Issue link: https://digital.shearman.com/i/1512772
Shearman & Sterling LLP 13 | SEC Demands Stronger Disclosure Controls in Recent Enforcement Actions

TYPES OF DISCLOSURE CONTROLS AT ISSUE IN ENFORCEMENT ACTIONS

In reviewing the types of disclosure controls the SEC alleged were lacking in connection with the individual facts and circumstances that were the subject of its various recent enforcement actions, several key thematic concepts emerge. Sometimes, the disclosure controls charge is simply added to a separate and more specific count of failing to maintain effective internal control over financial reporting, usually in the context of material accounting irregularities that result in a restatement of prior financial statements. But in actions that do not relate to proper GAAP-compliant accounting, the SEC appears to have on its radar (at least) the following types of disclosure controls:

• Upward reporting from company operations to disclosure decision-makers;
• Review of company statements prepared at corporate level by operations personnel sufficiently familiar with the company's affairs;
• Modeling the impact of a particular regulatory compliance failure;
• Disclosing key business drivers in the MD&A section of company filings;
• Monitoring director independence;
• Tracking perquisites; and
• Tracking non-GAAP measures.

Upward Reporting to Disclosure Decision-Makers. A common theme in the SEC's charges to date has been an alleged lack of upward reporting of disclosure-relevant information. This was highlighted in several recent enforcement actions relating to cybersecurity. Earlier this year, Blackbaud Inc., a California-based company specializing in data management software for non-profits, agreed to pay a $3 million penalty to settle charges for making allegedly misleading disclosures about a 2020 ransomware attack that impacted more than 13,000 customers and, separately, for failing to maintain adequate disclosure controls.[5] Eight weeks after becoming aware of the ransomware attack, Blackbaud announced that the attacker had not gained access to sensitive donor account information. According to the SEC's order, several days after this announcement, the company's technology and customer relations personnel discovered that the attacker had in fact gained access to donor account information and social security numbers. The SEC alleged that this discovery did not make its way up to senior management before Blackbaud filed its next Form 10-Q two weeks later, and therefore the filing did not correct the company's original announcement and misleadingly characterized the risk of data exfiltration as hypothetical. The SEC concluded that the company had failed to institute a process designed to ensure the flow of information about cybersecurity incidents involving the exposure of sensitive donor information from the business operations to the disclosure function.

In 2021, Pearson plc, a U.K. educational publisher, agreed to pay a $1 million penalty to settle charges for making allegedly inadequate disclosure of a cyberattack and failing to maintain disclosure controls designed to assess such incidents from a disclosure perspective.[6] In that case, the SEC focused on the company's determination that public disclosure of the cyberattack incident, in which the attacker extracted usernames, passwords, and 11 million rows of sensitive student information, was unnecessary. The SEC also pointed to the fact that in the company's next quarterly report following the cyberattack, the company repeated risk factor language from prior reports that talked about how the "[r]isk of a data privacy incident . . . including a failure to prevent or detect a malicious attack, . . . could result in a major data privacy or confidentiality breach." According to the SEC, this implied, incorrectly, that no major breach had in fact occurred. The SEC found a lack of disclosure controls appropriately tailored to Pearson's risk profile that, had they been in place, would have made relevant disclosure personnel aware of the circumstances surrounding the breach.

[5] In re Blackbaud Inc., Admin. Proc. No. 3-21339, https://www.sec.gov/files/litigation/complaints/2023/comp-pr2023-48.pdf (March 9, 2023).
[6] In re Pearson plc, Admin. Proc. No. 3-20462, https://www.sec.gov/litigation/admin/2021/33-10963.pdf (Aug. 16, 2021).