Developments in Securities Regulation, Corporate Governance, Capital Markets, M&A and Other Topics of Interest. MORE

The SEC announced settled charges against technology company NVIDIA Corporation for inadequate disclosures concerning the impact of cryptomining on the company’s gaming business.

The SEC’s order finds that, during consecutive quarters in NVIDIA’s fiscal year 2018, the company failed to disclose that cryptomining was a significant element of its material revenue growth from the sale of its graphics processing units (GPUs) designed and marketed for gaming. Cryptomining is the process of obtaining crypto rewards in exchange for verifying crypto transactions on distributed ledgers. As demand for and interest in crypto rose in 2017, NVIDIA customers increasingly used its gaming GPUs for cryptomining.

In two of its Forms 10-Q for its fiscal year 2018, NVIDIA reported material growth in revenue within its gaming business according to the SEC. NVIDIA had information, however, that this increase in gaming sales was driven in significant part by cryptomining. Despite this, NVIDIA did not disclose in its Forms 10-Q, as it was required to do, these significant earnings and cash flow fluctuations related to a volatile business for investors to ascertain the likelihood that past performance was indicative of future performance. The SEC’s order also finds that NVIDIA’s omissions of material information about the growth of its gaming business were misleading given that NVIDIA did make statements about how other parts of the company’s business were driven by demand for crypto, creating the impression that the company’s gaming business was not significantly affected by cryptomining.

Specifically, the SEC alleged that NVIDIA’s analysts and investors were interested in understanding the extent to which the company’s Gaming revenue was impacted by cryptomining, and routinely asked senior management about the extent to which increases in Gaming revenue during this time frame were driven by cryptomining. In light of the volatility of certain crypto asset prices during this time frame, investors and analysts probed the significance of cryptomining to NVIDIA’s Gaming business to determine how sustainable the contributions to the company’s largest specialized market would be going forward.

The SEC also addressed disclosure controls and procedures.  Even though NVIDIA had information indicating that cryptomining was a significant factor in the year-over-year growth in revenue for the company’s GPUs for Gaming in its GPU business segment during the relevant period, NVIDIA failed to maintain disclosure controls or procedures designed to ensure that information required to be disclosed in NVIDIA’s results of operations was reported as required by the MD&A provisions of Regulation S-K, Item 303.

NVIDIA did not admit or deny the SEC’s findings.

The SEC has released an illustrative letter that contains sample comments that the Division of Corporation Finance may issue to companies based on their specific facts and circumstances related to Russia’s invasion of Ukraine and related supply chain issues.

The SEC notes companies may have disclosure obligations under the federal securities laws related to the direct or indirect impact that Russia’s invasion of Ukraine and the international response have had or may have on their business. To satisfy these obligations, the Division of Corporation Finance believes that companies should provide detailed disclosure, to the extent material or otherwise required, regarding:

  • direct or indirect exposure to Russia, Belarus, or Ukraine through their operations, employee base, investments in Russia, Belarus, or Ukraine, securities traded in Russia, sanctions against Russian or Belarusian individuals or entities, or legal or regulatory uncertainty associated with operating in or exiting Russia or Belarus,
  • direct or indirect reliance on goods or services sourced in Russia or Ukraine or, in some cases, in countries supportive of Russia,
  • actual or potential disruptions in the company’s supply chain, or
  • business relationships, connections to, or assets in, Russia, Belarus, or Ukraine.

The SEC also notes financial statements may also need to reflect and disclose the impairment of assets, changes in inventory valuation, deferred tax asset valuation allowance, disposal or exiting of a business, de-consolidation, changes in exchange rates, and changes in contracts with customers or the ability to collect contract considerations. In addition, since Russia’s invasion of Ukraine, many companies have experienced heightened cybersecurity risks, increased or ongoing supply chain challenges, and volatility related to the trading prices of commodities regardless of whether they have operations in Russia, Belarus, or Ukraine that warrant disclosure.

The SEC urges companies to consider how these matters affect management’s evaluation of disclosure controls and procedures, management’s assessment of the effectiveness of internal control over financial reporting, and the role of the board of directors in risk oversight of any action or inaction related to Russia’s invasion of Ukraine, including consideration of whether to continue or to halt operations or investments in Russia and/or Belarus.

In Knight v. Miller et al the Delaware Court of Chancery considered, among other things, whether the acceptance of an equity grant violated fiduciary duties. The case was before the Court on a motion to dismiss.

The case deals with grants of equity compensation made to directors and officers of Universal Health Services, Inc. (“UHS” or the “Company”) during the market volatility taking place in March 2020 at the beginning of the COVID-19 pandemic. UHS stock reached its lowest point on March 18, 2020, closing at $67.69 per share. After announcement of federal COVID-19 relief legislation, the Company’s stock price had rebounded to a closing price of $100.13 per share by March 30, 2020.

