Non-GAAP: the Pendulum Swings Back CONTENTS EARNINGS

July/August 2016 • Volume 24, Number 4

EARNINGS GUIDANCE CONTENTS EARNINGS GUIDANCE Non-GAAP: The Pendulum Non-GAAP: The Pendulum Swings Back Swings Back 1 By Pam Marcogliese and Dase Kim By Pam Marcogliese and Dase Kim DISCLOSURE The practice of reporting non-GAAP earn- Reinventing Disclosure: The SEC’s ings is back on the Security and Exchange Commission’s (SEC) radar, highlighted in recent Regulation S-K Concept Release 7 speeches by SEC Chair Mary Jo White,1 Chief By Mark Plichta, John Wilson, Accountant James Schnurr2 and Deputy Chief Megan Odroniec, and Richard Dancy Accountant Wesley Bricker.3 A series of news articles focusing on the increasing number of companies that report non-GAAP earnings SHAREHOLDER ENGAGEMENT (often confusingly called “pro forma” earnings) Shareholder Engagement: Governance and the widening gap between these companies’ Experts Share Perspectives 12 reported GAAP and non-GAAP earnings have also shed negative light on using NGFMs.4 By Abby E. Brown, Carolyn J. Buller, and Wendy K. LaDuca The ‘New’ Old Problem EXECUTIVE COMPENSATION The use of non-GAAP financial measures (NGFMs) and the concerns they raise are not Gender Pay Equity In Focus 16 new. In the 1990s, it was popular for compa- By Jon Weinstein and Ashley Meischeid nies, especially Internet technology firms during the first “dot-com” boom, to use NGFMs to report earnings. The SEC took note. In CYBERSECURITY September 1998, Arthur Levitt, then-chairman of the SEC, gave a speech titled “The ‘Numbers Director Cyber Risk: Insights from Game’,” in which he expressed concerns about Shareholder Derivative Lawsuits 17 By Melissa J. Krasnow Continued on page 2 AUDIT COMMITTEES © 2016 Cleary Gottlieb Steen & Hamilton LLP. Pam Marcogliese is a partner, and Dase Kim is an associate, of PCAOB Again Issues Proposal Cleary Gottlieb Steen & Hamilton LLP. to Change Audit Report 22 By Michael Scanlon, Brian Lane, Lori Zyskowski, and Michael Titera the widespread practice of “earnings manage- Not long after publishing the C&DIs, ment” (lamenting that there is a gray area the SEC staff exhibited signs of regret. In “where earnings reports reflect the desires of December 2011, at an AICPA national confer- management rather than the underlying finan- ence, then-Director of the SEC’s Division of cial performance of the company”).5 Corporation Finance Meredith Cross warned companies against abusing NGFMs under the A few years later in October 2000, Lynn new guidance (telling them to “knock it off”), Turner, then the SEC’s Chief Accountant, and Deputy Chief Accountant Craig Olinger coined the term “EBS” or “Everything but reminded the audience that although NGFMs Bad Stuff,” and told investors to be wary of can be helpful to investors, “non-GAAP mea- EBS earnings releases that provide “incomplete sures that are misleading are not allowed or inaccurate” information.6 As the use of anywhere.”12 NGFMs continued to proliferate, in December 2001, the SEC issued “Cautionary Advice,” In the same year, SEC comments on Groupon’s alerting companies and their advisors that an IPO registration statement led to the removal NGFM, “under certain circumstances, can mis- of an NGFM called “Adjusted Consolidated lead investors if it obscures GAAP results,”7 Segment Operating Income,” because the exclu- and in January 2002, the SEC brought its first sion of online marketing expenses (which the enforcement action based on a misleading use SEC viewed as a “normal, recurring operating of NGFMs.8 cash expenditure”) from the company’s results of operations was potentially misleading to After the Enron scandal and the dot-com investors.13 In 2013, David Woodcock, chairman market crash, the Sarbanes-Oxley Act of 2002 of the SEC’s newly created Financial Reporting directed the SEC to adopt rules on NGFMs, and Audit Task Force, said in a speech that the and in January 2003 it adopted Regulation G task force was scrutinizing companies’ use of and Item 10(e) of Regulation S-K requiring NGFMs.14 companies to satisfy certain conditions in connection with the use of NGFMs.9 The cumula- Highly publicized news reports about the tive effect of the Cautionary Advice, the new use of NGFMs by companies whose shares rules and the related FAQs published in June are under-performing, such as Valeant15 or 2003, and SEC comments on company filings, Twitter,16 added to the perception that NGFMs generally chilled the use of NGFMs for the bet- were being used by certain companies to mis- ter part of a decade. characterize their performance.

Then in 2010, the SEC seemed to acknowl- Renewed SEC Focus edge that the pendulum had swung too far against NGFMs. The SEC staff published new Now it looks as though the swing toward Compliance and Disclosure Interpretations discouraging NGFMs is gathering momentum. (C&DIs) in January 2010 that reflected a policy The recent speeches by White and Schnurr men- change to allow more liberal use of NGFMs by tioned previously indicate that the short-lived era companies in public disclosures.10 For example, of the SEC’s relaxed attitude toward NGFMs is the SEC staff made it clear in the C&DIs that over and there is now a renewed effort by the adjustments reflected in an NGFM would be SEC to scrutinize the use of NGFMs. In her permissible, subject to Regulation G and Item speech, White noted that the use of NGFMs 10(e) of Regulation S-K, even if such adjust- “deserves close attention, both to make sure ments are not “non-recurring, infrequent or that our current rules are being followed and to unusual.”11 Companies embraced this new guid- ask whether they are sufficiently robust in light ance by steadily increasing their use of NGFMs of current market practices.” She recommended in SEC filings and earnings reports ever since— that companies’ finance and legal teams, along perhaps a little too enthusiastically. with audit committees, carefully consider the

The Corporate Governance Advisor 2 July/August 2016 reasons for using NGFMs and whether such company either revise the disclosure or discon- NGFMs are useful to investors.17 tinue using the NGFM in question.21

Schnurr confirmed that the SEC staff will “continue to be vigilant in their review of the What Does the SEC Expect use of [NGFMs] for compliance with the rules,” Companies to Do? but believed that company management and the audit committee should go beyond mere com- The SEC has begun to give some indication pliance and ask “probing questions on why” of the way it expects companies to act through certain NGFMs are appropriate and provide the C&DIs, as well as the speeches and recent useful information to investors compared to comment letters. So what should a company do? GAAP financial measures. Mark Kronforst, Chief Accountant of the SEC’s Division of • Management and the audit committee should Corporation Finance, was more explicit – at a re-examine the company’s use of NGFMs in conference held in May 2016, Mr. Kronforst SEC filings and other public disclosures, par- was quoted as saying “[the SEC is] going to ticularly in light of the SEC staff’s focus on crack down” on the companies’ misuse of general prohibition of misleading measures, NGFMs.18 and evaluate the number of NGFMs it uses, the complexity of the NGFMs and whether The SEC staff were not bluffing. On May 17, it has substantive justification for using each 2016, the SEC Division of Corporation Finance of the NGFMs. released new and updated Compliance and Disclosure Interpretations (“C&DIs”) on the • Give equal or greater prominence to the use of NGFMs, which introduced new prohibi- directly comparable GAAP measure con- tions on practices that were previously consid- sistent with the C&DIs, particularly when a ered permissible and clarified which practices NGFM is used in headings or bullet points the SEC staff would consider to be mislead- in an earnings release. Pay close attention to ing.19 Overall, the C&DIs signal a tightening of the order of appearance (a NGFM cannot the SEC’s policy toward NGFMs and renewed precede the most directly comparable GAAP SEC focus on their use. measure) and style of presentation (a NGFM cannot be emphasized by using a descrip- After these speeches and the C&DIs, we tive characterization or a different font size/ expect the SEC to continue to carefully scru- style without equally emphasizing the most tinize the use of NGFMs in company filings, directly comparable GAAP measure). earnings releases and other public disclosures, and to ramp up its efforts to enforce full com- • Avoid presenting a non-GAAP revenue mea- pliance with the existing rules and its guid- sure that backs out the effect of GAAP ance. Following the release of the C&DIs, Mr. revenue recognition principles applicable to Kronforst reiterated at a PCAOB panel discus- the company’s business, which the SEC staff sion that companies should expect an uptick could view as per se misleading. A similar in the number of SEC comments on NGFMs approach to other financial statement line and that the SEC intends to curb the use of cer- items may also be problematic under the SEC tain NGFMs.20 The SEC appears particularly staff’s guidance.22 focused on general prohibition of NGFMs that could be misleading: Even when a company is • Do not present a NGFM on a per-share in technical compliance with the rules, if the basis if the NGFM can be used as a liquidity SEC is not satisfied with the purported useful- measure, regardless of whether management ness of the NGFM or finds the NGFM to be presents it as a performance or liquidity mea- potentially misleading to investors, the SEC sure. For this reason, per-share presentation may issue comment letters requesting that the of EBIT and EBITDA is prohibited.

