January 17, 2020

SEC Risk Factors: A Single Wrong Word Could Cost Millions

Thomas A. Sporkin, Meredith Leeson

IN BRIEF

  • The Securities and Exchange Commission recently proposed to simplify crucial corporate disclosures regarding legal proceedings and risk factors.
  • However, the proposed standards do not go far enough to clarify what constitutes accurate disclosures given the SEC’s actual enforcement message.

The Securities and Exchange Commission recently proposed to simplify crucial corporate disclosures regarding legal proceedings and risk factors by moving toward a more principles-based approach; yet, the SEC continues to pursue big-dollar enforcement actions that offer filers little clarity about what precisely constitutes accurate disclosure of their risk factors.

Weighing materiality and the potential for liability are traditionally hazy areas that have tripped up a number of companies, including most recently:

  • Mylan NV, which agreed to pay $30 million because it calculated as “remote” rather than “reasonably possible” the likelihood that a government investigation would impose a substantial liability on the company
  • Facebook, whose use of the word “may” rather than “have” in its risk-factor disclosures about customer data likely cost the company $100 million
  • Altaba Inc. (formerly known as Yahoo!), which reached a $35 million settlement last year with the SEC for its tardy disclosure of a data breach

These settlements all point to a heightened focus on analyses of materiality and probability in SEC risk-factor disclosures, which often hinge on standards that are subject to wide variances of interpretation: Is the risk material? Is the liability probable? Is the fact significant? How is a company supposed to communicate to shareholders about the likelihood of adverse consequences?

Slippery Standards

The SEC offers guidance on disclosure descriptions and best practices in performing analysis, but the way in which courts and the SEC have applied the standards has often confounded filers. It may seem black or white to a class-action plaintiff or the SEC looking in hindsight to determine whether a data breach occurred or whether litigation risk should have been more definitive. However, companies answering these questions in real time must pick through numerous cyber incidents and litigation filings to decide which demand disclosure.

In August, the SEC proposed modernizing risk-factor disclosures with the stated intention of improving information available to investors and simplifying compliance for registrants. If finalized as proposed, the disclosure threshold would change from “most significant” to “material” factors. It is far from certain, though, that the new standard would offer brighter lines to filers assessing whether and how to describe unclear scenarios.

Murky Materiality

The Facebook case is an example of how a materiality analysis can be viewed in one way by the company in real time and another way by a regulator in hindsight. For example, the SEC took issue with a disclosure that read, “our users’ data may be improperly accessed, used or disclosed” (emphasis added). The disclosure continued in the same form even after the company became aware that such a breach had in fact occurred. According to the co-director of the SEC’s enforcement division, that meant the company had “presented the risk of misuse of user data as hypothetical when they knew user data had in fact been misused.” Although the SEC repeatedly emphasized materiality in its announcement of the settlement, the staff did not address the specific data breach considerations that should have resulted in a different materiality call. We also do not know the exact materiality considerations that Facebook went through in determining its disclosures.

Determining whether an “event” is material—and required to be disclosed—typically involves undertaking an analysis under SEC Staff Accounting Bulletin No. 99. This 20-year-old standard requires both quantitative and qualitative considerations. Auditors often use five to ten percent of net income as a rule-of-thumb cutoff for a quantitative materiality threshold. However, even that seemingly straightforward accounting practice is packed with many caveats requiring the consideration of numerous inputs that could potentially nullify the initial conclusion. For example, an initially immaterial netted result could become material when reviewed in isolation, whereas similar reliance on a commonplace accounting precedent or on industry practices could inappropriately mask an otherwise material event.

Qualitative analysis is even more complex. To develop risk factors, public companies must assess a list of considerations that is so extensive that it requires its own chapter in the applicable concept note issued by the Financial Accounting Standards Board. Considerations include a mishmash of terminology: estimate imprecisions, masked trends, analyst expectations, misleading impressions, significant segments, contractual requirements, executive compensation, and lawfulness. Even highly experienced accountants, disclosure counsel, and subject-matter experts struggle to apply theoretical generally accepted accounting principles to practical real-world events.

