It’s been a little over a year since the SEC’s requirement to disclose material cybersecurity incidents on Form 8-K went into effect, and this Proskauer report provides some insight into how companies have responded. The report reviewed 75 disclosures from 48 public companies over the past year, and here are some of the key findings:
– Since the SEC rules became effective, there has been a 60% increase in the number of cyber incidents disclosed by public companies.
– Fewer than 10% of the disclosed incidents include a description of the material impact of the incident. 78% of disclosures were made within eight days of discovery of the incident, with 42% of companies providing an update by issuing an updated Form 8-K after the initial disclosure.
– Third-party breaches had the widest ranging impact for public companies, with one in four breaches stemming from a third-party incident.
This excerpt from the report notes that threat actors are apparently “blowing the whistle” on companies that have been the victims of a cyber attack, but haven’t reported it:
In an aggressive move to pressure victims into paying ransoms, some threat actors have filed whistleblower reports with the SEC, claiming that companies have failed to report active incidents on Form 8-K. The threat actor then makes its “whistleblower” report public, attempting to publicly shame victims and encourage payment. While such tactics have failed each time, they have generated significant media attention, with over 40 news articles published in publications such as The Wall Street Journal, Bloomberg, Security Week and others.
FinCEN has posted its response to the latest decision from the 5th Circuit vacating its earlier stay of the district court’s preliminary injunction against enforcement of the Corporate Transparency Act. Here’s the gist of it:
On December 23, 2024, a panel of the U.S. Court of Appeals for the Fifth Circuit granted a stay of the district court’s preliminary injunction entered in the case of Texas Top Cop Shop, Inc. v. Garland, pending the outcome of the Department of the Treasury’s ongoing appeal of the district court’s order. FinCEN immediately issued an alert notifying the public of this ruling, and recognizing that reporting companies may have needed additional time to comply with beneficial ownership reporting requirements, FinCEN extended reporting deadlines.
On December 26, 2024, however, a different panel of the U.S. Court of Appeals for the Fifth Circuit issued an order vacating the Court’s December 23, 2024 order granting a stay of the preliminary injunction. Accordingly, as of December 26, 2024, the injunction issued by the district court in Texas Top Cop Shop, Inc. v. Garland is in effect and reporting companies are not currently required to file beneficial ownership information with FinCEN.
FinCEN notes that reporting companies are not subject to liability if they fail to make a beneficial ownership filing while the order remains in force, but they may continue to voluntarily submit beneficial ownership information reports.
If you’re in a jurisdiction that requires you to report your CLE compliance on a calendar year basis, then you may be scurrying around this week trying desperately to find the hours you need to get into compliance. I’ve been in that boat myself, and it’s made for some pretty long and boring New Year’s Eves. To make matters worse, I often ended up with some pretty irrelevant CLE courses to choose from, including such gems as “Litigating Truck Accidents in Ohio.”
If you’re looking for a more relevant way to pick up your CLE credits, check out our inventory of “on -demand” webcasts. These are eligible for credit in most states, and come in bite-sized, one-hour portions. Be sure to follow the instructions on the webcast’s home page in order to obtain credit. If you have questions about CLE credit, please visit our CLE FAQ page or contact our CLE provider: CEU Institute, accreditation@ceuinstitute.net.
Members of this site can access this content without any additional charge. If you’re not yet a member, try a no-risk trial now. Our “100-Day Promise” guarantees that during the first 100 days as an activated member, you may cancel for any reason and receive a full refund. The webcast cost for non-members is $595. You can sign up by credit card online. If you need assistance, send us an email at info@ccrcorp.com – or call us at 800.737.1271.
If you just clicked through your email about this morning’s blogs, this isn’t the blog you were expecting – and it’s not the one I originally wrote, because developments on the CTA front are breaking fast and furious. On Monday, the 5th Circuit granted the DOJ’s request for a stay of a district court decision preliminarily enjoining enforcement of the Corporate Transparency Act on constitutional grounds. But that stay has now been vacated by a new 5th Circuit merits panel. Here’s a Bloomberg Tax article on the latest decision.
