A regulatory environment that supports robust secondary market disclosures is critical for a well-functioning securities market. Ongoing disclosures by listed companies are being increasingly scrutinised by regulators, stock exchanges and market participants to see if timely and accurate disclosures of all material information are being made by the listed entity. Accordingly, it is important for companies to ensure that developments in their businesses translate to appropriate regulatory disclosures.
A recent example of the importance of secondary market disclosure is the Facebook case. In 2019, the US Securities and Exchange Commission (“SEC”) announced charges against Facebook Inc. (“Facebook”) for making misleading disclosures in its periodic filings about the risks pertaining to misuse of its user data by third parties. The SEC alleged that in public disclosures, Facebook presented the risk of misuse of user data as “merely hypothetical”, when it was aware that a third-party developer had actually misused Facebook user data. The SEC press release states that Facebook has agreed to pay $100 million to settle the charges.
We discuss this development and learnings for the Indian market below.
Facebook had considered improper use of user data as a material risk and had been highlighting the risk in public filings since its initial public offering (“IPO”) in 2012. In its IPO prospectus, Facebook stated that “If…third parties or Platform developers fail to adopt or adhere to adequate data practices or fail to comply with our terms and policies, or in the event of a breach of their networks, our users’ data may be improperly accessed or disclosed.” The prospectus further stated that such incidents could have a material and adverse effect on the business, reputation or financial results of Facebook.
In the periodic reports that listed companies in the US are required to submit to the SEC post listing, they are required to include details of risks perceived by the management. Accordingly, Facebook included disclosure in the risk factors similar to the prospectus, in its quarterly and annual filings with the SEC from 2012 to 2015.
The SEC complaint states that in December 2015, newspaper articles reported that a research company had obtained Facebook data from millions of users of the social media platform and used such data in the American elections. Thereafter, an employee of Facebook contacted the research company that had access to such user data and concluded that user data was collected and transferred to the research company in violation of Facebook’s policy for third-party app developers. The SEC complaint also alleges that in December 2015, there were suspicions within Facebook about a third party having misused its user data.
However, in its periodic filings made with the SEC between January 28, 2016 and March 16, 2018, Facebook continued to state that “Any failure to prevent or mitigate security breaches and improper access to or disclosure of our data or user data could result in the loss or misuse of such data, which could harm our business and reputation and diminish our competitive position.” It further stated that if “developers fail to adopt or adhere to adequate data security practices…our data or our users’ data may be improperly accessed, used or disclosed.” (emphasis supplied)
As per the SEC complaint, when Facebook first publicly acknowledged that it had learned of such violation of its policy, on March 16, 2018, the share price of Facebook substantially declined. Accordingly, the SEC complaint alleged that despite having confirmations that user data had been misused and red flags raised, Facebook did not evaluate how the risk factor disclosure in SEC filings should be altered on the basis of this information and made a material omission in its disclosures. Facebook agreed to pay $100 million to settle the charges.
Learnings for the Indian securities market
Principles underlying the SEC’s charges are relevant for the Indian securities market as well and some learnings are set out below.
- Closer Scrutiny of Risk Factors
Issuers in India should review the risk factors in offer documents carefully to assess whether they are presenting the risks correctly. Offer documents are typically drafted to include a variety of risk factors, which are drafted to cover potential events that may cause a material adverse effect on the company. However, the Facebook complaint shows that there is a material difference between a potential or hypothetical risk and a risk that has actually materialised. Issuers should scrutinise risk factors to assess whether any of the risks have actually materialised so that the disclosure related to risk factors can be suitably modified. Additionally, the risk management function of companies should also be involved in the drafting of offer documents and continuous disclosure requirements for companies, particularly for banks, NBFCs and other companies operating in highly regulated sectors. Further, if a particular incident/risk has already occurred, it should be disclosed in the offer documents, and including a catch-all/generic risk factor may not be advisable.
- Redesign internal processes
Typically, only the senior management of a company is involved in the drafting sessions and reviewing the disclosures in the offer document. Further, only the legal and finance teams are usually involved in drafting the disclosure. To ensure business developments are accurately reflected in the document, internal processes should be redesigned to ensure business developments and risks are communicated to the team finalising the disclosure. Companies that undertake follow-on offerings should carefully review the disclosures so that changes to the business and risks are accurately reflected.
- Improving continuous disclosure requirements
As stated above, the SEC has prescribed periodic filings for listed companies in the US to update their offer documents (including risk factors and the business section). This provides investors a holistic update on the business of the company and the risks affecting the company.
In India, whilst Regulation 35 of the SEBI Listing Regulations prescribes an ‘Annual Information Memorandum’ to be submitted by listed entities, the SEBI has not yet operationalised this provision.
Annual updates to the offer document will build investor confidence. It will provide investors with an opportunity to track updates and risks facing a business and allow them to make an accurate assessment of the company. This would create a healthy trend in the market where information about the company would be made available in one place and available to all stakeholders. This also has benefits for periodic follow-on capital raising by companies. It would also serve as a useful regulatory tool for SEBI and the stock exchanges to monitor disclosures and investigate if there are allegations of non-disclosure of material information. Accordingly, SEBI should consider operationalising the submission of an Annual Information Memorandum by listed companies.