The Securities and Exchange Commission doesn’t regulate everything a public company does.
Or does it?
SEC practitioners are grappling with that question in the wake of the agency’s recent $35 million settlement with video game developer Activision Blizzard, where the SEC leveraged an inconspicuous internal controls rule to sanction alleged corporate conduct that had no evident impact on the company’s public reporting.
Despite the hefty civil penalty, the Activision settlement does not entail allegations of fraud or deceit, or that Activision misstated or omitted anything at all. There are also no allegations that investors were harmed or put at risk.
So what does the SEC allege Activision did to merit a $35 million penalty? On the surface, the SEC’s case is premised on the company’s alleged failure to maintain appropriate disclosure controls and procedures (or “DCP” in SEC parlance) and its alleged use of employment separation agreements that, in the SEC’s view, “undermine[d]” the purpose of the SEC’s whistleblower protection rules. But neither of these alleged violations seems to support the SEC’s sizable penalty, which far outstrips the low- to mid-six-digit penalties the SEC has obtained in previous standalone DCP cases. And while some part of the penalty amount likely relates to Activision’s alleged whistleblower-protection failures, recent precedent suggests that this too accounted for only a small fraction of the total. The SEC’s case against The Brinks Company last summer, for instance, involved very similar contractual terms and time periods as Activision but garnered only a $400,000 civil penalty.
Instead, it appears that the penalty was driven by the SEC’s concerns about sexual harassment and other “workplace misconduct” that allegedly occurred at Activision. If so, this signals an expansion of the agency’s intent to police public company conduct even in the absence of deceptive disclosures or investor harm. Equally important, it is a call to action for public companies to review, update and document their DCP, especially over environmental and social topics in which the SEC has expressed interest.
The Disclosure Controls Rule
The disclosure controls rule is housed under Rule 13a-15(a) of the Securities Exchange Act of 1934 and was part of the Sarbanes-Oxley Act rulemaking intended to strengthen public company internal controls. In sum, the rule requires public companies to implement controls and other procedures designed to ensure that information that is required to be disclosed in SEC filings is timely recorded, processed, summarized and reported, and that such information is accumulated and communicated to management to allow timely decisions about required disclosures.
The SEC’s Allegations Against Activision
On Feb. 3, the SEC issued a settled order alleging that Activision’s annual and quarterly reports, filed from February 2018 through August 2021, included risk factor disclosures acknowledging that its ability to attract, retain and motivate a skilled workforce was important to its business.
According to the SEC, however, Activision lacked controls and procedures designed to collect information about employee complaints or workplace misconduct that the SEC claims “related to” these risk factors. Because of these alleged shortcomings, the SEC concluded that Activision’s management was unable to “assess related risks to the company’s business, whether material issues existed that warranted disclosure to investors, or whether the disclosures it made to investors in connection with these risks were fulsome and accurate.” The SEC, however, did not fault Activision’s actual disclosures in any way.
Although not cited in the SEC’s order, the “employee complaints” and “workplace misconduct” it references likely relate to sexual harassment and other allegations in lawsuits filed against Activision in 2021. Activision first disclosed these lawsuits in its quarterly report for the third quarter of 2021, when it also revealed that federal and state agencies had been probing workplace harassment claims at the company for nearly three years. The SEC does not contend, however, that these disclosures were misleading or incomplete, or that they should have been made earlier. In other words, Activision’s accounting and disclosure for these matters appear to have been SEC-compliant throughout the period covered by the SEC order.
SEC Commissioner Hester Peirce dissented from the settlement, noting among other things that, if information related to workplace misconduct were relevant to workforce retention, one would expect that management’s failure to receive such information would render Activision’s disclosures misleading or incomplete, which the settled order does not allege. She also objected to the order’s expansion of the disclosure control rule’s plain text — which ties DCP to “information that is required to be disclosed” — to include the “additional, vaguely defined category” of information that is “relevant” to a company’s determination about whether a risk or other issue is required to be disclosed. Lastly, she observed that the underlying sexual harassment allegations, while “deeply concerning,” were being addressed by other government agencies with express jurisdiction over such issues, which the SEC lacked.
