The SEC is Zeroing in on Disclosure Controls
The Securities Exchange Act Rule 13a-15 requires SEC reporting companies to maintain disclosure controls and procedures to ensure that information required to be disclosed “is recorded, processed, summarized and reported” in a timely manner. Among other things, disclosure controls and procedures must be designed to ensure that information required to be disclosed “is accumulated and communicated to the issuer's management, including its principal executive and principal financial officers, or persons performing similar functions, as appropriate to allow timely decisions regarding required disclosure.”
Historically, disclosure control violations have been something of an afterthought in SEC enforcement cases. During the last few years, however, disclosure control violations have moved, if not to center stage, at least out of the wings. See, e.g., SEC Takes a Dim View of Sugar-Coating Cybersecurity Breaches, August 2021 Update (company failed to disclose a known cybersecurity breach despite a cybersecurity risk factor because it failed “to maintain disclosure controls and procedures designed to analyze or assess such incidents for potential disclosure in the company’s filings.”) and ESG Meets Disclosure Controls in an SEC Enforcement Action, February-March 2023 Update (company failed to maintain disclosure controls and procedures to collect information relating to its ability to attract and retain talented personnel, one of its risk factors; no actual disclosure violation charged). Two recent SEC enforcement actions shine a spotlight on the importance of disclosure controls.
On March 9, the Commission filed an administrative enforcement action against Blackbaud, Inc., a South Carolina company that provides donor relationship management software to non-profit organizations. The SEC’s order states that, in 2020, Blackbaud was the target of a ransomware attack, and that, on July 16, 2020, Blackbaud disclosed the cyberattack on its website. The website post indicated that the intruder did not access any donor bank account information or social security numbers. A few days after this post, the company’s technology and customer relations personnel learned that the attacker had in fact accessed donor bank account information and social security numbers. These personnel did not, however, communicate the new information to senior management responsible for disclosure, and no policy or procedure was in place to ensure that they did so.
On August 4, 2020, the company filed a Form 10-Q that discussed the cyberattack but did not disclose that donor financial information had been accessed and downloaded. Instead, the Form 10-Q contained a risk factor that treated the loss of sensitive donor information as merely a hypothetical possibility: “A compromise of our data security that results in customer or donor personal or payment card data being obtained by unauthorized persons could adversely affect our reputation with our customers and others, as well as our operations, results of operations, financial condition and liquidity and could result in litigation against us or the imposition of penalties.” Almost two months later, on September 29, Blackbaud filed a Form 8-K which disclosed for the first time that the attacker had, in fact, accessed and removed unencrypted bank account information and social security numbers of some donors.
In its administrative order, to which the company consented without admitting or denying the allegations, the SEC finds that Blackbaud’s disclosures concerning the ransomware attack were misleading and that it failed to maintain the required disclosure controls and procedures. With respect to the latter, the order states:
“[T]he company’s senior management responsible for the company’s disclosures were not made aware of these facts [i.e., that the attacker accessed and exfiltrated sensitive donor information] prior to the company filing its Form 10-Q on August 4, 2020, or indeed until several weeks later, nor were there controls or procedures designed to ensure that such information was communicated to senior management. The company did not have controls or procedures designed to ensure that information relevant to cybersecurity incidents and risks were communicated to the company’s senior management and other disclosure personnel. As a result, relevant information related to the incident was never assessed from a disclosure perspective.”
Blackbaud consented to a cease-and-desist order against further violations and to a $3 million civil penalty.
DXC Technology Company
On March 14, five days after the Blackbaud case, the SEC issued an administrative order against DXC Technology Company, an information technology company with its principal office in Virginia. The DXC matter involves the publication of misleading non-GAAP financial measures. Like many companies, DXC discloses non-GAAP net income, non-GAAP earnings per share, and certain other non-GAAP metrics. These non-GAAP numbers were derived by excluding transaction, separation, and integration-related (“TSI”) costs. DXC described TSI costs as those “related to integration planning, financing, and advisory fees associated with the merger that formed DXC, other acquisitions, and the spin-off of a business.” However, according to the Commission, DXC materially increased its non-GAAP earnings by misclassifying certain expenses as TSI costs and improperly excluding them from its non-GAAP measures. As a result, non-GAAP net income and non-GAAP diluted EPS in various periodic reports and earnings releases were materially misleading.
As to disclosure controls and procedures, the Commission alleges that DXC had no formal guidance to determine which costs could be classified as TSI and instead relied on an informal process. That process lacked documentation of the basis on which an expense might be classified as a TSI cost, of how the expense related to a transaction or integration project, or of the expected amount or duration of the cost. These problems were compounded by the fact that individuals in the controller’s office who reviewed and approved the classification of TSI costs for non-GAAP reporting purposes apparently believed that the unit responsible for initially identifying and recommending TSI costs “had more robust procedures than it actually did for analyzing and vetting the TSI costs before forwarding the aggregated costs to the controllership.”
The order states:
“[T]he company had no process by which its employees evaluated whether proposed TSI costs were consistent with the description of TSI costs included in its non-GAAP disclosure. In turn, there was similarly no process by which the individuals and reviewers responsible for the TSI disclosure actually assessed the nature of specific TSI costs to determine whether the description in the disclosure matched DXC’s practices.”
On the basis of these facts, the Commission finds that DXC committed various disclosure and reporting violations, including violations of the Commission’s rules relating to non-GAAP financial measures. In addition, the Commission finds that DXC violated Rule 13a-15 in that “DXC lacked company-wide disclosure controls and procedures to ensure that TSI costs were identified, reviewed, and approved for appropriate inclusion in the TSI adjustment in a manner consistent with their disclosure.” In settling the case, DXC consented, without admitting or denying the allegations, to develop and implement various policies and disclosure controls and procedures related to the disclosure of non-GAAP measures. The company also consented to a cease-and-desist order against further violations and to an $8 million civil penalty.
Comment: Disclosure controls and procedures have become a hot button issue. The SEC enforcement actions in this area suggest several lessons that audit committees may want to keep in mind when discussing disclosure controls with management. For example –
The relationship between cybersecurity breach investigations and disclosure is an area of focus. In particular, there should be controls that make sure that the technology staff that investigates breaches is in communication with management personnel responsible for disclosure. The risks of communications breakdowns in this area are underscored by the fact that the SEC has proposed, and will likely soon adopt, new disclosure requirements around cybersecurity incidents. See SEC Proposes Cyber Risk Management and Attack Reporting Requirements, March 2022 Update.
There should be a match between risk factor disclosure and disclosure controls and procedures. If a risk is significant enough to be included in risk factor disclosure, there should be controls that ensure that information bearing on this risk comes to the attention of disclosure management so that consideration can be given to the need for additional or modified disclosure. See ESG Meets Disclosure Controls in an SEC Enforcement Action, February-March 2023 Update.
Risk factors are necessarily often phrased in hypothetical terms – highlighting the possible consequences of events that may occur. However, continuing to describe a risk and its consequences as hypothetical after a relevant event has actually occurred is a red flag. Controls focused on risk factors need to encompass not just whether to disclose the event, but also whether to modify the risk factor. See SEC Takes a Dim View of Sugar-Coating Cybersecurity Breaches, August 2021 Update.