On February 28, 2024, the SEC announced it will consider a final rule for climate-related disclosures on March 6, 2024. You can find the announcement and the agenda here. You can find information about the webcast of the meeting here.
As always, your thoughts and comments are welcome!
On January 16, 2024, the SEC announced a settled enforcement action against J.P. Morgan Securities LLC (JPMS) for violating whistleblower protection laws. As you can read in this post, we have blogged on a number of occasions about companies that have violated these laws by trying to restrict current and former employees from blowing the whistle. JPMS’s case involves a very different situation, trying to restrict a customer’s ability to blow the whistle. When advisory clients and brokerage customers received a credit or settlement of over $1,000 from JPMS, the company required them to sign an agreement to keep the details of the settlement and other information confidential. While the agreements permitted clients to respond to SEC inquiries, they limited their ability to blow the whistle to the SEC.
In the Press Release announcing the settlement, Enforcement Division Director Gurbir S. Grewal noted:
“For several years, it (JPMS) forced certain clients into the untenable position of choosing between receiving settlements or credits from the firm and reporting potential securities law violations to the SEC.”
You can read more about the settlement, in which JPMS entered into a cease and desist order, paid a $18 million fine and was censured, in the related Press Release and Order.
As always, your thoughts and comments are welcome!
As we discussed in this blog post, one of the challenges in the SEC’s July 2023 cybersecurity disclosure rules is determining when an Item 1.05 Form 8-K to disclose a material cybersecurity incident will be required. The Instructions for the 1.05 Form 8-K state:
Item 1.05 Material Cybersecurity Incidents.
(a) If the registrant experiences a cybersecurity incident that is determined by the registrant to be material, describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.
The instructions also state:
A registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.
On December 18, 2023, V.F. Corporation, a marketer of “Active-Lifestyle Brands,” filed an Item 1.05 Form 8-K. After a description of the cybersecurity breach and its impact on the company’s operations, the Form 8-K includes this language about materiality:
As the investigation of the incident is ongoing, the full scope, nature and impact of the incident are not yet known. As of the date of this filing, the incident has had and is reasonably likely to continue to have a material impact on the Company’s business operations until recovery efforts are completed. The Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.
As always, your thoughts and comments are welcome!
When the SEC issued its new cybersecurity disclosure Final Rule, it created the new Item 1.05 Form 8-K requiring disclosure of material cybersecurity incidents. You can read more about the Final Rule and the Form 8-K, along with the related implementation timing, in this blog post.
One of the complex issues in the 1.05 Form 8-K is this instruction:
(c) Notwithstanding General Instruction B.1. to Form 8-K, if the United States Attorney General determines that disclosure required by paragraph(a)of this Item1.05 poses a substantial risk to national security or public safety, and notifies the Commission of such determination in writing, the registrant may delay providing the disclosure required by this Item 1.05 for a time period specified by the Attorney General, up to 30 days following the date when the disclosure required by this Item 1.05 was otherwise required to be provided. Disclosure may be delayed for an additional period of up to 30 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing. In extraordinary circumstances, disclosure may be delayed for a final additional period of up to 60 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security and notifies the Commission of such determination in writing. Beyond the final 60-day delay under this paragraph, if the Attorney General indicates that further delay is necessary, the Commission will consider additional requests for delay and may grant such relief through Commission exemptive order.
The FBI has established a process to request such disclosure delays on this webpage: FBI Guidance to Victims of Cyber Incidents on SEC Reporting Requirements. Interestingly, the guidance suggests that companies establish a relationship with the cyber squad at their local field office. It also notes that “delay requests won’t be processed unless they are received by the FBI immediately upon a company’s determination to disclose a cyber incident via 8k.”
On December 14, 2023, CorpFin issued four new Compliance and Disclosure Interpretations in Section 104B (C&DIs) that address questions about the delay process. The new C&DIs address issues including what a company should do if it contacts the Attorney General, but a determination is not made by the original due date for the Form 8-K. In this situation, the 8-K must be filed by its original due date. The C&DIs also clarify that consulting with the Department of Justice about a cyber security incident does not create a presumption that the incident is material.
To provide additional support for companies as they work to provide required cyber security disclosures, on December 14, 2023, CorpFin Director Eric Gerding published this Speech providing an overview of the new rules and specific thoughts about the cybersecurity incident disclosures on Form 8-K and the cybersecurity governance and risk management disclosures required in new Item 1C for Form 10-K. In his speech Director Gerding states:
“But I want to reassure companies and their representatives that our Division does not seek to make ‘gotcha’ comments or penalize foot faults. To the extent appropriate, we may issue forward-looking comments to companies or additional CDIs.”
As always, your thoughts and comments are welcome!
