Corporate Governance: 2023 Year-End Review

Since Kramer Levin issued its Corporate Governance: 2023 Midyear Review, there has been a growing focus on the criminalization and prosecution of international corruption involving U.S. individuals and businesses, as well as continued judicial review of Securities and Exchange Commission (SEC) regulations and the administrative process. Specifically:

• On Dec. 14, 2023, Congress passed the Foreign Extortion Prevention Act (FEPA) as part of the annual National Defense Authorization Act, which President Biden signed into law on Dec. 22, 2023. The law amends the domestic statute criminalizing bribery of federal officials, Section 201 of Title 18 of the United States Code (Bribery of Public Officials and Witnesses), to include a subsection titled “Prohibition of Demand for a Bribe.”
  
  FEPA establishes criminal liability for the “demand side” of foreign bribery (i.e., for foreign officials who seek or receive bribes from U.S. persons or businesses). Specifically, the amendment makes it unlawful for any foreign official to seek or accept anything of value from U.S. persons or certain U.S. companies in exchange for performing or omitting any official act or otherwise conferring an improper business advantage. Penalties under FEPA include fines up to the greater of $250,000 or three times the monetary equivalent of the thing of value received and imprisonment of up to 15 years.
  
  FEPA complements the Foreign Corrupt Practices Act, which focuses on the “supply side” of foreign bribery. With FEPA’s enactment, the United States joins strategic allies — including the United Kingdom, Germany and France — in an expanding multilateral effort to criminalize demand-side foreign bribery. All companies that interact with foreign government officials should consider revisions to their anti-corruption policies to ensure compliance with what is likely to become a new focus of Department of Justice (DOJ) prosecution efforts.
  
  
• On Dec. 19, 2023, the U.S. Court of Appeals for the Fifth Circuit vacated the share repurchase disclosure rules adopted by the SEC in May 2023. Those rules, detailed in our prior alert, required issuers to:
  
  
  • Disclose daily repurchase activity on a quarterly basis or semiannually for listed closed-end funds (notably, this is a change from the proposed requirement for issuers to disclose share repurchases one business day after each repurchase)
    
    
  • Check a box indicating whether certain directors or officers traded in the relevant securities within four business days before or after the public announcement of an issuer’s repurchase plan or program
    
    
  • Provide additional narrative disclosure about repurchase programs and practices in periodic reports, including objectives for repurchases
    
    
  • Provide quarterly disclosure regarding adoption, modification and termination of 10b5-1 trading arrangements

A coalition of industry groups led by the U.S. Chamber of Commerce challenged the rules shortly after their adoption in a lawsuit seeking to block their implementation. On Oct. 31, 2023, the Fifth Circuit ruled that the “SEC acted arbitrarily and capriciously, in violation of the [Administrative Procedure Act], when it failed to respond to petitioners’ comments and failed to conduct a proper cost-benefit analysis.”

Instead of invalidating the rules immediately, the court directed the SEC to cure the identified deficiencies in the rule within 30 days, including requiring the SEC to “show that opportunistic or improperly motivated buybacks are a genuine problem.” The SEC sought more time to address the court’s concerns, but the court denied the request. On Dec. 1, 2023, the SEC’s Office of the General Counsel informed the court that it was unable to correct the defects in the rules within the allotted time frame. Accordingly, on Dec. 19, 2023, the court vacated the SEC’s share buyback rule.

*  *  *

Additionally, Kramer Levin issued alerts throughout the second half of 2023 on other significant developments in the corporate governance space, including with respect to cybersecurity regulations, regulatory efforts by the SEC and related case law developments, boardroom diversity, and efforts by the DOJ to reward voluntary self-disclosure. We briefly summarize these alerts below.

NY Department of Financial Services Finalizes Significant Amendments to Its Cybersecurity Regulations

On Nov. 1, 2023, the New York Department of Financial Services (NYDFS) adopted comprehensive amendments to its cybersecurity regulations (known as Part 500). The draft amendments were first published in July 2022 and finalized after three rounds of public comment. The amendments took effect on Dec. 1, 2023, with “transitional periods” of up to 24 months from the date of publication for covered entities to comply with certain provisions.

