Capital Markets & Public Companies Quarterly: SEC Issues Cybersecurity Guidance, BlackRock and Gender Diversity, and News from the SEC and NYSE

Overview


In a telling sign of current events, the SEC staff provided supplemental guidance related to the disclosure of cybersecurity risks and incidents, adding new commentary to its rules regarding disclosure and company controls. In addition, BlackRock, Inc. has joined other institutional investors in pushing for greater diversity in the boardroom.

Our quarterly update also covers an enforcement action challenging a company’s reliance on Rule 701, a no-action letter interpreting recent SEC guidance on shareholder proposals and a new NYSE rule regarding the delivery of proxy materials.

In Depth


New SEC Statement and Guidance on Public Company Cybersecurity Disclosures

On February 26, 2018, the US Securities and Exchange Commission (SEC) staff released the Commission Statement and Guidance on Public Company Cybersecurity Disclosures. Coming on the heels of the Equifax data breach and ominously predating the more recent revelations from Facebook, the interpretive guidance does not create any new disclosure requirements; rather, it urges public companies to engage in a more robust disclosure of material cybersecurity risks and incidents and to consider how such disclosures may be prompted under existing disclosure requirements.

Supplementing the SEC’s 2011 guidance on cybersecurity disclosure, the new guidance summarizes the ways in which cybersecurity risks or incidents may be described in disclosures that are generally required of public companies within their periodic and current reports. While many companies have integrated cybersecurity disclosure into their annual and quarterly risk factor disclosure, the SEC staff’s guidance also illustrates that disclosure of cybersecurity risks and preventative measures may be appropriate throughout an issuer’s annual and/or quarterly report, including in sections dealing with business and operations, risk factors, legal proceedings, financial performance and corporate governance. The SEC staff requested that public companies tailor and contextualize their disclosure and avoid boilerplate or generic language. However, the SEC staff provided that the disclosures need not be so specific as to provide a roadmap for any bad actor seeking to penetrate a company’s cybersecurity protections.

The guidance also urges public companies to re-examine the sufficiency of their controls and procedures with regard to cybersecurity risks and incidents. After reminding public companies of their obligation to maintain disclosure controls and procedures, the guidance encourages public companies to develop a protocol for determining the potential materiality of any cyber risk or incident and emphasizes that the goals of effective disclosure are likely best served when information regarding cybersecurity risks and incidents reaches the public company’s directors, officers and other persons responsible for developing and overseeing its disclosure controls and procedures. The SEC staff acknowledged that companies may require time to discern the true impact of a cybersecurity incident, while also cautioning that time for consideration did not remove the company’s duty to timely disclose or to correct prior disclosures that become materially inaccurate.

The guidance ended by warning public companies against trading in their securities by corporate insiders with knowledge of a material non-public cybersecurity risk or incident, as evidenced by recent SEC enforcement activity. The SEC staff also warned of the related risk regarding the selective disclosure of cybersecurity incidents and the prohibitions of Regulation Fair Disclosure (FD) with regard to selective disclosure of material non-public information.

For more on this topic, see SEC Issues Cybersecurity Guidance to Public Companies published in Corporate Counsel. You can also get the latest updates on privacy and cybersecurity regulation from McDermott’s Global Privacy and Cybersecurity practice.

BlackRock Proxy Voting Guidelines Update

In February, BlackRock, Inc. (BlackRock) published updated proxy voting guidelines in which it stated that it would “expect boards to be comprised of a diverse selection of individuals” to facilitate an environment for constructive debate of competing views and opinions. In addition, the guidelines explicitly note that BlackRock “would normally expect to see at least two women directors on every board.” For companies that have not adequately accounted for diversity in their board composition, BlackRock “may vote against the nominating/governance committee members.”

The guidelines follow on Larry Fink’s annual letter to CEOs, in which he wrote that BlackRock will continue to “emphasize the importance of a diverse board,” and that “boards with a diverse mix of genders, ethnicities, career experiences, and ways of thinking have, as a result, a more diverse and aware mindset.” Following the release of the guidelines, Michelle Edkins, BlackRock’s global head of investment stewardship, also sent letters to approximately 300 companies in the Russell 1000 that have fewer than two women on their boards, asking them to disclose how they are approaching diversity in their workplace. The letter advised that “a lack of diversity on the board undermines its ability to make effective strategic decisions. That, in turn, inhibits the company’s capacity for long-term growth.”

Through these actions, BlackRock joins other shareholders and shareholder groups that are taking a stronger position with regard to gender representation on public company boards. On March 21, 2018, the New York State Common Retirement Fund announced that it intends to oppose the re-election of all directors at hundreds of US corporate boards that have no women on their boards. Last year, proxy advisory firms Glass Lewis and Institutional Shareholder Services also released voting guidelines noting gender diversity issues in corporate boards, and expressed their intentions to highlight or generally discourage the re-election of boards with no women directors or support proposals requesting reports on a company’s efforts to diversify the board, respectively.

