This memorandum outlines certain considerations for US public companies in preparation for the 2019 annual reporting and proxy season. Part I provides a summary of certain key trends and insights from the 2018 proxy season, as well as new developments and practical action items for the 2019 proxy season; Part II sets forth an overview of recent corporate governance developments and trends; Part III examines disclosure considerations and regulatory updates; and Part IV includes a brief discussion relating to upcoming regulatory developments and pending rulemaking initiatives.
Part I: Recent Proxy Season Developments
2018 Proxy Season Recap
Corporate Governance Proposals
Special meeting, written consent and proxy access (to adopt proxy access or amend the terms of an existing proxy access right) proposals dominated the landscape in 2018. The overall pass rate for corporate governance proposals declined in the 2018 season, due in large part to a reduction in the relative number of proposals relating to proxy access, majority voting, board declassification and removal of supermajority vote proposals. Proposals requesting an independent board chair, board declassification, majority voting for director elections, and proposals seeking to adopt or amend proxy access were nearly 47% of all governance-related proposals. There was an overall increase in the number of proposals seeking positive governance changes, likely due in part to increased engagement with shareholders. Boards submitted 160 proposals (up from 117) addressing proxy access, board declassification, majority voting for directors, special meeting, written consent rights, and reduction of supermajority voting requirements; 153 of these proposals received at least 90% support. Independent chair proposals averaged 30.8% support, indicating that shareholders are generally satisfied with a sufficiently empowered lead independent director as an appropriate alternative to a mandatory separation of the CEO and chair roles.
Special Meeting Proposals
There was a significant increase in proposals relating to the right of shareholders to call a special meeting (77 in 2018 vs. 23 in 2017), overtaking proxy access as the top governance proposal, both in terms of number of proposals submitted and number of proposals voted on (58). The majority of the proposals submitted (57) sought to lower the threshold required to call a special meeting from 25% to 10%; there were also 15 proposals seeking to introduce the right at companies that do not provide for such a right. For S&P 500 companies, 60% currently offer shareholders a right to call special meetings, and of the proposals that went to a vote, only three of the target companies did not provide the right to call a special meeting. Seven of the special meeting proposals passed.
- Institutional investors are generally supportive of giving shareholders the right to call a special meeting, but specific positions vary. BlackRock supports a threshold between 15 – 25 percent. State Street will only support a proposal to lower the threshold if the existing threshold is over 25 percent and the shareholder proposal provides for at least a 10 percent threshold.
Written Consent Proposals
There was a significant increase in proposals to allow shareholders to act by written consent (41 in 2018 vs. 15 in 2017); however, shareholder support remained low, with only five proposals passing. All of the companies where written consent proposals went to a vote already provided shareholders with the right to call a special meeting. Low passing rates, therefore, seem to reflect agreement by a majority of shareholders that special meeting rights render written consent rights unnecessary. When companies do implement a written consent right, it is often subject to a number of the same terms contained in market standard special meeting provisions.1
More than 500 US companies have adopted proxy access provisions to date, including approximately 87 percent of companies in the S&P 100 and approximately 67 percent of companies in the S&P 500. As a result, there were significantly fewer proposals to adopt proxy access in 2018.2 Because most companies that received such a proposal (as well as some that did not) chose to adopt proxy access with terms consistent with market practice,3 fewer proposals to adopt proxy access went to a vote in 2018. In addition, "fix it" proposals seeking to amend existing proxy access terms continued to be unsuccessful. Of the 23 "fix it" proposals that went to a vote in 2018, only four garnered more than 30 percent support, and none of the proposals, which mainly sought to remove or loosen restrictions on group size, passed.
The number of social proposals submitted during the 2018 proxy season increased slightly relative to 2017. The two largest sub-categories were lobbying/political contributions (85 submitted in 2018) and diversity related proposals (board, employment and gender pay gap) (78 submitted in 2018). However, fewer gender pay equity, equal employment opportunity and board diversity proposals went to a vote (less than half the number in 2017), as many were withdrawn after companies reached agreements with shareholders (particularly with respect to proposals addressing corporate anti-discrimination policies).
Political Contributions and Lobbying Disclosure
Proposals seeking disclosure related to a company's spending on political contributions and lobbying were the most common type of social proposal in 2018. Although none of these proposals passed, 23 received over 30% support. In addition, 12 proposals were withdrawn, likely due to corporate engagement with the proponents. Many S&P 500 companies voluntarily disclose some information related to political spending; in 2018, 294 companies disclosed some or all of their election-related spending, about the same as 2017.4
Linking Executive Compensation to Environmental and Social Issues
The most common type of compensation-related social proposal sought to link executive compensation to environmental and social issues, such as sustainability, diversity, cybersecurity/data privacy, or risks related to pharmaceutical pricing, with 21 submitted in 2018 (compared to 12 in 2017). These proposals averaged less than 20 percent support, and none passed, but shareholders are increasingly focusing on this issue.
Although proposals related to board diversity remained relatively stable in 2018, board diversity, especially with respect to women and minorities serving as directors, is an issue that has garnered an increasing amount of attention in the corporate governance arena. Only five proposals went to a vote (three of which were supported by Institutional Shareholder Services ("ISS")), as a significant number were withdrawn, typically after companies reached agreements with the proponents. The proposals that were voted upon averaged a 22.5 percent support rate, and none passed. Campaigns for gender diversity on boards of directors have already had an impact on board composition and recruitment. Equilar reports5 that for a third consecutive quarter the percentage of women on Russell 3000 boards increased during the second quarter of 2018, with 34.9 percent of new board seats going to women. Spencer Stuart reports6 that, for the second consecutive year, women and minorities represented half of the class of new S&P 500 directors in 2018. Gender and minority board diversity is likely to remain an important topic for the 2019 proxy season. Investors and regulators continue focusing on this issue, as is evident from the following developments and initiatives:
- SEC – In January 2018, the SEC's Office of Minority and Women Inclusion ("OMWI") introduced its "Diversity Assessment Report for Entities Regulated by the SEC,"7 which is designed to (i) help regulated entities conduct self-assessments of their diversity policies and practices; (ii) provide these entities with a template for submitting information about their self-assessments to OMWI; and (iii) encourage regulated entities to publish information related to their self-assessments on their websites. Use of the assessment report is voluntary.
