Month-In-Brief: Securities Law

CURRENT MONTH (December 2023)

Incident Reporting for Material Cybersecurity Incidents Goes into Effect on December 18, 2023

By Dave Lynn, Partner, Goodwin Proctor; Senior Editor of TheCorporateCounsel.net

December 18, 2023 is the effective date for new Item 1.05 of Form 8-K, which requires companies to disclose, within four business days after determining that an incident is material, any cybersecurity incident that a company experiences that is determined to be material, describing the material aspects of its: (i) nature, scope, and timing; and (ii) the impact or reasonably likely impact of the incident on the company, including on the company’s financial condition and results of operations. But don’t expect a flood of Item 1.05 Form 8-Ks, because the materiality qualifier is the critical element of Item 1.05. And when I think about materiality in the Form 8-K context, I always go back to the Securities and Exchange Commission’s characterization of the items selected for disclosure in Form 8-K in the 2004 adopting release (which brought us a significantly expanded Form 8-K), and that is the notion that Form 8-K is intended to address the “unquestionably or presumptively material events” that a company faces. The most difficult part that I think we can all acknowledge is assessing whether a particular cybersecurity event is in fact material. To that end, I share with you some of my experiences from the “trenches” of determining whether cybersecurity events are material:

1. Beware of the Titanic Effect —When I was in college, I decided to drive my VW Rabbit up one of those enormous snow mounds that accumulate in parking lots during the winter (an astute reader/listener might ask themselves why I was driving a VW Rabbit, but that is a whole other story). My friend tried to discourage me from this endeavor, but I said to him something to the effect of “What could go wrong, it is only a little snow?” In response, he delivered the deadpan line, “Tell that to the Titanic.” I proceeded to try to drive into (not up) the snow mound, and it turned out to be rock-hard ice that ripped the front bumper and driving lights off the Rabbit. The moral of the story, other than that no one in their right mind should have ever given me a driver’s license, is that nothing is ever quite as it seems, particularly in the context of cybersecurity breaches. The Titanic effect is real in many cybersecurity breaches, in that one can easily misperceive the giant iceberg lurking under the surface as just some harmless floating ice. In many of the situations that I have observed over the years, the breach appears to be innocuous in the beginning, and then, as more investigation occurs, a much wider threat is identified, including situations where threat actors may still be active in a company’s systems. These evaluations do not happen overnight, so the materiality assessment must be ongoing as new facts come in. Parties involved in the evaluation—including management, directors, and outside advisors—need to make objective assessments of the risks associated with the breach and the potential consequences, and do so as quickly as possible. The last thing anyone wants to have happen is that a material cybersecurity incident is disclosed too late in the SEC’s eyes, simply because the Titanic effect clouded everyone’s judgment as to the size and scope of the breach.
2. The Benefit of Hindsight — As has become evident from the cybersecurity enforcement cases that the SEC has brought over the years and those investigations that remain ongoing, the SEC looks at the current disclosure of cybersecurity incidents with the benefit of 20/20 hindsight. The timing of disclosure decisions can invariably raise eyebrows when evaluating the situation two or three years later, after everyone has already observed what happened next after the breach was discovered. Therefore, I think it is always important to conduct a materiality assessment through this lens, trying to evaluate how this disclosure decision will look to future investigators under the range of possible scenarios. I recognize that this is a departure from focusing on the pure materiality considerations that we are all familiar with, but it is just a practical reality of where we are with this issue today.
3. Do Your Homework — I believe that one of the most important things that a company can do now to prepare itself for a potential Item 1.05 of Form 8-K disclosure situation is to draft a materiality framework that is specific to the company and can be applied to any potentially material cybersecurity breach that comes along. I have seen this approach work successfully in the past, because often it is difficult in the heat of a cybersecurity incident to come up with an approach to assessing materiality that works for that particular company. This does not have to be a lengthy policy or procedure—what I envision is a few pages of questions that can be asked to objectively assess the materiality of the circumstances.
4. Process Is Critical — It has been drilled into our heads from the SEC’s cybersecurity enforcement efforts that controls are king. This is an area where the SEC Staff expects to see robust disclosure and internal controls that are designed to get to the right result, i.e., timely and accurate disclosure of material cybersecurity incidents. I am by no means suggesting that companies go to extreme lengths to establish these controls—in a way, I think it is a mistake to treat Item 1.05 differently than any other Form 8-K disclosure item. Rather, I believe it is important to have in place measured and demonstrable controls that are designed to surface potentially material cybersecurity incidents to the decision-makers within the organization and to provide those decision-makers with the information they need to make correct disclosure decisions. This is something we have been doing with the many other Form 8-K items for the almost two decades since the SEC substantially expanded current reporting on Form 8-K.
5. Human, All Too Human — In my experience, perhaps the biggest impediment to timely and accurate cybersecurity incident disclosure is human nature. I am not trying to blame anyone here, but time and time again I have come across scenarios where folks in the IT function tend to want to downplay or delay telling anyone about a cybersecurity incident, because they have an honest belief that it is not so bad and that they can fix it before any harm is done. This approach is not surprising, given that the cybersecurity staff is inundated with attacks from all manner of threat actors all day, every day, so their natural reaction is to just deal with them and not overreact to the situation. It is this natural impulse that the disclosure controls need to overcome, so that information can “bubble up” through the organization about potentially material cybersecurity incidents. This is not an easy thing to solve for, and it takes a top-down, organization-wide approach to try to overcome the human nature element that threatens your timely material cybersecurity incident reporting.