Volume 24, Number 4 3 The Corporate Governance Advisor Avoid asymmetrical exclusion of expense • Include the reconciliation in the same disclo- items without similarly excluding revenue or sure as the NGFMs, except that a link or ref- gain items (so-called, “cherry-picking”). erence to a Web site containing the required information may be provided if the NGFM • Use a specific, substantive explanation for is disclosed orally, telephonically, by webcast, making an adjustment to a GAAP measure by broadcast, or by similar means. instead of relying on adjectives like “non- recurring” or “one-time” if the excluded item • Ensure that earnings releases comply with the is of a type that has occurred in the past or affirmative requirements under Item 10(e)24 is likely to recur in the future. However, if of Regulation S-K, even when they are “fur- the adjustment is a “normal, recurring, cash nished” under Item 2.02 of Form 8-K. This operating expense” that is a core element of trap for the unwary catches many companies, the company’s business or strategy, the SEC so review earnings releases as carefully as may view the NGFM as misleading.23 any SEC filed document. And, even though the SEC has not required compliance with • Be careful about changing the definition of certain other provisions of Item 10(e) (for NGFMs from period to period. If a change example, avoid using titles or descriptions of is necessary, the company should be trans- NGFMs that are the same as or confusingly parent about the reasons for the change and similar to GAAP financial measures), com- discuss comparability with prior periods (and panies should generally try to comply with provide, if the change is significant, the recast those provisions as well. measures for prior periods using the new definition). • Although in many cases foreign private issuers (FPIs) are exempt from the rules regarding • Present non-GAAP income tax effects that NGFMs, disclosures by FPIs in the US press or are appropriately calculated to reflect the in the US edition of a foreign newspaper high- nature of the NGFM. For example, if a lighting their financial results may be viewed as company’s income tax rate is low due to targeting persons in the United States. In such certain expenses that are excluded from a cases, FPIs should ensure that any NGFMs non-GAAP income measure, when showing used in the disclosure comply with the rules.25 the income tax effects on such NGFM, the company cannot apply the same low tax rate to calculate the non-GAAP tax expense while Notes using the higher non-GAAP taxable income. 1. Chair Mary Jo White, “Maintaining High-Quality, Reliable Financial Reporting: A Shared and Weighty • Use customary cautionary statements, such Responsibility,” Keynote Address at the 2015 AICPA as those advising that the company’s NGFMs National Conference (Dec. 9, 2015), available at https:// may not be comparable to similarly titled www.sec.gov/news/speech/keynote-2015-aicpa-white.html, last accessed May 24, 2016. NGFMs used by other companies and that an NGFM is merely a supplement to, and not a 2. Chief Accountant James V. Schnurr, Remarks before replacement of, a GAAP financial measure. the 12th Annual Life Sciences Accounting and Reporting Congress (Mar. 22, 2016), available at https://www.sec.gov/ news/speech/schnurr-remarks-12th-life-sciences-accounting- • Provide the directly comparable GAAP mea- congress.html, last accessed May 24, 2016. sure and reconciliation for any forward-looking 3. Deputy Chief Accountant Wesley R. Bricker, Remarks NGFM (for example, forecast, guidance or pro- before the 2016 Baruch College Financial Reporting jection) unless it requires “unreasonable efforts” Conference (May 5, 2016), available at https://www.sec.gov/ (in which case, the company must disclose that news/speech/speech-bricker-05-05-16.html. fact, identify information that is unavailable, 4. See, e.g., Justin Lahart, “S&P 500 Earnings: Far Worse and disclose its probable significance at a loca- Than Advertised,” The Wall Street Journal (Feb. 24, 2016) tion of equal or greater prominence). (subscription required); Dave Michaels, “Fuzzy-Math

The Corporate Governance Advisor 4 July/August 2016 Accounting Chided by Buffett Gets Fresh SEC Scrutiny,” 13. See Groupon, Inc., Response Letter to the SEC Bloomberg (Mar. 1, 2016), available at http://www.bloomberg. (Aug. 10, 2011), available at https://www.sec.gov/Archives/ com/news/articles/2016-03-01/fuzzy-math-accounting- edgar/data/1490281/000104746911007179/filename1.htm, chided-by-buffett-gets-fresh-sec-scrutiny, last accessed last accessed May 24, 2016. May 24, 2016; Theo Francis and Kate Linebaugh, “U.S. Corporations Increasingly Adjust to Mind the GAAP,” 14. Michael Rapoport, “SEC Task Force Probes Use of The Wall Street Journal (Dec. 14, 2015) (subscription Non-GAAP Metrics,” The Wall Street Journal (Dec. 10, required); and Gretchen Morgenson, “Fantasy Math Spins 2013), available at http://www.wsj.com/articles/SB100014 Losses Into Profits,” The New York Times (Apr. 24, 2016). 24052702303330204579250654209426392, last accessed May 24, 2016 (subscription required). 5. Chairman Arthur Levitt, The “Numbers Game,” Remarks at NYU Center for Law and Business (Sept. 28, 1998), 15. Gretchen Morgenson, “Valeant’s Fantastic(al) Numbers,” available at https://www.sec.gov/news/speech/speecharchive/ The New York Times (Nov. 1, 2015). 1998/spch220.txt, last accessed May 24, 2016. 16. Richard Beales, “Tweet Nothings,” Breaking Views 6. Chief Accountant Lynn E. Turner, Remarks to the (Feb. 12, 2016), available at http://www.breakingviews. 39th Annual Corporate Counsel Institute (Oct. 12, 2000), com/bad-finance-mind-the-non-gaap-@twitter-and- available at https://www.sec.gov/news/speech/spch418.htm, beyond/21235243.article, last accessed May 24, 2016. last accessed May 24, 2016. 17. Although Chair White asked in her speech “whether 7. Securities and Exchanges Commission, Cautionary [current rules] are sufficiently robust in light of current Advice Regarding the Use of “Pro Forma” Financial market practices,” it is unclear when, or whether, the SEC Information in Earnings Release (Dec. 4, 2001), available at will propose new rules on NGFMs, particularly insofar as https://www.sec.gov/rules/other/33-8039.htm, last accessed the SEC wishes to address the use of NGFMs it believes May 24, 2016. may be inherently misleading even though literally accurate. See Dave Michaels and Michael Rapoport, “SEC 8. In re: Trump Hotels & Casino Resorts, Inc., Securities Signals It Could Curb Use of Adjusted Earnings Figures,” and Exchange Commission Administrative Proceeding, File The Wall Street Journal (Mar. 16, 2016), available at http:// No. 3-10680 (Jan. 16, 2002), available at https://www.sec.gov/ www.wsj.com/articles/sec-scrutinizing-use-of-non-gaap- litigation/admin/34-45287.htm, last accessed May 24, 2016. measures-by-public-companies-1458139473, last accessed 9. Generally, and subject to certain exceptions, Regulation May 24, 2016 (subscription required), which points out G applies to all public disclosures of NGFMs made by that “Ms. White is likely to leave the commission sometime SEC reporting companies, and Item 10(e) of Regulation before the end of the Obama administration, meaning rule S-K applies to NGFMs that are used in “filings” with the changes likely aren’t imminent.” SEC (except earnings releases that are “furnished” under Item 2.02 of Form 8-K are subject to Item 10(e)(1)(i) of 18. Thomson Reuters Tax & Accounting News, Non- Regulation S-K (i.e., just the “affirmative” requirements GAAP Measures Hit With Crackdown (May 6, 2016), under Item 10(e)(1)(i)). Fundamentally, the rules require https://tax.thomsonreuters.com/media-resources/news- that, each time an NGFM is used, the disclosure must media-resources/checkpoint-news/daily-newsstand/ also present the most directly comparable GAAP financial non-gaap-measures-hit-with-crackdown. measure (for Item 10(e) of Regulation S-K, with “equal or 19. The C&DIs are available at https://www.sec.gov/ greater prominence”) and provide a reconciliation of the divisions/corpfin/guidance/nongaapinterp.htm. NGFM to such GAAP measure. For more in-depth discussions of the technical requirements under these rules, see our 20. Public Company Accounting Oversight Board, memo, “SEC Relaxes Guidance on Non-GAAP Financial Standing Advisory Group Meeting (May 18-19, 2006), Measures” (Jan 15, 2010) and the related memos attached webcast and audio available at https://pcaobus.org/News/ to it, available at https://www.clearygottlieb.com/news-and- Events/Pages/SAG-meeting-May-2016.aspx. insights/publication-listing/sec-relaxes-guidance-on-non-gaap- financial-measures5, last accessed May 24, 2016. 21. A recent SEC comment to ConocoPhillips is illus- trative. In its 2014 10-K, ConocoPhillips used a “price 10. Securities and Exchange Commission, Compliance normalized” NGFM that applied 2013 commodity prices and Disclosure Interpretations—Non-GAAP Measures, across different time periods. The company’s explanation available at https://www.sec.gov/divisions/corpfin/guidance/ for normalizing commodity prices to a base year was nongaapinterp.htm, last accessed May 24, 2016. to show its underlying performance across time periods 11. Id., Question 102.03. based primarily on factors that the management could control. Although the 10-K disclosure was compliant with 12. Emily Chasan, “SEC: ‘Knock It Off’ on Bogus Non- all of the requirements of Item 10(e) of Regulation S-K, GAAP Measures,” The Wall Street Journal (Dec. 5, 2011), the SEC objected to the company’s approach and asked available at http://blogs.wsj.com/cfo/2011/12/05/sec-knock- the company to stop using the NGFM, and the company it-off-on-bogus-non-gaap-measures, last accessed May 24, agreed to do so. See ConocoPhillips, Response Letter 2016 (subscription required). to the SEC (June 8, 2015), available at https://www.sec.

