In April 2017, the U.S. Securities and Exchange Commission’s (SEC’s) Division of Corporate Finance announced it will not recommend enforcement action for companies that disclose, but do not further investigate usage of conflict minerals which may be from the Democratic Republic of Congo (DRC). Any company manufacturing or contracting to manufacture products using such minerals had previously been required to conduct extensive due diligence on its supply chain and make this diligence publicly known with a note that its products contained minerals which “have not been found to be ‘DRC conflict free.’” However, following a series of partial losses in court, the SEC appears to be backing off the rule—for now.
The Conflict Minerals Rule and Disclosure Requirements
A provision in the Dodd-Frank Act aims to cut off funding sources for armed rebel groups in the DRC and surrounding countries in central Africa. It requires companies manufacturing products containing certain minerals to conduct supply chain audits and disclose if those minerals were known to have originated in the DRC or adjoining countries. The SEC, as the enforcer of this provision, issued a rule requiring issuers of securities who filed reports with the SEC under Sections 13(a) or 15(d) of the Securities Exchange Act of 1934 and who manufactured or contracted to manufacture a product in which the defined conflict minerals were a necessary part, to file a separate special disclosure form, Form SD. Although these obligations were placed on manufacturing issuers, in practice, the diligence requirement was imposed on others in the supply chain because many manufacturers required their supply chain partners to certify origin of minerals and compliance with the rule.
When Form SD was first issued, items 101(a) and (b) required companies using conflict minerals to attempt to identify the country of origin of those minerals. If after conducting a “reasonable country of origin inquiry” the company determined that the country of origin was neither the DRC nor an adjacent country, it had to disclose this finding (and a description of the country of origin inquiry conducted) on its website as well as to the SEC. Per item 101(c) of Form SD, if a company’s minerals may have originated in either the DRC or its neighboring countries, the company was required to conduct additional, more extensive due diligence, and then file and publish a conflict minerals report. This report had to include a description of the company’s due diligence efforts, certified results of an independent private audit, and a list of planned changes as a result of the audit. In the report and on its website, companies also had to describe which products had “not been found to be ‘DRC conflict free,’” although for the first two years of enforcement they could use the label “DRC conflict undeterminable.”
The National Association for Manufacturers challenged these regulations on both procedural and constitutional grounds. After the district court granted the SEC summary judgment, the Association appealed to the U.S. Court of Appeals for the DC Circuit. Ultimately, the appeals court found that forcing companies to note whether or not their products are DRC conflict free was unconstitutional under the First Amendment. The case was remanded to the U.S. District Court for the District of Columbia, which issued its final judgment in April 2017 and set aside the part of the rule that requires companies to add language that their products are “DRC conflict free” or “have not been found to be ‘DRC conflict free.’” Citing both the court decision and the unclear efficacy of the rule, SEC Chair Michael Piwowar reopened comments and the SEC stayed the compliance portions of the rule pending the conclusion of litigation. The SEC announced it would not pursue enforcement actions against companies that only complete Form SD items 101(a) and (b) and do not pursue more extensive diligence on sourcing or secure an independent audit. The SEC has taken the view that the purpose of item 101(c) of Form SD and the related conflict minerals reports was to determine the status of conflict minerals by requiring the “conflict free” or “not conflict free” labels, and that these measures and the requirements for more detailed due diligence are in need of re-evaluation and clarification given recent court rulings on this matter.
Although companies are not currently expected to conduct the extensive due diligence envisioned by item 101(c) of Form SD, they are still expected to conduct in good faith a reasonable country of origin inquiry and disclose this information to the SEC and the public. Companies and boards still need to ensure there are effective diligence programs in place that allow reasonable inquiry into supply chain partners and components, particularly if conflict minerals are necessary to any product the company manufactures. By statute, the SEC is required to issue a rule relating to due diligence for conflict minerals. Although the “conflict free” labeling requirement has been eliminated, the question remains whether conflict minerals reports, in their current form, are otherwise valid. The SEC is currently developing its future enforcement recommendations with respect to the rule.
