The SEC Adopts Significant Cybersecurity Amendments to Regulation S-P
On May 16, 2024, the SEC adopted amendments to Regulation S-P one year after its proposed amendments (the “Proposed Amendments”). The finalized amendments (“Amended Regulation S-P”) largely track the Proposed Amendments and include significant requirements related to (1) incident response programs, (2) 30-day customer notifications of data breaches, (3) service provider oversight, (4) the scope of the Safeguards and Disposal Rules (defined below), (5) recordkeeping and (6) an exception to the annual privacy notice requirement.
Since its initial adoption in 2000, Reg S-P has required broker-dealers, investment companies and registered investment advisers (“Covered Institutions”) to adopt written policies and procedures to safeguard customer records and information (the “Safeguards Rule”) and to properly dispose of consumer report information (the “Disposal Rule”). Amended Regulation S-P represents a substantial expansion of the protections available to the customers of institutional securities market participants under the federal securities laws and establishes a new federal minimum standard for data breach notification at such firms.
Specifically, Amended Regulation S-P, among other things, requires Covered Institutions to develop, implement, maintain and adopt written policies and procedures for incident response programs to address unauthorized access to, or use of, customer information. Amended Regulation S-P also requires that the response program include procedures for, with certain limited exceptions, Covered Institutions to provide notice to individuals whose sensitive customer information was or is reasonably likely to have been accessed or used without authorization. In addition, Regulation S-P extends requirements to safeguard customer records, broadens the scope of information covered by the requirements for safeguarding customer records and imposes requirements to maintain written records documenting compliance.
Amended Regulation S-P requires a Covered Institution to provide notice to customers as soon as practicable, but not later than 30 days, after becoming aware that an incident involving unauthorized access to, or use of, customer information has occurred or is reasonably likely to have occurred. The notice must include details about the incident, what data was breached and how affected individuals can protect their information. Larger entities will have 18 months after the new amendments are published in the Federal Register to comply, and smaller entities will have 24 months.
For more information, see Debevoise In Depth.
Chancellor Laster Allows Claims Against Target Directors, Special Committee, Controlling Sponsor and Bankers in Merger with TRA Termination Payment
On May 31, 2024, Vice Chancellor Laster of the Delaware Court of Chancery declined to dismiss fiduciary duty claims against the directors, special committee and controlling stockholder of Foundation Building Materials, Inc. (“Foundation”) arising from its 2020 sale to American Securities (the “Transaction”) (Firefighters’ Pension System of the City of Kansas City, Missouri Trust v. Foundation Building Materials, Inc. et al., C.A. No. 2022-0466-JTL (May 31, 2024)).
In 2017, a private equity fund (“Lone Star”) took Foundation public and retained control of Foundation at both the stockholder and board levels. At the time of the IPO, Lone Star entered into a tax receivable agreement (“TRA”), which would trigger a $75 million early termination payment to Lone Star (the “Termination Payment”) at the time of a future sale of Foundation. Soon after the IPO, due to tax code changes, Lone Star explored selling Foundation. A special committee (the “Special Committee”) was created, comprised of three members of the board who were unaffiliated with Lone Star, to oversee the potential sale of Foundation, which resulted in the completion of the Transaction and the triggering of the Termination Payment. After the completion of the Transaction, a Foundation stockholder brought claims alleging, among other things, that Lone Star and Foundation’s directors breached their fiduciary duties by selling the company to trigger the Termination Payment. The court ultimately dismissed claims against Lone Star and its affiliated board members for following an unreasonable sale process, and for using the Termination Payment to divert merger consideration from unaffiliated stockholders.
However, the court allowed certain claims against, among others, the Foundation financial advisers (“RBC”) and the Special Committee for aiding and abetting fiduciary breaches, including disclosure violations related to the role of the TRA in merger discussions, the bankers’ fee arrangements and RBC’s and legal counsel’s relationships to Lone Star.
For more information, see the Delaware Court of Chancery Opinion.