Volume 24, Number 4 5 The Corporate Governance Advisor gov/Archives/edgar/data/1163165/000119312515228129/ the company’s business. See Valeant Pharmaceuticals filename1.htm, last accessed May 24, 2016. International, Inc. Response Letter to the SEC (Dec. 18, 2015), available at https://www.sec.gov/Archives/edgar/ 22. For further discussion on this topic, please see our data/885590/000134100415000930/filename1.htm. memo, “SEC Releases New Guidance on Non-GAAP Financial Measures” (May 18, 2016), available at https:// 24. See supra n.9. www.clearygottlieb.com/~/media/cgsh/files/alert-memo-pdf- 25. There may also be local regulatory requirements regarding version-201653.pdf. use of NGFMs to which FPIs are subject. In an effort to 23. The SEC’s comment on Groupon’s IPO discussed in harmonize the rules governing NGFMs across different the text accompanying supra note 13 is an example of this jurisdictions, in June 2016, the Board of the International prohibition. More recently, the SEC objected to Valeant’s Organization of Securities Commission published a Statement removal of acquisition-related expenses from its NGFMs, on Non-GAAP Financial Measures (available at https://www. given that acquisitions are part of a critical strategy of iosco.org/library/pubdocs/pdf/IOSCOPD532.pdf).

The Corporate Governance Advisor 6 July/August 2016 DISCLOSURE

Reinventing Disclosure: The SEC’s Regulation S-K Concept Release By Mark Plichta, John Wilson, Megan Odroniec, and Richard Dancy

On April 13, 2016, the US Securities and White has recently referred to as a crucial ongo- Exchange Commission (SEC) issued a concept ing responsibility of the SEC. release discussing and requesting public comment on the business and financial disclosure Key Concepts and Elements required by Regulation S-K. The concept release represents an important first step toward the The concept release addresses an expansive reform and modernization of Regulation S-K. list of topics and the SEC’s discussion of these topics is extensive; however, there are several key concepts and elements that are discussed Background: The SEC’s Disclosure throughout the concept release, including the Effectiveness Initiative following. The concept release is part of the SEC’s ongo- Principles-Based Disclosure vs. ing Disclosure Effectiveness Initiative, which is Prescriptive Disclosure a broad-based review of the SEC’s disclosure requirements and the presentation and delivery The concept release discusses and com- of disclosures that registrants make to investors. pares the merits of principles-based disclosure, The Disclosure Effectiveness Initiative began in 2013, following the SEC’s production of a report to Congress on its disclosure rules for US public companies, as mandated by the Jumpstart Our Business Startups (JOBS) Act. Following that report, the SEC initiated a comprehensive review Copyright © 2016 CCH Incorporated. All Rights Reserved. of the disclosure requirements in Regulation S-K The CORPORATE GOVERNANCE ADVISOR (ISSN 1067-6171) and Regulation S-X to make recommendations is published bimonthly by Wolters Kluwer at 76 Ninth Avenue, New York, NY 10011. Subscription rate, $835 for one year. on how to update those requirements to facilitate POSTMASTER: Send address changes to THE CORPORATE timely, material disclosure by companies and GOVERNANCE ADVISOR, Wolters Kluwer, 7201 McKinney Circle, Frederick, MD 21704. Send editorial correspondence to access to information by shareholders. Wolters Kluwer, 76 Ninth Avenue, New York, NY 10011. To subscribe, call 1-800-638-8437. For Customer service, call 1-800-234-1660. This material may not be used, published, broadcast, rewritten, copied, The purpose of the concept release is to redistributed or used to create any derivative works without prior writ- revisit the business and financial disclosure ten permission from the publisher. requirements in Regulation S-K and to assess This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the whether such requirements continue to provide understanding that the publisher is not engaged in rendering legal, the information that investors need to make accounting, or other professional services. If legal advice or other professional assistance is required, the services of a competent profes- informed investment and voting decisions and sional person should be sought. whether any of the existing rules have become —From a Declaration of Principles jointly adopted by a committee outdated or unnecessary. The SEC intends of the American Bar Association and a Committee of Publishers and to use the feedback collected from the con- Associations. Permission requests: For information on how to obtain permis- cept release to further its goal of optimizing sion to reproduce content, please go to http://www.wklawbusiness. Regulation S-K, a goal that SEC Chair Mary Jo com/footer-pages/permissions. Purchasing reprints: For customized article reprints, please contact Wright’s Media at 1-877-652-5295 or go to the Wright’s Media © 2016 Foley & Lardner LLP. Mark Plichta and John website www.wrightsmedia.com. Wilson are partners, Megan Odroniec is senior counsel, and www.wklawbusiness.com Richard Dancy is an associate, of Foley & Lardner LLP.

Volume 24, Number 4 7 The Corporate Governance Advisor which is based on principles such as “mate- The SEC also seeks input on several alternate riality,” and the merits of prescriptive disclo- approaches to the periodic disclosure regime sure, which is based on objective line-item that could result in less year-to-year repetition requirements, bright-line tests, and required and comparison of prior periods and less fre- tabular presentation. The concept release notes quent periodic reporting. that principles-based disclosure offers a more flexible, management-oriented approach that allows individual registrants to tailor disclo- Expanding Disclosure sures to provide the information that is most In addition to requesting comments on relevant and material to the individual regis- methods for streamlining disclosure, the con- trant and omit irrelevant or immaterial infor- cept release examines the “other side of the mation. Conversely, the concept release notes coin” and requests comments on whether new that prescriptive disclosure provides investors or expanded disclosure is necessary to reflect with the ability to more easily make compari- changes in the market and recent stakeholder sons between registrants because information is input. The concept release includes numerous presented in a more standardized form. requests for comment on whether the items of Regulation S-K should be expanded or modi- The SEC seeks input on which approach is fied to, among other things, adopt disclosure the most effective and cost-efficient by request- approaches that have become common in cer- ing input on a variety of questions, including tain industries and require greater disclosure of whether certain line-item disclosures (both nar- industry-specific metrics. The SEC is also seek- rative and tabular) should be added or removed ing input on the utility of increased periodic from Regulation S-K; whether additional and intra-period reporting. industry-specific disclosure should be required in periodic reports; and whether qualitative or The concept release also explores the value quantitative thresholds should be added to or of new disclosure topics not currently required removed from existing disclosure requirements. under Regulation S-K. The SEC asks whether (and which) sustainability and public policy issues are important to voting and investment Streamlining Disclosure decisions and an understanding of a registrant’s A significant portion of the concept release is business and financial condition. In addition, devoted to determining how to make the exist- the SEC is requesting input on how to create ing disclosure framework under Regulation disclosure requirements that adequately address S-K more effective and cost-efficient to inves- such issues without resulting in disclosure that is tors and registrants. The SEC asks whether immaterial or otherwise obscuring to investors. certain required disclosures and disclosure frameworks should be consolidated with other, similar disclosure requirements or eliminated Presentation of Information altogether. The SEC acknowledges that technology and the way investors obtain information regarding In addition, the concept release includes a registrants has changed over time, and is there- discussion of the scaled disclosure requirements fore seeking input on how these changes may available to smaller reporting companies and be reflected in the presentation of information emerging growth companies. The SEC requests in periodic reports. In particular, the SEC cites input on how to further scale or eliminate the widespread use of the Internet by investors disclosures applicable to these companies in when requesting comments on whether the addition to exploring whether additional types SEC should permit the increased use of cross of registrants, including larger registrants with references, hyperlinks and registrant Web site established reporting histories, should be eli- disclosure to satisfy the reporting requirements gible for a form of scaled disclosure. of Regulation S-K.