One of the biggest changes to Part 500 is the creation of a new class of covered entity called “Class A Companies.” A “covered entity” under the NYDFS is any person, partnership or other entity operating or required to operate under a license, registration, charter, permit or similar authorization under New York’s Banking Law, Insurance Law or Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies. The heightened requirements for Class A Companies include:

• Conducting annual independent audits of cybersecurity programs based on the covered entity’s risk assessments;
  
  
• Monitoring privileged access activity by implementing a privileged access management solution and automatically blocking commonly used passwords; and
  
  
• Implementing endpoint detection and response solutions to monitor and log potentially anomalous activity and security events.

Additionally, all covered entities must notify the NYDFS within 72 hours of any “cybersecurity event” that:

• Has a reasonable likelihood of materially harming any material part of the covered entity’s or its affiliates’ normal operations;
  
  
• Requires the covered entity to provide notice to another government body or other authority; or
  
  
• Involves ransomware deployment in the covered entity’s or its affiliates’ systems.

The amendments also require an annual review of internal policies and risk assessments, the creation of a senior governing body overseeing the covered entity’s cybersecurity program (by April 29, 2024), new responsibilities for chief information security officers (by Nov. 1, 2024), the development of written policies and procedures to maintain an asset inventory of information systems (by Nov. 1, 2025), and other requirements related to training, testing and access controls.

Related disclosures required under recently adopted SEC rules are described below under “SEC Finalizes New Cybersecurity Disclosure Rules.”

Second Circuit Narrows SEC Disgorgement Powers and Deepens Circuit Split

On Oct. 31, 2023, the Second Circuit substantially narrowed the scope of the SEC disgorgement powers to cases in which the SEC can demonstrate that investors suffered pecuniary harm. The decision in SEC v. Govil limits the SEC’s ability to seek disgorgement as a remedy in cases where investors have not suffered pecuniary harm. Such cases may include, for example, books and records violations, unregistered securities offerings or failure to register as an investment adviser. The decision also solidifies the Second Circuit’s split with the Fifth Circuit. On Dec. 15, 2023, the SEC filed a petition for a rehearing en banc before the full Second Circuit.

Diversity in the Boardroom: Fifth Circuit Rejects Challenge to the SEC Nasdaq Board Diversity Rules; En Banc Petition Quickly Filed

On Oct. 18, 2023, the U.S. Court of Appeals for the Fifth Circuit rejected challenges to Nasdaq’s “Board Diversity” framework. Those rules require Nasdaq-listed companies to report that they have, or explain why they do not have, diverse directors on their boards. In a unanimous opinion, the court held that the SEC acted within its authority to approve the rules. The three judges who heard the case were all appointed by Democratic presidents. On Oct. 25, the groups opposing the rules, the Alliance for Fair Board Recruitment and the National Center for Public Policy Research, filed a still-pending petition for a rehearing en banc before the full Fifth Circuit, whose overall membership is more conservative leaning.

SEC Adopts Amendments to Rules Governing Beneficial Ownership Reporting

On Oct. 10, 2023, the SEC adopted amendments to the rules governing beneficial ownership reporting under Sections 13(d) and 13(g) of the Securities Exchange Act of 1934. These amendments shorten the period for making both initial filings and amendments and require that certain information be presented in a structured data format. In addition, the SEC provided guidance on the treatment of cash-settled derivative securities and group formation under the beneficial ownership reporting rules.

DOJ Announces New Mergers and Acquisitions Safe Harbor Policy for Voluntary Self-Disclosures

On Oct. 4,2023, in remarks delivered to the Society of Corporate Compliance and Ethics’ 22nd Annual Compliance & Ethics Institute, Deputy Attorney General (AG) Lisa Monaco announced the DOJ’s new Mergers & Acquisitions Safe Harbor Policy. Under that policy, the DOJ will presumptively not prosecute acquirers that self-disclose and remediate wrongful activities discovered in arm’s-length merger transactions.

This announcement builds on the DOJ’s ongoing efforts to reward voluntary self-disclosure and to encourage corporate counsel and compliance officers to take a proactive role in ensuring compliance. In remarks last month previewing the DOJ’s cooperation policies, Principal Associate Deputy AG Marshall Miller emphasized that the DOJ wanted to avoid “deterring companies with good compliance programs from acquiring companies with histories of misconduct.” On the contrary, “[a]cquiring companies should not be penalized when they engage in careful pre-acquisition diligence and timely post-acquisition integration to detect and remediate misconduct at the acquired company’s business.”

The new policy underscores the need for effective compliance due diligence in M&A transactions and the benefits that such due diligence will yield when accompanied by prompt remediation and cooperation. In setting out specific deadlines and timing guidance, the DOJ provides greater certainty as to its cooperation expectations. But it remains to be seen whether that timing is in fact practical in complex and international transactions.