Implications of the SEC’s Approach in Activision
Traditionally, SEC enforcement actions treated violations of the disclosure controls rule as ancillary to more substantive fraud or misrepresentation claims. Recently, however, the SEC has elevated the rule to a starring role by bringing standalone charges for DCP failures. But even in those cases, the SEC clearly connected the alleged DCP failures to public statements that the SEC considered to be false or misleading. In its 2018 case against Tesla, for instance, the SEC’s complaint expressly tied the company’s alleged DCP failures to representations its then-CEO made on social media, which the SEC claimed were false.
That is not true in Activision. The SEC’s order does not allege that the company’s risk factor disclosures about employee retention were false or misleading, or how (if at all) they were connected to the company’s reported workplace harassment issues. The order is also silent on alleged investor harm. And the SEC does not contend that Activision was required to publicly disclose more than it did about the alleged workplace harassment.
That’s why the SEC’s use of the disclosure rule here is potentially troubling. When untethered from false or misleading disclosures, the rule becomes a garment the SEC can stretch to fit any situation. Even the most robust disclosure controls systems have limits, which means the SEC likely can find some piece of information inside a company that did not reach those responsible for public disclosures. Historically, liability in such situations would be measured against established accounting and disclosure rules and filtered through well-settled standards for materiality and the required mental state. But these constraints are inapplicable to purported violations of the disclosure controls rule, opening the possibility that the SEC can use the rule to police any corporate conduct it thinks should be addressed.
The size of the SEC’s civil penalty is also concerning. In addition to being much larger than the penalties levied in other standalone DCP cases, it also nearly doubles what the Equal Employment Opportunity Commission — the federal agency with jurisdiction over sexual harassment claims — required Activision to pay ($18 million) in its March 2022 settlement of workplace harassment charges. With this frame of reference, and without any allegations of fraud, misrepresentation or investor harm, it is unclear how the SEC determined the penalty amount. It is possible that Activision’s pending merger transaction factored into its decision to settle on these terms and provided the SEC additional leverage in the case. But the SEC order’s silence on this point creates an additional layer of uncertainty for issuers.
How Issuers Can Respond to Activision
Notwithstanding its potential implications, the Activision order reminds issuers to ensure that their DCP are reviewed and updated regularly, and that these reviews and updates are well-documented. Particular attention should be paid to controls and procedures touching on environmental and social topics of current SEC concern. Many issuers, for instance, cite the ability to attract and retain talented employees as a risk factor, so DCP for this risk factor should at a minimum capture the kinds of information at issue in Activision. DCP for risk factors touching on other issues of current SEC focus — such as climate change and cybersecurity — should likewise be scrutinized.
In addition, when conducting this review, issuers should identify and include all the different media through which they communicate with the public about their business. The SEC has applied the disclosure controls rule to communications made outside of formal SEC filings, such as through social media accounts and annual ESG or sustainability reports.
Another key takeaway is the importance of breaking down information silos inside the company to ensure that potentially material information reaches those responsible for public disclosures. Parts of the organization that often have this information — such as legal, information security and enterprise risk management — should be integrated into the disclosure process to minimize the risk of overlooking developments that could potentially impact the company’s business, risk factors and accounting disclosures. While no system of disclosure controls and procedures can capture every piece of information that might bear on disclosures, well-documented and good-faith efforts will provide the best defense to a potential SEC challenge.
About the authors:
David Peavler is a Securities Litigation & SEC Defense partner in the Dallas office of Jones Day.
Evan Singer is a Securities Litigation & SEC Defense partner in the Dallas office of Jones Day.
Camden Douglas is an associate in the Dallas office of Jones Day.
The views and opinions set forth herein are the personal views or opinions of the authors; they do not necessarily reflect views or opinions of the law firm with which they are associated.