Corporate Governance

2023 Corporate Governance Survey

Issue link: https://digital.shearman.com/i/1512772


Shearman & Sterling LLP | SEC Demands Stronger Disclosure Controls in Recent Enforcement Actions | 14

And in the First American action discussed above, also brought in 2021, the SEC similarly pointed to a lack of management awareness. The SEC found that senior executives making disclosure decisions had insufficient information to fully evaluate the company's disclosure response to a cybersecurity vulnerability that had exposed 800 million sensitive documents and the magnitude of the resulting risk. Specifically, the SEC alleged that the company's executives approved a public statement about the vulnerability without having been made aware that the company's information security personnel had actually identified the vulnerability months earlier and failed to take remedial action. According to the SEC, the company's Chief Information Security Officer and Chief Information Officer had learned of the full extent of the vulnerability and the lack of prior remediation but did not make the company's senior executives aware, despite numerous opportunities.

As the most recent example, the SEC also included a disclosure controls charge based on an alleged lack of upward reporting in the complaint it filed against enterprise software maker SolarWinds on October 30, 2023.[7] Added to charges for allegedly false or misleading public disclosures about the company's cybersecurity profile, the disclosure controls charge faulted the company for having an incident response policy that classified risks based on the impact to customers, allegedly resulting in only incidents that impacted multiple customers being reported upward to the disclosure function. According to the SEC, this led to multiple cybersecurity issues going unreported that had the potential to materially impact SolarWinds, but which the company determined at the time did not yet impact multiple customers.

Review of Company Disclosures by Knowledgeable Personnel.

Effective disclosure controls also include the review of company disclosures by individuals within the organization who are familiar with the underlying facts. In a September 2022 settlement order, mining company Compass Minerals International Inc. agreed to pay a $12 million penalty to settle a number of charges, including that the company's deficient disclosure controls led its CEO and CFO to make misleading statements about the cost savings from a new mining system. While the SEC did not allege that the CEO and CFO had made intentionally misleading statements, it found that their statements were not reviewed by personnel sufficiently knowledgeable about both Compass's operations and its disclosure obligations. This resulted in statements that addressed the potential benefits of mine upgrades without fully taking into account the upgrades' likely continuing costs. In addition to the financial penalty, the order also required Compass to retain an independent consultant to review and make recommendations concerning its disclosure controls, suggesting that the SEC may have harbored deeper concerns about the quality of the control environment.

Modeling Impact of Particular Regulatory Compliance Failure.

The Compass Minerals action also spotlighted another type of related disclosure controls failure—the lack of an assessment by company personnel of the potential liability resulting from non-compliance with applicable regulations. This related to environmental issues caused by a company facility in Brazil. The SEC alleged that Compass did not adequately assess the financial consequences of the facility's failures to comply with environmental regulations, which could have resulted in penalties up to and including suspension of the facility's operating permit and potential liability to third parties. Effective disclosure controls, the SEC argued, would have assessed the probability of these risks materializing and attempted to quantify their impacts.

Disclosing Key Business Drivers in MD&A.

Item 303 of Regulation S-K requires companies to discuss in their management's discussion and analysis (MD&A), among other things, material changes in results of operations. This discussion must identify any significant elements which do not arise from or are not necessarily representative of the company's ongoing business. The SEC's recent enforcement actions aimed at disclosure controls suggest that it is currently concerned that companies may be underreporting the exposure of their results to volatility in cryptocurrencies—not entirely unlike

[7] SEC v. SolarWinds Corp., Civil Action No. 23-cv-9518, https://www.sec.gov/files/litigation/complaints/2023/comp-pr2023-227.pdf (S.D.N.Y. 2023).
