New mandated cybersecurity disclosure requirements appear to be imminent. Cybersecurity has become a critical issue for most companies, and almost all companies today face cybersecurity risks due to the substantial increases in the volume of data and information stored online, the rise of multiple platforms for accessing data and the sophistication of criminal hackers. Cyber incidents such as a data breach or an intrusion into a company’s systems can have very negative and expensive results. These risks are considerably higher for any company that stores personal information or that operates in a regulated industry such as financial services or health care. Despite this significant increase in cybersecurity risks and the liabilities associated with such cyber incidents, however, public companies to date have had very little guidance regarding their disclosure obligations in this area.

The primary guidance that the SEC has issued on cybersecurity disclosure to date has been the 2011 CF Disclosure Guidance:  Topic No. 2 (Cybersecurity) (the “Release”) issued by the SEC’s Division of Corporation Finance on October 13, 2011. This Release was helpful in that it gave some indication of the Division of Corporation Finance’s positions on cybersecurity issues and cyber incidents. The Release provided overall guidance, however, and did not provide detailed information or instructions on cyber disclosure. Additionally, the Release did not contain official SEC rules or regulations. Accordingly, companies could use the Release for broad principles but were still left to develop disclosure information about cybersecurity and other similar matters based on their own evaluations of what should be disclosed.

Under the Release, some of the items that public companies are advised to address include:

  1. review the adequacy of their disclosure regarding cybersecurity and cyber incidents on a regular basis;
  2. disclose the risks of cyber incidents in “Risk Factors” if these items are significant risk factors that would make an investment in the company speculative or risky;
  3. disclose known or threatened cyber incidents;
  4. address cybersecurity risks and cyber incidents in the Company’s Management’s Discussion and Analysis if the costs or other consequences associated with such incidents are reasonably likely to have a material effect on the Company’s results of operations, liquidity or financial condition or would cause reported financial information to not be indicative of future operating results or financial condition;
  5. disclose a cyber incident in “Description of Business” if the cyber incident materially affected the company’s products, services, relationships with customers or suppliers or competitive conditions;
    Continue Reading Get ready for increased cybersecurity disclosure requirements

The “Risk Factors” section of any disclosure document is vital to the protection of the issuer. Generations of securities lawyers and accountants have worked into the night to develop lists of risks that would make any sane potential investor run away screaming. Most of us have seen innumerable examples of conventional risk factors like competition, legal and regulatory changes, impact of the loss of key personnel and others. Many of these risk factors are virtually identical regardless of the issuer’s industry space, and it’s doubtful that many readers of disclosure materials pay much attention to these risk factors.

The new breed of public technology companies, however, present some novel and interesting risks. The disclosure of these risks still strives to protect the issuer and give the potential purchaser the relevant information necessary to make an informed investment decision, but they focus on areas that are quite different from the disclosures used by more conventional companies. These technology company disclosure documents still contain many conventional risk factors, but it’s interesting to see the new areas that are considered material risks for these companies.

Here are several of the key items that been used as material risk factors in recent technology company disclosure documents filed by prominent technology companies:

Data Security.  This is a very hot issue for most technology companies these days, especially in the social media space. Facebook is a great example, as it has data from close to 900 million users. LinkedIn has similar dynamics and issues on a smaller scale. A data breach for any of these companies would have huge legal ramifications, as state, Federal and international regulatory authorities and private plaintiffs would quickly react. LinkedIn recently experienced these negative ramifications first hand as it was sued for $5 million in connection with its recent data breach.  The potential damage to a company’s brand and credibility could also be significant.  Click here for language from the Facebook prospectus and the LinkedIn prospectus as good examples. The SEC also offered some guidance on this topic in “CF Disclosure Guidance Topic No. 2 – Cybersecurity”.
Continue Reading That sounds risky: New generation of risk factors for technology companies

Facebook’s IPO seemed like a sure thing only a short time ago. This iconic leader in the technology space led by a charismatic CEO seemed destined to have a blockbuster IPO. The IPO encountered a number of substantial problems and challenges, however, and the stock’s post-IPO performance has been far less than stellar, with none of the big increase in the stock price that was widely anticipated. This IPO is now widely viewed as flawed and as a failure in many respects.

 After three full trading days, Facebook’s shares are trading about 16% below the IPO price. The stock closed slightly above its IPO price on its first day of trading, but this only happened because the underwriters bought enough shares to support the stock. A variety of problems contributed to this poor debut, including the sale of large blocks of stock by existing Facebook shareholders, General Motors’ last minute decision to curtail substantial advertising on Facebook, a negative assessment of Facebook’s second quarter revenue forecast by analysts for the lead underwriter (which was allegedly only shared with potential large institutional purchasers), strange technical glitches at NASDAQ and the underwriters’ decision to increase both the number of shares sold and the offering price. Facebook’s final IPO prospectus can be found here.