The Corporate Governance Advisor 8 July/August 2016 The concept release further discusses information disclosed in these areas without whether changes in technology have made it overburdening registrants or investors. possible for registrants to provide information in a more disaggregated manner, or whether there is practical and regulatory value in Core Company Business Information requiring information to be contained in one The concept release seeks comment on consolidated source. expanding, contracting, and otherwise reform- ing the key business disclosures under Items 101 and 102 of Regulation S-K regarding Audience Sophistication development of the business; narrative descrip- The concept release solicits information on tion of the business; technology and intellec- the type of investors that are actually reading tual property rights; government contracts; and utilizing the materials that are filed by compliance with environmental laws; govern- registrants on EDGAR. Throughout the con- ment regulation; employees; and description cept release, comments are requested regarding of property. whether certain disclosures are for the benefit of, and, as a result, should be tailored toward, Company Performance, Financial more sophisticated institutional investors or Information, and Future Prospects less sophisticated retail investors. The concept release indicates that this information is impor- The concept release examines the disclosure tant, in part, because it provides insight into the of selected financial data and supplementary way disclosures should be tailored, including financial information under Items 301 and whether currently required disclosures should 302(a) of Regulation S-K, including the line be expanded or eliminated. The concept release items and time periods required to be covered also discusses the use of third-party data aggre- by such disclosure. The SEC asks whether this gators by different types of investors, and ques- disclosure is useful to investors, and whether the tions whether the functions performed by such current requirements prescribed by Items 301 and aggregators reduces the need for comparative or 302(a) should be expanded or contracted. The repetitive disclosure in SEC filings. SEC also seeks comment on whether there should be greater auditor involvement in pre- paring these disclosures. Adapting to Changes in the Market The concept release discusses potential The concept release also discusses potential reforms to the SEC’s rulemaking process improvements to the quality of Management’s designed to allow new disclosure rules to be Discussion & Analysis (MD&A) disclosure adapted or to expire in response to a chang- under Item 303, with the SEC requesting com- ing market. The SEC seeks input on how to ment on the required content of MD&A, the make its disclosure requirements more adaptive, thresholds for disclosure, the disclosure of including through the implementation of auto- forward-looking information, and key perfor- matic sunset provisions on new disclosure rules mance indicators. The SEC is also seeking or by requiring that the staff of the Division of input on whether to require an executive level Corporation Finance study and report on the overview of MD&A; whether to include a impact of new disclosure requirements. principles-based disclosure of key industry metrics; and whether to revisit the current “two-step” test for determining whether for- Specific Disclosure Areas ward-looking disclosure is required in MD&A. In addition to the overarching conceptual The SEC is also seeking input on the key com- topics described previously, the concept release ponents of MD&A disclosure, including results discusses certain specific disclosure areas and of operations, liquidity and capital resources seeks input on how to improve the quality of (including short-term borrowings), off-balance

Volume 24, Number 4 9 The Corporate Governance Advisor sheet arrangements, contractual obligations, from registered securities, and registrant repur- and critical accounting estimates. chases of equity securities. Generally, the SEC is seeking to understand whether these disclosures remain important to investors or whether Risk and Risk Management they have become redundant in the face of The concept release discusses improving the overlapping disclosure requirements and other disclosure of risk and risk management in peri- sources of information. odic reports pursuant to Items 503(c) and 305 of Regulation S-K. The SEC seeks comment on several new approaches to risk factor disclo- Exhibits sure, including presentation of risks based on The concept release discusses the current the order of magnitude and the identification filing requirements for exhibits to periodic and of the ten most important risks to a registrant. other reports, with an emphasis on the filing The SEC has also requested input on whether of material contracts and subsidiary informa- the inclusion of “generic” risk factors should tion under Item 601 of Regulation S-K, as be discouraged. In addition, the concept release well as the filing of schedules, attachments, explores the possibility of including risk mitiga- amendments, and other modifications to such tion disclosure within the discussion of a regis- exhibits. trant’s risk factors.

The concept release further examines the Industry Guides quantitative and qualitative disclosures about The concept release considers the ongoing market risk under Item 305 of Regulation S-K, role of the SEC’s Industry Guides, and asks including a discussion of disclosure objectives, whether the Industry Guides continue to pro- disclosure alternatives, and coordination and vide useful guidance for registrants and result comparability of disclosure. In particular, the in the disclosure of important information to SEC seeks input on whether the disclosure investors. In particular, the concept release asks required by Item 305 remains useful given whether the Industry Guides should be updated changes in US generally accepted account- or codified into Regulation S-K. ing principles and Regulation S-X that have resulted in the inclusion of similar information Topics Not Discussed in the presentation of financial statements. The concept release does not address certain Finally, the SEC has requested input on disclosure requirements in Regulation S-K, whether the consolidation of all risk-related such as executive compensation and gover- disclosure would improve the overall quality of nance, or the required disclosures for foreign disclosure, and whether Regulation S-K should private issuers, business development compa- be revised to require new narrative disclosure nies, or certain other categories of registrants. from registrants describing their risk manage- Although the concept release is silent on these ment processes. requirements, it nonetheless welcomes comments on any disclosure topic not specifically addressed within its text. Securities of the Registrant The concept release discusses the current Next Steps: Is Reform Imminent? disclosure framework related to a registrant’s securities, with an emphasis on disclosure Although the concept release discusses a under Items 201(b)(1), 202, 701, and 703 of broad spectrum of potential changes to Regulation S-K regarding number of equity Regulation S-K, it is unlikely that such changes holders, description of capital stock, recent are imminent. First, the SEC will review com- sales of unregistered securities, use of proceeds ments received on the concept release, which

The Corporate Governance Advisor 10 July/August 2016 are due 90 days following its publication in the Although the concept release is an important Federal Register. After reviewing any comments step toward the reform and modernization of submitted, the SEC may, at its discretion, issue Regulation S-K, it remains to be seen whether one or more rule proposals, which will be made and how the input provided by registrants, available for review and comment by the public investors, and other stakeholders is applied to prior to the publication of any final rules. reform the existing disclosure framework.

Volume 24, Number 4 11 The Corporate Governance Advisor SHAREHOLDER ENGAGEMENT

Shareholder Engagement: Governance Experts Share Perspectives By Abby E. Brown, Carolyn J. Buller, and Wendy K. LaDuca

In April 2016, our firm hosted a round- compensation, and corporate governance. table discussion, “Strategies and Best Practices Thinking of shareholder engagement as a for Shareholder Engagement,” during our more broad-sweeping and long-term relation- 2016 Roundtable for General Counsel in ship will assist companies in keeping a finger the Chemical and Performance Materials on the pulse of their investors and their con- Industries, a two-day executive briefing held cerns on an ongoing basis. in Washington DC. The discussion was well timed, taking place in the midst of proxy season when shareholder engagement activi- ties are in the spotlight. The panel addressed Practical Tips for Shareholder various perspectives of shareholder engagement through the eyes of industry experts Engagement including Glenn Booraem, Principal and Fund • Make inbound engagement easier. Investors Treasurer for Vanguard (Vanguard); John Roe, who use shareholder proposals often do so Managing Director and Head of Advisory because they feel that they have no other and Client Services, ISS Corporate Solutions way to get the attention of company man- (ISS); Amy Borrus, Deputy Director, Council agement and the board. Prevent this by of Institutional Investors (CII); and Matthew supplying an easy communication channel Juneau, Senior Vice President, Corporate for them. Strategy and Investor Relations, Albemarle Corporation (Albemarle). The panel discus- • Set internal expectations. Expect that only sion was moderated by Abby Brown, partner 25 percent to 30 percent of your engage- in the Global Corporate Practice of the firm’s ment invitations sent out will actually result Washington DC office. in a meeting (and assume an even lower return rate during proxy season). Take a low response as a sign that these shareholders What Is Engagement? either lack the resources to engage at that Companies engage with investors all the moment, or that they do not have an issue time through their proxy statement disclosure, with your company. Also, presume that any Forms 10-K and 10-Q, press releases, earn- outreach is well received and noticed by the ings calls, and other investor presentations shareholder, even if they do not take you up and discussions. ISS’s John Roe encourages on an offer for a meeting or discussion at companies to think of shareholder engagement that time. as more than the limited dialogue regarding • Ask questions; do not just give a road- say-on-pay or proxy access that might occur show. Use the opportunity for engagement during the proxy statement and annual meet- to solicit shareholder feedback on certain ing process. Rather, his view is that investors issues. Avoid the temptation to walk an typically want to engage on a broader range of investor or the ISS staff through your com- topics, including corporate strategy, manage- pany’s proxy statement—it should stand ment performance, board structure, executive on its own. Make sure that you understand each shareholder’s perspective on key issues; do not fall into the trap of justifying © 2016 Squire Patton Boggs. Abby E. Brown, Carolyn J. your actions and policies against proxy Buller and Wendy K. LaDuca are with Squire Patton Boggs.

