FBI, DOJ and SEC Publish Guidance on Disclosure Delays Related to SEC Cybersecurity Rules for Issuers

The SEC’s cybersecurity rules for public companies, which became effective on December 18, 2023, require disclosure of a cybersecurity event within four business days of a determination that it is material. The rules also provide that such disclosure may be delayed for up to 30 days if the United States Attorney General (or per the U.S. Department of Justice (the “DOJ”) guidelines, the Attorney General’s authorized designees) determines that immediate disclosure would pose “a substantial risk to national security or public safety, and the United States Attorney General notifies the SEC of such determination in writing.” Two subsequent delay periods of 30 days and 60 days (in extraordinary circumstances) may also be sought.

On December 6, 2023, the U.S. Federal Bureau of Investigation (the “FBI”), in coordination with the DOJ, published guidance and a Policy Notice on how victims of cyber incidents can request disclosure delays for national security or public safety reasons. The FBI recommends that public companies first establish a relationship with the cyber squad at their local FBI field office before any potentially material cyber incident occurs. The FBI “strongly encourages” victims to engage with the FBI directly (or through U.S. Secret Service (the “USSS”), the Cybersecurity and Infrastructure Security Agency (the “CISA”) or another sector risk management agency (“SRMA”)) prior to making a materiality determination. The FBI also warns that if it does not receive a delay request “concurrently” with the materiality determination, it will not process the request. The Policy Notice outlines that the FBI is responsible for: (1) intaking delay requests on behalf of the DOJ; (2) documenting those requests; (3) coordinating checks of U.S. government national security and public safety equities, including consulting with the USSS, CISA and SRMAs as appropriate; (4) referring the request forms to the DOJ; (5) conducting follow-up victim engagement, as appropriate; and (6) coordinating and documenting requests for additional delay referrals. The FBI will also soon provide a dedicated email address for initial reporting delay requests and delay extension requests.

On December 12, 2023, the DOJ issued its departmental guidelines for material cybersecurity incident delay determinations, outlining that the “primary inquiry” for the DOJ is “whether the public disclosure of a cybersecurity incident threatens public safety and national security, not whether the incident itself poses a substantial risk to public safety and national security.”

Additionally, the SEC has made clear in recently issued Exchange Act Form 8-K compliance and disclosure interpretations that requesting a delay alone does not toll the registrant’s filing obligation. Importantly, the SEC confirmed that if the Attorney General declines to make a determination of whether disclosure of the incident poses a substantial risk to national security or public safety or does not respond before the Form 8-K otherwise would be due, the registrant must file the Item 1.05 Form 8-K within four business days of its determination that the incident is material (or within four business days of the end of the initial delay period, if the request relates to a delay extension). The director of the SEC’s Division of Corporation Finance also reiterated, in a recent speech, that a decision to contact the FBI or the DOJ about a cybersecurity incident does not trigger a materiality determination. However, this will only be relevant prior to submitting a request for delay, as the request form requires an indication of when the incident was determined to be material.

For more information, see Debevoise Insights.

Fifth Circuit Vacates SEC Share Repurchase Rules

On December 19, 2023, the Fifth Circuit vacated the Share Repurchase Disclosure Modernization rules (the “Share Repurchase Rules”) issued by the SEC, which were originally scheduled to apply to most issuers beginning with the first periodic report on either Form 10-Q or Form 10-K (or Form 20-F) in respect of the first full fiscal quarter that began on or after October 1, 2023. This followed the SEC’s failure to correct the defects identified in an October 31, 2023 decision by the Fifth Circuit in Chamber of Commerce of the USA vs. SEC that the SEC violated the Administrative Procedure Act in its rulemaking process by failing to (a) adequately respond to the Chamber of Commerce’s comments and (b) substantiate the Share Repurchase Rules’ benefits. The SEC will now need to restart its rulemaking process if it wishes to implement the Share Repurchase Rules (or a variation thereof).

The Fifth Circuit’s vacatur of the Share Repurchase Rules means that issuers will not be required to comply with the disclosure requirements of the Share Repurchase Rules. However, an issuer is required to continue to disclose aggregate monthly repurchase information in its periodic reports under Item 703 of Regulation S-K and the adoption, modification and termination of Rule 10b5-1 and other trading arrangement by directors and officers in its periodic reports under Item 408(a) of Regulation S-K, as required before the Share Repurchase Rules.

For more information, see Debevoise Insights.

Delaware Court Partially Upholds, Partially Invalidates Bylaws Requiring Advance Notice of Stockholder Nominations for a Contested Election

On December 28, 2023, the Delaware Court of Chancery decided Kellner v. AIM Immunotech et al., upholding in part and invalidating in part bylaws requiring advance notice of stockholder nominations for a contested election of directors.

