Davis Polk on When Gaming Runs Afoul of Disclosure Controls and Whistleblower Rights

On February 3, the SEC announced a $35 million settlement with Activision Blizzard stemming from the company’s alleged failure to maintain adequate disclosure controls and procedures relating to workplace misconduct complaints and for a violation of a whistleblower protection rule.

In its periodic filings with the SEC between 2018 and 2021, Activision included risk disclosures relating to its dependence on personnel with specialized skills and the high level of employee mobility and competitive pressures in the gaming industry. According to the order, during that same timeframe, Activision “lacked controls and procedures designed to ensure that information related to employee complaints of workplace misconduct would be communicated to Activision Blizzard’s disclosure personnel to allow for timely assessment on its disclosures.” The order also states that over several years, Activision entered into separation agreements that included a notification clause requiring former employees to notify the company of any request from an administrative agency relating to a report or a complaint. The SEC found that the clause undermined the purpose of its whistleblower protection rule.

Commissioner Hester Peirce disagreed with both violation findings, writing in her dissent that the SEC “…alleges no fraud, misrepresentations, omissions, or investor harm” and that the order “…does not articulate any securities law violations.”

Disclosure controls

Rule 13a-15(a) of the Securities Exchange Act of 1934, or the Exchange Act, requires public companies to maintain disclosure controls and procedures designed to ensure that information required to be disclosed in their SEC filings is recorded, processed, summarized and reported within specified time periods.

The Activision risk disclosure at issue in the SEC order is the customary risk factor many public companies include in their SEC filings about their need to attract and retain qualified personnel, in this case tailored to the gaming industry. The SEC reasoned that because the company was aware of this risk, it should have had procedures in place to collect “relevant” information (such as instances of workplace misconduct) so it could assess the need for related disclosure.

The order alleges that Activision lacked “controls and procedures among its separate business units designed to collect or analyze employee complaints of workplace misconduct. As a result, complaints related to workplace misconduct were not collected and analyzed for disclosure purposes.” But the order does not say that the company’s risk disclosure was misleading or that it failed to disclose risks that were required to be disclosed.

Whistleblower rule

Rule 21F-17, whose purpose is to prohibit employers from interfering with an employee’s right to report potential securities laws violations to the SEC, reads: “No person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement … with respect to such communications.”

The SEC found that Activision’s separation agreements, which contained language requiring a former employee to notify the company of any regulatory request in connection with a report or complaint within a day after learning of it, undermined this rule. However, the order notes that the SEC “…is not aware of any specific instances in which a former Activision Blizzard employee was prevented from communicating with Commission staff about potential violations of securities laws or in which Activision Blizzard took action to enforce the notification clause or otherwise prevent such communications.”


This settled enforcement action is noteworthy for the SEC’s decision to turn to disclosure controls rules as an enforcement tool for workplace misconduct. As we have written about previously in a client update, the SEC’s disclosure controls rule has historically been the subject of limited enforcement action. The case may signal continued and increased SEC effort to use internal controls requirements to address workplace activity not commonly associated with the business and financial performance at the heart of SEC disclosure rules.

Disclosure controls. As Commissioner Peirce states in her dissent, the alleged workplace misconduct at Activision is deeply concerning. But not all bad facts fall within the scope of the federal securities laws. Still, the SEC order highlights the need for companies to review their disclosure controls and procedures to assess whether they cover all material aspects of the company’s business and operations such that potentially material information finds its way to those drafting the company’s disclosure.

There is not a one size fits all takeaway since companies should evaluate the implications of the case in light of their existing internal processes and procedures. While existing efforts may include upward certifications for different parts of SEC filings, companies may wish to consider examining how risk factors are reviewed as part of their disclosure controls.

The SEC is likely to continue to focus on areas such as climate, cybersecurity, and increasingly, human capital. In light of this order, companies should ensure material information related to any risks they identify in their filings is tracked and reported to appropriate disclosure personnel so they can assess the need for new or additional disclosure.

Whistleblower protections. As we have discussed previously in a client update, in considering whistleblowers’ rights when drafting separation agreements, employment agreements, compensation plans and other company policies and documents, companies should continue to keep in mind that protecting and encouraging whistleblowers has been a priority for the SEC’s Enforcement Division. Since 2015, the SEC has brought a number of enforcement actions against companies for their use of what the SEC considered to be restrictive clauses in severance agreements and other documents that, according to the SEC, impeded whistleblowers under Rule 21F-17 of the Exchange Act.

The SEC order is another reminder for companies to review their form separation agreements, employment agreements and company policies for provisions that might be construed as impeding communications with a regulator. Many companies likely have already updated their form separation or employment agreements or company policies to strike or modify problematic provisions and add provisions to address and protect whistleblower rights.

But this case highlights the SEC’s view that requiring employees to notify the company of communications with a regulator could discourage employees from making whistleblower reports. As a result, companies should consider narrowly tailoring any notification or similar requirements in their form agreements and policies. In particular, companies may want to include clear language that any requirement to notify the company of a regulatory inquiry does not apply to any whistleblowing activities.

This post comes to us from Davis, Polk & Wardwell LLP. It is based on the firm’s memorandum, “When gaming runs afoul of disclosure controls and whistleblower rights,” dated February 14, 2023, and available here.