Risky Business: SEC Expands DCP Enforcement Using Company Risk Factors

Outside of the small circle of federal securities law nerds (we proudly proclaim our membership), the phrase "disclosure controls and procedures" (DCP) rarely garners much attention. However, a recent settled order issued by the U.S. Securities and Exchange Commission (SEC or Commission) concerning a purported DCP violation by an issuer based on an alleged failure to collect information tied to one of the company's risk factor disclosures has brought DCP out from the practitioner shadows and into the spotlight.

In this post, we explore the history of DCP, the SEC's increasingly expansive enforcement of this provision, an overview of the recent order (along with a corresponding dissent to the order by SEC Commissioner Hester Peirce) and the significant compliance ramifications for public company issuers.

The Captivating History of DCP

Section 13a, titled "Reports of Issuers of Securities Registered Pursuant to Section 12," is a set of provisions within the Securities Exchange Act of 1934 (Exchange Act) that contain requirements for entities registered under Section 12 of the Exchange Act to follow when filing annual or other reports with the SEC. In August 2002, as directed by Section 302(a) of the Sarbanes-Oxley Act (SOX), the SEC enacted rules that the principal executive officer and principal financial officer (typically the CEO and CFO but sometimes other persons providing similar functions) of an issuer each must certify to certain information contained in the issuer's quarterly and annual reports (Certification Rules). The Certification Rules are now largely codified in Exchange Act Rule 13a-14 and SOX Section 302(a).

As part of the same rulemaking, the Commission also introduced Exchange Rule 13a-15 to require issuers to maintain, and regularly evaluate the effectiveness of, DCP designed to ensure that the information required in reports filed under the Exchange Act is recorded, processed, summarized and reported on a timely basis (DCP Rules).¹ DCP include, without limitation, controls and procedures designed to ensure that information required to be disclosed by an issuer in the reports that it files or submits under the Exchange Act is accumulated and communicated to the issuer's management, including its principal executive and principal financial officers as appropriate to allow timely decisions regarding required disclosure.²

The Certification Rules mandate, among other things, that CEOs/CFOs must certify that they have "designed such [DCP] to ensure that material information is made known to them, particularly during the period in which the periodic report is being prepared."³ The Commission stated that issuers should maintain DCP "to provide reasonable assurance that the issuer is able to record, process, summarize and report the information required in the issuer's Exchange Act reports."⁴ The Commission further noted that "it is necessary for companies to ensure that their internal communications and other procedures operate so that important information flows to the appropriate collection and disclosure points in a timely manner."⁵

Division of Enforcement DCP History and the SEC's Recent Order

Over the years, the SEC's Division of Enforcement (Enforcement) has alleged DCP with increasing frequency in enforcement actions. Although the SEC has filed DCP charges where fraud charges were not included, DCP charges often appear as part of broader actions involving false and misleading statements by issuers where the deficient DCP failed to head off these issues. In 2021, however, Enforcement took a step toward a more expansive approach to DCP enforcement in its action against First American Financial Corp. (First American) which it charged with deficient DCP without specifically alleging that the company had made any false or misleading statements or issued inaccurate financial statements.⁶ However, the accuracy (or lack thereof) of the company's statements or disclosures remained tacitly part of the SEC's findings.⁷

In early February, the SEC built on its expansive DCP approach by issuing an order against a publicly traded video game and development company for purported DCP violations and alleged violations of Rule 21F-17 (view a more in-depth analysis on the SEC's aggressive 21F-17 enforcement). Missing from the SEC's order? Any express or implicit finding that any of the company's statements were false or misleading.

According to the order, which the company settled to without admitting or denying the findings therein, the company in Forms 10-K and 10-Q for a multiyear period "acknowledged that attracting, retaining, and motivating a workforce of employees with specialized skills is particularly important to its business."⁸ The company included this disclosure as one of dozens of different risk factors it faced under Item IA of its 10-K filings and included several reasons why employee retention was a risk (such as competitive compensation and employee mobility).

