Is recent SEC disclosure-controls settlement a blueprint for ESG enforcement?
The recent US$35 million settlement between Activision Blizzard, Inc. (Activision) and the United States Securities and Exchange Commission (SEC) is noteworthy for Canadian reporting issuers, their directors, officers and other stakeholders. It raises novel issues concerning the extent to which the adequacy of a reporting issuer’s internal controls and procedures concerning disclosure will be policed by securities regulators – even in the absence of any finding of materially misleading disclosure. This settlement also raises important implications for issuers about the adequacy of internal controls and procedures that may be required to support ESG-related disclosure.
The SEC Settlement in Activision Blizzard
The SEC alleged that Activision violated the Exchange Act’s disclosure-controls procedures. Under Rule 13a-15(e) of the Exchange Act, issuers are required to maintain disclosure controls and procedures that are “designed to ensure that information required to be disclosed … is accumulated and communicated to the issuer's management ... to allow timely decisions regarding required disclosure.”
Activision, a Fortune 500 producer of popular video games, disclosed in quarterly and annual SEC filings between 2017 and 2021 that a failure to attract, retain and motivate key personnel could materially affect the company’s performance. However, employee complaints of workplace misconduct likely to negatively impact employee engagement or retention were not included among the material provided to Activision’s management or members of the company’s disclosure committee. As a result, the SEC found that:
- Activision lacked controls and procedures “designed to ensure that information related to employee complaints of workplace misconduct would be communicated to Activision Blizzard’s disclosure personnel to allow for timely assessment on its disclosures.”
- Activision’s management “lack[ed] sufficient information to understand the volume and substance of employee complaints of workplace misconduct” and were unable “to assess related risks to the company’s business, whether material issues existed that warranted disclosure to investors, or whether the disclosures it made to investors in connection with these risks were fulsome and accurate.”
Activision settled the complaint without admitting or denying the SEC’s findings. Importantly, there was no finding – or even any specific allegation - that Activision’s disclosures contained a material misrepresentation or were misleading.
The SEC Order was not granted unanimously. Commissioner Hester Peirce issued a strong dissent noting that “[i]f the information that management did not receive were relevant, one would expect that not having it would affect the quality or accuracy of the related disclosure”. Yet, there was no allegation that Activision’s risk disclosure was misleading or incomplete. She also noted:
It is also difficult to see where the logic of this Order stops. When the SEC gets this granular, the limits are not clear. If workplace misconduct must be reported to the disclosure committee, so too must changes in any number of workplace amenities and workplace requirements, and so too must any multitude of factors relevant to other risk factors. The requirement cannot be that a company’s disclosure controls and procedures must capture potentially relevant, but ultimately—for purposes of disclosure—unimportant information. As I read it, in this Order, the SEC once again has sat down at the gaming console to play its new favorite game “Corporate Manager.” Using disclosure controls and procedures as its tool, it seeks to nudge companies to manage themselves according to the metrics the SEC finds interesting at the moment. …
Takeaways for Canadian Reporting Issuers
At a minimum, the Activision settlement is a reminder that regulatory risks exist for issuers that do not have appropriate policies, procedures and controls to track, report and analyze company information that may inform disclosure decisions. These risks could arise even when, as in Activision’s case, there was no material disclosure issue.
If the SEC’s aggressive enforcement position in the Activision matter were adopted by Canadian securities regulators, Staff could require reporting issuers to demonstrate, with reference to their respective disclosure policies, procedures, controls and other relevant documentation, that their management and disclosure committees have sufficient information to assess whether the issuer’s disclosures, including risk disclosures, are materially misleading.
If and to the extent that Staff is not persuaded about the sufficiency of an issuer’s disclosure policies, procedures and controls, enforcement activity could be initiated, either for failure to comply with a requirement of National Instrument 52-109 - Certification of Disclosure of Issuers’ Annual and Interim Filings (“NI 52-109”) or under the regulators’ broad public interest jurisdiction, which does not require any finding of a breach of securities laws.
NI 52-109 has some similarity to Rule 13a-15(e) of the Exchange Act and requires reporting issuers to implement effective internal control over financial reporting and disclosure controls and procedures. NI 52-109 defines disclosure controls as:
…controls and other procedures of an issuer that are designed to provide reasonable assurance that information required to be disclosed by the issuer in its annual filings, interim filings or other reports filed or submitted by it under securities legislation is recorded, processed, summarized and reported within the time periods specified in the securities legislation and include controls and procedures designed to ensure that information required to be disclosed by an issuer in its annual filings, interim filings or other reports filed or submitted under securities legislation is accumulated and communicated to the issuer’s management, including its certifying officers, as appropriate to allow timely decisions regarding required disclosure; [emphasis added]
If a Canadian securities regulator applied the theory underlying the SEC’s Order, then:
- Any number of topics subject to disclosure could be scrutinized in hindsight to determine that the issuer’s management lacked sufficient information when making such disclosures. For example, it might not be enough for issuers to include prospective risk factor disclosures in their periodic disclosures, without also collecting and sharing relevant information with management and disclosure committees to assist them in evaluating the company’s evidence-based vulnerabilities to those risks.
- An issuer’s disclosure controls and procedures could be expected to capture not only information that the issuer is required to disclose, but also (as Commissioner Pierce put it) “an additional, vaguely defined category—information ‘relevant’ to a company’s determination about whether a risk or other issue reaches the threshold where it is ‘required to be disclosed.’” In our experience, this position is inconsistent with the disclosure requirements under Canadian securities laws.
- It could become another tool used by regulators to continue their focus on ESG disclosure and underlying controls and procedures. While the SEC’s theory against Activision focussed on the “Social” component of ESG (human resources and capital disclosure), it could be retrofitted for any other components of ESG, such as statements about carbon neutrality, diversity and inclusion targets or climate change risks.
In any case, issuers should consider whether their existing disclosure policies, procedures and controls appropriately “map” their ESG statements to company information that is available to their management and disclosure committees.
With issuers increasingly making more ESG-related disclosure, even when such disclosure may not be material (or otherwise required) under securities law, they should be aware of an additional risk relating to designing and maintaining appropriate disclosure controls and procedures to support the accuracy of any ESG-related disclosure. Issuers should therefore take steps to cross-reference their controls and internal reporting with risk factor disclosures and consider whether additional data should be collected and considered by the disclosure committee.
 The SEC Order also charged Activision with violating Dodd-Frank Act whistleblower protection rules by having former employees sign separation agreements requiring them to notify the company of disclosure obligations or requests from government agencies.