October 17, 2018

SEC Issues Section 21(a) Report on “CEO Impersonator” Emails

Yesterday, the SEC issued this Section 21(a) report about companies with deficient internal controls – in particular, nine unnamed companies that became victims of a cyberfraud called “business email compromises.” This fraud entails employees receiving spoofed or otherwise compromised electronic communications – and in response, employees wired large sums of money or paid fake invoices to the tune of at least $1 million. Two of them lost more than $30 million! Losses for the nine companies totaled nearly $100 million, almost all of which has not been recovered – and some of the frauds lasted a long time & weren’t discovered until the real vendor complained they hadn’t been paid yet.

As noted in this article, there were two kinds of business email compromises — emails from fake executives and ones from fake vendors. In schemes involving emails from fake executives – also called “executive impersonation” – fraudsters not affiliated with a company use spoofed email addresses to send communications that appeared to come from a company executive, typically the CEO. Sometimes, the spoofed emails used real law firm and attorney names. The executive impersonation emails often had these common elements:

1. Referred to time-sensitive “deals” that needed to be completed within days, emphasizing the need for secrecy from other company employees and sometimes suggested some form of government oversight.
2. Claimed that the requested funds were needed for foreign transactions – and all directed the wire transfers to foreign banks. The emails provided minimal details about the transaction – and while all of the companies had some foreign operations, these types of foreign transactions would have been out of the ordinary.
3. Typically went to mid-level personnel who rarely communicated with the executives being spoofed – and who typically were not involved in the supposed transactions.
4. Often included grammatical errors. Hint, hint.

Meanwhile, see this blog about how courts are wrestling with insurance coverage for cyber-related claims…

Governance Stats: Silicon Valley v. S&P 100

This Fenwick & West study surveys the landscape of Silicon Valley’s governance practices and compares them with those found at S&P 100 companies. Not surprisingly, the study found significant differences between Silicon Valley and Corporate America. Here are some highlights:

Annual Meeting Participation:
– An average of approximately 89.1% of shares of SV 150 companies was represented in person or by proxy at company annual meetings during the 2018 proxy season, similar to 2016. However, in addition to the approximately 10.9% not represented, an additional 14.5% were represented via proxy by brokers who did not receive instructions on voting for the bulk of matters for which broker discretionary voting is not permitted. This compares to 12.8% not represented and 13.9% broker non-votes in the S&P 100 in the same period.
– The ranges of representation and voting, though, were somewhat broader in the SV 150 than the S&P 100 (e.g., 52.9% –100% voting in the SV 150, compared to 71.3% – 93.9% voting in the S&P 100).

Director Elections:
– In the vast majority of cases, the elections of directors continue to be uncontested. One of the SV 150 companies and two of the S&P 100 companies had a contested election at its annual meeting in the 2018 proxy season (compared to one in each group in 2017).
– In the SV 150, the dissident stockholder was able to elect two of the three candidates sought.
– In the S&P 100, the dissident was able to have its candidate appointed after very narrowly losing the stockholder vote at Procter & Gamble, and Broadcom was forced to withdraw its slate at the 11th hour following CFIUS review.

– Opposition to named executive officer compensation reached 15% or more of votes cast (ignoring abstentions and broker non-votes) at 22.8% of SV 150 companies (compared to 13.8% of S&P 100 companies). Within those SV 150 companies with relatively lower levels of support, opposition reached 30% or more at 15 companies (of which nine had opposition of 40% or more, including seven companies where opposition exceeded 50%).

Other Proposals Voted On:
– Setting aside director elections, say-on-pay (as well as say-on-frequency) and auditor approval voting, stockholders at SV 150 companies were asked to vote on one other matter on average, while stockholders at S&P 100 companies averaged 2.5 other matters voted on. The difference is primarily driven by the fact that stockholder proposals are primarily a large company phenomenon. There were only four such proposals voted on by stockholders outside of the top 50 companies in the SV 150.

Company Proposals:
– Excluding director elections, say-on-pay (as well as say-on-frequency) and auditor approval voting, stockholders at SV 150 companies voted on 86 company-sponsored proposals in the 2018 proxy season, primarily in compensation-related subjects, as well as some governance matters (compared to 56 such proposals at S&P 100 companies).

Stockholder Proposals:
– The stockholder-sponsored proposals voted on in the SV 150 generally focused on governance matters or policy issues (this was also true in the S&P 100).
– The average support for stockholder-sponsored proposals was approximately 31.9% at the SV 150 companies (compared to approximately 27.3% at S&P 100 companies).
– The most common topic for stockholder-sponsored proposals in the SV 150 were proxy access (eight proposals, two of which succeeded) and anti-discrimination/diversity (eight proposals, none of which were successful).
– The most common such topic in the S&P 100 was regarding political/lobbying activities (31 proposals, none of which succeeded).

DOJ’s Updated “Corporate Monitors” Policy

Here’s an excerpt from this Wachtell Lipton memo (we’re posting memos in our “White Collar” Practice Area):

In a speech on Friday, Assistant Attorney General Brian Benczkowski of DOJ’s Criminal Division announced a newly updated policy to guide the Division’s decision-making on whether to require a monitor as part of a corporate criminal resolution. The updated policy codifies the principle that imposing a corporate monitor should be “the exception, not the rule.” Specifically, the policy requires a cost-benefit analysis, directing that a corporate monitor be imposed only where there is “a demonstrated need for, and clear benefit to be derived from,” a monitor when compared to the costs and burdens to the corporation. A monitor “will likely not be necessary” if a corporation’s compliance program is “demonstrated to be effective and appropriately resourced at the time of resolution.”

The new policy also mandates that, where a monitorship is imposed, its scope should be “appropriately tailored to address the specific issues and concerns that created the need for the monitor.” To ensure suitable tailoring, Criminal Division agreements must now include an explanation of the monitorship’s scope, along with a description of the process for replacing a monitor, if necessary. And AAG Benczkowski emphasized that Criminal Division prosecutors have an ongoing obligation to ensure that monitors are acting properly and effectively by “operating within the appropriate scope of their mandate.”

In the same speech, AAG Benczkowski announced that the Criminal Division will eliminate the position of compliance counsel – a role created to some fanfare in the last administration – citing the institutional limitations of relying on a single person as the repository of compliance expertise. But AAG Benczkowski hastened to emphasize that assessment of the compliance function will continue to be a key consideration in every corporate enforcement matter. Rather than hiring a new compliance counsel, the Criminal Division will institute a hiring and training program to cultivate “a workforce better steeped in compliance issues across the board.” Accordingly, this change does not signal a shift in DOJ’s approach to corporate enforcement nor does it diminish the importance of maintaining an effective compliance program.

Broc Romanek