An Update on the SEC’s Cybersecurity Reporting Rules

As we pass the two-month anniversary of the effectiveness of the U.S. Securities and Exchange Commission’s (“SEC’s”) Form 8-K cybersecurity reporting rules under new Item 1.05, this blog post provides a high-level summary of the filings made to date.

Six companies have now made Item 1.05 Form 8-K filings. Three of these companies also have amended their first Form 8-K filings to provide additional detail regarding subsequent events. The remainder of the filings seem self-contained such that no amendment is necessary, but these companies may amend at a later date. In general, the descriptions of the cybersecurity incidents have been written at a high level and track the requirements of the new rules without much elaboration. It is interesting, but perhaps coincidental, that the filings seem limited to two broad industry groups: technology and financial services. In particular, two of the companies are bank holding companies.

Although several companies have now made reports under the new rules, the sample space may still be too small to draw any firm conclusions or decree what is “market.” That said, several of the companies that have filed an 8-K under Item 1.05 have described incidents and circumstances that do not seem to be financially material to the particular companies. We are aware of companies that have made materiality determinations in the past on the basis of non-financial qualitative factors when impacts of a cyber incident are otherwise quantitatively immaterial, but these situations are more the exception than the rule.

There is also a great deal of variability among the forward-looking statement disclaimers that the companies have included in the filings in terms of specificity and detail. Such a disclaimer is not required in a Form 8-K, but every company to file under Item 1.05 to date has included one. We believe this practice will continue.

Since the effectiveness of the new rules, a handful of companies have filed Form 8-K filings to describe cybersecurity incidents under Item 8.01 (“Other Events”) instead of Item 1.05. These filings have approximated the detail of what is required under Item 1.05. It is not immediately evident why these companies chose Item 8.01, but presumably the companies determined that the events were immaterial such that no filing under Item 1.05 was necessary at the time of filing. Of course, the SEC filing is one piece of a much larger puzzle when a company is working through a cyber incident and related remediation. It remains to be seen how widespread this practice will become. To date, the SEC staff has not publicly released any comment letters critiquing any Form 8-K cyber filing under the new rules, but it is still early in the process. The SEC staff usually (but not always) makes its comment letters and company responses to those comment letters public on the SEC’s EDGAR website no sooner than 20 business days after it has completed its review. With many public companies now also making the new Form 10-K disclosure on cybersecurity, we anticipate the staff will be active in providing guidance and commentary on cybersecurity disclosures in the coming year.

Recent FinCEN FAQs Provide Additional Guidance on Compliance

The US Financial Crimes Enforcement Network (FinCEN) released several new FAQs this month to provide further clarity on the Corporate Transparency Act’s (CTA) provisions.
Notably, FinCEN provided guidance on who is considered “primary responsible” for directing a filing, as well as what is necessary to qualify under the subsidiary exemption, among other matters.

The CTA’s requirements went into effect on January 1, 2024. As we’ve previously detailed, reporting companies formed prior to that date will be required to file their initial reports with FinCEN no later than January 1, 2025. A reporting company created during 2024 is required to file its initial report within 90 days of its creation or registration, and one created on or after January 1, 2025, will have 30 days to file its initial report. A previously registered company will need to update its registration within 30 days of a change in its beneficial ownership or other information reported to FinCEN. For detailed overviews of the CTA, please visit our earlier posts located here, here, and here.

Company Applicants: Who is “Primarily Responsible” for Directing a Filing?
The CTA requires that reporting companies formed on or after January 1, 2024, disclose their “company applicant.” An individual is a “company applicant” if (1) they directly file the company’s formation or registration documents with a secretary of state or similar office or (2) if more than one person is involved in the filing, they are primary responsible for directing or controlling the filing. A maximum of two individuals can be reported as company applicants.

The FAQs clarify that the person who signs the formation document, such as an incorporator, is not necessarily a company applicant. Instead, the rule focuses on the person responsible for making decisions about the filing, including how the filing is managed, what contents to include, and when and where filing will occur.

FinCEN provides three scenarios to illustrate the rule. In two of the scenarios, an attorney or a paralegal instructed by that attorney completes a company creation document using information provided by a client and sends the document to a corporate service provider to be filed with a secretary of state. In this scenario, the attorney will one of the company applicants, and the employee at the corporate service provider who directly filed the document with the secretary of state will be the other company applicant. In the third scenario, the attorney’s client initiated the company creation directly with the corporate service provider — in this case, the client will be a company applicant (as will the employee at the corporate service provider who directly filed the document).

