Category Archives: Hot Topic

Chair Gensler Cybersecurity Speech – Cybersecurity and Securities Law

On March 9, 2022, as you can read in this Meeting Notice, the SEC is meeting to consider rule making about “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.”

As a bit of background, on January 24, 2022, Chair Gary Gensler delivered a speech titled “Cybersecurity and Securities Laws” at the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute.  He addressed cybersecurity from a variety of perspectives, including a discussion of what may be the very first “hack”, a telegraph scheme in France in 1834!  His remarks included this discussion of public company cybersecurity disclosures, which provides important insights for drafting risk factor and related cybersecurity disclosures in 34 Act reports:

Public Companies

Next, let me turn to public companies’ disclosure with respect to cyber risk and cyber events.

The basic bargain is this: Investors get to decide what risks they wish to take. Companies that are raising money from the public have an obligation to share information with investors on a regular basis.

Disclosure regimes evolve over the decades. Cybersecurity is an emerging risk with which public issuers increasingly must contend.

Thus, I’ve asked staff to make recommendations for the Commission’s consideration around companies’ cybersecurity practices and cyber risk disclosures. This may include their practices with respect to cybersecurity governance, strategy, and risk management.

A lot of issuers already provide cyber risk disclosure to investors. I think companies and investors alike would benefit if this information were presented in a consistent, comparable, and decision-useful manner.

In addition, I’ve asked staff to make recommendations around whether and how to update companies’ disclosures to investors when cyber events have occurred.

Make no mistake: Public companies already have certain obligations when it comes to cybersecurity disclosures. If customer data is stolen, if a company paid ransomware, that may be material to investors. As recent cases show, failure to make accurate disclosures of cybersecurity incidents and risks can result in enforcement actions.

You can find links to discussions of cybersecurity enforcement cases listed in this post about SEC enforcement priorities.

As always, your thoughts and comments are welcome!

A Climate Change Comment Letter

On February 24, 2021, Acting Chair Allison Herren Lee issued a Statement on the Review of Climate-Related Disclosure in which she directed the CorpFin staff to “enhance its focus on climate-related disclosures” in filing reviews.  On September 22, 2021, CorpFin issued a Sample Letter to Companies Regarding Climate Change Disclosures to provide example climate change comments.  The issues raised in the sample letter to companies are consistent with the SEC’s 2010 FR-82 – Commission Guidance Regarding Disclosure Related to Climate Change.  You can find more background in this blog post.

The staff posts all the comment letters and responses from an individual company review twenty business days or more after the review is closed.  Some climate change related reviews are now being posted on the EDGAR system.  Cintas, Monster, and Palo Alto Networks are among the companies that have received climate change related comment letters.

Cintas received a climate change related comment letter in September 2021.  You can read the complete SEC comment letters and company responses with these links:

First SEC comment letter – Dated September 16, 2021 – five climate comments

First company response – Dated September 28, 2021

Second SEC comment letter – Dated October 21, 2021

Second company response – Dated November 3, 2021

Closing letter – Dated January 14, 2022

The first comment in the SEC’s letter to Cintas is essentially the same as the first example in the Sample Letter to Companies:

  1. We note that you provided more expansive disclosure in your CSR report than you provided in your SEC filings. Please advise us what consideration you gave to providing the same type of climate-related disclosure in your SEC filings as you provided in your CSR report.

The company’s first response to this comment was:

Response: In response to the Staff’s comment, the Company respectfully advises the Staff that the Company’s Environmental, Social and Governance Report (“ESG Report”) is designed to provide selected information regarding the Company’s ESG performance to a broad audience that includes investors, employee-partners, customers, communities, suppliers and other interested parties. As a result, the ESG Report may include detailed information, such as information regarding the Company’s efforts to reduce energy use and greenhouse gas (“GHG”) emissions, that is beyond the scope of the information that is required to be disclosed pursuant to applicable SEC rules and/or regulations. When considering whether to include climate-related disclosure in its SEC filings, including the type of climate-related disclosure provided in the ESG Report, the Company takes into account applicable SEC rules and regulations, including Item 101, Item 103, Item 105 and Item 303 of Regulation S-K, as well as the SEC’s Compliance and Disclosure Interpretations, available guidance from the Staff (including the SEC’s 2010 Commission Guidance Regarding Disclosure Related to Climate Change) and applicable standards of materiality. The Company also considers that, while certain climate-related information may be of interest to readers of the ESG Report, such information may not be material to investors in the context of an SEC filing, while SEC filings may otherwise include separate climate-related disclosure required pursuant to Regulation S-K and other applicable SEC rules, regulations and guidance. The Company respectfully advises the Staff that it will, in response to the Staff’s comment, and historical practice, continue to evaluate its climate-related disclosure in SEC filings in light of applicable SEC rules, regulations and guidance and applicable standards of materiality.

