Background
On September 10, 2019, prior to the outbreak of COVID-19, Buyer and Seller entered into a Sale and Purchase Agreement (the “Purchase Agreement”), pursuant to which Buyer agreed to purchase from Seller all of the equity interests in Strategic Hotels & Resorts LLC (the “Company”), a holding company for a portfolio of 15 luxury hotels in the United States. As a result of the Buyer’s need to arrange for debt financing, as well certain issues that were revealed in the course of due diligence, the parties agreed that the closing of the Purchase Agreement transaction would be delayed until the diligence issues could be appropriately addressed and the Buyer could arrange for debt financing.
In mid-February 2020, the Buyer had successfully arranged for financing to close the transaction; however, there continued to be open due diligence issues that prevented the Buyer from obtaining a firm financing commitment and delayed the closing. As the Buyer and the Seller continued to work through the open diligence issues, the COVID-19 pandemic was spreading. As the pandemic continued to spread through the end of February and into March 2020, Buyer’s financing became unavailable due to changes in market conditions. The parties continued to delay the closing to provide additional time to resolve the diligence issues and for financing to become available again to the Buyer. The parties ultimately scheduled for closing to occur on April 17, 2020.
Shortly before the scheduled closing date, on April 2, 2020, the Seller informed the Buyer that the Company had taken certain actions with respect to its business in response to COVID-19, including “temporarily closing two hotels (one ahead of its normal seasonal closing), operating other hotels at reduced staffing and pausing all non-essential capital spending.” The Seller’s notice to the Buyer of these changes included a request for the Buyer’s consent, but simultaneously took the position that it was not required and that it could not be reasonably withheld in any event, in light of the pandemic. The Buyer did not consent, but requested further information regarding the changes, which apparently was never provided.
As the closing date approached, the Buyer refused to consummate the transaction on a number of bases, and the Seller sought specific performance to enforce the Purchase Agreement. The Seller filed an action in the Court of Chancery, which ultimately found for the Buyer, concluding that on the basis of the significant changes the Seller undertook with respect to the Company’s business in response to the pandemic, the Seller breached its covenant to operate the Company in the ordinary course of business, and as a result, the Buyer did not have an obligation to close the transaction and was entitled to terminate the Purchase Agreement.
Analysis
The key provisions in the Purchase Agreement relating to the “ordinary course of business” analysis were as follows:
The “Ordinary Course Covenant” which read in relevant part: “[B]etween the date of this Agreement and the Closing Date, unless the Buyer shall otherwise provide its prior written consent (which consent shall not be unreasonably withheld, conditioned or delayed), the business of the Company and its Subsidiaries shall be conducted only in the ordinary course of business, consistent with past practice in all material respects . . .”; and
The “Covenant Compliance Condition” which made it a condition to the Buyer’s obligation to close the transaction that Seller had “performed in [all] material respects all obligations and agreements and complied in all material respects with all covenants and conditions required by this Agreement to be performed or complied with by it prior to or at the Closing.”
The Court noted that “Delaware courts have interpreted ‘ordinary course’ as ‘[t]he normal and ordinary routine of conducting business.’”
In its appeal, the Seller raised three main arguments with respect to Chancery Court’s finding that it had breached the Ordinary Course Covenant. First, the Seller argued that the changes that were made to the operation of its business were reasonable in light of the ongoing pandemic and were similar to actions being taken by similarly situated companies, and therefore were justifiable and should not be viewed as covenant violations. Second, the Seller argued that because the MAE provision in the Purchase Agreement was intended to shift systemic and market risks from the Seller to the Buyer, it would be inconsistent to interpret the Ordinary Course Covenant in a way that allocates the risk of operating the Company in a worldwide pandemic on the Seller. Third, the Seller argued that obtaining the Buyer’s consent to the changes in its operations was effectively a formality, and that because the actions taken by the Company were reasonable, and because under the terms of the Ordinary Course Covenant, the Buyer was not permitted to unreasonably withhold its consent, the outcome should be the same as if the Seller had obtained the Buyer’s consent. The Court addressed each of the Seller’s arguments in turn.
Reasonable, Justifiable Actions
The Seller’s first argument was that it took reasonable steps consistent with other companies in its industry to preserve the value of its business in light of an unprecedented pandemic. In rejecting this argument, the Court noted two key problems – that neither the changes undertaken by other companies in the industry nor the reasonableness of any actions taken were relevant to an analysis of the Seller’s compliance with the Ordinary Course Covenant.
