The SEC’s Division of Enforcement has increasingly put the spotlight on disclosure controls—the processes that public companies use to collect information for disclosures in their public filings. The agency recently charged video game maker Activision Blizzard Inc. with a failure to maintain disclosure controls, a charge that came in the aftermath of a public controversy concerning widespread allegations of workplace misconduct at the company. The charging decision has been subject to criticism—including from one of the SEC’s own Commissioners—because the SEC did not allege that the content of the company’s disclosure had been deficient in any respect. A review of Activision Blizzard and earlier cases in which the SEC has pursued disclosure controls-based enforcement actions provides valuable lessons for public companies in evaluating and improving the quality of their own disclosure controls.
In addition to the above charge, the SEC also found that Activision Blizzard contravened whistleblower protection rules by requiring that former employees notify the company of any requests from an administrative agency in connection with a report or complaint and thus impermissibly discouraged individuals from reporting securities laws violations to the SEC.
The need for robust disclosure controls is neither remarkable nor particularly new. Public companies are obligated to report material information—profits (and losses) they make, risks they face, properties they own, legal proceedings they are engaged in, and so forth—when required by applicable SEC rules, and such rules are constantly evolving in response to market conditions and developments, as seen by the SEC’s pending proposals for expanded disclosures on cybersecurity and climate matters. In order to meet these disclosure obligations, public companies must have in place a mechanism for collecting relevant information. And for the last 20 years, public companies have been expressly obligated to maintain disclosure controls under Exchange Act Rule 13a-15, adopted in the wake of the Enron and WorldCom accounting scandals.
What is new, however, is the SEC’s apparently growing appetite to assert that a public company has deficient disclosure controls without also alleging a contemporaneous, underlying violation relating to the content of the associated disclosures. The SEC seems poised to sanction companies for allegedly lacking adequate disclosure controls on issues it prioritizes, such as workplace misconduct or cybersecurity, even when the alleged control failure does not in fact result in inaccurate or misleading disclosures.
In Activision Blizzard, the SEC alleged, among other things, that the company lacked sufficient controls and procedures to collect or analyze employee complaints of workplace misconduct across separate business units, and that this deficiency warranted enforcement action. Specifically, the SEC criticized the company for not including information about employee complaints or reported incidents of workplace misconduct among the information that business unit leaders were required to report to the company’s disclosure committee.
According to the SEC, the company’s management did not have sufficient information about the volume and substance of employee complaints of workplace misconduct to assess the related risks, whether material issues existed that warranted disclosure to investors, or whether the disclosures it made to investors in connection with these risks were sufficient and not misleading.
To explain the relevance of information about workplace misconduct to the company’s disclosure obligations, the SEC pointed to risk factor statements in the company’s SEC filings about its dependence on its ability to retain qualified personnel in an industry characterized by high employee mobility. The SEC did not, however, allege that Activision Blizzard had in fact made any inaccurate or misleading disclosures about its employee retention.
While certainly noteworthy for its lack of an underlying disclosure content violation, Activision Blizzard is the latest such SEC enforcement action but not the first of its kind. In First American Financial Corporation, the SEC charged a real estate transaction services provider for allegedly failing to maintain controls and procedures designed to ensure that all available, relevant information concerning a cybersecurity vulnerability was analyzed for potential disclosure. There, the SEC found that the company’s senior executives had issued a statement regarding a potential cybersecurity vulnerability—in response to an inquiry from a journalist—while unaware that the company’s information security personnel had identified the vulnerability months earlier and had failed to remediate it in accordance with the company’s policies.
The SEC did not allege that the executives’ statement was in fact inaccurate or misleading. Rather, the order in First American communicated (1) the SEC’s expectation that public companies will keep their management, including CEOs and CFOs, timely updated on information that needs to be considered for potential disclosure as part of their disclosure controls, and (2) that the SEC will take action on this basis alone if it determines that a company has not kept its management sufficiently informed. This expectation seems inspired by Exchange Act Rule 13a-15’s mandate that disclosure controls be designed to ensure that information required to be disclosed is accumulated and communicated to the company’s management, including its CEO and CFO, to allow timely decisions regarding required disclosure.
