The potential liability from a material cyber-attack is wide-ranging. Accordingly, companies that experience network intrusions, system disruptions or unauthorized access to information databases must be prepared for a variety of potential consequences, each attended by its own costs:

■ Investigation and Remediation Costs. Cyber-attacks often take time to detect, investigate, and contain, resulting in significant investigation costs. For example, Sony Corporation reported approximately $41 million in costs related to the highly publicized cyber-attack on Sony Pictures in 2014, primarily for investigation and remediation activities.
■ Lost Business, Loss of IP, Disruption of Business Operations or Reputational Harm. Cyber-attacks may also result in a loss of intellectual property, cause significant disruption of business operations, erode investor confidence, drive away customers or disrupt relationships with partner businesses. In its 2016 study, Ponemon identified lost business as the biggest financial consequence of a data breach, at a cost of $3.97 million per breach.[2] The annual cost of cybercrime and theft of intellectual property in the U.S. is estimated to be nearly $100 billion, with global costs ranging between $450 billion and $600 billion.[3]
■ Notice Costs. If notice of the breach must be provided to consumers, the company will incur additional costs of mailing notification letters, providing credit monitoring services and operating a call center.
■ Legal Defense Costs. Companies must be prepared for potential legal liability as well. Breaches involving sensitive and confidential information often result in class action lawsuits by consumers or employees, or counter-party suits brought by business partners. Shareholder derivative or securities litigation may also follow a cyber-attack that causes a significant loss or negatively affects the company’s performance or stock price.
Investigating and preparing to defend against these claims can be expensive even if no legal liability is ever imposed.
■ Regulatory Action. Cyber-attacks frequently draw the attention of regulators, including the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), the Securities and Exchange Commission (SEC) and state attorneys general. Industry-specific regulators, such as banking agencies, healthcare or other financial or insurance regulators, and international regulators and data protection authorities may also get involved. The resulting investigations may result in penalties and orders requiring the company to take remedial action.

[1] Gary D. Gerstman is a partner in Sidley’s Chicago office and a global co-leader of the firm’s Technology Industry Group. Geeta Malhotra is a litigation partner in Sidley’s Chicago office. Alan C. Raul, a partner in Sidley’s Washington, D.C. office, is the founder and leader of the firm’s Privacy, Data Security and Information Law practice. The views expressed in this article are those of the authors and do not necessarily reflect the views of the firm.
[2] IBM and Ponemon Institute, “2016 Cost of Data Breach Study: United States” (June 2016), http://www-03.ibm.com/security/data-breach/.
[3] CSIS Cyber Policy Task Force, “From Awareness to Action: A Cybersecurity Agenda for the 45th President,” at 5 (January 2017), https://csis-prod.s3.amazonaws.com/s3fs-public/publication/170110_Lewis_CyberRecommendationsNextAdministration_Web.pdf.

SidleyPerspectives ON M&A AND CORPORATE GOVERNANCE Sidley Perspectives | FEBRUARY 2017 • 3

Noteworthy Aspects of Cybersecurity Due Diligence in M&A

In light of the magnitude of potential liability, cybersecurity due diligence in M&A transactions needs to be a core area of review. Like other diligence processes, there is no “one size fits all” approach. Instead, the extent of diligence will depend on a number of factors, including, for instance, the nature of the acquisition, the availability of resources, the nature of the target company’s business, the type(s) of information held and/or used by the target company, industry standards and the overall risk profile. The manner in which the diligence is performed will likewise vary. Diligence efforts will often include some combination of document and information requests as well as discussions with key information security and privacy representatives. In addition, it can also include an in-depth review or testing of actual processes, procedures and systems. Privacy and data protection issues should often also be included in the diligence process to address personal information issues as well as data collection, use, transfer and analytic practices.

The following provides a sample list of areas of inquiry to help inform an acquirer’s cybersecurity, privacy and data protection diligence:

■ Nature and use of information. The types and volume of information collected, used, maintained, shared and/or sold by the target, with a particular focus on information that could be deemed sensitive (e.g., financial data, IP or trade secrets, personally identifiable information, personal health information, etc.).
■ Representations regarding security and data. The representations made to, for instance, its customers, business partners and/or the public regarding security as well as its collection and treatment of sensitive data.
■ Policies and training. The policies, written procedures and trainings in place to help guide security and privacy issues, and how they are applied or administered in practice.
■ Organization and responsibility. The extent to which the target has employed individuals with defined cybersecurity and privacy roles and responsibilities, and dedicated resources to those roles.
■ Involvement at the top.
The extent to which upper management and/or the Board of Directors are briefed regarding, and are otherwise involved with, decisions relating to cybersecurity and privacy issues.
■ Incident history. The history of incidents experienced by the target, if any, and the actions taken by the target in response.
■ HR practices. The practices employed by human resources to, for instance, conduct background checks regarding employees (to identify potential red flags), educate employees (e.g., through trainings and the provision of policies) and work with IT to terminate access rights and prevent unauthorized system access as well as the taking or destruction of information upon departure.
■ Audits and assessments. The extent to which the target conducts audits, assessments or other cybersecurity or privacy-related reviews, and the feedback generated.
■ Technical controls and security measures. The technical controls and other protections that are in place.
■ Encryption practices. To the extent not covered by the controls-related inquiries, the encryption practices and controls employed by the target.
■ Legal and compliance history. The target’s legal and compliance obligations and history, including, for instance, the extent to which it complies with filing and disclosure obligations, or has been the subject of litigation, government inquiries or government enforcement proceedings.
■ International issues. Other significant international data transfer or cross-border issues, incidents, practices and/or policies.
■ Cybersecurity insurance. Whether the target has cyber insurance and, if so, the scope and coverage.
■ Third-party controls.
The nature of its third-party relationships as well as the safeguards in place with respect to those third parties, including, for instance, whether the target tracks its third-party relationships, conducts diligence, incorporates cyber- or privacy-related contractual provisions, provides or requires training, limits system access and/or implements other controls.

Through its diligence efforts, the acquirer should focus on asking the right questions so it can understand potential risks and accurately assess value. Based on the results, it can then evaluate whether additional steps can or should be taken to help mitigate risk and/or address valuation issues (e.g., by implementing additional controls, considering cybersecurity insurance, incorporating specific representations and warranties or, in a private company transaction, requiring indemnification), or if no amount of remediation would be sufficient to address the identified issues (which may be a deal breaker, depending on the circumstances).

In any transaction where the consideration being paid includes stock of the acquirer, the target company will need to assess carefully the extent of “reverse” due diligence that should be done on the acquirer. Similar to other areas, the level of “reverse” due diligence will depend upon the relative size of the parties and the amount of stock being delivered. In addition to possibly causing a material decline in the acquirer’s stock price, cybersecurity issues have the potential to undermine the benefits of the combination. For instance, if an acquirer does not have sufficient protections to satisfy representations made by the target company regarding the handling of information, there could be challenges integrating the target’s operations with the acquirer or leveraging the target’s information and systems as part of the combined organization.
For these reasons, in many cases, a target company should consider performing “reverse” due diligence regarding the acquirer’s (i) use of information and representations to its customers and business partners regarding this use, (ii) policies and training, (iii) incident history and (iv) legal and compliance history. Depending on the outcome of these inquiries and the nature of the businesses being combined, a more in-depth review may be advisable.

Protecting Privilege

Companies experiencing a breach may become the target of lawsuits by government enforcement agencies, consumers, employees, shareholders or business partners. In a public company M&A transaction, the acquirer will inherit these liabilities without recourse to the seller. As a result, if there has been a material breach of the target’s systems or if cybersecurity risks are otherwise significant, an acquirer may benefit from a review by a cybersecurity technology consultant. Materials generated by the consultant may be subject to discovery unless the acquirer takes specific steps to conduct the work under privilege. Certain steps should be considered to enhance the likelihood that assertions of privilege and attorney work product will be sustained:

■ Consider appropriate non-disclosure and common interest agreements with the target.
■ The consultant should generally be retained by outside counsel, not by the acquirer.
■ The agreement and statement of work should be signed by outside counsel and should specify that the consultant has been engaged for the purpose of assisting the attorney in providing legal advice, and that the work is being performed at the direction of legal counsel and in anticipation of potential litigation and/or legal or regulatory proceedings.[4]
■ As much as possible, the point of contact for the consultant should be outside counsel or (if necessary) the acquirer’s general counsel.
■ Counsel should participate in communications and briefings between the consultant and the acquirer’s internal security personnel.
■ The consultant’s work flow should be directed by counsel, and the consultant’s reports should not be forwarded to the acquirer directly without reflecting or incorporating legal advice.

As with any other matter where it is important to maintain privilege, it is important to follow standard protocols: mark documents confidential, limit direct communication between the consultant and the acquirer and do not share the results of the consultant’s work with third parties. Although no privilege claims are certain to be absolute, taking these steps will decrease the potential of waiver and increase the likelihood that investigation materials are protected from discovery in any future litigation.