In the interim, companies should continue to ensure effective supply chain diligence mechanisms are in place that allow them to confirm where components, particularly conflict minerals, are sourced. To the extent that auditing or diligence measures had already been put into place prior to the final judgment and SEC announcement, companies may want to continue to implement these measures given the lingering uncertainty about future application of the rule. Companies also have the ability to submit comments on the rule to the SEC and should make their views known to influence future enforcement on this issue.
At Baker & McKenzie, Joan Meyer is a partner and chairs the North America Compliance, Investigations & Government Enforcement Practice Group. Reagan Demas is a partner and Maria McMahon is a professional support lawyer in the North America Compliance, Investigations & Government Enforcement Practice Group in Washington, DC.
The major cyber breach that Yahoo announced last week has ripple effects not only for the multimedia platform, but for every company. The incident already has caught the attention of a senator who is calling on the U.S. Securities and Exchange Commission (SEC) to investigate how Yahoo disclosed the breach to shareholders and the public.
Ashley Marchand Orme
Background on the Breach
Account data for at least 500 million users was stolen by what Yahoo has called a “state-sponsored actor” in what CNN Money calls one of the largest data breaches ever. Compromised information includes names, email addresses, phone numbers, dates of birth, encrypted passwords, and security questions.
Yahoo has not named a country of origin for the hacker. The company, which Verizon is seeking to acquire, is still one of the busiest online sites, boasting one billion monthly users.
The breach occurred in late 2014, according to Yahoo, but the company just disclosed the incident in a press release dated Sept. 22, 2016. The Financial Times reports that Yahoo CEO Marissa Mayer may have known about the breach as early as July of this year, raising questions as to why it wasn’t disclosed sooner.
Attention From Lawmakers
Sen. Mark R. Warner (D.-VA), a member of the Senate Intelligence and Banking Committees and cofounder of the Senate Cybersecurity Caucus, sent a letter to the SEC yesterday asking the agency to investigate whether Yahoo complied with federal securities law regarding how and when it disclosed the incident.
“Data security increasingly represents an issue of vital importance to management, customers, and shareholders, with major corporate liability, business continuity, and governance implications,” the senator wrote.
Warner—who cofounded the company that became Nextel, a wireless service operator that merged with Verizon—also told the SEC that “since published reports indicate fewer than 100 of approximately 9,000 publicly listed companies have reported a material data breach since 2010, I encourage you to evaluate the adequacy of current SEC thresholds for disclosing events of this nature.”
And Warner isn’t the only lawmaker pushing for increased cyber regulations. Earlier this month, New York Governor Andrew Cuomo (D-NY) announced proposed cybersecurity regulations to increase the responsibility of banks and insurance companies to protect their information systems and customer information. The regulations, if adopted, would apply to companies regulated by the New York Department of Financial Services (NYDFS) and would require them to—among other steps—establish a cybersecurity policy and incident response plan. Companies would also have to notify the NYDFS within 72 hours of any cyber event that is likely to affect operations or nonpublic information.
The Boardroom Response
Any company—whether public, private, or nonprofit—can fall prey to a breach, and even companies with formal cybersecurity plans can find themselves the victims of a breach. Preliminary data from the 2016-2017 NACD Public Company Governance Survey show what corporate directors are already doing to oversee cyber-related risks.
When asked which cybersecurity oversight practices the survey respondents’ boards had performed over the past 12 months—and directors could select multiple answers—the most common responses included:
Reviewed the company’s current approach to protecting its most critical data assets (76.6%)
Reviewed the technology infrastructure used to protect the company’s most critical data assets (73.6%)
Communicated with management about the types of cyber-risk information the board requires (64.4%)
Reviewed the company’s response plan in the case of a breach (59.3%)
“Corporate directors should ask management for an accurate and externally validated report on the state of the organization with respect to cyber risk,” said Robert Clyde, a board director for ISACA, which is a global IT and cybersecurity professional association, and White Cloud Security. “They should also ask what framework is being followed for IT governance.”
