The Securities and Exchange Commission (“SEC”) recently updated and expanded its guidance to public companies on cybersecurity risks and incidents in its "Commission Statement and Guidance on Public Company Cybersecurity Disclosures" (the “2018 Guidance”). The 2018 Guidance represents a broad recognition of the critical role that cybersecurity plays in the health of companies and the stability of markets.
“There is no doubt that the cybersecurity landscape and the risks associated with it continue to evolve,” said a statement released by SEC Chairman Jay Clayton. “Public companies must stay focused on these issues and take all required action to inform investors about material cybersecurity risks and incidents in a timely fashion.”
To support this effort, the SEC has created a cybersecurity website with helpful alerts and bulletins, compliance toolkits, and educational resources. In addition, the SEC has constituted a Cyber Unit charged with targeting a wide range of cyber-related misconduct, such as market manipulation through the spread of false information, hacking, and intrusions and attacks on trading platforms and market infrastructure.
While a private company can be reassured that a member of the Cyber Unit will not show up at its door, the 2018 Guidance offers useful insights about the evolving risks in the digital marketplace, as well as effective controls and procedures to manage these risks—all of which can inform a private company that must navigate similar pitfalls in the modern e-commerce environment. Cybersecurity is, as the SEC’s website states, “a responsibility of every market participant.”
To that end, the following are some key takeaways for private companies from the 2018 Guidance:
- Disclosure is key. It is critical for companies to take appropriate action to inform investors about material cybersecurity risks and incidents in a timely fashion. Indeed, the SEC goes so far as to advise that a company may be obligated to make a disclosure even if it has not been the target of a cyberattack, but is merely subject to material cybersecurity risks.
Throughout the 2018 Guidance, the SEC stresses the importance of disclosure of all of the material facts of material cybersecurity risks and incidents. But, a company may ask, what is “material”?
- With regard to the materiality of facts, public companies follow the guideline of disclosing facts that are required or necessary to make the disclosure and the statements therein not misleading. A company should disclose information if there is “a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available.” Measuring information to be disclosed against these standards will help a company avoid making a selective or partial disclosure.
- With regard to the materiality of cybersecurity risks and incidents, a company should generally weigh the nature, extent and potential magnitude of the risk or incident—particularly as they relate to the compromised information or the business and scope of company operations. The range of harm—including harm to the company’s reputation, financial performance, and customer and vendor relationships—as well as the possibility of litigation or regulatory investigations or actions—is also an important indicator of materiality.
- Bearing this in mind, a company might feel obligated to issue a tell-all statement to be sure to give a full disclosure. However, the 2018 Guidance clarifies that companies are not required to issue a “road-map” disclosure that might compromise cybersecurity efforts. Even so, while a company is not required to disclose so much information that it makes itself more vulnerable to a cyberattack, a company must be sure to disclose the risks and incidents that are material to investors, including the concomitant financial, legal or reputational consequences.
- Policies and procedures are must-haves. Disclosure controls and procedures are crucial to a company’s ability to discern the impact of cybersecurity risks and incidents, and to take appropriate action in a timely fashion.
- Effective controls and procedures should enable a company to identify cybersecurity risks and incidents, assess and analyze their impact and significance, provide for open communication with technical experts, and allow for timely disclosures. These procedures should include a protocol to determine the potential materiality of such risks and incidents.
- Companies should assess their compliance with these policies regularly, as well as assess whether they have sufficient disclosure controls and procedures to ensure that relevant information makes its way to appropriate personnel, including senior management.
- Management must be involved. A company’s directors, officers, and others responsible for developing and overseeing the controls and procedures must be informed about actual and potential cybersecurity risks and incidents in order to effectively develop and institute disclosure controls and procedures. Management has to remain informed of and engaged in cybersecurity efforts.
Ultimate responsibility, however, does not fall solely on management. The 2018 Guidance states that a company’s governing body (such as a board of directors) is also responsible for overseeing management of cybersecurity risk and engaging with management on cybersecurity issues.
- Companies must protect against cybersecurity-based insider trading. Knowledge regarding a significant cybersecurity incident may constitute material nonpublic information. Companies need to have policies and procedures in place to guard against insiders taking advantage of the period between discovery of a cybersecurity incident and disclosure to other investors.
