Sus and Yeet: Remarks before the University of California Irvine Audit Committee Summit

Oct. 7, 2022

Thank you, Patricia [Wellmeyer]. I am pleased to be at today’s Audit Committee Summit and to be at the University of California, Irvine, albeit only virtually. Before I begin, I must remind you that my remarks reflect solely my individual views as a Commissioner and do not necessarily reflect the views of the full Securities and Exchange Commission or my fellow Commissioners.

This year, we celebrate the twentieth anniversary of the Sarbanes-Oxley Act (“Sarbanes-Oxley” or the “Act”). Two decades should give us enough experience with Sarbanes-Oxley and distance from the events that sparked its passage to assess this law with fresh (or maybe somewhat jaded) eyes and draw lessons from it for current regulatory efforts. I do not have time to conduct a full review today since I promised Patricia that I would not speak for more than fifteen minutes, but I will offer a few thoughts on the law and its legacy and perhaps inspire others to do the heavy lifting.

Sarbanes-Oxley passed Congress with broad support. It responded to several notorious corporate accounting and disclosure frauds at large, well-known companies like Enron, WorldCom, Adelphia, and Tyco.[1] Long undetected by investors, auditors, and regulators, these companies’ problems cascaded suddenly and painfully into the markets and public discourse. The strong legislative reaction is, therefore, unsurprising, but crafting an appropriate law to respond quickly and comprehensively to a scandal is difficult.

Predicting how the words on the legislative page will play out in practice is also challenging. For example, a 2015 Supreme Court case, Yates v. United States, considered whether Sarbanes-Oxley’s criminal prohibition on destroying “any record, document, or tangible object with the intent to impede, obstruct, or influence” an investigation applied to tossing undersized fish back into the ocean after being told by a government official[2] to keep the fish onboard as evidence of breaking federal fishing regulations.[3] The Court said no:

A fish is no doubt an object that is tangible; fish can be seen, caught, and handled, and a catch, as this case illustrates, is vulnerable to destruction. But it would cut §1519 loose from its financial-fraud mooring to hold that it encompasses any and all objects, whatever their size or significance, destroyed with obstructive intent.[4]

In reaching that conclusion, the Court rejected a singular focus on the dictionary definition of “tangible object.” Justice Ginsburg explained: “Ordinarily, a word’s usage accords with its dictionary definition. In law as in life, however, the same words, placed in different contexts, sometimes mean different things.”[5] The dissent, by contrast, looked to the dictionary (supplemented by Dr. Seuss’s One Fish Two Fish Red Fish Blue Fish) to conclude that the Sarbanes-Oxley provision clearly covered fish.[6]

The Supreme Court’s dictionary debates in Yates make me think about how the task facing legislators is somewhat akin to that facing people charged with keeping dictionaries up-to-date. Whether you are responsible for writing laws or dictionaries, you try to be responsive to current events while maintaining a longer-term view. How do you figure out which words are just fads and which merit inclusion in the official dictionary, where they will stay for decades or centuries to come? What will our grandchildren think twenty years from now when they are perusing a dictionary’s digital pages and come across words we added this year? Metaverse, booster dose, side hustle, altcoin, pumpkin spice, use case, and greenwash made the list.[7] Those words and phrases likely have staying power. But sus, yeet, and adorkable—all new slang words in this year’s Merriam-Webster’s dictionary[8]—will we still be using those in twenty years? If so, the English language will be janky and in need of MacGyver[ing]—two other words on this year’s list.[9] Consider that in 2002, brain-box,[10] mizzle-shinned,[11] and celly[12] made it into the dictionary. I may be the first person to have spoken those words in 2022. Revisiting dictionary entries after the cultural moment they reflect has passed probably makes sense.

Analyzing laws well after the scandal of which they were born has faded can clarify which parts of them have lasting value and where changes might be warranted. In the process, we can learn lessons about how to address similar problems in the present and future. As I look back at Sarbanes-Oxley with the dispassion brought by the passage of time, I see a law that contributed to better corporate disclosure processes, stronger internal controls, and healthier corporate governance practices at companies; a more focused and systematic approach to reviewing periodic filings by the SEC; and more reliable financial statements.[13]

Sarbanes-Oxley, however, has not been all positive. Among other things, it has increased greatly the cost of being a public company, hastened the federalization of corporate governance, and complicated the financial regulatory bureaucracy. Sarbanes-Oxley covers a lot of territory, so I will focus today only on a handful of provisions related to the Public Company Accounting Oversight Board (“PCAOB”), internal controls, clawbacks, and board composition.