While acknowledging that settled orders from the SEC often involve lengthy negotiations on the specific content included therein, the factual basis for the DCP charge in this case – a mere three paragraphs of the order – is sparse and has led to a great deal of confusion for public company issuers. The SEC's order claims that the company lacked effective DCP because it did not collect or analyze employee complaints of workplace misconduct for disclosure assessment purposes.⁹ Because this information was not collected, it was not accessible to the company's management and thus the company allegedly could not assess whether information on those employee complaints should be disclosed ("whether material issues existed that warranted disclosure to investors"). The SEC's order, however, never identified the company's risk factor as false or misleading.

The SEC's order does include a sentence from the Commission's 2002 Adopting Release for the DCP rules concerning the need to capture information "relevant to an assessment of the need to disclose developments and risks that pertain to the issuer's business." But the full context of that reference suggests the ultimate purpose of these controls is to ensure that accurate and reliable information is reported, as opposed to ensuring that information potentially relevant to disclosures is collected and reviewed by upper management:

As discussed in the June Proposals, these procedures are intended to cover a broader range of information than is covered by an issuer's internal controls related to financial reporting. For example, the procedures should ensure timely collection and evaluation of information potentially subject to disclosure under the requirements of Regulation S-X, Regulation S-K or S-B and Forms 20-F and 40-F. The procedures should capture information that is relevant to an assessment of the need to disclose developments and risks that pertain to the issuer's businesses. They also should cover information that must be evaluated in the context of the disclosure requirement of Exchange Act Rule 12b-20. We believe that the new rules will help to ensure that an issuer's systems grow and evolve with its business and are capable of producing Exchange Act reports that are timely, accurate and reliable.¹⁰

Even though there is no allegation that the company's public reports were untimely, inaccurate or unreliable, by virtue of this purported failure and its alleged Rule 21F-17 violation, the company agreed to pay a $35 million penalty.

Commissioner Peirce's Compelling Dissent

Over the years, Commissioner Peirce has not been shy about issuing dissents when she disagrees with Commission enforcement actions or rulemaking. Here, Commissioner Peirce's dissent was rooted in her view that the SEC's allegations do not allege a securities law violation, as the Commission alleged "no fraud, misrepresentations, or investor harm."¹¹ She pointed out that, based on the clear definition of DCP provided in Rule 13a-15(e), a company's DCP need only capture "information that is required to be disclosed" under the Exchange Act, not "information 'relevant' to a company's determination about whether a risk or other issue reaches the threshold where it is 'required to be disclosed,'" the standard articulated by the SEC in its order.¹²

Commissioner Peirce also took issue with the alleged basis for the alleged securities violation – the company's risk factor disclosure – as there are a "multitude of factors" that play into employee retention and recruitment, not just reports of workplace misconduct.¹³ Commissioner Peirce stated that "[i]f workplace misconduct must be reported to the disclosure committee, so too must changes in any number of workplace amenities and workplace requirements," because those factors could all be relevant to the disclosed risk factor.¹⁴ Ultimately, Commissioner Peirce took the position that the SEC's order places it in the improper position of a "Corporate Manager" attempting to use DCP enforcement to encourage companies to "manage themselves according to the metrics the SEC finds interesting at the moment."¹⁵

Most concerning for Commissioner Peirce – and, we imagine, public companies – is the extrapolation of this order to other circumstances: "It is also difficult to see where the logic of this Order stops."¹⁶ She indicated that the potential implications from the order would significantly increase the data-gathering necessary to avoid similar theories in the future, which could "distract management from collecting the data it actually needs to provide material information to investors and impose additional, unnecessary costs on investors who will not benefit from the company's collection of data points … ."¹⁷ In other words, the SEC's interpretation of the scope of DCP may actually harm, rather than help, investors.

Key Takeaways: More Controls, More Procedures

The SEC's recent order raises significant questions and concerns for public company issuers.

First, issuer companies should be aware that the SEC may pursue enforcement actions for alleged DCP violations even if there are no allegations of fraud or false or misleading representations by the company. As noted above, even with increasing use of alleged DCP violations, the SEC's recent order pushes its enforcement approach beyond prior boundary markers.