[4] See Genesco, Inc. v. Visa U.S.A., Inc., 302 F.R.D. 168 (M.D. Tenn. Mar. 10, 2014) (sustaining a claim of privilege over the work of a consultant hired by general counsel to assist with rendering legal advice in anticipation of litigation resulting from a data breach).

NEWS[5]

JUDICIAL DEVELOPMENTS

Delaware Court of Chancery Provides Appraisal Proceedings Primer

Vice Chancellor Laster’s December 2016 Merion Capital L.P. v. Lender Processing Services, Inc. opinion provides an excellent primer on appraisal proceedings.
The case notes that “fair value” is determined at the time of closing and reflects the target’s going-concern value (and, thus, should exclude synergies), makes clear that even where there has been no breach of fiduciary duty, a sale process may not yield a “fair value” and explains that courts may not simply defer to a deal price—even where the facts replicate those in prior cases where courts have deferred to the deal price—since the statute requires courts to “take into account all relevant factors.” In addition, the decision reminds us that both parties have the burden of providing their valuation (and its constituent elements) by a preponderance of the evidence. The opinion provides guidance regarding factors that favor deference to the deal price in an appraisal proceeding, such as (i) a robust pre-signing auction process that includes both strategic and financial bidders where there is a credible threat of competition among bidders, (ii) the absence of factors (e.g., regulatory uncertainty) that make it difficult to understand the target’s business and determine its value, (iii) the buyer having no significant leverage limitations or need to achieve internal return rates, (iv) true arm’s-length negotiations and the absence of conflict issues (e.g., the buyer is not a controlling stockholder, management has no incentive to favor the buyer over other bidders, the target provides the same information to all bidders, etc.), (v) a go-shop that is part of the target’s banker’s original plan for the sale process, where the parties contacted are reasonably likely to be interested in making a topping bid and see a realistic path to succeeding in outbidding the original buyer, (vi) the absence of target projections prepared in the ordinary course (i.e., unrelated to the transaction) and (vii) the target having no comparable peers. 
For litigators, the decision is a cautionary tale, since Vice Chancellor Laster declined to entertain post-trial arguments that synergies should be deducted in determining “fair value” because the target had not provided evidence regarding the amount of such synergies.

Although a court must “take into account all relevant factors,” Merion Capital sets forth several factors that favor deference to the deal price in an appraisal proceeding.

[5] The following Sidley lawyers contributed to the research and writing of the pieces in this section: Zachary R. Burkart, Lauren E. Henderson, Claire H. Holland, Sacha N. Jamal, John P. Kelsh, Beth E. Peev, Hille R. Sheppard and Nilofer Umar.

Delaware Supreme Court Reverses Court of Chancery on the Issue of Director Independence

In December 2016, the Delaware Supreme Court reversed the Court of Chancery’s dismissal of stockholder derivative claims that had been brought in connection with stock sales by certain directors and officers of Zynga Inc., including Zynga’s founder, former CEO/Chairman and controlling stockholder, Mark Pincus. Sandys v. Pincus (Del. Dec. 5, 2016). The plaintiff alleged that the insiders who participated in the sale had improperly traded on the basis of adverse material non-public information.

In evaluating whether pre-suit demand on the board would have been futile, the Delaware Supreme Court held that the complaint raised a reasonable doubt about the independence of a majority of the directors. In addition to the directors who had participated in the underlying stock sale, the Court held that the plaintiff had pleaded facts creating a reasonable doubt regarding the independence of three additional directors.
Two of those directors had been designated by the board as non-independent directors under stock exchange listing rules, which the Court considered to be particularly relevant “[i]n the case of a company like Zynga, which has a controlling stockholder.” The Court noted that those directors, who were partners in a venture capital firm, also had other business ties to Pincus and another director who had participated in the stock sale. The Court held that a reasonable doubt existed regarding the independence of a third director because he allegedly co-owned an airplane with Pincus, which the Court characterized as an unusual asset that “require[d] close cooperation in use, which is suggestive of detailed planning indicative of a continuing, close personal friendship.”

This case serves as a reminder that, particularly in the case of a controlled company, director independence under Delaware law must be carefully evaluated. Factors that should be considered include the designation of a director as non-independent under the applicable stock exchange listing rules and the existence of business or close personal ties.