With respect to the changes undertaken by industry peers, the Court noted that the Ordinary Course Covenant specifically included a reference to “consistent with past practice”, and therefore only the Company’s past practice was relevant to the analysis, and not the practices of other industry participants. The Court went on to note that the Ordinary Course Covenant was absolute – there was no reasonableness qualification to the covenant, and that while other provisions in the Purchase Agreement included qualifications with respect to commercially reasonable efforts, the Ordinary Course Covenant did not. Accordingly, the Court found that the changes made by the Seller to the Company’s business in response to the pandemic were not consistent in all material respects with the prior operation of the Company’s business, and neither the reasonableness of the changes nor industry practice impacted that conclusion.
Inconsistent with MAE
The Seller’s second argument was that an interpretation of the Ordinary Course Covenant that resulted in the Seller taking on systemic or market risk with respect to the business of the Company was inconsistent with the purpose of the MAE clause in the Purchase Agreement. The Seller further argued that for the Court to give proper effect to both the MAE provision and the Ordinary Course Covenant, the Ordinary Course Covenant must be interpreted to permit the Seller to take “reasonable, industry-standard responses to systemic risks allocated to [the Buyer] by the MAE provision.” The Court summarized the Seller’s argument as being “reasonable responses to an event carved out from the MAE provision do not violate the ordinary course covenant.”
The Court rejected this argument, noting that the Ordinary Course Covenant and MAE provision served different purposes in the Purchase Agreement, and that while the MAE provision addressed overall changes in the Company’s value between the signing and closing, the Ordinary Course Covenant addressed the consistent operation of the business. The Court also noted there was no reference to the MAE provision in the Ordinary Course Covenant, which included a different materiality standard – compliance was required in “all material respects.”
The Seller further argued that under the Court’s interpretation, the Seller could be forced to continue to operate its business in a way that destroys value in order to comply with the Ordinary Course Covenant, and that the covenant should not be interpreted to require the Seller to do so. The Court simply noted that there was a consent process built into the Ordinary Course Covenant which the Seller could have used but elected not to.
Consent is a Formality
The Seller’s final argument was that the consent process should be viewed as a formality, and that because the Seller took reasonable actions that would have been unreasonable for the Buyer to object to, there should be no difference as to whether or not the consent was actually granted, and that the Buyer would not have been expected to grant its consent in any event. The Seller argued that it had undertaken the changes to the Company’s business only two weeks prior to sending the notice to the Buyer on April 2, 2020 noted above, and that at that time the Buyer unreasonably refused its consent. The Court did not comment as to whether a two week non-compliance period would have been sufficient to violate the Ordinary Course Covenant, finding instead that the Buyer’s request for additional information was not an unreasonable denial of consent, and the Seller’s failure to provide the additional information made the Buyer’s withholding of consent reasonable.
Observations
The ordinary course covenant in acquisition agreements warrants special consideration in transactions in the infrastructure sector. Companies operating in the sector are often in critical industries that cannot shut down in the face of a pandemic or other similar event, but need to continue to operate, potentially at much greater cost. When drafting or negotiating this provision for transactions in the infrastructure sector, practitioners should take into consideration, among other items, regulatory requirements (as many infrastructure business are highly regulated), timing requirements for consent (to ensure that service is not interrupted), and whether any specific exceptions should be included, such as responses to emergency situations (as is common in agreements in the utility industry). Further to the issues raised in this case, we are seeing sellers include an express exception to the ordinary course covenant for actions taken in a pandemic or similar outbreak.
For sellers, this case highlights that the typical ordinary course covenant imposes a much tighter standard than an MAE standard, and accordingly, sellers should consider the flexibility that they will need to continue to operate their businesses, sometimes for an extended interim period, and ensure that they specifically provide for that in the acquisition agreement. Sellers should also be diligent about complying with agreement requirements regarding seeking consent whenever required.
For buyers, it is important to consider the dynamic between the differing standards of the typical ordinary course covenant and the MAE provision, and that a buyer’s failure to consent to an ordinary course covenant deviation may result in a loss of value at the target business, that may in turn be for the buyer’s account if the loss does not rise to the level of an MAE.