Companies should consider how their code of ethics or conflict of interest policies take into account and prevent transfers of company securities on the basis of material nonpublic information related to cybersecurity risks and incidents. Furthermore, companies should specifically consider whether it would be appropriate to restrict transfers during an ongoing investigation of a cybersecurity incident.
Effective cyber governance is becoming an essential component of a well-managed business. While the 2018 Guidance from the SEC is aimed at public companies, it is also a useful tool for private companies to assess their cybersecurity protections and protocols to ensure that they are taking every reasonable step possible to adequately guard against, yet be prepared for, cybersecurity risks and incidents. After all, public and private companies face many of the same challenges when it comes to adapting to the evolving risks of an increasingly digital world. Private companies would do well to take note of the standards set for their public peers as they forge their own paths forward, grow the size and complexity of their businesses, and look for useful resources on how to deal with information security issues in the digital age.
A recent decision from Delaware’s Court of Chancery (the “Court”) makes clear that parties entering into an operating agreement for a noncorporate entity have wide discretion when structuring the rights of controlling and minority investors. It is possible for parties to waive fiduciary duties they might otherwise be owed, or to empower boards to engage in conflicted or self-interested transactions, and rarely will the implied covenant of good faith and fair dealing be available to a party seeking relief from onerous or unfair terms to which it expressly agreed. This freedom when contracting underpins the attractiveness of limited liability companies and limited partnerships; however, investors need to be mindful of potential outcomes permitted by a target entity’s governing documents in order to avoid a bad deal. The Court will not save them.
In Miller v. HCP, decided by the Court on February 1, 2018, a minority investor in a limited liability company challenged its board’s decision to sell the company without an auction process. The majority of the board was allied with a controlling shareholder entitled to the bulk of the modest sale proceeds due to the particulars of the entity’s operating agreement, whereas the minority investor who filed suit would receive very little compensation unless the company was sold at a much higher price. The board had little incentive to seek bids beyond what would satisfy the controlling shareholder and in fact did not pursue a fulsome auction process despite indications that other bidders might have been willing to pay significantly more for the company. The minority investor raised objections during the sale process and later claimed that the board breached its implied covenant of good faith and fair dealing by failing to try to maximize the sale price.
Significantly, under the terms of the operating agreement, the parties waived all fiduciary duties and granted the board sole discretion in pursuing a sale with an unaffiliated third party. The Court reasoned that the implied covenant of good faith and fair dealing—which is available to address contractual gaps the parties did not anticipate when negotiating the operating agreement—could not be invoked by the minority investor given there was not in fact a contractual gap implicated by the sale. Rather, since the operating agreement included an express waiver of fiduciary duty and a grant of authority to the board with respect to a sale process, and set out the slanted waterfall provision in black and white, the minority investor was stuck with the deal.
This unbending contractual overlay on the noncorporate form is in contrast to the world of corporations, where different standards of judicial review apply and boards have fiduciary duties to other investors that may not be waived. While the case remains subject to appeal, minority investors in LLCs or limited partnerships should be cautious since they choose to forgo the statutory and common law protections tied to the corporate form and therefore must live with the operating agreement bearing their signature.
Fraud. It’s something that we hope to never come across in a transaction, but the unfortunate reality is that it occurs from time to time and those involved in corporate transactions would be well-served to have at least a basic understanding of how it will be treated by courts.
A recent case – Teva Pharmaceuticals v. Fernando Espinosa Abdala, et al. (Index No. 655112/2016, (July 31, 2017 N.Y. Sup. Ct.)) – provides some valuable insights in this area. In this case, Teva Pharmaceuticals (“Teva”) acquired a pharmaceutical company (the “Target”) and related intellectual property from two brothers for $2.3 billion, and after the transaction closed, Teva brought a fraud claim against the brothers alleging that: (i) the Target was selling pharmaceutical drugs that had not been approved by the Mexican government and (ii) the brothers had concealed this from Teva.
One of the key issues in this case was whether Teva could use evidence from the due diligence phase of the transaction to support their fraud claim. The sellers argued that this evidence was barred because the purchase agreement contained a non-reliance provision, wherein Teva agreed that it was relying solely on the representations and warranties in the purchase agreement and not on “any materials made available to [Teva], during the course of its Due Diligence Investigation.”