Delaware Supreme Court Holds That a Merger Extinguished a Limited Partner’s Standing to Pursue a Derivative Claim

In El Paso Pipeline GP Company, L.L.C. v. Brinckerhoff (Del. Dec. 20, 2016), the Delaware Supreme Court overturned a decision by the Court of Chancery and held that a limited partner lacked standing to bring derivative claims after the partnership had been acquired by merger. The derivative claims related to two transactions in which ownership interests dropped down from El Paso Corporation to a master limited partnership (MLP) which had as its sole general partner El Paso Pipeline GP Company, LLC, a wholly-owned subsidiary of El Paso Corp. Due to El Paso Pipeline’s conflict in the transaction, a conflicts committee approved the transactions.
A limited partner who believed the MLP overpaid for the assets filed suit claiming that El Paso Pipeline and the conflicts committee violated their duties to act in good faith. After the trial but before the ruling, the MLP was acquired by merger. The defendants moved to dismiss the suit arguing that the merger terminated the plaintiff’s standing because the claims were derivative and the plaintiff no longer had an ownership interest in the MLP, which is required to sue derivatively.

The Court of Chancery held that the plaintiff maintained standing after the merger because the claims were not exclusively derivative. The Court of Chancery found that both the MLP and the limited partners suffered damages. On appeal, however, the Delaware Supreme Court reversed the Court of Chancery’s holding and found that the plaintiff’s claim was exclusively derivative in nature because the plaintiff failed to show individual injury distinct from the damages suffered by the MLP. The Supreme Court held that the merger terminated both the plaintiff’s stake in the MLP and the plaintiff’s standing to bring a suit on behalf of the MLP. According to the Supreme Court, the limited partner retained an adequate remedy—challenging the merger through a direct claim asserting an unfair price or unfair dealing.

Delaware Law Protects Informed Directors Who Took Reasonable Steps to Address Data Security Deficiencies

In a recent shareholder derivative case, a Georgia federal court dismissed claims filed against Home Depot’s directors and officers relating to a 2014 large-scale security breach. In re The Home Depot, Inc. Shareholder Derivative Litigation (N.D. Ga. Nov. 30, 2016).
Plaintiffs’ primary claim was that defendants breached their duty of loyalty by (i) implementing inadequate internal controls to protect Home Depot against data security risks and (ii) dissolving a board committee designed to address those risks, and allocating responsibility for those risks to the Audit Committee without amending its charter. Plaintiffs also alleged that defendants violated Section 14(a) of the Securities Exchange Act of 1934 by omitting from Home Depot’s 2014 and 2015 proxy statements information regarding the security risks and the board’s decision not to amend the Audit Committee’s charter. Applying Delaware law, the Court rejected the claims, noting plaintiffs failed to make a pre-suit demand and failed to meet the demand doctrine’s futility requirement with respect to each claim. The Court’s analysis focused on the duty of loyalty claim and plaintiffs’ inability to meet the burden of showing that the board “consciously failed to act in the face of a known duty to act.” The board and the Audit Committee were informed of the data security deficiencies, and Home Depot instituted a plan to fix these deficiencies before the breach occurred. This response, even if it was “probably too slow,” demonstrated that defendants did not consciously fail to act. The Section 14(a) claim failed because plaintiffs did not specify with particularity the proxy statement language that was false or misleading or made so by omission of a material fact relating to the Audit Committee’s charter and the data security threats Home Depot faced. The Court also dismissed a corporate waste claim alleged by plaintiffs. This case suggests that, in making decisions regarding data security risks, directors will be protected by the business judgment rule if they inform themselves of such risks and take reasonable steps to protect the company, even if such actions may be perceived as untimely or ultimately insufficient to prevent a security breach. 

Difficult in Delaware to Challenge Transactions That Have Been Approved by Disinterested and Fully-Informed Stockholders

The Delaware Court of Chancery recently followed the Delaware Supreme Court’s 2015 decision in Corwin v. KKR Fin’l Holdings to dismiss a pension fund’s post-closing damages action challenging a private equity firm’s acquisition of Solera Holdings. In re Solera Holdings, Inc. S’holder Litig. (Del. Ch. Jan. 5, 2017). The case involved a breach of fiduciary duty claim against the eight members of Solera’s board who approved the merger. The Court applied the business judgment rule to the directors’ decision after finding that the merger had been approved “in a fully-informed and uncoerced vote” by a disinterested majority of Solera’s stockholders.

