Market Tracker weekly bulletin – 1st November 2018
A round up of key developments in corporate transactions covered by Lexis®PSL Corporate and Market Tracker this week, including an update on the offer for Lonmin plc by Sibanye Gold Limited, and news updates on draft regulations to address the takeover regime post Brexit and draft provisions for a Brexit transition to a standalone UK competition regime. Our focus of the week is on cyber security disclosures, following research carried out by the Market Tracker team into the annual reports of the FTSE 100.
Lonmin plc offer by Sibanye Gold Limited (Sibanye-Stillwater)
Lonmin plc (Lonmin), a primary producer of platinum group metals, is listed on the Main Market of the London Stock Exchange and has a secondary listing on the Main Board of the Johannesburg Stock Exchange. Since 14 December 2017, Lonmin has been the subject of a recommended all share offer by South African incorporated Sibanye Gold Limited (trading as Sibanye-Stillwater), structured by way of a scheme of arrangement. The offer value is £285 million.
The decrease in demand for platinum, particularly from the move away from diesel cars (which use the metal in their catalysts) and the increase in costs has had a negative impact on Lonmin.
Platinum prices are at their lowest level for a decade (US$ per troy ounce):
The result of the depreciating price of platinum resulted in Lonmin entering into an agreed £154 million (US$200 million) metal purchase agreement with Chinese incorporated Pangaea Investments Management Limited, an affiliate company of Jiangxi Copper Company Limited (announced 22 October 2018). The upfront payment will be amortised over three years.
Lonmin will distribute the loan proceeds to pay its pre-existing loan of £115.4 million (US$150 million) and to terminate its pre-existing undrawn facilities. The loan will enable Lonmin to recover from its previous losses due to decreased demand.
The board of Lonmin remain confident in their transaction with Sibanye-Stillwater with Lonmin’s chief executive officer Ben Magara stating:
‘We are pleased to announce an improved funding arrangement as it immediately enhances Lonmin’s liquidity. Regrettably, the new facilities do not address the fundamental business challenges facing Lonmin and do not offer an opportunity to avoid the announced retrenchments and shaft closures. Accordingly, the board of Lonmin remains focused on completing the Sibanye-Stillwater all share transaction, which we firmly believe provides a sustainable solution and is in the best interest of all our stakeholders.’
Despite the recommended all share transaction facing different challenges it has received clearance from the UK Competition and Markets Authority and a recommendation from the South African Competition Commission to the South African Competition Tribunal to approve the transaction subject to certain conditions.
Sibanye-Stillwater’s chief executive officer Neal Froneman remains positive and the board of Sibanye-Stillwater ‘remain focused on completing the acquisition of Lonmin, and delivering on our strategy of creating value for all stakeholders’.
In focus: Cyber security
On 25 October 2018, British Airways’ (BA) parent company International Consolidated Airlines Group (ICAG) announced that the cyber-attack against BA made public on 6 September 2018 was of a much bigger scale than initially reported.
Previously, ICAG disclosed that cyber criminals had stolen customer data from BA’s website and mobile app during the period of 21 August 2018 - 5 September 2018. During this two-week period, BA estimated that the data of 380,000 passengers was stolen. However, most controversially, the hackers not only acquired the customers’ personal details and card numbers but also the corresponding 3-digit CVV codes. Resultantly, despite not being the largest data breach in recent memory, the BA cyber-attack proved to be one of the most controversial. For example, several banks cancelled and reissued any affected cards solely off the back of reports in the press due to the severity of CVV codes being leaked. However, BA insisted that they did not store any CVV codes and that the hackers acquired this information through other means.
In the latest announcement, ICAG have announced that the data of a further 185,000 customers has been compromised. All newly affected customers have had their personal details, card number and expiry date stolen, but 77,000 have also had their CVV code stolen. ICAG also provided information about the initially notified customers, stating that 244,000/385,000 had been ‘affected’, although the meaning of this is unclear.
Cyber security is becoming increasingly important to companies following numerous other high profile cyber-attacks and the introduction of the EU’s General Data Protection Regulation (GDPR). In this instance, the financial implications for BA could be severe. Under the GDPR, companies can be fined up to 4% of annual global revenue, which for BA would equate to a fine of £489 million. BA may also be financially affected through compensating any negatively affected customers, as they promised to do so.
In response to this, the Lexis®PSL Market Tracker team have conducted research into ‘cyber security references’ within FTSE 100 companies’ annual reports. We have analysed the quantity and quality of the disclosures made relating to cyber security and data protection to determine how companies are reassuring shareholders and potential investors that they will not be the latest company negatively affected by a data breach.