SEC Moves to T+1 Settlement Cycle
On May 28, 2024, the SEC’s rule amendments went into effect to shorten the standard settlement cycle for most broker-dealer transactions from two business days (“T+2”) after the trade date to one business day (“T+1”). The new rules amend paragraph (a) of Rule 15c6-1 under the Securities and Exchange Act of 1934 to provide that the default for settlement of most securities transactions by broker-dealers is one business day. The amendments prohibit a broker-dealer from effecting or entering into a contract for the purchase or sale of a covered security, absent certain exemptions, that provides for payment of funds and delivery of securities later than T+1 unless otherwise expressly agreed by the parties at the time of the transaction.
Under the newly adopted rules, there are two exceptions to the T+1 default settlement cycle: (i) under Rule 15c6-1(d), parties in firm commitment underwritten offerings can mutually agree, at the time of the transaction, to extend settlement timing beyond the standard T+1 requirement and (ii) under Rule 15c6-1(c), primary market transactions that price after 4:30 p.m. Eastern Time may settle on a T+2 timeframe, even if the parties did not agree to the T+2 settlement at the time of the transaction.
SEC Chair Gary Gensler explained that shortening the settlement cycle will “help the markets because time is money and time is risk” and will “make our market plumbing more resilient, timely, and orderly.”
For more information, see Debrief.
SEC Charges Intercontinental Exchange and Nine Affiliates, Including the New York Stock Exchange, with Failing to Inform the SEC of a Cyber Intrusion
On May 22, 2024, the SEC announced that The Intercontinental Exchange, Inc. (“ICE”) and nine of its wholly-owned subsidiaries (collectively with ICE, the “Respondents”) agreed to pay a $10 million penalty (the “Penalty”) to settle charges that the Respondents failed to timely inform the SEC of a cyber intrusion as required by Regulation Systems Compliance and Integrity (“Regulation SCI”). The Respondents entered into the settlement with the SEC on a without-admitting-or-denying basis.
Regulation SCI was adopted by the SEC in 2014 to strengthen the technology infrastructure of the U.S. securities markets. Regulation SCI applies to, among others, stock and options exchanges, registered clearing agencies, FINRA, alternative trading systems that trade stocks exceeding specified volume thresholds, disseminators of consolidated market data and certain exempt clearing agencies (“Covered Entities”). Under Regulation SCI, Covered Entities must immediately notify the SEC within 24 hours when a Covered Entity has “a reasonable basis to conclude” that it has suffered a cyber intrusion.
In April 2021, a third party informed ICE that ICE was potentially impacted by a system intrusion involving a previously unknown vulnerability in ICE’s virtual private network (“VPN”). ICE investigated and determined that a threat actor had inserted malicious code into a VPN device used to remotely access ICE’s network. However, ICE did not notify its subsidiaries of the intrusion for multiple days, in violation of ICE’s internal cyber incident reporting procedures. As a result, ICE’s wholly-owned subsidiaries did not evaluate the intrusion and satisfy their independent regulatory disclosure obligations under Regulation SCI, which required them to (i) immediately contact the SEC regarding the intrusion and (ii) provide an update to the SEC within 24 hours (subject to certain caveats).
Since ICE and its wholly-owned subsidiaries failed to notify the SEC of the intrusion, the SEC imposed the Penalty. The SEC indicated that the Penalty not only reflected the seriousness of the violations, but also that several of the Respondents have been the subject of prior SEC enforcement actions, including for violations of Regulation SCI.
For more information, see the SEC’s press release.
FCA Developments
The UK Financial Conduct Authority (“FCA”) has recently published Primary Market Bulletin 49 (“PMB 49”), the latest of the periodic newsletters sent by the FCA to primary market participants. In PMB 49, the FCA reported on the results of thematic surveys conducted by the FCA, and reminded issuers of certain continuing obligations under the Listing Rules (“LR”). In particular, PMB 49 addressed:
- Long Term Incentive Plans (“LTIPs”). The FCA reviewed 25 premium listed commercial companies over a three-year period. The FCA found that there was full compliance with the relevant LTIP disclosures by the sampled issuers and that the most commonly used LTIP financial metrics are total shareholder return, return on capital employed and earnings per share.
