Q3 2023 U.S. Legal & Regulatory Developments

The following is our summary of significant U.S. legal and regulatory developments during the third quarter of 2023 of interest to Canadian companies and their advisors.

1. SEC Adopts New Cybersecurity Disclosure Requirements

The United States Securities and Exchange Commission (the “SEC”) has adopted new disclosure requirements to enhance and standardize public company disclosures regarding cybersecurity risk management and incident reporting. Domestic issuers will be required to disclose material cybersecurity incidents within four business days on Form 8-K, and to provide annual disclosure regarding their cybersecurity governance and risk management. Foreign private issuers (“FPIs”) will be required to make corresponding disclosures regarding cybersecurity governance and risk management on Form 20-F and to disclose material cybersecurity incidents on Form 6-K that they must disclose or publicize in a foreign jurisdiction, to any stock exchange, or to security holders. The SEC did not make any amendments to Form 40-F disclosure requirements. The final rules reflect the SEC’s response to comments calling for more measured disclosure requirements, including, among other things, the elimination of the proposed requirement to disclose whether a board has cybersecurity expertise, the addition of a procedure to delay disclosure if the U.S. Attorney General determines that the disclosure would pose a substantial risk to national security or public safety and more explicit language that the disclosure be focused on material cybersecurity risks and impacts.

New Item 1.05 of Form 8-K, and the corresponding amendment to Form 6-K, will require current disclosure of material “cybersecurity incidents,” which the SEC has defined as “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a company’s information systems that jeopardizes the confidentiality, integrity, or availability of a company’s information systems or any information residing therein.” The determination of whether a cybersecurity incident is material remains unchanged and is determined by the same principles articulated repeatedly by the courts and the SEC—namely, whether there is a substantial likelihood that a reasonable investor would consider it important. Disclosures of material cybersecurity incidents pursuant to new Item 1.05 of Form 8-K should include material aspects of the nature, scope and timing of the incident, and the material impacts or reasonably likely material impacts on the company, including its financial condition and results of operations. If any of these details are unavailable at the time of filing an initial Form 8-K, such information must be disclosed within four business days of its becoming available via an amendment filed on Form 8-K/A. In their disclosures, companies will not be required or expected to publicly disclose specific, technical information about their planned responses to the incident or their cybersecurity systems, related networks and devices, or potential system vulnerabilities, at a level of detail that could hamper their ability to respond to or remedy the incident. FPIs will be required to include on Form 6-K disclosure of material cybersecurity incidents that they must disclose or publicize in a foreign jurisdiction, to any stock exchange, or to security holders.

New Item 106 of Regulation S-K and new item 16K of Form 20-F will require companies to include in Annual Reports on Form 10-K and 20-F, respectively, a discussion about their cybersecurity risk management, strategy and governance covering the following topics:

• Cybersecurity risk management: Companies must describe their processes for assessing, identifying and managing material risks from “cybersecurity threats,” defined as any “potential unauthorized occurrence on or conducted through a company’s information systems that may result in adverse effects on the confidentiality, integrity, or availability of a company’s information systems or any information residing therein.” In the disclosure, companies must address a number of non-exclusive factors, including whether and how any such processes have been integrated into the company’s overall risk management system or processes, whether the company engages third parties in connection with such processes, and whether the company has processes to oversee and identify any such cybersecurity threats associated with its use of any third-party service providers. The disclosure must also describe whether any risks from cybersecurity threats (including prior incidents) have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations or financial condition, and if so, how.
• Board oversight of cybersecurity risks: Companies must describe the board’s oversight of risks from cybersecurity threats, including an identification of any board committee(s) responsible for such oversight, and a description of the process by which the board or any committee is informed about cybersecurity risks.
• Management oversight of cybersecurity risks: Companies must also describe the role of management in assessing and managing material risks from cybersecurity threats. In particular, companies must address a number of non-exclusive factors, including which management positions or committees are responsible for assessing and managing cybersecurity risks and the relevant expertise of such persons, the process by which such persons or committees are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents, and whether such persons or committees report information about such risks to the board or its committees.

These new disclosure requirements do not apply to Canadian multijurisdictional disclosure system filers who file annual reports on Form 40-F.

Companies must comply with the Form 8-K and Form 6-K disclosure requirements starting on December 18, 2023, except for smaller reporting companies, which have until June 15, 2024. All companies must provide the cybersecurity governance and risk management disclosure in annual reports filed for fiscal years ending on or after December 15, 2023 (i.e., calendar-year-end companies will be required to include this in next year’s Annual Report on Form 10-K or 20-F).

