On January 27, 2019, the Division of Corporation Finance posted an announcement regarding recommencement of operations. The Staff is returning to normal operations and anticipates addressing filings, submissions and other requests for staff action, absent compelling circumstances, in the order received by the Staff. Not surprisingly, the Staff warns that their response time to inquiries may be longer than ordinary. If assistance on an expedited basis is required, a request can be submitted, with contact information and the reason expedited treatment is believed necessary, to the Staff at CFEmergency@sec.gov.
With respect to pending registration statements, the Staff notes that some registrants omitted or removed delaying amendments from their registration statements consistent with the Division’s previously published Q&As. The Staff will consider requests to accelerate the effective date of those registration statements if they are amended to include a delaying amendment prior to the end of the 20 day period and acceleration is appropriate. In cases where the Staff believes it would be appropriate for a registrant to amend to include a delaying amendment, they will notify that registrant.
With respect to shareholder proposals, the Staff generally expects to respond to these requests in the order received. They recognize that companies may have impending print deadlines or that negotiations may have changed the need for the Staff’s views. If so, the Staff should be notified at shareholderproposals@sec.gov as soon as possible of any timing constraints or changes in circumstances that could help the Staff prioritize its responses.
In short, companies should expect delays and longer response times as the SEC ramps back up. But the Staff is willing to shift its resources and priorities if companies can demonstrate a compelling need due to impending deadlines or otherwise. Also, keep in mind that the reopening of the SEC is only assured at the moment until February 15.
Cboe’s letter was a direct response to an SEC Staff Letter, dated January 18, 2018, that set-forth the SEC’s various concerns and open questions on the viability of ETFs and cryptocurrency mutual funds. The Staff Letter was itself a reply to multiple registration statements filed on behalf of cryptocurrency investment funds and raised potential issues with:
(i) valuation
(ii) liquidity
(iii) custody
(iv) arbitrage
(v) price manipulation
(vi) fraud
concerning any cryptocurrency fund seeking to operate within the confines of the Investment Company Act of 1940. See SEC Staff Letter: Engaging on Fund Innovation and Cryptocurrency-related Holdings (January 18, 2018).
The SEC determined that “[u]ntil the questions identified [in the Staff Letter] can be addressed satisfactorily, we do not believe that it is appropriate for fund sponsors to initiate registration of funds that intend to invest substantially in cryptocurrency and related products.” Id. This proclamation likely explains why sponsors who previously filed registration statements for bitcoin ETFs have been withdrawing their submissions in recent months.
In its March 23rd letter, Cboe addressed each issue from the Staff Letter in turn, and provided comfort to the agency that the existing regulatory structure and developing market forces provide adequate investor protections to enable a launch of a bitcoin-based fund in the near future.
Valuation
The SEC previously stated that mutual funds and ETFs must value their assets on each business day in order to strike a net asset value (“NAV”). Cboe concurred, stressing the importance of the NAV calculation and its impact on “downstream processes” such as creation, redemption, and performance tracking. Cboe Letter, p. 4. The SEC specifically pointed to the complications arising from a “forked” blockchain, which occurs when a cryptocurrency protocol is modified by its supporting community, resulting in at least two, separated chains that continue to exist in parallel. See Locke Lord QuickStudy: SPLITCOIN: The Impact of the World’s Biggest Cryptocurrency Forking Into Two. Cboe noted that, at least with bitcoin, most valuation issues are closely comparable to those experienced with other, more traditional assets. Id. It pointed to “numerous robust indices”, “reliable price information available from the bitcoin futures market”, and “real-time trade data available 24 hours a day from a number of different trading platforms”, all of which “create reliable and robust valuation methodologies for bitcoin and potential for other cryptocurrencies.” Id. at 4-5. And while Cboe addressed the complications arising from “forks and air drops”,1 stating that they “can easily be accommodated for with proper policies and procedures in place, as has been done with the bitcoin futures contracts”, it did not shed any further light on how these complications will be addressed with future cryptocurrency valuation. Id. at 4.
