Issue link: https://digital.shearman.com/i/1512772
Shearman & Sterling LLP SEC Demands Stronger Disclosure Controls in Recent Enforcement Actions | 12 The cybersecurity vulnerability had exposed a large number of documents, some of which contained social security numbers and other non-public personal information. The SEC characterized the company as lacking "any disclosure controls and procedures relating to cybersecurity" even though the company's core real estate transactions business involved voluminous data storage. Notably, the SEC did not allege that this lack of disclosure controls had in fact resulted in inadequate disclosures. The second case was brought earlier this year against Activision Blizzard, a video game maker, in the aftermath of allegations of widespread workplace misconduct and employee attrition at the company. 4 The SEC faulted the company for not including information about employee complaints of workplace misconduct among the information that business unit leaders were required to report to the company's disclosure committee. As a result, the SEC argued, the company's management and disclosure personnel did not have sufficient information about complaints of workplace misconduct to assess the related risks, whether material issues existed that warranted disclosure to investors, or whether the disclosures made to investors in connection with these risks were sufficient. To establish the disclosure relevance of information about workplace misconduct, the SEC pointed to risk factor statements in the company's reports about its dependence on its ability to retain qualified personnel in an industry characterized by high employee mobility. There is also a more philosophical question here. Critics of the SEC's $35 million penalty for Activision Blizzard, including one of the SEC's own Commissioners, questioned whether the SEC should be in the business of bringing charges against companies when it finds no fraud, misrepresentations, omissions or investor harm. This view doubts that purely controls- based enforcement is good policy and suggests it is inconsistent with the SEC's mission as a disclosure regulator. A countervailing view would argue that there is nothing revolutionary about having the SEC's role evolve from policing corporate disclosures to policing the controls that underlie those disclosures. Auditors, to draw an analogy to the world of accounting, spend a great deal of their time auditing the robustness of the internal controls over the financial reporting process. By that measure, if accurate and complete disclosure to investors is the goal, enforcing high quality disclosure controls could be a more effective use of scarce regulatory resources than trying to identify individual disclosure inaccuracies. Underlying this debate is, at heart, a fundamental disagreement about the primary cause for false or misleading disclosures that regulators should focus on. In a fraud-based paradigm, disclosures are deficient when management makes the wrong call, either because of willful disregard for the truth or because of bias towards concluding that inconvenient information is not material. An alternative paradigm focuses on the complexity of large organizations and the resulting challenges in ensuring the timely flow of relevant information for assessment by disclosure decision- makers. In this alternative paradigm, disclosures can fall short even when management is not animated by bias or fraudulent intent, but is simply unaware of disclosable information. The continuing increase in disclosure controls-based enforcement actions signals a view from the SEC that management unawareness is a more serious disclosure problem than previously thought, especially for information outside of financial statements—for which seasoned public companies already undergo an annual audit of the effectiveness of their internal controls. 4 In re Activision Blizzard, Admin. Proc. No. 3-21294, https://www.sec. gov/files/litigation/admin/2023/34-96796.pdf (Feb. 3, 2023).