The SEC’s follow-up comment letter did not raise this issue again.

The fourth comment in the original letter addressed, consistent with FR-82 and the Sample Letter, the indirect effects of climate change:

  1. To the extent material, discuss the indirect consequences of climate-related regulation or business trends, such as the following:
  • decreased demand for goods or services that produce significant greenhouse gas emissions or are related to carbon-based energy sources;
  • increased demand for goods or services that result in lower emissions than competing products;
  • increased competition to develop innovative new services that result in lower emissions; and
  • any anticipated reputational risks resulting from operations or products that produce material greenhouse gas emissions.

The company’s first response to this comment was:

Response: In response to the Staff’s comment, the Company respectfully advises the Staff that the Company considers applicable SEC disclosure rules, regulations, and guidance, including Item 101, Item 105 and Item 303 of Regulation S-K, when preparing its SEC filings and, as applicable and to the extent material, evaluates disclosure regarding indirect consequences of climate-related regulation or business trends. As of the filing of the Form 10-K, however, the Company had not identified any material indirect consequences of climate-related regulation or business trends. The Company respectfully advises the Staff that it will, in response to the Staff’s comment, and historical practice, continue to evaluate its climate-related disclosure in SEC filings, including disclosure regarding the indirect consequences of climate-related regulation or business trends, in light of applicable SEC rules, regulations and guidance and applicable standards of materiality.

The SEC’s second letter included a follow-up comment about this issue:

  1. Your response to prior comment 3, which states that you have not identified any material indirect consequences of climate-related regulation or business trends, appears to be conclusory without providing sufficient detail. Please provide us with additional support for your conclusion, including with regard to the individual items noted in our prior comment.

The company’s second response expanded its answer:

Response: As background for the Staff, the Company respectfully advises the Staff that the Company provides certain products and services that generally enhance its customers’ image and help keep customers’ facilities and employees clean and safe. These products and services include uniforms through rental and sales programs, mats, mops, restroom supplies, first aid and safety products, fire extinguishers and testing and safety training. None of these products produce significant greenhouse gas emissions. The Company generally provides these products to customers via approximately 11,000 local delivery routes. These local delivery routes are run by Company employees on Company-owned trucks. These trucks do create greenhouse gas (“GHG”) emissions in compliance with current regulatory emissions requirements. Many of the Company’s products, such as uniforms, mats, mops and other rentable products, are laundered in Company-owned laundry facilities. The laundering process uses water and energy to run the washers, dryers and other processing equipment.

In response to the Staff’s comment, the Company respectfully advises the Staff that, at the time of the filing of the Form 10-K and to date, aside from the general economic effects of the COVID-19 pandemic on its customers, the Company did not experience and has not experienced any significant decreased demand for products or services, whether such products or services might produce significant GHG emissions or are related to carbon-based energy sources, or significant demand for products or services that might result in lower emissions than competing products or services. The Company did not identify and has not identified any significant changes in competition due to innovative new services that result in lower emissions. While the Company has had inquiries from customers and investors about its fleet and laundry processes with regards to GHG emissions and other carbon-based energy impacts, the Company did not identify and has not identified any material reputational risks resulting from these inquiries.

The next letter the SEC sent to the company was the closing letter, which included the SEC’s standard closing language:

We have completed our review of your filing. We remind you that the company and its management are responsible for the accuracy and adequacy of their disclosures, notwithstanding any review, comments, action or absence of action by the staff.

As always, your thoughts and comments are welcome!

A Climate Change Related SEC Comment

Climate change has been a major and well publicized part of the SEC’s agenda in the last year.  As you can read on the climate change section of the SEC’s webpage, CorpFin focused on climate change in the review process, the Enforcement Division formed a climate change task force, and the Commission issued an Invitation to Comment on climate change related matters.