- New York City Comptroller/New York City Pension Funds – Launched its "Board Accountability Project 2.0" for the 2018 proxy season, sending letters to 151 companies to request disclosure of the skills, race and gender of board members in a standardized board matrix in the proxy statement,8 as well as seeking engagement to discuss board "refreshment" opportunities to bring new voices and viewpoints onto the board. In a few cases, the Comptroller's office submitted shareholder proposals requesting proxy disclosure of gender and race/ethnicity, as well as skills, experience and attributes, of directors and nominees in a matrix form. The Comptroller's office announced that 80 percent of companies responded to letters, 85 substantively engaged and adopted new processes, 35 now disclose director diversity details, 49 elected new diverse directors and 24 committed to include diverse candidates in every board search.
- BlackRock – Publicly stated that it expects to see at least two women directors on every board, indicating that it may vote against nominating/governance committee members if it believes that a company has not accounted for diversity in its board composition.9
- State Street Global Advisors – Advised that beginning in 2020 it will vote against the entire nominating committee of a company that does not have at least one woman on its board, and has not engaged successfully with State Street for three consecutive years (the existing guidelines target only the chair of the governance committee, rather than all the members). State Street reported that by early March 2018 it had voted against more than 500 companies for failure to demonstrate progress on board diversity.
- CalPERS – Engaged with more than 500 US companies in the Russell 3000 index regarding lack of board diversity and adopted a "Board Diversity & Inclusion" voting enhancement to hold directors at these companies accountable for failure to improve diversity on their boards or diversity and inclusion disclosures. CalPERS reported that through May 2018 it withheld votes or voted against 271 directors at 85 companies as a result of board diversity concerns.
- California S.B. 826¹⁰ – California recently passed a law that requires publicly traded companies based in California, regardless of state of jurisdiction or incorporation, to have at least one woman on their boards by December 31, 2019. By December 31, 2021, the applicable minimum number will increase to: (i) three female directors, if the company has six or more directors, (ii) two female directors, if the company has five directors, and (iii) one female director, if the company has four or fewer directors.
- ISS and Glass Lewis – In 2019, both of these proxy advisory firms updated their voting guidelines with respect to board gender diversity (see below for a discussion of these policies).
Fewer environmental proposals reached a vote this season, as companies were increasingly willing to reach agreements with proponents that led to the withdrawal of many proposals. Seven environmental proposals received majority support in 2018: two asking for preparation of a two-degree scenario (which received 59.7 percent and 53 percent support); one seeking a report on coal ash risk (53.2 percent support); one seeking a report on methane emissions management (50.3 percent support); one asking for a sustainability report (60.4 percent and 57.2 percent support); and one asking a company to set GHG emissions reduction goals (57.2 percent support).
Climate change proposals were the most prevalent type of environmental proposal, with continued high levels of shareholder support. Out of the 68 environmental proposals that went to a vote, one-third (23) were climate change proposals. Climate change proposals averaged 32 percent support in 2018, similar to the 34.5 percent support in 2017; more than half (12) received greater than 30 percent support, including eight proposals that received more than 40 percent support, with four proposals passing.
While several factors contributed to the increased support for environmental proposals, support from large institutional investors and public pension funds was instrumental in the passing of the four climate change proposals.
Institutional investors are looking at whether a company has integrated environmental risks and opportunities into its strategic planning, and many view sustainability as having a material impact on long-term corporate performance. Notwithstanding the applicable disclosure requirements, a company's environmental, social and governance ("ESG") disclosure should be tailored to the information the company's large shareholders want to know. This disclosure can be provided in a company's proxy statement, although most of this information will likely be provided in a separate sustainability report or on a company's website. Generally, these reports are positively perceived by investors.
Select ESG Developments
ESG Guidelines Rule-Making Petition
In October 2018, a group of investors, state treasurers, public pension funds, unions, legal experts and ESG advocates representing more than $5 trillion in assets filed a rule-making petition11 asking the SEC "to promptly initiate rule-making to develop mandatory rules for public companies to disclose high-quality, comparable, decision-useful environmental, social and governance information." Petitioners12 argued that standardized disclosure is critical for evaluating companies' long-term performance and risk management and that disparate reporting methods make it difficult for investors to compare companies or rely on the information for their investment decisions. They emphasized that their position was as fiduciaries looking to maximize returns and evaluate factors that could affect long-term risks, not promote personal values. Although 80 percent of large companies produce some kind of sustainability report, these reports are inconsistent due in part to a lack of guidance from the SEC.
ISS Environmental & Social QualityScore
While there were already several prominent ESG rating groups (for example, MSCI, Sustainalytics and RobecoSam), in 2018, ISS launched its Environmental & Social QualityScore platform13 ("E&S QualityScore"), a data-driven approach to measure the quality of corporate disclosures on environmental and social issues, including sustainability governance, and to identify key disclosure omissions.14 E&S QualityScore includes more than 380 environmental and social factors under analysis and provides a top-level score for both environmental and social, as well as scores for each category underneath each topic, on a scale of 1 (higher quality disclosure) to 10 (lower quality disclosure) relative to peer companies in their specific industry group. In November, ISS announced the addition of a new "Board Diversity" subcategory, which takes into account existing factors as well as factors such as: (i) the number of women serving in key leadership roles on the board, (ii) the number of female named executive officers, (iii) the standard deviation of director age, and (iv) the standard deviation of director tenure. The E&S QualityScore will have no impact on ISS' proxy voting recommendations.