The decision reaffirms that Delaware courts will give great deference to transactions approved by disinterested and fully-informed stockholders and will dismiss claims at the pleading stage when warranted. It also highlights the importance of providing quality disclosure in M&A deals to support the notion that the stockholder vote was “fully-informed.” The ruling also clarifies an open question regarding the stockholder ratification defense: a stockholder challenging a transaction’s approval has the burden of pleading that the vote was not fully informed and must identify a deficiency in a disclosure document before having the opportunity to conduct discovery. The Court rejected arguments that it is unfair to require plaintiffs to plead disclosure deficiencies before obtaining discovery, explaining that “plaintiffs must plead claims before receiving discovery in American civil litigation all the time,” and making clear that the preferred time to address disclosure claims is before the stockholder vote.

In re Solera Holdings: A stockholder challenging approval of a transaction has the burden of pleading that the vote was not fully informed and must plead disclosure deficiencies before conducting discovery.

M&A DEVELOPMENTS

Presidential Order Blocks Cross-Border M&A Deal Over National Security Concerns

On December 2, 2016, upon the recommendation of the Committee on Foreign Investment in the United States (CFIUS), then President Barack Obama issued a rare executive order blocking a proposed takeover of a German semiconductor manufacturer’s U.S. business by a German LLC, a special purpose vehicle beneficially owned by Chinese investors. The deal was to be financed in part by a member of an investment fund specifically established by the Chinese government to promote the development of China’s integrated circuit industry. The deal was subject to clearance by CFIUS and the German Federal Ministry of Economics and Energy. Obama prohibited the acquisition of the U.S. business citing “credible evidence” that, by acquiring control of the business, the investment fund backing the purchasers might take action that threatens to impair U.S. national security. The order defined the U.S. business broadly to consist of a California corporation and its equity interests and any asset of that corporation and its German parent corporation that is “used in, or owned for the use in or benefit of, the activities in interstate commerce in the United States…including without limitation any interest in any patents issued by, and any interest in any patent applications pending with, the United States Patent and Trademark Office.” CFIUS and Obama concluded that the transaction posed a risk to U.S. national security that could not be resolved through mitigation measures. The U.S. Department of the Treasury issued a statement explaining that Obama’s decision was based on, among other things, the military applications of the overall body of knowledge and experience of the U.S. business relating to semiconductor technology.
Even though the order was atypical and fact-specific, it serves as a reminder that CFIUS will scrutinize cross-border M&A deals, particularly attempted acquisitions of U.S. technologies by Chinese state-owned entities.

Parties to cross-border M&A deals should analyze early on how review by CFIUS and other regulators may impact deal timing and certainty.

Seller Defeats Fraud Claim with Anti-Reliance Clause

IAC Search, LLC v. Conversant LLC (f/k/a ValueClick, Inc.) (Del. Ch. Nov. 30, 2016) is the latest case in which the Delaware Court of Chancery scrutinized an anti-reliance clause providing that the buyer is not relying on any representations outside of the purchase agreement. An anti-reliance clause is a powerful tool in seller’s arsenal because it can eliminate seller’s liability for statements made outside of the purchase agreement, including those that were fraudulently made.

In IAC, the seller owned a collection of websites that generated revenue by selling advertising. The seller put performance metrics of the websites in the data room, and the buyer relied on those metrics to determine the purchase price. Specifically, the buyer relied on the unsold space metrics (known as remnant inventory) because the buyer thought it could bring the remnant inventory levels in line with the buyer’s other website assets. However, the purchase agreement did not include a representation on this point. Post-closing, the buyer learned that the remnant inventory levels were not stated correctly, which impeded its plans for increasing revenues. The buyer sued for fraud based on the false metric, and the Delaware Court of Chancery dismissed the claims finding that they were barred by the anti-reliance clause.

The buyer argued that the anti-reliance clause was defective because it did not include a statement by the buyer releasing the seller from liability for the buyer’s reliance on information obtained during due diligence. The Court rejected this argument and limited the requirements for an effective anti-reliance clause to those set forth in its 2016 FdG Logistics decision (discussed in our April 2016 issue of Sidley Perspectives). The Court held that the anti-reliance clause was effective because, in addition to the standard integration clause in the purchase agreement, the buyer expressly acknowledged in the purchase agreement that the seller made no representations about information provided during due diligence except for the express representations in the purchase agreement. The Court found that those clauses, in combination, created a “clear anti-reliance clause to bar fraud claims based on extracontractual statements made during due diligence.”

IAC adds to a growing body of decisions providing guidance on how to draft effective anti-reliance clauses in M&A deals governed by Delaware law.

