This newsletter discusses noteworthy updates, key regulatory decisions and upcoming compliance reminders. You are welcome to contact us to discuss any of the topics. In this edition, we review:

Cybersecurity Disclosures for Reporting Companies

CEO Pay Ratio: How to Handle an Unflattering Result.

ISS Updates U.S. Proxy Voting Research Procedures & Policies FAQs

______________________________________________________________________________

Cybersecurity Disclosures for Reporting Companies

In our most recent Bryan Cave CLE Seminar “Current Issues Facing Public Companies,” Brendan Johnson presented on the disclosure obligations for reporting companies as they relate to cybersecurity and cyberattacks, sharing three takeaways for reporting companies:  (1) evaluate the risks of cyberattacks; (2) understand evolving SEC guidance related to cyber disclosures; and (3) plan ahead for disclosure analysis in the event of a cyber incident. These takeaways are all the more relevant in light of the SEC’s February 21, 2018 guidance for public companies on cybersecurity.

Evaluate the Risks.  In a statement issued on September 20, 2017 and reiterated in the February 2018 guidance, Chairman Jay Clayton outlined the risks of cyberattacks, including denials of service and destruction of systems (which can impede important market functionalities), loss or exposure of consumer data, theft of intellectual property, and regulatory, reputational and litigation risks.  He underscored the fact that remediation costs are increasing.  Companies should consider all of these risks and related potential costs as companies assess whether they are likely to meet the “materiality” threshold warranting disclosure – both in advance of an incident and in the event of an incident. 

Understand Evolving SEC Guidance.  On February 21, 2018 the SEC released its most recent statements on cybersecurity issues for public companies.  Much like Chairman Clayton’s September 2017 statement, the SEC stated that this new guidance on public company cybersecurity disclosures reinforces and expands upon the continuing relevance of CF Disclosure Guidance: Topic No. 2, released by the SEC on October 13, 2011 in connection with cybersecurity disclosures.  Companies were reminded to review and provide appropriate risk factor disclosures and business descriptions which reflect the particular cyber risks and profile of the company.  The February 2018 guidance also focused on the importance of maintaining disclosure controls and procedures which include cybersecurity information to ensure timely reporting of material information and the requirement that reporting companies consider insider trading policies and prohibitions in the event of a cyber incident.  The February 2018 guidance also referenced the risk management responsibilities of boards of directors and the related disclosure requirements of Item 407(h) of Regulation S-K. 

Plan Ahead.  Given the prevalence of cyberattacks, companies should anticipate a cybersecurity event and game plan the response in terms of disclosure.  A cybersecurity event is not an enumerated trigger for a Form 8-K filing; however, a company could report such an event under Item 7.01 as “Regulation FD Disclosure” or Item 8.01 as an “Other Event.”  Furthermore, both the New York Stock Exchange and the NASDAQ require companies to report material news to the market on a timely basis, which may include information regarding cyber incidents.  There is plenty of room, nevertheless, for a company to determine in good faith that a specific cybersecurity event does not require separate disclosure, and companies should consider advantages and disadvantages of early disclosure when determining how and when to disclose.  All public companies with material cybersecurity risks should have a plan in place for appropriate analysis with the appropriate decision makers well in advance of a cyber incident. 

CEO Pay Ratio: How to Handle an Unflattering Result.

The executive pay ratio rule, which the SEC adopted rules for in 2015 as part of the 2010 Dodd-Frank Wall Street Reform and Consumer Act, is forcing companies to consider how best to disclose unfavorable ratios related to CEO compensation.

Comparisons of pay ratio results within industry and peer groups are already starting to appear in popular media.  Bloomberg has tracked the CEO pay ratio of S&P 500 and Russell 1,000 companies according to each company’s economic sector.  In future years all companies, and especially those that compare poorly to industry competitors, must decide how to disclose and explain their pay ratios.

While the pay ratio rule is intended to increase transparency into executive compensation, executive compensation disclosure overall has grown increasingly complex in recent years and stand-alone ratios may not always tell a company’s entire story.  The SEC has acknowledged these concerns.  In September 2017, the SEC and the SEC staff issued helpful guidance emphasizing that the pay ratio rule provides for flexibility.

Importantly, companies are allowed to craft a narrative around their ratio in order to shed light into contributing factors.  What follows is a brief synopsis of flexibility within the executive pay ratio rule and methods of contextualizing the ratio that have been observed in the first year of implementation.