Ultimately, the court sided with the sellers and enforced the non-reliance provision. For some, this may be a surprising result because the alleged fraud goes directly to the very heart of the transaction. A seemingly fundamental expectation of acquiring a pharmaceutical company would be that it is selling its pharmaceutical drugs legally. Moreover, Teva paid a substantial amount for the Target – $2.3 billion. However, the court reasoned that the non-reliance provision in the contract was “specific” and thus, reflected the intent of the parties to be bound by it. It also pointed to the fact that Teva “is a sophisticated entity and performed extensive diligence.”
This case contains a number of valuable lessons and reminders for those involved in corporate transactions – namely:
· To not gloss over non-reliance provisions, which are often viewed as part of the “boilerplate;”
· For sellers, to incorporate references to the diligence process in their non-reliance provisions; and
· For buyers, to undertake a thorough diligence process because as seen in the Teva case, the remedies for any issues that are not discovered in the diligence process may be limited.
Over time, public pension funds have become significantly underfunded. There are a lot of factors that explain this. Some are poor planning by the pensions, such as decreasing investments after periods of strong returns; overly optimistic promises to pensioners; changes in demographics; and stock market fluctuations. As a result, pension funds are now $2 trillion underfunded.
Additionally, typical pension investments, such as safer, low-interest bearing investments, are not providing the returns for pension funds to address their unfunded liabilities. So pension funds are under pressure to provide stronger returns from other asset classes, including private equity.
But investing in PE comes with some downsides. For one, management fees are higher than with other asset classes, which digs into the profitability of the funds. Over the past decade, fees have increased by 30%. There are also ongoing monitoring and strategic costs related to PE investments that are greater than other asset allocations.
These high investment costs have not led to great returns. For example, one study showed that New York City’s biggest pensions would have done better had they invested in a stock index fund rather than PE.
So what are pension funds doing about this?
For starters, many are questioning their PE investments, and asking for justification for the high fees. Pension funds are pressing funds to provide more transparency of their fees and are looking most closely at their most expensive funds.
Some pension funds are also making private equity investments directly, rather than through a separate PE fund. Pensions are looking at co-investment opportunities, which allows for direct investment and often without management fees or with lower overall fees.
Pension funds are decreasing their allocations in private equity as compared with other asset classes. One article notes that pensions have reduced by one-half their allocations in PE in 2017. Pensions are also decreasing the number of funds that they invest in. The New York City pension fund invests in over 200 funds, which is a huge amount. They intend to decrease that to 60 funds.
Pensions like the Illinois State Board of Investment are looking to index funds rather than PE and hedge fund managers. They feel that investment returns are the same over the long term, at a fraction of the cost. And they don’t need to monitor the performance of individual investment managers.
Most notable for PE funds, in some cases, pensions are trying to bring as much work in-house as possible. This may be impractical for most funds, given the cost and difficulty to obtain the talent needed to carry out complex investment strategies. Pensions are trying to reduce their reliance on pension consultant firms, which larger pensions pay tens of millions of dollars per year, and are hiring their own consultants at lower rates than what they pay outside firms. Particularly large funds have also considered buying a PE firm or creating a separate entity that would make its own investments.
As a result of recent challenges and competition among PE fund managers, commentators have opined that pension funds will likely continue to seek more favorable fees and reevaluate their PE investments. This may mean that PE funds will face more difficulty raising capital, and will have less cash to carry out investments. However, despite these changes, commentators think it is unlikely that public pension plans will exit private funds as an asset class in the near future, given the ability of PE to historically outpace returns of other investment classes and the need to cure unfunded liabilities.
There have been two recent changes to cybersecurity laws in the European Union, specifically relating to the use of personal data of E.U. residents, which are further summarized below. M&A professionals will need to keep these two laws in mind when (a) a target company uses the personal data of E.U. residents in its ordinary course of business or (b) a U.S. acquirer needs to access the personal data of E.U. residents during the due diligence process.