ISS15 16 and Glass Lewis17 18 Proxy Voting Guidelines
Board Gender Diversity
For 2019, ISS will highlight boards with no gender diversity; however, it will not make adverse vote recommendations due to a lack of gender diversity. Effective for meetings taking place on or after February 1, 2020, ISS will generally vote against or withhold from the chair of the nominating committee (or other directors on a case-by-case basis) at companies in the Russell 3000 or S&P 1500 indices where there are no women on the company's board. Mitigating factors include: (i) a firm commitment, as stated in the proxy statement, to appoint at least one female director in the near term; (ii) the presence of a female on the board at the preceding annual meeting; or (iii) other relevant factors as applicable.
For 2019, Glass Lewis will generally recommend voting against the chair of the nominating committee of a board that has no female members. Glass Lewis may also recommend voting against the other members of the nominating committee, depending on other factors, including: (i) the size of the company, (ii) the industry in which the company operates, and (iii) the governance profile of the company. When making its voting recommendations, Glass Lewis will carefully review a company's disclosure of its diversity considerations (including whether boards have provided a sufficient rationale for not having any female board members or have disclosed a plan to address the lack of diversity on the board), and may not recommend that shareholders vote against directors of companies outside the Russell 3000 index.
Board Accountability and Shareholder Rights & Defenses – Management Proposals to Ratify Existing Charter or Bylaw Provisions
ISS has added a new policy for 2019 pursuant to which it will vote against/withhold from individual directors, members of the governance committee, or the full board, where boards ask shareholders to ratify existing charter or bylaw provisions considering the following factors: (i) the presence of a shareholder proposal addressing the same issue on the same ballot; (ii) the board's rationale for seeking ratification; (iii) disclosure of actions to be taken by the board should the ratification proposal fail; (iv) disclosure of shareholder engagement regarding the board's ratification request; (v) the level of impairment to shareholders' rights caused by the existing provision; (vi) the history of management and shareholder proposals on the provision at the company's past meetings; (vii) whether the current provision was adopted in response to the shareholder proposal; (viii) the company's ownership structure; and (ix) previous use of ratification proposals to exclude shareholder proposals.19 ISS will generally also vote against management proposals to ratify provisions of the company's existing charter or bylaws, unless these governance provisions align with best practice.
ISS has also updated its responsiveness policy to provide that if the board failed to act on a management proposal to ratify existing charter/bylaw provisions that was opposed by a majority of votes cast, this will trigger a board responsiveness analysis at the following annual meeting.
Conflicting and Excluded Special Meeting Proposals
Glass Lewis has codified its policy regarding conflicting special meeting shareholder resolutions:
- Where there is both a management proposal and a shareholder proposal requesting different thresholds for the right to call a special meeting, Glass Lewis will generally recommend voting for the lower threshold and against the higher threshold.
- Where there are conflicting management and shareholder special meeting proposals and the company does not currently maintain a special meeting right, Glass Lewis may consider recommending that shareholders vote in favor of the shareholder proposal and abstain from voting on management's proposal.
- Where companies have excluded a special meeting shareholder proposal in favor of a management proposal ratifying an existing special meeting right, Glass Lewis will typically recommend against the ratification proposal, as well as members of the nominating and governance committee.
In addition, Glass Lewis will make note of instances where the SEC has allowed companies to exclude shareholder proposals, which may result in recommendations against members of the governance committee in very limited circumstances if Glass Lewis believes the exclusion was detrimental to shareholders.
Glass Lewis will generally recommend in favor of shareholder proposals requesting additional disclosure on: (i) employee diversity, and (ii) the steps companies are taking to promote workforce diversity.
Environmental and Social Risk Oversight
Glass Lewis has codified its approach to reviewing how boards oversee environmental and social issues:
- For large cap companies and where material oversight issues are identified, Glass Lewis will review a company's overall governance practices and identify which directors or board-level committees have been charged with oversight of environmental issues and/or social issues.
- Glass Lewis will also note instances where oversight of environmental and/or social issues has not been clearly defined by companies in their governance documents.
- Where it is clear that companies have not properly managed or mitigated environmental or social risks to the detriment of shareholder value, or when such mismanagement has threatened shareholder value, Glass Lewis may consider recommending that shareholders vote against members of the board who are responsible for oversight of environmental and social risks.
- In the absence of explicit board oversight of environmental and social issues, Glass Lewis may recommend that shareholders vote against members of the audit committee.
Ratification of Auditor
Glass Lewis codified that when reviewing auditor ratification proposals, additional factors it will consider include: (i) auditor's tenure, (ii) a pattern of inaccurate audits, and (iii) any ongoing litigation or significant controversies that call into question an auditor's effectiveness. In limited cases, these factors may contribute to a recommendation against auditor ratification.
Virtual Shareholder Meetings
For companies that opt to hold virtual-only annual shareholder meetings (without the option of in-person attendance), Glass Lewis may recommend voting against members of the governance committee if the company does not provide disclosure assuring that shareholders will be afforded the same rights and opportunities to participate as they would at an in-person meeting.
Written Consent Shareholder Proposals
Glass Lewis adjusted its approach to written consent shareholder proposals such that, in instances where companies have adopted proxy access and a special meeting right with a threshold of 15 percent or lower, Glass Lewis will generally recommend against shareholder proposals requesting that companies adopt a shareholder right to act by written consent.
Board Composition – Attendance
ISS has codified its approach that in cases of chronic poor meeting attendance by a director, without reasonable justification, in addition to voting against the director, ISS will generally vote against or withhold from appropriate members of the nominating/governance committees or the full board.20
Excise Tax Gross-Ups
Glass Lewis will now consider recommending against members of a company's compensation committee if new excise tax gross-ups are provided in executive employment agreements, particularly in situations where a company previously committed not to provide any such entitlements in the future.