A. The Unusual Public Company Accounting Oversight Board

You just heard from Chair Erica Williams of the PCAOB about the important work the PCAOB is doing to foster audit quality and thus trust in the capital markets.[14] The PCAOB is one of Sarbanes-Oxley’s major contributions to the financial regulatory landscape; but, throughout its life, questions about its unusual place in that landscape have haunted it. Sarbanes-Oxley created the PCAOB as a self-standing body to regulate—as its name suggests—public company auditors.[15] The SEC appoints its board members and oversees it, but the PCAOB is an independent regulator. A 2010 Supreme Court opinion held that this “Government-created, Government-appointed entity, with expansive powers to govern an entire industry” was constitutionally flawed because its board members had too many layers of tenure protection.[16] In the Court’s view, a judicial tweak to make it easier for the SEC to remove board members afforded the President “adequate control over the Board, which is the regulator of first resort and the primary law enforcement authority for a vital sector of our economy.”[17]

Had Congress simply charged the SEC with regulating auditors, it could have avoided the PCAOB’s constitutional defects and consolidated related authorities in one government agency. This approach would also have diverted the considerable SEC resources that have since gone into overseeing the PCAOB, its budget, and its standard-setting, inspections, and enforcement activity to go, instead, directly into fostering audit quality.

Housing the PCAOB’s functions within the SEC could be more efficient. For example, in investigating misconduct at public companies, the SEC often also looks at the auditor, which means the PCAOB generally does not. Even when not bringing a related case against a company, the SEC often brings enforcement actions against auditors rather than entrusting them to the PCAOB. Practically speaking, the PCAOB is not, as the Supreme Court envisioned, “the primary law enforcement agency for a vital sector of our economy.”[18] Perhaps casting about for a way to spend its enforcement resources, the PCAOB has signaled recently that it will bring enforcement actions for single acts of negligent conduct.[19] If the PCAOB were folded into the SEC, its enforcement resources could be focused on more serious violations.

Similarly, knowing what it does now about the deep engagement of the SEC and its staff in PCAOB standard-setting and the interactions between the two regulators’ rules, Congress might have found it more efficient simply to delegate standard-setting to the SEC. For example, Chair Gensler recently directed the PCAOB “to consider adding updates for auditor independence standards to their agenda,” which was paired with a suggestion that “[w]e may need to take a fresh look at the SEC’s auditor independence rules as well.”[20] Why we and the PCAOB need to rewrite independence rules that we both recently updated is unclear,[21] but the two projects are sure to be linked. Finally and importantly, if the PCAOB drifts from its mission in the coming years into political hot topics of the day, as some advocate, calls to fold it into the SEC are likely to increase.[22]

Whether housed at the SEC or the PCAOB, the PCAOB’s function of “protect[ing] investors and further[ing] the public interest in the preparation of informative, accurate, and independent audit reports”[23] is vital. Independent audits are critical to giving investors confidence in the integrity of financial statements. High-quality financial statements in turn help investors allocate money to the most productive uses, which helps the economy grow and individuals thrive.

B. The Expensive Section 404: Internal Controls

Effective internal controls over financial reporting contribute to reliable financial statements. One of the PCAOB’s early defining moments was its implementation of Section 404 of Sarbanes-Oxley. Under Section 404, management is responsible for establishing and maintaining internal controls, and auditors have to “attest to, and report on, the assessment made by the management of the issuer.”[24] Thus, the SEC and the PCAOB both had a role in implementing the provision.[25] The PCAOB’s first attempt, Auditing Standard No. 2, fostered an unproductively granular and, therefore, costly attestation process.[26] In the words of then-Commissioner Paul Atkins:

We had an atmosphere in which what-if scenarios created mountains out of molehills – a control failure for a $500 error could be just as significant as for a $50 million error. And, we had companies being told to document, analyze, and create process charts for literally tens or hundreds of thousands of supposedly key internal controls . . . . [27]

The SEC and the PCAOB, attempting to recalibrate the 404 process, issued new guidance and a new auditing standard in 2007. The changed regulatory approach helped, but Section 404 remains one of the law’s most controversial and costly provisions. Professor Stephen Bainbridge, in a recent assessment of Section 404, observed:

Section 404 compliance costs were substantial from the outset. Those costs were disproportionately borne by smaller firms from the outset. Section 404 compliance costs remain high and show no signs of dropping over time. It remains the case that those costs are disproportionately borne by smaller firms.[28]

Section 404 costs likely are a material consideration for many companies contemplating going public.[29] Thus, in the 2012 JOBS Act, Congress created the Emerging Growth Company category, which, among other things, phased in Section 404(b) compliance for smaller, newly public issuers.[30] As recently as 2020, the SEC took steps to ease the Section 404 burden for certain low-revenue companies.[31] The Commission explained that:

Although factors other than the [Internal Control over Financial Reporting] auditor attestation requirement may have contributed to the decline [in the number of listed companies], . . . the described cost reductions associated with the final amendments could be a positive factor in encouraging additional small companies to register their securities offerings or a class of their securities, which would provide an increased level of transparency and investor protection with respect to those companies.[32]

The experience with Section 404 may provide some valuable lessons applicable to the SEC’s proposed public company climate change disclosures rule. As Section 404 did, the proposed climate rule, if adopted, would require companies to set up complex systems, this time for tracking greenhouse gas emissions and climate-related expenditures and revenues. The proposal would require attestation for some greenhouse gas emissions and wrap mandatory climate-related financial statement metrics into the audit. Commenters on the climate proposal have urged us to take the Section 404 experience into consideration.[33] Cumulative regulatory burdens matter for companies deciding whether to become or remain public and, depending on how it is finalized, the climate rule could add materially to cumulative burdens.[34]

C. The Ambiguous Section 304: Forfeiture of Certain Bonuses and Profits

As is common with statutes, experience with Sarbanes-Oxley has highlighted areas of ambiguity in the statutory text. Consider Section 304, which seeks to ensure that CEOs and CFOs do not profit from financial reporting shenanigans by their companies. To that end, the statute states that “[i]f an issuer is required to prepare an accounting restatement due to the material noncompliance of the issuer, as a result of misconduct, with any financial reporting requirement under the securities laws,” then the issuer’s CEO and CFO must repay “any bonus or other incentive-based or equity-based compensation” received and “any profits realized from the sale of securities” during the year following the issuance or filing of the affected financial statement.[35] The language leaves room for interpretation, particularly as to which restatements trigger the requirement, which payments are affected, and how it should be enforced. Although some questions have been answered,[36] surprisingly, much ambiguity remains twenty years after the provision became law. Section 304(b) grants the SEC explicit authority to exempt any person from application of the provision “as it deems necessary and appropriate.” Accordingly, the SEC has an important role in shaping the interpretation and application of Section 304.

Despite its authority to do so, the SEC has not yet set forth a sensible Section 304 approach. The Division of Enforcement, for example, could state in its enforcement manual that it would prioritize seeking reimbursement in cases involving fraud. Moreover, the language in Section 304(a) is best read as being limited to incentive-based or equity-based bonuses, so the SEC should not seek repayment of other types of bonuses.[37] In addition, the text of the statute obligates the CEO and CFO to “reimburse the issuer.” CEOs and CFOs who have paid back the money as required should not be subject to Commission action under Section 304 because payment satisfies the statutory obligation. For this reason, the Commission’s recent actions instituted after the officers paid the reimbursement seem ill-founded.[38] Finally, the Commission should think about the relationship between Section 954 of the Dodd-Frank Act, under which the Commission will require exchanges to prohibit the listings of issuers that do not have policies providing for the recovery of erroneously awarded compensation, and Section 304.[39] A broad interpretation of Section 304 could discourage talented people from taking the top spots at public companies.[40]

D. The Contagious Section 407: Audit Committee Financial Expert

Sarbanes-Oxley increased the role of the federal government in corporate governance. Section 407 of the Act, for example, requires companies “to disclose whether or not, and if not, the reasons therefor, the audit committee of that issuer is comprised of at least 1 member who is a financial expert, as such term is defined by the Commission.”[41] While styled as a disclosure provision, Section 407 put tremendous pressure on boards to find someone who met the precise parameters of “financial expert” set forth in the statute and further defined by SEC rule. As former Commissioner Glassman later explained, the Commission proposed a definition so narrow that “neither Federal Reserve Chairman Alan Greenspan nor investment luminary Warren Buffett would have qualified.”[42] Commenters convinced the SEC to broaden the definition, but even a more reasonably crafted disclosure requirement indirectly drives board composition. Particularly for small companies, finding and retaining a director who is a financial expert might be difficult and might stand in the way of boards getting other expertise they need.