Subsidiary Exemption: Is Partial Control of a Subsidiary’s Ownership Interests By an Exempt Entity Sufficient to Qualify for the Subsidiary Exemption?
The short answer is — no.

The CTA lists 23 categories of entities that are exempt from the beneficial ownership information (BOI) reporting requirements. A subsidiary of certain categories of exempt entities will also be exempt if the subsidiary is controlled or wholly owned, whether directly or indirectly, by one or more of such exempt entities.

The FAQs clarify what happens when the exempt entity partially controls the subsidiary. Partial control is insufficient for an entity to fall within the subsidiary exemption — a subsidiary’s ownership interests must be fully, 100% owned or controlled by the exempt entity to qualify for this exemption. Thus, control of ownership interests means that one or more exempt entities entirely control all of the ownership interests in the reporting company, in the same way that an exempt entity must wholly own all of a subsidiary’s ownership interests for the exemption to apply.

Selected Additional Matters Covered by the New FAQs
Reporting Company Ownership Subject to Dispute: If ownership of a reporting company is the subject of active litigation, all individuals who own or control (or claim to own or control) at least 25% of the company’s interests are considered beneficial owners, and BOI must be submitted for each individual (in addition to BOI for all individuals who exercise substantial control over the company). If, after the legal dispute is solved, the reporting company has different beneficial owners from those initially reported, an updated BOI report must be filed within 30 calendar days after the litigation is resolved.
Third-Party Couriers or Delivery Service Employees: Third-party courier or delivery service employees who solely deliver documents to a secretary of state are not company applicants, as long as the third-party courier, the delivery service employee, and the delivery service that employs them play no other roles in the creation or registration of the reporting company.
Automated Incorporation Service: An automated incorporation service’s employees are not company applicants if the service solely provides software, online tools, or generally applicable written guidance for the creation of a reporting company and its employees are not directly involved in filing creation documents.
No Photo on Identification Document for Religious Reasons: If a beneficial owner’s or company applicant’s identification document does not include a photograph for religious reasons, the reporting company may submit an image of that identification document when submitting its report, provided that the document is otherwise an acceptable type of identification. If the individual in question obtains a FinCEN identifier, then the burden of providing the identification document to FinCEN would fall on the individual and not on the company (which would only need to report the FinCEN identifier).
No Permanent Residential Address: When a reporting company must report an individual’s residential address, but no such permanent address is available, the reporting company should report the residential address that is current at the time of filing the report. If the address later changes, the reporting company must submit an updated report within 30 days from such change. The use of a FinCEN identifier by the individual will eliminate the company’s need to submit an updated report, although the individual would be required to update his or her address with FinCEN directly.

© 2024 ArentFox Schiff LLP

by: Evgeny Magidenko of ArentFox Schiff LLP

For more news on Corporate Transparency Act Compliance, visit the NLR Corporate & Business Organizations section.

Despite Record Year, SEC Must Improve Whistleblower Program to Align with White House Anti-Corruption Initiative

SEC Chair Gary Gensler announced on October 25th that in the 2023 fiscal year, the Commission received a record number of 18,000 whistleblower tips.

The SEC Whistleblower Program has grown rapidly and effectively since its inception in 2010 – the 2022 Fiscal Year set a record of 12,300 whistleblower tips. This was a near doubling of the 2020 tips, which set a record of 6,911.

The SEC transnational whistleblower program responds to individuals who voluntarily report original information about potential misconduct. If tips lead to a successful enforcement action, the whistleblowers are entitled to 10-30% of the recovered funds. The programs have created clear anti-retaliation protections and strong financial incentives for reporting securities and commodities fraud.

The U.S. Strategy on Countering Corruption is a White House initiative from December of 2021 that establishes the fight against corruption as a core tenant of national security interests. It outlines strategic pillars and objectives within each. The recommendations on improving the SEC’s whistleblower provisions as outlined below have the same goal of creating stronger processes to combat corruption.

Since the SEC Whistleblower Program was created in 2010, whistleblowers have played a crucial role in the SEC’s enforcement efforts. Overall, since the whistleblower program was established in 2010, “[e]enforcement actions brought using information from meritorious whistleblowers have resulted in orders for more than $6.3 billion in total monetary sanctions, including more than $4.0 billion in disgorgement of ill-gotten gains and interest, of which more than $1.5 billion has been, or is scheduled to be, returned to harmed investors,” according to the 2022 annual report.

