SEC Observations from Recent Cybersecurity Examinations Identify Best Practices

The SEC continues to focus on cybersecurity as an area of concern within the investment management industry.

On August 7, the US Securities and Exchange Commission’s (SEC’s) Office of Compliance Inspections and Examinations (OCIE) released a Risk Alert summarizing its observations from a recent cybersecurity-related examination of 75 firms—including broker-dealers, investment advisers, and investment companies (“funds”) registered with the SEC.

The SEC staff has made it clear that cybersecurity remains a high priority and is likely to be an area of continued scrutiny with the potential for enforcement actions. During a recent interview,[1] the SEC’s co-directors of Enforcement, Stephanie Avakian and Steven Peikin, stated their belief that “[t]he greatest threat to our markets right now is the cyber threat.” This pronouncement follows on the heels of OCIE’s identification of cybersecurity as one of its examination priorities for 2017,[2] OCIE’s release of a Risk Alert on the “WannaCry” ransomware virus,[3] and several significant Regulation S-P enforcement actions involving firms that failed to adequately protect customer information.[4]

This LawFlash details OCIE’s observations from its recent cybersecurity-related examination that were discussed in its Risk Alert.

OCIE’s Examination Identifies Common Issues

OCIE staff observed common issues in a majority of the firms and funds subject to examination. These common issues include the following:

  • Failure to reasonably tailor policies and procedures. Specifically, the examination found issues with policies and procedures that

    • incorporated only general guidance;

    • identified limited examples of safeguards for employees to consider; and

    • did not articulate specific procedures to implement policies.

  • Failure to adhere to or enforce policies and procedures. In some cases, policies and procedures were confusing or did not reflect a firm’s actual practices, including in the following areas:

    • Annual customer protection reviews not actually conducted on an annual basis

    • Policies providing for ongoing reviews to determine whether supplemental security protocols were appropriate performed only annually, or not at all

    • Policies and procedures creating contradictory or confusing instructions for employees[5]

    • Firms not appearing to adequately ensure that cybersecurity awareness training was provided and/or failing to take action where employees did not complete required cybersecurity training

  • Regulation S-P issues among firms that did not appear to adequately conduct system maintenance. Because Regulation S-P was enacted to safeguard the privacy of customer information, OCIE observed that issues arose where firms failed to install software patches to address security vulnerabilities and other operational safeguards to protect customer records and information.

  • Failure to fully remediate some of the high-risk observations that firms discovered when they conducted penetration tests and vulnerability scans.

Cyber Best Practices and Other Observations

OCIE identified elements of what it viewed as “robust” cybersecurity policies and procedures from its examinations. Such elements should be considered as best practices and instructive for broker-dealers, investment advisers, and funds in implementing, assessing, and/or enhancing existing cybersecurity-related policies and procedures. Such elements are as follows:

  • Maintenance of data, information, and vendor inventory, including risk classifications

  • Detailed cybersecurity-related instructions, including instructions related to penetration tests, access rights, and reporting guidelines for lost, stolen, or unintentionally disclosed sensitive information

  • Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities, including patch management policies

  • Access controls for data and systems

  • Mandatory employee training upon onboarding and periodically thereafter

  • Engaged senior management

OCIE staff noted an overall improvement in firms’ awareness of cyber-related risks and the implementation of certain cybersecurity practices since its previous Cybersecurity 1 Initiative.[6] Most notably, all broker-dealers, all funds, and nearly all investment advisers in the more recent examinations maintain written policies and procedures related to cybersecurity that address the protection of customer/shareholder records and information. This finding is in contrast to the Cybersecurity 1 Initiative, where OCIE found that comparatively fewer broker-dealers and investment advisers had adopted this type of written policies and procedures.

OCIE staff also noted the following:

  • Nearly all broker-dealers and many investment advisers and funds conducted periodic risk assessments, penetration tests, and vulnerability scans.

  • All broker-dealers and nearly all investment advisers and funds had a process in place for ensuring regular system maintenance.

  • All firms utilized some form of system, utility, or tool to prevent, detect, and monitor data loss as it relates to personally identifiable information.

  • All broker-dealers and a majority of investment advisers and funds maintained cybersecurity organizational charts and/or identified and described cybersecurity roles and responsibilities for the firms’ workforces.

  • Almost all firms either conducted vendor risk assessments or required that vendors provide the firms with risk management and performance reports (i.e., internal and/or external audit reports) and security reviews or certification reports.

  • Information protection programs at the firms typically included relevant cyber-related policies and procedures as well as incident response plans.

Key Takeaways

SEC-registered broker-dealers, investment advisers, and funds should evaluate their policies and procedures to determine whether there are gaps or areas that could be improved based on OCIE’s articulation of best practices. Firms and funds should further evaluate their policies and procedures to ensure that they reflect actual practices and are reasonably tailored to the particular firm’s business. As OCIE notes, effective cybersecurity requires a tailored and risk-based approach to safeguard information and systems.[7]

This post was written by Mark L. Krotoski, Merri Jo Gillette, Sarah V. Riddell, Martin Hirschprung and Jennifer L. Klass of Morgan, Lewis & Bockius LLP.

Read more legal analysis at The National Law Review.

[1] Sarah Lynch, Exclusive: New SEC Enforcement Chiefs See Cyber Crime as Biggest Market Threat, (Jun. 8, 2017).

[2] OCIE, Examination Priorities for 2017 (Jan. 12, 2017).

[3] National Exam Program Risk Alert, Cybersecurity: Ransomware Alert (May 17, 2017).

[4] In re Morgan Stanley Smith Barney LLC, Exchange Act Release No. 78021, Advisers Act Release No. 4415 (Jun. 8, 2016); In re R.T. Jones Capital Equities Management Inc., Advisers Act Release No. 4204 (Sept. 22, 2015); and In re Craig Scott Capital LLC, Exchange Act Release No. 77595 (Apr. 12, 2016).