Liquidity
Bitcoin market liquidity appears to be a particular concern for the SEC. Cboe addressed this by noting that while there are certain aspects that separate cryptocurrencies from traditional assets, “almost all of the issues related to liquidity are substantively identical to those of other commodities” and each fund should be analyzed “on a case by case basis.” Id. at 5. Cboe’s classification of cryptocurrencies as “commodities” parallels recent analyses of this technology by the Commodities Futures Trading Commission (“CFTC”) and federal courts. See Locke Lord QuickStudy: Regulators…Mount Up! Federal District Court Formally Recognizes Cryptocurrencies as Commodities and Designates the CFTC as a Leading Fraud Regulator. While Cboe noted that the current bitcoin futures trading volumes “may not currently be sufficient to support [cryptocurrency ETFs] seeking 100% long or short exposure to bitcoin”, Cboe expects those volumes to grow comparable to other commodities, allowing the ETFs to uses bitcoin futures contracts as a reference asset. Id. at 5. The prevalence and growth of bitcoin exchanges was also cited as supporting liquidity demands.
Custody
Regarding custody issues, Cboe first argues that, to the extent the funds are holding cryptocurrency future contracts that are settled in cash – which are the only such cryptocurrency futures contracts currently on the market – there should be no “disparate treatment” between cryptocurrencies and other commodities supported through similar means. Id. at 5-6. Accordingly, “a regulated AAA credit rated clearing house should be permitted to act as custodian for a Cryptocurrency [ETF].” Id. at 5. For funds that contemplate holding digital currencies directly, or seek physical settlement of cryptocurrency future contracts, Cboe points to firms like Gemini Trust Company, LLC as having the capability to act as custodian for such fund assets. Cboe also took this analysis a step further, requesting that, if the SEC saw custodial standards as an important issue, it promulgate specific standards to allow the industry to build to those specifications. Id. at 6.
Arbitrage and Price Manipulation
For arbitrage and price manipulation, Cboe requested that cryptocurrency funds be treated in the same manner as existing ETFs holding commodities or associated futures contracts. Id. Based on discussions with existing bitcoin market makers and authorized participants, Cboe also believes that the spot and over-the-counter markets easily support the arbitrage mechanism for alignment of the fund with bitcoin prices. Id. Cboe relies on this arbitrage mechanism as providing the proper market forces to reduce price manipulation risks comparable with other commodities markets. Id. at 6-7. It also noted that Cboe has specifically “undertaken significant measures to detect and prevent manipulation in the bitcoin futures market” with its own cryptocurrency futures. Id. at 7. This includes a comprehensive surveillance sharing agreement and strict position limits. Id.
Fraud
While Cboe did not appear to directly address the SEC’s concerns about potential fraud issues, it did raise the increased role the CFTC has taken with respect to cryptocurrencies, now viewed as commodities, which includes direct fraud regulation of cryptocurrency future contracts and indirect fraud regulation over spot and over-the-counter digital currency transactions. See Locke Lord QuickStudy: Regulators…Mount Up! Federal District Court Formally Recognizes Cryptocurrencies as Commodities and Designates the CFTC as a Leading Fraud Regulator.
In sum, one of the largest players in the industry has taken up the SEC’s hesitant offer to open the derivatives door to cryptocurrencies and the larger public. It is likely that, in time, that door will be opened completely.
https://www.sec.gov/divisions/investment/noaction/2018/cryptocurrency-011818.htm
—
[1] An “air drop” is when a cryptocurrency platform releases new coins by creating and directly transferring them to users, as opposed to traditional currency mining.