The Corporate Governance Advisor 12 July/August 2016 attention. For example, after a new message is advisors’ views or recommendations when released, Albemarle issues personalized emails shareholders have their own guidelines. or makes individual phone calls to top inves- • Follow-up. After a shareholder engagement tors to make sure they understand why the meeting, the company should carefully eval- company is taking a certain action. Another uate the shareholder’s position, consider Albemarle initiative is to invite investors to how peers have approached similar issues, attend a call with executive management to and consider whether any changes are war- discuss topics of interest. Any such calls, how- ranted. If the company does make a change ever, should be short (for example, no longer as a result of the engagement meeting, the than 30 minutes) and have a clear agenda set company should communicate that change in advance. to the shareholder even if follow-up is sim- ply a revised proxy disclosure. In addition, some companies are now including in their proxy statements a summary of engage- Practical Tips on How to Engage ment themes, including any actions taken in response to what they heard from investors • Be prepared. Before engaging with an inves- as a result of their engagement efforts. tor, company management or directors should have a clear idea of that investor’s concerns and priorities, and an agreed- How to Engage upon agenda in place (with no more than three to four items for discussion), along “A company should always tell its best story with a list of participants. up front to investors,” said Vanguard’s Glenn • Set the tone of the discussion. Both com- Booraem. Vanguard has seen instances of a panies and investors should approach any standard proxy statement with a great engage- meeting with a list of questions (and not ment story get lost and only later fully or better demands) and each side should be cor- disclosed in a proxy supplement. His advice dial and give the other side equal time is to spend the time and energy at the outset to speak. to include this great information in the initial proxy statement, which will ultimately save time • Avoid boilerplate disclosures about investor and money, and potentially alleviate investor engagement. Good engagement disclosure concerns in the initial filing. should describe in detail the way your company engages with investors, discuss Albemarle’s Matthew Juneau indicated that outreach over the past year, highlight any it is important to be consistent in how you tell changes that occurred as a result, and your story. In his view, it is a good idea to tightly provide email addresses or other contact manage the disclosure process to ensure that information. inconsistent messages are not delivered, particu- • Small cap companies in particular should larly in light of Regulation FD. For example, spend time at the outset to craft careful before earnings calls, Albemarle takes the time proxy statement disclosure. Small cap com- to prepare expected investor questions with panies may not be at the top of an inves- proposed answers. While there are occasional tors’ list for communication and, as such, surprises, such a process contributes to consis- the proxy statement may serve as the main tent messages, which in turn builds confidence form of communication. With more limited in company management. resources, small cap companies may desire to leverage the engagement disclosures of Further, Juneau stated that as part of ongo- large cap companies and borrow from their ing shareholder engagement efforts, Albemarle approaches and engagement ideas. routinely gives its top 35 shareholders extra

Volume 24, Number 4 13 The Corporate Governance Advisor Who Should Engage? • CII’s Amy Borrus advised circumventing Companies should ensure that they have the unexpected drop-ins. Unexpected drop-ins right people from the company in attendance by a CEO or board chair during an engage- at investor engagement meetings. Often, that ment meeting can be off-putting to an includes members of the company’s manage- investor. Make sure the investor knows ment team or investor relations. Someone from ahead of time exactly who is going to be the compensation committee should always be present at the meeting. present at any meeting discussing compensation • Ensure you know with whom you are meet- issues (not necessarily the committee chair) so ing. Company management and directors long as that person is informed about the mat- in attendance at any shareholder engage- ters to be discussed. Along the same lines, a ment meeting should be familiar with the director should be present if the discussion is to particular shareholder’s equity position, be focused on board-related topics (for exam- their public views on key governance issues, ple, board compensation). Booraem shared an as well as the history of any engagement ideal shareholder meeting example whereby and voting results. This enables company director(s) excused management at the end of responsiveness to specific investor con- an engagement meeting to give Vanguard an cerns, as well as continuity over time in the opportunity to ask questions and provide feed- engagement dialogue. back without management present, which was highly effective in reinforcing Vanguard’s link to the company’s board. When Should Engagement Occur? Borrus noted that recent years have shown companies are increasingly willing to reach out Practical Tips for Those Who Engage to shareholders to start a dialogue. She also • Make sure the directors are communication noted, however, that such engagement should ready. Engaging with shareholders is part not be a “last minute blitz” before the annual of a board member’s job description now. meeting; rather, engagement is an on-going, If you do not have directors on your board year-round process. As a matter of fact, the who possess effective communication skills, rush of the proxy season can make it difficult now is a good time to recruit them. for companies to get the attention of investors or ISS in order to engage during the first • Identify the right investors. When looking months of the year. Rather, Borrus indicated for shareholders to engage with, do not that “off-season” engagement outside of the stop at the top 10, 15 or 25 investors; review heat of proxy season offers a good opportu- your shareholder base as a whole to deter- nity for long-term investor engagement and mine with whom it might be important to is critically important to building shareholder engage, including small but strategically relationships that may make it easier to resolve important shareholders. conflicts in the future. • If a director is present at an investor engagement meeting, make sure the director is In Booraem’s opinion, the ideal time for prepared. Whether you should have a par- shareholder engagement is when the ink is not ticular director present at a shareholder yet dry on the proxy statement—essentially, engagement meeting depends on how well- right after the prior year’s annual meeting. informed that director is and how comfort- Once a company has had the opportunity able talking about certain potential issues to digest the meeting vote and think about (arrogance or unwillingness to hear sugges- the broader trends that developed during the tions should be avoided). proxy season. Similarly, Juneau offered that Albemarle has found that it tends to

The Corporate Governance Advisor 14 July/August 2016 be easier to have a dialogue and engage • Engage with ISS at the appropriate time. with investors during the late summer and Roe indicated that companies should ide- early fall. ally engage with ISS only after they have actively engaged with their investor base. Practical Tips on Engagement Timing Conclusion • Do not underestimate the value of “off-season” investor engagement. Investor engagement From these discussions, we learned that it is during the “off-season” in the annual meet- important for companies to have a good under- ing cycle allows for companies to care- standing of the “who,” “what,” “when,” and fully contemplate investor concerns, make “how” aspects of the shareholder engagement necessary adjustments to the proxy state- process. Good engagement goes a long way to ment months ahead of time, and provide building positive relationships with an investor adequate time for board review. base, facilitating solid communications, and helping potentially avoid a future crisis.

Volume 24, Number 4 15 The Corporate Governance Advisor EXECUTIVE COMPENSATION

Gender Pay Equity In Focus By Jon Weinstein and Ashley Meischeid

This year’s Equal Pay Day (April 12, 2016) pay equity statistics showing what women in produced an extraordinary volume of discourse their companies earn as a percentage of men, and disclosure on a vitally important topic— with the data ranging from from 99.7¢ to $1.003. and one that is surfacing more frequently at These figures compare favorably to a recent the compensation committee level. As activist study conducted by Glassdoor that found an shareholders and a presidential election year “unadjusted” US gender wage gap of 75.9¢ and bring heightened attention to pay equity in an “adjusted” wage gap (normalized for differ- the private sector, companies are increasingly ences in education, age, experience, industry, job disclosing their own demographic compensa- title, and other factors) of 94.6¢. tion statistics or chartering studies to ascer- tain where they stand. Further, compensation On the governmental front, the US Office committees are showing significant interest in of Federal Contract Compliance Programs the issue as committee agendas have begun to (OFCCP) and Equal Employment Opportunity include pay equity as a subject for discussion. Commission (EEOC) have issued new requirements on pay transparency/disclosure, and Thus far, a range of prominent companies, UK Prime Minister David Cameron has pro- primarily in the technology space, have made posed rules that would require companies with headlines by voluntarily disclosing their pay more than 250 employees to disclose their pay equity statistics to the public. Specifically, equity data. Amazon, Apple, Facebook, GoDaddy, Intel, Microsoft, and RedFin have all disclosed gender While much work and continued progress is still needed, the dialogue on pay equity and focus of major employers on this issue demon- © 2016 Pay Governance LLC. Jon Weinstein and Ashley strate a positive trend. We expect to see contin- Meischeid are compensation consultants with Pay ued amplification of this critical issue moving Governance LLC. forward.

The Corporate Governance Advisor 16 July/August 2016 CYBERSECURITY

Director Cyber Risk: Insights from Shareholder Derivative Lawsuits By Melissa J. Krasnow

Shareholder derivative lawsuits regarding the the purview of the business judgment rule, Wyndham, Home Depot and Target cyber under which there is a presumption that the attacks provide insights on steps companies can board refused the demand on an informed take regarding director cyber risk.1 These steps basis, in good faith and in the honest belief include: (1) determining fiduciary duties and that the action taken was in the best interests monitoring shareholder derivative lawsuits for of the company. Among other things, the developments (this article covers both Delaware defendants argued that the board’s decision to and Minnesota law), (2) reviewing organiza- refuse the demand was a good faith exercise tional documents, applicable law and agree- of business judgment, made after a reasonable ments, policies and insurance, (3) reviewing and investigation. considering company committee charters and privacy policies and Securities and Exchange The court dismissed the lawsuit with preju- Commission disclosures comprehensively and dice and described in a footnote the failure to specifically regarding cyber risk, and (4) devel- act in good faith that is required to show direc- oping, implementing, testing, and updating tor oversight liability (as part of the duty of incident response plans. loyalty):

Caremark requires that a corporation’s Determining Fiduciary Duties and ‘‘directors utterly failed to implement any Monitoring Shareholder Derivative reporting or information system … [or] Lawsuits for Developments consciously failed to monitor or oversee its operations thus disabling themselves from Delaware law is applicable in Palkon v. Holmes being informed.’’ Stone v. Ritter, 911 A.2d regarding Wyndham and In re The Home Depot, 362, 370 (Del. 2006). Yet Plaintiff con- Inc. Shareholder Derivative Litigation regarding cedes that security measures existed when Home Depot because Wyndham and Home the first breach occurred, and admits the Depot are Delaware corporations. Delaware Board addressed such concerns numerous case law describes the director duty to monitor times. (Compl. ¶¶ 46, 62, 63). The Board and oversee risks as derived from the duty of was free to consider such potential weak- care and the duty of loyalty.2 nesses when assessing the lawsuit.

