Hypothetical Scenario Disclosures by Companies Risk SEC Scrutiny

The SEC’s recent court win against a Massachusetts investment adviser underscores the fine line companies walk when divulging conflicts and risk factors to investors.

A judge agreed with the Securities and Exchange Commission earlier this month that Commonwealth Financial Network’s use of the word “may” in an SEC filing to describe an actual conflict of interest was inadequate.

The agency argues “hypothetical” disclosures can mislead investors. The potential pitfalls arise in a range of disclosures, from investment advisers’ conflict-of-interest filings to publicly traded businesses alerting investors to a government investigation.

Companies, including Meta Platforms, Blackbaud, and Merck, have been fined millions of dollars for in recent years for describing actual risks as hypothetical.

“We know it can be a real bugaboo, for lack of a more technical term, to the SEC,” Ropes & Gray LLP attorney Joel Wattenbarger said.

Risk factors evolve on macroeconomic, technological and other developments, and the SEC has had to adapt. Companies disclosures about hacks and other cyber incidents—problems that can plague all types of businesses—have been a particular point of emphasis for the agency.

“Speaking only hypothetically of incidents is an increasingly dangerous practice in this area,” Akin Gump Strauss Hauer & Feld LLP attorney Michelle Reed said.

Hypothetical Dislclosure

The SEC sued Commonwealth in 2019, alleging the company didn’t provide enough information to clients about conflicts of interest that could drive the firm to choose more expensive investments.

Commonwealth disclosed certain fees received from National Financial Services LLC, which maintained custody of Commonwealth’s clients’ assets. But Commonwealth described the conflict merely as “potential” and said it “may” have incentives to select costlier investments, the SEC said.

Commonwealth actually had a conflict and those incentives actually existed, the agency said in its complaint. The SEC won a court ruling against Commonwealth on April 7 in the US District Court for the District of Massachusetts, when Judge Indira Talwani agreed the disclosures weren’t good enough.

“Commonwealth presents the payments it receives from the revenue sharing arrangement as a hypothetical rather than disclosing it as a matter of fact,” Talwani wrote.

Commonwealth says it believes its disclosures were sufficient. The SEC is seeking civil penalties in the case.

Hacks, Customer Data

Companies’ disclosures about other risk factors also face SEC scrutiny.

Blackbaud Inc., a South Carolina software company, revealed a 2020 ransomware hack and said that kind of incident “could” affect its operations and reputation. The SEC said in March that was misleading because the risks “were no longer hypothetical.”

Blackbaud agreed to pay $3 million to settle the agency’s allegations.

Pearson Plc paid $1 million in 2021 after the SEC said it made misleading statements, in part, because it told reporters a data breach “may” include dates of birth and email addresses. The London-based publisher already knew those records were stolen, the SEC said.

Merck NV, Alphabet Inc., and Facebook Inc. have faced similar scrutiny, either from the SEC or from investors in court. Facebook in 2019 paid $100 million to settle SEC claims that it presented the risk of misusing customer data as hypothetical, despite knowing for years that outside developer Cambridge Analytica was already mishandling it.

“It definitely to me is something where a company doesn’t want to be cute in trying to condition something as being a possibility when it knows that it has in fact occurred,” said Bryan Westhoff, a Polsinelli PC attorney.

Companies are required to update existing disclosures when a risk or another issue, which was hypothetical at the time, has turned into an actual problem.

DocuSign Inc. is facing a securities fraud suit from investors who say the company presented Covid-related business risks as possibilities when it knew the risks had come to pass.

Needle Threading

But there are gray areas, attorneys said. It might be unclear whether a problem is theoretical or actual.

Companies might be waiting for final word on whether a regulator will approve a new product. It can lead to contorted disclosures, trying to communicate an issue clearly to investors without drawing the focus of the SEC.

“Part of challenge, or at times even frustration, as a practitioner is you have to be constantly on guard to, ‘am I giving this particular conflict or this particular matter sufficient weight if I say this ‘may’ occur?’” Wattenbarger said.

The SEC has recently been pushing companies to be more transparent about cybersecurity events in particular. The agency in March 2022 proposed a rule that would require companies to quickly provide information about cyber incidents.

It can be tricky for businesses when deciding how to describe a given incident in a way that satisfies the SEC without blowing the situation out of proportion and unnecessarily shaking investors’ confidence.

“Companies really face a crossroads when they’re looking at their disclosures,” Reed said. “Everyone has to thread the needle in the way that they see fit.”