Notable 2018 Developments in Federal Securities Laws

Joel I. Frank
January 7, 2019

Among the significant changes effectuated in 2018 to Federal Securities laws and regulations are amendments to existing regulations that (i) ease periodic reporting requirements for smaller public companies; (ii) allow public reporting companies to utilize an additional exemption for securities offerings under Regulation A (which was previously available only to private companies); and (iii) expand private companies’ ability to issue stock, options or other securities under compensatory benefit plans. In addition, the Securities and Exchange Commission gave guidance on cyber-related disclosure issues and fraud. This article summarizes these changes and guidance.

Amendments to Smaller Reporting Company Disclosure Requirements

In an effort to provide general regulatory relief for smaller public reporting companies, the U.S. Securities and Exchange Commission (the “SEC”) established the “Smaller Reporting Company” category in 2008. Smaller Reporting Companies, as defined, were allowed to provide certain scaled disclosures under applicable SEC rules for their (i) quarterly and annual reports and (ii) proxy statements. Most notably, a Smaller Reporting Company only had to provide two, instead of three, years of audited financial statements and could omit certain disclosures relating to executive compensation and the CEO pay ratio.

Under the previous definition, a company qualified for Smaller Reporting Company status if (i) its public float (i.e., outstanding shares of stock less shares held by affiliates) was less than $75 million or (ii) it had no public float or no market price for its public equity and less than $50 million in annual revenues.

After first proposing a change to the definition of Smaller Reporting Company in 2016, on June 28, 2018, the SEC amended such definition. As now in effect, a Smaller Reporting Company is a company with (i) a public float of less than $250 million or (ii) annual revenues of less than $100 million and either no public float or a public float of less than $700 million.

The SEC estimates that approximately 1,000 additional companies will become eligible for Smaller Reporting Company status in the first year under the new definition. In addition to reducing filing expenses, Smaller Reporting Company status reduces audit expenses and, for certain companies, could cut audit fees by as much as 50%.

Consistent with the previous definition, once a company determines that it does not qualify as a Smaller Reporting Company under the initial qualification thresholds, it will remain unqualified unless and until it meets one or more lower qualification thresholds, which are set at 80% of the initial qualification thresholds. Under the final rules, a company that did not previously qualify as a Smaller Reporting Company because its public float was $250 million or more would subsequently qualify as a Smaller Reporting Company if its public float dropped below $200 million, regardless of its revenues. In addition, once a company determines that it does not qualify as a Smaller Reporting Company because it has exceeded either or both of the $100 million annual revenue and $700 million public float thresholds, it will remain unqualified until its annual revenue and/or public float, as applicable, is less than 80% of the aforementioned thresholds. By requiring that a company satisfy a separate, lower threshold to re-qualify for Smaller Reporting Company status, the SEC is trying to strike a balance between avoiding situations in which companies frequently enter and exit Smaller Reporting Company status due to small fluctuations and not imposing an undue burden on companies seeking to qualify for Smaller Reporting Company status.

The final rules preserve the application of the current thresholds contained in the “accelerated filer” and “large accelerated filer” definitions. Accordingly, companies with $75 million or more of public float that qualify as a Smaller Reporting Company will remain subject to the requirements that apply to accelerated filers, including the timing of the filing of periodic reports and the requirement that accelerated filers provide the auditor’s attestation of management’s assessment of internal control over financial reporting required by the Sarbanes-Oxley Act. However, SEC Chairman Jay Clayton has directed the SEC staff to make recommendations to the SEC for possible additional changes to the “accelerated filer” definition.

The change to the definition of Smaller Reporting Company is a welcome step in reducing compliance costs for the affected companies while providing appropriate investor protection.

Expansion of Availability of Regulation A

The SEC took a step toward making smaller capital raises by public companies easier by allowing such companies to rely on the Regulation A exemption from registration. Previously, Regulation A was not available to companies that are reporting companies under the Securities Exchange Act of 1934, as amended (the “Exchange Act”).

As amended, Regulation A now provides an exemption from registration for offerings of securities up to $50 million in a 12-month period by reporting companies as well as private companies.

In addition, Regulation A requires certain ongoing reporting obligations for users of such regulation. However, the SEC amendment to Regulation A provides that companies subject to the Exchange Act’s reporting requirements (such as quarterly and annual reports) will be deemed to have met the reporting requirements of Regulation A.

Regulation A allows the sale of equity securities, including warrants, debt securities and debt securities that are convertible into, or exchangeable for, equity securities.

In certain cases, an issuer may submit a draft Regulation A offering for confidential SEC staff review. Also, anytime before the qualification of the offering statement, including the filing of the offering statement with the SEC, a company may engage in oral or written communications with potential investors to determine their interest in the contemplated offering. This is known as “testing the waters.” By soliciting potential investors, businesses can gauge the market interest in their securities before formally commencing the offering.

Allowing reporting companies to use Regulation A is a positive development in giving such companies additional flexibility when seeking to raise capital.

