The concept of materiality in securities law has always been intentionally vague. Information that some nebulous “reasonable investor” would consider important leaves ample room for interpretation. Nevertheless, as the Securities and Exchange Commission’s Acting Chief Accountant Paul Munter articulated in a statement earlier this year, the SEC still expects corporations to engage in an “objective” assessment to determine whether they should disclose a certain piece of information.
Occasionally, the courts and the SEC do offer some guidance to help issuers decide what qualifies as material. We’ve seen two recent examples.
The U.S. Court of Appeals for the Second Circuit recently weighed in on the obligations of companies to disclose SEC investigations to the public. In Noto v. 22nd Century Group Inc., the Second Circuit ruled on a complaint against 22nd Century Group and some of its executives for not disclosing it was being investigated for its internal control over financial reporting. The New York-based company, which bioengineers tobacco and cannabis plants, had previously reported the accounting weaknesses that led to the investigation. The company also disclosed when its remediation efforts to correct the weaknesses wrapped up. But it failed to mention that the SEC was investigating those financial control weaknesses.
A lower court dismissed the complaint, arguing the defendants in the case faced no duty to disclose the investigation. The Second Circuit reversed the decision in an opinion that notably pointed to the fact that 22nd Century disclosed its own conclusion about its financial control weaknesses: “Here, the fact of the SEC investigation would directly bear on the reasonable investor’s assessment of the severity of the reported accounting weaknesses.” As such, the Second Circuit declared the company’s statements on the weaknesses of its internal control “were not accurate and complete.”
So make a note, compliance professionals: An SEC investigation into an issue you’ve disclosed probably qualifies as material. And as lawyers from McDermott Will & Emery noted in an analysis of the ruling, governmental investigations seem likely to ramp up in the near future.
In March, we told you about the SEC’s proposed rules for cybersecurity disclosure, which Chair Gary Gensler says are designed to present important information in standard ways for financial-statement users. The question of materiality in the cyber arena appears to be giving some practitioners heartburn. A comment letter provided to the SEC by Hunton Andrews Kurth, for example, asks that the commission change how the rules would define a material cybersecurity breach to those that have “actual adverse impacts” on a company’s data or networks, rather than incidents that merely “jeopardize the confidentiality, integrity, or availability” of data or systems.
A related question: Has the SEC set overly aggressive timelines for companies to disclose material data breaches? To provide the public with “current” incident reporting, the commission proposed registrants disclose information about such cases within four business days of a materiality determination. In a memo on the proposed rules, lawyers at Vinson & Elkins LLP pointed out that companies will have to provide an assessment of an incident – accounting for factors such as if and how data was compromised, when the incident occurred, and remediation processes – in a tight time window. They indicated that may force companies to use time in the immediate aftermath of such an event preparing disclosures in lieu of investigating and addressing the incident.
It seems like a fair concern, given the potential threats posed by cybersecurity breaches. However, it shouldn’t be asking too much of companies to have proper systems and protocols in place ahead of time to diagnose and explain those problems to the investing public.