The New
Disclosure and Control Procedures
| Regulatory Item |
SEC Guidance |
| Item 503(c) – Risk Factors |
Companies should consider the following to determine whether disclosure of cybersecurity risks is necessary:
If a company has experienced a specific cybersecurity incident, it may not be enough to disclose the potential risk of another incident occurring. The company should discuss in further detail the occurrence and its consequences, alongside a broader discussion of cybersecurity risks inherent in the company’s business or industry. |
| Item 303 – MD&A of Financial Condition and Results of Operation | In disclosing information the company’s management believes necessary to understanding its financial condition and results of operations, management may want to consider whether the costs of cybersecurity (such as loss of IP, reputational harm, and cybersecurity insurance) and the potential risks and consequences of an incident could further inform management’s discussion and analysis. In addition, the SEC expects companies to consider cybersecurity issues and their impact on each of the company’s reportable segments. |
| Item 101 – Description of Business |
The SEC expects companies to discuss cybersecurity incidents or risks if it would materially affect a company’s products, services, relationships with customers or suppliers, or competitive conditions. |
| Item 103 – Legal Proceedings |
Any litigation arising out of a cybersecurity incident must be properly disclosed. For example, if a company is hacked and all of its customers’ information is stolen, the company must disclose any material litigation, including suits brought by the affected customers against the company. |
| Financial Statement Disclosures | A company’s financial reporting and controls system should be designed so that information relating to the financial impact of a cybersecurity incident is reflected on the financial statements in a timely manner. For example, an operational event such as a hack could result in a possible loss contingency requiring financial statement accrual or disclosure. |
| Item 407(h) – Board Risk Oversight | If cybersecurity risks are material to the company’s business, the discussion on the Board’s risk oversight should include a discussion on the Board’s role in overseeing cybersecurity risks. |
Takeaways
Given the increased magnitude and frequency of cybersecurity incidents, public companies should revisit their cybersecurity disclosures and disclosure controls and procedures. Despite the criticism by some that the SEC’s new guidance does not go far enough,4 that guidance should serve as a wake-up call for companies that have not yet put in place a comprehensive cybersecurity disclosure policy. A public company without such a policy is urged to put one in place so that it is in a position to timely report and to alert investors of any data breaches or other cybersecurity incidents. Those public companies that have a cybersecurity disclosure policy in place should review and update that policy, having in mind that cybersecurity incidents are becoming more and more common and that increased attention by the SEC and others on cybersecurity disclosure is assured. In addition to disclosure and governance considerations, companies should continue to treat the subject of cybersecurity as a critical operational issue deserving of focused attention.
1 SEC Rel. Nos. 33-10459; 34-82746, located here.
2 CF Disclosure Guidance Topic No. 2, Cybersecurity located here
3 Public companies are required to maintain effective disclosure controls and procedures pursuant to Exchange Act Rules 13a-15 and 15d-15.
4 https://www.law360.com/articles/1014661/new-sec-cybersecurity-guidance-dinged-by-dems-as-rehash
Much has already been written about the SEC’s enforcement action involving Yahoo’s failure to adequately disclose a cyberbreach.1 I am writing about something that the SEC’s announcement and order did not address and therefore has not been written about.
On April 24, 2018, the SEC announced a settlement with Altaba Inc., which formerly was Yahoo! Inc., under which Altaba agreed to pay $35 million and take certain remedial actions to resolve claims that Yahoo violated the federal securities law by failing to make timely disclosures until September 2016 related to a 2014 data breach of its user database.2 The SEC’s announcement and order focused (i) on Yahoo’s misleading risk factor, noting that identifying the potential of future data breaches is misleading when a material one has already occurred, (ii) on the failure to disclose the consequences of the data breach as a known trend and uncertainty in MD&A, and (iii) on the misrepresentation arising from a representation as to the absence of data breaches in a merger agreement filed as an exhibit to an Exchange Act report.3 The SEC also noted the deficiency in Yahoo’s disclosure controls and procedures, indicating that the procedures were insufficient to ensure that cyber events identified by the information technology officials were appropriately evaluated for potential disclosures.4
The SEC’s Yahoo enforcement action did not address the failure of Yahoo’s financial statements to include disclosure (and possibly an accrual) under Accounting Standards Codification 450-20 for the potential loss contingencies resulting from the 2014 data breach. Not much imagination typically is required to foresee the potential for significant liabilities arising from a massive cyberbreach and therefore the importance of considering the financial statement implications of that breach among other required disclosures. In this respect, the Yahoo enforcement action has similarities to the 2017 SEC enforcement action against General Motors for inadequate accounting controls that prevented GM from properly assessing the impact on its financial statements of its defective ignition switch problems.5 Both actions provide the same lesson regarding the need for proper controls so that operational problems, like cyberbreaches and defective ignition switches, in addition to the more obvious litigation matters, are brought to the attention of the company officials in a position to evaluate the need for disclosure and the impact on the financial statements.
In both the Yahoo and GM actions, the loss contingencies involved unasserted claims that, under ASC 450-20, required an assessment as to whether claims were probable and, if so, whether a material loss was reasonably possible (i.e., more than remote). If this test is met, disclosure is required, with a quantification of the estimated loss or range of loss if an estimate can be made. In addition, if the loss is both probable and can be estimated, the estimated amount must be accrued as a charge to income. Applying ASC 450-20 to these types of situations can involve difficult judgments and the SEC indicated in its announcement of the Yahoo settlement that it does not second guess good faith exercises of judgment about cyber-incident disclosure. However, companies need to make reasonable efforts to meet their cyber and other loss contingency disclosure and accounting obligations and to document those efforts and the basis of their judgments. These efforts should include having in place comprehensive disclosure controls and procedures and accounting controls that are documented and periodically reviewed and assessed for compliance.