First, the Privacy Shield Data Transfer Pact (the “Privacy Shield”) was approved by the E.U. member states on July 12, 2016 and sets forth how companies established or using equipment in the E.U. can share the personal data of E.U. residents with U.S. companies. The Privacy Shield replaces the invalidated Safe Harbor program that was previously relied on by both U.S. and E.U. based companies to legally transfer the personal data of E.U. residents from the E.U. to the U.S. In addition to imposing stronger obligations on U.S. companies to protect the personal data of Europeans and mandating tougher monitoring and enforcement by the U.S. Department of Commerce and the Federal Trade Commission, the Privacy Shield also includes written assurances from the U.S. that any access to the data by law enforcement will be subject to clear limitations to prevent surveillance of European citizens’ data. For more detail on the specific requirements of the Privacy Shield, please see this NP Privacy Partner Blog Post.
One of the ways a U.S. company can be in compliance with the Privacy Shield is to complete a self-certification, which includes name and contact details of the recipient of the personal data, a description of the activities that will be completed with respect to the personal data received from the E.U., and a description of how the U.S. company is in compliance with the Privacy Shield. The U.S. Department of Commerce and the Federal Trade Commission have expressed their commitment to enforce the Privacy Shield and violations of the Privacy Shield can result in penalties of up to $40,000 per violation or $40,000 per day for continuing violations. More information on the enforcement of the Privacy Shield can be found at this website.
Second, the General Data Protection Regulation (the “GDPR”) is the next iteration of E.U. data protection laws and will be effective on May 25, 2018. The GDPR applies to all companies based in the E.U. as well as any foreign companies processing the personal data of E.U. residents. The GDPR is intended to strengthen and unify data protection for all individuals within the E.U. and requires companies to completely transform the way that they collect, process, securely store, share and securely wipe personal data. The changes that GDPR will implement include requirements for companies to appoint a data protection officer responsible for implementing and monitoring compliance with GDPR. In addition, companies will be required to implement privacy by design, meaning that they must take a proactive approach to ensure that an appropriate standard of data protection is the default position taken when personal data is being processed. GDPR also includes a clear focus on data subjects’ consent to processing and accessing data, as well as a data breach notification obligation to notify the E.U. protection authority of a breach without undue delay and, where feasible, within 72 hours. Companies must also notify the individuals where there is a high risk to the individuals concerned.
In the event GDPR is violated, then the penalties can be significant: for breaches, including security and data breach notification obligations, the penalties can be up to €10,000,000 or 2% of worldwide revenue, whichever is higher; and for more significant breaches, including consent violations and transfer restriction violations, the penalties can be up to €20,000,000 or 4% of worldwide revenue, whichever is higher.
Given the potential penalties for violations of both the Privacy Shield and the GDPR, M&A professionals will want to include in their due diligence of a target company an analysis as to whether the target company is in compliance with both laws. If the due diligence results conclude that the target company is not currently in compliance with the Privacy Shield, or that the target is not in compliance with the GDPR when it takes effect in May 2018, then these issues may require some changes to the purchase agreement, including the exclusion of certain non-compliance liabilities from the transaction, the addition of certain specific indemnities relating to such non-compliance issues, the inclusion of a covenant providing for ongoing safeguards of sensitive information by the target company in between signing and closing, or the addition of a new closing condition requiring the target company to take steps to address non-compliance issues or the implementation of missing IT safeguards.
Carried interest is the contractual right received by a private equity or hedge fund manager representing their share of profits or gains from the fund’s investments, which amount is unrelated to any capital invested by the manager. When properly structured, carried interest is taxed at the lower long term capital gains tax rate of 20% (plus 3.8% investment income tax or “NIIT”) instead of the higher ordinary income tax rate of 39.6% (assuming such manager is taxed in the highest federal income tax bracket, plus 3.8% investment income tax or “NIIT”). President Donald Trump vowed on the campaign trail to eliminate what he characterized as the “carried interest loophole” by changing tax laws so that carried interest would be taxed at the ordinary income tax rate; however, the Trump administration has not given any indication as to how they want to deal with this change through legislation and private equity groups and lobbyists have not been shy about continuing to lobby against any such tax change making it into a final law.
On March 27, 2017, the Wall Street Journal reported that Treasury Secretary Steven Mnuchin signaled that the Trump administration wanted hedge funds taxed more heavily, but was still deciding whether or not higher taxes on carried interest could hurt private equity’s ability to drive jobs and economic growth because higher taxes could disincentivize investments by pensions, state funds and other investors into infrastructure, real estate and energy. This was an early signal that the Trump administration may have been considering handling the taxation of carried interest differently between hedge fund managers and private equity managers.