The stock’s performance suggests that the underwriters’ original valuation ($34 per share) was only slightly higher than the company’s valuation as perceived by investors. The decision to take the IPO price to $38 per share increased the valuation beyond this perceived fair value. The subsequent decline in the stock value has taken the stock price down to a level that the market perceives is reasonable.

While Facebook’s current and prospective problems are daunting, the company was able to raise a huge amount of money at a premium to its actual value, so the IPO transaction was beneficial to the company. This is understandable given the tremendous demand for the stock that existed prior to the IPO, even in light of the problems that existed. The post-IPO results so far, while disappointing when compared to other technology IPOs, are short term and will correct themselves if the company increases its value. I’m actually surprised that the IPO price was as low as it was given the extremely high profile of this offering, but the significant negative factors that surrounded the offering contributed to this. In any case the company’s final valuation was still a huge multiple of historical earnings.

Continue Reading The Facebook IPO – From Sure Thing to Big Mess

One of the most well-known and popular Internet companies, Groupon, Inc., has again encountered significant accounting problems. These problems appear to be potentially severe. This situation is very negative for Groupon, but it also has troubling ramifications for the entire technology industry and especially for technology companies that have recently gone public. There is

On February 13, 2012, the Securities and Exchange Commission issued a No-Action Letter to the Fenwick & West LLP law firm. This No-Action Letter is good news for private companies that are approaching the statutory 500 shareholder limit (which would generally require them to register as public reporting companies under Section 12(g) of the Securities Exchange Act of 1934). Exceeding this limit can be very painful for a company, as it may be forced to register its class of shares under the Securities Exchange Act of 1934, which would require significant disclosures of information (the same as if it had undertaken an initial public offering) without realizing any of the benefits of public company status. The No-Action Letter will allow private companies to issue certain equity-based compensation to employees, directors and some consultants without triggering the reporting requirements of the 500 shareholder limit. Fenwick’s original request for the No Action Letter (which describes the background of this situation) can be found here.

Fenwick is the law firm that represents Facebook in its current initial public offering. Fenwick had previously sought and obtained similar relief specifically for Facebook in 2008. In this No-Action Letter, however, Fenwick obtained a much broader exemption from the SEC on this issue. Since the No-Action Letter was issued to the law firm rather than to a single company, the relief from these public reporting requirements should be very broad and should be applicable to any company whose situation is close enough to that described by Fenwick in its request for the No-Action Letter.

The situation that Fenwick used here involved “restricted stock units” (“RSUs”). RSU’s as described by Fenwick in the No Action Letter are equity compensation vehicles that generally entitle the holder to receive shares of a company’s common stock if certain future conditions are met before the RSUs expire. These RSUs are widely used by some companies, but there was a question regarding whether the issuance of an RSU caused the recipient to become a shareholder of the company, thus increasing the number of total shareholders and potentially causing the company to exceed the 500 shareholder limit.
Continue Reading SEC’s No-Action Letter is good news for pre-IPO companies

Risks of Cyber Attacks

If you are an executive for a public company, new SEC guidance requires you to consider cybersecurity in your ongoing periodic reports.  As evidenced by the barrage of news reports over the past couple of years, cyber incidents have become very significant events for all types of companies.  A recent example was the data breach of Sony Corporation’s Playstation Network.  These cyber incidents can cause companies to spend substantial amounts of money and time to attempt to reduce or correct the associated damage, including significant reputational damage.  All companies must make significant capital investments for systems and measures designed to prevent future cyber incidents or at least mitigate their harmful effects. Unfortunately, the number of cyber incidents will continue to increase, and the tactics used by hackers will become more sophisticated and harder to prevent and control.

Congress Gets Involved

Last year, a group of U.S. senators recognized that cybersecurity incidents and the associated costs were a major risk for many companies and that many public companies were not adequately disclosing these events. The Senators also recognized the growing risks of cybersecurity and cyber incidents, and that there was very little guidance for public companies on their disclosure responsibilities in connection with cybersecurity. These senators wrote a letter to SEC Chairman Shapiro asking for some interpretative guidance on how to address disclosure of cybersecurity and cyber incidents and the associated risks and economic effects.

SEC Sets Expectations

In response to the Senate inquiry, the SEC recently issued CF Disclosure Guidance:  Topic No. 2 (the “Disclosure Guidance”), which set forth the SEC’s expectations of public company cybersecurity disclosure. Public companies of all sizes and industries should
Continue Reading New Cybersecurity Disclosure Obligations for SEC Filings

Some of the best known names in technology were able to conduct initial public offerings during 2011. These included technology companies like LinkedIn, Pandora, Groupon, Zillow, Demand Media and others. This will likely continue tomorrow as one of the most highly anticipated technology company offerings of the year (Zynga, a developer of online games for Facebook) is scheduled to price its IPO tonight.