I hope these tips are helpful to you as we move forward under the new current reporting requirements—and whatever you do, avoid those parking lot snow mounds this winter, they are dangerous to drive into!

Dave first published this blog on thecorporatecounsel.net on December 18, 2023. This version includes minor updates.

SEC Staff Report on Accredited Investor Definition

By Anna T. Pinedo, Partner, Mayer Brown

The Securities and Exchange Commission issued a staff report on the accredited investor definition on December 14. The Dodd-Frank Act directed the SEC to review the accredited investor definition every four years to determine whether the definition should be modified or adjusted. The definition was previously reviewed in 2015 and 2019. This report is the third such review. It emphasizes the increased reliance on exempt offerings and, consequently, the importance of the accredited investor definition since, among other things, it is central to the Rule 506 exemptions.

The Report notes that the SEC has limited information on the Regulation D market and lacks data regarding the number of natural persons who meet the financial qualifications in the accredited investor definition. The Report notes that the SEC’s estimates indicate that the percentage of US households that qualify as accredited investors has grown steadily since the definition was adopted, in large measure because the thresholds in the definition have not been adjusted to account for inflation. The Report also notes the expanded role of retirement savings as a factor with respect to the net worth prong of the definition.

The Report reviews a number of recent recommendations regarding the definition, including the recommendations from the 42^nd annual SEC Government-Business Forum on Small Business Capital Formation, which suggested expanding the definition to include additional measures of sophistication, and the 2023 NASAA recommendations to narrow the definition. The Report notes that the SEC’s Investor Advisory Committee recently considered the accredited investor definition at its September 2023 meeting, but the Committee did not provide its recommendations. The Report concludes by soliciting public comments.

FASB Expands Financial Statement Income Tax Disclosures

By Thomas W. White, Retired Partner, WilmerHale

The Financial Accounting Standards Board (FASB) has finalized a new accounting standard that expands the disclosures about income taxes to be included in financial statements under GAAP. An Accounting Standards Update (ASU) issued in December amends the existing income tax accounting standard in the following principal areas:

• Rate Reconciliation. The ASU requires entities to disclose more detailed information in reconciliations of their statutory income tax rates to their effective tax rates for federal, state, and foreign income taxes. Public business entities must provide a tabular reconciliation containing information about specific categories of information and provide additional information about reconciling items that meet a 5 percent quantitative threshold. Entities other than public business entities are required to provide certain qualitative disclosures rather than a tabular reconciliation.
• Income Taxes Paid. The ASU requires that all entities provide information about income taxes paid (net of refunds) that is disaggregated for federal, state, and foreign taxes and further disaggregated for specific jurisdictions where income taxes paid exceeds 5 percent of the total income taxes paid.

The standard will be effective for public business entities for annual periods beginning after December 15, 2024, and for other entities for annual periods beginning after December 15, 2025.

FASB Chair Richard Jones stated that the standard “responds to calls from investors for more transparent, decision-useful information about a company’s income taxes” and that it would “help investors better assess how a company’s operations and related tax risks and tax planning and operational opportunities affect the company’s tax rate and prospects for future cash flows.”

