Cybersecurity issues continue to be a hot topic for companies. As discussed in my prior blog posts, “Get ready for increased cybersecurity disclosure requirements” and “SEC pushes for disclosure of hacking incidents”, the SEC continues to focus on cybersecurity and data breach items and has now begun to encourage public companies to disclose them, even in the absence of applicable rules or regulations. The only official guidance from the SEC on cybersecurity disclosure continues to be the disclosure guidelines provided in October 2011 in CF Disclosure Guidance: Topic No. 2 – Cybersecurity (the “Release”).

There has been some important movement on cybersecurity issues outside of the SEC. While this does not directly pertain to disclosure of these items, public companies should pay close attention to these developments since they may provide some valuable guidance in this area. These developments also confirm the importance of cybersecurity issues and support my position that the SEC will probably soon mandate additional disclosure requirements for cybersecurity items. 

On September 19, 2012, Senator John D. Rockefeller IV (D, West Va.) sent a letter to the CEOs of all Fortune 500 companies posing questions about these companies’ cybersecurity policies and related issues. His letter asked these companies to evaluate their roles and responsibilities in connection with cybersecurity legislation and reform and to work with the Federal government to successfully enact cybersecurity legislation. Responses to this letter are voluntary, but it is likely that most of these companies will respond in some fashion. The companies’ responses were requested by October 19, 2012.

Senator Rockefeller has long been a very strong proponent of cybersecurity legislation, and he is clearly frustrated with the lack of progress in this area. He was instrumental in the introduction of both the Cybersecurity Act of 2010 and the Cybersecurity Act of 2012, both of which failed to gain Senate approval. The proposed Cybersecurity Act of 2012 was defeated by a filibuster in August 2012, and in his letter Senator Rockefeller attributes this filibuster to opposition from business and trade groups, particularly the United States Chamber of Commerce. He has supported President Obama’s proposed use of an executive order to enact cybersecurity protection outside of the legislative process, and he references this in his letter. Based on the language of his letter, however,
Continue Reading Cybersecurity issues continue to draw attention

Photo by Giandomenico Ricci

On September 12, 2012, Apple, Inc. held a highly anticipated conference at which it announced the upcoming release of the latest model of the iPhone. These types of conferences have been part of Apple’s standard operations for many years and seem to be a key element of its marketing strategy. Although attendance is limited to select persons, many Apple enthusiasts are able to keep up to date on an almost real-time basis by following any one of the numerous live blogs that usually cover the events. However, the manner in which these conferences are conducted, notably some of the information disclosed during the presentations, may inadvertently run afoul of Regulation FD.

Regulation FD (Fair Disclosure) is an issuer disclosure rule that addresses selective disclosure. The regulation provides that when an issuer, or person acting on its behalf, discloses material nonpublic information to certain enumerated persons (in general, securities market professionals and holders of the issuer’s securities who may well trade on the basis of the information), it must make public disclosure of that information. The timing of the required public disclosure depends on whether the selective disclosure was intentional or non-intentional; for an intentional selective disclosure, the issuer must make public disclosure simultaneously; for a non-intentional disclosure, the issuer must make public disclosure promptly. Under the regulation, the required public disclosure may be made by filing or furnishing a Form 8-K, or by another method or combination of methods that is reasonably designed to effect broad, non-exclusionary distribution of the information to the public. 

As mentioned above, Regulation FD applies to disclosures of “material nonpublic” information about the issuer or its securities. The regulation does not define the terms “material” and “nonpublic,” but relies on existing definitions of these terms established in the case law. Generally speaking, information is material if “there is a substantial
Continue Reading Did Apple violate Regulation FD at its iPhone 5 release conference?

A number of well-known companies, including Zappos.com, Google, Quest Diagnostics, Eastman Chemical and AIG, have recently experienced actual or potential intrusions into their computer systems and related confidential data. Some of these incidents have been active criminal attacks by sophisticated hackers, while others have resulted from situations such as lost or stolen laptops. The frequency and severity of hacking incidents have been steadily increasing. In fact, virtually all companies today are subject to the risks of such incidents due to the widespread use of the Internet and information technology. The advent of a substantial mobile workforce, with workers accessing data remotely through smartphones, tablets, laptops and other devices, has also multiplied companies’ risks in this area.