Despite the imprecision in materiality analysis, companies can put themselves in as defensible a position as possible by ensuring the inclusion of subject-matter experts in drafting and reviewing relevant disclosures. Board members, in-house and outside counsel, and consultants well versed in weighing the appropriate considerations must collaborate with subject-matter experts as well, and all participants should be empowered to apply those assessments in an impartial manner.

Probable Probability

The Mylan case is a warning to companies that rely on the uncertainties of litigation and investigation to omit loss disclosures and accruals. In its complaint, the SEC mentioned tolling agreements four times, signaling that in the SEC’s view, entering into a tolling agreement means the company has determined an adverse outcome is no longer just “remote,” but now “reasonably possible and probable.” The SEC’s enforcement division emphasized that it is “critical that public companies accurately disclose material business risks and timely disclose and account for loss contingencies that can materially affect their bottom line.”

Evaluating a loss contingency typically falls under SEC Regulation S-K and its FASB counterpart, Accounting Standards Codification 450 (with roots in FAS 5). This guidance requires that an estimated loss from a contingency be recognized if a liability has been incurred as of the date of the financial statements and the amount can be reasonably estimated. Further complicating matters, companies may still need to disclose loss contingencies that do not meet the recognition criteria.

Public companies often associate this standard with “significant litigation” disclosure obligations. In reality, though, the standard applies more broadly to any loss contingency, including asset impairment, product injury, property damage, asset expropriation, and assessments. A separate test under the same standard applies to less common gain contingencies as well.

Companies then face the daunting task of categorizing pending legal matters, whether litigation or investigations, as remote, reasonably possible, or probable. The harsh reality is that depending on the stage of litigation, none of the descriptions may be completely appropriate. Even during negotiations, the initial gap between settlement offers can range in the tens of millions of dollars, leaving a significant possibility that the matter continues to trial without settling at all. Forcing a disclosure that puts a dollar figure on a specific matter in advance of a settlement also puts the company in a weak negotiating position. In addition, during a government investigation, a company often has an extremely limited view of the outcome the enforcement attorney is seeking, whether it be a settlement, a penalty, or a fine.

To Be Continued . . .

A further word of caution: Disclosure analyses do not end upon arriving at a final materiality or liability disclosure determination. If such evaluations affirm a material risk or reasonably probable liability, simply disclosing it is not always sufficient—the risk must be remediated. In October 2019, the SEC held an administrative proceeding against Northwestern Biotherapeutics for “internal control weaknesses” related to the supervision of accounting operations. The company had concluded that the weaknesses were material and publicly disclosed them in its risk factors, but the SEC found that the company failed to remediate in a timely manner the weaknesses it repeatedly identified in its risk factors.

The SEC’s latest move toward principles-based disclosure notwithstanding, the actual enforcement message to SEC filers on materiality, liability disclosures, and accruals is a fairly ominous one.

Thomas A. Sporkin

Partner, Buckley LLP

As a former senior Securities and Exchange Commission enforcement official, Tom Sporkin brings unique experience and insights to the individuals and businesses he represents in matters before the SEC and other financial regulators.

Meredith Leeson

Associate, Buckley LLP

Meredith Leeson is an Associate in the Washington, D.C., office of Buckley LLP. Ms. Leeson has represented numerous corporations and C-suite individuals in a wide range of enforcement, regulation, and litigation matters involving the Department of Justice, the Securities and Exchange Commission, the Consumer Financial Protection Bureau, the Financial Crimes Enforcement Network, the Federal Deposit Insurance Corporation, state attorneys general, and others regarding alleged Foreign Corrupt Practices Act, False Claims Act, Dodd-Frank, Sarbanes–Oxley Act, and Securities Exchange Act violations.