C. Proposed SEC Rule – Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure
Overview
On March 9, 2022, the U.S. Securities and Exchange Commission (the “SEC”) proposed new rules under the Securities Exchange Act of 1934, as amended (the “Exchange Act”) with regard to disclosure regarding cybersecurity risk management, strategy, governance and incident reporting applicable to public companies (“Cybersecurity Proposed Rules”). This action follows prior SEC guidance issued in 2018 with respect to disclosure of cybersecurity matters under existing rules, and provides greater specificity and additional requirements with respect to the timing and content of this disclosure.
The comment period for the Cybersecurity Proposed Rules is open until the later of May 9, 2022 or 30 days after publication in the Federal Register.
Discussion
The Cybersecurity Proposed Rules generally fall into two categories – incident reporting and disclosure of policies, procedures and governance matters.
Incident Reporting
Pursuant to the Cybersecurity Proposed Rules, a company would be required to disclose a material cybersecurity incident as promptly as practicable, and within four business days of, determining that it has experienced a material incident. For this purpose, the determination of whether an incident is “material” would be made based on the same standard as has traditionally been used with respect to SEC reporting – whether there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the “total mix” of information made available.
The SEC provided the following non-exclusive list of incidents that could be reportable, if determined to be material:
- An unauthorized incident that has compromised the confidentiality, integrity or availability of an information asset (data, system or network);
- An unauthorized incident that violated the company’s security policies or procedures;
- An unauthorized incident that caused degradation, interruption, loss of control, damage to, or loss of operational technology systems;
- An incident in which an unauthorized party accessed, or a party exceeded authorized access, and altered, or has stolen sensitive business information, personally identifiable information, intellectual property, or information that has resulted, or may result, in a loss or liability for the company;
- An incident in which a malicious actor has offered to sell or has threatened to disclose sensitive company data; or
- An incident in which a malicious actor has demanded payment to restore company data that was stolen or altered.
Note that an incident may involve an accidental disclosure as well as a deliberate attack.
The release highlights that companies would not be entitled to delay reporting in order to complete an internal or external investigation, including under circumstances where state law would permit delayed disclosure or law enforcement has requested a delay in disclosure. The release notes that, on balance, the SEC believes the importance of prompt disclosure to investors outweighs other considerations.
In addition to the initial reporting on a material incident, the Cybersecurity Proposed Rules would require (i) updated disclosure for any material changes, additions or updates to material incidents that were previously reported and (ii) disclosure of cybersecurity incidents that are not material individually, but have become material in the aggregate.
Policies, Procedures and Governance Matters
In addition to material incident reporting, companies would also be required to provide detailed disclosure on their cybersecurity policies and procedures, including whether they: (i) have a cybersecurity risk assessment program, and if so, provide a description; (ii) engage consultants or advisors with respect to any cybersecurity risk assessment program; (iii) have policies and procedures in place to oversee and identify cybersecurity risks in connection with the use of third-party service providers; (iv) undertake activities to prevent, detect and minimize the effects of cybersecurity incidents; (v) have business continuity, contingency and recovery plans in place; and (vi) have had prior incidents that have led to changes in their governance, policies, procedures or technologies. Companies would also be required to disclose whether cybersecurity related risks and incidents have affected or are reasonably likely to affect their results of operations or financial condition, and if so, how, and whether cybersecurity risks are considered as part of their business strategy, financial planning and capital allocation, and if so, how.
With respect to governance matters, companies would be required to disclose whether the entire board of directors, a committee of the board, or certain directors are responsible for the oversight of cybersecurity risks, the process by which cybersecurity risks are raised to the board, and the frequency with which they are discussed, and whether the board considers cybersecurity risks as part of the company’s business strategy, risk management and financial oversight. In addition, companies would be required to disclose similar information with regarding to management committees and individual officers with regard to the same types of cybersecurity risk matters.
Finally, the Cybersecurity Proposed Rules would also require disclosure as to whether any of the company’s directors has cybersecurity expertise, and if so, the company would be required to name the directors with that expertise, and describe the directors’ expertise, including with respect to prior work experience, certifications, as well as knowledge, skills and other background in cybersecurity.