Palkon v. Holmes addressed three cyber The actions of Wyndham that were men- attacks against Wyndham between 2008 and tioned in this case included: 2010. The plaintiff was required to plead with particularity that the board’s decision to refuse (1) Board discussion of the cyber attacks, his demand to bring a lawsuit regarding the Wyndham’s security policies, and proposed cyber attacks was in bad faith or not based security enhancements at 14 meetings and on a reasonable investigation. The Wyndham audit committee discussion at 16 meetings board’s decision to refuse the demand is under between 2008 and 2012;

(2) Wyndham hiring technology firms to inves- Melissa J. Krasnow is a partner with Dorsey & Whitney tigate each cyber attack and issue rec- LLP, a Certified Information Privacy Professional/US, and ommendations on enhancing Wyndham’s a National Association of Corporate Directors Fellow. security;

Volume 24, Number 4 17 The Corporate Governance Advisor (3) Wyndham beginning to implement such Committee and Defendants will move the court recommendations after the second and for approval and dismissal of the derivative third cyber attacks, and actions with prejudice, asserting that

(4) Presentations of Wyndham’s general (1) The members of the Special Litigation counsel regarding the cyber attacks and Committee were disinterested and indepen- Wyndham’s data security generally at every dent, and quarterly board meeting. (2) The Special Litigation Committee’s investiga- The defendants’ motion to dismiss filed on tive procedures and methodologies were ade- April 14, 2016, in In re The Home Depot, Inc. quate, appropriate and pursued in good faith, Shareholder Derivative Litigation states: in satisfaction of the business judgment rule.5

Loyalty claims based on alleged failure The business judgment rule accords deference of oversight are widely recognized as “the to the determination of the Special Litigation most difficult theory in corporation law Committee regarding the derivative actions. upon which a plaintiff might hope to win a judgment.” In re Caremark Int’l., Inc. Deriv. Finally, both breach of fiduciary duty claims Litig., 698 A.2d 959, 967 (Del. Ch. 1996). To and waste of corporate assets claims were made state such a claim, a stockholder must plead in Palkon v. Holmes, In re The Home Depot, particularized facts that the defendants Inc. Shareholder Derivative Litigation and In re “(a) utterly failed to implement any reporting Target Corp. Shareholder Derivative Litigation. or information system or controls or (b) hav- According to Delaware case law, a “claim of ing implemented such a system or controls, waste will arise only in the rare, ‘unconscionable’ consciously failed to monitor or oversee its case where directors irrationally squander or operations thus disabling themselves from give away corporate assets.”6 being informed of risks or problems requiring their attention. In either case, imposi- In re The Home Depot, Inc. Shareholder tion of liability requires a showing that Derivative Litigation and In re Target Corp. [defendants] knew that they were not dis- Shareholder Derivative Litigation should be charging their fiduciary obligations.” Stone monitored for developments, as should any ex rel. AmSouth Bancorporation v. Ritter, other shareholder derivative lawsuits regarding 911 A.2d 362, 370 (Del. 2006). cyber attacks.

According to the defendants’ motion to dis- Reviewing Organizational miss, the plaintiffs failed to state a duty of loyalty claim against any defendants.3 Documents, Applicable Law and Agreements, Policies and Insurance Target is a Minnesota corporation. The Minnesota corporate statute describes the stan- According to the defendants’ motion to dis- dard of conduct for a director.4 Regarding In re miss in In re The Home Depot, Inc. Shareholder Target Corp. Shareholder Derivative Litigation, Derivative Litigation, Home Depot’s Certificate the board of directors appointed a Special of Incorporation contains language that pre- Litigation Committee to investigate the claims. cludes a duty of care claim against its directors.7 The Special Litigation Committee completed According to an order filed on May 23, 2016, its investigation and issued a report in March Plaintiffs must file and serve their opposition 2016, determining that it was not in Target’s to Defendants’ motion to dismiss by June 30, best interests to pursue the derivative claims 2016 and Defendants must file and serve their and seeking dismissal of the claims with preju- reply brief in further support of their motion to dice. On June 22, 2016, the Special Litigation dismiss by July 20, 2016.

The Corporate Governance Advisor 18 July/August 2016 However, neither the Delaware corporate stat- attack exercises, and update incident response ute nor the Minnesota corporate statute permits plans in light of insights obtained from testing eliminating or limiting the personal liability of a and legal, business, technological, and pub- director to a corporation or its shareholders for lic relations developments to bolster prepara- monetary damages for breach of fiduciary duty tion regarding and response to cyber risk and for any breach of the director’s duty of loyalty attacks. to the corporation or its shareholders or for acts or omissions not in good faith or that involve Directors could ask the following questions intentional misconduct or a knowing violation regarding incident response plans:10 of law, among other things.8 (1) What is the date of the plan and what was Companies should review their organiza- the most recent date of testing the plan? tional documents and applicable law and their indemnification agreements or policies and (2) How frequently is the plan is tested or directors and officers liability insurance and updated? cyber liability insurance coverage. (3) What was the situation that was the sub- Reviewing and Considering ject of the testing? Committee Charters, Privacy (4) What are the results of and insights from Policies, and SEC Filings the testing or updating of the plan?

Palkon v. Holmes, In re The Home Depot, Inc. (5) Who are the members of the incident Shareholder Derivative Litigation, and In re Target response team? Corp. Shareholder Derivative Litigation reference the companies’: (1) audit committee charters, (6) Who are the external team members (2) Securities and Exchange Commission dis- (including service providers)? closures regarding cyber risk and attacks and (3) privacy policies, including language about the (7) What are team member responsibilities? companies using industry standard methods to protect customer information. (8) What are the lines of communication?

Company committee charters and pri- (9) What communications, disclosures, and vacy policies and Securities and Exchange notifications are being considered? Commission disclosures should be reviewed comprehensively and specifically regarding (10) What is the nature of and how frequently cyber risk and attacks, including in terms of is employee security training and aware- litigation.9 The foregoing also can be reviewed ness provided? against similar items of companies in the same industry or that have experienced cyber attacks. Conclusion Developing, Implementing, Testing In re The Home Depot, Inc. Shareholder and Updating Incident Response Plans Derivative Litigation and In re Target Corp. Shareholder Derivative Litigation should be mon- Palkon v. Holmes, In re The Home Depot, itored for developments, as should any other Inc. Shareholder Derivative Litigation, and In re shareholder derivative lawsuits regarding cyber Target Corp. Shareholder Derivative Litigation attacks. Companies also should: (1) determine address preparation regarding and response fiduciary duties; (2) review organizational docu- to cyber risk and attacks. Companies should ments, applicable law, indemnification agree- develop, implement, test via simulated cyber ments or policies, directors and officers liability