SEC Amplifies Enforcement Actions in 2023, Targets Diverse Market Sectors

By Tylandra Callands

The SEC reported that it significantly enhanced its enforcement activities in Fiscal Year 2023, marking a heightened commitment to safeguarding market integrity. The SEC filed 784 enforcement actions, a 3 percent increase from the previous year, with 501 being original standalone cases. These actions spanned a diverse range of sectors, tackling major fraud cases and emerging investor threats involving crypto asset securities and cybersecurity.

Following are key highlights:

Expanded Scope of Enforcement

The SEC targeted a wide array of market participants, including public companies, investment firms, gatekeepers, and social media influencers.

Record Financial Remedies

The SEC obtained $4.949 billion in financial remedies, indicating a rigorous pursuit of financial misconduct. This included significant amounts in disgorgement and civil penalties, highlighting the agency’s focus on both remediation and deterrence.

Historic Whistleblower Program Outcomes

The Whistleblower Program awarded nearly $600 million to whistleblowers, including a single record-breaking award of $279 million. The program received an unprecedented 18,000 tips, 50 percent more than in 2022.

Emphasis on Individual Accountability

About two-thirds of the SEC’s cases involved charges against individuals, reflecting a focus on personal responsibility. The SEC also barred 133 individuals from officer and director roles in public companies, the highest in a decade.

Broad Range of Misconduct Addressed

Enforcement actions covered various kinds of misconduct, including affinity frauds, Ponzi schemes, ESG-related cases, and violations of the Foreign Corrupt Practices Act.

Litigated Actions

Over 40 percent of standalone cases were pursued through litigation.

SEC Chair Gensler Makes Statement on Denial of Rulemaking Petition Submitted on behalf of Coinbase Global, Inc.

By Jason Hyatt, Latham & Watkins

On December 15, 2023, the Securities and Exchange Commission (“SEC”) denied a petition filed on behalf of Coinbase Global, Inc. requesting the SEC propose and adopt rules governing the regulation of securities offered and traded via digitally native methods, including rules identifying which digital assets are securities. In a statement in support of the SEC’s denial, Chair Gary Gensler confirmed that the existing securities regime appropriately governs crypto asset securities and identified three reasons for supporting the SEC’s decision to deny the petition.

Existing laws and regulations already apply to the crypto securities markets

Chair Gensler cited SEC v. W.J. Howey Co. and Reves v. Ernst & Young, noting that crypto assets should be considered securities if they meet the definition of an investment contract as set forth in Howey and that “Congress’s purpose in enacting the securities laws was to regulate investments, in whatever form they are made by whatever name they are called,” as held in Reves. Chair Gensler went on to say that to the extent a crypto asset is offered and sold as a security, then its offer or sale requires disclosure through the registration process, rejecting the petition’s assertion that it is not feasible to identify an “issuer” of crypto asset securities.

Additionally, Chair Gensler noted that the securities laws require securities intermediaries, such as broker-dealers, exchanges, clearing agencies, or transfer agents, to register with the SEC, and such laws apply to those dealing in crypto assets.

The SEC addresses the crypto securities markets through rulemaking as well.

Chair Gensler spoke about a number of ongoing initiatives to demonstrate that the SEC is actively thinking about the regulatory regime for crypto assets. Such initiatives include the Special Purpose Broker-Dealers Release—which provides a five-year period for certain broker-dealers to not be subject to SEC enforcement action for violating certain broker-dealer requirements with regard to activities in crypto asset securities, if such broker-dealer is operating within defined circumstances—as well as the SEC’s rule proposals and comment solicitations for Regulation Best Execution, Safeguarding Advisory Client Assets, Regulation Systems Compliance and Integrity, and Amendments Regarding the Definition of “Exchange.”

Chair Gensler also noted that several enforcement actions are pending, the results of which could provide the SEC with additional information and experience, and that it has and will continue to regularly engage with crypto asset market participants, such as by providing guidance and contributing to reports.

It is important to maintain Commission discretion regarding rulemaking priorities.

Chair Gensler stressed the importance of the SEC’s being able to maintain discretion on which aspects of the capital markets require updated regulation. While admitting the crypto asset market experiences “outsize[d] fraud, abuse, and noncompliance relative to its size,” Chair Gensler noted that the crypto markets represent only a small portion of the overall capital markets.