[5] OCIE provides an example of confusing policies regarding remote customer access that appeared to be inconsistent with those for investor fund transfers, making it unclear to employees whether certain activity was permissible based on the policies.

[6] See, e.g., OCIE Cybersecurity Initiative (Apr. 15, 2014); see also National Exam Program Risk Alert, Cybersecurity Examination Sweep Summary (Feb. 3, 2015).

[7] For example, the National Institute of Standards and Technology Cybersecurity Framework 1.0 (Feb. 12, 2014) provides a useful flexible approach to assess and manage cybersecurity risk.

Using “Finders” to Find Capital: Avoiding Problems for Your Company

Raising money for your startup can be hard. Not every entrepreneur can walk into Silicon Valley with a business idea and walk out with multiple VC term sheets in hand. Sometimes the only path to financing your startup is through the hard work of pitching and cobbling together a group of angels and other individual investors. But that path takes time and can be frustrating. Potential investors may hesitate to commit or, even worse, give you the dreaded “you’re-too-early-for-us” response. The offer from a “finder” to introduce you to investors with cash sounds attractive. Why not, right? What’s the downside?

You can use a finder if their role is limited and their compensation is structured properly. But you can cause major problems for yourself and the finder if they’re too involved and paid commissions on the money raised. These are activities that only registered broker-dealers (persons or firms engaged in the business of buying and selling securities for themselves or others) can engage in. If your company uses a finder acting as a broker-dealer, you might find your fundraising round unraveling, and your finder might find themselves in trouble with the Securities and Exchange Commission (SEC).

A “true” finder

A “true” finder can be OK if they limit their role to making introductions, receive a flat or hourly consulting fee that is not contingent on the success of the offering, and avoid any active role in negotiating and completing the investment. Finders acting in this very limited capacity are not considered broker-dealers. As a result, true finders are largely unregulated under the securities laws and need not be registered with the state or federal government as broker-dealers. This area is murky, however, because there are not clear regulations and the rules of the road have been developed in court cases and case-by-case “no-action” letters from the SEC.

The real problem is that many finders do not limit their activities to mere introductions. These finders end up assisting in structuring and negotiating the offering, providing advice regarding the offering and investment, and even encouraging and inducing investors to invest. These activities make them a “broker” under the securities laws, and federal and state governments require that brokers be registered. Often the finder is not registered as a broker.

Finders also prefer success-based compensation, calculated as a percentage of the funds raised by the company, and companies prefer to pay finders only if and when they’re successful in helping to raise capital. Both courts and the SEC, however, take the position that such success-based compensation (also referred to as transaction-based compensation) is the telltale factor indicating whether a finder is acting as an unregistered broker-dealer.

So, what’s the risk?

For the company, using an unregistered broker-dealer to assist with an offering could create a rescission right in favor of the investors. If investors succeed in rescinding their investments, the company must return their money. For the finder acting as an unregistered broker-dealer, they could be subject to severe SEC sanctions and the company could void the finder’s engagement agreement, requiring return of the finder’s compensation. Moreover, even if a finder’s activities and compensation are perfectly legal, the relationship alone can still give rise to problems for the company. Any financial relationship with a finder must be disclosed to investors and listed on the company’s Form D filed with the SEC and state securities departments. Disclosure of such a relationship, again, even if perfectly legal, may nevertheless prompt some states to initiate an investigation.

The situation in Michigan, however, is even murkier. In the recent case Pransky v. Falcon Group, the Michigan Court of Appeals held that a “finder” as defined in the Michigan Uniform Securities Act, was not required to be registered with and regulated by the State of Michigan, even where the company agreed to pay success-based compensation. Michigan companies and finders, however, should not take the opinion as a green light to engage in a finder relationship, structured with success-based compensation, without fear of regulatory oversight. The trial court initially dismissed the case on summary judgment, and as a result there was no evidence in the record of whether or not the finder’s activities went beyond mere introductions. In addition, some commentators have criticized the court’s decision. Perhaps sensing such impending criticism, the Court of Appeals, in a footnote, cautioned that the “better course of action would be for finders acting pursuant to similar contracts to protect themselves by registering, at the very least, as broker-dealers; the line between a finder’s activities and that of a broker-dealer…is a thin one and persons acting under such contracts without being registered are inviting litigation.”

The bottom line

Using finders for raising capital is not the easy solution it appears to be at first glance. Worse yet, it can lead to significant problems. As the saying goes, nothing worth having is easy. If you don’t have a VC-backable business, you may have an even harder time raising capital than most. Regardless, when it comes to raising money for your startup, be your own “finder”. Network, hustle, and tell your story. No one is more effective than you at explaining your business and the investment opportunity.


This post was written by Matthew W. Bower of Varnum LLP.

Chairman Clayton Outlines His “Guiding Principles” for SEC

In remarks to the Economic Club of New York on July 12, 2017, SEC Chairman Jay Clayton outlined eight guiding principles for his chairmanship and identified certain areas in which such principles could be put into practice. Chairman Clayton’s remarks – his first public speech as SEC Chairman – indicated his interest in, among other things, creating a Fixed Income Market Structure Advisory Committee to give advice to the SEC on regulatory issues impacting fixed income markets and coordinating with the U.S. Department of Labor (DoL) to bring “clarity and consistency” to the issue of standards of conduct for investment professionals, noting the DoL’s Fiduciary Rule is now partially in effect.

Guiding Principles

Clayton stated that the following principles will guide his SEC chairmanship:

• Principle 1: “The SEC’s mission is our touchstone.” Chairman Clayton stated that each tenet of the SEC’s three-part mission – (1) to protect investors, (2) to maintain fair, orderly, and efficient markets, and (3) to facilitate capital formation – is critical.

• Principle 2: “Our analysis starts and ends with the long-term interests of the Main Street investor.” According to the Chairman, an assessment of whether the SEC is abiding by its three-part mission must focus on the impact of its actions on “Mr. and Ms. 401(k)” and whether the SEC’s actions further the long-term interests of such investors.