—
[1] Altaba Inc., f/d/b/a Yahoo! Inc., Securities Act Release No. 10485, Exchange Act Release No. 83096, Accounting and Auditing Enforcement Release No. 3937, Administrative Proceeding File No. 3973 (Apr. 24, 2018).
[2] Press Release, SEC, Altaba, Formerly Known As Yahoo!, Charged With Failing to Disclose Massive Cybersecurity Breach; Agrees To Pay $35 Million (Apr. 24, 2018).
[3] See my article, Keller and Held, “The Meaning of the Titan 21(a) Report: New Disclosure Practices for Contractual Representations,” INSIGHTS, Vol. 19, No. 6, June 2005 at p. 2.
[4] The Yahoo enforcement action needs to be read together with the SEC’s recent interpretive guidance on cybersecurity disclosure since it is obvious that each influenced the other. See SEC, Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Release Nos. 33-10459, 34-82746 (Feb. 26, 2018).
[5] General Motors Company, Exchange Act Release No. 79825, Accounting and Auditing Enforcement Release No. 3850, Administrative Proceeding File No. 3-17797 (Jan. 18, 2017).
On July 18, the Securities and Exchange Commission adopted an amendment to Rule 701 increasing the threshold that triggers the Rule’s disclosure requirements. As background, Rule 701 provides an exemption from the registration requirements of the Securities Act for offers and sales of securities (including securities issuable under stock options and restricted stock units) by private companies (i.e., companies not subject to the reporting requirements under the Exchange Act) to their employees, officers, directors, consultants and advisors under compensatory benefit plans. If the aggregate sales price or amount of securities granted to service providers during any consecutive 12-month period exceeds $5 million, companies must deliver to participants a reasonable time before the sale financial statements, the risk factors associated with the investment, and a summary of the plan’s material terms. For stock options, this means a reasonable time prior to exercise. For other securities, it means prior to the date of grant. The disclosure requirements are applied retroactively to all sales made in the applicable 12-month period, and not just to those once the company has exceeded the limit.
As mandated by the Economic Growth, Regulatory Relief and Consumer Protection Act (which was signed by President Trump in May 2018), the SEC amended Rule 701(e) to increase the threshold that triggers the requirement to deliver disclosures from $5 million to $10 million. In all other respects, Rule 701(e) will continue to operate in the same manner as it currently does. Thus, if the aggregate sales during any consecutive 12-month period exceed $10 million, the company must deliver the disclosures within a reasonable period of time before the date of sale to all investors in that 12-month period. Companies that have commenced an offering in the current 12-month period will be able to apply the new $10 million disclosure threshold immediately upon effectiveness of the amendment. In this regard, a company that has crossed the $5 million threshold (but not the $10 million threshold) must comply with the disclosure requirements for those investors entitled to such information before the effective date of the amendment, but once the amendment becomes effective, the company is not required to provide further disclosures unless the $10 million threshold is exceeded (applied retroactively for the 12-month look-back period).
This amendment to Rule 701 follows an enforcement action brought by the SEC in March 2018 against Credit Karma, Inc., a privately-held internet-based financial technology company. From October 2014 to September 2015, Credit Karma issued $13.8 million of stock options to employees, but failed to provide the disclosures required by Rule 701 even though senior executives were aware of the Rule 701 requirements. Credit Karma agreed to a settlement with the SEC and paid a civil penalty of $160,000.
The SEC also voted to issue a concept release requesting public comment on ways to modernize Rule 701 and Form S-8 (the registration statement for compensatory offerings by reporting companies) in light of the significant evolution in both the types of compensatory offerings and the composition of the workforce since the SEC last substantively amended these rules in 1999. In particular, the SEC is asking for comments regarding “gig economy” relationships, to better understand how they work and to determine what attributes of these relationships may provide a basis for extending eligibility for the Rule 701 exemption to these workers.
Few things annoy a company more than when a short-seller starts bad-mouthing the company to drive down its share price and the company can do little about it. Now, as a result of a recent SEC enforcement action, there may be some recourse against such troublesome activity. On September 12, 2018, the SEC filed an enforcement action against a short-seller, Lemelson Capital Management LLC, and its founder alleging that they engaged in a fraudulent “short-and-distort” scheme by spreading false information about a biotech company in order to profit from the decline in the company’s share price (https://www.sec.gov/news/press-release/2018-190).
