February 10, 2021- Bryan Cave Leighton Paisner–JDSUPRA
As discussed in our November 24, 2020 post, amended Rule 302 under Regulation S-T permits the use of electronic signatures on documents “authenticating” typewritten signatures that are included in a company’s filings with the SEC, provided certain requirements are met. The signatory first has to manually (i.e., with “wet ink”) sign a company’s form of “attestation” in which the signer agrees that the use of his or her electronic signature on authentication documents constitutes the legal equivalent of his or her manual signature for purposes of authenticating his or her signature on any filing for which it is provided. The company’s electronic signature process must, at a minimum, also meet the following requirements as set out in updated Volume II of the SEC’s EDGAR Filer Manual:
- require presentation of a physical, logical or digital credential that authenticates the signer’s identity;
- reasonably provide for non-repudiation of the signature;
- provide that the signature be attached, affixed or otherwise logically associated with the signature page or document being signed; and
- include a timestamp to record the date and time of the signature.
As companies have begun to rely on amended Rule 302 to obtain electronic signatures on documents such as Form 10-Ks, Form 10-Qs and Section 302 and 906 certifications, here are a few of the questions and logistical issues that have arisen:
1. Are the authentication requirements met if a company emails a document for signature and asks that the recipient reply by email affirmatively indicating approval of the filing?
Many take the more conservative view that affirmative reply emails, without added features (discussed in Item 3 below), are not sufficiently secure to authenticate the signer’s identity. For example, someone other than the signer may have access to his or her email account and the ability to send affirmative reply emails on his or her behalf. Similarly, someone could theoretically walk by an unoccupied computer and send a reply email.
Another view is that an affirmative reply email in and of itself should be a sufficient “logical or digital” authentication as long as the attestation form confirms the signatory’s email address to be used for that purpose.
We recommend that unless and until the SEC provides guidance, companies proceed with caution in using “affirmative reply” emails to authenticate signatures, and that, to the extent practicable, they consider adding features such as those discussed in Item 3 below.
2. Would the answer be different if the signer instead emailed back a pdf of a manually executed signature page?
The answer is “probably not,” as there may still be an authentication question in that the identity of the sender of the signatory’s transmittal email is not guaranteed.
3. Can a company add features to its electronic signing process so that affirmative reply emails will meet the requirements of the amended rules?
Companies may wish to contact their IT departments for this purpose to see if a secure email and identity authentication process exists or can be put in place. For example, to securely verify identity, a company may be able to add authentication steps (i.e., multi-factor authentication) to guarantee identity, such as passwords, knowledge-based authentication (i.e., a system that requires signers to prove identity by answering personal questions) and telephone authentication. Companies may also wish to look into the use of digital certificates that can be used by the sender of an email to verify identity.
4. Are the requirements for electronic signature authentication met if a company uses the signature services offered by DocuSign, Adobe Sign and similar providers?
If such a provider’s basic service is used, there may be a concern about sufficient identity authentication because, with information about account access and/or access to another’s computer, someone could potentially log into the signer’s account to affix and submit an electronic signature.
However, these providers appear to offer identity authentication features that can be added to the signature process to meet the authentication requirements of the rule. For example, Adobe Sign describes certain authentication options here, and DocuSign describes certain authentication options here.
5. How can a company formally confirm a signatory’s email address for purposes of obtaining electronic signatures, whether via email or a service such as DocuSign?
Companies may wish to consider including in their attestation form a statement that the email address the signer has provided (with a blank for the signer to add his or her email address) is the signer’s unique email address for use by the company and its counsel, representatives and agents for the purpose of electronically transmitting and receiving documents as part of the company’s electronic signing process.
6. If an individual will be electronically signing a filing (e.g., a Form 10-K) on behalf of others under a power of attorney, from whom should the company obtain a manually signed attestation?
The company needs to obtain the attestation only from the individual holding the power of attorney who will be electronically signing documents both in (1) his or her own name and (2) the name of the person(s) for whom he or is signing the filing under a power of attorney. For such individuals, we recommend a company consider building into its attestation form (either its general form or a tailored one for persons appointed under a power of attorney) language providing that the attesting person’s electronic signature in the name of others under a power of attorney on behalf of others is for authentication purposes the equivalent of his or her submitting manual signatures on their behalf.
7. Do “Exhibit 24” powers of attorney included in a Form 10-K require backup manual signatures?
While we have not seen any guidance, we believe that the same logic that applies to the other signatures in the Form 10-K should apply to signatures on an Exhibit 24 power of attorney. This would mean that the answer is “no,” provided the signer has earlier manually signed an appropriate attestation.
8. May a signer still authenticate his or her signature by providing the company with a manually signed (i.e., wet ink) signature page?
Yes, although it could be confusing and/or burdensome for a company to maintain in effect at the same time signature collection and retention processes for both electronic and manual signatures.
9. How could a company comply with the requirement that the signature page be attached, fixed or associated with the filing to which it relates?
There is some flexibility as to how compliance may be achieved. Companies can circulate the filing along with the signature page or, alternatively, circulate the signature page and clearly reference where the filing being signed can be found for review (e.g., in a board portal). In all cases, the company should be sure it retains the records necessary to demonstrate the linkage between the signature page and the filing.
10. What can a company do if it is concerned that an electronic signature will not be sufficiently associated with the final filing if management makes last minute changes to the document?
A company trying to address this concern could consider, among other options, building into the signature process the signatory’s acknowledgment that his or her electronic signature will be included in the final document approved by the signatory, subject to any later changes by management that are not material or significant.
11. If a company collects electronic signatures in advance of the filing date, when should the signatures be dated?
The company’s authentication process will be required to record the actual date and time of signature. However, a company should provide for the signature page to be undated and inform the signatory that the filing date will be added to his or her signature on the date of filing with the SEC (or if electronic signatures are solicited on the filing date, the company can add that date to the signature page).
12. What should an issuer do with electronically signed authentication documents?
A company should develop procedures and controls to ensure that electronic signatures are timely gathered and stored along with the SEC filings to which they relate – in other words, companies should put in place a process that achieves the same results as the company has previously achieved in collecting and retaining manually signed authentication documents. The retention periods for electronic signatures is five years, and the retention period for attestation documents is seven years from the date of the signatory’s last electronically authenticated signature.
13. Sample Attestation. The following is a sample form of attestation:
Electronic Signature Attestation for SEC Filings
For purposes of authenticating my electronic signature (including my electronic signature in the name and on behalf of another under a power of attorney) on filings made by ________ (the “Company”) with the Securities and Exchange Commission through its Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system (each such authentication, an “Authentication Document”), I hereby attest that my electronic signature (including my electronic signature in the name and on behalf of another under a power of attorney) on any Authentication Document constitutes the legal equivalent of my manual signature on behalf of myself or any such other person. I understand that I may revoke this attestation by delivering a revocation to the Company in writing. I understand that this attestation is effective when signed and delivered to the Company.
I further confirm and consent that the following [email address(es)] is/are unique to me individually and may be used by the Company, its counsel and other representatives and agents for the purpose of transmitting and receiving documents for electronic signature authentic to me via DocuSign or other similar electronic signature service: [EMAIL ADDRESS(ES)]
By: ______________________________
Name:
Title:
Company Use Only:
Date Received:
To be retained by the Company for so long as signatory uses an electronic signature to sign Authentication Documents, and for a minimum period of seven years following the date of the most recent electronically signed Authentication Document.
Please refer to Rule 302, as amended, the SEC’s adopting release and Volume II of the SEC’s updated EDGAR Filer Manual for additional information.