Management Discussion and Analysis — “Known Uncertainties” Disclosures

The third quarter of 2014 brought a reminder that registrants must take care when considering disclosure in MD&A relating to “known uncertainties.”  In August 2014 the SEC settled a civil suit with Bank of America arising from its alleged failure to disclose known uncertainties regarding potential increased costs related to mortgage loan repurchase claims resulting from mortgage loan sales from ’04 through ’08 by the bank and certain entities that it had acquired.

Annual MD&A requires disclosure of, and quarterly MD&A calls for disclosure of material changes in, among other things, “any known trends or any known demands, commitments, events or uncertainties” that are reasonably likely to result in material changes to the registrant’s liquidity and “any known trends or uncertainties” that have had or that the registrant reasonably expects will have a material impact on net sales, revenues or income.  The real-time determination of whether an uncertainty is reasonably likely to have a material impact can be highly subjective, as it requires interpretation of ambiguous terms and often the assessment of a multitude of potential variables.  MD&A disclosures are subject to subsequent scrutiny that has the benefit of hindsight, which militates in favor of erring on the side of caution in “known uncertainty” MD&A disclosure.

Board and Company Risk — A (Data) Breach of Fiduciary Duty?

While Target and Home Depot have stolen most of the headlines in 2014, high profile national retailers are not the only companies at risk for malicious system intrusion and data breach.  Many smaller and middle market companies are appealing targets for cyber attackers. 

In June 2014, SEC Commissioner Aguilar urged directors to address this risk, stating that “[e]ffective board oversight . . . is critical to preventing and effectively responding to cyber-attacks.”  And directors may have additional cause to move cybersecurity to the top of their agenda.  Recently, some courts have found potential liability for directors in shareholder derivative actions that allege a breach of fiduciary duty for failing to implement data protection, privacy and security programs.  Unlike consumer class actions that have often failed to demonstrate – to the courts’ satisfaction – the harm suffered by breach victims, shareholders may be better able to show the harm they have suffered: declining stock values. 

In the current environment, companies should be careful to appropriately disclose cybersecurity risks in their SEC filings (including their next Form 10-Q).  Failure to do so may result in an SEC staff comment. The SEC has provided guidance on its views regarding disclosure obligations relating to cybersecurity risks and cyber incidents.  See Division of Corporation Finance, Securities and Exchange Commission, CF Disclosure Guidance: Topic No. 2, Cybersecurity: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm .

In addition, boards need to be active in protecting their companies, and themselves, from potential liability for data breaches.  Actions that boards may want to consider include the following:

  1. Address cybersecurity risk as a global risk that affects every aspect of their company’s ecosystem.
  2. Familiarize themselves with the risk by identifying the unique cyber risks facing their business and the legal obligations implicated by these risks.
  3. Establish a company-wide risk framework, as well as a data governance team of officers and managers – such as CIOs or CISOs – tasked with the responsibility of implementing effective information security measures, policies and procedures.  Such a team would need an adequate staff and budget.
  4. Seek to allocate risks appropriately, deciding whether certain risks should be avoided, mitigated or transferred through insurance.
  5. Place at least one technologically proficient member on the board who could offer insight into the company’s unique risks.
  6. Disclose the board’s risk assessment and mitigation plans in corporate filings.

“No Broken Windows” — Latest Enforcement Actions Reflect That All Violations Are Susceptible to SEC Enforcement

Roughly one year has passed since SEC Chairman Mary Jo White publicly declared that the agency would pursue “all types of violations of our federal securities laws, big and small,” comparing the new approach to the “no broken windows” policy used by New York City authorities to set a tone of legal compliance by combating even small crimes.  Some of the SEC’s recent enforcement activity appears to reflect the SEC’s adoption of that approach.

Beneficial Ownership Reporting Crackdown

In a rare action focused on beneficial ownership reporting violations, the SEC recently announced enforcement actions against 28 insiders for failing to timely file Section 16(a) reports (Forms 3, 4 and 5) and Schedules 13D and 13G.  The SEC took enforcement action against six issuers for not reporting the failures by insiders to comply with Section 16.  This SEC action could usher in a new era of beneficial ownership enforcement.

Internal Controls Action

The SEC also recently alleged fraud on the part of the CEO and CFO of a reporting company that filed for bankruptcy in 2009 for failure to disclose known internal controls issues to its auditors and, with respect to the CEO, for misrepresenting his involvement in (and knowledge of the framework used in) evaluating internal controls.  The case is unusual in that it advances a theory of fraud unaccompanied by any restatement of financials or allegations of accounting fraud, representing a further application of the SEC’s “no broken windows” approach to securities law enforcement.  In light of the SEC’s charges, it may be appropriate for a company’s CEO and CFO to revisit their company’s internal controls review framework as well as their individual involvement in such review.

Are You Ready?  New COSO Internal Control-Integrated Framework, Effective December 15, 2014

In May 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its updated Internal Control-Integrated Framework (the “2013 Framework”).  COSO announced that effective December 15, 2014, the 2013 Framework will supersede COSO’s 1992 Framework. 