The SEC was careful to note that short-sellers are free to express their opinions about particular companies but are not entitled to disseminate false statements to support their short-selling activity. Thus, if a company believes that a short-seller is in fact spreading false information, it may now have an avenue, through use of the SEC, to have recourse.
On September 13, 2018, following the lead of other federal agencies, SEC Chairman Jay Clayton issued a reminder that SEC staff positions are nonbinding and create no enforceable legal rights or obligations of the Commission or others, and thus is to be distinguished from actions by the Commission (https://www.sec.gov/news/public-statement/statement-clayton-091318). This statement has prompted a lot of comment about its meaning.
My view is that this statement is a formalization of what has always been understood, as reflected in the standard staff disclaimer to public comments and in other staff communications, such as no-action letters and interpretive advice. The effect, if any, of the statement is likely to be some circumscription of how far the SEC staff will be willing to go with interpretations and guidance, but I expect the staff to be as forthcoming and willing to interact as they have before. That approach has been the hallmark of the SEC and I foresee its continuing.
From time to time there is an SEC enforcement action that has a broader lesson for public companies. The recent settled enforcement action against SeaWorld Entertainment, Inc. (https://www.sec.gov/news/press-release/2018-198) is one of those. In SeaWorld the SEC charged the company, its CEO and its vice president of communication with misleading investors when they failed to accurately disclose the impact of the Blackfish documentary, which criticized SeaWorld’s treatment of orcas, on the company’s reputation and business.
This SEC enforcement action is a reminder of the need for companies to properly evaluate adverse events and to timely and accurately disclose the impact of those events on the company’s business and prospects, even when (and perhaps especially when) the event is publicly known. The often typical response that an event “is not expected to have a material effect” on the company may not, depending on the circumstances, be satisfactory. In SeaWorld the company had touted its reputation as one of its principal assets but it failed to timely disclose the effect of the Blackfish documentary on that reputation, which caused a significant decline in attendance and a resulting loss in share value when that effect was eventually disclosed.
We recently wrote about short sellers being the scourge of public companies and the availability of a response from the SEC (here). The SEC has now made clear in an enforcement action against Elon Musk, the CEO of Tesla Inc., a favorite of short sellers, that a response that is not acceptable is releasing false and misleading information, even by tweet, to pump up the stock price (here). In this case, Musk tweeted in early August that he might take Tesla private at a substantial premium to the then current market price and that funding had been secured. The SEC alleges that these statements were made without an adequate basis. It is notable that the SEC’s enforcement action was brought so quickly after the event. So far, the action is just against Musk and not the company. As part of the remedies, the SEC is seeking a bar on Musk acting as an officer or director of Tesla or any other public company, which is quite extraordinary given Musk’s central role in Tesla and his other ventures.
As discussed in more detail in our QuickStudy (available here), on August 17, 2018 the Securities and Exchange Commission (the “SEC”) adopted numerous amendments to its disclosure requirements that were intended to simplify compliance for issuers by eliminating certain redundant, overlapping, outdated or superseded disclosure requirements (the “Disclosure Simplification Rules”). The Disclosure Simplification Rules become effective 30 days after publication in the Federal Register[1], but it was unclear whether or not the amendments, when effective, should only apply to periodic reports covering periods ending on or after the effective date or to all periodic reports filed after the effective date. This is important as the Disclosure Simplification Rules, somewhat ironically, require additional disclosure in Form 10-Q related to changes in stockholders’ equity and dividends, which information was previously only required in Form 10-K. Issuers with a September 30 quarter-end needed to prepare to comply with these additional disclosures without certainty as to whether or not the Disclosure Simplification Rules would actually apply to their third quarter 10-Qs.
On September 25, 2018, the Division of Corporation Finance issued a new compliance and disclosure interpretation (“C&DI”) addressing the effectiveness of the Disclosure Simplification Rules and providing some limited relief with respect to the presentation of changes in stockholders’ equity. In short, the new rules apply to any filing made after the effective date but, with respect to the presentation of changes in stockholders’ equity, the C&DI provides that an issuer can hold off for one more quarter. The full text of C&DI 105.09 is available here.
[1] The rules have not been published in the Federal Register as of the date of this post.