Delaware Court of Chancery Refers $2.5 Billion Working Capital Dispute to Independent Accountant

Chicago Bridge & Iron Company N.V. (CB&I) and Westinghouse Electric Company LLC were hired to build two nuclear power plants. To resolve litigation over which party was responsible for project delays and severe cost overruns, CB&I agreed to sell the CB&I subsidiary designing the nuclear power plants to Westinghouse for $0 with the prospect of deferred payments. The deal also involved Westinghouse assuming all current and potential liabilities (including any cost overruns) and a working capital adjustment. At closing, CB&I estimated the working capital amount and suggested a payment by Westinghouse to CB&I of $428 million. Post-closing, Westinghouse calculated a working capital amount that suggested a payment by CB&I of $2.15 billion.
CB&I computed its number based on changes that occurred between when the target was set and closing. Westinghouse considered those changes but also argued that the working capital balance sheet did not comply with GAAP. For example, CB&I assumed 100% collectability of an outstanding receivable for purposes of computing target working capital that Westinghouse contended should have been reduced by 30% to comply with GAAP.

The Delaware Court of Chancery referred the determination of GAAP compliance to the independent accountant. Chicago Bridge & Iron Co. N.V. v. Westinghouse Elec. Co. LLC (Del. Ch. Dec. 5, 2016). The Court’s decision was based on language in the purchase agreement—specifically, the broad powers granted to the independent accountant, the language of the financial statement representation and the wording of the working capital adjustment carve-out from the survival period.

In light of this decision, sellers should, if they have leverage in the transaction, insert a provision that the purpose of the working capital adjustment is to measure changes so that the buyer cannot argue post-closing that the purpose is to guarantee an absolute amount of working capital in accordance with GAAP. In addition, the scope of the authority of the independent accountant should be clearly spelled out to reduce litigation costs. A court would typically analyze a GAAP compliance determination as a breach of the financial statement representation whereas an independent accountant would likely consider it as part of the working capital adjustment. This has an economic impact because the financial statement representation is typically subject to a deductible and cap. That distinction was even more important in this case because it involved a no indemnity deal, so if the Court had decided the GAAP compliance issue in favor of CB&I, then Westinghouse would have had no recourse.

The decision highlights the importance of carefully drafting purchase agreement provisions that may be implicated by working capital disputes.

REGULATORY DEVELOPMENTS

SEC Continues to Take Enforcement Action Against Companies for Using Severance Agreements That Impede Whistleblowing

In January 2017 and December 2016, the SEC announced settlements with four companies whose separation or severance agreements allegedly had the potential to impede employee communications with the SEC in violation of the Dodd-Frank Act’s whistleblower provision, for example, by having employees waive financial incentives for reporting problems to the SEC. In the wake of these settlements, we have seen shareholder demands from plaintiffs’ counsel who are reviewing SEC filings and demanding that companies review provisions in confidentiality agreements, employment agreements, retirement agreements, codes of conduct, employment policies, severance agreements and the like to confirm that they do not contain language that could be construed by the SEC as prohibiting employees from communicating with the SEC about possible securities law violations and accepting financial awards for providing information. For more information, see our Sidley Update from August 2016 about previous SEC enforcement actions against companies with employee agreements that impede whistleblowing.

New DOL Guidance on Proxy Voting and Shareholder Engagement May Lead to Increased Shareholder Activism

On December 28, 2016, the Department of Labor (DOL) issued an interpretive bulletin providing guidance for ERISA employee benefit plan fiduciaries on (i) proxy voting, (ii) maintenance of and compliance with written statements of investment policy and (iii) shareholder engagement with their publicly-traded portfolio companies.
The release updates the DOL’s 2008 guidance in this area and clarifies that plan fiduciaries may undertake certain activities (e.g., participating in proxy contests, adopting proxy voting policies and engaging with management) consistent with their fiduciary duties to manage plan assets. Furthermore, the bulletin specifically identifies a number of topics that are appropriate subjects for plan shareholder involvement, such as Environmental, Social and Governance (ESG) issues like climate change, sustainability, workplace diversity and equal opportunity. The DOL released the bulletin because it was concerned that its earlier guidance had been misunderstood in a way that dissuaded plan fiduciaries from voting on proxies or exercising shareholders’ rights, especially with respect to ESG issues. In order to resolve another ambiguity created by the 2008 release, the DOL also clarified that fiduciaries are not required to complete a cost-benefit analysis for votes in most scenarios. As a result, some commentators claim that the DOL’s actions endorse activist policies and that its guidance may lead to an increased level of activism by plan fiduciaries in the future.