This $6.3 billion recovered via sanctions is money that is put back into the pockets of investors and everyday Americans.

The SEC does not credit related enforcement actions to award notifications and sanctions in order to maintain the anonymity and confidentiality of whistleblowers, award notifications don’t tie to underlying enforcement action. The $6.3 billion does not include DOJ enforcement actions, which combined would show a much larger number.

Non-U.S. citizens who blow the whistle on potential securities frauds committed by publicly traded companies outside the United States are eligible to receive awards, as well as those whistleblowers who report violations of the Foreign Corrupt Practices Act. This anti-corruption legislation prohibits the payment of anything of value to foreign government officials in order to obtain a business advantage.

Whistleblowers from over 130 countries have used the SEC Whistleblower Program to report fraud in their workplace.

Despite the massive growth of tips received, many whistleblowers’ cases are dismissed by the SEC due to insubstantial filing errors and strict time parameters on forms, or reported to the news media, other U.S. government agencies, or international government workers in roles that are public abroad but private in the U.S.

Considering these narrow qualifications and to ensure that the process for qualifying as a whistleblower aligns with U.S. anti-corruption priorities, the National Whistleblower Center recommends that the program be improved by expanding the definition of voluntary, further the provisions of identity protection and rewards. These recommendations align with the White House drafted United States Strategy on Countering Corruption.

Whistleblowers identified in case investigations should be automatically eligible for rewards, rather than mandated to meet technical form requirements.

The SEC should maintain their “Three Conditions” qualifications standards and expand the definition of “voluntary.” The current language disqualifies whistleblowers who report fraud to the media, other government agencies, foreign law enforcement, or a U.S. embassy before the SEC, considering them “involuntary.” These restrictions dissuade potential whistleblowers from engaging with the program and thus interfere with federal anti-corruption objectives. The agency must ensure that whistleblowers who file complaints internally before coming to the SEC maintain award eligibility.

The SEC should not incentivize or require whistleblowers to report internally before filing claims with the agency, as this exposes them to retaliation. If a whistleblower was removed from their position, they could no longer provide the Commission with the most updated information, which would harm the investigation.

By establishing a consistent inter-agency protocol concerning whistleblowers who have participated in the crime they report, the SEC can further protect the confidentiality and anonymity of whistleblowers in all ongoing federal investigations surrounding their disclosures.

Whistleblowers must receive the full force of related action provisions and rewards if the company or agency they report is simultaneously being investigated by another branch of government.

SEC regulations should contain strict deadlines for paying awards. These regulations should be premised on the fact that the SEC and Justice Department investigators and prosecutors will know the identity and contributions of all whistleblowers who would qualify for a reward in a particular case.

In the IRS (Internal Revenue Service) Whistleblower Program, procedures require that their investigators file whether or not there was a whistleblower involved in the case at the time the case file is closed. Agents thus know who the whistleblowers are, and the agency can process a claim quickly. The integration of affidavits and statements from front-line investigators into the decision-making process accelerates the reward payout.

Wait times for awards received are another disincentivizing factor for blowing the whistle. The SEC should establish and abide by a strict deadline for paying awards to ensure that whistleblowers are compensated fully and promptly. Rewards should not have a cap limit.

Such changes reinforce the White House Strategy’s objective to “bolster the ability of civil society, media, and private sector actors to safely detect and expose corruption,” “curb illicit finance,” and “enhance enforcement efforts” in the name of “modernizing, coordinating, and resourcing U.S. Government efforts to fight corruption.”

Enhancing the program ensures that whistleblowers whose information successfully leads to enforcement action on money laundering crimes are rewarded, no matter how they provide the information.

Such provisions will demonstrate to international whistleblowers that the risk of blowing the whistle on fraud is worth taking and the United States will support them through the process.

This article was authored by Sophie Luskin.

Internal Investigations Are a Poe Substitute for Compliance

Happy Halloween! In honor of the holiday, we are taking our compliance message in a bit of a . . . spooky direction. But our message remains the same: International transactions are inherently high-risk; they require constant attention and oversight for your compliance to be effective; and it is always better to put your resources into compliance than to spend them on investigations.

Speaking of Halloween, here are some interesting facts about Edgar Allan Poe:

  • Poe ruined a promising start to an army career at West Point by spending his time writing mocking poems about his instructors rather than finishing his assigned work.
  • Poe often wrote only after placing a Siamese cat on his shoulder.
  • The Baltimore Ravens are the only major sports team to be named after a poem, Poe’s “The Raven.”
  • And most importantly, Poe turned down a promising career as a chief compliance officer. Don’t believe me? Check out this recently unearthed initial draft of “The Raven,” and decide for yourself!