The grants in question were made at a meeting of the Compensation Committee on March 18, 2020.  The relevant meeting had been scheduled at least six months in advance of that date. The Defendants stated in their opening brief that the Company’s stock option grants, since 2014, have almost always been made at a meeting held in March, except for one meeting held in April.

The Plaintiff asserted that each of the Defendants named in this case had violated the duty of loyalty “by accepting the March 2020 Awards despite knowing that the March 2020 Awards were issued at strike prices that did not reflect the real value of the Company.”  The Plaintiff cited two cases for the proposition that a director or officer “can breach fiduciary duties . . . by accepting compensation that is clearly improper.” The Court noted there appeared to be a relative lack of case law fleshing out what might constitute “clearly improper.”

The Court noted Delaware courts have found that actions for breach of fiduciary duty for accepting compensation can survive a motion to dismiss where:

  • The compensation awarded was ultra vires, and the recipients knew it, or
  • Where compensation was repriced advantageously in light of confidential and sensitive business information which the recipients knew, and which they accordingly used to the company’s detriment.

The Court concluded that that in this circumstance that the Plaintiff must plead bad faith with respect to Defendant’s knowingly wrongful acceptance of compensation.  In other words, there must be a sufficient pleading of scienter to support a bad faith claim, which serves as a claim based on breach of the duty of loyalty.

The Court found there was an insufficient record to sustain even a claim that the Compensation Committee Defendants making the awards acted in bad faith, much less that the recipients’ acceptance violated that standard. All that was alleged was that option awards were made at what proved to be the bottom of the market.

The Court also noted the Plaintiff did not plead nonpublic facts known to the Company and the Defendants that gave rise to an inference of “clearly improper” compensation in the form of the March 2020 awards.

The SEC charged Vale S.A., a publicly traded Brazilian mining company and one of the world’s largest iron ore producers, with making false and misleading claims about the safety of its dams prior to the January 2019 collapse of its Brumadinho dam.

According to the SEC complaint, Vale:

  • improperly obtained stability declarations for the dam by knowingly using unreliable laboratory data;
  • concealed material information from its dam safety auditors;
  • disregarded accepted best practices and minimum safety standards;
  • removed auditors and firms who threatened Vale’s ability to obtain dam stability declarations; and
  • made false and misleading statements to investors.

The SEC complaint states Vale knowingly or recklessly suppressed the findings of its own retained experts. The Vale executives and employees who were responsible for monitoring the stability of Vale’s dams deceptively manipulated the processes that they supposedly safeguarded. Rather than confront the high reputational and economic costs arising from the unacceptable safety risks posed by its Brumadinho and other dams, Vale engaged in a pattern of deceptive acts designed to skirt the applicable regulatory requirements related to dam safety. Over a period of more than two years, from February 2016 through October 2018, Vale knowingly or recklessly obtained eight fraudulent and deceptive stability declarations in connection with corrupted audits of the Brumadinho dam.

At the time it obtained these stability declarations, the SEC alleges Vale knew they were based on unreliable and flawed laboratory data or a flagrant disregard for minimum standards of safety that Vale purported to follow. Vale knew that assessments of the Brumadinho dam, based on best engineering practices, had revealed that the dam did not even meet Vale’s own safety standards much less international standards for dam safety.

Vale obtained these fraudulent stability declarations through a pattern of deceptive acts. For example, Vale removed auditors when they refused to bend to Vale’s will and utilized “blackmail” to coerce other auditors to comply with Vale’s demands. Vale cut backroom deals with one of its auditors, which promised to issue stability declarations in exchange for lucrative contracts from Vale, so long as Vale agreed to undertake certain long-term corrective actions onthe dam – even though both Vale and the auditor knew that those corrective actions could not resolve the near-term safety risks posed by the Brumadinho dam.

According to the SEC, Vale’s deceit misled investors regarding several material issues: the stability of Vale’s dams; the nature of Vale’s safety practices in the wake of the Mariana dam disaster; and the actual risk of catastrophic financial consequences should any of its high-risk dams, like the Brumadinho dam, collapse.

Vale’s President and CEO perpetuated Vale’s false and misleading narrative when he falsely told investors at a meeting in Sao Paulo that Vale’s tailing dams are in a state of “impressive” quality. As reported in an April 10, 2018 article in Valor Econômico entitled, “The state of the dams today is ‘impeccable’, says Vale’s president,” the CEO stated, “As soon as I started as president, I thought about the state of the dams. If there was another accident like Mariana’s, my management would be short.” He continued, “I don’t know if this work was done after Mariana or if it was already like that, but today the dams are impeccable.”

The SEC’s allegations are from a recently filed complaint. No court has found the SEC’s allegations are true.

