Section 13 reporting.  The various actions involved:

Failure of individuals to file Section 16 reports;

Failure of companies to report delinquent Section 16 reports; and

Failure of companies to file Forms 13D, 13G, 13F, and Section 16 reports.

The companies and individuals involved paid fines totaling $3.8 million.  The Enforcement Division included a link to a September 27, 2023 announcement of a similar sweep involving 11 cases, making it clear that this continues to be a focus of their work.

As always, your thoughts and comments are welcome.

Still an Enforcement Focus – More Attempts to Limit Whistleblower Protections

On September 9, 2024, the SEC announced settled charges against seven companies for attempting to limit whistleblower rights through provisions in employment, separation and other agreements.  As you can read in the SEC’s Press Release and the related Orders, one  company tried to force employees to waive their right to whistleblower awards such as those the SEC pays to qualified whistleblowers.

This case is the latest in a litany of recent enforcement actions, including against J.P. Morgan for attempting to limit customers’ ability to blow the whistle and against D.E. Shaw and Co. L.P., Monolith Resources, and CBRE, Inc. for using employee agreements that violated whistleblower protection rules.

All these cases and the related civil penalties send direct and clear reminders to proactively review employment, termination and similar agreements to assure they do not run afoul of the whistleblower protection rules.

As always, your thoughts and comments are welcome!

A “Green” Enforcement Action

On September 10, 2024, the SEC announced a settled enforcement action against Keurig Dr Pepper, Inc. related to statements the company made in its 2019 and 2020 Form 10-Ks about the recyclability of its K-Cup coffee and tea pods.  In Item 1 of the company’s Form 10-K for the year ended December 31, 2020, the company said:

“In December 2020, we achieved our goal of making all K-Cup pods sold in the U.S. recyclable by the end of 2020, having converted all K-Cup pods sold in Canada to a recyclable format in 2018. The new pods are made of polypropylene #5 plastic, a material that is accepted curbside for recycling by many communities, and we have conducted extensive testing with municipal recycling facilities to validate that they can be effectively recycled. We continue to engage with municipalities and recycling facilities to advance the quantity and quality of recycled polypropylene and have committed $10 million toward the advancement of polypropylene recycling in the U.S. through the Polypropylene Recycling Coalition, an effort led by The Recycling Partnership and funded by leading brands, recyclers, converters and producers of polypropylene.”

According to the SEC’s Order what the company did not disclose in the 2019 and 2020 annual reports was that two large recycling companies “provided negative feedback concerning the commercial feasibility of curbside recycling of pods” and indicated that “they did not presently intend to accept pods for recycling.”

Without admitting or denying the findings Keurig Dr Pepper entered into a cease-and-desist order and paid a civil money penalty of $1,500,000.

An interesting aspect of this case is that it was brought under Section 13(a) of the 1934 Act and related Exchange Act Rule 13a-1, which relate to complete and accurate annual reports.

As always, your thoughts and comments are welcome.

Loops Do Close

Several years ago, on May 3, 2021, the SEC announced a settled enforcement action against Under Armour, Inc.  The starting point for this case was a 23% stock price drop when Under Armour disclosed that their revenue growth rate, historically over 20%, had fallen to 12% for the fourth quarter of 2016.  According to the SEC’s Accounting and Auditing Enforcement Release, the company used sales “pull forwards” to hide this slowing revenue growth rate from mid-2015 to the end of 2016.  The company paid a $9 million civil penalty and entered into a cease-and-desist order.

In this kind of case the SEC’s enforcement is usually only part of the story.  In a Form 8-K filed on June 20, 2024, more than three years after the SEC action, the company reported a settlement in related class action litigation:

Item 8.01. Other Events.

As previously disclosed, since early 2017 Under Armour, Inc. (the “Company”) has been engaged in securities class action litigation in the United States District Court for the District of Maryland (the “District Court”) under the caption In re Under Armour Securities Litigation, Case No. 17-cv-00388-RDB (the “Consolidated Securities Action”). The complaint asserted claims regarding the Company’s disclosures and accounting practices in connection with its sales between the third quarter of 2015 and the fourth quarter of 2016, specifically asserting claims under Sections 10(b) and 20(a) of the Securities Exchange Act of 1934, as amended (the “Exchange Act”), against the Company and Mr. Plank and under Section 20A of the Exchange Act against Mr. Plank.

On June 20, 2024, the Company and Mr. Plank entered into a Memorandum of Understanding (the “MOU”) with plaintiffs containing the material terms of a settlement resolving the Consolidated Securities Action. The parties intend to prepare a formal stipulation of settlement describing the terms of the proposed settlement, which will be presented to the District Court for preliminary approval in the coming weeks. Following preliminary approval of the proposed settlement by the District Court and a notice and review period for Class members, plaintiffs will seek final approval of the proposed settlement from the District Court. The settlement is not an admission of fault or wrongdoing by the Company or Mr. Plank.

The MOU provides that the Company will pay or will cause to be paid an amount equal to $434 million to the members of the class in the Consolidated Securities Action, which includes all persons and entities who purchased or otherwise acquired Class A and Class C common stock of Under Armour between September 16, 2015 and November 1, 2019 (subject to certain exclusions) (the “Class”). As of March 31, 2024, the Company reported $858.7 million of cash and cash equivalents on its consolidated balance sheets, and no drawings on its $1.1 billion revolving credit facility.

As always, your thoughts and comments are welcome!

Yet Another Cybersecurity Enforcement Action

On June 18, 2024, the SEC announced a settled enforcement action against R.R. Donnelley & Sons Co. focused on both ICFR and disclosure controls and procedures related to cybersecurity risk. As you can read in the related Order, the company used an outside service provider to help monitor cybersecurity matters. The service provider notified the company’s security personnel about a “network ransomware intrusion.” Based in part on input from the service provider, R.R. Donnelley did not take further action or conduct a deeper investigation. In this case the SEC maintains that R.R. Donnelley did not maintain effective ICFR related to cybersecurity risk because the company did not have appropriate controls to respond to these warnings. In addition, the Order maintains that the company’s disclosure controls and procedures did not appropriately inform management responsible for making disclosure decisions about cybersecurity incidents.

The company, which cooperated with the SEC in the investigation, entered into a cease-and-desist order and paid a $2.125 million civil penalty.

In reaction to this enforcement, Commissioners Hester M. Peirce and Mark T. Uyeda gave a Statement titled “Hey, look, there’s a hoof cleaner! Statement on R.R. Donnelley & Sons, Co.,” which provides an interesting discussion of administrative versus accounting controls related to cybersecurity issues.

You can read about earlier cybersecurity-related enforcement actions in this post, which involves a CISO, and this post, which also mentions disclosure controls and procedures.

As always, your thoughts and comments are welcome!