This provision of Sarbanes-Oxley has set the template for proposals we issued this year to require boards to disclose whether they have board members with expertise in areas like climate or cybersecurity.[43] While some commenters on those proposals have been supportive,[44] others have asked us to consider whether these requirements would drive boards into a one-size-fits-all mold, undercut the collective and collaborative decision-making of boards, and insinuate that boards play a managerial, rather than oversight, role at companies.[45]

E. Conclusion

Even if you are—drawing on the 2002 new word list here—a brain-box,[46] reviewing Sarbanes-Oxley is not an easy task. It is, however, a worthwhile task at the twenty-year mark. We need to “collabo”—another new 2022 word, this time from the Oxford English Dictionary[47]—on thinking about what lessons we can draw from our experience with Sarbanes-Oxley. Those lessons can help us assess whether changes are needed to the Act, but also can help us think about how to solve today’s problems.

[1]      See, e.g., Report of the Senate Committee on Banking, Housing, and Urban Affairs to accompany S. 2673, S. Rep. No. 107-205, at 2 (2002) (“The Banking Committee’s action [to draft Sarbanes-Oxley and report it to the Senate floor] followed ten hearings on the accounting and investor protection issues raised by the financial revelations involving Enron and other public companies.”); William Donaldson, Chairman of the Securities and Exchange Commission, Testimony Concerning Implementation of the Sarbanes-Oxley Act of 2002, Hearing Before the S. Comm. on Banking, Hous., & Urb. Affs. (Sept. 9, 2003) (“Starting in the second quarter of 2000, the bubble burst. Stock prices plummeted. Investors fled the markets. The IPO market disappeared. As happened after the crash of 1929, the falling market that began in 2000 led to other revelations. Starting with the unfolding of the Enron story in October 2001, it became apparent that the boom years had been accompanied by fraud, other misconduct and a serious erosion in business principles. The low points in this story are now household names — not just Enron, but also WorldCom, Tyco, Adelphia and others. . . . To address the widespread collapse of investor confidence and the recognition that something had gone seriously awry in segments of corporate America, Congress approved and the President signed into law the Sarbanes-Oxley Act.”).

[2]      Otherwise known as an o-fish-ial.

[3]      Yates v. United States, 135 S.Ct. 1074 (2015).

[4]      Id. at 1079.

[5]      Id. at 1082.

[6]      Id. at 1090–1101 (Kagan, J. dissenting).

[7]      We Added 370 New Words to the Dictionary for September 2022, Merriam Webster (last visited Oct. 5, 2022).

[8]      Id.

[9]      Id.

[10]    New Words List 2002, Oxford English Dictionary (last visited Oct. 10, 2022).

[11]     Updates to the OED, Oxford English Dictionary (adding the adjective mizzle-shinned as a word in Sept. 2002) (last visited Oct. 10, 2022).

[12]     Time Traveler by Merriam-Webster: Words from 2002, Merriam Webster (last visited Oct. 10, 2022).

[13]     For a helpful twenty-year look-back at Sarbanes-Oxley that underscores some of these points, see SEC Historical Society, The Sarbanes-Oxley Act at 20: A Corporate Governance Legacy, YouTube (Sept. 10, 2022); see also Steven Zelin, Sarbanes Oxley, on The Singing CPA (Zelin Records, 2008) (“Because of WorldCom and Enron, we’ve got Sarbanes-Oxley, Sarbanes-Oxley, the tough new law. And now we have to be compliant with Sarbanes-Oxley, so investors will feel secure.”); but see id. (“Our accountants can retire thanks to Sarbanes-Oxley, Sarbanes-Oxley has cost us a ton. And our consultants can retire thanks to Sarbanes-Oxley, Sarbanes Oxley, and they’re still not done. . . . Now that we’ve strengthened our controls for Sarbanes-Oxley, we are moving our companies abroad.”).

[14]     Chair Erica Williams, PCAOB Chair Williams Delivers Remarks at UCI Audit Committee Summit, PCAOB (Oct. 7, 2022).

