As one calendar year ends and the next begins, it is natural to look back to take an inventory of lessons learned and to look forward in an attempt to implement such lessons. The year 2012 certainly had its fair share of wisdom to absorb. Throughout this Corporate Communicator, we touched on a number of such topics, but below we discuss three areas noted during interactions with our clients this year.

SEC Comment Letter Process

Receiving a comment letter from the SEC is often old-hat for a CFO and GC of a public company. The SEC began publicly releasing correspondence between it and public registrants in 2005. In issuing comments to a registrant, the SEC staff may request that the company provide additional supplemental information so the staff can better understand the company’s disclosure, revise disclosure in a document on file with the SEC, provide additional disclosure in a document on file with the SEC, or provide additional or different disclosure in a future filing with the SEC. As any seasoned CFO or GC understands, there may be several rounds of letters from the SEC staff and responses from the filer until the issues identified in the staff review are resolved. Set forth below are some short tips regarding the review process:

• Public companies may want to consider implementing an official process and procedure related to the receipt of an SEC comment letter.
  • This process may contemplate immediate distribution of the comment letter to both internal and external working group members (e.g., accounting and legal departments, auditors and outside legal counsel) upon receipt from the SEC staff. Consideration may be given to identifying consistent points of contact for external parties.
     
  • Any comments that are unclear or not understood by the company can be clarified with the SEC staff.
     
  • Companies may want to ensure they meet designated response deadlines set forth in the comment letter (generally 10 business days) or to reach out to the SEC staff for an extension request if the response deadline is not feasible.
• Responses should be concisely drafted and specifically address each area of inquiry.
  • While the SEC staff has clarified that comment letters (1) are not an official expression of SEC views and (2) are limited to the specific facts of the filing in question and do not apply to other filings, many registrants and their outside legal counsel and accountants comb through SEC comment letters to get a sense of trends and SEC positions on specific topics. More often than not, your competitors and peers have received a similar comment from the SEC and there is often a compelling argument to not “reinvent the wheel” when crafting a response to a comment the SEC has made in prior comment letters.
     
  • A registrant should not necessarily assume that the SEC understands the company’s disclosure as well as the registrant. While seemingly an obvious point, this concept bleeds into various areas. For instance, if the SEC has commented on immaterial disclosure, or has made a comment that is misguided, the registrant may want to offer a detailed and cogent response that clarifies why this disclosure is immaterial or the staff’s comment is misguided. There may be a tendency of management to take the path of least resistance, which may not be the best course in the long run for the registrant. Like most disclosure issues, management must reach a balanced approach on such matters.
     
  • When applicable (it is typically clear from the staff comment), the registrant may want to make clear that it will include a requested disclosure in future filings. A failure to do so may result in an unnecessary follow-up comment.
     
  • Clearly citing specific rules, regulations or authorities relied upon in responses increases the likelihood of not receiving further staff comments.
• After response letters have been submitted, registrants may want to have a consistent follow-up process.
  • After submitting a response, it is acceptable to follow-up with the SEC staff any time after a 10-day business period has lapsed since the registrant’s response.
     
  • Some registrants avoid oral conversations with SEC staff unless absolutely necessary. Other registrants believe that oral conversations before and after response letters have been submitted open up the channels of communication and, if used judiciously, can alert the staff to registrant-specific issues like specific timing issues or matters unique to the registrant.
     
  • In the event the SEC staff indicates orally that the review is complete, the registrant may want to request a letter of confirmation, although we have found the SEC staff is fairly consistent in issuing its customary “no further comment” letters.

Director Compensation Litigation

Executive compensation, with all of its considerations for public companies, continues to be a subject that demands the attention of management and in-house counsel. Pages could be filled with germane executive compensation topics and elsewhere in this Corporate Communicator, we have addressed many of these salient topics such as compensation committee independence, ISS policy updates and Dodd-Frank rule making. In recent years, shareholder litigation related to executive compensation has arisen in the context of failure to obtain approval of Say-on-Pay advisory votes but courts have typically upheld the deference granted directors under the business judgment rule in the context of failed Say-on-Pay votes.