For additional commentary on BlackRock’s proxy voting guidelines and other examples of the influence of pension funds and asset managers on corporate governance, see the March issue of Corporate Law & Governance Update.

Rule 701 Enforcement Action

On March 12, 2018, the SEC instituted cease-and-desist proceedings against Credit Karma, Inc., a San Francisco-based financial technology company, for the unregistered issuance of $13.8 million in stock options to its employees without following the financial information and risk disclosure requirements of Rule 701 of the Securities Act.

Under Rule 701, a private company may issue its securities to employees pursuant to a written compensatory benefit plan without registering the securities under the Securities Act. The number of securities that may be annually issued under Rule 701 is limited by the dollar amount of the offering, the total assets of the company and the number of its securities that are outstanding. If the value of securities issued over a 12-month period exceeds $5 million, the company must provide its employees information regarding the risks associated with an investment in the securities and certain financial statements of the company. According to the order, Credit Karma attempted to rely on Rule 701, but failed to follow these disclosure requirements. Per the order, Credit Karma agreed to pay a civil money penalty of $160,000.

In the current climate of emerging companies, one that continues to reward employees with grants of stock, options and (perhaps) tokens, coins or other securities, the order is a reminder of the SEC’s willingness to investigate and enforce violations of Rule 701 and other exemptions from registration. The order is also a reminder that exemptions from registration may come with “strings attached” and companies should remain vigilant of how their actions may trigger additional regulatory requirements.

SEC No-Action Letter Permits Omission of Shareholder Proposal in Reliance on Rule 14a-8(i)(5)

Following the SEC’s recent interpretive guidance on shareholder proposals (as covered in our last quarterly update), on February 22, 2018, the SEC staff issued a no-action letter permitting the omission of a shareholder proposal under Rule 14a-8(i)(5) of the Exchange Act, also known as the “economic relevance” exception. The permitted exclusion may mark the return to relevance of a substantive exclusion which had been largely rejected by the courts and the SEC.

The “economic relevance” exception permits a company to exclude a proposal that “relates to operations which account for less than 5 percent of the company’s total assets at the end of its most recent fiscal year, and for less than 5 percent of its net earnings and gross sales for its most recent fiscal year, and is not otherwise significantly related to the company’s business.” After the District Court for the District of Columbia’s decision in Lovenheim v. Iroquois Brands, Ltd., 618 F. Supp. 554 (D.D.C. 1985), the SEC staff had narrowed its application of the exception to allow only the exclusion of proposals that touch on matters “not significantly related to the issuer’s business.” This more limited reading has largely negated company attempts to exclude proposals that raise issues of social significance, even when the subject matter falls below the economic thresholds set forth in the rule. However, it appears that Staff Legal Bulletin No. 14I may have brought this exclusion back to life.

The shareholder proposal at issue, which was submitted to Dunkin’ Brands Group, Inc., requested that the board issue a report assessing the environmental impacts of continuing to use the company’s K-Cup Pods brand packaging. The no-action letter highlighted the following grounds for permitting the omission of the proposal:

(1) the proposal relates to operations that account for less than 5 percent of the Company’s total assets at the end of its most recent fiscal year;

(2) the proposal relates to operations that account for less than 5 percent of the Company’s net earnings and gross sales for its most recent fiscal year;

(3) the proposal’s significance to the company’s business is not apparent on its face; and

(4) the proponent of the proposal has not demonstrated that the subject matter of the proposal is otherwise significantly related to the company’s business.

Assuming these conditions are satisfied, the SEC may permit the omission of a shareholder proposal under the “economic relevance” exception.

NYSE Amends Requirement for Delivery of Proxy Materials

On March 1, 2018, the SEC approved a New York Stock Exchange (NYSE) proposed rule change, limiting the requirement that public companies physically deliver proxy materials to NYSE. The amendments to Section 402.01 and Section 204.00(B) of the NYSE Listing Manual eliminate the requirement for listed companies to provide physical copies of proxy materials to the NYSE, so long as the proxy materials are included in an electronic SEC filing available on EDGAR. The only caveat to this rule applies where the proxy materials are available on EDGAR, but were “not filed pursuant to Schedule 14A” under the Securities Exchange Act of 1934 (such as proxy materials filed on Form S-4 or by foreign private issuers that file proxy materials under Form 8-K or Form 6-K), in which case the company must provide the NYSE with information sufficient to identify such EDGAR filing not later than the date on which the material is sent or given to any security holders using one of the means specified in Section 204.00(A).

Any listed company that does not include proxy materials in their entirety in an SEC filing on EDGAR must provide the NYSE with three copies of the definitive proxy materials not later than the date on which the materials are sent or given to any security holder.