- Global Depositary Receipts (“GDR”) Issuers. The FCA assessed compliance with the following requirements of GDR issuers:
  - Annual accounts continuing obligations (LR 18.4.3A R) – a small number of GDR issuers (5 out of 52 assessed) did not publish their Annual Report and Accounts on the National Storage Mechanism (“NSM”) and/or via Regulatory Information Service (“RIS”).
  - Corporate governance statements (Disclosure Guidance and Transparency Rule (“DTR”) 7.2) – a small number of GDR issuers (7 out of 26 assessed) did not include compliant corporate governance statements in their annual report.
  - Public disclosure of inside information (Article 17 of The Market Abuse Regulation 2019 (“UK MAR”)) – the FCA found that GDR issuers are more likely to make an announcement of information in local markets, rather than via RIS and filed with the NSM. The FCA noted this is not a breach of Article 17 UK MAR per se, but advised issuers to remain conscious of their obligations under UK MAR.
  - Managers’ transactions (Article 19 UK MAR) – the FCA found that a low number of persons discharging managerial responsibilities (“PDMR”) transactions have been filed (23 out of the 26 GDR issuers assessed had not submitted any PDMR transaction notifications).
- Annual Financial Reporting. The FCA noted instances of (i) annual financial reports being made public via a regulatory announcement, but not filed on the NSM, (ii) announcements of annual financial reports not containing a statement to indicate that the full report is available on the NSM and (iii) announcements of annual financial reports not containing a statement indicating the website on which the report is available. Additionally, the FCA noted low compliance with the disclosure requirements in respect of issuers required to comply with DTR 4.1 to ensure their annual financial reports are prepared in Extensible Hypertext Markup Language (known as XHTML) format. The FCA warned that it currently temporarily suspends the listings of securities where issuers are unable to publish and file their annual financial report by the prescribed timeline.
- International Sustainability Standards Board (“ISSB”) Standards. The FCA noted that the UK Government expects to complete the endorsement of ISSB Standards by the first quarter of 2025. Accordingly, once the endorsement is completed in 2025, the FCA will consult on amending its rules to move from Task Force on Climate-Related Financial Disclosures reporting to the UK-endorsed ISSB disclosure standards. The FCA encouraged issuers to familiarize themselves with the ISSB Standards.
PMB 49 was published on May 22, 2024, and was updated on May 31, 2024 following industry feedback.
SEC Rule-Making Agenda
The SEC’s Fall 2023 Regulatory Agenda was posted in December 2023. A summary of key pending rule changes is included below, along with the SEC’s announced release date. We expect the spring 2024 agenda to be released in June 2024. For more information, see the full regulatory agenda here.
| Title | Stage of Rulemaking | Expected Release Date |
|---|---|---|
| Human Capital Management Disclosure | Proposed Rule Stage | April 2024 |
| Incentive-Based Compensation Arrangements | | |
| Financial Data Transparency Act Joint Rulemaking | | |
| Regulation D and Form D Improvements | | |
| Revisions to the Definition of Securities Held of Record | | |
| Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies | Final Rule Stage | April 2024 |
| Cybersecurity Risk Management Rules for Broker-Dealers, Clearing Agencies, MSBSPs, the MSRB, National Securities Associations, National Securities Exchanges, SBSDRs, SBS Dealers, and Transfer Agents | | |
| Enhanced Disclosures by Certain Investment Advisers and Investment Companies about Environmental, Social, and Governance Investment Practices | | |
| Open-End Fund Liquidity Risk Management Programs and Swing Pricing; Form N-PORT Reporting | | |
| Rule 14a-8 Amendments | | |
| Registration for Index-Linked Annuities; Amendments to Form N-4 for Index-Linked and Variable Annuities | Proposed Rule Stage | June 2024 |
| Corporate Board Diversity | Proposed Rule Stage | October 2024 |
| Rule 144 Holding Period | | |
| Covered Clearing Agency Resiliency and Recovery and Wind-Down Plans | Final Rule Stage | October 2024 |
This publication is for general information purposes only. It is not intended to provide, nor is it to be used as, a substitute for legal advice. In some jurisdictions it may be considered attorney advertising.