Internal Investigations Are a Poe Substitute for Compliance

Once upon a midnight dreary, this Compliance Officer pondered, weak and weary,
Over a list of quaint and curious compliance chores —
While I nodded, nearly napping, suddenly there came a tapping,
As of someone gently rapping, rapping at my chamber door.
“Tis some auditor,” I muttered, “tapping at my chamber door —
Only this and nothing more.”

Ah, distinctly I remember, it was in the bleak December;
When fiscal-year matters come to the fore.
And compliance matters, are quite forgotten,
And talks of investigations, are verboten,
And as welcome as a lingering bedsore,

And yet the knocking — the knocking! — it was far from fleeting.
It thrilled me — it called to me — this was no account-busting lunch meeting!
It filled me with fantastic terrors never felt before.
So that now, to still the beating of my heart, I stood repeating,
“Tis some auditor entreating entrance at my chamber door —
Perhaps some senior officer pleading entrance at my chamber door —
This it is and nothing more.”

Presently my soul grew stronger; had I not mastered SOX? And regs much longer?
“Sir,” said I, “or Madam, truly your forgiveness I implore.
But the fact is I was dreaming, of internal controls, and ethics training,
And so faintly you came tapping, tapping at my chamber door,
That I scarce was sure I heard you” — here I opened wide the door —
Darkness there and nothing more.

Back into the chamber turning, all my soul within me burning,
Soon again I heard a tapping somewhat louder than before.
“Surely,” said I, “surely that is something at my window lattice;
Let me see, then, what threat there is, and this mystery explore —
Let my heart be still a moment and this mystery explore —
’Tis a mistaken Whistleblower and nothing more!”

Open here I flung the shutter, when, with many a flirt and flutter,
In there stepped a stately Raven, a Whistleblower like those of the days of yore.
Not the least obeisance made he; not a minute stopped or stayed he;
But, with mien of lord or lady, perched above my chamber door —
Perched upon a bust of Pallas just above my chamber door —
Perched, and sat, and nothing more.

Then this ebony bird beguiling my sad fancy into smiling,
By the grave and stern decorum of the countenance it wore.
“Though thy crest be shorn and shaven, thou,” I said, “art sure no craven,
Ghastly grim and ancient Whistleblower wandering from the Nightly shore —
Tell me what thy lordly report is from our subsidiaries far off-shore!”
Quoth the Whistleblower Raven: “Your Compliance is Nevermore.”

“Prophet!” said I, “thing of evil! — prophet still, if bird or devil!
By that Heaven that bends above us — by that God we both adore —
Tell this Compliance Officer with sorrow laden if, within our affiliates far offshore,
There are accounting violations or kickback given to dozens or more!
Or payments made to get our products to leave those foreign shores!
Quoth the Whistleblower Raven: “Your Compliance is Nevermore.”

And thus I realized that compliance is toughest when you operate in lands of many scores.
And the Raven, never flitting, still is sitting, still is sitting,
A Whistleblower whose incriminating red flags I ignored,
And his eyes have all the seeming, of an enforcer who is dreaming, of throwing subpoenas on our corporate floor;
And my wretched soul, like our poor compliance, from out that shadow that lies floating on the floor.
Shall be lifted — nevermore!

How Changing Beneficial Ownership Reporting May Impact Activism

The SEC in February proposed amendments to Regulation 13D-G to modernize beneficial ownership reporting requirements. Adoption of the amendments as proposed will accelerate the timing – and expand the scope – of knowledge of certain activist activities. The deadline for comments on the proposed rules was April 11 and final rules are expected to be released later this year.

The current reporting timeline creates an asymmetry of information between beneficial owners on the one hand and other stockholders and issuers on the other. The SEC proposal is seeking to eliminate this asymmetry and address other concerns surrounding current beneficial ownership reporting. The accelerated beneficial ownership reporting deadlines will result in greater transparency in stock ownership, allowing market participants to receive material information in a timely manner and potentially alleviating the market manipulation and abusive tactics used by some investors.

The shortened filing deadlines should benefit a company’s overall shareholder engagement activities. The investor relations team at a company will have a more accurate and up-to-date picture of its institutional investor base throughout the year, which should result in more timely outreach to such shareholders.