While the standalone disclosure controls-based violations in Activision Blizzard and First American represent a novel development because of the nature of the information at the heart of the alleged control failures, charges of disclosure controls violations as such, and even certain other aspects of the more recent cases, have precursors in the agency’s track record over the past decade.
The SEC laid the groundwork for exclusively disclosure controls-based enforcement in 2015, when it first started adding violations for alleged disclosure controls failures as secondary charges to actions in which it charged primary disclosure content violations (e.g., misrepresentations on financial reporting, financial and operational trends, executive compensation, perquisites and related party transactions). Around the same time, the SEC also started charging companies in enforcement actions relating to financial reporting violations with secondary violations of the requirement to maintain adequate internal control over financial reporting (ICFR), which is a process designed to provide reasonable assurance regarding the reliability of financial reporting.
In 2019, we saw a precursor to purely disclosure controls-based enforcement when the SEC charged two public companies with failing to maintain ICFR without also charging an underlying primary financial reporting violation. Those cases had unique facts, however, because the companies had reported continuous material weaknesses in their ICFR for at least seven years straight, thus raising questions about their commitment to maintain effective ICFR.
The SEC pointed to a company’s own risk factor disclosures to construct a disclosure controls violation in its August 2021 settled enforcement action in Pearson plc. While the action centered primarily on allegedly deficient disclosures about a 2018 cybersecurity breach, the SEC also included a secondary charge alleging that the company’s processes failed to inform relevant personnel of certain information about the circumstances surrounding the breach. In asserting this secondary controls violation, the SEC emphasized that the company’s own risk factor disclosures had highlighted improper data access as a significant risk. The company’s inclusion of this item as a significant risk factor, the SEC implied, made it incumbent upon the company to design a corresponding disclosure control.
Criticism of the SEC’s enforcement action in Activision Blizzard, which rested on disclosure controls alone (without an underlying disclosure content violation), has been swift and strong. In a dissent, Commissioner Hester Peirce questioned whether workplace misconduct at a public company, while no doubt a serious issue, is appropriately the SEC’s concern. If workplace misconduct must be reported to a public company’s disclosure committee, she reasoned, so too must changes in any number of workplace amenities and workplace requirements, and potentially endless other workplace issues relevant to other risk factors. Commissioner Peirce argued that it cannot be that a company’s disclosure controls must capture all potentially relevant, but ultimately—for purposes of disclosure—unimportant (to investors) information because this would impose a new and significant burden upon companies, and at significant cost, with no justification in the federal securities laws. Practitioners and other commentators have voiced similar concerns.
The SEC’s approach in Activision Blizzard may suggest that the inclusion of any operational risk factor now triggers a corresponding requirement to collect all information that could potentially be relevant to assessing disclosures related to that risk. That was a concern implied by Commissioner Peirce and voiced by some other critics of Activision Blizzard who worried that such an extension of the SEC’s approach could overburden companies. Collecting and reviewing the information and data associated with each operational risk factor would take significant time and effort even though it may not ultimately result in any affirmative disclosure changes.
We do not believe, however, that this is where the SEC intends to take its controls-based enforcement approach. Rather, we expect that the SEC will use this tool, selectively, in matters (1) of broader public interest, or (2) where the SEC sees a specific opportunity to highlight an example of information it believes is getting insufficient attention for disclosure purposes.
The announcement of the Activision Blizzard order came one week after a significant ruling by the Delaware Court of Chancery in shareholder derivative litigation against the Chief People Officer of a public company for allegedly allowing a corporate culture to develop that condoned sexual harassment and misconduct. While the decision has mostly been discussed for its holding that corporate officers—not just directors—have a duty of oversight, it also has potential implications for how companies design the processes that ensure the flow of information to corporate decision-makers. Specifically, the court held that the Chief People Officer’s duty of oversight included “an obligation to make a good faith effort to put in place reasonable information systems so that he obtained the information necessary to do his job and report to the CEO” and not “ignore red flags indicating that the corporation was going to suffer harm.”
Where the SEC will go next with its disclosure controls-based enforcement initiative remains to be seen. Absorbing these lessons will serve public companies well and strengthen their disclosure controls and information flows to key decision-makers—regardless of evolving SEC priorities.