As the risks have increased, the SEC has recently been increasing the pressure on public companies to disclose “hacking” and other cyberintrusion incidents in their regulatory filings. There are still no SEC rules governing such disclosure, but I believe that this has clearly become a high priority disclosure item. I also foresaw these increased cybersecurity disclosure requirements in my prior blog post (“Get Ready for Increased Cybersecurity Disclosure Requirements”). Public companies that experience a hacking or other cyberintrusion incident should carefully review the recent actions taken by the SEC and by other public companies that have experienced these incidents.

The SEC took a major step in encouraging disclosure of hacking and other cybersecurity items with its issuance of “2011 CF Disclosure Guidance: Topic No. 2 (Cybersecurity)” (the “Release”) in October 2011. This Release only provided general guidance on disclosure of cyber incidents. The SEC has not yet developed any rules or regulations on cybersecurity or hacking incident disclosure, although we believe that such rules and regulations will be enacted at some point soon. In any case, based on recent events it appears that the Commission is strongly encouraging such disclosure despite the lack of existing rules and, in some cases, engaging in de facto rulemaking.

Companies tend to resist disclosure of hacking incidents for several
Continue Reading SEC pushes for disclosure of hacking incidents

Finally, we have had some recent bipartisanship in Congress. The only problem, of course, is that the recent bipartisanship further burdened public companies with additional disclosure requirements. As Broc Romanek noted in his blog last week, Congress overwhelmingly passed the Iran Threat Reduction and Syria Human Rights Act of 2012, requiring public companies to disclose to the SEC their dealings with Iran.

As we have been blogging about for nearly a year, Congress has picked up a bad habit of burdening public companies in advancing an agenda that has nothing to do with the protection of investors. These so-called “social disclosures” (many of which are really “political” – or politically motivated – disclosures), while arguably related to important issues, burden public companies with specific tasks to compile and disclose certain information. These same burdens, however, are not placed on private companies. Yet Congressman Darrell Issa, the Chairman of the House Committee on Oversight and Government Reform, has been demanding to know why there are fewer public companies today as compared to a decade ago.

To be fair, I note that the House has recently passed (in bipartisan fashion) HR 4078, the Red Tape Reduction and Small Business Job Creation Act, which would limit the ability of the SEC to add more regulatory burden on public companies, but given recent Congressional acts, HR 4078 appears to be more a case of “Do as I say and not as I do.” For example, Congress passed the American Jobs Creation Act of 2004, which requires public companies to disclose in their Form 10-K if the company incurs a specific type of tax penalty from the IRS involving abusive or tax avoidance (shelter) transactions. More recently, as everyone is keenly aware, laws have passed pertaining to conflict minerals, mine safety, and executive compensation pay ratios. Laws that have been proposed, but have not passed (yet), include
Continue Reading You asked for it: Bipartisan agreement in congress

New mandated cybersecurity disclosure requirements appear to be imminent. Cybersecurity has become a critical issue for most companies, and almost all companies today face cybersecurity risks due to the substantial increases in the volume of data and information stored online, the rise of multiple platforms for accessing data and the sophistication of criminal hackers. Cyber incidents such as a data breach or an intrusion into a company’s systems can have very negative and expensive results. These risks are considerably higher for any company that stores personal information or that operates in a regulated industry such as financial services or health care. Despite this significant increase in cybersecurity risks and the liabilities associated with such cyber incidents, however, public companies to date have had very little guidance regarding their disclosure obligations in this area.