The 1992 Framework has been widely used by public companies (and, in the case of accelerated filers and large accelerated filers, by their registered public accounting firm in connection with their attestation) to assess the effectiveness of internal control over financial reporting. 

Many companies are moving forward with adoption of the 2013 Framework to meet the December 15, 2014 deadline in COSO’s guidance.  Not all companies will be in a position to meet the December 15 deadline, however, so many companies are expected to continue to use the 1992 Framework in connection with their Form 10-K for the year ending December 31, 2014.

The SEC staff has indicated that the longer issuers continue to use the 1992 Framework, the more likely they are to receive questions from the staff about whether the issuer’s use of the 1992 Framework satisfies the SEC’s requirement for a “suitable, recognized framework,” especially after the Dec. 15, 2014 transition date.

In a 2013 speech, the SEC’s Chief Accountant said “the staff would monitor the transition [to the 2013 Framework] and determine whether any SEC action would be necessary or appropriate at some point in the future.”  The staff has reportedly stated that it doesn’t intend to challenge companies - at least in the near-term - that don’t transition to the 2013 Framework by December 15, 2014.  The SEC’s positions with respect to the transition are not entirely clear, and companies that do not fully transition in 2014 should be prepared to disclose that fact to investors and regulators and potentially to provide some explanation regarding their plans on a going forward basis.  Each company and its auditor should focus on whether the company can adopt the 2013 Framework by the transition date or whether it would be appropriate for the company to continue to use the 1992 Framework in connection with the Form 10-K for the year ending December 31, 2014.

Regardless of which framework a company uses, in light of the SEC’s recent charges against a CEO (as discussed above) for, among other things, misrepresenting his involvement in (and knowledge of the framework used in) evaluating internal controls, CEOs and CFOs should be knowledgeable regarding the framework used in their company’s internal controls review and should be appropriately involved in such review.

Whistleblower Activity

On September 22, 2014, the SEC announced that it expected to award between $30 and $35 million to a foreign whistleblower who provided the SEC with information regarding an ongoing fraud.  The SEC’s whistleblower program was established in 2012 and provides monetary awards to individuals who come forward with original information that leads to an enforcement action in which over $1 million in sanctions is ordered.  The range for awards is between 10% and 30% of the money collected, and the SEC has considerable authority to determine the amount of the whistleblower bounty within that range.  This award will be the SEC’s largest in the history of the whistleblower program, more than doubling the previous high of $14 million.

Given the increased attention that the SEC’s award may bring to the SEC’s whistleblower program, companies should review their internal whistleblower policies and programs as part of enhancing a corporate culture of securities law compliance and open communication.  In this regard, companies should consider encouraging employees to report compliance concerns internally, providing incentives to employees for reporting concerns internally and including readily accessible internal reporting mechanisms.

Exclusive Forum Bylaws Gain Momentum: More Court Support

Public corporations are frequently subject to expensive shareholder litigation for which shareholders indirectly bear the costs.  As an illustration of the litigious environment, 97.5% of takeover transactions valued at over $100 million in 2013 reportedly resulted in shareholder litigation, up from 39% in 2005. 

As plaintiffs’ counsel have sought (i) forums that may provide generous plaintiffs’ counsel fee awards and (ii) to make litigation more chaotic and uncertain in an effort to make settlement more appealing, it has become common for corporate action to be challenged in multiple jurisdictions.

A 2010 Delaware court decision proposed a potential solution to the problem of forum shopping when it suggested the use of an exclusive forum clause, stating: “[I]f boards of directors and shareholders believe that a particular forum would provide an efficient and value-promoting locus for dispute resolution, then corporations are free to respond with charter provisions selecting an exclusive forum for intra-entity disputes.” 

In 2013, the Delaware Court of Chancery upheld exclusive forum bylaws adopted by two boards.  Decisions in several cases outside of Delaware have suggested that many foreign courts will respect exclusive forum bylaws, particularly if they are adopted on a “clear day” (in advance of any dispute).  Not all courts agree with this approach, however.  Notably, in California there is a split – a California state court has followed Delaware’s lead in enforcing forum selection provisions in corporate bylaws, but a federal court in California has held a forum selection bylaw to be unenforceable.

The third quarter of 2014 saw positive developments for forum selection bylaws.  In September 2014, the Delaware Court of Chancery upheld a board-adopted forum selection bylaw even though the chosen forum was North Carolina, not Delaware, and the bylaw was adopted on the same day that the merger at issue in the litigation was announced.  Also in September 2014, the U.S. District Court for the Southern District of Ohio invoked federal procedural law to enforce a board-adopted forum selection bylaw.  The court noted that such bylaws can promote “cost and efficiency benefits that inure to the corporation and its shareholders by streamlining litigation into a single forum.”

Boards concerned about the potential cost and inefficiency of multi-forum litigation may want to consider adoption of an exclusive forum bylaw. 