In response to the original 5th Circuit ruling granting the stay, FinCEN announced a brief extension of the January 1, 2025 filing deadline to January 13, 2025. FinCEN hasn’t yet posted anything in response to the latest ruling vacating the stay. Isn’t this fun? We’re posting law firm memos on the evolving drama in our “Beneficial Ownership” Practice Area.
I recently came across a new study on classified boards, and I thought the results were a little surprising. Although these structures are more common among younger companies, it turns out that they remain fairly prevalent throughout corporate America. Here’s an excerpt from a CLS Blue Sky Blog post by the authors of the study:
The conventional belief suggests that classified boards are disappearing from corporate America, particularly among well-established firms in the S&P 1500 Index. However, more recent findings indicate that young firms are increasingly likely to go public with a classified board and that, while the costs of having a classified board become significantly higher as firms mature, firms rarely opt to declassify their boards. We expand on these findings by examining a more comprehensive sample of firms over an extended period, uncovering new evidence of how and why the use of classified boards has evolved and its implications for shareholder value.
The study found that the prevalence of classified boards among S&P 1500 companies declined from 58% in the early 1990s to 31% in 2020, while the prevalence of classified boards outside the S&P 1500 rose from 42% to 52% over the same period. The study also found that as companies mature, they increasingly discard the classified board structure.
That wasn’t always the case. In the 1990s, the use of classified boards declined only slightly as firms matured, but that began to change during the first decade of this century, with the usage of staggered boards declining from 65% of the youngest firms to 46% among the most mature. That trend accelerated between 2011-2020 – while 73% of newly public companies had classified boards, only 33% of mature firms retained them.
This recent Ideagen/Audit Analytics blog notes that although lengthy auditor tenure is an area of concern among governance advocates, two dozen public companies have had the same auditor for more than a century! So which audit firms have managed to hold on to their audit clients for more than 100 years? This excerpt provides the answer:
PricewaterhouseCoopers (PwC), Deloitte and Ernst & Young (EY) are the only members of the US centenarian club. PwC audited eight of these companies, Deloitte audited six and EY was the auditor of record for the remaining 10 companies. The longest audit tenure on record was BCE Inc.’s (formerly known as Bell Canada Enterprises, Inc.) relationship with Deloitte, which has spanned 144 years.
The blog lists each of the US public companies that has retained the same auditor for over 100 years and discloses the name of that auditor. It also points out that the number of public companies that have had the same auditor for more than a century has doubled since 2016.
It’s long been an open secret that many Reg D issuers opt not to file a Form D for their offerings. One reason may be that the SEC hasn’t made non-compliance with Form D filing requirements an enforcement priority. That changed on Friday, when the SEC announced settled enforcement proceedings against three issuers that failed to make required Form D filings. This excerpt from the SEC’s press release explains the agency’s rationale for the actions:
An issuer’s failure to follow the requirements to file a Form D (or amend its existing Form D filing) impedes the Commission’s ability to fully assess the scope of the Regulation D market, which is key to the Commission’s understanding of whether Regulation D is appropriately balancing the need for investor protection on one hand and the furtherance of capital formation on the other, particularly as it relates to small businesses.
It also harms the Commission’s ability to monitor and enforce compliance with the requirements of Regulation D and the ability of state securities regulators and self-regulatory organizations to monitor and enforce other securities laws and rules. In addition, it hampers the ability of investors and other market participants to understand whether companies are complying with federal securities laws in their offerings, to research and analyze the Regulation D market, and to report on capital-raising in industries that use Regulation D.
Each of the issuers agreed to cease and desist from failing to comply with Rule 503 of Regulation D and agreed to pay civil penalties ranging from $60,000 to $195,000. In addition, the order in each of these actions points out that the offerings at issue involved general solicitation, which made the statutory Section 4(a)(2) exemption unavailable. (Keith Bishop has posted some thoughts on this topic over on his blog).
If the SEC’s goal is improved compliance with Rule 503’s filing requirement, then I think that in addition to “message cases” like these, the SEC should take a hard look at the information that it asks issuers to provide in a Form D. There’s a lot of stuff in there only a bureaucrat could love, and most issuers regard Form D as the Securities Act’s version of a “TPS Report.” But the bottom line is that if you don’t file a Form D, you’re not complying with the law, and you aren’t going to get a lot of sympathy from the Division of Enforcement.
