SEC Press Release provides Compliance Checklist for Corporations

Takeaways

• The SEC collected a record $4.2 billion in penalties in enforcement actions in 2022, nearly three times the figure in 2021.
• Recent enforcement actions involving ESG issues, 10b5-1 plans and cybersecurity align with the SEC’s rulemaking initiatives on those topics.
• Increasingly, as part of settlements, the commission has insisted that companies retain an independent compliance consultant who will report back to the staff of the SEC’s Division of Enforcement on compliance-related undertakings.
• Accounting and disclosure issues, including earnings manipulation, sales practices that impact revenue disclosures and non-GAAP metrics, remain a high priority for enforcement.

The Enforcement Division of the U.S. Securities & Exchange Commission (SEC) recently reported a robust enforcement year with record-breaking results. The summary is an indicator of where the division is concentrating efforts, and thus a forward indicator of areas where companies need be sure they do not run afoul of securities laws.

In the fiscal year ended September 30, 2022, the division initiated 462 new enforcement actions, and 760 actions in total (including follow-on actions and cases involving missing and delinquent filings) and imposed $6.4 billion in penalties and disgorgement, according to the November 15, 2022, press release summarizing the results.

Notable Trends

Higher penalties and a higher penalty/disgorgement ratio. The Enforcement Division views significant penalties as one of its tools to deter future misconduct. Officials have said in recent public remarks that they believe penalties should be calibrated to convey to market participants that complying with the securities laws is less costly than violating them.

Mixed messages about cooperation. The division continues to emphasize the benefits of full cooperation. However, while we did see actions where cooperation resulted in no penalties, we also saw others where significant penalties were imposed despite self-reporting and cooperation. The division has emphasized that the amount of cooperation credit will depend on the facts and circumstances of a particular action.

Imposition of independent compliance consultants (ICCs). Increasingly, we have seen the division requiring parties to engage an ICC who will report back compliance-related findings to staff of the division as part of a settlement, especially in cases where there has not been enough time for the division to assess the effectiveness of the company’s compliance program.

Increased gatekeeper accountability. There is a continued focus on gatekeepers, including auditors and compliance and legal personnel. In one case, a former general counsel of a public company settled an action alleging unintentional misconduct.

Financial Fraud and Issuer Disclosure

The SEC views public company disclosures as the bedrock of the securities markets and it continues to view this area as an enforcement priority. In FY 2022, the SEC brought and obtained settlements in several cases that show how broad a view it is taking of necessary disclosures. For example:

• A mining company was alleged to have misled investors about a technology upgrade it claimed would reduce costs but ultimately increased them, and for failing to properly assess whether to disclose financial risks stemming from excessive discharges of mercury in Brazil.
• In a first-of-its-kind action against a multinational technology company, the defendant was charged with failing to disclose that rising sales of products designed for gaming were driven in part by cryptocurrency mining. Even though the company’s stated revenue and accounting were accurate, the SEC alleged that the Risks and Management Discussion and Analysis sections of its disclosures did not adequately disclose that earnings and cash flow fluctuations reflected in part the volatile crypto mining industry.

Earnings-per-share (EPS) initiative. The SEC continues to closely monitor earnings management practices, such as accounting adjustments that may be quantitively immaterial but impact EPS or earnings guidance in way that have a qualitatively material impact — e.g., a penny per share that was the difference between “making or missing” the quarter. This ongoing program, begun in 2020, leverages data analytics to generate leads about companies that are making post-quarter adjustments in discretionary accounts in order to round up reported EPS to meet or beat publicly announced earnings guidance.

In 2022, as part of this initiative, the SEC brought actions against two companies and charged senior executives in both actions. In one case, the SEC alleged that the company made unsupported reductions in a reserve account that allowed it to round up its EPS reporting, while in, the other case, the company allegedly pulled forward revenue and shipped customer orders without approval.

Sales practices disclosure cases. The SEC continues to monitor sales practices, including “pull-in” practices and order backlog management where the revenue recognition is correct under the Financial Accounting Standards Board’s rules, but disclosures surrounding financial performance — such as ability to meet revenue guidance, maintain year-over-year growth or have customer demand for a product — may be inaccurate or misleading.