For the full text of our memorandum, please see:

• https://www.paulweiss.com/media/3983604/sec_adopts_new_cybersecurity_disclosure_requirements.pdf    

For the SEC’s final rules, please see:

• https://www.sec.gov/files/rules/final/2023/33-11216.pdf

2. DOJ and FTC Issue Draft Merger Guidelines

• The Antitrust Division of the Department of Justice (the “DOJ”) and Federal Trade Commission (the “FTC,” and together with the DOJ, the “Agencies”) have published a draft set of new merger guidelines.
• Some concepts in the new guidelines are similar to those in the existing guidelines. However, several of the new guidelines differ significantly from existing guidelines and could in certain circumstances lead to challenges to deals that in the past would not have faced agency action.
• The Agencies accepted public comments on the draft guidelines until September 18, and said that they “will use the public comments to evaluate and update the draft before finalizing the guidelines.”

On July 19, 2023, the Agencies issued much-anticipated draft merger guidelines. These guidelines would replace both of the Agencies’ 2010 Horizontal Merger Guidelines and the DOJ’s 2020 Vertical Merger Guidelines (which were rescinded by the FTC in September 2021). The new guidelines are a substantial departure from existing guidelines in a number of respects. The most significant change may be that the guidelines lower the threshold market concentration level at which the Agencies would presume a merger to be illegal, from a post-merger Herfindahl-Hirschman Index (“HHI”) score of 2,500, with an increase greater than 200, to a post-merger HHI of 1,800, with an increase greater than 100. They also introduce a presumption that a merger resulting in a market share for the merged firm of greater than 30% would be illegal if it also resulted in a relatively modest increase in market concentration or if it entrenched or extended the firm’s market position. The new guidelines also assert that the Agencies could challenge mergers furthering a trend toward market or industry sector consolidation.

The federal antitrust analysis of mergers is generally governed by Section 7 of the Clayton Antitrust Act of 1914 (the “Clayton Act”), which prohibits acquisitions the effect of which “may be substantially to lessen competition, or to tend to create a monopoly.” The guidelines are meant to help the Agencies determine whether a merger falls into this category and should be enjoined.

The new guidelines reflect several significant departures from the existing guidelines. These include new guideline 1, which reflects lowered thresholds for the presumed illegality of horizonal mergers, including a reinstatement of the pre-2010 thresholds (i.e., post-merger HHI score of 1,800, with an increase greater than 100) and the establishment of a new metric (an HHI increase of greater than 100 and a firm with greater than 30% market share), new guideline 7, which sets out the Agencies’ approach to mergers that may entrench or extend a firm’s existing position as “dominant” (which, as defined in the guidelines, falls well shy of monopoly power), and new guideline 8, which indicates that a merger may violate the law if it contributes to a significant increase in concentration, which could be established by a change in HHI greater than 200, or by other factors showing that the merger would increase the pace of concentration.

The guidelines also retain and expand upon several concepts from the existing guidelines, including describing how the Agencies look to the degree of competition between merging firms to predict whether a merger may substantially lessen competition (guideline 2), and how competition may be lessened if a merger meaningfully increases the risk of coordination among remaining firms in a relevant market or makes the existing coordination more stable or effective (guideline 3), eliminates potential entrants to the market, whether that potential is actual or perceived (guideline 4), if it gives a firm control over access to a product, service, or customers that its rivals use to compete (guideline 5), or if circumstances are such that the merged firm could foreclose its competitors from a market (guideline 6).

Finally, the new guidelines also discuss their application to specific scenarios, including serial small acquisitions in the same or related business lines (guideline 9), multi-sided platforms (guideline 10), mergers among buyers due to their ability to establish monopsony power (guideline 11), and acquisition of partial or minority interests (guideline 12).

It is important to emphasize that the Agencies’ merger guidelines themselves do not have the force of law and are not binding on courts, though the Agencies assert that the new draft guidelines are based on “binding propositions of law to explain core principles that the Agencies apply.” In addition, the existing merger guidelines have been cited favorably by courts in a number of litigated merger cases. In what may be an attempt to bolster the credibility of the guidelines with the courts, the guidelines for the first time include citations to “binding legal precedent,” while at the same time stating that these citations “do not necessarily suggest that Agencies would analyze the facts in those cases identically today.” It remains to be seen to what degree the courts will adopt the guidelines and the application of the guidelines could vary from case to case, depending on particular facts. And it is notable that the guidelines are being released at a time when the courts have rejected the aggressive legal interpretations advanced by the DOJ and FTC in a number of merger challenges in federal court.