One thing I’m not sure about is whether the cease-and-desist orders in these cases are regarded as an “order, judgment, or decree of any court of competent jurisdiction. . . enjoining such person for failure to comply with Rule 503. . . ” If so, the issuers also would be prohibited under Rule 507 from relying on Reg D absent a waiver from the SEC. My gut tells me that they are, but I’d think that’s something the SEC might highlight in its press release, which it didn’t do. If any SEC enforcement lawyers out there can enlighten me, I’d appreciate it – and I’ll update the blog.
On Friday, the SEC announced that EDGAR will be closed on Tuesday and Wednesday. The announcement noted that Christmas Eve is being treated as a federal holiday this year. Here’s the other relevant info from the SEC’s announcement:
Please be aware that on December 24, 2024 and December 25, 2024:
– EDGAR filing websites will not be operational.
– Filings will not be accepted in EDGAR.
– EDGAR Filer Support will be closed.
Filings required to be made on Tuesday, December 24 and Wednesday, December 25 will be considered timely if filed on December 26, 2024, EDGAR’s next operational business day.
This is our last blog before the holidays begin, and I know that this time of year makes a lot of people nostalgic, especially geriatrics like me. So, for my fellow boomers and our Gen X readers, here’s a link to a website featuring something that many of us remember fondly from our childhoods – decades of the Sears Holiday “Wishbook” and other holiday catalogues. Even if you’re not a boomer, I bet you’ll have fun visiting the National Toy Hall of Fame’s website. You’re sure to find at least a few of your childhood favorites here.
Merry Christmas and Happy Hanukkah to all those who celebrate! We’ll be back after the 25th, but blogging will be lighter than usual over the holidays.
I shared some D&O questionnaire considerations on The Proxy Season Blog in early December that I thought would be worth distributing more widely here since, after the holidays, proxy season will be “full steam ahead!” While SEC and US stock exchange rules don’t require significant adjustments to questionnaires this year, you may want to consider some potential updates — per this Bryan Cave blog and this Thompson Hine alert — given recent developments. Here are a few:
– In the section on director independence, expand the list of examples of material relationships to include close friendships or other close social ties with management, in light of the SEC settlement with a public company director, as discussed in our October 7, 2024 post.
– In the section on director expertise, collect information sufficient to assess the board’s skills cybersecurity expertise, even though the new rules do not require discussion of board-level expertise in this area.
– In the section on beneficial ownership, highlight or clarify the need to disclose margin loans or other form of pledges of issuer securities, in light of Carl Icahn’s settlement with the SEC, as discussed in our August 20, 2024 post. In addition, companies may wish to request confirmation that insiders have either not entered into, or terminated, any 10b5-1 or non-10b5-1 trading arrangements (as defined in Reg. S-K Item 408(c)) during the preceding fiscal year.
– In the section on Forms 4 and 5, remind insiders of the importance of reporting late or missed transactions, as well as the need to timely notify the company of changes in beneficial ownership, in light of the recent SEC enforcement sweep, as discussed in our October 3, 2024 post.
– In the undertakings: include the consent of the director for the disclosure regarding diversity for purposes of the Nasdaq diversity matrix or other disclosure a company may wish to make on this topic (and consider identifying any state law disclosure requirements, if applicable); and include the consent of the director or nominee to be included in the company’s proxy materials, as well as a nominee in a dissident’s proxy materials, should that become applicable, in light of universal proxy card rules.
– The SEC recently adopted amendments (collectively referred to as “EDGAR Next”) intended to enhance EDGAR’s security. Among other new requirements, applicants for EDGAR access will be required to disclose if the applicant, the account administrator(s), or the individual signing the Form ID has been convicted of or civilly or administratively enjoined, barred, suspended, or banned as a result of a federal or state securities violation. Companies may want to consider adding a question to their D&O questionnaires to address this new EDGAR Next requirement. Additionally, as the EDGAR Next question is not limited to the past 10 years, companies should carefully consider where to place the question in their D&O questionnaires.
For Nasdaq-listed companies, don’t forget to assess your approach to board diversity disclosures and update accordingly! And, as always, for 100+ pages of practical guidance, check out our “D&O Questionnaires Handbook.”