In addition, on April 26, 2017, the Trump administration released its outline of a tax plan, which was silent on the treatment of any changes to the taxation of carried interest. According to a New York Times article, several tax experts and lawyers have stated that by not mentioning the matter at all, the Trump administration could be signaling that the tax proposal would effectively eliminate the unique taxation of carried interest. However, this does not mean that carried interest necessarily would be taxed at a higher rate because the outline of the tax plan stated that certain “small” pass-through entities, which could include the management entities used by private equity firms and hedge funds, would be subject to a 15% tax rate, which tax rate is lower than the long-term capital gains tax rate of 20%.
However, on April 30, 2017, White House Chief of Staff, Reince Priebus, reiterated in an interview that carried interest could be on the chopping block and warned against analysts taking the view that fund managers would continue to benefit from the loophole. Mr. Priebus reiterated President Trump’s campaign message that he wants to get rid of the loophole. It remains to be seen how the Trump administration’s final tax plan will look as well as how lawmakers will change such proposed tax plan prior to some, all or none of it being enacted into law.
In the event that the taxation relating to carried interest is increased to the ordinary income tax rate, fund managers could find their carried interest taxed as high as 43.4% (current rates) or as low as 25% if Trump follows through and slashes ordinary income tax rates and repeals the so-called Obama Care tax (3.8% NIIT).
As a matter of course, a seller of a business includes a provision in a sale agreement to limit its liability to breaches of specific representations and warranties included in the sale agreement and not for representations made outside of the contract such as management presentations, data room disclosures and projections. The seller’s goal is to eliminate all such extra contractual claims including fraud claims. The buyer, on the other hand, will generally push back that if a seller commits fraud (i.e. intentionally misleads or omits to disclose a material fact) in extra contractual communications, most likely found in projections, the seller should not be able to avoid liability. But how does each accomplish its goals?
Of recent date, the Delaware courts have given guidance on this matter. See IAC Search, LLC v. Conversant LLC; C.A. No. 11774–CB Submitted: September 20, 2016. Decided: November 30, 2016; Anvil Holding Corporation v. Iron Acquisition Company, Inc., C.A. Nos. 7975–VCP, N12C–11–053–DFP [CCLD]. Submitted: April 22, 2013. Decided: May 17, 2013; and TransDigm Inc. v. Alcoa Global Fasteners, Inc., C.A. No. 7135–VCP. Submitted: Feb. 1, 2013. Decided: May 29, 2013.
A seller looking to bar claims based on extra-contractual statements, including fraud claims, should include an affirmative, comprehensive buyer acknowledgement clause with a clear statement that the buyer did not rely on any extra-contractual information, and that no other representations or warranties were made, including with respect to virtual data rooms, due diligence materials, management presentations, etc., unless such information is expressly included in a representation and warranty in the sale agreement. A seller should also include a standard integration clause to complement the buyer acknowledgement clause to properly limit the documents that constitute the parties’ agreement. A buyer must be diligent when negotiating a buyer acknowledgement clause and should confirm the scope of the acknowledgement to prevent the seller from overreaching. Moreover, a buyer should ask for a specific fraud carve out to preserve its right to claims for fraud based on extra-contractual statements and representations.
A buyer and seller each have compelling arguments for their respective positions and the outcome is found in the art of persuasion and negotiation of the sale agreement terms.
President Trump recently issued an Executive Order called “Buy American and Hire American,” requiring certain federal agency heads to suggest reforms to the H-1B visa program including how - and to whom - these visas are awarded. (Additional coverage of this development is available here).
H-1B visas are offered to foreign workers who are coming to the United States temporarily to perform services in a “specialty occupation,” and typically require the applicants to have highly specific knowledge and a specialized degree. The White House has asserted that the H-1B program is harmful to Americans because companies routinely pay H-1B workers below-market rates, which makes it more likely that these visa holders will replace similarly qualified American workers.