Calculation and Flexibility

The pay ratio rule requires companies to disclose the ratio between the median of the annual total compensation of all employees compared to the annual total compensation of the CEO.  However, companies are permitted to use several different methods to find their median employee.  This includes using the total employee population, statistical sampling, or other reasonable methods, which must be disclosed if implemented.  The rules also allow for specific circumstances that employees may be excluded from the employee calculation:

• Directors, independent contractors, “leased employees” and workers employed by, and whose compensation is determined by, third parties are excluded.
• If a company’s non-U.S. employees account for 5% or less of its total employees, the company may exclude these non-U.S. employees, but if some non-U.S. employees are excluded, then all non-U.S. employees must be excluded. If a company’s non-U.S. employees exceed 5% of its total employees, it may exclude up to 5% of its total employees who are non-U.S. employees.
• Any employees obtained in a business combination or acquisition for the fiscal year that the transaction becomes effective may be excluded; however, the company must identify the acquired business and disclose the approximate number of employees it is excluding.
• In certain circumstances non-U.S. employees from countries with data privacy laws or regulations that make companies unable to comply with the rule may be excluded.

Disclosure Considerations

Although the SEC requires disclosure of the mandated pay ratio, companies are given flexibility in how they present the information and are allowed to provide context.  This leaves companies with critical decisions as they navigate these unchartered waters.  Early results from fiscal year 2017 filings suggest pay ratio disclosure will evolve, especially as an adaptation to a sub-par ratio.  Companies with disappointing ratios should consider implementing the following strategies.

Strategy 1 – Include a Supplemental Ratio

The SEC allows companies to provide supplemental ratios to provide context for investors.  For example:

• Sears Holding Corporation, with a ratio of 264:1, provided on a supplemental basis that when considering only salaried employees it had a pay ratio of 66:1;
• Six Flags Inc., with a ratio of 1,920:1, disclosed that due to the extreme seasonality of its business some of its employees only work one or two months a year and therefore provided an estimated supplemental pay ratio of 247:1 (which only included full-time employees);
• Williams-Sonoma, Inc. disclosed an SEC required pay ratio of 1,477:1, along with a supplemental ratio of 372:1, which excluded permanent part-time, temporary and seasonal employees.

In addition, companies may also consider whether to add the following ratios to provide additional context to their required pay ratio:

• A pay ratio excluding bonuses, incentive compensation, or one-off equity awards.
• A ratio excluding all oversees employees.
• A ratio excluding all part time employees.

Strategy 2 – Include Supplemental Textual Information

Companies are also permitted to provide supplemental textual explanations.  This can include information about how the employment policies or corporate structure of the enterprise effects the pay ratio, information about opportunities for advancement and career development programs for lower wage employees, or simply more personal information about the median employee.  For example, McDonald’s Corporation disclosed that its median employee in 2017 was “a part-time restaurant crew employee located in Poland.”  Likewise, Mondelez International, Inc., noted that out of the nearly 100,000 employees in more than 80 countries around the world, most are hourly, many are part time or seasonal and 82% are located outside of the U.S.  Companies may also consider the following information to provide a narrative around how they reached their ratio:

• Provide a more detailed description of the median employee.
• Provide a more detailed description of the location of the median employee.
• Provide a disclaimer instructing shareholders that pay ratio comparisons may not be an accurate comparison among “peer companies.”

Strategy 3 – Location Augments Context

Finally, the SEC has no requirements for where the pay ratio must be disclosed in the required disclosures of the proxy statement and/or 10-K.  Companies should strategically consider where the pay ratio would best be positioned.  Many companies have included the pay ratio at the end of the Compensation and Discussion Analysis (CD&A) section of the proxy statement.  This placement allows the reader to be introduced to major themes or drivers affecting CEO pay before consideration of the pay ratio.  We anticipate over time companies will present pay ratio information earlier within the CD&A presentation as Compensation Committees begin to consider the pay ratio of competitor/peer companies and discuss the value (if any) of executive pay ratio in each Committee’s compensation philosophy.

Companies should strategically consider how they can provide a positive narrative around their disclosure, regardless of the pay ratio number.  Contextualizing the executive pay ratio may be achieved by adding supplemental ratios, providing additional textual information and strategically locating the ratio within the required disclosure.

For more information about this update, please contact a member of Bryan Cave’s Securities Team or one of the authors of this newsletter.

ISS Updates U.S. Proxy Voting Research Procedures & Policies FAQs

Recently Institutional Shareholder Services (“ISS”) updated its U.S. Proxy Voting Research Procedures & Policies Frequently Asked Questions.¹  In the last year, ISS tightened its policies on certain substantive areas covering responsiveness of the board of directors on majority-supported shareholder proposals, recommendations on poison pills and unilateral bylaws and charter amendments, as well as gave additional information about how to engage ISS regarding proxy reports and research analysts.  Noteworthy updates over the past year are described in greater detail below.