For the full text of our memorandum on the 2023 Draft Merger Guidelines, as well as our memorandum on the implications of the 2023 Draft Merger Guidelines for private equity clients, please see:

• https://www.paulweiss.com/media/3983560/doj_and_ftc_issue_draft_merger_guidelines.pdf
• https://www.paulweiss.com/media/3983680/proposed_merger_guidelines_and_private_equity.pdf

For the 2023 Draft Merger Guidelines, please see:

• https://www.justice.gov/d9/2023-07/2023-draft-merger-guidelines_0.pdf

For the 2010 Horizontal Merger Guidelines, please see:

• https://www.justice.gov/atr/file/810276/download

3. Second Circuit Confirms That Syndicated Bank Loan Is Not a “Security”

On August 24, 2023, in a highly anticipated decision, the Second Circuit in Kirschner v. JPMorgan Chase Bank, N.A. et al. (“Kirschner”) affirmed the dismissal of state-law securities claims because the syndicated term loan in question was not a “security” and therefore not subject to state and federal securities laws and regulations.

Background

Kirschner arose out of a $1.775 billion syndicated loan transaction in which several banks served as lenders to Millennium Laboratories LLC (“Millennium”), a private California-based drug testing company, and then syndicated that loan to a group of approximately 70 institutional investors. Shortly after the transaction was completed, Millennium lost a significant litigation involving alleged kickbacks and entered into a settlement with the U.S. Department of Justice to resolve alleged violations of the False Claims Act (“FCA”). Millennium thereafter filed for bankruptcy, and the bankruptcy trustee filed a lawsuit against the banks, claiming they had, among other things, violated state securities laws (so-called “blue sky” laws) by making misrepresentations to investors, including falsely assuring investors that Millennium had no exposure to material litigation. The defendants moved to dismiss the complaint for failure to state a claim, arguing that a syndicated bank loan is not a “security” under the state securities laws and that a loan syndication is not a “securities distribution.”

In May 2020, the district court found that the syndicated bank loan at issue was not a security and dismissed the case. On appeal to the Second Circuit, the plaintiff argued, among other things, that the Court had erroneously applied the “family resemblance test” established by the Supreme Court in Reves v. Ernst & Young, 494 U.S. 56, 63 (1990) (“Reves”), when determining that the syndicated loan was not a security.

Opinion

The Second Circuit began by noting that “although the [FCA] defines ‘security’ to include ‘any note,’ the phrase ‘any note’ should not be interpreted to mean literally ‘any note.’” Instead, “only ‘notes issued in an investment context’ are securities,” whereas “notes ‘issued in a commercial or consumer context’ are not.” In affirming the district court’s dismissal, the Second Circuit concluded that the syndicated bank loan on balance bore a “‘strong resemblance’ to one of the categories of ‘notes’ held not to be a security: ‘[L]oans issued by banks for commercial purposes.’”

To reach this decision, the Second Circuit applied the family resemblance test from Reves, which “begin[s] with a presumption that every note is a security” and then directs the court to examine four factors: (1) the motivations that would prompt a reasonable seller and buyer to enter in the transaction (i.e., the commercial purpose for seeking lending by the borrower, and the nature of the return expectations of the lender); (2) the breadth of the plan of distribution of the instrument; (3) the reasonable expectations of the investing public; and (4) the existence of another regulatory scheme to reduce the risk of the instrument. When weighing these factors, the court compares the note at issue to an existing judicially crafted list of instruments that are not securities in order to determine if it bears a strong resemblance.

On appeal, the Second Circuit found that while the first factor “tilt[ed] in favor of concluding that” the loan was a security because “the pleaded facts indicate the parties’ motivations were mixed,” the remaining factors pushed the scale in the other direction. On the second factor, the Second Circuit noted that the complaint had failed to plead that the loan was “offered and sold to a broad segment of the public” because the notes “were unavailable to the general public by virtue of restrictions on assignments.” The Second Circuit also concluded that the third factor weighed against finding that the loan was a security because “the sophisticated entities that purchased the [n]otes ‘were given ample notice that the [notes] were . . . loans and not investments in a business enterprise’” based on the lenders’ certification, which was “substantively identical to the certification made by the purchasers” in Banco Espanol de Credito v. Security Pacific National Bank—a case in which the Second Circuit previously found that certain loan participations were not securities. Finally, the fourth factor did not suggest the loan was a security because the Second Circuit reasoned that other risk-reducing factors were present: the loan was “secured by collateral and federal regulators have issued specific policy guidance addressing syndicated loans.”

