Public Companies Update – November One-Minute Reads

Appeals court orders SEC to repair share repurchase rules

Our May 2023 One-Minute Reads discussed the Securities and Exchange Commission’s adoption of final rules regarding share repurchase disclosures. In response, the US Chamber of Commerce brought a suit in the US Court of Appeals for the Fifth Circuit against the SEC to prevent implementation of these new share repurchase rules.

One argument proffered by the petitioners in the case was that the SEC acted arbitrarily and capriciously in adopting the final rules by not considering comments or conducting a proper cost benefit analysis. On October 31, the three-judge panel issued its opinion and granted the petition, holding that the SEC violated the Administrative Procedure Act by acting arbitrarily and capriciously for failing to substantiate the rule’s benefits and costs and applying inconsistent logic. Importantly, the court did not vacate the rule – it instead remanded the rule back to the SEC for 30 days to attempt to repair the defects. Now we wait and see whether the SEC can adequately repair the defects or if the court ultimately will vacate the rule. For more information on the rules, see this May 8 Cooley client alert and this May 8 Cooley PubCo blog post. To learn more about the suit, refer to this November 2 Cooley PubCo blog post.

SEC charges CISO in enforcement action

In June, SolarWinds filed an 8-K in which it announced that certain of its current and former executive officers and employees, including its chief information security officer (CISO), received “Wells Notices” from the SEC in connection with the investigation into the prominent Russian cyberattack against the company. Then, on October 30, the SEC announced charges against the company and its CISO for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities. Per the press release, the SEC’s filing alleges that during the two-year period between the company’s October 2018 initial public offering and the December 2020 announcement of the cyberattack, “SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and [the CISO] knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.”

The filing is the latest SEC enforcement action highlighting the use of hypothetical risk factors when a risk has come to fruition, as well as yet another action in which the SEC has focused on inadequate controls. SEC Division of Enforcement Director Gurbir S. Grewal noted that the enforcement action “underscores [the SEC’s] message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.” Notably, the complaint implies the SEC found it important that the CISO was an officer at the time of these events and signed sub-certifications attesting to the adequacy of the company’s cybersecurity internal controls. For more information about the enforcement action, refer to this November 1 Cooley PubCo blog post.

Gensler talks climate after California representatives request Scope 3 reporting requirements

On October 26, SEC Chair Gary Gensler spoke with the US Chamber of Commerce’s Center for Capital Markets Competitiveness on recent climate disclosure developments. In his introduction to the conversation, the center's president and CEO highlighted his concern that climate requirements being imposed by several different jurisdictions will result in companies facing duplicate, differing, overlapping and even conflicting requirements. In responding to this critique, Gensler noted the SEC’s remit to improve the capital markets for investors and issuers, not to regulate climate, and repeatedly hammered home that the SEC is focused on US law as interpreted by US courts, not other jurisdictions. The discussion then turned to the SEC’s proposal, with Gensler discussing the contents of the 16,000 comment letters the SEC has received on it, followed by some back-and-forth on the benefits of certain aspects of the proposal, including the Scope 3 reporting requirement. For a detailed summary of the discussion, refer to this October 30 Cooley PubCo blog post.

On the topic of the Scope 3 requirement included in the SEC’s proposal (but separate from the discussion), 26 California representatives in Congress sent a letter to Gensler in mid-October urging inclusion of Scope 3 reporting requirements in the final rules, reasoning that the additional cost of compliance for companies subject to California’s new climate disclosure laws will be negligible. For more information on the California rules, refer to our October One-Minute Reads.

SEC approves Nasdaq proposal regarding reverse stock splits

Our August One-Minute Reads discussed Nasdaq’s filing of a proposed rule change with the SEC to establish listing standards related to notification and disclosure of reverse stock splits. On November 1, the SEC issued an order approving the proposal. Under existing Nasdaq listing rules, a reverse stock split qualifies as a “Substitution Listing Event,” which previously has required companies to notify Nasdaq no later than 15 calendar days prior to implementation of the event. Companies also had been required to make “prompt disclosure” of “any material information that would reasonably be expected to affect the value of its securities or influence investors’ decisions,” which, Nasdaq states, includes reverse stock splits.