The SEC proposed rules and amendments regarding special purpose acquisition companies (SPACs), shell companies, and projections disclosure. The proposed new rules and amendments would, among other things:

  • Enhance disclosures and provide additional investor protections in SPAC initial public offerings and in business combination transactions between SPACs and private operating companies (de-SPAC transactions);
  • Address the treatment under the Securities Act of 1933 of business combination transactions involving a reporting shell company and amend the financial statement requirements applicable to transactions involving shell companies;
  • Provide additional guidance on the use of projections in SEC filings to address concerns about their reliability; and
  • Assist SPACs in assessing when they may be subject to regulation under the Investment Company Act of 1940.

SPAC Transactions

The proposed rules would require enhanced disclosure and provide additional investor protections in initial public offerings by SPACs and in de-SPAC transactions, including:

  • Enhanced disclosures regarding, among other things, SPAC sponsors, conflicts of interest, and dilution;
  • Additional disclosures on de-SPAC transactions, including with respect to the fairness of the transactions to the SPAC investors;
  • A requirement that the private operating company would be a co-registrant when a SPAC files a registration statement on Form S-4 or Form F-4 for a de-SPAC transaction;
  • A re-determination of smaller reporting company status within four days following the consummation of a de-SPAC transaction;
  • An amended definition of “blank check company” to make the liability safe harbor in the Private Securities Litigation Reform Act of 1995 for forward-looking statements, such as projections, unavailable in filings by SPACs and certain other blank check companies; and
  • A rule that deems underwriters in a SPAC initial public offering to be underwriters in a subsequent de-SPAC transaction when certain conditions are met.

Business Combinations Involving Shell Companies

The proposed rules applicable to business combination transactions involving shell companies, including SPACs, would:

  • Deem by rule that a business combination transaction involving a reporting shell company and another entity that is not a shell company constitutes a sale of securities to the reporting shell company’s shareholders for purposes of the Securities Act; and
  • Better align the required financial statements of private operating companies in transactions involving shell companies with those required in registration statements for initial public offerings.

Projections Disclosure

The proposed amendments to Item 10(b) of Regulation S-K would expand and update the Commission’s guidance on the presentation of projections of future economic performance in Commission filings to allow investors to better assess the reliability of the projections and whether they have a reasonable basis. The Commission proposed additional disclosure requirements to allow investors to better assess the basis of projections when they are used in SPAC business combination transactions.

Status of SPACs under the Investment Company Act of 1940

The proposed rule would address the status of SPACs as “investment companies” under the Investment Company Act. If the proposal is adopted, a SPAC that fully complies with the rule’s conditions would not need to register as an investment company under the Investment Company Act.

The proposed conditions include, among other things, that a SPAC must:

  • Maintain assets comprising only cash items, government securities, and certain money market funds;
  • Seek to complete a de-SPAC transaction after which the surviving entity will be primarily engaged in the business of the target company; and
  • Enter into an agreement with a target company to engage in a de-SPAC transaction within 18 months after its initial public offering and complete its de-SPAC transaction within 24 months of such offering.

While a SPAC would not be required to rely on the proposed rule, the proposed conditions are intended to align with the structures and practices that the SEC preliminarily believes would distinguish a SPAC that is likely to raise serious questions as to its status as an investment company from one that does not.

The SEC has proposed rules that would require registrants to provide certain climate-related information in their registration statements and annual reports. The proposed rules would require information about a registrant’s climate-related risks that are reasonably likely to have a material impact on its business, results of operations, or financial condition.

Content of the Proposed Disclosures

The proposed climate-related disclosure framework is modeled in part on the Task Force on Climate-Related Financial Disclosures (“TCFD”) recommendations, and also draws upon the Greenhouse Gas Protocol (“GHG Protocol”). In particular, the proposed rules would require a registrant to disclose information about:

  • The oversight and governance of climate-related risks by the registrant’s board and management;
  • How any climate-related risks identified by the registrant have had or are likely to have a material impact on its business and consolidated financial statements, which may manifest over the short-, medium-, or long-term;
  • How any identified climate-related risks have affected or are likely to affect the registrant’s strategy, business model, and outlook;
  • The registrant’s processes for identifying, assessing, and managing climate-related risks and whether any such processes are integrated into the registrant’s overall risk management system or processes;
  • The impact of climate-related events (severe weather events and other natural conditions as well as physical risks identified by the registrant) and transition activities (including transition risks identified by the registrant) on the line items of a registrant’s consolidated financial statements and related expenditures, and disclosure of financial estimates and assumptions impacted by such climate-related events and transition activities.
  • Scopes 1 and 2 greenhouse gas (“GHG”) emissions metrics, separately disclosed, expressed: o Both by disaggregated constituent greenhouse gases and in the aggregate, and o In absolute and intensity terms;
  • Scope 3 GHG emissions and intensity, if material, or if the registrant has set a GHG emissions reduction target or goal that includes its Scope 3 emissions; and
  • The registrant’s climate-related targets or goals, and transition plan, if any.