[15]     The PCAOB also had limited authority over auditors of broker-dealers, which Congress expanded in the Dodd-Frank Act.  See Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203 (hereinafter, the “Dodd-Frank Act”), § 982 (July 21, 2010); see also Public Company Accounting Oversight Board, PCAOB Statement Upon Signing of the Dodd-Frank Wall Street Reform and Consumer Protection Act (July 21, 2010).

[16]     Free Enter. Fund v. Pub. Co. Acct. Oversight Bd., 561 U.S. 477, 485 (2010).

[17]     Id. at 508.

[18]     Id.

[19]     See, e.g., Chair Erica Y. Williams, Address at the Council of Institutional Investors Fall Conference, PCAOB (Sept. 22, 2022) (“For any violation of PCAOB standards that is serious enough to put investors at risk, the excuse that ‘it only happened once’ simply won’t cut it. We will not hesitate to bring cases that hinge on only a single, serious wrongful act, whether reckless or negligent.”).

[20]     Chair Gary Gensler, Address at Center for Audit Quality - Sarbanes-Oxley at 20: The Work Ahead, SEC (Jul. 27, 2022).

[21]     See Qualifications of Accountants, SEC Rel. No. 33-10876 (Oct. 16, 2020) [85 FR 80508 (Dec. 11, 2020)]; Public Company Accounting Oversight Board; Order Granting Approval of Amendments to PCAOB Interim Independence Standards and PCAOB Rules to Align with Amendments to Rule 2-01 of Regulation S-X, SEC Rel. No. 34-90930 (Jan. 14, 2021) [86 FR 6708 (Jan. 22, 2021)].

[22]     For a discussion of this issue, see Commissioner Hester M. Peirce, Audit Regulators and Cliff Hangers: Remarks before the Stanford Law School Federalist Society, SEC (Feb. 15, 2022).

[24]     See 15 U.S.C. § 7262. Section 404(a) requires public companies’ annual reports to include an internal control report that “state[s] the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting” and “contain[s] an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.” Section 404(b) requires that “each registered public accounting firm that prepares or issues the audit report for the issuer attest to, and report on, the assessment made by management of the issuer” on “the effectiveness of the internal control structure and procedures of the issuer for financial reporting.”

[25]     See Management's Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, SEC Rel. Nos. 33-8238; 34-47986; IC-26068 (June 3, 2003); Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, PCAOB Rel. No. 2004-001 (Mar. 9, 2004) (superseded by Auditing Standard No. 5).

[26]     See, e.g., Joseph A. Grundfest & Steven E. Bochner, Fixing 404, 105 Mich. L. Rev. 1643, 1645 (June 2007) (estimating costs for implementing Section 404 in the first year to be “$7.3 million for companies with market capitalizations in excess of $700 million and about $1.5 million for issuers with market capitalizations of $75 million to $700 million”) (citing CRA Int’l, Sarbanes-Oxley Section 404 Costs and Implementation Issues: Survey Update, at 5-6 (2005)).

[27]     Paul S. Atkins, Commissioner, Remarks at the Corporate Directors Forum 2007, SEC (Jan. 22, 2007).

[28]     Stephen M. Bainbridge, Sarbanes-Oxley §404 at Twenty, UCLA School of Law, Law-Econ Research Paper No. 08, 2022, at 23 (Aug. 26, 2022).

[29]     See, e.g., Accelerated Filer and Large Accelerated Filer Definitions, Rel. No. 34-88365 (Mar. 12, 2020) [85 FR 17178 (Mar. 26, 2020)] (estimating that an “issuer no longer subject to the ICFR auditor attestation requirement would save approximately $210,000 per year comprised of approximately $110,000 per year reduction in audit fees and an additional reduction in non-audit costs of approximately $100,000”); Protiviti, SOX Compliance Amid Rising Costs, Labor Shortages and Other Post-Pandemic Challenges, at 5 (June 9, 2022) (reporting survey results from 562 public companies generally, including roughly 39 that were in their second year of SOX 404 compliance, that second year costs of SOX 404 compliance increased from an average $1.25 million in 2021 to $1.47 million in 2022).