Shareholder Activism Trends and Developments
Under Exchange Act Rule 14a-6(g), any person who owns more than $5 million of a company's securities and who solicits shareholders on a topic, but does not seek proxy voting authority, must file with the SEC a Notice of Exempt Solicitation, which appears on the company's EDGAR page as Form PX14A6G. In July 2018, the SEC clarified in a new Compliance and Disclosure Interpretation ("C&DI")21 that shareholders owning less than $5 million of a company's securities are permitted to file a notice of exempt solicitation on a voluntary basis as long as the cover of the notice clearly identifies it as a voluntary filing.
There has been a significant increase in the number of exempt solicitation filings made by both institutional investors (sometimes in response to a company's statement in opposition to a shareholder proposal or to encourage shareholders to vote a specific way) and retail investors who do not meet the $5 million holding threshold, with filings for 2018 up 43 percent compared to 2016. So far, these solicitations have not had any meaningful impact on votes. However, given SEC guidance, companies should be prepared to monitor and respond to a proliferation of Form PX14A6G filings during 2019, including informing the SEC if they believe an exempt solicitation filing contains materially false or misleading information, or is clearly not filed by a shareholder of the company, in order to potentially contest the filing.
"Vote No" Campaigns
While the numbers have remained relatively stable (18 in 2018, 18 in 2017, 22 in 2016 and 15 in 2015), there has been a recent increase in the visibility of "vote no" or "withhold" campaigns in which activists campaign against one or more directors supported by the board without proposing a slate of their own. Some shareholders use "vote no" campaigns to signify their discontent with the board of directors, in some cases targeting individual directors as a proxy for specific issues. "Vote no" campaigns are also used to pressure boards to reform themselves and drive change without the expense of a formal proxy contest; to respond to a rejected takeover offer, when shareholders have missed the deadline for nominating their own slate; to express shareholder sentiment on economic or strategy-related issues; or to express dissatisfaction with company performance. These campaigns can have a significant impact on the targeted director and the board as a whole. Even a director who technically survives the vote may resign or be removed afterwards if the result is too damaging, and in companies with a resignation policy, if a director fails to receive the requisite vote, the board must decide whether to accept such director's resignation or face criticism from shareholders, ISS and Glass Lewis if it decides not to accept.
Shareholder Proposal and No-Action Letter Developments
Exclusion of Shareholder Proposals under the Ordinary Business Exception of Rule 14a-8(i)(7) and the Economic Relevance Exception of Rule 14a-8(i)(5)
In 2017, the staff (the "Staff") of the SEC's Division of Corporation Finance ("Corp Fin") issued guidance22 and subsequent statements,23 which indicated that companies submitting no-action letter requests based on the "economic relevance"24 and "ordinary business" exceptions25 could include a discussion of the board's analysis of the particular policy issue raised by the proposal and its significance in relation to the company, since no-action requests made on these bases often raise difficult judgment calls that the Staff believes are matters that the board is generally best suited to analyze. During the 2018 proxy season, a number of companies included board analyses as part of their no-action requests; however, only one such request was granted.26 To clarify what type of information is most helpful in a board analysis in connection with a no-action request, in October 2018, the Staff issued Staff Legal Bulletin 14J ("SLB 14J").27 SLB 14J also provides the Staff's views on the scope and application of (i) "micromanagement" as a basis to exclude a proposal under the "ordinary business" exception; and (ii) the "ordinary business" exception for proposals concerning executive and/or director compensation matters.
SLB 14J encourages companies that are including a board analysis to describe the specific substantive factors considered by the board, rather than focusing on the process undertaken by the board.28 While the absence of a board analysis will not create a presumption against exclusion, it may be difficult for the Staff to exclude a proposal without such an analysis when the significance of the issue in question may depend on factors that the board is well positioned to evaluate.29
Ordinary Business Micromanagement
SLB 14J explains that under the ordinary business exception a proposal with a proper subject matter may still be excludable if it "probe[s] too deeply into matters of a complex nature," involves intricate detail, or asks for specific time frames or methods for implementing complex policies.30
Proposals that Address Senior Executive or Director Compensation
Proposals that relate to the management of the workforce and general employee compensation and benefits are generally excludable as ordinary business matters, while those focused on senior executive and/or director compensation generally are not excludable as they are viewed as significant policy matters. SLB 14J clarified that the Staff will examine whether the underlying concern of the proposal is truly focused on aspects of senior executive or director compensation or merely touches upon or implicates senior executive or director compensation. Further, if the proposal focuses on elements of compensation generally available to the workforce, then it is likely excludable under the ordinary business exception. Finally, although historically, the Staff has not excluded executive and/or director compensation proposals on the basis of micromanagement, the Staff now agrees that such proposals can be excluded on this basis if they seek intricate detail, or seek to impose specific timeframes or methods for implementing complex policies.31
Because shareholder proposals generally must be addressed during an extremely busy time of the year for most companies, careful consideration should be given as to whether providing a board analysis is a worthwhile investment of the board's time. Evaluation by the board32 may be warranted if the issue in question depends on factors that the company believes are not self-evident and that can be best analyzed and explained by the board. If it is determined that an analysis by the board is appropriate, efforts should be made to streamline the process, provide the board with the requisite information for its analysis and schedule meetings as necessary to finalize the analysis in advance of the deadline for submitting a no-action request.