• Principle 3: “The SEC’s historic approach to regulation is sound.” The SEC’s regulatory approach, focusing on disclosure and materiality, and using the SEC’s “extensive enforcement capabilities” as a “back-stop” to disclosure rules and oversight systems, is sound. In expressing his support for disclosure-based rules, Clayton asserted that informed decision-making by investors supports more accurate valuations of securities and more efficient allocation of capital. As to the “back-stop,” the anti-fraud regime established by Congress and the SEC, Clayton noted the government’s “extensive enforcement capabilities on those who try to circumvent established investor protections or otherwise engage in deceptive or manipulative acts in the markets.” Taking the foregoing into account, Chairman Clayton maintained that “wholesale changes” to the SEC’s fundamental regulatory approach would “not make sense.”

• Principle 4: “Regulatory actions drive change, and change can have lasting effects.” Although Chairman Clayton endorsed the disclosure-based regime of the SEC, he cautioned that the incremental impact of regulatory changes to this regime has included a significantly expanded scope of required disclosures “beyond the core concept of materiality.” He cited increased disclosure as among the factors that may make alternatives for raising capital increasingly attractive for small and medium-sized companies. Chairman Clayton added that fewer small and medium-sized public companies may mean less liquid trading markets for those that remain public and, to the extent companies are not raising capital in public markets, “the vast majority of Main Street investors will be unable to participate in their growth.”

• Principle 5: “As markets evolve, so must the SEC.” Noting that technology and innovation are changing the way markets work and investors transact, Chairman Clayton stated that the SEC must take this “dynamic atmosphere” into account and “strive to ensure that our rules and operations reflect the realities of our capital markets.” Further to this point, Clayton remarked that the evolution of capital markets presents opportunities for regulatory improvements and efficiencies and noted that the SEC is “adapting machine learning and artificial intelligence to new functions, such as analyzing regulatory filings.” Chairman Clayton cautioned, however, that implementing regulatory change has costs, including the “significant resources” spent by companies to build compliance systems.

• Principle 6: “Effective rulemaking does not end with rule adoption.” Chairman Clayton stated that the SEC should review its rules “retrospectively,” and listen to investors and others as to areas in which rules are, or are not, functioning as intended.

• Principle 7: “The costs of a rule now often include the cost of demonstrating compliance.” Chairman Clayton noted that the SEC must ensure that, at the time of adoption, the SEC has a “realistic version for how rules will be implemented,” as well as how the SEC will examine for compliance. In this regard, according to Clayton, “[v]aguely worded rules can too easily lead to subpar compliance solutions or an overinvestment in control systems.”

• Principle 8: “Coordination is key.” According to Chairman Clayton, coordination with, between, and among all of the various U.S. federal regulatory bodies, state securities regulators, self-regulatory organizations and various other regulatory players “is essential to a well-functioning regulatory environment.” To illustrate his point, Clayton cited the dual regulatory structure for over-the-counter derivatives called for by the Dodd-Frank Act and working with the CFTC in this respect. Chairman Clayton noted that cybersecurity is also an area where coordination is critical, adding that the SEC is working with “fellow financial regulators to improve our ability to receive critical information and alerts and react to cyber threats.”

Fixed Income Markets

In a portion of his remarks titled “Putting Principles into Practice,” Chairman Clayton observed that the “time is right for the SEC to broaden its review of market structure to include specifically the efficiency, transparency, and effectiveness of our fixed income markets.” The SEC, according to Clayton, must explore whether fixed income markets “are as efficient and resilient as we expect them to be, scrutinize our regulatory approach, and identify opportunities for improvement.” In this connection, Chairman Clayton stated that he has asked the SEC staff to develop a plan for creating a Fixed Income Market Structure Advisory Committee.

Fiduciary Rule

Chairman Clayton also touched upon the DoL’s Fiduciary Rule, noting that he recently issued a statement seeking public input on standards of conduct for investment advisers and broker-dealers. Chairman Clayton expressed hope that the SEC can “act in concert with our colleagues at the [DoL] in a way that best serves the long-term interests of Mr. and Ms. 401(k).” He also noted that “any action will need to be carefully constructed, so that it provides appropriate and meaningful protections but does not result in Main Street investors being deprived of affordable investment advice or products.”

The transcript of Chairman Clayton’s remarks is available at:


This post was written by the Investment Services Group of Vedder Price.

U.S. Supreme Court Rules That An SEC Enforcement Claim For Disgorgement Is Subject To A Five-Year Statute Of Limitations

Today, the U.S. Supreme Court unanimously held that any claim for disgorgement in an SEC enforcement action must be commenced within five years of the date the claim accrued. The decision in Kokesh v. SEC, No. 16-529, resolved a split among Courts of Appeals whether the statute of limitations that applies to SEC enforcement actions seeking a penalty or forfeiture (28 U.S.C. § 2462) applies when disgorgement is sought. The Court had earlier applied that statute of limitations to claims by the SEC seeking a civil monetary penalty, and held that the limitations period begins to run when the violation occurs, not when it is discovered by the government. Gabelli v. SEC, 568 U.S. 442 (2013).

The five-year statute of limitations applies to “an action, suit or proceeding for the enforcement of any civil fine, penalty, or forfeiture.” The Court held that the imposition of disgorgement in an SEC enforcement action is a “penalty,” thus subject to the five-year limitations period. In reaching that conclusion, the Court noted that disgorgement is imposed as a consequence of violation of a public law, not because some individual was aggrieved. Another element of the Court’s reasoning was that when disgorgement is ordered in an enforcement action the remedy is not compensatory. Instead, disgorged profits are paid to the court, and it is within the discretion of the court to determine how and to whom the money will be distributed.

Perhaps most important among the Court’s rationales, the primary purpose of disgorgement ordered in an enforcement action is deterrence, and sanctions imposed to deter infractions of public laws are “inherently punitive.” The Court noted that the amount paid is often greater than the defendant’s gain so that the defendant is not, in all cases, merely restored to the status it would have occupied had it not broken the law.