CorpFin comment letters have addressed climate change.  On September 22, 2021, the staff issued this sample letter to companies providing examples of the types of comments it is issuing.

A recent comment letter to CarMax Auto Funding LLC regarding a registration statement disclosure provides an example of a climate change comment:

Risk Factors, page 38

  1. To the extent that you believe investors in these asset-backed securities may be impacted by climate related events, including, but not limited to, existing or pending legislation or regulation that relates to climate change, please consider revising your disclosure to describe these risks. See the Commission’s Guidance Regarding Disclosure Related to Climate Change, Interpretive Release No. 33-9106 (February 8, 2010).

The Interpretive Release mentioned in this comment, also known as FR 82, can be found here.

The company responded to this comment with modified risk factor disclosure.  You can find the modified risk factor and an example of a risk factor summary in the registration statement.

As always, your thoughts and comments are welcome.

A Busy Holiday Season at the SEC

The SEC was busy in the weeks before the holiday season, taking several significant actions.  Here is a summary you can use to explore each development.

Latest Reg Flex Agenda

The SEC published its latest regulatory agenda, which you can review here.  Key issues to be addressed in the near-term include climate change and human capital resources disclosures.  Cybersecurity risk governance is also on the agenda.

Proposed New Rules for 10b5-1 Plans

On December 15, 2021, the SEC proposed amendments to Rule 10b5-1 to “strengthen the affirmative defense to insider trading” provided by the rule.  Details are in this related Fact Sheet and the Proposed Rule.  One significant change would be a 120-day cooling-off period before trading could begin under a plan.

Proposed New Rules and Disclosures for Stock Buybacks

On December 15, 2021, the SEC proposed amendments to its rules requiring disclosure about repurchases of equity securities.  You can read more in this Fact Sheet and the Proposed Rule.  Companies would be required to provide a new Form SR before the end of the first business day following a buyback.  In addition, periodic disclosures would include disclosure of the objective of share repurchases and any related process.

CorpFin Announcement on Personally Identifiable Information in Rule 14a-8 Submissions

On December 17, 2021, CorpFin issued this Announcement requiring companies to redact all personally identifiable and any other related sensitive information from Rule 14a-8 submissions related to shareholder proposals.  The announcement also addresses how shareholder proponents should limit the amount of personally identifiable and sensitive information they include in correspondence to only information required to establish their eligibility to submit a proposal.

As always, your thoughts and comments are welcome!

Cybersecurity Insights from Commissioner Roisman

On October 29, 2021, SEC Commissioner Elad L. Roisman delivered a speech to the Los Angeles County Bar titled “Cybersecurity: Meeting the Emerging Challenge.”  In this speech he addresses important cybersecurity matters, beginning with this introductory section – “Understanding that You May be a Victim.”

“Before I go further, it’s important to acknowledge a point that is sometimes overlooked in discussions about cybersecurity.  In the case of cyber-crimes, companies are the targets and victims.  The last thing a company wants is to suffer this kind of criminal and illegal attack.  But, today, the threat of a cyber-attack is so constant and significant for every market participant that it should be viewed as a substantial likelihood.

The SEC has imposed specific obligations on particular registrants relating to certain cybersecurity risks.  But it’s undeniable that our registrants, who have more general obligations under the securities laws—such as to serve the best interests of clients or to shareholders—also are accountable for taking measures to prevent and mitigate damage from these threats as part of their broader responsibilities.

Accordingly, it has become increasingly important for market participants to work with counsel and other experts on preparing for potential cyber-attacks before they happen—that is, devising a plan for monitoring for cyber threats, responding to potential breaches, and understanding when information must be reported outside the company and to whom.”

After asserting that a cyber-attack should be viewed as a risk with a “substantial likelihood” and that companies should take measures to address this risk, he discusses cybersecurity risk for a variety of entities that the SEC regulates, including exchanges, SROs, advisors, broker-dealers and others.