INVESTOR ACCUMULATION OF SHARES BEFORE DISCLOSURE

Although issuers will likely view the proposed rules as beneficial, many commentators have predicted a negative impact on shareholder activism. Under the current reporting requirements, certain activist investors may benefit by having both additional time to accumulate shares before disclosing such activities and potentially more flexibility in strategizing with other investors.

Many commentators have argued that the proposed shorter timeline for beneficial ownership reporting will negatively impact an activist shareholder’s ability to accumulate shares of an issuer at a potentially lower price than if market participants had more timely knowledge of such activity and intent. In many cases a company’s stock price is impacted once an investor files a Schedule 13D with clear activist intent. This can even occur in some cases once a Schedule 13G is filed by a known activist investor without current activist intent.

If the shorter reporting deadlines reduce such investors’ profit, it is expected that an investor’s incentive to accumulate stock in order to initiate change at a company will also be reduced. Activists instead may be encouraged to engage more with management. In other words, the shorter reporting period may deter short-term activists and encourage more long-term focused activism.

TIMING OF ISSUER RESPONSE

The shorter reporting deadlines are also expected to result in management having earlier notice of any takeover attempt and to give a company the opportunity to react more quickly to any such attempt. There is potential for this to lead to increased use of low-threshold poison pills. But the SEC stated in the proposed rules release that it believes the risk of abundant reactionary low-threshold poison pills is overstated due to scrutiny of such poison pills from courts and academia, limitations imposed by state law and the unlikelihood that the beneficial ownership would trigger the low-threshold poison pills.

Companies that have low-threshold poison pills – such as one designed to protect a company’s net operating losses – may want to review them to confirm that the proposed rules would not be expected to have any impact. For example, such poison pills may link the definition of beneficial ownership to the SEC rules, including Schedule 13D and 13G filings.

‘GROUP’ REPORTING

Another proposed change expected to affect shareholder activism is the expanded definition of ‘group’ for the purposes of reporting under Schedule 13D. The current rules require an explicit agreement between two or more persons to establish a group for purposes of the beneficial ownership reporting thresholds.

Commentators believe that under the current rules, certain investors seeking change at a company may share the fact that they are accumulating shares of a company with other shareholders or activists, which can then act on this information before the general public is aware; in other words, before public disclosure in and market reaction to the Schedule 13D filing. This activity may result in near-term gains for the select few involved before uninformed shareholders can react.

Under the SEC’s proposed amended Rule 13d-5, persons who share information with another regarding an upcoming Schedule 13D filing are deemed to have formed a group within the meaning of Section 13(d)(3) regardless of whether an explicit agreement is in place, and such concerted action will trigger reporting requirements. This proposed change is expected to benefit companies and shareholders overall by preventing certain investors from acting in concert on information not known to a company and its other shareholders.

The full impact of the proposed rule changes on shareholder activism cannot be accurately predicted, but we believe that at a minimum, issuers will find it beneficial to have more regularly updated information on their institutional investor base for, among other things, their shareholder engagement efforts.

© 2022 Jones Walker LLP

Illinois House Bill Requires Corporations to Report to Secretary of State

House Bill 3394, approved by the Governor on August 27, 2019 and effective immediately (Public Act 100-589), amends the Business Corporation Act of 1983 (“BCA”) to add new Section 8.12 and amend Section 14.05.

New BCA Section 8.12 provides that domestic and foreign corporations, as soon as possible but not later than January 1, 2021, to report to the Secretary of State, on its Annual Report:

  1. Whether the corporation is a publicly held domestic or foreign corporation with its principal executive office located in Illinois
  2. Data on specific qualifications, skills and experience that the corporation considers for its board of directors, nominees for the board of directors and executive officers
  3. Whether each member of the corporation’s board of directors self-identifies as a minority person and, if so, which race or ethnicity to which the member belongs
  4. Other information

New BCA Section 8.12 also requires the Secretary to State to make the information public and report the information to the University of Illinois which is to review the reported information and publish, on its website, a report that provides aggregate data on the demographic characteristics of the boards of directors and executive officers of corporations filing an annual report for the preceding year along with an individualized rating (establish by the University of Illinois assessing the representation of women and minorities on corporate boards)  for each such corporation. The University of Illinois’ is also required to identify strategies for promoting diversity and inclusion among boards of directors and corporate executive officers.

BCA Section 14.05 as amended adds new Sections 14.05(k) and 14.05(l).  New BCA Section 14.05(k) requires each corporation or foreign corporation to state on its Annual Report whether the corporation has outstanding shares listed on a major United States stock exchange and is thereby subject to the reporting requirements of new BCA Section 8.12.  New BCA Section 14.05(l) requires corporations subject to new BCA Section 8.12 to provide the information required by new BCA Section 8.12.

