Evolving Risks for Officers and Directors of Public Companies

• Publication year: 2024
• Citation: Vol. 2 No. 1

[Page 9]

J. Gregory Deis, Glenn K. Vanzura, Richard M. Rosenfeld, and Andrew J. Spadafora ^*

In this article, the authors examine a recent Securities and Exchange Commission order and a Delaware Chancery case that highlight expanding liability exposure that public companies and their officers and directors may face when they fail to adequately monitor, investigate, and communicate key risk areas or allegations of workplace misconduct.

The recent order (Order) by the Securities and Exchange Commission (SEC) in Activision and the Delaware Chancery Court's recent decision in In re McDonald's Corp. Stockholder Derivative Litigation highlight expanding liability exposure that public companies and their officers and directors may face when they fail to adequately monitor, investigate, and communicate key risk areas or allegations of workplace misconduct. These risks exist even when such issues fall outside the scope of conduct generally understood to implicate the federal securities laws.

This article discusses the Activision and McDonald's cases in turn.

Activision

The SEC's Order

The Activision Order reflects the SEC's expanded view regarding the scope of potential liability for failure to monitor employee misconduct and other compliance risks. ¹ On February 3, 2023, video game developer and publisher Activision Blizzard, Inc. (Activision) agreed to pay a $35 million civil penalty to settle an SEC enforcement action. The action principally targeted Activision's policies, procedures, and controls designed to address employee complaints of workplace misconduct. ²

More specifically, according to the Order, between 2018 and 2021, Activision's Forms 10-K and 10-Q identified as risk factors

[Page 10]

the company's ability to attract, retain, and motivate employees. ³ The SEC alleged that, despite these disclosures, Activision lacked controls and procedures among its separate business units to collect and analyze employee complaints or other information regarding incidents of alleged employee misconduct. ⁴

In the SEC's view, absent such controls and procedures, the company's management and disclosure personnel did not have sufficient information regarding the volume or substance of employee complaints to assess their materiality. ⁵ That failure left the company "without the means to determine whether larger issues existed that needed to be disclosed to investors," according to the SEC's Director of the Denver Regional Office. ⁶ The Order does not clearly articulate the underlying misconduct or information that, in the SEC's view, should have or could have been captured by properly designed controls and procedures. That said, Activision had recently faced investigations by the Equal Employment Opportunity Commission (EEOC) and a California regulator, along with related shareholder class action litigation, concerning allegations of pervasive sexual harassment and pregnancy discrimination at Activision. ⁷

Significantly, the Order does not allege that Activision's disclosures actually contained material misstatements or omissions. Instead, the SEC found only that the company violated Securities Exchange Act Rule 13a-15(a). That rule requires most issuers of securities registered under Section 12 of the Exchange Act to maintain disclosure controls and procedures to channel information that must be disclosed to the issuer's management. ⁸ Thus, the SEC predicated liability on insufficient controls to determine whether additional disclosures were required, rather than disclosures that were, in fact, false or misleading. By extension, the SEC's liability theory was predicated on potential harm to shareholders, but with no allegation of any actual harm given the absence of any false or misleading disclosure.

Activision therefore suggests companies may face an increased risk of liability on two fronts—assuming courts agree with the SEC's expansive view of Rule 13a-15(a).

First, Activision reflects the SEC's view that Rule 13a-15(a) violations do not require a materially misleading disclosure. In the SEC's view, an absence of controls around certain risk factors—which may prevent companies from assessing whether a material risk exists—is sufficient to violate the rule.

[Page 11]

Second, the SEC's interpretation of Rule 13a-15(a) suggests that the required disclosure controls and procedures must not only accumulate and communicate "information required to be disclosed" ⁹ but also "information that is relevant to an assessment of the need to disclose developments and risks that pertain to the issuer's business." ¹⁰

Commissioner Hester Peirce dissented from the Order, citing its failure to allege a misleading disclosure or omission. She also noted the broad implications of the SEC's interpretation of Rule 13a-15(a). Peirce further observed the tension between the allegation that management was denied access to relevant information and the absence of any claim that Activision's risk disclosure was misleading. "If the information that management did not receive were relevant, one would expect that not having it would affect the quality or accuracy of the related disclosure," she wrote. ¹¹ But the SEC Order made no such allegation.

Peirce's dissent highlights the challenge that the SEC's broad interpretation of Rule 13a-15(a) presents for issuers who must draw a line between relevant and irrelevant information for purposes of designing and implementing a company's disclosure controls. "If workplace misconduct must be reported to the disclosure committee, so too must changes in any number of workplace amenities and workplace requirements, and so too must any multitude of factors relevant to other risk factors" Peirce wrote. ¹² As a result, she argued, it is "difficult to see where the logic of this Order stops."

Activision Lessons

The SEC's Activision Order suggests that disclosures intended to identify corporate risks—which could serve as a prophylactic to certain types of securities claims based on a failure to disclose—could actually heighten an issuer's obligation to monitor or investigate potentially relevant misconduct. Activision could portend a substantial increase in the scale of companies' internal audit and compliance functions. After all, risk disclosures relating to the ability to attract, retain, and motivate employees, like Activision's, are commonplace, and the Order's logic could be applied to other types of standard disclosures. On the other hand, unless its expansive implications are cabined, the Order could have an unintended chilling effect on corporate risk disclosures, incentivizing companies

[Page 12]

to reduce their number in order to limit the corresponding obligation to investigate and collect information potentially related to the identified risks. In that way, the SEC's Order...