In a recent speech, Commissioner Kara Stein addressed a number of disclosure-related concerns, including cyber disclosures and ESG disclosures. Just as many of us had been reading about a decline in the number of SEC Staff comments regarding the use of non-GAAP measures in SEC filings, Commissioner Stein’s remarks seemed to focus renewed attention on this issue. Commissioner Stein cited studies that show that approximately 97% of S&P 500 companies cite at least one non-GAAP metric in their reports. In addition to echoing prior Staff concerns regarding the possibility that the use of non-GAAP measures may be misleading or may “disguise financial performance,” Commissioner Stein raised a new issue—the lack of uniform standards for non-GAAP measures. Hopefully, such concerns can be allayed with more detailed disclosures, rather than prescriptive standards regarding frequently used non-GAAP measures. Commissioner Stein also focused on “key performance indicators” (KPIs). While remarks from Commission Staff representatives in recent months have indicated that attention is being paid during disclosure reviews to the use of “tailored” performance measures reported by registrants, Commissioner Stein’s comments appear to reflect some intensified focus. Commissioner Stein noted that more and more companies are providing tailored measures of financial performance, which may include same store sales, sales per square foot, customer churn rates, sales conversion rates, customer retention, etc. Stein also noted that non-GAAP measures and KPIs appear to be used in the private markets, with forward-looking adjustments, such as cost savings.
While noting that many of these measures may be used by the key decision makers within companies to track the companies’ performance and, therefore, may provide useful insights for investors, Commissioner Stein observed that the lack of transparency regarding the calculation of many such measures, the lack of comparability as to such measures, and the possible selective use of such measures may raise investor protection concerns. See the full text of the Commissioner’s remarks here.
Last week, the Securities and Exchange Commission published an investigative report.
The report discusses the Commission’s investigation of nine public companies that were subject to cyber breaches. The breaches involved email compromises that directed the companies to send money to third parties.
The Commission found that in many instances the recipients at the companies failed to follow or did not understand their companies’ controls and processes.
The Commission notes that public companies are required to have internal accounting controls in place that provide reasonable assurance that transactions are executed with, or that access to company assets is permitted only with, management’s authorization. Companies should reassess their internal accounting controls in light of the risks associated with cyber incidents and consider whether their controls are effective. In addition, companies should conduct appropriate training for employees. Although the Commission did not pursue enforcement action against the companies that are the subject of the report, it is clear that the Commission may in the future review the sufficiency of internal accounting controls in connection with cyber breaches and may take enforcement action for internal control failings.
Wednesday, October 17, 2018
1:00 p.m. – 2:00 p.m. EDT
During this session, Partners Michael L. Hermsen and Anna T. Pinedo will review the accommodations available to foreign private issuers, or non-U.S. domiciled companies, that choose to access the U.S. capital markets. We will discuss assessing a company’s status as a foreign private issuer, the initial registration and ongoing disclosure requirements for foreign private issuers, liability considerations, and related topics. The speakers also will address recent developments significant to foreign private issuers, including:
- Staff guidance regarding the foreign private issuer definition;
- Areas of focus for SEC comments in anticipation of upcoming 20-Fs and 40-Fs, including cyber security matters;
- Disclosure simplification;
- Exhibits, HTML and XBRL for foreign private issuers and IFRS filers; and
- Areas of likely SEC focus in the coming months.
Wolters Kluwer will provide CLE credit. For more information, or to register for this session, please visit the event website.
In a recent speech, SEC Commissioner Kara Stein commented on the importance of cybersecurity. The Commissioner noted that encouraging adoption of written policies and procedures, voluntary frameworks and non-binding guidance was not sufficient. She noted that boards of directors have a fiduciary duty to shareholders to monitor and oversee risk, including cybersecurity oversight. She seems to suggest that just as Commission rules require disclosure regarding financial experts, it would be reasonable for there to be some disclosure as to whether boards have an independent director with expert knowledge of technology and cybersecurity. Otherwise, boards should retain experts to provide advice. The Commissioner suggests independent directors meet with the company’s chief information security officer at least twice a year in executive session. She notes that boards should assess company disclosures regarding cyber risks. Finally, she suggests that the board ought to consider how well prepared the company is to respond to a breach, the resiliency of its infrastructure, and the procedures that will be implemented to recover and resume operations.