Volume 24, Number 4 19 The Corporate Governance Advisor insurance, and cyber liability insurance coverage; 4. According to the Minnesota corporate statute: (3) review committee charters, privacy policies, A director shall discharge the duties of the position and Securities and Exchange Commission dis- of director in good faith, in a manner the director closures in a comprehensive and specific manner reasonably believes to be in the best interests of the regarding cyber risk and attacks, and (4) develop, corporation, and with the care an ordinarily prudent person in a like position would exercise under similar implement, test via simulated cyber attack exer- circumstances. A person who so performs those duties cises, and update incident response plans. is not liable by reason of being or having been a director of the corporation. Minn. Stat. § 302A.251, Subd. 1. Notes The Minnesota corporate statute further states: 1. See Palkon v. Holmes, No. 2:14-CV-01234 (D.N.J. (a) A director is entitled to rely on information, opin- Oct. 20, 2014); In re The Home Depot, Inc. Shareholder ions, reports, or statements, including financial Derivative Litigation, No. 1:15-CV-2999 (N.D. Ga.) statements and other financial data, in each case and In re Target Corp. Shareholder Derivative Litigation, prepared or presented by: No. 0:14-cv-00203 (D. Minn.). (1) one or more officers or employees of the 2. Stone v. Ritter, 911 A.2d 362, 370 (Del. 2006). corporation whom the director reasonably 3. Regarding the failure to implement any reporting or believes to be reliable and competent in the information system or controls, the plaintiffs’ complaint matters presented; pleads that “… (i) the Audit Committee was established (2) counsel, public accountants, or other persons as to assist the Board in reviewing and monitoring the to matters that the director reasonably believes Company’s compliance programs (Comp., ¶ 49); (ii) the are within the person’s professional or expert Audit Committee has ‘primary responsibility for over- competence; or seeing risks related to IT and data privacy and security at Home Depot’ (id., ¶ 278); (iii) internal audits were (3) a committee of the board upon which the conducted on the Company’s data security systems (id., director does not serve, duly established in ¶¶ 141, 164, 205, 279); and (iv) the Company’s IT Security accordance with section 302A.241, as to mat- and internal audit departments frequently reported to ters within its designated authority, if the the Board and Audit Committee regarding cybersecurity director reasonably believes the committee to issues (id., ¶¶ 86–88, 97, 99, 103, 116, 120–123, 139–142, merit confidence. 150–153, 155, 157, 158, 160-163, 200, 205–209). Regarding showing that the defendants acted in bad faith by con- (b) Paragraph (a) does not apply to a director who sciously failing to monitor or oversee its operations, the has knowledge concerning the matter in question plaintiffs’ allegations negate any claim that the defendants that makes the reliance otherwise permitted by acted in bad faith in breach of the duty of loyalty”: paragraph (a) unwarranted. Minn. Stat. 302A.251, Subd. 2. • M. Carey “met regularly with Home Depot’s Audit Committee and its full Board of Directors and pro- Good faith is defined in the Minnesota corporate vided the Board with updates regarding Home Depot’s statute as “honesty in fact in the conduct of the act data security systems.” (Comp., ¶97). or transaction concerned.” Minn. Stat. § 302A.011, Subd. 13. • M. Carey additionally briefed the Board on data breaches at other large retailers. (Comp., ¶¶76, 77). 5. “Minnesota case law requires a court to ‘defer to an SLC’s decision to settle a shareholder derivative action • Management conducted regular scans and internal if (1) the members of the SLC possessed a disinterested audits of the Company’s cybersecurity systems, and independence and (2) the SLC’s investigative procedures reviewed those results with the Audit Committee and and methodologies were adequate, appropriate, and the Board. (Comp., ¶¶86, 150, 151, 162, 206, 207). pursued in good faith.’ ” In re UnitedHealth Group Inc. • Based on these scans and audits, M. Carey and his Shareholder Derivative Litigation, 754 N.W.2d 544, 559 department planned and executed remedial measures (Minn. 2008). and “enhancements” to the Company’s data secu- 6. In re Walt Disney Co. Derivative Litigation, 906 A.2d rity systems. (Comp., ¶¶ 88, 118, 121, 150, 152, 200, 27, 74 (Del. 2006). Under the Minnesota corporate statute, 202–206, 230, 238, 239). “[a] court may grant any equitable relief it deems just and • Third-party consultants were retained to advise the reasonable in the circumstances … (b) In an action by a Company on its cybersecurity measures and “to per- shareholder when it is established that … (5) the corporate form a ‘health check’ on its computer systems.” assets are being misapplied or wasted … .” Minn. Stat. (Comp., ¶¶101, 104, 136). § 302A.751, Subd. 1.

The Corporate Governance Advisor 20 July/August 2016 7. According to Article 9 of Home Depot’s Certificate of 8. Del. Gen. Corp. Law § 102(b)(7); Minn. Stat. § 302A.251, Incorporation: Subd. 4. No director of the Corporation shall be liable to the 9. See Division of Corporation Finance, US Securities Corporation or its stockholders for monetary damages and Exchange Commission, CF Disclosure Guidance: for breach of fiduciary duty as a director, except for lia- Topic No. 2 (Oct. 13, 2011); Melissa Krasnow, “The bility (i) for any breach of the director’s duty of loyalty Securities and Exchange Commission’s Guidance on to the Corporation or its stockholders, (ii) for acts or Cybersecurity and Cyber Incident Disclosure,” BNA omissions not in good faith or which involve intentional Privacy & Security Law Report (Oct. 31, 2011). misconduct or a knowing violation of law, (iii) under Section 174 of the Delaware General Corporation 10. See Melissa Krasnow, ‘‘Guidance for Guidance for Law, or (iv) for any transaction from which the director Incident Response Plans,’’ International Risk Management derived an improper personal benefit. Institute (May 2015).

Volume 24, Number 4 21 The Corporate Governance Advisor AUDIT COMMITTEES

PCAOB Again Issues Proposal to Change Audit Report By Michael Scanlon, Brian Lane, Lori Zyskowski, and Michael Titera

The Public Company Accounting Oversight What are CAMs?—Required Board (PCAOB) recently re-proposed an audit Disclosures in the Audit Report standard to amend the form and content requirements for the independent auditor’s report on about Critical Audit Matters financial statements.1 The new proposal retains the pass/fail model present in the existing audit Under the re-proposal, a critical audit matter report but also requires the auditor to include (CAM) is defined as “any matter arising from the new disclosures in the audit report about “criti- audit of the financial statements that was com- cal audit matters” that are identified during municated or required to be communicated to the the course of the audit. The re-proposal also audit committee and that: (1) relates to accounts requires new disclosures about the length of or disclosures that are material to the financial the auditor’s tenure and the applicable auditor statements and (2) involved especially challenging, independence requirements. subjective, or complex auditor judgment.”

The re-proposal is the latest chapter in a The proposed definition thus has three com- standard-setting project that dates back to 2011, ponent pieces. First, a CAM must be a mat- when the PCAOB issued a concept release2 on ter that was voluntarily communicated to the potential changes to the audit report, and that audit committee or that was required to be evolved in 2013, when the PCAOB issued its communicated to the audit committee under original proposal3 on this topic. The PCAOB’s Auditing Standard 1301 (formerly AS No. 16), re-proposal narrows in some respects the scope Communications with Audit Committees. As of the disclosure requirements for critical audit issuers and audit committees are well aware, matters that appear in the audit report, and the scope of these required communications is also drops the component of the original not narrow, with AS 1301 containing more than proposal that would have required the audi- 15 topics and several dozen related paragraphs tor to review and report on matters outside that specify what must be communicated to the the financial statements. But the re-proposal audit committee. Second, a CAM must relate to still represents an important development for an account or disclosure that is “material” to the financial reporting landscape that issu- the financial statements. Notably, the proposed ers and their audit committees should review definition does not require the communication and consider in detail, including as described itself to involve a material issue, but rather that later under “Steps to Consider.” The deadline the communication must be about an account for commenting on the PCAOB’s proposal is or disclosure that is material to the financial August 15, 2016. statements. And third, the proposed definition provides that a CAM must have involved an “especially challenging, subjective, or complex auditor judgment.” The proposal seeks to inject some objective criteria to help guide this test by © 2016 Gibson, Dunn & Crutcher LLP. Michael Scanlon laying out several factors that an auditor should and Brian Lane are partners in the Washington, D.C., take into account in determining whether a mat- office of Gibson, Dunn & Crutcher LLP, Lori Zyskowski ter involved such judgments, specifically: is a partner in the firm’s New York, NY, office and Michael Titera is an associate in the firm’s Orange County, • The auditor’s assessment of the risks of mate- CA, office. rial misstatement, including significant risks;

The Corporate Governance Advisor 22 July/August 2016 • The degree of auditor subjectivity in deter- could be CAMs remains quite broad and could mining or applying audit procedures to lead to significant new disclosures in the audit address the matter or in evaluating the results report, as discussed in more detail later under of those procedures; “Steps to Consider.”

• The nature and extent of audit effort required The new proposal specifies that CAMs would to address the matter, including the extent of not have to be disclosed in audit reports issued specialized skill or knowledge needed or the in connection with audits of brokers and deal- nature of consultations outside the engage- ers, investment companies other than business ment team regarding the matter; development companies, or employee stock purchase, savings, and similar plans. • The degree of auditor judgment related to areas in the financial statements that involved the application of significant judg- Additional New Disclosures ment or estimation by management, includ- in the Audit Report ing estimates with significant measurement uncertainty; Auditor Tenure. The re-proposal requires the auditor to include in its report “[a] statement • The nature and timing of significant unusual containing the year the auditor began serving transactions and the extent of audit effort consecutively as the company’s auditor.” Under and judgment related to these transac- the proposed requirement, the auditor tenure tions; and would include the years the auditor served as the company’s auditor both before and after • The nature of audit evidence obtained regard- the company became subject to SEC reporting ing the matter. obligations. Although the PCAOB unanimously approved the issuance of the proposal, several The new proposal provides that if the audi- board members indicated they were not certain tor determines that a CAM exists, the auditor this disclosure is needed. These sentiments were must include disclosure in the audit report that expressed in part because many issuers have identifies the CAM, describes the principal voluntarily included enhanced audit committee- considerations that led the auditor to determine related disclosures in their proxy statements, that the matter is a CAM, describes how the and such disclosures often include information CAM was addressed in the audit, and identifies about the length of service by the auditor. the relevant financial statement accounts and disclosures that relate to the CAM. Independence. The re-proposal also requires a statement in the audit report that the auditor The CAM definition offered in the original “is a public accounting firm registered with the proposal was more expansive because it did not PCAOB (United States) and is required to be specifically relate back to disclosure of matters independent with respect to the company in that were communicated to the audit commit- accordance with the U.S. federal securities laws tee. By incorporating the concept of matters and the applicable rules and regulations of the required to be communicated to the audit com- SEC and the PCAOB.” mittee, the re-proposal draws on existing AS 1301 to provide some guideposts for determin- Clarification of Auditor Responsibilities. ing which matters may be treated as CAMs. Under the re-proposal, the auditor also has to However, given the lengthy list of required com- include in its audit report the phrase “whether munications in AS 1301 and that the re-proposal due to error or fraud,” when describing the includes both required communications and auditor’s responsibilities under PCAOB stan- those that are voluntarily communicated to dards to obtain reasonable assurance about the audit committee, the range of matters that whether the financial statements are free of