[30]     Report of the House Committee on Financial Services to accompany H.R. 3606, H.R. Rep. No. 112-406, at 6 (2012) (“H.R. 3606 adapts the SEC’s scaled regulations for smaller companies by more slowly phasing in regulations that impose high costs on issuers, without compromising core investor protections or disclosures. [Emerging Growth Companies] would still be required to comply with SEC-mandated quarterly and annual disclosures, but they would be exempted from Section 404(b) of the Sarbanes-Oxley Act (P.L. 107–204) of 2002 for a longer transition period—up to five years—instead of the current transition period of two years.”).

[31]     Accelerated Filer and Large Accelerated Filer Definitions, Rel. No. 34-88365 (Mar. 12, 2020) [85 FR 17178 (Mar. 26, 2020)].

[32]     Id.

[33]     See, e.g., Letter from Business Roundtable, at 15 (June 17, 2022) (“As we saw with Section 404 of the Sarbanes-Oxley Act, the proposed assurance requirements have the potential to increase costs substantially.”); Letter from U.S. Chamber of Commerce at 58 (June 16, 2022) (“the proposed footnote disclosures would leave auditors, and thereby registrants, open to undue second-guessing through the PCAOB inspection process – as has been learned from experience in implementing Section 404 of the Sarbanes-Oxley Act”); Letter from United Parcel Service, Inc., at 5 (June 14, 2022) (“The SOX 404 attestation was similarly outside the scope of the services auditors were then providing and introduced greater liability risk for auditors. Studies on the compliance cost of implementing SOX 404 generally showed that audit fees increased by a factor of between 50% and 73%, with some studies suggesting that audit fees had doubled.”) (citing Fischer, B., Gral, B. and Lehner, O.M., 2014, Evaluating SOX Section 404: Costs, Benefits and Earnings Management, 3 Journal of Finance and Risk Perspectives 43, 46-47 (Jan. 2014)).

[34]     See, e.g., Letter from Biotechnology Innovation Organization (BIO), at 20-21 (June 17, 2022) (“The net consequence of heavy regulatory reporting burdens for public companies are two-fold. (1) Fewer companies will join public markets (particularly since climate risk disclosure are required for Form S-1 with no phase-in or protections from an emerging growth company designation), and (2) the companies that do become public will be large in order to absorb the burdens associated with being a public company.”); Letter from David R. Burton of the Heritage Foundation, at 22-23 (June 17, 2022) (“The Commission’s own estimate is that the proposed rule will nearly triple the costs of filing the forms associated with being a public company. This is unprecedented and can be expected to have unprecedented effects. The proposed rule would lead to a resumption in the decline in the number of public companies and a shrinkage in the size and scope of public capital markets. Because of the massive costs imposed by the rule, if the rule is finalized in anything close to its current form, firms will go public much later in their life-cycle and many small and medium-sized companies will engage in “going private” transactions. This occurred after the Sarbanes-Oxley internal controls reporting requirements were implemented. And those costs were relatively small compared to the costs that the proposed rule would impose.”).

[35]     15 U.S.C. 7243(a).

[36]     For example, courts have concluded that the reimbursement obligation can apply even if the issuer’s CEO or CFO were unaware of the relevant misconduct requiring the restatement.  SEC v. Jenkins, 835 F.3d 1100, 1114-15 (9th Cir. 2016).

[37]     Others, including the SEC, read the Section 304 language loosely to encompass all kinds of bonuses, but that reads out the word “other” in the statutory text: “bonus or other incentive-based or equity-based compensation.” Section 304(a) (emphasis added). See, e.g., Stephen G. Waldis, SEC Rel. No. 95054, 2022 WL 2063304 (June 7, 2022) (SEC order citing CEO of Synchronoss Technologies, Inc., Stephen Waldis, with violating Section 304 of Sarbanes-Oxley for not reimbursing to his company all “bonuses, incentive-based compensation, equity-based compensation, and realized profits from his sales of his company’s stock during the clawback period, while not otherwise charging Waldis with misconduct); Scott Mascianica & Javan Porter, SEC Showing Its Claws With Increased Focus on Recouping Executive Comp, Holland & Knight (Sept. 19, 2022) (suggesting that the SEC’s approach to Section 304’s reimbursement requirement is to apply it to any bonuses, even if unrelated to incentive-based or equity-based compensation).

[38]     See, e.g., Laurel Krzeminiski, Rel. No. 34-95610, 2022 WL 3703830 (Aug. 25, 2022); Jigisha Desai, Rel. No. 34-95611, 2022 WL 3703831 (Aug. 25, 2022).