Supreme Court Grants Certiorari to Resolve Circuit Split on Whether SEC Disclosure Rule Triggers Section 10(b) Liability

On Sept. 29, 2023, the U.S. Supreme Court granted certiorari in Macquarie Infrastructure Corp. v. Moab Partners, L.P., to review a decision by the Second Circuit reviving an investor lawsuit alleging Section 10(b) and Rule 10b-5 violations predicated on a failure to make disclosures required under Item 303 of SEC Regulation S-K. This case presents significant questions regarding the scope of corporate liability under the securities laws and could potentially affect the nature and volume of investor lawsuits.

The Court’s decision to grant certiorari signals its willingness to resolve this divide among the appellate courts and clarify the extent to which an alleged Item 303 violation can serve as a predicate for Section 10(b) liability. This case is scheduled for argument on Jan. 16, 2024.

New York District Court Holds Late 13D Filing Can Lead to Private Damages Under Section 10(b)

On Sept. 29, 2023, Southern District of New York Judge Andrew L. Carter issued a decision denying Elon Musk’s motion to dismiss a securities fraud class action brought against him. The gravamen of the claim was that Musk violated Section 10(b) of the Securities Exchange Act (Exchange Act) when he failed to file timely a Schedule 13D publicly reporting that on March 14, 2022, he had acquired greater than 5% ownership of Twitter Inc. SEC rules require investors to file a Schedule 13D within 10 days of obtaining more than a 5% ownership interest of a public company’s shares, but the suit alleges that Musk did not file any disclosures until April 4, 2022, 21 days after crossing the 5% threshold and 11 days after his March 24 disclosure deadline, by which point he had acquired 9.1% of Twitter. The lead plaintiffs, representing a class of shareholders who sold their shares between March 24 and April 4, allege that Musk’s failure to file the required disclosure damaged them by artificially depressing the price of Twitter’s shares for those 11 days, which delay also allegedly saved Musk nearly $200 million on his additional share purchases.

Musk sought dismissal of the claim on the grounds that Section 13(d) of the Exchange Act, which sets out an investor’s obligation to disclose it had exceeded the 5% threshold, does not give plaintiffs a private right of action for damages, nor could a Section 13(d) violation be the basis for a Section 10(b) claim. In denying the motion to dismiss, Judge Carter held that a Section 13(d) violation could support a private Section 10(b) claim, observing that no Second Circuit case has yet addressed this specific issue, and permitted the plaintiffs to move forward with their complaint. This decision, which conflicts with a New Jersey federal district court decision, is one of the few to address whether a Section 13(d) violation can form the basis of a private Section 10(b) civil damages claim.

Investment Adviser Settles SEC Enforcement Action Concerning Alleged Misstatements Regarding ESG Investment Process

On Sept. 25, 2023, the SEC announced settled charges against registered investment adviser DWS Investment Management Americas Inc. (DIMA), a Deutsche Bank investment arm, in an enforcement action concerning DIMA’s misstatements regarding its environmental, social and governance (ESG) investment process. Without admitting or denying the SEC’s allegations, DIMA agreed to a cease and desist order and to pay a $19 million penalty for the purported ESG misstatements.

This enforcement action, which follows similar actions by the SEC against other investment managers, highlights the SEC’s continued interest in ESG-related disclosures and alleged “greenwashing.” The SEC’s focus on ESG disclosures underscores the need for asset managers that market ESG products to represent accurately and implement uniformly their written policies and procedures pertaining to their investment decisions. Asset managers should also be aware of the SEC’s recent adoption of amendments to Rule 35d-1, more commonly known as the “Names Rule,” under the Investment Company Act of 1940, described below.

SEC Adopts ‘Names Rule’ Changes

On Sept. 20, 2023, the SEC adopted amendments to Rule 35d-1, more commonly known as the “Names Rule,” under the Investment Company Act of 1940. These amendments are designed to broaden the scope of the Names Rule’s applicability and include updated disclosure and record-keeping requirements.

Currently, the Names Rule requires that a registered investment company whose name suggests a focus in a particular type of investment adopt a policy to invest at least 80% of the value of its assets in that investment. The amendments expand the Names Rule to require a broader scope of funds to adopt an 80% investment policy, including funds with names suggesting a focus in investments with “particular characteristics” — for example, terms such as “growth” or “value” or certain terms that reference a thematic investment focus, such as the incorporation of one or more ESG factors. These amendments apply in addition to the existing 80% investment policy requirement for funds whose names suggest a focus in a particular type of investment, industry, country or geographic region or a certain tax treatment.