SEC's Corp Fin Further Refines Rule 14a-8(i)(9) Exclusion
Rule 14a-8(i)(9) allows a company to exclude a shareholder proposal that "directly conflicts" with a management proposal. In 2015, the Staff narrowed the application of Rule 14a-8(i)(9) by redefining the meaning of "direct conflict"33 and further refined its position34 in a series of no-action responses in 201835 which allowed companies to exclude shareholder proposals that "directly conflicted" with management proposals where a management proposal asked shareholders to ratify an existing corporate governance provision (in these cases, special meeting thresholds) and the shareholder proposal asked for a lower threshold.36 However, in each of those cases, the provisions that the companies were submitting to the shareholders for ratification already existed in the companies' governing documents. By contrast, the Staff did not concur that a company could exclude a proposal asking the company's board to take the steps necessary to amend the bylaws to give shareholders the right to call a special meeting, where the company's "counterproposal" was to amend existing bylaws and charter provisions under which only the board or CEO could call a special meeting.37 Noting that shareholders were not currently permitted to call a special meeting and that the bylaw amendments would only become effective upon shareholder approval, the Staff found that both proposals sought to give shareholders the ability to call a special meeting "[and did] not present shareholders with conflicting decisions such that a reasonable shareholder could not logically vote in favor of both proposals."38 Companies considering no-action requests based on a "direct conflict" between a management and shareholder proposal should evaluate whether the proposals "directly conflict" given the nuanced position taken by the Staff in the previous requests.
Part II: Corporate Governance Developments
New Proxy C&DIs
In May 2018, Corp Fin issued 45 new C&DIs to replace the interpretations in the Telephone Interpretation Manual and the March 1999 Supplement that relate to the proxy rules and Schedules 14A and 14C.39
Board Oversight of Risk Exposure
Oversight of Social Media Risk; Disclosure Controls Impact
The SEC's recent action against Tesla and its CEO40 highlights the importance of having disclosure controls for all corporate communications and makes clear that the SEC is focused on communications from a company in any form. Accordingly, all communications made on behalf of a company must be vetted as carefully as traditional modes of communication, such as SEC filings, and companies should have formal disclosure controls and procedures in place around all corporate communications as well as a written disclosure policy that specifically covers corporate communications via social media channels. All information disclosed through social media channels must be reviewed before publication for accuracy, completeness, and compliance with any regulatory requirements. Special procedures should be put in place around corporate communications made by individual senior executives through their personal accounts to the extent that the company has individual executives communicating material information on its behalf. This is necessary even if the company has previously announced that such medium will be used for company communications (thereby indicating that it should be relied on as a Regulation FD-compliant forum for the company).
Further, companies should ensure that their disclosure policy is regularly updated to reflect the latest technological developments in social media and changes in the use of social media by corporate executives, as well as developments in applicable laws and relevant regulatory guidance. A formal communications/disclosure plan or guidelines should establish a hierarchy for clearing communications on significant corporate issues.
Oversight of Cybersecurity Risk (and Related Disclosure and Governance Considerations)
Ensuring the adequacy of a company's cybersecurity measures is a critical part of a board's risk oversight responsibilities.41 42 In February 2018, the SEC issued an interpretive release43 providing guidance (the "Cybersecurity Guidance") to assist public companies in preparing disclosures about cybersecurity risks and incidents.44 Among other things, the Cybersecurity Guidance discusses cybersecurity and its related disclosure requirements as a key element of enterprise risk management in which program development and oversight responsibilities move straight "up the corporate ladder" to officers and directors. Oversight of cybersecurity risk may be vested in a committee of the board45 or the board as a whole, and companies should make this decision carefully, as it can signal the relative importance the company places on cybersecurity issues. Directors must understand the nature of cybersecurity risk and prioritize their oversight of cyber preparedness, detection, response, and disclosure. Boards should receive periodic updates from management and any relevant expert advisors on the company's compliance with applicable standards.46 Further, board oversight of cyber risk management, including how the board engages with management on cybersecurity issues, should be disclosed to the extent cybersecurity risks are material to the business.
SEC Commissioner Kara Stein also articulated her views about board cybersecurity oversight in a September 2018 speech.47 Most notably, she: (i) supported the notion of boards retaining independent experts to provide advice on technology and cybersecurity if they lack independent expertise on the board; (ii) advised independent directors to meet with the company's CISO in executive session at least twice a year to facilitate candid dialogue about "culture, tone and the resources dedicated to both prevention and resiliency"; and (iii) emphasized the board's duty to affirm that the company's disclosures adequately reflect its significant cyber risks.
The SEC is focused on timely and accurate disclosure, as illustrated by its recent enforcement case against Yahoo,48 in which the company was fined US$35 million for failing to timely disclose a personal data breach that impacted more than 500 million user accounts. The case demonstrates that a company has an affirmative obligation to disclose a material breach in a timely manner. In addition, Yahoo's failure to consult with outside counsel and auditors may be an indication of a failure in its disclosure controls, underscoring the importance of maintaining robust internal controls around issues of cybersecurity.
The Cybersecurity Guidance encourages companies to consider their obligation to disclose cyber risks and incidents as they relate to risk factors, MD&A, description of business, legal proceedings and financial statement disclosures, along with their disclosures regarding the role of the company's board of directors in the risk oversight of the company. Companies, however, are not expected to disclose specific information about their cybersecurity systems or vulnerabilities that could compromise their cybersecurity efforts and serve as a roadmap for hackers.
The SEC has indicated that it is particularly focused on these disclosures as part of its periodic reviews for the upcoming reporting cycle, and care should be taken to craft disclosure that accurately and thoroughly addresses the company's cybersecurity risks, incidents and protocols. Companies should be aware that when reviewing a company's periodic reports, the SEC will also consider a company's disclosure on its website, in its earnings calls and in press releases; therefore, internal consistency with respect to cybersecurity disclosure is very important and should be regularly assessed.
Given this focus and the Cybersecurity Guidance, companies should review their disclosure to ensure it accurately reflects the company's cybersecurity risk profile, and the potential impact and costs of cybersecurity efforts and initiatives. This is the first year that disclosures will be drafted with this guidance in mind, and companies should pay particular attention to:
- Risk Factors: Evaluate how to communicate risks properly in light of the probability and magnitude of past and potential future cybersecurity events; consider disclosure regarding adequacy of preventive actions; discuss material industry, customer and/or supplier-specific risks that may increase the potential impact; discuss material risks related to insurance and other costs; consider disclosure regarding material risks of reputational harm; and consider disclosure regarding compliance with any applicable regulatory requirements.