Aside from high-profile breaches of emails and email providers, Clyde says that breaches related to ransomware are increasing.
“Ransomware encrypts data that can only be decrypted by paying the attacker a fee in Bitcoins. According to the NACD Cyber-Risk Oversight Handbook and many other organizations, the key control to reduce the risk of attack—including ransomware—is restricting user installation of applications, called ‘whitelisting’ or ‘Trusted App Listing,’” Clyde said. “Yet this highly recommended control is rarely implemented. Boards should ask organizations for their plans to implement this specific control.”
NACD recently announced a new online cybersecurity learning program for directors. The multi-module course aims to enhance directors’ understanding of cybersecurity, and the difference between the board’s and management’s responsibilities related to cyber risks. Participants in the program, which is the product of partnership between NACD, Ridge Global, and the CERT Division of Carnegie Mellon University’s Software Engineering Institute, will work through a cyber-crisis simulation and take a comprehensive exam. Successful completion of the program will earn the participant a CERT Certificate in Cybersecurity Oversight.
The release asserts that current disclosure rules may not mandate enough disclosures about activities of audit committees in the reports they make in annual proxy statements and explores possible disclosure mandates in several areas—most of them pertaining to the external auditor. The areas outlined are as follows:
Audit Committee’s Oversight of the Auditor
Audit Committee’s Process for Appointing or Retaining the Auditor
Qualifications of the Audit Firm and Certain Members of the Engagement Team Selected by the Audit Committee
Location of Audit Committee Disclosures in Commission Filings
Smaller Reporting Companies and Emerging Growth Companies
In addition to these areas, the SEC asks for comment on the possible need for disclosures on accounting and financial reporting process or internal audits and invites comment on the scope of audit committee work.
Throughout the 55-page release, the SEC asks questions—74 in all—seeking the views of interested parties, such as audit committee members and investors, on what disclosures would be valuable. All but two of these questions pertain to oversight of the independent auditor.
2. What exactly is a concept release?
A concept release is an early indication that an agency is thinking about a matter and may issue new rules or standards on it. Any agency may issue a concept release. This current SEC concept release is the only one issued so far in 2015, and it is the first SEC concept release issued since 2011. (There were no SEC concept releases at all from 2012–2014.) While there are no recent studies showing the correlation between concept releases and rulemaking, we can assume that new rulemaking may follow. In this sense, concept releases are not the same as interpretive releases, which interpret new laws or court decisions, or policy statements, which clarify the SEC’s positions on particular matters.
3. How does this SEC concept release fit into the SEC’s overall “disclosure effectiveness initiative”?
The release is aimed at improving audit committee disclosures in concert with the stated goal of the SEC’s ongoing disclosure effectiveness initiative, described in a recent NACD Directorship article. Under this initiative, the SEC’s Division of Corporation Finance is reviewing the disclosure requirements under Regulation S-K (regarding company disclosures generally) and Regulation S-X (regarding company disclosures in financial statements) to “facilitate timely, material disclosure by companies….” So far the SEC has focused on the forms 10-K (annual report), 10-Q (quarterly report), and 8-K (updates). Later phases of the project will cover the compensation and governance information in proxy statements.
If the SEC’s new concept release on audit committee disclosures leads to rules mandating additional disclosures that are not material to investors, it would operate against the goals of the initiative. As SEC Chair Mary Jo White said in her keynote speech at NACD’s fall conference two years ago, “[w]e must continuously consider whether information overload is occurring as rules proliferate and as we contemplate what should and should not be required to be disclosed going forward.”
4. Has NACD commented on the SEC’s concept release?
Yes. On Sept. 8, 2015, the NACD submitted a comment letter affirming the importance of improved disclosures. However, the letter also argues that the choice of what to disclose should be up to audit committees themselves because they are in the best position to describe how they are fulfilling those duties. The NACD letter cautions that information should only be included in a proxy statement (or any other disclosure for that matter) if it would be useful to investors.