The amendments also include a new requirement that a fund review its portfolio assets’ treatment under its 80% investment policy at least quarterly. Funds are required to comply with the 80% investment requirement “under normal circumstances.” Should a fund depart from compliance with its 80% policy, either due to portfolio drift or intentional departure, it will now have 90 days to return to compliance from when the departure is discovered, as opposed to the 30-day period initially proposed by the SEC. The SEC further adopted amendments to Form N-PORT (filed quarterly) to require a fund that is subject to an 80% investment policy to report whether, as of the end of the fiscal quarter, each investment in the fund’s portfolio is in that fund’s 80% basket and to report the value of the fund’s 80% basket as a percentage of the value of the fund’s net assets. 

The amendments to the Names Rule became effective on Dec. 11, 2023. Fund groups with net assets of $1 billion or more have 24 months to comply with the updated rule, and fund groups with net assets of less than $1 billion have 30 months to comply. The full text of the amended Names Rule, along with the SEC’s adopting release, can be found here.

SEC Finalizes New Cybersecurity Disclosure Rules

On July 26, 2023, by a 3-2 vote, the SEC adopted final rules enhancing disclosure requirements regarding public companies’ cybersecurity risk management, strategy, governance and incident reporting. These rules apply to all registrants, including business development companies. Registrants are required to provide these disclosures starting with annual reports for fiscal years ending on or after Dec. 15, 2023.

With respect to mandatory incident reporting, the final rules require, from and after Dec. 18, 2023, disclosure of “material cybersecurity incidents” in a Form 8-K under a new Item 1.05 that must be filed within four business days of determining that the incident is “material.” Companies must determine without “unreasonable delay” following discovery whether an incident is material. A materiality determination is a fact-specific inquiry that weighs the magnitude of the incident in light of total company activity. To date, only a handful of Item 1.05 Form 8-Ks have been filed.

The final rules also amend Regulation S-K to require annual disclosures describing a company’s cybersecurity risk management and strategy in Forms 10-K and 20-F, including “processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.” The SEC provides a non-exhaustive list of elements that should be included in these disclosures, including whether and how the company has integrated cybersecurity processes into its overall risk management system, whether it engages third parties such as consultants or auditors in connection with such processes, and whether it has processes in place to oversee material risks associated with any third-party service providers. Companies must also disclose which persons and committees hold cybersecurity responsibilities, explain the relevant expertise of such persons or committee members, and describe how they monitor the prevention, detection, mitigation and remediation of cybersecurity incidents. The final rules also require disclosure of whether such persons or committees report information about cybersecurity risks to their board of directors. 

Companies also need to disclose in Forms 10-K and 20-F whether any risks from cybersecurity threats, including as a result of prior incidents, have materially affected or are reasonably likely to materially affect the company, “including its business strategy, results of operations, or financial condition[,] and if so, how.” 

Supreme Court Grants Certiorari to Determine Constitutionality of SEC Administrative Law Process

On June 30, 2023, the Supreme Court granted certiorari in SEC v. Jarkesy to review a Fifth Circuit decision rejecting key aspects of the SEC’s administrative process and holding that the SEC’s administrative law proceedings are unconstitutional. This case presents significant questions regarding the SEC’s administrative practices and could potentially affect the administrative law process of many other government agencies.

In Jarkesy, a split panel of the Fifth Circuit vacated the decision of the SEC and remanded the case for further proceedings consistent with three groundbreaking holdings on the constitutionality of SEC administrative proceedings. In a significant rebuke to the SEC’s administrative law process, the court held that:

• The SEC had deprived the respondents of their constitutional right to a jury trial;
  
  
• Congress had unconstitutionally delegated legislative power to the SEC by granting the agency unfettered discretion in exercising the option to bring enforcement actions administratively before SEC administrative law judges (ALJs) instead of in federal district court; and
  
  
• Statutory removal restrictions insulating SEC ALJs are unconstitutional.

The court emphasized that the first two holdings were independently sufficient to provide grounds for vacating the SEC’s judgment. It therefore did not “decide whether vacating would be the appropriate remedy” for the third issue — the removal question — alone.

The Supreme Court granted the SEC’s petition for certiorari to review the Fifth Circuit’s decision and heard argument on Nov. 29, 2023. A decision is expected before summer 2024.