The oral argument in the case included considerable colloquy on the source of a court’s power to order disgorgement in an SEC enforcement action. In its decision the Court stated, “Nothing in this opinion should be interpreted as an opinion on whether courts possess authority to order disgorgement in SEC enforcement proceedings . . . .” (Slip Op., p. 5, n. 3)

The obvious effect of the decision will be to require the SEC to be expeditious in filing cases seeking not only civil monetary penalties but also, now, disgorgement. The Court did not address whether the remedy of an injunction, which often has collateral consequences for the defendant, or of declaratory relief is subject to this statute of limitations. The Court also did not discuss the effect a tolling agreement would have on the running of the statute.

This post was written by Allan Horwich of Schiff Hardin LLP.

New Developments and Uncertainties for Conflict Minerals Disclosure

The Securities and Exchange Commission (SEC) Division of Corporate Finance issued a new statement adding some uncertainty to company obligations and enforcement exposure under the SEC conflict minerals rule ahead of the May 31, 2017 filing deadline. The statement is one of several moving pieces in an unprecedented wave of activity on conflict minerals in recent weeks. Companies should review these developments and their approach to meeting legal obligations imposed by the SEC’s implementation of Section 1502 of Dodd-Frank, alongside the broader expectations of customers, activists and investors.

Summary of Recent Developments

Highlights of the recent developments are listed below, followed by more detailed discussions on several of these key points.

  • On April 3, 2017 the U.S. District Court for the District of Columbia entered a final judgment in the conflict minerals litigation. The judgment put an end to the litigation and remanded the SEC rule to the agency for further action consistent with a 2014 decision from the U.S. Court of Appeals for the District of Columbia Circuit (D.C. Circuit) striking down a narrow portion of the SEC rule.

  • SEC Acting Chairman Michael Piwowar released a statement on April 7, 2017 questioning whether the SEC could reconcile the D.C. Circuit’s decision with Congress’s intent in Section 1502. The Acting Chairman concluded that in light of the “regulatory uncertainties” outlined in his statement, it is “difficult to conceive of a circumstance that would counsel in favor of enforcing” paragraph (c) of Item 1.01 of Form SD (i.e., the rule’s requirements to conduct due diligence and file a Conflict Minerals Report).

  • On the same day, the SEC’s Division of Corporate Finance released a separate statement reporting that the Acting Chairman had requested the Division’s consideration of the regulatory uncertainties facing the Commission. In response, the Division declared that it “will not recommend enforcement action” to the Commission for companies that only file disclosures related to their scoping and reasonable country of origin inquiry under the provisions of paragraphs (a) and (b) of Item 1.01 of Form SD, even if they are required to conduct due diligence and file a Conflict Minerals Report pursuant to paragraph (c). The Division also declared that the statement is “subject to any further action that may be taken by the Commission, expresses the Division’s position on enforcement action only, and does not express any legal conclusion on the rule.”

  • Earlier this year, the SEC had announced plans to reconsider the SEC rule and requested public comments on all aspects of the rule. In the April 7, 2017 statement, the Acting Chairman reported that he had instructed SEC staff to begin work on a recommendation for future Commission action to consider, among other things, the public comments received in response to the January 31, 2017 request for comment.

  • Democratic lawmakers on the Senate Banking Committee have called on the SEC’s Inspector General to investigate whether the Acting Chairman exceeded his authority in asking staff to assess whether “additional relief” from the SEC rules is appropriate.

Other developments suggest changes to the conflict minerals requirements in the SEC rule or in Section 1502 are likely in the future.

  • On March 27, 2017 the State Department issued a broad request for stakeholder input to inform “recommendations” signaling a broader inter-agency effort to consider new approaches to addressing the responsible sourcing of minerals in the region. Comments are due to the Department of State by April 28, 2017.

  • President Donald Trump may still be considering the Presidential Memorandum that was circulated in February, which would seek to waive the SEC conflict minerals rule for up to two years based on national security interests.

  • In Congress, the Senate Subcommittee on Africa and Global Health Policy held a hearing on April 5, 2017 on the effects of Section 1502 on the Democratic Republic of the Congo (DRC) and the region, increasing speculation that legislation may soon be introduced to fully or partially repeal the conflict mineral provisions of Dodd-Frank.

Beyond Dodd-Frank and the SEC rule, requirements for conflict minerals due diligence and disclosure are expanding in other contexts.

  • EPEAT, a leading environmental rating system for the procurement of electronic products used by the U.S. government and other institutional purchasers, announced a new standard for mobile phones (and in the future servers) that includes mandatory criteria for due diligence and public disclosure related to conflict minerals.

  • The European Council adopted a new conflict minerals regulation on April 3, 2017 focused on EU importers of covered minerals, metals, and their ores from “high risk” and “conflict affected” areas.

More Details

SEC Rule Litigation Wraps Up

On April 3, 2017 the U.S. District Court for the District of Columbia entered a final judgment remanding the SEC rule to the agency for further action consistent with the 2014 D.C. Circuit decision, as the parties to the legal challenge of the SEC’s conflict minerals rule requested. In the 2014 decision, the D.C. Circuit had held that the portion of the rule requiring issuers to describe their products as “not found to be DRC conflict free” was compelled speech in violation of the First Amendment to the U.S. Constitution. The SEC issued a partial stay of the rule in April 2014, providing that no company is required to describe its products using the SEC descriptors “DRC conflict free,” “not found to be ‘DRC conflict free,’” or “DRC conflict undeterminable” and staying the requirement to obtain an independent private sector audit as long as companies did not describe products as “DRC conflict free” in their disclosures. After requests for rehearing were denied and the D.C. Circuit reaffirmed its decision, the case was eventually remanded to the District Court and assigned to Judge Ketanji Brown Jackson, who entered the final judgment. The practical effect of the District Court’s final judgment is that any further changes to the conflict minerals requirements stemming from the case will be left to the discretion of the SEC (unless Congress or the Administration take action first) rather than handled in the courts.