Similar to the GHG Protocol, the proposed rules would define:

  • Scope 1 emissions as direct GHG emissions from operations that are owned or controlled by a registrant;
  • Scope 2 emissions as indirect GHG emissions from the generation of purchased or acquired electricity, steam, heat, or cooling that is consumed by operations owned or controlled by a registrant;
  • Scope 3 emissions as all indirect GHG emissions not otherwise included in a registrant’s Scope 2 emissions, which occur in the upstream and downstream activities of a registrant’s value chain. Upstream emissions include emissions attributable to goods and services that the registrant acquires, the transportation of goods (for example, to the registrant), and employee business travel and commuting. Downstream emissions include the use of the registrant’s products, transportation of products (for example, to the registrant’s customers), end of life treatment of sold products, and investments made by the registrant.

Presentation of the Proposed Disclosures

The proposed rules would require a registrant (both domestic and foreign private issuers):

  • To provide the climate-related disclosure in its registration statements and Exchange Act annual reports;
  • To provide the Regulation S-K mandated climate-related disclosure in a separate, appropriately captioned section of its registration statement or annual report, or alternatively to incorporate that information in the separate, appropriately captioned section by reference from another section, such as Risk Factors, Description of Business, or Management’s Discussion and Analysis (“MD&A”);
  • To provide the Regulation S-X mandated climate-related financial statement metrics and related disclosure in a note to the registrant’s audited financial statements;
  • To electronically tag both narrative and quantitative climate-related disclosures in Inline XBRL; and
  • To file rather than furnish the climate-related disclosure.

Attestation for Scope 1 and Scope 2 Emissions Disclosure

The proposed rules would require an accelerated filer or a large accelerated filer to include, in the relevant filing, an attestation report covering, at a minimum, the disclosure of its Scope 1 and Scope 2 emissions and to provide certain related disclosures about the service provider. As proposed, both accelerated filers and large accelerated filers would have time to transition to the minimum attestation requirements.

Phase-In Periods and Accommodations for the Proposed Disclosures

The proposed rules include:

  • A phase-in for all registrants, with the compliance date dependent on the registrant’s filer status;
  • An additional phase-in period for Scope 3 emissions disclosure;
  • A safe harbor for Scope 3 emissions disclosure;
  • An exemption from the Scope 3 emissions disclosure requirement for a registrant meeting the definition of a smaller reporting company (“SRC”); and
  • A provision permitting a registrant, if actual reported data is not reasonably available, to use a reasonable estimate of its GHG emissions for its fourth fiscal quarter, together with actual, determined GHG emissions data for the first three fiscal quarters, as long as the registrant promptly discloses in a subsequent filing any material difference between the estimate used and the actual, determined GHG emissions data for the fourth fiscal quarter.

The proposed rules would be phased in for all registrants, with the compliance date dependent upon the status of the registrant as a large accelerated filer, accelerated or nonaccelerated filer, or SRC, and the content of the item of disclosure. For example, assuming that the effective date of the proposed rules occurs in December 2022 and that the registrant has a December 31st fiscal year-end, the compliance date for the proposed disclosures in annual reports, other than the Scope 3 disclosure, would be:

  • For large accelerated filers, fiscal year 2023 (filed in 2024);
  • For accelerated and non-accelerated filers, fiscal year 2024 (filed in 2025); and
  • For SRCs, fiscal year 2025 (filed in 2026).

Registrants subject to the proposed Scope 3 disclosure requirements would have one additional year to comply with those disclosure requirements.

Governance Disclosure

Board Oversight

The proposed rules would require a registrant to disclose a number of board governance items, as applicable, including:

  • requiring a registrant to identify any board members or board committees responsible for the oversight of climate-related risks;
  • requiring disclosure of whether any member of a registrant’s board of directors has expertise in climate-related risks, with disclosure required in sufficient detail to fully describe the nature of the expertise:
  • requiring a description of the processes and frequency by which the board or board committee discusses climate-related risks;
  • disclosing how the board is informed about climate-related risks, and how frequently the board considers such risks;
  • requiring disclosure about whether and how the board or board committee considers climate-related risks as part of its business strategy, risk management, and financial oversight; and
  • requiring disclosure about whether and how the board sets climate-related targets or goals and how it oversees progress against those targets or goals, including the establishment of any interim targets or goals.