- MD&A: Consider the costs of ongoing cybersecurity efforts and the consequences of cybersecurity incidents when analyzing the events, trends and uncertainties that are reasonably likely to materially impact financial condition or liquidity.
- Business Description: Include disclosure of cybersecurity incidents or risks that materially affect products, services, competitive conditions or business relationships, with additional consideration given to any unique cybersecurity risks that may stem from acquisitions.
- Financial Statements: Financial statement disclosure should include information about the range and magnitude of cybersecurity events, such as investigation and remediation costs, claims, loss of revenue, diminished future cash flow, impairment of assets, and increased financing costs.
The Cybersecurity Guidance also provides the following guidance with respect to governance policies around cybersecurity issues:
Disclosure Controls and Procedures
Companies are encouraged to adopt comprehensive policies and procedures related to cybersecurity. A company's conclusions with respect to the effectiveness of disclosure controls and procedures must be informed by management's consideration of cybersecurity risks and incidents, taking into account the degree to which cybersecurity risks impact the effectiveness of those controls and procedures.
The SEC is also focused on ensuring that a company's cybersecurity policies and governance procedures are not merely formalized in writing, but that they work in practice. For example, in September 2018, the SEC initiated an enforcement action49 against Voya Financial Advisors for violating the "Identity Theft Red Flags Rule,"50 alleging that although Voya had an identity theft prevention program in place, it did not update the program to account for changing cybersecurity risks to its customers, did not include procedures to identify the red flags that led to the intrusion, and did not provide training to its employees, and that neither the board nor a management team was involved in administering and overseeing the program. The SEC alleged that these failures allowed hackers to access social security numbers, account balances and details of client investment accounts. Companies should ensure that their procedures are regularly updated to address changing risks and that existing policies and procedures are implemented effectively, including through appropriate employee training.
Companies and their directors, officers, and other corporate insiders are reminded that information about cybersecurity risks and incidents, including vulnerabilities and breaches, may constitute material non-public information ("MNPI") for purposes of insider trading violations under the US federal securities laws.51
Regulation FD and Selective Disclosure
Companies are reminded that they should not selectively disclose MNPI regarding cybersecurity risks and incidents to Regulation FD enumerated persons before disclosing that same information to the public, and any unintentional selective disclosures will require prompt public disclosure in compliance with Regulation FD.
To prepare for a potential incident, companies should ensure they have a protocol in place to quickly inform necessary personnel, including representatives from investor relations, IT, management and internal and outside legal counsel, and to determine the appropriate timing, nature and form of potential disclosures and breach notifications. Key personnel should be trained and kept updated on their responsibilities in the event of a cybersecurity incident, and cyber breach simulations can be conducted to test the system for weaknesses and prepare personnel for action in the event of a true incident. Companies should consider adding a technical expert to their sub-certification and/or disclosure committee procedures, or include regular consultation with appropriate technical personnel and trusted advisors.
The National Institute of Standards and Technology ("NIST") Cybersecurity Framework
In April 2018, NIST released an updated cybersecurity framework52 ("Version 1.1") to clarify and refine its original 2014 framework.53 Version 1.1 encourages companies to integrate cybersecurity objectives into strategic planning and governance structures and to ensure that cybersecurity is a central part of overall risk management. It also provides new guidance on how to use the framework to conduct self-assessments of internal and third-party cybersecurity risks and mitigation strategies, includes an expanded discussion of how to manage cyber risks associated with third parties and supply chains, advances new standards for authentication and identity proofing protocols, and addresses how to apply the framework to a wide range of contexts. The framework provides a useful tool to guide and benchmark company approaches to cybersecurity risk and may impact how regulators evaluate cybersecurity programs and incident responses across sectors.
1 These include disclosure requirements, holding requirements, and black-outs (i.e., meeting requests not valid if received during a specified period before the annual meeting or after a meeting at which a similar matter was on the agenda).
2 Almost 80% of all shareholder proposals are received by S&P 500 companies.
3 Market practice includes allowing a shareholder, or group of up to 20 shareholders, who have held at least 3 percent of the company's stock for at least 3 years, to nominate up to 20 percent of the board.
4 See The 2018 CPA-Zicklin Index of Corporate Political Disclosure and Accountability, available here.
5 Equilar's Q2 2018 Gender Diversity Index can be found here.
6 The 2018 US Spencer Stuart Board Index Highlights is available here.
7 Diversity Assessment Report for Entities Regulated by the SEC. Available here.
8 46 percent of S&P 500 companies provided a board skills matrix in their 2018 proxy statements (up from 27 percent in 2017).
9 See our previous alert, "Blackrock Publishes Updated Proxy Voting Guidelines."
10 The full text of the bill is available here.
11 The petition is available here.
12 Including the US$360 billion CalPERS; the New York state Comptroller; the Illinois state Treasurer; the Connecticut state Treasurer; the Oregon state Treasurer; the U.N. Principles for Responsible Investment; and US SIF: The Forum for Sustainable and Responsible Investment.
13 Available here.
14 As part of its announcement, ISS also provided FAQs and a companion Key Issues document.
15 ISS' 2019 Voting Guidelines can be found here.
16 In addition to the below, ISS also updated its policies on director performance evaluations, reverse stock splits and environmental and social shareholder ("E&S") proposals (adding whether there are significant controversies, fines, penalties or litigation associated with the company's E&S practices as a factor it will consider).
17 Glass Lewis' 2019 Policy Guidelines can be found here.
18 In addition to the below, Glass Lewis also added clarifying language regarding its approach to the following topics: (i) peer groups, (ii) pay-for-performance, (iii) use of discretion, (iv) director compensation, and (v) bonus plans.