The case, which according to the court “hints at what coming activism disputes may bring,” arose from the efforts of a dissident group of stockholders of AIM Immunotech (“AIM”), a microcap pharma company, to elect directors at AIM’s 2023 annual meeting. The dissident group of stockholders sought to elect three directors to AIM’s four-member board at AIM’s 2023 annual meeting. The nominations followed a 2022 election effort by some members of the dissident group, which had been stymied by AIM’s assertion that they failed to comply with the company’s advance notice bylaws—in particular, a bylaw requiring disclosure of arrangements or understandings pursuant to which nominations were to be made. The dissidents were again thwarted in 2023 after AIM beefed up its advance notice bylaws and rejected the new nominations for failing to comply with their heightened requirements.

The Court of Chancery reviewed the bylaws under a Unocal analysis, evaluating whether AIM’s board faced a threat to an important corporate interest or to the achievement of a significant corporate benefit and whether the board’s response was reasonable in relation to that threat and not preclusive or coercive to the stockholder franchise. While the court ultimately upheld the AIM board’s decision to reject the nominations, it found AIM’s amended bylaws to be “a mixed bag.” The court had no trouble finding that the AIM board had a legitimate interest in amending the bylaws to increase transparency, particularly after the company’s experience with the dissident group in 2022. However, the court found several of the AIM bylaws indeed to be unduly burdensome but declined to draw a bright line as to when a bylaw goes too far, other than to note that “the discretion afforded a board’s adoption of advance notice bylaws is not limitless.”

For more information, see Debevoise Insights.

SEC Signals New Enforcement Interest in Venture Space

The SEC recently announced both the SEC’s Division of Enforcement results for the fiscal year 2023 and the SEC’s Division of Examinations’ exam priorities for fiscal year 2024. The enforcement results reveal a continued SEC focus on conflicts of interest, calculation of management fees, allocation of expenses and valuation practices within private fund advisers, including those related to venture capital funds. Notably, 2024 marks the first year the SEC has called out venture fund advisers specifically in its Examination Priorities, noting that it will prioritize a review of “[d]ue diligence practices for consistency with policies, procedures, and disclosures, particularly with respect to private equity and venture capital fund assessments of prospective portfolio companies.” The SEC’s tools for enforcement against exempt reporting advisers are limited, but it does have the authority use anti-fraud provisions to bring charges and scrutinize disclosed due diligence practices. Ultimately, the import of the SEC’s specific reference to venture capital funds signals that venture capital fund advisers may be subject to both a wider and closer inspection by the SEC.

For more information, see Debevoise article in Daily Journal.

SEC Announces More Than $28 Million to Seven Whistleblowers

On December 22, 2023, the SEC awarded more than $28 million combined to seven individuals whose information and assistance led to a successful SEC enforcement action. The seven whistleblowers were composed of a single claimant and two sets of joint claimants. Each of the claimants provided information that significantly contributed to an SEC investigation.

Whistleblowers may be eligible for an award when they voluntarily provide the SEC with original, timely and credible information that leads to a successful enforcement action. Whistleblower awards can range from 10 to 30 percent of the money collected when the monetary sanctions exceed $1 million.

For more information, see SEC Press Release.

BarnBridge DAO Agrees to Stop Unregistered Offer and Sale of Structured Finance Crypto Product

On December 22, 2023, the SEC announced it had settled charges against BarnBridge DAO, a purportedly decentralized autonomous organization (“DAO”), and its two founders, Tyler Ward and Troy Murray. A DAO is a blockchain-based organization that allocates a pool of money or digital assets based on how its holders’ “governance tokens” vote. The SEC claims that between March 2021 and May 2023, Ward, Murray and BarnBridge, through the BarnBridge DAO website and application, offered to investors, including U.S. investors, the opportunity to invest in so-called SMART Yield pools of structured crypto-asset securities marketed as SMART Yield bonds, in violation of the Securities Act of 1933 and the Investment Company Act of 1940. To settle the SEC’s charges, BarnBridge agreed to disgorge nearly $1.5 million of proceeds from the sales, and Ward and Murray each agreed to pay $125,000 in civil penalties.

Without admitting or denying the SEC’s findings, BarnBridge, Ward and Murray agreed to cease-and-desist orders prohibiting them from violating and causing violations of the registration provisions of the Securities Act and the Investment Company Act. For more information, see SEC Press Release.