Implications

The syndicated loan market has experienced significant growth and maturation in recent years, including the increased prevalence of secondary-market transactions. The Second Circuit’s highly anticipated decision in Kirschner affirms the long-standing view that syndicated bank loans are not securities, likely assuaging concerns that a decision to the contrary could have significantly disrupted the market. While this decision may reflect a general unwillingness to classify such instruments as securities, the ruling also illustrates the fact-specific nature of the Reves framework and offers guidance on steps market participants can take to limit the risk that a syndicated loan may be deemed a “security.” For example, the Court relied on the fact that restrictions were placed on assignments so that the notes were not available to the general public and that the lenders’ certification confirmed the purchasers’ understanding that the notes were loans rather than investments in a business enterprise. Finally, because the Reves framework incorporates the reasonable expectations of the investing public as a factor, the Court’s decision should serve to solidify such expectations, making this decision helpful precedent for defending future similar lawsuits.

For the full text of our memorandum, please see:

• https://www.paulweiss.com/media/3983666/second_circuit_confirms_that_syndicated_bank_loan_is_not_a_security.pdf

For the Second Circuit’s opinion in Kirschner v. JP Morgan Chase Bank, please see:

• https://law.justia.com/cases/federal/appellate-courts/ca2/21-2726/21-2726-2023-08-24.html

4. Delaware Case Law Developments

Delaware Court of Chancery Will Require Supplemental Disclosures to Be “Plainly Material” to Justify Mootness Fee Awards

In Anderson v. Magellan Health, Inc. (“Magellan”), the Delaware Court of Chancery drastically reduced a plaintiff’s mootness fee request and held, in an opinion by Chancellor McCormick, that, moving forward, plaintiffs can justify a mootness fee only if they obtain supplemental disclosures that are “plainly material.” In so holding, the court split with prior Court of Chancery precedent requiring that such disclosures be merely “helpful” to support a mootness fee. The result is that the standard required for supplemental disclosures in the context of a mootness fee award is now higher and in line with the “plainly material” standard established for disclosure-only settlements in re Trulia, Inc. Stockholders Litigation. Magellan also provides helpful guidance around the dollar value of mootness fee awards based on supplemental disclosures. The plaintiff also sought a mootness fee award based on the loosening of deal protections (specifically, the waiver of “don’t-ask-don’t-waive” standstill provisions), and while the court acknowledged that such waivers could result in a compensable corporate benefit by increasing the likelihood of a topping bid, the waivers here achieved “little-to-no value,” and therefore did not justify a fee award.

Delaware Court of Chancery Upholds High/Low Vote Structure Based on Stockholder Identity

In Colon v. Bumble, Inc., the Court of Chancery held that a provision in the charter of a Delaware corporation granting the company’s founder and financial sponsor high voting power within the same class of stock also issued to the public shareholders was valid under the Delaware General Corporation Law (the “DGCL”). The provision, which, in simplified terms, provided that a share carried ten votes if held by the founder or sponsor (or anyone else party to a particular stockholder agreement), but only one vote if held by others, was consistent with long-standing Delaware precedent enforcing charter provisions providing for formula-based allocations of voting power. Because the DGCL permits voting rights to be made dependent upon “facts ascertainable” outside of the charter, such “identity-based voting” is permissible under Delaware law. This decision validates a structure that may be of particular interest to those companies seeking to go public with a high/low vote structure, as it allows the maintenance of voting control with only one class of registered, liquid shares, without the need for an illiquid second class of stock.