Management Oversight

The proposed rules would require a registrant to disclose a number of items, as applicable, about management’s role in assessing and managing any climate-related risks, including:

  • requiring disclosure regarding whether certain management positions or committees are responsible for assessing and managing climate-related risks and, if so, to identify such positions or committees and disclose the relevant expertise of the position holders or members in such detail as necessary to fully describe the nature of the expertise;
  • requiring disclosure about the processes by which the responsible managers or management committees are informed about and monitor climate-related risks; and
  • requiring disclosure about whether the responsible positions or committees report to the board or board committee on climate elated risks and how frequently this occurs.

Risk Management Disclosure

The proposed rules would require a registrant to describe any processes the registrant has for identifying, assessing, and managing climate-related risks.  When describing the processes for identifying and assessing climate-related risks, the registrant would be required to disclose, as applicable:

  • How it determines the relative significance of climate-related risks compared to other risks;
  • How it considers existing or likely regulatory requirements or policies, such as GHG emissions limits, when identifying climate-related risks;
  • How it considers shifts in customer or counterparty preferences, technological changes, or changes in market prices in assessing potential transition risks; and
  • How it determines the materiality of climate-related risks, including how it assesses the potential size and scope of any identified climate-related risk.

When describing any processes for managing climate-related risks, a registrant would be required to disclose, as applicable:

  • How it decides whether to mitigate, accept, or adapt to a particular risk;
  • How it prioritizes addressing climate-related risks; and
  • How it determines how to mitigate a high priority risk.

Scope 3 Emissions Disclosure Safe Harbor

The SEC is proposing a targeted safe harbor for Scope 3 emissions data in light of the unique challenges associated with that information. The proposed safe harbor would provide that disclosure of Scope 3 emissions by or on behalf of the registrant would be deemed not to be a fraudulent statement unless it is shown that such statement was made or reaffirmed without a reasonable basis or was disclosed other than in good faith. The safe harbor would extend to any statement regarding Scope 3 emissions that is disclosed pursuant to proposed subpart 1500 of Regulation S-K and made in a document filed with the Commission.

Targets and Goals Disclosure

If a registrant has set climate-related targets or goals, the proposed rules would require it to disclose them, including, as applicable, a description of:

  • The scope of activities and emissions included in the target;
  • The unit of measurement, including whether the target is absolute or intensity based;
  • The defined time horizon by which the target is intended to be achieved, and whether the time horizon is consistent with one or more goals established by a climate-related treaty, law, regulation, policy, or organization;
  • The defined baseline time period and baseline emissions against which progress will be tracked with a consistent base year set for multiple targets;
  • Any interim targets set by the registrant; and
  • How the registrant intends to meet its climate-related targets or goals.

The SEC has issued proposed rules on disclosure of cybersecurity incidents.  Specifically, the SEC is proposing to:

  • Amend Form 8-K to add Item 1.05 to require registrants to disclose information about a cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident;
  • Amend Forms 10-Q and 10-K to require registrants to provide updated disclosure relating to previously disclosed cybersecurity incidents, as specified in proposed Item 106(d) of Regulation S-K. We also propose to amend these forms to require disclosure, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate;
  • Amend Form 10-K to require disclosure specified in proposed Item 106 regarding:
    • A registrant’s policies and procedures, if any, for identifying and managing cybersecurity risks;
    • A registrant’s cybersecurity governance, including the board of directors’ oversight role regarding cybersecurity risks; and
    • Management’s role, and relevant expertise, in assessing and managing cybersecurity related risks and implementing related policies, procedures, and strategies.
  • Amend Item 407 of Regulation S-K to require disclosure about if any member of the registrant’s board of directors has cybersecurity expertise.
  • Amend Item 407 of Regulation S-K to require disclosure about if any member of the registrant’s board of directors has cybersecurity expertise.
  • Require that the proposed disclosures be provided in Inline XBRL.

Form 8-K Reporting

New Item 1.05 of Form 8-K will require a registrant to disclose the following information about a material cybersecurity incident, to the extent the information is known at the time of the Form 8-K filing:

  • When the incident was discovered and whether it is ongoing;
  • A brief description of the nature and scope of the incident;
  • Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
  • The effect of the incident on the registrant’s operations; and
  • Whether the registrant has remediated or is currently remediating the incident.

The SEC is proposing to amend General Instruction I.A.3.(b) of Form S-3 and General Instruction I.A.2 of Form SF-3 to provide that an untimely filing on Form 8-K regarding new Item 1.05 would not result in loss of Form S-3 or Form SF-3 eligibility.

The SEC is also proposing to amend Rules 13a-11(c) and 15d-11(c) under the Exchange Act to include new Item 1.05 in the list of Form 8-K items eligible for a limited safe harbor from liability under Section 10(b) or Rule 10b-5 under the Exchange Act. In 2004, when the Commission adopted the limited safe harbor, the Commission noted its view that the safe harbor is appropriate if the triggering event for the Form 8-K requires management to make a rapid materiality determination.