ISS and Glass Lewis Release 2024 Proxy Advisor Guidance

Institutional Shareholder Services (“ISS”) made only one revision to its 2024 proxy voting guidelines relating to executive severance agreements and golden parachutes, which are applicable to shareholder meetings held on or after February 1, 2024.

ISS will analyze shareholder proposals requiring that executive severance arrangements or payments be submitted for shareholder ratification on a “case-by-case” basis. ISS will consider, when making its recommendation on such proposals: (i) the presence of problematic features in the company’s existing severance agreements; (ii) any existing limitations on cash severance payouts or policies; (iii) any recent controversies related to the company’s severance; and (iv) whether the proposal is overly prescriptive.

Glass Lewis, in its benchmark policy guidelines for 2024, made the following noteworthy revisions:

• Board Oversight of Cyber Risk: Glass Lewis views cybersecurity as a material risk area for all companies. In the absence of material cybersecurity incidents, Glass Lewis generally will not make voting recommendations based on a company’s oversight of cybersecurity issues. However, in instances where a company has been materially affected by a cyber attack, Glass Lewis’ recommendations will depend on their evaluation of the board’s response.
• Clawback Provisions: In addition to incorporating the new NYSE and Nasdaq listing requirements, Glass Lewis has updated its views to state that effective clawback policies should provide companies with the power to recoup incentive compensation from an executive when there is “evidence of problematic decisions or actions… the consequences of which have not already been reflected in incentive payments and where recovery is warranted.” In situations where the company ultimately determines not to follow through with recovery of compensation, Glass Lewis will assess the appropriateness of that determination, which may affect Glass Lewis' overall recommendation on the advisory vote on executive compensation.
• Board Oversight of Environmental and Social Issues: Glass Lewis will examine a company’s committee charters and other governing documents when examining whether a company has “formally designed and codified” a meaningful level of oversight of a company’s material environmental and social impacts. Given the importance of the board’s role in overseeing environmental and social risks, Glass Lewis will generally recommend voting against the governance committee chair of a company in the Russell 1000 index that fails to provide explicit disclosure concerning the board’s role in overseeing these issues.
• Board Accountability for Climate-Related Issues: Glass Lewis will carefully examine the climate-related disclosures provided by companies in the S&P 500 index with material exposure to climate risk stemming from their own operations, as well as companies where Glass Lewis believes emissions or climate impacts, or stakeholder scrutiny thereof, represent an outsized, financially material risk, in order to assess whether they have produced disclosures in line with the recommendations of the Task Force on Climate-Related Financial Disclosures. Glass Lewis will also assess whether these companies have disclosed explicit and clearly defined board-level oversight responsibilities for climate-related issues. In instances where Glass Lewis finds either (or both) of these disclosures to be absent or significantly lacking, Glass Lewis may recommend voting against the chair of the committee (or board) charged with oversight of climate-related issues or, if no committee has been charged with such oversight, the chair of the governance committee.

The Glass Lewis guidelines also include updates relating to executive ownership policies, proposals for equity awards for shareholders with large company holdings, net operating loss poison pills and control share statutes. These guidelines are applicable to shareholder meetings held on or after January 1, 2024.

For more information, see Debevoise Insights.

FCA Publishes Near-Final Proposals for Major Reforms to the UK Listing Regime

On December 20, 2023, the Financial Conduct Authority (the “FCA”) published a further consultation paper (the “Consultation Paper”) setting out near-final proposed reforms to the UK equity listing regime and inviting feedback by March 22, 2024 (except for comments on sponsor competence, which are due on February 16, 2024). These proposals follow an earlier consultation paper published by the FCA in May 2023 (“CP23/10”), which sought views on an earlier set of proposals by the FCA. The proposals seek to simplify the UK listing regime, including initial listing eligibility and ongoing compliance rules, and encourage listings in the United Kingdom.

The latest recommendations maintain the theme of increasing flexibility by replacing the current rules-based regime with a disclosure-based approach. The proposed reforms include a proposal for a single segment for equity shares (which would replace the current standard and premium listing segments). New proposals, following feedback gathered on the prior consultation paper published in May 2023, include widening the group of people who may receive shares carrying enhanced voting rights, maintaining the requirement for relationship agreements to be put in place for controlling shareholders, simplifications to the significant transactions regime and greater clarity on the proposed separate categories for other types of securities and transitional listing arrangements. The FCA intends to publish the final Listing Rules in the second half of 2024, with the new Listing Rules coming into force shortly thereafter.

For more information, see Debevoise Insights.

SEC Rule-Making Agenda

The SEC’s Fall 2023 Regulatory Agenda was posted in December 2023. A summary of key rule changes is included below. We expect the spring 2024 agenda to be released by June 2024. For more information, see the full regulatory agenda here.