19 This is in response to an increase in the use of board-sponsored proposals to ratify existing charter or bylaw provisions in response to guidance from SEC staff that granted some companies' requests to grant no-action relief if companies sought to exclude shareholder proposals from their ballots by including a "conflicting" management-sponsored proposal to ratify one or more of their existing governance provisions, citing 14a-8(i)(9). See below discussion under "Shareholder Proposal and No-Action Letter Developments – SEC's Corp Fin Further Refines Rule 14a-8(i)(9) Exclusion."
20 Currently, the policy is generally applied as follows: (a) After three years of poor attendance by a director, recommend withhold from the chair of the nominating or governance committee; (b) After four years, recommend withhold from the full nominating or governance committee; and (c) After five years, recommend withhold from all nominees.
21 Available here.
22 Staff Legal Bulletin 14I. See our prior alert, "SEC Releases Timely Guidance on Shareholder Proposals."
23 See statements by Corp Fin Director William Hinman and Corp Fin Associate Director Michele Anderson at the November 2017 PLI Securities Regulation Institute, and Corp Fin Senior Special Counsel Matt McNair on a webcast presented by thecorporatecounsel.net, available here.
24 Rule 14a-8(i)(5) permits a company to exclude a proposal that "relates to operations which account for less than 5 percent of the company's total assets at the end of its most recent fiscal year, and for less than 5 percent of its net earnings and gross sales for its most recent fiscal year, and is not otherwise significantly related to the company's business."
25 Rule 14a-8(i)(7) permits a company to exclude a proposal that "deals with a matter relating to the company's ordinary business operations."
26 Dunkin' Brands Group, Inc. (avail. Feb. 22, 2018).
27 See our prior alert "SEC Releases New Guidance on Board Analyses and Rule 14a-8 Ordinary Business and Economic Relevance Exceptions."
28 These include, among other things: (i) the extent to which the proposal relates to the company's core business activities; (ii) quantitative data, including financial statement impact, illustrating whether or not the matter is significant to the company; (iii) whether the company has already addressed the issue in some manner, including the differences between the proposal's specific request and the actions the company has already taken, and an analysis of whether such differences present a significant policy issue for the company; (iv) the extent of shareholder engagement on the issue and the level of interest shareholders have expressed on the issue; (v) whether there have been other requests for the action or information sought by the proposal; and (vi) whether the company's shareholders have previously voted on the matter and, if so, how the board views those voting results.
Previous voting results were a key issue for several no-action letters submitted during the 2018 proxy season. SLB 14J makes clear that if a previously voted-on matter received "significant shareholder support," the Staff will consider whether the company has taken any subsequent action or whether other intervening events have occurred since the vote that may have mitigated or increased the issue's significance to the company. In addition, the more recent a vote, the more likely it is to indicate significance.
29 While a board analysis is not required, the SEC recently denied no-action relief to a company that did not include a board analysis in its request to exclude a shareholder proposal under the ordinary business exception. The Staff specifically noted that "the information presented includes neither a board analysis nor other analysis addressing the significance of the particular proposal to the Company's business operations" and cited SLB 14J's emphasis on the importance of including such an analysis where "the significance of a particular issue…may depend on factors that are not self-evident and that the board may be well-positioned to consider and evaluate." See Walgreens Boots Alliance, Inc. (avail. Nov. 20, 2018).
30 For example, a proposal seeking a plan to reach net-zero greenhouse gas emissions by 2030 which imposed specific time frames or methods was excludable because it was determined to be micromanaging the company. See Apple Inc. (December 5, 2016). Recently, the Staff allowed exclusion of a proposal requesting that shareholder approval be required prior to effectiveness of any new open market share repurchase programs or stock buybacks adopted by the board under the micromanagement exception, as "the [p]roposal would make each new share repurchase program and each and every stock buyback dependent on shareholder approval." See Walgreens Boots Alliance, Inc. (avail. Nov. 20, 2018).
31 For example, a proposal detailing the eligible expenses covered under a company's relocation expense policy such as the type and duration of temporary living assistance, as well as the scope of eligible participants and amounts covered, may be excludable on the basis of micromanagement.
32 It is also appropriate/acceptable for the requisite analysis to be performed by a committee of the board.
33 See Staff Legal Bulletin 14H ("SLB 14H"), available here, under which the key question in evaluating a possible Rule 14a-8(i)(9) exclusion for "conflicting proposals" is "whether a reasonable shareholder could logically vote for both proposals" because both seek a similar objective. If so, the proposals were not in "direct conflict."
34 Post-SLB 14H, the Staff addressed its application in a series of no-action responses, in each case granting no-action relief to the company under Rule 14a-8(i)(9). In all of those cases, the provisions that the companies were submitting to the shareholders for ratification already existed in the companies' governing documents. As a result, the companies were seeking only shareholder ratification; no further shareholder action was necessary to implement the charter and bylaw provisions, and in each case the Staff allowed the exclusion of the shareholder proposal seeking changes to the thresholds provided in such provisions.
35 See Illumina, Inc. (avail. March 18, 2016), AES Corporation (avail. December 19, 2017), CF Industries Holdings (avail. January 30, 2018) and Capital One (avail. Feb 21, 2018).
36 In one subsequent similar no-action response, the Staff conditioned no-action relief on the company making specified disclosures in its proxy statement. Specifically, the company had to disclose: (i) the shareholder proposal that the company omitted, (ii) that the company believes a vote in favor of ratification is tantamount to a vote against lowering the relevant threshold, (iii) the impact on the threshold, if any, if ratification is not received, and (iv) the company's expected course of action, if ratification is not received.
37 Neither the amendment to the certificate nor the amendment to the bylaws could become effective until the certificate amendment was approved by the shareholders.