Volume 24, Number 4 23 The Corporate Governance Advisor material misstatements. This phrase is not subjective, or complex auditor judgment” by included in the existing auditor’s report and the its terms still leaves the auditor with broad release accompanying the re-proposal says that discretion to determine whether a matter is the phrase is added to clarify that the auditor a CAM that should be disclosed in the audit is responsible for detecting material misstate- report. Auditor discretion in making this ments, whether such misstatements are due to determination of course could cut either error or fraud. way, but issuers and their audit committees may wish to consider whether the degree of uncertainty in how the proposed CAM Steps to Consider definition will be applied in practice, given its potential breadth and subjectivity, merits With this re-proposal, the PCAOB appears comment. to be moving closer to requiring changes to the pass/fail model that has served as the basis for • Auditor Disclosure of Original Information. an unqualified audit report for many decades. In reviewing the original proposal, a num- As a result, issuers and their audit committees ber of commenters expressed concern that would be well served to review in depth the new the proposal would place the auditor in the disclosures contemplated by the proposal— position of being the source of disclosure of particularly as they are disclosures for which original information about a company—in the auditor will have the final say; consider the other words, having to make disclosures potential implications and costs associated with before a company itself has made the disclo- the new disclosures, including the questions and sure or, in effect, forcing a company’s hand to potential issues discussed later; and evaluate make disclosures. The PCAOB’s re-proposal whether to comment on the proposal. In con- responded to this concern by noting that sidering this topic, issuers and audit committees “[s]ince the auditor would be communicating also may wish to engage with their auditors to information regarding the audit rather than understand what types of issues in prior audits information directly about the company and may be considered CAMs under the proposal its financial statements, the communication and what corresponding disclosures would have of critical audit matters should not diminish looked like if they had been disclosed in connec- the governance role of the audit committee tion with those prior audit reports. and management’s responsibility for the company’s disclosure of financial information.” • Scope of the New CAM Definition. In its Companies and audit committees may wish re-proposal, the PCAOB made efforts to to consider whether this response is sufficient reign in the breadth of its original concept to allay the noted concerns, particularly given for critical audit matters, but aspects of the the nature of the proposed disclosure topics proposed CAM definition still may present that have to be addressed once a CAM has concern. The audit standard governing com- been identified—as reflected by the three munications that the auditor is required to pages of sample disclosures for a CAM make to the audit committee is itself expan- that appear in the proposing release. The sive, as noted previously. The definition PCAOB’s proposed standard also includes a also includes any communication made to note intended to address concerns about the the audit committee outside of the required auditor becoming the source of original (and communications. It also appears that CAMs potentially confidential) information about may not be limited to communication about the company. This note says that the auditor material issues, but rather could include will not be expected to provide information disclosure of an issue that may not itself about the company that has not been made be material but that may involve a material publicly available by the company “unless account or disclosure. And, the question of such information is necessary to describe the whether an issue was “especially challenging, principal considerations that led the auditor

The Corporate Governance Advisor 24 July/August 2016 to determine that a matter is a critical audit to the increased strain on audit committee matter or how the matter was addressed in resources and timing issues associated with the audit.” Companies and audit committees completing the audit—for example, when may wish to consider whether this excep- financial reporting or audit-related issues tion in effect nearly swallows the rule, and that have CAM implications arise at the if so, what disclosure considerations may be last moment—also seem relevant in rela- implicated, including whether it would put tion to the re-proposal. Although varied in the auditor in a position of having to make nature, the common theme underlying these disclosures in the first instance about any concerns appears to be that uncertainty in number of matters, such as loss contingency application will result from requiring CAM considerations or investigations. disclosures in the audit report, particularly in light of the subjectivity inherent in the defi- • Uncertainty in Application. A number of nition and the significance of the changes to concerns expressed in relation to the original the audit reporting model. proposal also appear not to have been fully addressed by the re-proposal. Companies and their audit committees may wish to com- Notes ment on these issues as well. For example, 1. Proposed Auditing Standard—The Auditor’s Report because the re-proposal may require disclo- on an Audit of Financial Statements When the Auditor sure of matters that have been voluntarily Expresses an Unqualified Opinion and Related Amendments reported to the audit committee, some have to PCAOB Standards, PCAOB Release No. 2016-003 expressed the view that the approach out- (May 11, 2016), available at http://pcaobus.org/Rules/ lined could lead auditors to hesitate in raising Rulemaking/Docket034/Release-2016-003-ARM.pdf, last accessed June 8, 2016. matters to audit committees as it would then trigger potential CAM reporting. Conversely, 2. Concept Release on Possible Revisions to PCAOB some have expressed concern that there will Standards Related to Reports on Audited Financial Statements and Related Amendments to PCAOB Standards, be a tendency to over-disclose the existence PCAOB Release No. 2011-003 (June 21, 2011), available at of CAMs given the subjectivity in the pro- http://pcaobus.org/Rules/Rulemaking/Docket034/Concept_ posed standard and the potential adverse Release.pdf, last accessed June 8, 2016. consequences for the auditor associated with 3. Proposed Auditing Standards—The Auditor’s Report on an being second-guessed in whether a CAM Audit of the Financial Statements When the Auditor Expresses an should have been disclosed. Still others have Unqualified Opinion; The Auditor’s Responsibilities Regarding expressed concern that the range of CAM Other Information In Certain Documents Containing Audited disclosure practice among firms and engage- Financial Statements and the Related Auditor’s Report; and Related Amendments to PCAOB Standards, PCAOB Release ment teams will lead to unhelpful variabil- No. 2013-005 (Aug. 13, 2013), available at http://pcaobus.org/ ity across audit reports. Concerns expressed Rules/Rulemaking/Docket034/Release_2013-005_ARM.pdf, about the original proposal with respect last accessed June 8, 2016.

Volume 24, Number 4 25 The Corporate Governance Advisor

Andrew E. Bogen Gibson, Dunn & Crutcher LLP Los Angeles, CA Gwenn Carr Metropolitan Life Insurance Company EDITOR-IN-CHIEF New York, NY Broc Romanek TheCorporateCounsel.net, Arlington, VA John Wilcox 703-237-9222 Sodali Ltd. New York, NY PUBLISHER Professor John C. Coffee Columbia Law School Richard Rubin New York, NY MARKETING MANAGER Professor Charles M. Elson Steven Santel University of Delaware, EDITOR EMERITUS Center for Corporate Governance Wilmington, DE Henry Lesser DLA Piper, LLP, Palo Alto, CA Professor Ronald Gilson Stanford Law School Stanford, CA and Columbia Law School SPECIAL EDITORIAL ADVISORS New York, NY Professor William T. Allen Keir Gumbs New York University Law School & Stern School of Covington & Burling LLP Business Washington, DC Counsel: Wachtell, Lipton, Rosen & Katz New York, NY Richard H. Koppes Stanford Law School Kenneth J. Bialkin Sacramento, CA Skadden, Arps, Slate, Meagher & Flom New York, NY John F. Olson Gibson, Dunn & Crutcher LLP Arthur Fleischer Jr. Washington, DC Fried, Frank, Harris, Shriver & Jacobson New York, NY John F. Seegal Orrick, Herrington & Sutcliffe Amy L. Goodman San Francisco, CA Gibson, Dunn & Crutcher LLP Washington, DC Evelyn Cruz Sroufe Perkins Coie Martin Lipton Seattle, WA Wachtell, Lipton, Rosen & Katz New York, NY Paul D. Tosetti Latham & Watkins Ira M. Millstein Los Angeles, CA Weil, Gotshal & Manges New York, NY Susan Ellen Wolf Global Governance Consulting Washington, DC EDITORIAL BOARD Beth Young Harvard Law School Ken Bertsch New York, NY CamberView Partners San Francisco, CA ASPEN PUBLISHERS Dennis J. Block 76 Ninth Avenue Greenberg Traurig New York, NY 10011 New York, NY 212-771-0600

Volume 24, Number 4 27 The Corporate Governance Advisor Wolters Kluwer The Corporate Governance Advisor Distribution Center 7201 McKinney Circle Frederick, MD 21704

TIMELY REPORT Please Expedite

July/August 9900529057

To subscribe, call 1-800-638-8437 or order online at www.wklawbusiness.com

Ordering Additional Copies of CORPORATE GOVERNANCE ADVISOR

Don’t wait for the office copy of CORPORATE GOVERNANCE ADVISOR to circulate to your desk. Get updated news and information on important developments the moment it is available by ordering additional copies of CORPORATE GOVERNANCE ADVISOR for your office now. For more information and to order multiple copies at a specially discounted rate, please call 1-800-638-8437.