Governance Matters

Exception to Attendance Policy for Newly-Appointed Directors.  ISS modified its policy on disclosure of attendance of newly-appointed directors to provide that such directors generally are exempted from a negative vote if they attended fewer than 75% of the board and committee meetings for the period for which they served, or if the disclosure is unclear as to whether they attended 75% of such meetings. Previously issuers had to disclose that new directors missed meetings due to scheduling conflicts.

Majority-Supported Shareholder Proposals.  ISS clarified its policy on proxy access proposals to provide that board-implemented provisions, which provide broad and binding authority of interpretation, while problematic, may not void the board’s right of interpretation on its own but will be considered in connection with other problematic provisions.

Poison Pills.  ISS policy is to recommend against director nominees at issuers holding a long-term poison pill that has not been ratified by its shareholders.   The policy no longer grandfathers pills adopted or renewed prior to November 19, 2009. 

If an issuer adopts a poison pill before it goes public, and if such pill was not put to a binding shareholder vote at the first shareholder meeting, ISS will recommend a withhold or negative vote against all director nominees.  Issuers no longer have the additional option of committing to put the pill up to a vote within 12 months following the IPO.

ISS suggested that issuers could terminate poison pills prior to their expiration dates by accelerating the expiration dates to avoid the costs of redemption.

Unilateral Bylaws/Charter Amendments.  For newly-public companies, the adoption of a multi-class structure, classified board, and/or supermajority vote requirements generally will result in an ISS recommendation of withhold or negative vote against the director nominees.  Fee-shifting provisions also result in continued withhold recommendations.

Governance Failures.  ISS’s Governance Failures policy is designed to catch one-off egregious actions that are not covered under other policies.  If a type of action applies to a large number of issuers or persists year after year, ISS generally will break such action out into its own standalone policy.  In 2018, ISS added as standalone policies:  1) excessive pledging, and 2) the failure to opt out of state statutes requiring classified boards.  ISS recently has been recommending against the director nominees of issuers incorporated in states requiring a classified board of directors where the issuer has not opted out of such requirement.

Procedural Matters

Proxy Reports.  ISS generally issues U.S. proxy reports to issuers between 13 and 30 calendar days before the shareholder meeting.  Issuers may access their own proxy reports through Governance Analytics, a web-based platform hosted by ISS Corporate Solutions (“ICS”), by submitting a request through the ISS Help Center.  Proxy reports are provided to issuers free of charge subject to the following conditions: 

• Proxy reports are only for an issuer’s internal use by its employees; and
• The issuer is prohibited from making the report, or any portion thereof, public or sharing the report, profiles, or login credentials with any external parties, including shareholders and external advisors retained by the issuer, such as law firms, proxy solicitors and compensation consultants.²

Factual Errors. If an issuer believes a proxy report contains an error, the issuer should submit the matter through the ISS Help Center.  If ISS agrees that a change or correction is required, it will issue a proxy alert to its clients.  

Change of a Vote Recommendation.  ISS will not disclose or guarantee a vote recommendation or change of vote recommendation to the issuer in advance of the proxy report.  Instead, ISS will determine if any new information disclosed by the issuer warrants an update to the report or voting recommendation, and if so, ISS will issue a proxy alert featured at the head of the reissued proxy report.  If an issuer is filing additional information on the issuer’s website or on EDGAR, the issuer must inform ISS of such filing at least five business days prior to the shareholder meeting.

Engagement of a U.S. Research Analyst.  Issuers should submit a request for engagement with the U.S. research analysts through the ISS Help Center, including an agenda, list of participants, and preferred dates and times.

ISS accepts engagement requests at its sole discretion and prioritizes engagements with issuers with substantive governance issues.  Engagements requested for non-contentious meetings generally are scheduled between August and February, before the U.S. proxy season begins.  With respect to engagements regarding contentious meetings, ISS generally will engage both sides once the proxy materials are released. All discussions with ISS are on-the-record and material non-public information should not be disclosed.  ISS analyses are based on publicly-available information, and therefore, information provided by issuers should either be already publicly-available to all shareholders or will be disclosed in the issuer’s filings for the upcoming shareholder meeting. 

While the ISS research team is never in “blackout” with respect to contact with issuers, issuers should be aware that there is a blackout period for ICS during the period from the filing of the proxy through the date of the shareholder meeting.  Due to the firewall between ISS and ICS, issuers should not mention any contact with ICS, disclose any information obtained from the purchase of ICS services or products, or identify the issuer as an ICS client.

1. ISS updated the U.S. Proxy FAQs on March 29, 2018 and April 9, 2018.  These updates were the most recent since the April 20, 2017 update.

2. Such restriction on sharing of published proxy reports with external advisors does not apply to draft reports provided for review by the issuer. 

[View source.]