In the letter, NACD proposes that audit committees take voluntary action by finding new ways of disclosing the broad scope of their work. NACD has also offered to convene a meeting between the SEC and audit committee leaders in order to accomplish this.
The NACD letter followed a more detailed comment submitted to the SEC on Aug. 3, 2015, by Dennis Beresford, a member of the NACD board of directors, an experienced director and audit committee leader, and the former chair of the Financial Accounting Standards Board (FASB).
In his letter, Mr. Beresford states that the concept release focuses too heavily on the audit committee’s relationship with the auditor, which he says is important but should not dominate the committee’s work. He notes that of the 74 questions asked in the release, all but the last two focus on this topic.
Based on his experience, Mr. Beresford suggests that audit committee reports need to cover a wider range of topics, as suggested by the Audit Committee Collaboration, a group that includes NACD. In order of priority, these topics include:
Scope of duties (as referenced in the audit committee charter).
Committee composition (especially information on qualifications of the “audit committee financial expert”).
Oversight of financial reporting (highlighting how the committee is assessing the quality of financial reporting).
Oversight of independent audit (selection of the audit firm and lead engagement partner, and compensation, oversight, and evaluation of the audit firm). Mr. Beresford argues that the disclosure of the lead engagement partner’s name is unnecessary. [This is the subject of a separate Public Company Accounting Oversight Board (PCAOB) release on Rules to Require Disclosure of Certain Audit Participants on a New PCAOB Form.]
Risk assessment and risk management (which is often assigned to the audit committee).
Information technology (such as cybersecurity, which is also often assigned to the committee).
Internal audit (namely, internal audit plan review and results).
Legal and compliance (such as any discussions with legal counsel).
This list of possible topics for voluntary audit committee disclosures accords with NACD’s own publications on audit committee work. These subjects are frequently discussed in meetings of our Audit Committee Chair Advisory Council and in the webcasts and gatherings we produce with KPMG’s Audit Committee Institute.
Notably, Mr. Beresford warns against turning these subjects into mandatory “check-the-box” disclosures. Because audit committee reports are still in an early stage of development, he hopes “that the SEC allows them to continue to develop largely as ‘best practices’ without becoming overly prescriptive [emphasis added].” Regarding disclosure of the name of the lead engagement partner, he says that this should be left to the discretion of audit committees: “If they felt it would be useful to investors, they could include it in their reports in the proxy statement.”
5. Are there any other agency concept releases that audit committee members should know about?
Yes. On July 1, 2015, the PCAOB issued a concept release on Audit Quality Indicators (AQIs) with a comment deadline of Sept. 29, 2015. The release notes that “[t]aken together with qualitative context, the indicators may inform discussions among…audit committees and audit firms.”
NACD does not plan to comment on this release. However, we note that NACD member J. Michael Cook, chair of Comcast’s audit committee, together with Comcast’s executive vice president and chief accounting officer, Lawrence J. Salva, sent a comment letter advising the PCAOB of their views: “We encourage the PCAOB to be judicious with regard to the number of recommended AQIs, as we believe too many AQIs would lessen their impact. As you have previously noted, audit committees have many responsibilities and a limited amount of time, and as you are aware, audit quality requires more than measurable indicators; skepticism and independence are necessary to turn quantifiable indicators into real audit quality.”
6. What is the key takeaway from the SEC and PCAOB concept releases for audit committees?
The SEC and PCAOB are being proactive on the audit committee front. The SEC wants audit committees to say more about their activities in the proxy statement, and the PCAOB wants audit committees to use specific metrics to judge the quality of audits. Comments from the director community have pointed out the importance of ensuring that disclosures are material and that metrics are useful. In response to these two concept releases, audit committee leaders and members might consider taking two main actions:
Review disclosures and their metrics to ensure they are useful.
Reach out to the SEC and PCAOB to express views on these matters.
A Final Word
SEC and PCAOB regulators strive to strengthen the U.S. economy through enlightened rulemaking, but they cannot do it alone. They need to hear the voice of the director. NACD members can make a positive difference in this regard.