Observations
The Cybersecurity Proposed Rules will certainly enhance the content and detail of disclosure regarding cybersecurity risks. Given the critical nature of the infrastructure operated by many companies in the infrastructure sector, cybersecurity risks are often of heightened sensitivity, and therefore the disclosure requirements may be more significant as a practical matter than is the case in other sectors. While there still may be significant changes prior to the adoption of final rules, if any, the Cybersecurity Proposed Rules we offer some points for consideration:
- Companies would need to consider the level of detail to include in their incident reporting, to strike a balance between providing investors with sufficient information to understand the incident, and minimizing any adverse effects on any ongoing investigation, and future exposure;
- Companies would need to ensure that they have disclosure controls and procedures in place to capture the broad range of cybersecurity incidents potentially implicated by the rules;
- The rules would not permit delayed reporting while an investigation is underway; companies will need to be thoughtful about at what point in the investigative process are they able to determine that the incident is “material”; and
- While styled as disclosure obligations, the rules with respect to cybersecurity policies, procedures and governance may effectively become a requirement for companies to adopt the types of policies, procedures and governance measures referenced in the rules, to ensure that they don’t appear deficient as compared to their peers.
D. Proposed SEC Rule – The Enhancement and Standardization Of Climate-Related Disclosures for Investors
Overview
On March 21, 2022, the SEC proposed new rules under the Securities Act of 1933 and the Exchange Act with regard to disclosure regarding climate related information applicable to public companies (“Climate Proposed Rules”). This action follows prior SEC guidance issued in 2010 with respect to disclosure of the impacts of climate change under the SEC’s existing rules, and provides substantially greater specificity and additional requirements, both quantitative and qualitative, with respect to this disclosure.
The comment period for the Climate Proposed Rules is open until the later of May 20, 2022 or 30 days after publication in the Federal Register.
Discussion
The Climate Proposed Rules are voluminous and detailed, and this report sets forth a summary highlighting key aspects of the rules. Further analysis will undoubtedly yield additional key considerations for public companies that would be subject to the rules.
Disclosure of GHG Emissions
Central to the Climate Proposed Rules is a requirement that companies disclose greenhouse gas (“GHG”) emissions related to their operations. The rules separate these into three categories:
- “Scope 1” emissions – direct GHG emissions from sources owned or controlled by a company;
- “Scope 2” emissions – GHG emissions primarily resulting from the generation of electricity purchased and consumed by the company; and
- “Scope 3” emissions – all indirect GHG emissions (from sources not owned or controlled by the company) that are a consequence of a company’s activities that are not Scope 2 emissions, including emissions from upstream and downstream activities and the use of a company’s products by third parties.
The SEC notes that these emissions categories are informed by existing voluntary disclosure regimes, including in large part the GHG Protocol.
General Content of Climate Related Disclosure
The Climate Proposed Rules would require disclosure by companies with respect to:
- The oversight and governance of climate-related risks by the company’s board and management;
- Whether any climate-related risks identified by the company have had or are likely to have a material impact on its business or financial statements over the short, medium or long term;
- The impact or likely impact of any climate-related risks on the company’s strategy, business model and outlook;
- The company’s processes for identifying, assessing and managing climate-related risks, and whether those processes are integrated with the company’s overall risk management system;
- The impact of climate-related events and transition activities on the line items of the company’s financial statements and expenditures;
- Separate disclosure of Scope 1 and Scope 2 GHG emissions and intensity;
- Scope 3 GHG emissions and intensity, if material, or if the company has set climate related targets or goals that include Scope 3 emissions; and
- The company’s climate-related targets or goals, and transition plan, if any.
Presentation of Disclosure
As indicated above, the Climate Proposed Rules would require both quantitative financial statement disclosure as well as qualitative disclosure in a company’s reports under the Exchange Act, as amended. The rules would require disclosure in a separate footnote to the company’s audited financial statements, as well as separately captioned disclosure in the company’s annual report on Form 10-K. It should be noted that the rules would require that this information be “filed” rather than “furnished”, meaning that they would be subject to potential securities law liability under Section 18 of the Exchange Act, and Section 11 of the Securities Act of 1933, as amended, if included in a registration thereunder.
Attestation
The Climate Proposed Rules would require certain public companies (accelerated filers and large accelerated filers) to include in the applicable report an attestation report from a third party provider that covers, at a minimum, the disclosure of its Scope 1 and Scope 2 emissions. As described below, the attestation requirements would phase in over time.
Phase-In
Given the substantial new disclosure requirements that would be required by the Climate Proposed Rules, the SEC has proposed a phase-in of the rule requirements, as follows:
GHG Disclosure Phase-In
