The Securities and Exchange Commission (SEC) recently published a concept release seeking public comment on redefining the term “foreign private issuer” (FPI). The current framework provides FPIs with less regulation than domestic issuers, based on the understanding that FPIs face different circumstances, such as compliance with home country laws. However, a recent study revealed significant changes in the FPI population, including an increase in China-based issuers incorporated in lightly regulated tax havens. The SEC is concerned that the current FPI definition may no longer be suitable and is considering potential amendments.

In a landmark decision on July 18, 2024, Judge Paul Englemayer of the Southern District of New York dismissed most charges in the SEC’s enforcement action against SolarWinds and its CISO, Timothy Brown. The court ruled that cybersecurity controls are not part of a company’s “system of internal accounting controls” under Section 13(b)(2)(B)(iii) of the Exchange Act, dismissing these claims. However, the court upheld charges that SolarWinds and Brown misled investors with public statements about their cybersecurity program. This case, stemming from the SUNBURST attack, highlights the importance of detailed risk disclosures and accurate public-facing statements on cybersecurity.

SEC officials have expressed concern that companies are not properly identifying and disclosing material weaknesses in internal controls, and that such weaknesses are too frequently disclosed only in conjunction with a restatement – after the damage is, in effect, done. See, e.g., January 2014 Update. However, an academic study in…