SolarWinds Corporation, a provider of IT infrastructure management software products, completed its IPO in the fall of 2018. In its IPO registration statement and periodic reporting, the company disclosed lengthy cybersecurity risk factors. For example, in its December 31, 2019 Form 10-K, the company included this risk factor:
If we sustain system failures, cyberattacks against our systems or against our products, or other data security incidents or breaches, we could suffer a loss of revenue and increased costs, exposure to significant liability, reputational harm and other serious negative consequences.
We are heavily dependent on our technology infrastructure to sell our products and operate our business, and our customers rely on our technology to help manage their own IT infrastructure. Our systems and those of our third-party service providers are vulnerable to damage or interruption from natural disasters, fire, power loss, telecommunication failures, traditional computer “hackers,” malicious code (such as viruses and worms), employee or contractor theft or misuse, and denial-of-service attacks, as well as sophisticated nation-state and nation-state-supported actors (including advanced persistent threat intrusions). The risk of a security breach or disruption, particularly through cyberattacks or cyber intrusion, including by computer hacks, foreign governments, and cyber terrorists, has generally increased the number, intensity and sophistication of attempted attacks, and intrusions from around the world have increased. In addition, sophisticated hardware and operating system software and applications that we procure from third parties may contain defects in design or manufacture, including “bugs” and other problems that could unexpectedly interfere with the operation of our systems.
Because the techniques used to obtain unauthorized access or to sabotage systems change frequently and generally are not identified until they are launched against a target, we may be unable to anticipate these techniques or to implement adequate preventative measures. We may also experience security breaches that may remain undetected for an extended period and, therefore, have a greater impact on the products we offer, the proprietary data contained therein, and ultimately on our business.
The foregoing security problems could result in, among other consequences, damage to our own systems or our customers’ IT infrastructure or the loss or theft of our or our customers’ proprietary or other sensitive information.
(Note: Balance of the risk factor is omitted.)
This risk factor provides a general discussion of cybersecurity risk. It does not address the nature and extent of actual cybersecurity risks facing the company, any specific steps the company is taking to address cybersecurity risk, or the strengths and weaknesses of the company’s cybersecurity defenses.
After the company experienced a major cybersecurity breach, these issues were at the center of the SEC’s charges against the company and, interestingly, the company’s Chief Information Security Officer (“CISO”). According to the SEC’s Press Release and the related Complaint, the company was aware that its defenses against cybersecurity attacks were weak and that the company was extremely vulnerable to cyberattack.
The Press Release states:
“SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with Brown (The CISO), that SolarWinds’ remote access set-up was ‘not very secure’ and that someone exploiting the vulnerability ‘can basically do whatever without us detecting it until it’s too late,’ which could lead to ‘major reputation and financial loss’ for SolarWinds.”
Similarly, as described in the Press Release and Complaint, in 2018 and 2019 the CISO made presentations that stated the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate.”
SolarWinds’ public statements about its cybersecurity practices and risks were very different from its internal discussions and documentation. As companies implement the SEC’s new cybersecurity disclosures, there are clear lessons in this case.
The Press Release and Complaint provide more details and discussion.
As always, your thoughts and comments are welcome!
When a company presents a non-GAAP measure investors generally should ask, “Is this non-GAAP measure presented to try and make things look better than the story the related GAAP measure tells?” For example, in this SEC enforcement against ADT, the company presented adjusted EBITDA in the headline of its earnings release, highlighting a 7% increase, but did not mention that the company’s GAAP loss had increased from $(141) to $(157) million until later in the release. Highlighting a positive change in a non-GAAP measure while the comparable GAAP measure deteriorates raises significant questions. In addition, ADT did not follow Regulation S-K Item 10(e), which clearly applies to a company’s earnings release, and requires that GAAP measures be presented with equal or greater (OK, really greater) prominence than the comparable non-GAAP measure.
In an interesting twist on this process, as discussed in a recent enforcement release, a company disclosed a non-GAAP measure that was not as positive as the related GAAP measure, but used a classic revenue manipulation strategy to make the non-GAAP measure look more positive.
In the headline for its third-quarter 2016 earnings release, Newell Brands said:
Newell Brands Announces Third Quarter Results
Net Sales Growth of 158.5%; Core Sales Growth of 3.0%
New Strategic Plan Transformation into Action
Raises 2016 Guidance to Top Half of Range
Provides 2017 Initial Outlook
At first glance, all appears reasonable with this headline. In particular, placing GAAP sales growth before the non-GAAP measure “core sales growth” follows the S-K Item 10(e) requirements discussed above, and avoids the frequent “equal or greater prominence” non-GAAP measure comment.