The primary guidance that the SEC has issued on cybersecurity disclosure to date has been the 2011 CF Disclosure Guidance: Topic No. 2 (Cybersecurity) (the “Release”) issued by the SEC’s Division of Corporation Finance on October 13, 2011. This Release was helpful in that it gave some indication of the Division of Corporation Finance’s positions on cybersecurity issues and cyber incidents. The Release provided only overall guidance, however, and did not provide detailed information or instructions on cyber disclosure. Additionally, the Release did not contain official SEC rules or regulations. Accordingly, companies could use the Release for broad principles but were still left to develop disclosure information about cybersecurity and other similar matters based on their own evaluations of what should be disclosed.

Under the Release, some of the items that public companies are advised to address include:

  1. review the adequacy of their disclosure regarding cybersecurity and cyber incidents on a regular basis;
  2. disclose the risks of cyber incidents in “Risk Factors” if these items are significant risk factors that would make an investment in the company speculative or risky;
  3. disclose known or threatened cyber incidents;
  4. address cybersecurity risks and cyber incidents in the company’s Management’s Discussion and Analysis if the costs or other consequences associated with such incidents are reasonably likely to have a material effect on the company’s results of operations, liquidity or financial condition, or would cause reported financial information not to be indicative of future operating results or financial condition;
  5. disclose a cyber incident in “Description of Business” if the cyber incident materially affected the company’s products, services, relationships with customers or suppliers or competitive conditions;
Continue Reading Get ready for increased cybersecurity disclosure requirements

The “Risk Factors” section of any disclosure document is vital to the protection of the issuer. Generations of securities lawyers and accountants have worked into the night to develop lists of risks that would make any sane potential investor run away screaming. Most of us have seen innumerable examples of conventional risk factors like competition, legal and regulatory changes, impact of the loss of key personnel and others. Many of these risk factors are virtually identical regardless of the issuer’s industry space, and it’s doubtful that many readers of disclosure materials pay much attention to these risk factors.

The new breed of public technology companies, however, presents some novel and interesting risks. The disclosure of these risks still strives to protect the issuer and to give the potential purchaser the relevant information necessary to make an informed investment decision, but it focuses on areas that are quite different from the disclosures used by more conventional companies. These technology company disclosure documents still contain many conventional risk factors, but it’s interesting to see the new areas that are considered material risks for these companies.

Here are several of the key items that have been used as material risk factors in recent disclosure documents filed by prominent technology companies:

Data Security. This is a very hot issue for most technology companies these days, especially in the social media space. Facebook is a great example, as it has data from close to 900 million users. LinkedIn has similar dynamics and issues on a smaller scale. A data breach for any of these companies would have huge legal ramifications, as state, Federal and international regulatory authorities and private plaintiffs would quickly react. LinkedIn recently experienced these negative ramifications first hand, as it was sued for $5 million in connection with its recent data breach. The potential damage to a company’s brand and credibility could also be significant. The Facebook prospectus and the LinkedIn prospectus contain good examples of this risk factor language. The SEC also offered some guidance on this topic in “CF Disclosure Guidance Topic No. 2 – Cybersecurity”.
Continue Reading That sounds risky: New generation of risk factors for technology companies

The SEC Division of Corporation Finance recently issued guidance to smaller financial institutions concerning Management’s Discussion and Analysis and accounting policy disclosures. The guidance can be found in CF Disclosure Guidance: Topic No. 5, dated April 20, 2012, and amounts to rules to follow for future filings that should not be ignored.

The Division

Recent comments from SEC Commissioner Luis Aguilar indicate that the SEC may consider new rules that would require public companies to disclose political expenditures. In his recent speech from February 24, 2012, Commissioner Aguilar informally called on the SEC to adopt political spending disclosure rules in light of the landmark U.S. Supreme Court case Citizens United v. Federal Election Commission, which struck down federal restrictions on corporate political spending as unconstitutional. Although public companies are still restricted from directly contributing corporate funds to political candidates, they are permitted to contribute funds for campaign advertisements that support or oppose political candidates. Additionally, companies may contribute to independent organizations that engage in political advertising or lobbying.