Under the approved listing rules, a reverse stock split no longer qualifies as a “Substitution Listing Event,” and a company conducting a reverse split is required to notify Nasdaq about certain details of the reverse split by submitting a complete Company Event Notification Form at least five business days (no later than 12:00 pm Eastern Time) before the anticipated market effective date. The new listing rules also require public disclosure about the reverse stock split in a Regulation FD-compliant manner at least two business days (no later than 12:00 pm ET) before the anticipated market effective date, while additional provisions would require timely notice to Nasdaq’s MarketWatch Department, as with other news. These changes will be reflected in new Rules 5250(b)(4) and 5250(e)(7), new Rule IM-5250-3, and amended Rule 5250(b)(1). Compliance with these notification and disclosure requirements will be required for Nasdaq to process a reverse stock split. In addition, Nasdaq notes that if a company attempts to effect a reverse stock split while failing to satisfy these requirements, or provides incomplete or inaccurate information, “Nasdaq will halt the stock in accordance with the procedure set forth in [Nasdaq] Equity 4, Rule 4120(a)(1), which provides Nasdaq with the authority to halt trading to permit the dissemination of material news.” For more information about the rule change, refer to this November 6 Cooley PubCo blog post.

SEC settles charges for unauthorized stock repurchase program

On November 14, the SEC announced settled charges against Charter Communications for violating internal accounting controls requirements relating to its stock repurchase program. Per the press release, the SEC claims that Charter’s board authorized certain buybacks using trading plans conforming to SEC Rule 10b5-1, but the SEC found that “from 2017 to 2021, Charter used plans that included ‘accordion’ provisions, which company personnel described as giving Charter flexibility” allowing them company “to change the total dollar amounts available to buy back stock and to change the timing of buybacks after the plans took effect.” According to the order, “because Charter’s trading plans did not meet the conditions of Rule 10b5-1, the company’s buybacks did not comport with the board’s authorizations.” The order further found that Charter’s use of trading plans that did not conform to Rule 10b5-1 resulted from insufficient internal accounting controls to analyze whether the discretion the accordion provisions provided was consistent with the board’s authorizations.

As with the SolarWinds action described above, this is another in a long list of recent enforcement actions that have applied the internal control provisions of Section 13 of the Exchange Act expansively as the basis for charges. Charter agreed to pay a $25 million penalty to settle the charges. Dissenting from the order, SEC Commissioners Hester Peirce and Mark Uyeda argued that the controls found to be lacking were not accounting controls, but, rather legal controls, which are not covered by the section of the Exchange Act used as the basis for the charges. For more information on the SEC action, refer to this November 15 Cooley PubCo blog post.

Corp Fin announces new intake system for no-action requests

On November 7, the SEC’s Division of Corporation Finance announced a new intake system for no-action requests from companies seeking to exclude a shareholder proposal under Rule 14a-8 of the Exchange Act. Under Rule 14a-8(j), a company intending to exclude a shareholder proposal must file its reasons with the SEC no later than 80 calendar days before it files its definitive proxy statement with the SEC. Per the announcement, Rule 14a-8 submissions and related correspondence must be submitted using an online shareholder proposal form. This marks a departure from past practice, which includes emailing no-action requests and related correspondence to a monitored account, and also requires disclosure of the company’s anticipated proxy print date. Notably, submission of the new online form is not effective to transmit the correspondence to the proponent, as required by Rule 14a-8(j), and a separate email or message will be needed. For more information on the new intake system, refer to this November 8 Cooley PubCo blog post.

Report highlights trends in cybersecurity breach disclosures

In October, Audit Analytics published an informative report on trends in cybersecurity breach disclosures based on a review of data from 2011 through 2022. In addition to providing an overview on the state of cyber breach disclosures over this 12-year period, the report provides information on the method of disclosure, types of cyber breaches, information compromised, records lost, cyber time frame and cyber costs. Among many others, some highlights include:

1. In 2022, 125 cyber breaches were disclosed by public companies, compared to 195 in 2021, marking the sharpest decline over the 12-year period.
2. Only 34% of cyber incidents initially were disclosed in an SEC filing, most commonly in a Form 8-K or Form 6-K.
3. The percentage of disclosed cyber breaches related to unauthorized access increased to 69% in 2022 from 48% in 2021, followed by cyber breaches related to ransomware as a distant second at 17%.
4. On average, companies took 96 days to disclose a breach after it was discovered in 2022, up 2.5 weeks from 2021.

Of course, this data precedes the SEC’s new cybersecurity rules imposing specific requirements for the disclosure of cyber incidents. See this August 2 Cooley client alert for more information on the new rules.