We collected data from all 100 FTSE 100 companies’ latest annual reports, rating their ‘level of disclosure’ into the following categories:
- No reference
- Light: passing reference to the risk of cyber-attack or its discussion by eg the audit committee
- Light/medium: a sentence or two on the risk of cyber-attack or ‘investment’ in cyber security
- Medium: a generic analysis of the risks and mitigation measures, usually in the ‘risks’ section of the strategic report
- Medium/high: slightly more detail into the mitigation measures
- High: a detailed analysis of both the risks posed to the company by cyber threats and the specific programmes and strategies to mitigate cyber-attacks and improve cyber security. In some cases a whole page dedicated.
97 out of 100 companies referred to cyber security in some form within their annual report, highlighting the high level of importance attached to this issue and the universal nature of the risk.
The level of coverage varied, however. Despite the seriousness of the risk, we found a higher number of light or light/medium level disclosures (34) than medium/high or high disclosures (27). Further, 25 out of FTSE 100 companies either provided no disclosure or only a light level of coverage.
A light level of coverage, as provided by Legal & General Group PLC, constituted the following:
‘Cyber crime also continues to be a risk for the financial services sector as a whole, and the regulatory change agenda is set to continue.’(Legal & General Group plc, Annual Report – Page 50)
In contrast, GlaxoSmithKline plc (GSK) provided the largest amount of detail when discussing cyber security, with their coverage being rated as high. The company provided a full page of coverage within the investor information section of their annual report titled ‘Information Protection’. GSK defined the risk, the potential impact of the risk, provided context and comprehensively explained the company’s ‘mitigating activities’.
‘We have a global information protection policy and accompanying information technology standards and processes that are supported through a dedicated team and programme of activity. Our Information Protection function provides strategy, direction, and oversight, including active monitoring of cyber security, while enhancing our global information security capabilities, through an ongoing programme of investment that is in its fifth year…’ (GlaxoSmithKline plc, Annual Report – Page 265)
A high level of coverage of cyber risk was found in the following industry sectors:
Notably, despite accounting for 17 of the FTSE 100, the financial services and banking & finance sectors together only provided two companies with a high level of disclosure. Considering the sensitive level of information held by companies within these industries, it may be that the level of coverage does not correspond with the level of importance attached to this issue by companies.
The Market Tracker team rated ICAG’s level of coverage as ‘light/medium’, with the company stating in its Annual Report (amongst other things) that ‘the fast-moving nature of this risk means that the Group will always retain a level of vulnerability’. It will be interesting to see if the level of coverage afforded to cyber security is increased due to the events which have occurred since publication of the company’s annual report.
Government publishes amending regulation to address UK takeover regime post-Brexit
The government has published a draft regulation amending Part 28 of the Companies Act 2006 (CA 2006) to facilitate the effective operation of the UK takeovers regime on a freestanding basis outside the EU framework post-Brexit. The draft regulation also includes a proposal to remove the shared jurisdiction regime from the Takeover Code.
For further details on this story, see Government publishes amending regulation to address UK takeover regime post-Brexit (a subscription to LexisPSL Corporate is required). For information on the existing UK regulatory framework for takeovers, including the shared jurisdiction rules, see Practice Note: The Panel and the regulatory framework of the Takeover Code.
Government and CMA publish provisions for Brexit transition to standalone UK competition regime
This week, the government published a draft statutory instrument setting out provisions for a Brexit transition to a standalone UK competition regime in the event of a ‘no deal’ Brexit; in addition, the Competition and Markets Authority (CMA) has published brief guidance covering the same scenario.
In relation to merger control, it is proposed that the CMA will immediately assume jurisdiction over proposed mergers being investigated by the European Commission (Commission) at the date of Brexit but where no decision has been issued.
This provision has the potential to be very wide and far-reaching; under this, the CMA may launch investigations into all transactions that, at the time, are under investigation by the Commission, where the UK’s jurisdictional thresholds are met. For example, the CMA may choose to replicate months’ worth of detailed work by the Commission if, for example, it assumes jurisdiction over an ongoing Commission phase II merger investigation – this could be in relation to a merger that has already been notified to the Commission now. With this, the government has added an extra layer of uncertainty into proposed transactions that are at advanced stages and potentially already being investigated by the Commission. It may be advisable for parties planning transactions where they face the potential of the CMA claiming jurisdiction in such cases, to engage in pre-notification discussions with both the Commission and the CMA. The impact on deal timetables should also be considered, especially given the CMA’s longer investigation timetable.
The guidance does not address the major question of the CMA’s resources. It is acknowledged that, in such a scenario, the CMA will, for example, face a large increase in the number of merger investigations. Furthermore, it is clear that, in relation to competition law, the government’s Brexit will increase the applicable regulation.
Corporate governance reform and the new GC100 guidance on directors’ duties
Further to the government’s invitation in 2017, the GC100 has published new advice and guidance on the practical interpretation of the directors’ duty in section 172 of the Companies Act 2006 (CA 2006). LexisPSL Corporate have examined and summarised the key points raised in the guidance. For further details on this story, see Corporate governance reform and the new GC100 guidance on directors’ duties (a subscription to LexisPSL Corporate is required).