[39]     Dodd-Frank Act § 954.  The Commission proposed rules to implement Section 954 in 2015 and asked for additional comment on an expanded set of questions a year ago.  See Listing Standards for Recovery of Erroneously Awarded Compensation, Release No. 34-75342 (Jul. 1, 2015) [80 FR 41143 (Jul. 14, 2015)] and Reopening of Comment Period for Listing Standards for Recovery of Erroneously Awarded Compensation, Release No. 34-93311 [86 FR 58232 (Oct. 21, 2021)]. The provision effectively mandates that companies listed on exchanges have policies requiring executives to reimburse the company after certain restatement, which, when implemented, could overlap with Section 304.

[40]     See, e.g., Jacqueline Dakin, Sarbanes-Oxley and CEO Accountability: Looking for a Corporate Scapegoat in S.E.C. v. Jensen, 63 Vill. L. Rev. 126, 150 (2019) (“This risk [of Section 304 liability without personal misconduct] may deter some qualified individuals from taking on the role of CFO or CEO or lead highly-qualified and experienced executives to leave public companies in favor of private equity, where they will not face the increased potential for criminal liability brought on by Sarbanes-Oxley.”).

[41]     15 U.S.C. 7265 (2018).

[42]     Commissioner Cynthia A. Glassman, Remarks at the XIXth Conference on Financial Markets and Control Systems (2004).

[43]     Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, SEC Rel. Nos. 33-11038; 34-94382; IC-34529 (Mar. 9, 2022) [87 FR 16590 (Mar. 23, 2022)]; The Enhancement and Standardization of Climate-Related Disclosures for Investors, Rel. Nos. 33–11042; 34–94478; File No. S7–10–22 (Mar. 21, 2022) [87 FR 21334 (Apr. 11, 2022)].

[44]     See, e.g., Letter from Assistant Professors Michelle Lowry and Marshall Vance and Professor Anthony Vance (Sept. 8, 2022) (presenting research in support of the SEC’s proposal regarding board cybersecurity expertise).

[45]     See, e.g., Letter of Magna International Inc., at 3 (May 20, 2022) (“Boards operate and make decisions as collective bodies – potentially singling-out one or more directors for elevated oversight responsibility goes against the very notion of a board, and may also undermine the SEC’s apparent intent by making it harder for boards to attract such candidates.”); Letter of U.S. Chamber of Commerce, at 36 (June 16, 2022) (remarking on “an emerging SEC trend of implicitly mandating “subject matter experts” on the board of directors”); Letter of Society for Corporate Governance, at 2, 17 (May 9, 2022) (“[T]he proposed rule will pressure issuers to appoint a technical cybersecurity expert to their boards, regardless of whether it is appropriate for their particular governance needs . . . a board of directors should not operate as a second management team, with individual directors replicating the most important management roles. Rather, a board exists to provide high-level oversight of strategy and operations, helping ensure management is balancing priorities, taking advantage of opportunities, and protecting against risks.”) (footnote omitted); Letter of Business Roundtable, at 7 (May 9, 2022) (“[W]e caution against an ever-expanding set of disclosure requirements regarding specific skills without regard to the materiality of that particular skill to the registrant. . . . [T]he SEC risks driving companies to create boards filled with “specialty directors” who have deep but narrow knowledge and struggle to fulfill the broad oversight and related duties required today”); Letter of New York Stock Exchange, at 3 (May 9, 2022) (“If the Proposal is adopted in its current form, the Exchange believes that many companies will prioritize attracting board members with ‘cybersecurity expertise’ in order to demonstrate their commitment to managing cybersecurity risk. With 7,848 companies filing on domestic forms and 973 FPIs filing on foreign forms during calendar year 2020, the NYSE questions whether there are truly enough individuals with both cybersecurity expertise and other relevant experience to make them suitable candidates for service on a corporate board. If a shortage does exist, the Exchange is also concerned that smaller and medium-sized companies may be disproportionately disadvantaged in attracting these highly sought after individuals for board service.”).

[46]     See Oxford English Dictionary (providing that one colloquial definition of brain-box is a “very clever or well-informed person.”) (last visited Oct. 5, 2022).

[47]     New Words List June 2022, Oxford English Dictionary (last visited Oct. 5, 2022).