SEC Statements Following Final Judgment

In his April 7 statement following the District Court’s final judgment, the Acting Chairman questioned whether the SEC could reconcile the D.C. Circuit’s decision with Congress’s intent in Section 1502. He noted that the Commission will now be called upon to determine how to address the D.C. Circuit’s decision – including whether Congress’s intent in Section 1502 can be achieved through a descriptor that avoids the constitutional defect identified by the court – and how that determination affects overall implementation of the SEC rule. According to the Acting Chairman, because “the primary function of the extensive and costly requirements for due diligence on the source and chain of custody of conflict minerals set forth in paragraph (c) of Item 1.01 of Form SD is to enable companies to make the disclosure found to be unconstitutional,” along with other “regulatory uncertainties,” it is “difficult to conceive of a circumstance that would counsel in favor of enforcing” paragraph (c). On the same day, the SEC Division of Corporate Finance released a statement echoing the Acting Chairman’s concerns and announcing that “it will not recommend enforcement action” to the Commission for companies that conduct and report on a reasonable country of origin inquiry pursuant to paragraphs (a) and (b) of Item 1.01 of Form SD but do not go on to conduct heightened due diligence and file a Conflict Minerals Report pursuant to paragraph (c).

The legal effect of these two SEC statements is unclear. The Division’s position on enforcement is not binding on the Commission, and even though it appears that the Division and the Acting Chairman coordinated with respect to their recent statements, it is not clear that the SEC is of “one mind” with respect to conflict minerals implementation. For example, it is reported that SEC Commissioner Kara Stein commented in response to the Acting Chairman’s statement that the action “engages in de facto rulemaking” and “represents a troubling attack not only on the Commission process, but also on the restraints of government power.” Moreover, the SEC has not modified the rule or explicitly changed its 2014 partial stay of the rule. Therefore the rule remains in effect, including, if necessary based on the results of a company’s reasonable country of origin inquiry, the requirement to conduct due diligence and file a Conflict Minerals Report as an exhibit to Form SD by May 31, 2017 pursuant to paragraph (c) of Item 1.01 of Form SD. A decision by a reporting company to disregard any applicable requirements to conduct due diligence or file a Conflict Minerals Report should be very carefully considered.

In the meantime, companies should continue to monitor for potential activity in response to the SEC’s statements, which could include potential legal action by interested social justice organizations or renewed Congressional requests that the SEC Inspector General conduct an internal inquiry.

SEC Request for Comment

In January the Acting Chairman issued several statements regarding reconsideration of the conflict minerals rule. The statements, available here and here, direct staff to consider whether the 2014 guidance (i.e., the statements issued in conjunction with the partial stay of the rule’s requirements following the 2014 D.C. Circuit decision) is still appropriate and whether any additional relief is appropriate. The statement titled “Reconsideration of Conflict Minerals Rule Implementation” suggests that the current rule and general withdrawal from the region “may undermine U.S. national security interests by creating a vacuum filled by those with less benign interests.” The statements requested comments on “all aspects of the rule and guidance.” Comments were requested within 45 days of the statements (by March 17, 2017). According to the Acting Chairman, the SEC staff has been instructed to begin work on a recommendation for future Commission action that will consider, among other items, the comments received as part of the SEC’s consideration of potential changes to the rule or guidance.

State Department Seeks Recommendations

The Department of State on March 27, 2017 published a request for comments from stakeholders to inform “recommendations of how best to support responsible sourcing of tin, tantalum, tungsten and gold.” In the brief notice, the Department provides a high-level overview of U.S. efforts to break the link between armed groups and minerals in the African Great Lakes Region. The State Department may be seeking stakeholder input on further actions that could be taken to further responsible sourcing, to inform ongoing discussions within the Administration (and in Congress) on alternative approaches to the current Dodd-Frank due diligence and disclosure framework. Comments are due to the Department of State by April 28, 2017.

Potential Presidential Action

A draft Presidential Memorandum circulated in early February 2017 indicates that the White House may seek to temporarily waive the requirements of the conflict minerals rule. Under the Dodd-Frank Act the SEC “shall revise or temporarily waive” the requirements of the conflict minerals rule if the President transmits to the SEC a determination that such revision or waiver is “in the national security interest of the United States and the President includes the reasons therefor;” and establishes a date within two years that the exemption expires. The draft Presidential Memorandum states that the conflict minerals rule has caused harm to some parties in the region, thereby contributing to instability in the region and threatening the national security interest of the United States. The draft Memorandum directs the SEC to temporarily waive the requirements of the conflict minerals rule for two years and directs the Secretaries of State and Treasury to propose a plan for addressing human rights violations and funding of armed groups in the Democratic Republic of the Congo or an adjoining country within 180 days of the Memorandum.

The draft Presidential Memorandum raises a number of questions without clear answers. For example, it is unclear whether or when the SEC would be required to act as directed by the Memorandum, and whether an SEC action would be subject to notice and comment rulemaking or judicial review. Also unclear is how a temporary suspension of the SEC rule would affect efforts to incorporate conflict minerals reporting obligations into public and private procurement requirements or independent certifications such as EPEAT. The Administration has not indicated whether or when it might move forward with a final memorandum.

New EPEAT Procurement Criteria

Conflict minerals due diligence is also being integrated into institutional procurement criteria for certain electronic products. EPEAT is a leading environmental rating system for electronics that a wide variety of institutional purchasers (including federal, state and some foreign governments) have incorporated into procurement requirements. The Federal Acquisition Regulation (FAR) currently requires federal agencies to procure EPEAT-registered electronic products and prescribes language that must be used in procurement contracts for goods and services. EPEAT is in the process of expanding its registry to cover two new product categories and both are expected to include new mandatory criteria on conflict minerals.