Second, taking the plain language of the order, an enforcement action may be premised purely on whether the entity in question captured information that is "relevant to an assessment of the need to disclose developments and risks that pertain to the issuer's business." If Enforcement follows this approach going forward, it provides seemingly endless avenues for Enforcement to argue that companies failed to collect information on a given topic, without any regard for whether the company's disclosures on such topic were accurate or reliable. This appears at odds with the purported aim of DCP from the 2002 Adopting Release.

Third, issuers have long included scores of risk factors in their public reports to provide holistic and fulsome disclosure on the risks they face. Now, the SEC has seemingly utilized these broad disclosures as a foothold for potential DCP violations. The potential impact – and cost – to issuers cannot be overstated when applied to other situations. What type of information would issuers need to compile about their competitors if they note that they are in a highly competitive industry? What type of information would issuers need to assess about third-party companies if they note that they rely upon the third parties for success? As Commissioner Peirce noted, it's hard to see the limits of this order when applied elsewhere. At the same time, it's equally easy to see Enforcement utilizing a similar playbook to "Monday Morning Quarterback" situations where companies aren't collecting information on a subject matter that is of interest to the Commission at that time. Such prospects make risk factor disclosures a risky business going forward.

The Holland & Knight SECond Opinions Blog will continue to monitor this space and provide updates as to future developments. If you need any additional information on this topic – or anything related to SEC enforcement or internal investigations – please contact the authors or another member of Holland & Knight's Securities Enforcement Defense Team.

Notes

¹ Release Nos. 33-8124, 34-46427, U.S. Sec. & Exch. Comm'n, "Certification of Disclosure in Companies' Quarterly and Annual Reports," Section II.A. (Aug. 28, 2002).

² Id.; 17 C.F.R. § 240.13a–15(e) (emphasis added). As part of the adopting release, the Commission specifically noted that "[w]e also have included this definition to differentiate this concept of disclosure controls and procedures from the pre-existing concept of "internal controls" that pertains to an issuer's financial reporting and control of its assets, as currently embodied in Section 13(b) of the Exchange Act."

³ Release Nos. 33-8124, 34-46427, U.S. Sec. & Exch. Comm'n, "Certification of Disclosure in Companies' Quarterly and Annual Reports, supra" note 1 at Section II.A (emphasis added).

⁴ Id. at Section VI. (emphasis added).

⁵ Id. at Section III.A. (emphasis added).

⁶ See "In the Matter of First American Financial Corporation," Order Instituting Cease and Desist Proceedings Pursuant to Section 21C of the Securities Exchange Act of 1934, Making Findings, and Imposing a Cease-and-Desist Order (Jun. 14, 2021).

⁷ On May 24, 2019, a cybersecurity journalist notified First American that its document image-sharing application had suffered a vulnerability, exposing more than 800 million images containing sensitive personal data. Id. First American issued a press statement and filed a Form 8-K with the SEC, but unbeknownst to the senior executives responsible for the public statements or Form 8-K disclosure, First American information security personnel had learned about this vulnerability months earlier, failed to remedy the problem and failed to communicate the issue to senior information security management prior to the journalist's warning. Id. This information was not communicated to First American management before it issued a public statement that the company took "immediate action to address the situation …" or before issuing its Form 8-K that omitted information about its personnel discovering the issuer four months earlier.

⁸ In the Matter of Activision Blizzard, Inc., Order Instituting Cease-and-Desist Proceedings Pursuant to Section 21C of the Securities Exchange Act of 1934, Making Findings, and Imposing a Cease-and-Desist Order, at ¶ 2 (Feb. 3, 2023).

⁹ Id. at 8.

¹⁰ Release Nos. 33-8124, 34-46427, U.S. Sec. & Exch. Comm'n, "Certification of Disclosure in Companies' Quarterly and Annual Reports, supra" note 1 at Section III.B (emphasis added).

¹¹ See Commissioner Hester M. Peirce, U.S. Sec. & Exch. Comm'n, "The SEC Levels Up: Statement on In re Activision Blizzard, supra" note 6.

¹² Id.

¹³ Id.

¹⁴ Id. (emphasis added).

¹⁵ Id.

¹⁶ Id.

¹⁷ Id.