In the section addressing public issuers, he reviews the SEC’s 2018 Release “Commission Statement and Guidance on Public Company Cybersecurity Disclosures.”  In a related footnote he mentions that the Division of Corporation Finance “blazed trail” for this release with Disclosure Guidance Topic 2.  He reminds issuers that disclosure requirements in areas including risk factors, description of the business and MD&A may create obligations to disclose cybersecurity-related matters.  He also mentions that the 2018 Release focuses on the importance of disclosure controls and procedures.  (See this post for an enforcement case about cybersecurity-related disclosure controls and procedures.)

Commissioner Roisman also discusses internal accounting controls over cybersecurity risk, mentioning the SEC’s 2018 “21(a) Report” that focused on cases where companies had been victimized in cybersecurity-related fraud.  That report, which did not enforce against the victim companies, reminded companies that internal accounting controls should address these kinds of risks.

Commissioner Roisman notes that the SEC’s rulemaking agenda includes issuer cybersecurity matters, but that no formal rulemaking has taken place yet.  He provides these thoughts about possible rulemaking:

“But I will let you know some of the things that I would be looking for as I consider any additional rules in this area.  First, we need to define any new legal obligations clearly.  Second, we need to make sure that these obligations do not create inconsistencies with requirements established by our sister government agencies.  Third, we should recognize that some registrants have greater resources than others, and we should not try to set the resource requirements for an entity.  And finally, because issuers’ businesses vary, the cybersecurity-related risks they face also will vary, and therefore a principles-based rule would likely work best.”

Commissioner Roisman’s thoughts provide helpful insights that can lead to action steps as we address cybersecurity risk going forward.

As always, your thoughts and comments are welcome!

PLI’s InSecurities Podcast Explores 2021 SEC Enforcement Results

On November 18, 2021, the SEC issued a detailed Press Release reviewing Enforcement Division activity for 2021.  This Press Release, while a departure from the “glossy” annual report in previous years, provides significant information about the types of enforcement cases, sanctions and focus areas of the Division.  If you would like more insight into the Division’s activities, PLI’s InSecurities podcast, hosted by Chris Ekimoff and Kurt Wolfe, provides a deep dive discussion in this “Special Episode: The 2021 SEC Enforcement ‘Report,’” featuring Sarah Heaton Concannon, who recently left the Enforcement Division.

As always, your thoughts and comments are welcome!

Yet Another Perks Enforcement Case!

As we have blogged about on previous occasions, the SEC Enforcement Division is actively watching for companies that fail to adequately disclose executive perks.  In a recent case against ProPetro Holding Corp., an oilfield services company, and its former CEO, the SEC underscored this point in their enforcement agenda.

The Press Release announcing this case states:

“The SEC’s order finds that Redman (the former CEO) caused ProPetro to incur $380,594 worth of personal and travel expenses unrelated to the performance of his duties as CEO. He also failed to disclose to company personnel that he had pledged all of his ProPetro stock in two private real estate transactions. During the same period, ProPetro failed to properly disclose $47,591 in additional, authorized perks it paid to Redman.”

As you can read in the related AAER, use of a company aircraft for personal trips and use of a company credit card for personal expenses were major parts of this case.

As is typical in these cases, ProPetro and Redman agreed to cease and desist from further violations, and the former CEO agreed to pay a $195,046 penalty. The order notes ProPetro’s significant cooperation with the agency’s investigation as well as its very extensive remedial efforts, including “hiring an entirely new management team with significant public company experience, hiring additional finance department personnel, installing several new directors, and developing new controls, policies, and procedures concerning perks.”  The company did not pay a penalty.

These steps go well beyond company actions and the SEC’s sanctions in other cases, such as when Dow Chemical was required to hire an independent consultant to conduct a review of its policies, procedures, controls, and training relating to perks.

As always, your thoughts and comments are welcome!

SEC Adopts Universal Proxy Rules and Proposes Proxy Advisor Changes

On November 17, 2021, the SEC took two proxy-related actions.  The Commission:

  1. Adopted a Final Rule that requires the use of universal proxy cards in contested director elections.
  2. Proposed rules that would rescind two 2020 rules applicable to proxy voting advice.

Universal Proxy Final Rule

In a 4 to 1 vote the Commission adopted a Final Rule that requires all parties in a contested director election to use a universal proxy card, that is, a card that includes all director nominees.  In the related Press Release, Chair Gensler said:

“These amendments address concerns that shareholders voting by proxy cannot vote for a mix of dissident and registrant nominees in an election contest, as they could if voted in person.  Today’s amendments will put these candidates on the same ballot. They will put investors voting in person and by proxy on equal footing. This is an important aspect of shareholder democracy.”