It is our understanding that Form 14.05, Illinois Annual Report, is currently being amended to reflect these changes.


© Horwood Marcus & Berk Chartered 2020. All Rights Reserved.

For more on corporate reporting requirements, see the National Law Review Corporate & Business Organizations law page.

California Secretary Of State Issues First Board Gender Quota Report But Is Something Missing?

Yesterday was the first of several deadlines under California’s unprecedented legislationSB 826, imposing gender quota requirements on all publicly-held domestic or foreign corporations whose principal executive offices are located in California.  This legislation also required the Secretary of State’s office to publish a report on its website no later than July 1, 2019 documenting those corporations subject to the law “who [sic] have at least one female director”.

The Secretary of State did, in fact, publish a report yesterday listing 538 corporations, their jurisdiction of incorporation, street address, phone number and stock exchange.  Oddly missing from the list was any indication of the number of female directors (if any) even though the law clearly requires that information.  It is also unclear why the Secretary of State chose to publish address and telephone information when that information was not required to be in the report.

The Secretary of State’s office did publish an explanation of its methodology that basically consisted of searches of Securities and Exchange Commission and other public filings.  The explanation includes this warning as well:

“Note that federal filing deadlines for filing the annual SEC Form 10-K (60, 75 or 90 days after the end of the fiscal year) differ from the California deadline for filing the Publicly Traded Disclosure Statement (150 days from the end of the fiscal year) so there may be gaps in available data.”

The Secretary of State has modified its corporate disclosure statement to require publicly traded companies to disclose if they have one or more female directors on their current Boards of Directors.  Given the definition of “female” in the statute (an individual who self-identifies her gender as a woman, without regard to the individual’s designated sex at birth), I wouldn’t be surprised to see a question concerning gender identification appearing on Directors and Officer questionnaires.

 

© 2010-2019 Allen Matkins Leck Gamble Mallory & Natsis LLP
For more on corporate compliance, please see the National Law Review Corporate & Business Organizations page.

Importance of Making Sure Your Corporate Status is Up to Date

On September 8, 2015, the United States Civilian Board of Contract Appeals (CBCA) dismissed a claim for lack of jurisdiction when it determined that a contractor was not in good standing at the time of the filing, and thus it could not file the claim.

Western States Federal Contracting, LLC (Western States) filed a protest seeking damages from the Department of Veterans Affairs (VA). The VA filed a motion to dismiss, asserting that Western States did not have the right to sue because it was not in good standing in its state of incorporation due to unpaid taxes in the amount of $981.

On several occasions, the CBCA ordered Western States to show that it was in good standing and had the right to sue. Although Western States was not in good standing in Delaware, where it was incorporated, Western States first attempted to show it was in good standing in Arizona, where it was conducting business. CBCA rejected this showing and ordered Western States to show it was in good standing in Delaware. Western States was unable to make this showing.

After Western States paid its overdue tax bill, and regained its good standing in Delaware, it argued that its good standing status should be retroactive. The CBCA found that Western States did not have standing to pursue its damages claim because it was not in good standing when it filed its appeal.

In addition to the having the capacity to sue and be sued, here are three other primary reasons why keeping your business in good standing status is good for business.

1. Lenders, Vendors, and Others Might Require a Good Standing Certificate

Lenders sometimes require good-standing status in order to approve new financing. They generally view a loss of good standing status as an increased risk which may increase the cost of financing or even limit the ability to obtain financing. Other businesses might require a Certificate of Good Standing for certain transactions, requests for proposals (RFPs) or contracts. Or, you may need one to sell the business, for real estate closings, or for mergers, acquisitions, or expansions. If a business can’t provide a Certificate of Good Standing, it raises a compliance “red flag” that indicates something’s wrong with the company’s state status.

2. Keeping Your Business Good Standing Often Saves Money in the Long Run

If a business doesn’t maintain its good-standing status, the state likely will make an involuntary adverse status change for the company, labeling it as “delinquent,” “void,” “suspended” or “dissolved,” depending on the state and the compliance problem. The most common reasons for losing good standing include a missed annual report, problems regarding the company’s registered agent-and-office, or unpaid fees or franchise taxes. The cost of fixing these mistakes can add up; preventing these mistakes is not expensive. By simply keeping your LLC or corporation in good standing, you could help:

  • Keep overall operating costs lower—filing on time avoids extra fees and fines from sapping your budget.