The large difference between the GAAP and non-GAAP sales growth rates raises a number of questions. The earnings release notes that the GAAP sales growth is primarily due to the impact of an acquisition. The question that naturally arises is, “what would have happened to sales without the acquisition?”
Below is the rationale for the company’s presentation of “core sales growth.” In its non-GAAP measure disclosures Newell Brands says:
“The company’s management believes that core sales provides a more complete understanding of underlying sales trends by providing sales on a consistent basis as it excludes the impacts of acquisitions (other than the Jarden acquisition, which is included in core sales on a pro forma basis starting in the second quarter of 2016), planned or completed divestitures, the deconsolidation of the company’s Venezuelan operations and changes in foreign currency from year-over-year comparisons.”
This presents a reasonable rationale for the presentation of the non-GAAP measure, and, in fact, the non-GAAP measure presents a reasonably positive picture.
This seemed true until September 29, 2023, when the SEC released an Accounting and Auditing Enforcement Release describing how Newell and its former CEO engaged in a classic revenue manipulation scheme – channel stuffing or “pull-forwards” – designed to inflate this non-GAAP measure. According to the AAER:
“During the last month of each quarter in the Relevant Period, Newell employees determined that its sales were inadequate to achieve management goals, including internal targets, guidance to investors, or analyst estimates. As part of an effort to achieve those goals, Polk (the former CEO) was made aware of and approved plans to pull forward sales scheduled for subsequent quarters. To do so, Newell employees identified orders scheduled for delivery early the following quarter and obtained customer permission to deliver those orders in the current quarter. Newell employees then informed Polk of the volume of orders that had been pulled forward.”
Many companies have used this strategy to try and maintain a sales growth rate. As we discussed in this post about Under Armour (where you can find links to a number of similar cases), this is not an unusual kind of fraud. In this case, however, it is interesting that the strategy was used specifically to manipulate the non-GAAP measure for “core sales growth.”
The company and the former CEO both entered into cease and desist orders and paid fines of $12,500,000 and $110,000, respectively.
As always, your thoughts and comments are welcome!
On December 4, 2023, SEC Chief Accountant Dr. Paul Munter issued a Statement titled “The Statement of Cash Flows: Improving the Quality of Cash Flow Information Provided to Investors.” In his introduction Dr. Munter notes:
“Unfortunately, we have observed that preparers and auditors may not always apply the same rigor and attention to the statement of cash flows as they do to other financial statements, which may impede high quality financial reporting for the benefit of investors.”
He also discusses the importance of cash flow information to investors and that the statement of cash flows has consistently been one of the higher frequency areas of restatements.
The statement addresses several statement of cash flow considerations including:
Dr. Munter’s conclusion makes the point:
“The statement of cash flows represents a critical piece of a complete picture of an issuer’s financial health and operations. Issuers and auditors have a responsibility, under securities laws and professional standards, to apply the same high level of care and professionalism to the preparation, review, and audit of the statement of cash flows as is required for the other financial statements.”
As always, your thoughts and comments are welcome!
On November 22, 2023, the SEC postponed the effective date of its Share Repurchase Disclosure Modernization rule. The postponement was in the wake of an opinion by the U.S. Court of Appeals for the Fifth District in Chamber of Com. of the USA v SEC. You can read more in the SEC’s Announcement. The rule has been stayed pending further Commission action. Companies do not need to comply with the new rule at this time. It would have required daily share repurchase disclosures for the first full fiscal quarter that began on or after October 1, 2023.
As always, your thoughts and comments are welcome.
In two recent posts we discussed enforcement actions against Monolith Resources and CBRE, Inc. for violating the SEC’s whistleblower protection rules. On September 29, 2023, the SEC announced its latest such case, this one against D.E.Shaw and Co. L.P., for using employment agreements that violated the whistleblower protection rules. This violation resulted in a $10,000,000 civil penalty along with a cease-and-desist order.
You can read more details in the related Order.
All these cases send direct and clear reminders to proactively review employment, termination and similar agreements to assure they do not run afoul of the whistleblower protection rules.
As always, your thoughts and comments are welcome!
On September 27, 2023, the Enforcement Division announced settled enforcement orders against six individuals and five companies based on Section 16 and Forms 13D and 13G reporting failures. The individuals and companies paid fines ranging from $115,000 to $200,000. Sanja Wadhwa, Deputy Director of the SEC’s Division of Enforcement, said:
“Today’s enforcement action should serve to remind SEC filers that reporting obligations under the securities laws are not optional, and there are consequences for failing to file required forms in a timely manner.”
This enforcement sweep is very similar to a September 2014 sweep. You can read more in this Press Release, where you can find links to the individual orders.
As always, your thoughts and comments are welcome!