On March 24, 2017, EPEAT and Underwriters Laboratory published an EPEAT standard for mobile phones. The mobile phone standard lays out three criteria (one required, two optional) related to conflict minerals. The new standard requires manufacturers to “provide a public disclosure relevant to due diligence performed in accordance with an internationally recognized standard to determine whether the supply chain for the product contains conflict minerals necessary to the functionality or production of their products.” If a manufacturer finds that the supply chain does contain conflict minerals necessary to the functionality or production of its product, the manufacturer must prepare the “relevant disclosures related to SEC requirements under Dodd-Frank and the SEC rule or related to the OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas.”

Significantly, these requirements apply to all manufacturers registering mobile phone products under the standard, regardless of whether they are SEC registrants. There are two optional conflict minerals criteria, both relating to conflict minerals sourcing. An EPEAT server standard is also under development and, if adopted, is expected to include conflict minerals provisions.

New EU Conflict Minerals Regulation

In early April, the European Union took the final steps to adopt a new conflict minerals regulation aimed at stopping the financing of armed groups in “high risk” and “conflict affected” areas. The Council adopted the regulation on April 3, 2017, following approval by the European Parliament in early March.

The regulation, the first version of which was introduced in March 2014, establishes an approach that is fundamentally different from that under the Dodd-Frank Act and the SEC rule. Unlike the U.S. scheme, supply chain due diligence requirements under the EU regulation do not extend to downstream users of the metals, including importers of products containing those metals, and instead focus entirely on mandatory due diligence requirements for importers of the minerals, metals, and their ores. The geographic scope of the regulation also extends to conflict-affected and high-risk areas globally, reaching beyond the DRC and adjoining countries covered by Dodd-Frank and the SEC rule.

Importers will be covered by the new due diligence requirements as of January 1, 2021. The new EU requirements are likely to enhance due diligence on the sourcing of conflict minerals from the DRC and other regions. Although downstream users or importers of products containing tin, tantalum, tungsten or gold would not be subject to mandatory due diligence requirements, the Commission is expected to address conflict minerals in non-binding guidance under the EU Non-Financial Reporting Directive that will set forth the methodology and topics for disclosures by companies covered by the Directive.

© 2017 Beveridge & Diamond PC

Dodd-Frank Rollback Begins – Congress Overturns SEC’s Resource Extraction Issuer Payment Disclosure Rule

Last week, Congress utilized the Congressional Review Act (CRA) to pass a joint resolution that disapproves Rule 13q-1 adopted by the SEC,[1] which would have implemented the resource extraction issuer payment disclosure provisions of Section 1504 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. The disapproval resolution has been sent to President Trump for his signature, which he is expected to sign.[2]

Under the SEC’s rule, a public company that qualified as a “resource extraction issuer” would have been required to publicly disclose in an annual report on Form SD information relating to any single “payment” or series of related “payments” made by the issuer, its subsidiaries or controlled entities of $100,000 or more during the fiscal year covered by the Form SD to a “foreign government” or the U.S. Federal government for the “commercial development of oil, natural gas, or minerals” on a “project”-by-“project” basis. Resource extraction issuers were not required to comply with the rule until their first fiscal year ending on or after September 30, 2018 and their first report on Form SD was not due until 150 days after such fiscal year end.

As a result of the disapproval resolution (assuming President Trump signs, and does not veto, the resolution), issuers that expected to be subject to the SEC’s rule can cease their compliance preparations. Under the CRA, a disapproved rule may not be reissued in substantially the same form or as a new rule that is substantially similar to the disapproved rule unless specifically authorized by a subsequently enacted law. Despite the disapproval resolution and the CRA, Dodd-Frank Section 1504’s mandate for the SEC to adopt a resource extraction disclosure rule remains intact unless and until Section 1504 is repealed. In light of the CRA’s prohibition on the reissuance of a substantially similar rule, the rule’s contested history[3] and the expected reintroduction of the Financial CHOICE Act, which if enacted into law in the form introduced during the previous session of Congress would repeal Section 1504, the SEC is unlikely to commence the rulemaking process for resource extraction issuer payment disclosures for a third time.

Some public companies may still have to disclose similar payment information as required under the SEC’s rule pursuant to international resource extraction disclosure laws (for example, the EU Accounting Directive, the EU Transparency Directive and Canada’s Extractive Sector Transparency Measures Act).

[1] H.J.Res.41, available at

[2] The White House, Press Release, H.J. Res. 38, H.J. Res. 36, H.J. Res. 41, H.J. Res. 40, H.J. Res. 37 – Statement of Administration Policy (Feb. 1, 2017), available at….

[3] For a brief discussion of the legal challenges to the rulemaking process, see our client alert dated December 17, 2015, SEC Re-Proposes Disclosure Rules for Payments by Resource Extraction Issuers.

Golden Leash Rule, Say-on-Pay, Form 10-K Summaries: Proxy Season Guide to 2017

As another year comes to a close, it is time for public companies to become acquainted with the securities law and business developments of the past year to position themselves for success in 2017. Below is a summary of current and anticipated changes that may impact reporting requirements and disclosure regulations for the upcoming 2017 proxy season, along with a review of the 2016 proxy season.

NEW FOR 2017

Frequency Votes for Say-on-Pay

After Jan. 21, 2011, public companies were required to hold an advisory vote regarding the frequency with which say-on-pay votes would occur, and that frequency vote must be held at least once every six years. Therefore in 2017, many companies will need to include an agenda item for the frequency vote at their annual meeting. Following the vote, companies will need to report the frequency with which say-on-pay votes will be held in their Form 8-K under Item 5.07(b).

SEC Approves NASDAQ’s “Golden Leash Rule”

In July 2016, the SEC approved NASDAQ’s “Golden Leash Rule.” This rule requires listed companies to disclose the material terms of any agreement between a director or director nominee and any entity or person other than the company regarding any amount of compensation or payment related to the director’s service on the board or the director nominee’s candidacy. The “Golden Leash Rule” requires annual disclosure in the company’s proxy statement or on its website. The “Golden Leash Rule” became effective Aug. 1, 2016.