You can read more about the requirements for universal proxy cards and related procedural changes in this Fact Sheet and the related Final Rule.  The rules will be effective for contested director elections held after August 31, 2022.

Proxy Voting Advice Rules

The Commission voted to propose rules that would rescind two 2020 rules related to proxy voting advice.  The proposed rules would rescind, for proxy advisory firms, conditions to the availability of two exemptions from informational and filing requirements in the proxy rules.

According to the related Press Release:

“Investors and others have expressed concerns that these conditions will impose increased compliance costs on proxy voting advice businesses and impair the independence and timeliness of their proxy voting advice.”

You can read more in this Fact Sheet and the related Proposed Rule.

As always, your thoughts and comments are welcome!

Shareholder Proposals – CorpFin Issues Staff Legal Bulletin 14L

On November 3, 2021, CorpFin issued Shareholder Proposals: Staff Legal Bulletin No. 14L to provide information about Rule 14a-8 – Shareholder Proposals.  The new Staff Legal Bulletin, or SLB, rescinds old SLBs 14I, 14J and 14K.

The first section of the new SLB:

“outlines the Division’s views on Rule 14a-8(i)(7), the ordinary business exception, and Rule 14a-8(i)(5), the economic relevance exception.”

The discussion of these issues centers on the significant social policy exception and micromanagement.

The SLB also republishes with some “primarily technical, conforming changes,” earlier SLB guidance about using graphics and images, and proof of ownership letters.

Lastly, the new SLB includes new guidance about using email for submission of proposals, delivery of notice of defects, and responses to those notices.

You can gain perspective about the changes in the SLB in this Statement from Chair Gary Gensler and this Statement from Commissioners Peirce and Roisman.

As always, your thoughts and comments are welcome.

IFRS Foundation Creates International Sustainability Standards Board and Announces Consolidation with the CDSB and VRF

While the SEC has been working on its climate change and ESG rule proposal (see more below), the IFRS Foundation has been actively considering the need for a new sustainability standards board.  This September 2020 “Consultation Paper” provided background and sought input about creating a separate sustainability standards board.  In February 2021, the Foundation announced their intention to formally consider establishing a new board.  One month later, this March 2021 statement set out the strategic direction for the proposed new board.

The Foundation’s work came to fruition quickly.  On November 3, 2021, at the 26th UN Climate Change Conference of the Parties (COP26) in Glasgow, the IFRS Foundation Trustees announced that they have formed the International Sustainability Standards Board or ISSB.  This Board will focus on building a “global baseline of high-quality sustainability standards to meet investors’ information needs.”

In addition to the creation of the ISSB, the Foundation also announced that the Climate Disclosure Standards Board and the Value Reporting Foundation will consolidate with the ISSB.  The Climate Disclosure Standards Board is an initiative of the Carbon Disclosure Project (CDP).  The Value Reporting Foundation was formed via the recent consolidation of the Sustainability Accounting Standards Board and the International Integrated Reporting Council.

The IFRS Foundation has already begun foundational work on standard setting, forming a Technical Readiness Working Group to develop prototype climate and general disclosure requirements.  You can review progress so far in this “Summary of the Technical Readiness Working Group’s Programme of Work.”

While all this is happening in the international realm, the SEC is continuing to work on its approach to climate change and ESG reporting.  Chair Gary Gensler made this clear in his speech “Prepared Remarks Before the Principles for Responsible Investment ‘Climate and Global Financial Markets’ Webinar”:

“Companies and investors alike would benefit from clear rules of the road. I believe the SEC should step in when there’s this level of demand for information relevant to investors’ decisions.

Thus, I have asked SEC staff to develop a mandatory climate risk disclosure rule proposal for the Commission’s consideration by the end of the year.

I think we can bring greater clarity to climate risk disclosures.

I believe, though, we should move forward to write rules and establish the appropriate climate risk disclosure regime for our markets, as we have in prior generations for other disclosure regimes.”

While it now appears that this proposal may happen in early 2022, the SEC is clearly working to establish its own reporting standards.

As always, your thoughts and comments are welcome!