Disclosure about Cybersecurity Incidents in Periodic Reports

Proposed Item 106(d)(1) of Regulation S-K would require registrants to disclose any material changes, additions, or updates to information required to be disclosed pursuant to Item 1.05 of Form 8-K in the registrant’s quarterly report filed with the Commission on Form 10-Q or annual report filed with the Commission on Form 10-K for the period (the registrant’s fourth fiscal quarter in the case of an annual report) in which the material change, addition, or update occurred.

In order to assist registrants in developing updated incident disclosure in its periodic reports, proposed Item 106(d)(1) provides the following non-exclusive examples of the type of disclosure that should be provided, if applicable:

  • Any material impact of the incident on the registrant’s operations and financial condition;
  • Any potential material future impacts on the registrant’s operations and financial condition;
  • Whether the registrant has remediated or is currently remediating the incident; and
  • Any changes in the registrant’s policies and procedures as a result of the cybersecurity incident, and how the incident may have informed such changes.

Disclosure of a Registrant’s Risk Management, Strategy and Governance Regarding Cybersecurity Risks

Risk Management and Strategy

Proposed Item 106(b) would require registrants to disclose its policies and procedures, if it has any, to identify and manage cybersecurity risks and threats, including: operational risk; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy laws and other litigation and legal risk; and reputational risk.

Specifically, proposed Item 106(b) of Regulation S-K would require disclosure, as applicable, of whether:

  • The registrant has a cybersecurity risk assessment program and if so, provide a description of such program;
  • The registrant engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program;
  • The registrant has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third party service provider (including, but not limited to, those providers that have access to the registrant’s customer and employee data), including whether and how cybersecurity considerations affect the selection and oversight of these providers and contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers;
  • The registrant undertakes activities to prevent, detect, and minimize effects of cybersecurity incidents;
  • The registrant has business continuity, contingency, and recovery plans in the event of a cybersecurity incident;
  • Previous cybersecurity incidents have informed changes in the registrant’s governance, policies and procedures, or technologies;
  • Cybersecurity related risk and incidents have affected or are reasonably likely to affect the registrant’s results of operations or financial condition and if so, how; and
  • Cybersecurity risks are considered as part of the registrant’s business strategy, financial planning, and capital allocation and if so, how.

Governance

Proposed Item 106(c) would require disclosure of a registrant’s cybersecurity governance, including the board’s oversight of cybersecurity risk and a description of management’s role in assessing and managing cybersecurity risks, the relevant expertise of such management, and its role in implementing the registrant’s cybersecurity policies, procedures, and strategies.

Specifically, as it pertains to the board’s oversight of cybersecurity risk, disclosure required by proposed Item 106(c)(1) would include a discussion, as applicable, of the following:

  • Whether the entire board, specific board members or a board committee is responsible for the oversight of cybersecurity risks;
  • The processes by which the board is informed about cybersecurity risks, and the frequency of its discussions on this topic; and
  • Whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight.

Proposed Item 106(c)(2) would require a description of management’s role in assessing and managing cybersecurity-related risks and in implementing the registrant’s cybersecurity policies, procedures, and strategies. This description would include, but not be limited to, the following information:

  • Whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, specifically the prevention, mitigation, detection, and remediation of cybersecurity incidents, and the relevant expertise of such persons or members;
  • Whether the registrant has a designated a chief information security officer, or someone in a comparable position, and if so, to whom that individual reports within the registrant’s organizational chart, and the relevant expertise of any such persons;
  • The processes by which such persons or committees are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents; and
  • Whether and how frequently such persons or committees report to the board of directors or a committee of the board of directors on cybersecurity risk.

Disclosure Regarding the Board of Directors’ Cybersecurity Expertise

The SEC proposes to amend Item 407 of Regulation S-K by adding paragraph (j) to require disclosure about the cybersecurity expertise of members of the board of directors of the registrant, if any. If any member of the board has cybersecurity expertise, the registrant would have to disclose the name(s) of any such director(s), and provide such detail as necessary to fully describe the nature of the expertise. The proposed Item 407(j) disclosure would be required in a registrant’s proxy or information statement when action is to be taken with respect to the election of directors, and in its Form 10-K.

Proposed Item 407(j) would not define what constitutes “cybersecurity expertise,” given that such expertise may cover different experiences, skills, and tasks. Proposed Item 407(j)(1)(ii) does, however, include the following non-exclusive list of criteria that a registrant should consider in reaching a determination on whether a director has expertise in cybersecurity:

  • Whether the director has prior work experience in cybersecurity, including, for example, prior experience as an information security officer, security policy analyst, security auditor, security architect or engineer, security operations or incident response manager, or business continuity planner;
  • Whether the director has obtained a certification or degree in cybersecurity; and
  • Whether the director has knowledge, skills, or other background in cybersecurity, including, for example, in the areas of security policy and governance, risk management, security assessment, control evaluation, security architecture and engineering, security operations, incident handling, or business continuity planning.