Form 10-K Summaries

In July 2016, the SEC issued an interim final rule under the Fixing America’s Surface Transportation Act, creating Item 16 on Form 10-K and allowing companies the option to include a summary of the information included in the Form 10-K. While no previous rule prohibited summaries, most issuers simply included a table of contents with hyperlinks to items in their reports. This rule provides issuers some flexibility when preparing the Form 10-K.

CEO Pay Ratio Disclosure Rule

For the first fiscal year beginning on or after Jan. 1, 2017, companies will need to comply with the SEC’s long-anticipated final rule implementing Section 953(b) of the Dodd-Frank Act, which requires all public companies to disclose the pay ratio between their CEO’s annual total compensation and the annual total compensation of the company’s “median” employee. However, companies will not be required to include pay ratio disclosures in their proxy statements until 2018. With the exception of smaller reporting companies, emerging growth companies, foreign private issuers, and registered investment companies, all reporting companies will have to disclose their pay ratio. The pay ratio disclosure must be included in any filing that requires executive compensation disclosure under Item 402 of Regulation S-K, which includes registration statements, proxy and information statements, and annual reports on Form 10-K. Even though uncertainty may loom around the viability of Dodd-Frank with President-elect Donald Trump’s transition underway, companies should continue to prepare pay ratio disclosures in anticipation of the 2018 proxy season. The Final Pay Ratio Disclosure Rule is available here.


Glass Lewis Updates

Glass, Lewis & Co. (Glass Lewis) recently published its 2017 Proxy Season Guidelines. The guidelines include a number of changes, a summary of which is outlined below.

Director Overboarding. Beginning February 2017, Glass Lewis will implement its policy regarding director board commitments. Glass Lewis will issue negative recommendations for directors who serve on more than five public company boards and for company executives who serve on a total of two public company boards, including their own.

Governance for Newly Public Companies. For newly public companies, Glass Lewis will recommend against directors and members of governance committees who adopt provisions causing shareholders’ rights to become “severely restricted indefinitely.” Provisions such as anti-takeover mechanisms, including poison pills or classified boards, along with exclusive forum and fee-shifting provisions will all be considered for such recommendations.

Board Self-Assessment. Glass Lewis has updated its views regarding board evaluations to account for director skills and how those skills align with company strategy, as opposed to merely relying on tenure and age. Glass Lewis has further taken the stance that shareholders are better equipped to measure the board’s composition and approach to corporate governance.

Gender Pay Disclosure. Glass Lewis issued a new policy for reviewing companies’ gender pay equity, on a case-by-case basis. Upon review, Glass Lewis will generally recommend proposals requesting greater disclosure where inattention and inadequate policies expose the company to risk.

In its update, Glass Lewis also noted its support for proxy access and the management of environmental and social risks.

A copy of the full Glass Lewis Proxy Season Guidelines is available here.

ISS Updates

Institutional Shareholder Services (ISS) also updated its proxy voting policy guidelines for 2017, which will affect shareholder meetings taking place after Feb. 1, 2017. The guidelines set forth a number of updates:

Director Overboarding. Similar to Glass Lewis, ISS will also implement its policy regarding director overboarding, establishing the overboarding threshold at five public boards for directors who are not company executives. The overboarding threshold for company executives will remain at three total boards, including their own.

Undue Restrictions. A new ISS policy recognizes shareholders’ ability to amend bylaws as a fundamental right. Under the policy, ISS will vote against or withhold recommendation for members of the governance committee if the company’s charter imposes “undue restrictions” on shareholders’ rights to amend the bylaws. ISS also recognized complete prohibitions on binding shareholder proposals and share ownership requirements beyond the requirements of Rule 14a-8 as being undue restrictions on shareholders’ rights. ISS will generally recommend against governance committee members whose company has any of these provisions in its charter as well.

Unilateral Governance Changes. ISS updated its policy for governance of newly public companies to include consideration for any reasonable sunset provision when issuing recommendations against directors who have adopted charter or bylaw amendments that ISS views as materially adverse to shareholder rights or that implement a multi-class capital structure affording unequal voting rights prior to or in connection with an IPO.

Shareholder Ratification of Non-Employee Director Pay Program. As a result of recent highly publicized lawsuits involving excessive non-employee director compensation, ISS will consider qualitative factors such as the presence of problematic pay practices relating to director compensation and the quality of disclosures surrounding director compensation, when evaluating whether to recommend ratification programs regarding non-employee director compensation.

A copy of the full ISS 2017 Proxy Voting Guidelines is available here.


During the 2016 proxy season, proxy access remained the predominant topic for the second consecutive year. In fact, shareholders submitted over 200 proxy access resolutions during the 2016 proxy season. The SEC’s 2010 proxy access rule, Rule 14a-11, provided that a shareholder was eligible to nominate proxy access candidates if the shareholder held at least 3 percent of the voting power for at least three years and was not prohibited from proposing a candidate under law or the company’s governing documents. Although this rule was vacated by the U.S. Court of Appeals for the D.C. Circuit in 2011 for being arbitrary, many shareholder proposals are still based on both Rule 14a-11 and the SEC’s amendments to Rule 14a-8. At the end of June 2016, over 250 companies, including 190 S&P 500 firms, had established proxy access rights through voluntary adoptions and negotiated withdrawals. As a result, proxy access proposals continue to drive change and mold standard market terms.

As companies grew in 2016, so did the need to properly assess, implement and maintain internal controls over financial reporting (ICFR) pursuant to Rule 13a-15. ICFR is the process by which public companies provide reasonable assurance to the public that their financial statements are prepared in accordance with GAAP and are ultimately reliable. To comply, the SEC requires an annual management report on the effectiveness of the company’s ICFR in Form 10-K, including disclosure of any material weakness that creates a reasonable possibility that the company will be unable to promptly detect or prevent a material misstatement in its financial statements. Companies should implement accounting controls designed to mitigate financial reporting risk and regularly evaluate any deficiencies. This is particularly important in light of revenue reporting rules issued by the Financial Accounting Standards Board becoming effective for public companies in 2018 and as new accounting standards are issued.