  • Prevent a state from administratively dissolving the LLC or corporation (and then having to try for a reinstatement) or worse yet, have to start all over again because your LLC or corporation has been permanently “purged”.

  • Maintain the limited liability protection that an LLC, corporation, or other business entity provides.

  • Preserve your rights to your LLC’s or corporation’s legal name in state records.

  • Keep your business poised for sudden contract opportunities, bids, or deals with other companies that require a Certificate of Good Standing to pursue or seal the deal.

3. Good Standing Helps When You Expand Into Other States

When you form your LLC or corporation, the state generally considers you to be “organizing” a business “entity.” Your business entity (e.g., LLC, corporation) has the right to do business in the state of organization only. If you want to expand and do business in other states, you’ll need to register to transact business in those states, too. Usually, the new state(s) ask for a Certificate of Good Standing from your formation state (or your “domestic” state) before they’ll let you register.

Checking Your Good Standing

Still, it’s not always easy to know which regulations and obligations apply to your corporation or LLC. Compliance can seem complicated or costly at times. Regulations change. And it can be difficult to keep track of the various deadlines your company must meet.  However, compliance can be done easily and inexpensively, relative to the cost of noncompliance.  We recommend that at least annually, you or your legal counsel should confirm that your LLC or corporation is in good standing in its state of formation as well as every state with which you are conducting business.

All states allow steps to be taken for a not-in-good-standing corporation or LLC to restore its standing, and that if good standing is restored, generally it will be as if the corporation or LLC had consistently remained in good standing.

© 2015 Odin, Feldman & Pittleman, P.C.

Taking Control of Cybersecurity: A Practical Guide for Officers and Directors

Foley and Lardner LLP

Major cybersecurity attacks of increased sophistication — and calculated to maximize the reputational and financial damage caused to the corporate targets — are now commonplace. These attacks have catapulted cybersecurity to a top priority for senior executives and board members.

To help these decision makers get their arms around cybersecurity issues, Foley Partners Chanley T. Howell, Michael R. Overly, and James R. Kalyvas have published a comprehensive white paper entitled: Taking Control of Cybersecurity — A Practical Guide for Officers and Directors.

The white paper describes very practical steps that officers and directors should ensure are in place or will be in place in their organizations to prevent or respond to data security attacks, and to mitigate the resulting legal and reputational risks from a cyber-attack. The authors provide a blueprint for managing information security and complying with the evolving standard of care. Checklists for each key element of cybersecurity compliance and a successful risk management program are included.

Excerpt From Taking Control of Cybersecurity: A Practical Guide for Officers and Directors

Sony, Target, Westinghouse, Home Depot, U.S. Steel, Neiman Marcus, and the National Security Agency (NSA). The security breaches suffered by these and many other organizations, including most recently the consolidated attacks on banks around the world, combined with an 80 percent increase in attacks in just the last 12 months, have catapulted cybersecurity to the top of the list of priorities and responsibilities for senior executives and board members.

The devastating effects that a security breach can have on an enterprise, coupled with the bright global spotlight on the issue, have forever removed responsibility for data security from the sole province of the IT department and CIO. While most in leadership positions today recognize the elevated importance of data security risks in their organization, few understand what action should be taken to address these risks. This white paper explains and demystifies cybersecurity for senior management and directors by identifying the steps enterprises must take to address, mitigate, and respond to the risks associated with data security.

Officers and Directors are Under a Legal Obligation to Involve Themselves in Information Security

The corporate laws of every state impose fiduciary obligations on all officers and directors. Courts will not second-guess decisions by officers and directors made in good faith with reasonable care and inquiry. To fulfill that obligation, officers and directors must assume an active role in establishing correct governance, management, and culture for addressing security in their organizations.

Download This White Paper

ARTICLE BY

The Affordable Care Act—Countdown to Compliance for Employers, Week 1: Going Live with the Affordable Care Act’s Employer Shared Responsibility Rules on January 1, 2015

Mintz Levin Law Firm

Regulations implementing the Affordable Care Act’s (ACA) employer shared responsibility rules including the substantive “pay-or-play” rules and the accompanying reporting rules were adopted in February.  Regulations implementing the reporting rules in newly added Internal Revenue Code Sections 6055 and 6056 came along in March. And draft reporting forms (IRS Forms 1094-B, 1094-C, 1095-B and 1095-C) and accompanying instructions followed in August.