Proposed Item 407(j)(2) would state that a person who is determined to have expertise in cybersecurity will not be deemed an expert for any purpose, including, without limitation, for purposes of Section 11 of the Securities Act, as a result of being designated or identified as a director with expertise in cybersecurity pursuant to proposed Item 407(j). This proposed safe harbor is intended to clarify that Item 407(j) would not impose on such person any duties, obligations, or liability that are greater than the duties, obligations, and liability imposed on such person as a member of the board of directors in the absence of such designation or identification.

 

The SEC has issued a rule proposal to reduce risks in the clearance and settlement of securities. Specifically, the proposed changes would:

  • Shorten the standard settlement cycle for securities transactions from two business days after trade date (T+2) to one business day after trade date (T+1);
  • Eliminate the separate T+4 settlement cycle for firm commitment offerings priced after 4:30 p.m.;
  • Improve the processing of institutional trades by proposing new requirements for broker-dealers and registered investment advisers intended to improve the rate of same-day affirmations; and
  • Facilitate straight-through processing by proposing new requirements applicable to clearing agencies that are central matching service providers (CMSPs).

Reducing time between the execution of a securities transaction and its settlement reduces risk. The standard settlement cycle for securities transactions was shortened from T+5 to T+3 in 1993, and from T+3 to T+2 in 2017. In each past instance, shortening the settlement cycle promoted investor protection, risk reduction, and increases in operational efficiency.

According to the SEC, two recent episodes of increased market volatility – in March 2020 following the outbreak of the COVID-19 pandemic, and in January 2021 following heightened interest in certain “meme” stocks – highlighted potential vulnerabilities in the U.S. securities market that shortening the standard settlement cycle and improving institutional trade processing can mitigate.

The SEC has proposed comprehensive changes to Regulation 13D-G and Regulation S-T to modernize the beneficial ownership reporting requirements and improve their operation and efficacy. Specifically, the SEC has proposed to:

  • revise the current deadlines for Schedule 13D and Schedule 13G filings;
  • amend Rule 13d-3 to deem holders of certain cash-settled derivative securities as beneficial owners of the reference covered class;
  • align the text of Rule 13d-5, as applicable to two or more persons who act as a group, with the statutory language in Sections 13(d)(3) and (g)(3) of the Exchange Act;
  • set forth the circumstances under which two or more persons may communicate and consult with one another and engage with an issuer without concern that they will be subject to regulation as a group with respect to the issuer’s equity securities; and
  • require that Schedules 13D and 13G be filed using a structured, machine-readable data language.

To address concerns that the current deadlines for Schedule 13D and Schedule 13G filings are creating information asymmetries in today’s market, the SEC has proposed to:

  • Revise the Rule 13d-1(a) filing deadline for the initial Schedule 13D to five days after the date on which a person acquires more than 5% of a covered class of equity securities;
  • Amend Rules 13d-1(e), (f) and (g) to shorten the filing deadline for the initial Schedule 13D required to be filed by certain persons who forfeit their eligibility to report on Schedule 13G in lieu of Schedule 13D to five days after the event that causes the ineligibility;
  • Revise the filing deadline under Rule 13d-2(a) for amendments to Schedule 13D to one business day after the date on which a material change occurs;
  • Amend Rules 13d-1(b) and (d) to shorten the deadline for the initial Schedule 13G filing for Qualified Institutional Investors (“QIIs”) and exempt investors to within five business days after the last day of the month in which beneficial ownership first exceeds 5% of a covered class;
  • Amend the deadline in Rule 13d-1(c), which permits passive investors to file an initial Schedule 13G in lieu of Schedule 13D within 10 days after acquiring beneficial ownership of more than 5% of a covered class, to five days after the date of such an acquisition;
  • Revise the filing deadlines required for amendments to Schedule 13G in Rule 13d-2(b) to five business days after the end of the month in which a reportable change occurs;
  • Amend Rule 13d-2(c) to shorten the filing deadline for Schedule 13G amendments filed pursuant to that provision to five days after the date on which beneficial ownership first exceeds 10% of a covered class, and thereafter upon any deviation by more than 5% of the covered class, with these requirements applying if the thresholds were crossed at any time during a month; and
  • Amend Rule 13d-2(d) to revise the filing deadline for Schedule 13G amendments filed pursuant to that provision from a “promptly” standard to one business day after the date on which beneficial ownership exceeds 10% of a covered class, and thereafter upon any deviation by more than 5% of the covered class.