The comment periods have expired for other proposed changes to incentive-based compensation arrangements, the securities transaction settlement cycle, disclosure of payments by resource extraction issuers, pay-for-performance, hedging disclosure, and clawbacks. These changes have not been finalized. At this time, there is no anticipated date for implementation of these policies, so there will be no effect on 2017 filings.


Exemptions to Facilitate Intrastate and Regional Securities Sales and Offerings

In October 2016, the SEC adopted its final rule modernizing the existing intrastate offering framework by implementing amendments to Rule 147 under the Securities Act of 1933. The SEC’s amended Rule 147 provides a safe harbor under Section 3(a)(11) for issuers organized and principally doing business within a single state to offer and make sales of securities to resident purchasers of the same state. The amendments allow companies to raise money from investors within their state without simultaneously registering the offer and sale at the federal level.

The SEC’s new Rule 147A will expand the safe harbor to issuers that maintain a principal place of business in a state other than the one in which they are incorporated, and will permit those issuers to offer and make sales to residents of the state in which they operate. Under Rule 147A, issuers will also be able to make offers across state lines, but sales remain limited to residents of the state.

The final rule also repealed Rule 505 and expanded Rule 504 of Regulation D, by increasing the aggregate amount of securities that may be offered and sold in any 12-month period from $1 million to $5 million. Additionally, the final rule disqualifies certain bad actors from participation in offerings under Rule 504. Through these amendments, the SEC sought to facilitate issuers’ capital raising efforts and provide additional investor protections.

Rule 147 and new Rule 147A will be effective on April 20, 2017. The amendments to Rule 504 will be effective on January 20, 2017. The removal of Rule 505 will be effective on May 22, 2017. All other amendments will be effective on May 22, 2017. The final rules are available here.

Supreme Court Decides First Insider Trading Case in Decades: Salman v. United States

In December 2016, after 20 years without a decision regarding the scope of insider trading, the Supreme Court held in Salman v. United States, No. 15-628 (U.S. Dec. 6, 2016), that insider trading may arise when a tipper makes a “gift” of confidential information to a friend or relative, even when no financial or tangible benefit is received. Although the tipper received no physical benefit from providing the information to the tippee, the Supreme Court found that the personal benefit received from bestowing a “gift” of confidential information on a family member or friend was enough for conviction, thus paving a smoother path for prosecutors seeking conviction.

The Supreme Court relied on the “personal benefit test” established in the seminal 1983 case Dirks v. SEC, 463 U.S. 646 (1983), but declined to clarify the scope of the “personal benefit test.” Additionally, the Supreme Court expressly rejected the Second Circuit’s decision in United States v. Newman, 773 F.3d 438 (2d Cir. 2014), which held that the government must prove that a tippee knew an insider received a personal benefit in exchange for disclosing confidential information, and that any benefit received must be sufficiently consequential. While the Supreme Court only narrowly expanded the “personal benefit test” in Salman, it rejected the government’s argument that a gift to “anyone” satisfies the “personal benefit test,” potentially providing for a distinction between disclosures to friends and family and those to market professionals. The Salman opinion can be found here.

Mutual Funds/Investment Companies: Rule 22e-4 and Swing Pricing

In October 2016, the SEC adopted its final Rule 22e-4. This new rule requires mutual funds and registered open-end management investment companies, including open-end exchange-traded funds (ETFs), to create a liquidity risk management program in order to reduce the risks associated with fund redemption obligations. The liquidity risk management program must include periodic review of a fund’s liquidity risk, classification of the liquidity of fund portfolio investments, determination of a highly liquid investment minimum, a limitation on illiquid investments, and board oversight. The rule also permits open-end funds, excluding ETFs and money market funds, to use swing pricing, which allows funds to adjust their net asset value per share in order to pass on the costs associated with trading activity to purchasing and redeeming shareholders. The rule requires board approval and periodic review of the fund’s swing factor upper limit and swing threshold. Companies will need to comply with the new Rule 22e-4 beginning on or after Jan. 17, 2017, and access to swing pricing will become available Nov. 19, 2018. The final rule is available here.

Investment Company Reporting Modernization

In October 2016, the SEC adopted new forms and amendments to modernize the reporting and disclosure requirements for registered investment companies. Form N-PORT, a new monthly reporting form, requires registered funds other than money market funds to provide portfolio-wide and position-level holdings data to the SEC on a monthly basis. Reporting requirements include data related to the pricing of portfolio securities, information regarding repurchase agreements, securities lending activities, counterparty exposure, terms of derivatives contracts, and portfolio-level and position-level risk measures. Form N-CEN will require registered investment companies to annually report certain census-type information as well. Finally, the SEC is adopting amendments to Forms N-1A, N-3 and N-CSR to require certain disclosures regarding securities lending activities. Collectively, these amendments will enhance investors’ ability to use and analyze data and ultimately make more informed investment decisions. The rule becomes effective Jan. 17, 2017, and most funds will be required to begin filing new Forms N-PORT and N-CEN after June 1, 2018. The final rule is available here.

Universal Proxy

In October 2016, the SEC proposed changes to the proxy rules requiring the use of universal proxy cards during a contested election. During a proxy contest, the proposal would require proxy contestants to provide shareholders a proxy card with the names of management and dissident director nominees listed. Similar to voting in person, the proposal would give shareholders the ability to vote for their preferred combination of board candidates through proxy. The proposal aims to remedy shareholders’ current inability to combine nominees to create their own slate during a contested election. The comment period for the proposal ends Jan. 9, 2017.

© 2016 Dinsmore & Shohl LLP. All rights reserved.