We previously blogged about a petition which was submitted by a group of ten law professors in response to the Supreme Court’s opinion in Citizens United asking the SEC to consider adopting rules that would require public companies to make disclosures about their political contributions. The petition was prompted by, among other things, the Court’s assertion that procedures of corporate democracy would be a means by which shareholders could monitor the use of corporate assets for political purposes and also effect corporate change where such political purposes were inconsistent with shareholder interests. As the petitioners pointed out, the Court’s reasoning is partially based on the assumption that shareholders have access to information concerning a company’s political spending. While certain companies voluntarily make political spending disclosures in their public filings with the SEC, there are currently no rules or regulations that require a company to make such disclosures.
Continue Reading Are more disclosure requirements for public companies in the works?

As mentioned on Broc and Dave’s Blog and in a recent article by Bloomberg, the conflict minerals disclosure rule required by the Dodd-Frank Act appears to be close to final. These proposed rules are highly controversial because of the estimated high costs for public companies to comply with the new rules compared to the small perceived benefit to investors. In fact, we have previously blogged regarding the likelihood that the SEC has grossly underestimated the compliance costs.

Under the proposed conflict minerals rules, companies must disclose whether certain minerals used in their production chains originate from the Democratic Republic of the Congo or its neighboring countries. Minerals sourced from these areas of central Africa often fund the operations of militia and other military groups, which have exacerbated internal conflicts and human rights violations. Congress believes that, by requiring these disclosures, public companies may be encouraged to seek alternative sources, materials, or suppliers in order to project a more socially responsible image to consumers.

In a letter to the SEC, Senator Leahy and other members of Congress have taken issue with the proposed final rules apparently circulating around the Capitol. In the letter, the Senator and his colleagues have informed the SEC that they believe the proposed final rules contravene Congress’s legislative intent by allowing the conflict minerals reports to be “furnished” rather than “filed.” The difference, of course, is not just semantics. Items “filed” in periodic reports are subject to liability under the Securities Act of 1933, including Section 11 and Section 12(a)(2), because the information is incorporated by reference into Securities Act registration statements. Items “furnished” are subject only to liability under the Securities Exchange Act of 1934, primarily Rule 10b-5. Because Section 11 liability presents essentially “strict liability” for issuers, it would be much easier for a plaintiff to win a judgment against an issuer for faulty conflict minerals disclosure if the disclosure is “filed” rather than “furnished.”

Whether or not the legislative intent espoused by Senator Leahy in his letter is correct, we believe the foundation of the entire law is flawed. As we have blogged before, we strongly disagree with the increasing frequency with which social policy has been woven
Continue Reading Conflict minerals rule may be reaching a conclusion

Risks of Cyber Attacks

If you are an executive of a public company, new SEC guidance requires you to consider cybersecurity in your ongoing periodic reports. As evidenced by the barrage of news reports over the past couple of years, cyber incidents have become very significant events for all types of companies. A recent example was the data breach of Sony Corporation’s PlayStation Network. These cyber incidents can cause companies to spend substantial amounts of money and time to attempt to reduce or correct the associated damage, including significant reputational damage. All companies must make significant capital investments in systems and measures designed to prevent future cyber incidents or at least mitigate their harmful effects. Unfortunately, the number of cyber incidents will continue to increase, and the tactics used by hackers will become more sophisticated and harder to prevent and control.

Congress Gets Involved

Last year, a group of U.S. senators recognized that cybersecurity incidents and the associated costs were a major risk for many companies and that many public companies were not adequately disclosing these events. The senators also recognized the growing risks of cybersecurity and cyber incidents, and that there was very little guidance for public companies on their disclosure responsibilities in connection with cybersecurity. These senators wrote a letter to SEC Chairman Schapiro asking for some interpretive guidance on how to address disclosure of cybersecurity and cyber incidents and the associated risks and economic effects.

SEC Sets Expectations

In response to the Senate inquiry, the SEC recently issued CF Disclosure Guidance: Topic No. 2 (the “Disclosure Guidance”), which set forth the SEC’s expectations of public company cybersecurity disclosure. Public companies of all sizes and industries should
Continue Reading New Cybersecurity Disclosure Obligations for SEC Filings