In addition, instead of an amendment obligation arising for Schedule 13G filers upon the occurrence of “any change” in the facts previously reported regardless of the materiality of such change, the SEC has proposed to revise Rule 13d-2(b) to require that an amendment to a Schedule 13G be filed only if a “material change” occurs. Further, the SEC has proposed to amend Rule 13(a) of Regulation S-T to permit Schedules 13D and 13G, and any amendments thereto, that are submitted by direct transmission on or before 10 p.m. eastern time on a given business day to be deemed to have been filed on the same business day. This amendment would provide additional time for beneficial owners to prepare and submit their Schedule 13D or Schedule 13G filings.

According to the SEC, the proposed amendments would align the text of Rule 13d-5, as applicable to two or more persons who act as a group, with the statutory language in Sections 13(d)(3) and (g)(3) of the Exchange Act. By conforming the rule text to Sections 13(d)(3) and 13(g)(3), the proposed amendments to Rule 13d-5 are intended to remove the potential implication that an express or implied agreement among group members is a necessary precondition to the formation of a group under those provisions of the Exchange Act and, by extension, Regulation 13D-G. In connection with those proposed amendments, the SEC has proposed to add a new provision in Rule 13d-5 that would affirm that if a person, in advance of filing a Schedule 13D, discloses to any other person that such filing will be made and such other person acquires securities in the covered class for which the Schedule 13D will be filed, then those persons are deemed to have formed a group within the meaning of Section 13(d)(3).

In addition, the SEC has proposed amendments that would revise Rule 13d-6 to set forth additional exemptions from Sections 13(d) and (g). Specifically, new Rule 13d-6(c) would set forth the circumstances under which two or more persons may communicate and consult with one another and engage with an issuer without concern that they will be subject to regulation as a group with respect to the issuer’s equity securities.

More specifically, proposed Rule 13d-6(c) would provide that two or more persons will not be deemed to have acquired beneficial ownership of, or otherwise beneficially own, an issuer’s equity securities as a group solely because of their concerted actions related to an issuer or its equity securities, including engagement with one another or the issuer, provided they meet certain conditions. Such interactions, depending upon the level of coordination and degree to which the persons advocate in furtherance of a common purpose or goal, could be found to satisfy the “act as” a group standard under Section 13(d)(3) or 13(g)(3) for the purpose of “holding” a covered class. To help ensure that the exemption is available only where such persons independently determine to take concerted actions, the proposed exemption would be available only if such persons are not directly or indirectly obligated to take such actions (e.g., pursuant to the terms of a cooperation agreement or joint voting agreement).

The SEC has proposed amendments to Form PF, the confidential reporting form for certain SEC-registered investment advisers to private funds, to:

  • Require new current reporting of certain events for large hedge fund advisers and advisers to private equity funds;
  • Decrease the reporting threshold for large private equity advisers; and
  • Revise reporting requirements for large private equity advisers and large liquidity fund advisers.

New Current Reporting for Large Hedge Fund Advisers and Advisers to Private Equity Funds

Currently, Form PF requires advisers to file Form PF months after their quarter- and yearends, depending on the size and type of private funds they advise.

The proposal would require large hedge fund advisers to file current reports within one business day of the occurrence of one or more reporting events with respect to their qualifying hedge funds pertaining to certain extraordinary investment losses, significant margin and counterparty default events, material changes in prime broker relationships, changes in unencumbered cash, operations events, and events associated with withdrawals and redemptions.

The proposal also would require advisers to private equity funds to file current reports within one business day of the occurrence of one or more reporting events pertaining to the execution of adviser-led secondary transactions, implementation of general partner or limited partner clawbacks, removal of a fund’s general partner, termination of a fund’s investment period, or termination of a fund.

The proposal is designed to allow the SEC and FSOC to receive more timely information about certain events that may signal distress at qualifying hedge funds and private equity funds or market instability.

Large Private Equity Adviser Reporting

The proposed amendments would reduce the threshold for reporting as a large private equity adviser from $2 billion to $1.5 billion in private equity fund assets under management. According to the SEC, lowering this threshold will enable the Commission and FSOC to receive reporting from a similar proportion of the U.S. private equity industry based on committed capital as when Form PF was initially adopted.

Additionally, the proposal would amend section 4 of Form PF for large private equity advisers to gather more information regarding fund strategies, use of leverage and portfolio company financings, controlled portfolio companies (“CPCs”) and CPC borrowings, fund investments in different levels of a single portfolio company’s capital structure, and portfolio company restructurings or recapitalizations.

The proposed amendments are designed to provide useful empirical data to FSOC to better assess the extent to which private equity funds or their advisers may pose systemic risk and to inform the Commission in its regulatory programs for the protection of investors.