38 American Airlines Group (avail. April 2, 2018).
39 The six substantive changes were:
- If action is to be taken with respect to the election of directors and the persons solicited have cumulative voting rights, a soliciting party can cumulate votes among director nominees, even if a choice has not been specified by the security holder, by simply indicating this in bold-faced type on the proxy card, as long as state law grants the proxy holder the authority to exercise discretion to cumulate votes and does not require separate security holder approval for cumulative voting. (Question 124.01)
- A registrant must file preliminary proxy materials if it receives adequate advance notice of a non-Rule 14a-8 matter that may be raised at a meeting if Rule 14a-4(c)(2) does not permit the company to exercise discretionary authority on such matter. (Question 124.07)
- A proposed change in the registrant's name, by itself, does not require the filing of a preliminary proxy statement. (Question 126.02)
- If raising proceeds through a sale of common stock is not an integral part of an acquisition transaction because at the time the acquisition consideration is payable, the registrant has other means of fully financing the acquisition, then a proposal to approve the authorization of a common stock issuance would not involve the acquisition and Note A of Schedule 14A would not apply. By contrast, if the cash proceeds from the public offering are expected to be used to pay any material portion of the consideration for the acquisition, then Note A would apply. (Question 151.01)
- If a registrant is required to disclose the New Plan Benefits Table under Item 10(a)(2) of Schedule 14A, it should list in the table all of the individuals and groups for which award and benefit information is required, even if the amount to be reported is "0"; alternatively, it can identify any such individuals or groups through narrative disclosure that accompanies the New Plan Benefits Table. (Question 161.03)
- A proxy statement seeking security holder approval for the elimination of preemptive rights from a security does involve a modification of that security for purposes of Item 12 of Schedule 14A and accordingly must contain the financial and other information required by Item 13 of Schedule 14A. (Question 161.01)
40 Tesla's Elon Musk was charged with securities fraud related to tweets in which he stated that he had secured funding to take Tesla private at a substantial premium to its then-current trading price and that the only remaining uncertainty was a shareholder vote. The SEC's complaint alleged that, in truth, Musk had not discussed specific deal terms with any potential financing partners and knew that the potential transaction was uncertain and subject to numerous contingencies, thereby making untrue statements of material fact in violation of the anti-fraud provisions of Section 10(b) of the Exchange Act of 1934. The SEC also charged Tesla with violating Rule 13a-15 of the Exchange Act for failing to have required disclosure controls and procedures relating to Musk's tweets. Despite having notified the market in 2013 that it intended to use Musk's Twitter account as a means of announcing material information about the company and encouraging investors to review Musk's tweets, Tesla had no disclosure controls or procedures in place to determine whether Musk's tweets contained information required to be disclosed in Tesla's SEC filings, nor did it have sufficient processes in place to ensure that Musk's tweets were accurate or complete. The SEC's complaint against Musk is available here and the complaint against Tesla is available here. Both Musk and Tesla settled with the SEC. Among other relief, the settlements required that: (i) Musk step down as Tesla's Chairman and be replaced by an independent Chairman. Musk will be ineligible to be re-elected Chairman for three years; (ii) Tesla will appoint a total of two new independent directors to its board; (iii) Tesla will establish a new committee of independent directors and put in place additional controls and procedures to oversee Musk's communications; and (iv) Musk and Tesla will each pay a separate $20 million penalty, to be distributed to harmed investors under a court-approved process. 
The SEC's statement on the settlement is available here.
41 The Center for Audit Quality has issued a "Cybersecurity Risk Management Oversight: A Tool for Board Members", which offers questions that directors can ask of management and the auditors as part of their oversight of cybersecurity risks and disclosures.
42 84 percent of Fortune 100 companies disclosed in their proxy statement or 10-K that at least one board-level committee was designated oversight of cybersecurity matters. At the same time, around 25 percent identified one or more "point persons" on cyber among the management team (e.g., the CISO or CIO). See EY Center for Board Matters "Cybersecurity Disclosure Benchmarking", available here.
43 Available here.
44 See our prior alert, "SEC Issues Interpretive Guidance on Public Company Cybersecurity Disclosures: Greater Engagement Required of Officers and Directors."
45 In many companies, the Audit Committee retains primary oversight of cybersecurity risks, consistent with its role in oversight of enterprise risks generally. However, in some companies it may make sense to assign primary oversight of cybersecurity to a Risk Committee that oversees a range of the company's enterprise risks or a Technology Committee focused on oversight of technology-related risks.
46 Boards are increasingly seeking director candidates with cybersecurity knowledge, although qualified candidates can be difficult to find. See EY's "Understanding the Cybersecurity Threat," available here.
47 "From the Data Rush to the Data Wars: A Data Revolution in Financial Markets" (speech given on September 27, 2018).
48 Yahoo's risk factor disclosures in its annual and quarterly reports were materially misleading in that they claimed the company only faced the "risk of potential future data breaches" that might expose the company to loss and liability "without disclosing that a massive data breach had in fact already occurred." The SEC's action is available here. For more information, see our prior alert, "SEC Fines Yahoo $35 Million for Failure to Timely Disclose a Cyber Breach."
49 The SEC's action is available here.
50 The rule requires investment firms to maintain an up-to-date program for preventing identity theft that provides "red flags" or other warning signs when hackers might be trying to steal customer information. The complete rule is available here.
51 See, for example, a recent SEC enforcement action against a software engineer at Equifax for trading in the company's securities based on confidential information he received while creating a website for consumers impacted by the company's 2017 data breach that exposed the personal information of approximately 148 million customers. The SEC's action is available here. For more information, see our prior alert, "SEC Insider Trading Charges Against Equifax Insider Highlight Need for Proper Policies and Procedures Related to Cybersecurity and Insider Trading."
52 Available here.
53 Available here.
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2018 White & Case LLP