July 10, 2020

Cybersecurity: The Ongoing Challenge of a Remote Workforce

Like many businesses, my law firm’s offices have been operating on a restricted schedule for the past several months, and even though we’re in the process of transitioning to a full reopening, I suspect that many of our lawyers will continue to spend a lot of time working from home.  My guess is that many other companies will have similar experiences. This Deloitte memo on the CLO’s role in reopenings highlights some of the cybersecurity challenges facing companies that will continue to have a large remote workforce. These include:

– Increases in socially engineered cyberattacks targeting financial and personally identifiable information (PII) data
– Cyber risk levels are elevated due to an increase in phishing and malware attacks.
– Some communication and collaboration tools may not be secure, even where these platforms have their own built-in controls.
– Client and customer data may be more vulnerable when employees work from home if employees are transmitting data on unsecure networks and/or saving or printing on home devices.
– Employees who previously did not work at home may not be familiar with cybersecurity and data protection leading practices. Most are likely to benefit from regular reminders related to cybersecurity leading practices.
– Potential threats to attorney-client privilege may arise where there are risks to cybersecurity or where attorney-client conversations may be overheard (by family members, for example).

In addition to reviewing cybersecurity insurance policies for potential coverage gaps associated with remote work, the memo recommends providing additional cybersecurity training to employees, communicating new and emerging threats as they arise, and providing remote workers with the tools and instructions necessary to protect data and maintain data privacy protocols.

The memo also recommends that companies prioritize the preservation of the attorney-client privilege by taking actions such as reminding employees not to forward documents to personal email accounts or use other unsecure methods to transfer files or communicate with clients.

Covid-19: Changes to Internal Audit

Over on “Radical Compliance,” Matt Kelly blogged about the results of a recent survey conducted by the Institute of Internal Auditors that suggests that the Covid-19 crisis has resulted in some significant changes to the internal audit function.  In addition to the inevitable budget-cutting, the survey suggests that risk assessments & updates to audit plans are likely to increase:

Survey respondents also said they will both conduct risk assessments and update their audit plans more often. This should surprise nobody, given how Covid-19 has put standard risk scenarios through the blender. Fraud risk, cybersecurity risk, user access controls, management review and sign-off of reconciliations or controls; they’ve all gone haywire.

A majority of respondents expect to increase their risk assessments to at least some degree, and 11% expect to increase the frequency significantly. Meanwhile, 68% of respondents say they’ll at least increase the frequency of updates to the audit plan.

That’s a lot of change and improvisation for the audit function. It implies an embrace of “agile auditing” — a concept the IIA and many others in the audit profession heartily support. It’s the idea that an audit function will run light on staff, heavy on technology, and stand ready to jump on emerging or fast-changing risks by working with other parts of the enterprise.

Covid-19 poses new risks across the enterprise, and since audit teams don’t have the time or personnel to engage in “ponderous” risk assessment & remediation planning efforts, the blog says that they will need to embrace a more swift, data-driven approach to assessment, testing, and remediation.

B Corps: DGCL Amendments Ease Transition Process

This Freshfields blog highlights how the 2020 amendments to the DGCL make it simpler for corporations to transition from soulless entities devoted to maximizing stockholder value to virtuous “public benefit corporations” devoted to uplifting humanity. This excerpt addresses the elimination of the supermajority approval requirement & appraisal rights risks that previously applied to transitioning entities:

Prior to these amendments, the approval of two thirds of a company’s outstanding stock entitled to vote was required to amend its charter to become a PBC. And, in the case of private companies, the decision to convert to a PBC triggered an opportunity for dissenting holders to exercise appraisal rights and thereby monetize their unlisted shares at the expense of the issuer.

Both of these requirements were procedurally onerous and a deterrent to conversion. The amendments will remove both the supermajority requirement and the right to appraisal. Companies may now convert to PBCs through a simple majority vote of their stockholders (plus whatever additional approvals are required under their organizational documents).

The amendments also make clear that a director’s ownership of stock in the PBC does not disqualify the director from being “disinterested” so that the director can benefit from the protection of the business judgment rule and the broad PBC exculpatory provisions when balancing the interests of various constituencies.

John Jenkins