SEC Staff Issues FAST Act-Mandated Report on the Modernization and Simplification of Regulation S-K

The SEC Staff issued a report to Congress in November 2016 that includes specific recommendations to the SEC as to how to modernize and simplify certain Regulation S-K disclosure requirements. The recommendations are intended to (i) reduce the costs and burdens on registrants while still providing material information to investors and (ii) improve investors’ ability to read and navigate public filings. The report was mandated by Section 72003 of the Fixing America’s Surface Transportation (FAST) Act which directed the SEC to review Regulation S-K’s requirements in consultation with the SEC’s Investor Advisory Committee and Advisory Committee on Small and Emerging Companies.
Some noteworthy recommendations in the report are summarized below:

MD&A. To eliminate repetition, the SEC Staff proposed revising Item 303(a) to require period-to-period comparisons in the MD&A for only the two most recent fiscal years presented in the financial statements along with a hyperlink to the previous year’s annual report for the third period-to-period comparison required by the rule. It also recommended replacing the requirement to disclose a contractual obligations table in the MD&A with a requirement to include a hyperlink to the relevant financial statement notes in the same filing that provide substantially similar disclosure along with a narrative discussion of liquidity that would describe any material changes to the company’s contractual obligations and its ability to pay such obligations over time.

Exhibits. The SEC Staff proposed expanding Item 601 to require companies to file a description of their securities as a Form 10-K exhibit (it is currently only required to be filed as an exhibit to registration statements). It also recommended permitting the omission of attachments and schedules filed with exhibits unless they contain information that is material to investors and not otherwise publicly disclosed.

The SEC Staff is accepting public comments on the recommendations made in the report. Pursuant to the FAST Act, the SEC has 360 days after release of the report to propose rules implementing the recommendations. As noted in the report, several of the recommendations contemplate proposed rule changes that would need to be published for public comment prior to being implemented.

The report follows several other recent actions taken by the SEC to streamline its disclosure requirements as part of its Disclosure Effectiveness Initiative, including the release of a comprehensive concept release in April 2016 discussed in a previous Sidley Update.
GAO Issues Report on the Current State of the Proxy Advisory Industry

In November 2016, the Government Accountability Office (GAO) issued a report to the Chairman of the U.S. Senate Committee on Banking, Housing and Urban Affairs regarding the role and influence of proxy advisory firms in shareholder voting and corporate governance practices. The report followed a GAO study from June 2007, and it discusses (i) the influence proxy advisory firms may have on voting and corporate governance, (ii) how proxy advisory firms develop and apply policies to make vote recommendations and (iii) the SEC’s oversight of proxy advisory firms. The report found that the influence proxy advisory firms exert on shareholder voting and corporate governance has grown over the past 10 years due to the greater amount of shares that institutional investors now own compared to individuals and to the existence of more complex voting issues, such as say-on-pay and shareholder activism. The study did show, however, that there are mixed opinions as to the extent of the influence and that smaller institutions without in-house research staff may be more inclined to follow the opinion of proxy advisory firms than their larger counterparts. In fact, studies from 2009, 2010 and 2013 estimated that influence on institutional shareholders ranged from 6 to 25 percent. Lastly, the report notes that even though the advisory firms have taken measures to increase transparency, issuers still claim that sometimes they did not understand the rationale behind voting recommendations.

CORPORATE GOVERNANCE DEVELOPMENTS

Delaware Court of Chancery Invalidates Bylaw Requiring Supermajority Vote to Remove Directors

The Delaware Court of Chancery recently struck down a provision of Nutrisystem Inc.’s bylaws which required the vote of at least two-thirds of the corporation’s outstanding stock to remove directors. Frechter v. Zier (Del. Ch. Jan. 24, 2017).
The Court held that the bylaw provision is inconsistent with Section 141(k) of the Delaware General Corporation Law (DGCL) which provides that “[a]ny director or the entire board of directors may be removed, with or without cause, by the holders of a majority of the shares then entitled to vote at an election of directors,” subject to certain exceptions not applicable in the case. Vice Chancellor Glasscock found that the statutory language unambiguously requires a simple majority stockholder vote for the removal of directors. Delaware corporations should review the director removal provisions in their governing documents to ensure consistency with DGCL Section 141(k).

Based on data from SharkRepellent, nearly 10% of S&P 500 companies have supermajority voting requirements to remove directors. These companies should consider reviewing their governing documents in light of the Nutrisystem ruling.