Reaction to this Executive Order from the business community – and particularly the tech industry – has been cautious. The tech industry, which is the most reliant on the H-1B program, has contended that this order will impede their ability to attract and retain top talent. The industry has asserted that a visa program that favors higher-paid workers will give larger, more established companies an advantage. Silicon Valley leaders have pointed to the large number of employees that are foreign born, arguing that immigration is an economic benefit, not a burden. The industry has also asserted that the H-1B program is essential to their ability to keep foreign high-tech students with unique qualifications in the US after getting their degrees, and that there is a shortage of qualified Americans for these jobs.
Specific implications from this Executive Order remain to be seen, but it is fair to say that those companies that have traditionally benefited from the H-1B program will be paying close attention to the reforms recommended by federal agencies.
Following discussions with a number of boutique investment banks, there appears to be a trend that some engagements relating to sell-side deals at such investment banks are being slowed down or temporarily put on hold as the targets await the outcome of proposed tax law and regulatory changes that have been promised by the Trump administration, which include cutting business regulations, reducing the corporate income tax rate and implementing an import tax or tariff.
The overall economic environment is healthy and macroeconomic indicators are pointing in a positive direction (http://www.focus-economics.com/countries/united-states). This positive information bodes well for the overall M&A environment and most market participants believe this year we will see continued growth in M&A activity in the current economic expansion. That being said, it appears that private company owners are being cautious about entering into a possible sale of their respective companies as they believe the regulatory and tax changes will have positive value indications for their businesses and for their own personal finances (i.e., as an outcome of liquidity events).
The outlook for M&A this year still suggests that parties are interested in pursuing M&A activities this year, but that sellers are adopting a wait and see approach for now, hoping that the promised regulatory and tax changes proposed by the Trump administration will have a near-term effect on the outcomes, including, from a regulatory perspective, potential impacts that would be priced into the target’s value on a forward-looking basis. This outlook, however, is somewhat disconnected from what we are seeing in the public markets, where the anticipated tax changes appear to have been priced into some equity values, as public equities overall have seen a significant run-up post-election, assuming that the Trump administration will have a positive effect on business performance in the future.
On February 2, 2017, Nixon Peabody LLP hosted a Hot Topics in the Middle Market event entitled “2017 Private Equity and M&A Outlook – Trends & Opportunities” at the Casa Del Mar Hotel in Santa Monica. Los Angeles partners Marc Kenny and Matt Grazier (Private Equity & Investment Funds) moderated a lively discussion featuring the following speakers:
· Nino Cordoves, MidCap Financial Services, LLC
· Paul Kacik, Opus Financial Partners
· Vince Lawler, Bernstein Global Wealth Management
· Bill Lemos, Aon Risk Services
· Brad Meadow, SPK Capital
· Pardis Nasseri, Palm Tree Advisors
· Craig Wickwire, RSM US LLP
· Matt Young, CriticalPoint Partners.
Here are some of the key takeaways from the discussion:
· Deal Environment. In general, 2016 remained a “sellers’ market” with various buyers competing for fewer quality assets and such buyers paying top dollar in the process. Panelists noted that the number of funds competing in the lower middle market has increased over the past few years, leading to an increase of potential buyers competing for the same assets. The panel agreed that strategic buyers continue to perform well in this competitive market and were often willing to pay higher multiples relative to private equity buyers.
· Valuations. The general consensus amongst the panelists was that throughout 2016 valuations remained high and that high valuations were likely to continue into 2017. Some panelists, however, thought there was some softening in selective areas, such as retail, especially for retail companies without a robust online presence.
· Trump Administration. The election of President Trump will undoubtedly bring a number of changes. The panelists generally agreed that potential tax changes could have a significant effect on when owners decide to sell. However, the panelists were uncertain on how the election of President Trump will affect deal flow with so many factors at play. The consensus feeling was that of uncertainty regarding tax changes, trade policy and tariffs and the effect on supply chains, so investors need to get comfortable with being uncomfortable.
· 2017 Forecast. The panelists generally agreed that the M&A environment will continue to remain strong in 2017 and that corporate strategics will remain active on the buy-side. There was some disagreement amongst the panelists as to whether funds that specialize in certain industries would have an advantage in securing quality deals over generalist funds in 2017. A couple of panelists also noted that fundless sponsors are gaining traction and continue to be players in the market. Some panelists are bullish on certain verticals for 2017, such as aerospace, defense and healthcare management.