With these regulations and forms, and a handful of other, related guidance items (e.g., a final rule governing waiting periods), the government has assembled a basic—but by no means complete—compliance infrastructure for employer shared responsibility. But challenges nevertheless remain. Set out below is a partial list of items that are unresolved, would benefit from additional guidance, or simply invite trouble.

1.  Variable Hour Status

The ability to determine an employee’s status as full-time is a key regulatory innovation. It represents a frank recognition that the statute’s month-by-month determination of full-time employee status does not work well in instances where an employee’s work schedule is by its nature erratic or unpredictable. We examined issues relating to variable hour status in previous posts dated April 14July 20, and August 10.

An employee is a “variable hour employee” if—

Based on the facts and circumstances at the employee’s start date, the employer cannot determine whether the employee is reasonably expected to be employed on average at least 30 hours of service per week during the initial measurement period because the employee’s hours are variable or otherwise uncertain.

The final regulations prescribe a series of factors to be applied in making this call. But employers are having a good deal of difficulty applying these factors, particularly to short-tenure, high turnover positions. While there are no safe, general rules that can be applied in these cases, it is pretty easy to identify what will not work: classification based on employee-type (as opposed to position) does not satisfy the rule. Thus, it is unlikely that a restaurant that classifies all of its hourly employees, or a staffing firm that classifies all of its contract and temporary workers, as variable hour without any further analysis would be deemed to comply. But if a business applies the factors to, and applies the factors by, positions,  it stands a far greater chance of getting it right.

2.  Common Law Employees

We addressed this issue in our post of September 3, and since then, the confusion seems to have gotten worse. Clients of staffing firms have generally sought to take advantage of a special rule governing offers of group health plan coverage by unrelated employers without first analyzing whether the rule is required.

While staffing firms and clients have generally been able to reach accommodation on contractual language, there have been a series of instances where clients have sought to hire only contract and temporary workers who decline coverage in an effort to contain costs. One suspects that, should this gel into a trend, it will take the plaintiff’s class action bar little time to respond, most likely attempting to base their claims in ERISA.

3.  Penalties for “legacy” HRA and health FSA violations

A handful of promoters have, since the ACA’s enactment, offered arrangements under which employers simply provided lump sum amounts to employees for the purpose of enabling the purchase of individual market coverage. These schemes ranged from the odd to the truly bizarre. (For example, one variant claimed that the employer could offer pre-tax amounts to employees to enroll in subsidized public exchange coverage.) In a 2013 notice, the IRS made clear that these arrangements, which it referred to as “employer payment plans,” ran afoul of certain ACA insurance market requirements. (The issues and penalties are explained in our June 2 post.) Despite what seemed to us as a clear, unambiguous message, many of these schemes continued into 2014.

Employers that offered non-compliant employer-payment arrangements in 2014 are subject to penalties, which must be self-reported. For an explanation of how penalties might be abated, see our post of April 21.

4.  Mergers & Acquisitions

While the final employer shared responsibility regulations are comprehensive, they fail to address mergers, acquisitions, and other corporate transactions. There are some questions, such as the determination of an employer’s status as an applicable large employer, that don’t require separate rules. Here, one simply looks at the previous calendar year. But there are other questions, the answers to which are more difficult to discern. For example, in an asset deal where both the buyer and seller elect the look-back measurement method, are employees hired by the buyer “new” employees or must their prior service be tacked? The IRS invited comments on the issue in its Notice 2014-49.

Taking a page from the COBRA rules, the IRS could require employers to treat sales of substantial assets in a manner similar to stock sales, in which case buyers would need to carry over or reconstruct prior service. While such a result might be defensible, it would also impose costly administrative burdens. Currently, this question is being handled deal-by-deal, with the “answers” varying in direct proportion to the buyer’s appetite for risk.

5.  Reporting

That the ACA employer reporting rules are in place, and that the final forms and instructions are imminent should give employers little comfort. These rules are ghastly in their complexity. They require the collection, processing and integration of data from multiple sources—payroll, benefits admiration, and H.R., among others. What is needed are expert systems to track compliance with the ACA employer shared responsibility rules, populate and deliver employee reports, and ensure proper and timely delivery of employee notices and compliance with the employer’s transmittal obligations. These systems are under development from three principal sources: commercial payroll providers, national and regional consulting firms, and venture-based and other start-ups that see a business opportunity. Despite the credentials of the product sponsors, however—many of which are truly impressive—it is not yet clear in the absence of actual experience that any of their products will work. It is not too early for employers to contact their vendors and seek assurances about product delivery, reliability, and performance.