BlackRock Letter Encourages Focus on Long-Term Value Creation

On January 24, 2017, Larry Fink, BlackRock’s founder, chairman and CEO, released his annual letter to the CEOs of the world’s leading companies and advocated for governance practices that maximize long-term value creation. BlackRock expects the companies in which it invests to: (i) understand and adapt their strategies in light of changes relating to globalization and technology, (ii) devote attention to Environmental, Social and Governance (ESG) issues like sustainability of operations, environmental factors that affect the business and the company’s role as a member of the community and (iii) engage in stock buybacks only when the company is confident that the return will exceed the cost of capital and long-term returns of investing in future growth.
The letter also notes that BlackRock supports government policies that promote the goal of long-term value creation, including tax reform, infrastructure investment and stronger retirement systems. Specifically, Mr. Fink proposes a capital gains regime that rewards long-term investing by changing the long-term holding period from 1 year to 3 years and by adopting a decreasing tax rate for each year of ownership thereafter. Furthermore, he encourages companies to improve their internal training and education programs to improve the skills and earning potential of their employees. Finally, Mr. Fink suggests ways to combat the retirement crisis, particularly for the millions of workers at smaller companies who are not covered by employer-provided plans, by using tools such as (i) auto-enrollment and auto-escalation, (ii) pooled plans for small businesses, (iii) educating employees on preparing for retirement and improving their financial literacy and (iv) potentially even mandatory contribution plans like the models used in Canada or Australia.

The letter serves as a reminder that boards and management of public companies should familiarize themselves with the guidelines and policies of their institutional investors to be in a position to explain conformity with (or deviations from) their expectations. CEOs should be prepared to explain how long-term value creation factored into their annual strategic plans and confirm that such plans have been approved by the board.

SIDLEY EVENTS

NACD Event: Living With Activist Nominees on Your Board
February 9 | Chicago, IL

Sidley will host a National Association of Corporate Directors (NACD) event at its Chicago office on February 9 entitled Living With Activist Nominees on Your Board.
Beth Peev (formerly Flaming), a partner in our Chicago office, will moderate a panel of experienced directors from large public companies discussing practical advice for boards to function effectively following a proxy fight or negotiated settlement which has resulted in an activist-nominated director joining the board. Anyone interested in attending should contact Kathy Hendrickson at the NACD at email@example.com.

Sidley Chicago General Counsel Roundtable
June 6 | Chicago, IL

Sidley will host its 10th annual General Counsel Roundtable in Chicago on June 6. This program is limited to general counsel and chief legal officers. Anyone interested in attending should contact firstname.lastname@example.org.

Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship. Attorney Advertising - Sidley Austin LLP, One South Dearborn, Chicago, IL 60603. 312 853 7000. Sidley and Sidley Austin refer to Sidley Austin LLP and affiliated partnerships as explained at sidley.com/disclaimer.

SIDLEY RESOURCES

The Federal Trade Commission (FTC) approved new thresholds for premerger notification under the Hart-Scott-Rodino (HSR) Act, effective February 27, 2017, applicable to transactions closing on or after such date. The FTC also approved new thresholds for interlocking directorates under Section 8 of the Clayton Act which became effective on January 26, 2017. For details, see our recent Sidley Update entitled FTC Announces HSR Premerger Notification and Clayton Act §8 Thresholds.

Sidley lawyers authored the U.S.
and EU chapters of the 13th edition of The International Comparative Legal Guide to: Merger Control 2017, a guide which provides corporate counsel and international practitioners with comprehensive legal analysis of the merger control laws and regulations in 50 jurisdictions. Bill Blumenthal, a partner in our Washington, D.C. office, and Marc Raven, a partner in our Chicago office, authored the U.S. chapter. Steve Spinks and Ken Daly, partners in our Brussels office, authored the EU chapter.

Sidley published a Corporate Governance Report on January 3 entitled Proxy Access Reaches the Tipping Point: Adopted by Just Over 50% (251) of S&P 500 Companies as of December 31, 2016. As discussed in the report, in just over two years proxy access has become a majority practice among S&P 500 companies, proving again the effectiveness of private ordering by shareholders to enhance their rights. As a follow-up to our previous Sidley Corporate Governance Reports on proxy access, the report provides an update on (i) recent shareholder proposals seeking specified revisions to existing proxy access provisions (so-called “fix-it” proposals), including a new appendix summarizing revisions sought by fix-it proposals, corresponding voting results, company responses and SEC Staff no-action determinations, (ii) the first attempt to utilize proxy access at a U.S. public company—which was promptly withdrawn, (iii) new questions relating to proxy access that ISS will consider for purposes of its recently updated QualityScore corporate governance ratings tool and (iv) other recent developments in the area. The report also includes an updated appendix which highlights, on a company-by-company basis, the various detailed terms of proxy access provisions adopted by 342 companies in 2015 and 2016, including the terms adopted by 79 additional companies since our September 2016 report.