Issuances of Securities Under Compensatory Plans by Private Companies

Rule 701 provides an exemption from the registration requirements of the Securities Act of 1933, as amended (the “Securities Act”) for the issuance of stock, options or other securities by private companies to their employees, directors, consultants and advisors under a compensatory benefit plan. Many private companies rely on Rule 701 to issue stock and options to recruit and retain talent. There are a number of conditions that must be met to rely on Rule 701, including those relating to which entity may issue the securities, who may receive the securities, limits on the aggregate amounts that can be sold during any 12-month period, disclosure requirements and restrictions on resale. A company can sell up to $1 million of securities during any consecutive 12-month period under this exemption, regardless of its size. A company can also sell a larger amount of securities if it satisfies certain formulas based on its assets or the number of its outstanding securities.

Although companies seeking to rely on Rule 701 are required to provide investors with a copy of the compensatory benefit plan or contract under which the stock, options or other equity securities are being granted, Rule 701 had required enhanced disclosures if the aggregate amount of securities sold during any consecutive 12-month period exceeded $5 million. The Economic Growth, Regulatory Relief, and Consumer Protection Act, signed into law in May 2018, requires the SEC to increase this threshold to $10 million and further provides that the $10 million threshold will be indexed to inflation every five years.

A company that sells securities in excess of the threshold is required to provide investors with the following enhanced disclosures “a reasonable period of time before the date of the sale”: (i) if the plan is subject to ERISA, a copy of the summary plan description required by ERISA; (ii) if the plan is not subject to ERISA, a summary of the material terms of the plan; (iii) information about the risks associated with the investment in the securities; and (iv) financial statements as of a date no more than 180 days before the sale of the securities.

Securities issued under the Rule 701 exemption are “restricted securities” under the Securities Act and may not be freely traded unless they are registered or the holder can rely on an exemption under the Securities Act.

Rule 701 is an important part of a private company’s ability to compensate its people and the increased threshold for enhanced disclosure should help companies as they grow. It remains to be seen, however, if the maximum amount of securities that can be issued in any 12-month period will be increased. Given the growth in size of privately-held companies, such an increase could be important to issuers. 


Early in 2018, the SEC issued updated interpretive guidance regarding public companies’ disclosure obligations under the securities laws regarding cybersecurity risk and incidents. The SEC last issued such guidance in 2011. The updated guidance comes at a time when several businesses have suffered from serious cyberattacks.

Highlights of the updated guidance include: (i) stressing the importance of maintaining “comprehensive policies and procedures related to cybersecurity risks and incidents,” in particular as incorporated into a company’s disclosure controls and procedures; (ii) reminding companies and their directors, officers and other corporate insiders of the laws and rules relating to insider trading and selective disclosure; (iii) expanding the existing disclosure guidance to address how the board of directors oversees the management of cybersecurity risk, as well as management’s discussion and analysis of how cybersecurity incidents affected reportable segments; and (iv) discussing the laws, rules, regulations and SEC form requirements that must be taken into consideration when preparing cybersecurity disclosures.

The SEC stated in its release that “…it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.” The SEC went on to state that “[c]rucial to a public company’s ability to make any required disclosure of cybersecurity risks and incidents in the appropriate time frame are disclosure controls and procedures that provide an appropriate method of discerning the impact that [cybersecurity risks and incidents] may have on the company and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents.”

Disclosure controls and procedures, according to the SEC, should provide an “early warning system” to enable companies to determine whether – with respect to any matter, including a cybersecurity matter – they need to file a current report on Form 8-K, make disclosure in any other SEC filing, issue a press release or suspend trading in their stock.

Cybersecurity risks and incidents also have an impact on public companies’ codes of ethics and insider trading policies. Because information about risks and incidents may be material nonpublic information, public companies are encouraged to review their codes of ethics and insider trading policies to take into account and seek to prevent trading on the basis of material nonpublic information regarding cybersecurity risks and incidents. Companies were urged to consider appropriate revisions to their insider trading policies, including procedures regarding trading windows, blackout periods and Rule 10b5-1 trading programs. Finally, the SEC reminded public companies that regulations prohibit companies from selectively disclosing material nonpublic information about cybersecurity risks and incidents to certain persons.

With respect to disclosure issues, the SEC stated that companies “must [disclose] how their board of directors administers its risk oversight function” and in doing so should disclose (i) the company’s cybersecurity risk management program; (ii) the board’s role in overseeing the management of material cybersecurity risks; and (iii) how the board engages with management on cybersecurity issues.

On an ongoing basis, public companies should address cybersecurity risks and incidents in the following components of applicable reports: (i) risk factors; (ii) management’s discussion and analysis of financial condition and results of operations; (iii) business description; (iv) legal proceedings; and (v) financial statement disclosures.

Finally, in an October 2018 release, the SEC highlighted the risks to companies of cyber-related frauds and the need to review procedures and controls to prevent losses.

Public companies are required by the federal securities laws to devise and maintain a system of internal accounting controls. The SEC investigated whether nine companies that lost almost $100 million in cyber-related frauds violated the securities laws by failing to have adequate internal accounting controls. Ultimately, the SEC chose in 2018 not to pursue enforcement actions against these companies. The SEC stated that the fact that an issuer “is the victim of a cyber-related scam” does not necessarily indicate that the issuer is “in violation of the internal accounting controls requirements.” However, the SEC concluded that “issuers subject to the requirements of [the internal controls regulations] must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly.”

Given the heightened risks to businesses, companies should maintain, if not expand, their protections against cyber attacks and, if a public company, be cognizant of and fully comply with applicable disclosure requirements.