For example, the division brought a case last year, later settled, against a cloud computing and virtualization company that allegedly did not properly disclose (i) its order backlog management practices, which enabled the company to push revenue into future quarters by delaying deliveries to customers and (ii) the company’s slowing performance relative to its projections. Again, the financial accounting itself was not challenged, only the misleading overall financial picture these practices were alleged to have created.

Cybersecurity and Compliance

Most of the key cybersecurity cases brought in FY 2022 concerned broker-dealers and investment advisers. However, the SEC has repeatedly emphasized the importance it places public companies having appropriate systems to assess vulnerabilities and meet disclosure obligations during a cybersecurity incident.

A proposed SEC rulemaking would require:

• reporting material cybersecurity incidents on Form 8-K within four business days of discovery, disclosing updates on previously reported cyber incidents on Forms 10-K and 10-Q,
• disclosing the company’s policies and procedures concerning cybersecurity risks,
• maintaining internal controls over information systems that are used (not just owned) by the company, and
• disclosing board members with cybersecurity expertise.

Even before rules are finalized, these proposals are likely indicators of the SEC’s expectations.

We expect continued SEC enforcement activity in this area in 2023.

Environmental, Social and Governance (ESG) Issues

The division has focused attention on ESG issues for public companies, as well as investment products and strategies. The SEC has applied principles from existing law and regulations concerning materiality and accuracy of disclosures to challenge what it believes to misleading statements and “greenwashing.” In March 2021, the division created a Climate and ESG Task Force that is charged with analyzing ESG voluntary disclosures companies make in filings and proactively identifying ESG-related misconduct.

In one notable ESG enforcement action, the SEC litigated against a publicly traded South American metals and mining company, alleging that it made false and misleading claims to local governments, communities and investors about the safety of its dams prior to the collapse of one in Brazil, which caused environmental and social harm. The SEC’s complaint cited several market and financial factors to support its assertion that the disclosures were material, including that the dam failure led to $4 billion decline in the company’s market cap; its ADRs traded on the New York Stock Exchange lost more than 25% of their value; and its credit rating was downgraded to junk status.

Proposed ESG rules in the pipeline at the SEC could make enforcement easier for the commission. In addition, in 2023, we expect the Climate and ESG Task Force within the Enforcement Division to continue to analyze voluntary ESG disclosures in filings and proactively identify ESG-related misconduct.

Market Abuses: 10b5-1 Plans

As we have mentioned above, in 2022, the Enforcement Division brought cases in areas that are the subject of SEC rulemakings to reinforce the need for additional, and likely more prescriptive, regulation. One such area was 10b5-1 predetermined stock sales plans for insiders. The SEC has proposed a rulemaking that would significantly alter the Rule 10b5-1 requirements, aimed at curbing perceived abuses.

In one enforcement action in FY 2022, the SEC charged a public company’s executives with insider trading, alleging that they established a 10b5-1 plan after becoming aware of a significant decline in the revenue from the company’s largest advertising partner. The settlement included several undertakings that align with aspects of the SEC’s proposed rulemaking on 10b5-1 plans, including, for example, an agreement to include a 120-day cooling off period (i.e., when trading is prohibited) after the adoption or modification of a 10b5-1 plan.

Non-GAAP Financial Reporting

The Enforcement Division and the Division of Corporation Finance continue to scrutinize non-GAAP financial metrics and related disclosures and internal controls. The SEC has made it clear that, if a company presents non-GAAP metrics, they must be appropriately labeled, accurate and consistent, and any assumptions or judgment calls should be disclosed.

For example, the SEC sued a multinational health care company alleging that it entered into intra-company foreign exchange transactions for the sole purpose of generating foreign exchange gains, or avoiding foreign exchange losses, on revenue received in foreign currencies using a non-GAAP conversion process. That had the effect of materially misstating the company’s net income, the suit charged. The SEC also found that the company did not have adequate internal controls to monitor and quantify the difference between the non-GAAP and GAAP calculations of the foreign exchange gains and losses.