Delaware Supreme Court Holds That Charter Provision Could Not Be Applied to Exculpate for Duty of Loyalty Breaches

In CCSB Fin. Corp. v. Totta, the Delaware Supreme Court, in an opinion by Chief Justice Seitz, affirmed the Court of Chancery’s invalidation of a charter provision purporting to make good-faith board decisions regarding a stockholder voting limitation “conclusive and binding upon the Corporation and its stockholders.” The voting limitation capped at 10% the stock that could be voted by a “person” (including stockholders acting in concert therewith) in any stockholder vote, as determined by the board. The Supreme Court held that the Court of Chancery must first test the board’s decision under the provision itself, and then apply enhanced judicial review under established standards. Here, the company argued that the charter provision “eliminat[ed] the first step, and requires business judgment rule for the second step.” While the court acknowledged that such a provision could be included in the organizational documents for a Delaware limited liability company or limited partnership, it could not for a corporation because the provision was an attempt to exculpate directors from a breach of the duty of loyalty, which is inconsistent with Section 102(b)(7) of the DGCL and Delaware public policy. Moreover, the court concluded that there was no equitable basis for the board’s decision to direct the election inspector not to count votes in favor of an insurgent slate under the voting limitation, affirming the Court of Chancery’s findings in this regard.

Delaware Court of Chancery Declines to Enforce Non-Compete in Employment Agreement

In Centurion Service Group, LLC v. Wilensky, the Delaware Court of Chancery held that a non-compete provision in an employment agreement was unenforceable. The court first addressed the parties’ Delaware choice of law provision, which the court noted was “not necessarily binding.” While Illinois had a materially greater interest in the issue than Delaware given that the company is an Illinois limited liability company with its principal place of business in Illinois, the former employee is an Illinois resident and the alleged breach occurred in Illinois, Delaware and Illinois law were largely in step on the enforceability of restrictive covenants, and therefore the court saw no basis to disturb the Delaware choice of law. The court then addressed the terms of the two-year non-compete. The court found the provision’s restricted area, which included any area within the United States or abroad where the company is currently actively soliciting or engaging in its business (or actively planning to solicit or engage in) its business, to be overly broad. The court has now declined to enforce or blue-pencil non-compete provisions in three key contexts, including the sale-of-business (Kodiak Building Partners, LLC v. Adams), forfeiture-for-competition/partnership (Ainslie v. Cantor Fitzgerald, L.P.) and now employment (Centurion).

Delaware Court of Chancery Denies Dismissal of Claims Against Officers of LLC for Failing to Make Disclosures Despite Competing Duty of Obedience to the Board

In Cygnus Opportunity Fund, LLC v. Washington Prime Group, LLC, the Delaware Court of Chancery declined to dismiss breach of fiduciary duty claims against the officers of a Delaware limited liability company for failing to make adequate disclosures in connection with a tender offer by the controller and a subsequent squeeze-out of the minority. Specifically, in connection with the tender offer, plaintiffs alleged that the controller and board did not make any recommendation, that the controller disclosed that the consideration might not reflect fair value and that no financial information was provided to the minority. With regard to the squeeze-out merger, the plaintiffs alleged that the related disclosure was missing key information. As the court framed it, the disclosure documents “disclosed what the Squeeze-Out Merger was, but did not disclose any information that would explain how the Company made its decision or why this was an appropriate course of action.” Plaintiffs asserted breach of fiduciary duty claims against the board, officers and controllers for the inadequate disclosures, and against the board and controller for approving an unfair transaction. The court dismissed the claims against the board and controller because the relevant LLC agreement contained a fiduciary duty waiver. The waiver did not, however, encompass company officers, and the court denied the dismissal of the breach of the duty of disclosure claims against the officers. Such disclosure duties for an officer, the court concluded, may be analogous to the duties owed by company directors and, depending on the circumstances, may require disclosure in connection with the tender offer, and also in connection with the squeeze-out merger, “even in the absence of request for action.” The court did acknowledge that the officers’ “competing duties” to the stockholders in this regard and their duty of obedience to the board created a “conundrum.” Nonetheless, the court noted that “[i]t is reasonably conceivable that a duty of disclosure could exist in connection with a severely underpriced tender offer such that fiduciaries for the entity and its investors would have a duty to say something.” In addition, the court also denied dismissal of claims against the board, controller and officers for breach of the implied covenant of good faith and fair dealing in connection with their failure to make adequate disclosures about the transactions, failure to seek a vote of the minority under the LLC agreement and providing an inadequately low price in the squeeze-out merger.

For the full text of our Delaware M&A Quarterly memorandum for Autumn 2023, which contains links to the Delaware Court of Chancery’s opinions in each of the matters listed above, please see:

• https://www.paulweiss.com/media/3983781/delaware_ma_quarterly_autumn_2023.pdf

                                                                                                                     *       *       *