The markets remained fairly receptive to these technology IPOs throughout 2011. This is impressive given the general poor state of the capital markets and the high degree of skepticism that greeted many transactions in other industries. Companies from many other industries found themselves either shut out of the capital markets or unable to easily access capital.

Many of these high profile technology companies have been able to maintain or show an increase from their IPO price. Based on recent information, LinkedIn, Groupon and Zillow are all trading well above their IPO prices. This is again impressive given the overall status of the capital markets. Not all technology companies have been successful in the public arena, however, as Pandora, Demand Media and others currently trade well below their IPO prices. The general feeling among investors seems to be that they are satisfied with most of these technology companies for now, but there is also an undercurrent of skepticism.

Of course, the most highly anticipated technology IPO (and one of the most highly anticipated IPOs in history) may occur in 2012 if Facebook elects to proceed with its offering. There is no way to tell if this will happen, but there have been an increasing number of signs that Facebook is going in this direction.

All of these public technology companies face some serious fundamental questions and issues, and the resolution of these questions and issues will determine the long-term success or failure of these technology companies as public entities. The questions surrounding these companies mainly relate to basic business issues such as the long-term viability of their business models and their ability to establish and maintain sustainable and profitable business operations over time. Even though investors
Continue Reading Technology IPOs – Where Do We Go From Here?

The economic events of recent years have hit small companies particularly hard. While virtually everyone has suffered, small companies endured a double hit as they experienced substantial challenges to sales and profitability as well as a widespread inability to raise capital. This inability to raise capital was made worse by these economic events, but the current capital raising regulatory structure was also a major contributing factor. Fortunately these negative events appear to have generated some potential changes in the small company capital raising arena that could be very beneficial. These changes still face a number of challenges, but momentum appears to be building in their favor.

Small companies have historically faced a number of significant regulatory challenges and compliance requirements when raising capital. Some of these problems are the result of outdated compliance requirements that do not reflect the current small company situation. Other problems have resulted from “one size fits all” compliance requirements that do not contemplate the special needs of small companies and the economic restrictions under which many of them operate. The net result has been that small companies have been restricted in many situations in their ability to raise capital. This has been a particular problem in connection with public securities offerings by small companies.

In response to these concerns, several legislators in both the House and the Senate have submitted legislative proposals that are designed to ease the regulatory burdens on small companies in the capital raising process and to ensure that such regulatory burdens correctly reflect small companies’ situations. One significant proposal would increase the offering limits for Regulation A offerings from the current $5 million level to $50 million. Regulation A has been available as an exemption from registration under the Securities Act of 1933 for a long time, but historically it has not been used very often. This is probably primarily due to the relatively low offering limit. Regulation A contains some fairly substantial benefits for issuers, including the ability to solicit indications of potential interest from investors before an offering by use of several forms of media (although state laws may have an impact here). A substantially increased upper limit on Regulation A offerings could be a significant advantage to small companies’ capital raising efforts.
Continue Reading Positive Events in Small Company Capital Raising Arena

We have recently experienced some of the worst financial and economic conditions that we (hopefully) will see in our lifetimes. Most of us have been touched personally by these conditions. It appears that economic and financial conditions will continue to get better, but these situations have created some ongoing challenges that will continue to face early stage companies and entrepreneurs even under better conditions. 

The apparent changes in the traditional roles of the venture capital, private equity and angel investing models are some of the changes that will impact early stage companies. This appears to be the “new normal” for the financing of early stage companies.  Financing from venture capital and angel investor sources has historically been a vital source of funding for early stage companies.  Most early stage companies are not able to qualify for bank financing and are too early for private equity financing. Venture capital and angel investor financing traditionally stepped into this gap and gave these companies the critical financing that they needed to survive and expand. Private equity firms tended to remain out of the early stage financing arena until a company had reached a certain level of revenues or profitability.

This traditional financing model has changed.  Many private equity firms have shifted their investment focus to an even more mature class of companies. There has been a concurrent shift in focus by venture capital firms as many of them have also shifted their investment focus to more mature companies and are subjecting target companies to stricter investment criteria.

These shifts in investment focus are understandable, but they have significantly reduced the availability of crucial funding sources for early stage companies. These shifts happened at a very tough time for most small companies as they tried to recover from bad economic conditions.  This reduction in financing opportunities coupled with the overall slow pace of the economic recovery has caused a dire situation for many early stage companies and entrepreneurs.  Fortunately several events have occurred that should help to fill this financing gap.
Continue Reading Financing Early Stage Companies–Dealing With the “New Normal”