Ultimately, we continue to emphasize the need for “proper process” for boards and management in the context of compensation decisions and the related disclosure thereof. Below are a few take-aways in light of developments in 2012:

• Proper process may want to be used to determine compensation. For instance, boards may want to carefully consider the use of benchmarking and compensation consultants in not only executive compensation decisions but also director compensation decisions. Due diligence, based on guidance from compensation, legal and other experts, has become a must. Hindsight is 20/20 and it is substantially easier to second guess board decisions that were not based on objective criteria used by the company’s peers. Boards may want to take a step back from their deliberations and consider whether their process of decision making and the data used to come to such compensation decisions will look adequate in the glare of hindsight.
• It goes without saying that public companies may want to have a good process in vetting the adequacy of annual proxy disclosures. Careful thought may want to be given to get adequate feedback from within and outside of the company. Shareholder litigation inherently focuses not only on board process but the adequacy and correctness of disclosures.
• Finally, given the overwhelming scrutiny boards of public companies face in the current regulatory and shareholder climate, it is a wonder why so many qualified individuals still want to serve on public company boards. Some public companies are finding it difficult to recruit and retain qualified directors who meet all the criteria public companies desire in this age of specialization, diversity, independence, etc. The upshot is that when a public company finds the correct mix on its board, it is imperative that compensation for directors be set to retain such directors in light of the current demands that such service requires. We believe that the upward trends in director compensation reflect these realities.

Technology Risks

Technology in all its forms (be it social media, mobile devices, remote access or its many other iterations), presents multiple challenges for public companies. Below we address two areas of technology concerns that continued to inundate the news in 2012: (1) social media and (2) cyber security.

• Social media (e.g., Twitter, Facebook, LinkedIn, etc.) have become a significantly integrated part of our personal and professional lives in a very short amount of time. Some public companies have embraced the benefits of social media while many have taken a “wait and see” approach. Many commentators are concerned that public companies have not developed sufficient policies and procedures and, possibly more important, risk assessments related to social media concerns. These policies can address simple issues related to employee access to social media in the workplace to more nuanced issues related to how the company intends to utilize social media to its advantage. Management and boards of public companies may want to make social media a recurring part of the dialogue related to technology concerns at their company—not just from a risk perspective but also from a business growth perspective. Late in 2012, the SEC’s Enforcement Staff entered the fray by issuing a Wells Notice to Netflix and its CEO over a Facebook post about the aggregate number of hours people were viewing Netflix content. This action may severely chill the use of social media as a means to provide the investor community material disclosures. This is particularly true since many in the legal community have had reservations regarding the use of social media as a form of disclosure for public companies.
• As public companies continue to evolve with technology, boards are focusing more and more on cyber security.^[8] In 2012, boards of multiple notable public companies were forced to address cyber breaches at their companies. These concerns regarding cyber breaches will be more relevant as companies continue to integrate remote access and data sharing technologies.
• The SEC has existing disclosure guidance regarding these risks.^[9] While this guidance is ostensibly “advisory” in nature, in 2012, the SEC made disclosures regarding cyber security a point of review in connection with SEC comment letters on public filings and more than a few companies received comments from the SEC on issues related to cyber security. One thing we can count on in future years is increased regulation/attention in this area^[10] and increased potential litigation for companies who fall prey to cyber security breaches. Hence, boards may want to continue to make cyber security concerns a focus of oversight, particularly as it relates to contingency plans and adequacy of existing insurance.
• For example, general liability insurance policies may prove to be inadequate in the event of a material cyber-security breach and boards might consider purchasing specific cyber insurance covering the company and third-party exposure, as well as ensuring that the company’s D&O insurance covers cyber-related claims based on allegations of securities fraud, breach of fiduciary duty and alternative theories of liability.
• Like oversight in all significant areas of concern for a public company, board oversight with respect to cyber security is about proper process. Boards may want to discuss issues regarding cyber security on a regular basis at a board level and may rely upon consultants, experts and even management in its role of oversight, paying particular attention to sufficiency of the company’s overall cyber security plans and resources.

^[1] This requirement added Section 10C to the Securities Exchange Act of 1934 (Exchange Act). [back]

^[2] However, smaller reporting companies are not completely exempt from the proposed rules promulgated by the exchanges. More details are provided in the comparative chart below. [back]

^[3] Section 10C(c)(2)(A) of the Exchange Act. [back]

^[4] Reported November 26, 2012. [back]

^[5] Andrew Ackerman, “SEC Gives Up On Web Schedules For Dodd-Frank Rules,” The Wall Street Journal, September 17, 2012. [back]

^[6] See paragraphs (c)(2)(B), (d)(3) and (e)(3) of NASDAQ Rule 5605. [back]

^[7] Whether the grants at issue were entirely fair was not decided and remains a question to be determined at trial. [back]

^[8] “Legal Risks on the Radar,” Corporate Board Member, 2012 Law and the Boardroom Study, August 13, 2012. [back]

^[9] http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm [back]

^[10] http://online.wsj.com/article/SB10000872396390443720204578004690006299614.html