One of the things that makes cybersecurity compliance particularly challenging is the mosaic of privacy and data protection laws and regulations that companies have to comply with. This FEI Daily blog from two PwC partners offers some advice to companies on how to manage their cyber compliance efforts:
There are several regulations at the state, federal and international level that organizations, particularly multinationals, should be focused on: NY DFS 500, the California Privacy Protection Agency’s (CPPA) draft Cybersecurity Audit and Risk Assessment Regulations, the EU’s GDPR and the SEC cyber rules, to name a few. Additionally, there is the anticipated CISA cyber incident reporting rule, coming as soon as March 2024. This patchwork of regulations will likely continue to grow in complexity in the months ahead.
So, how can companies untangle this — and where is the most effective place to begin? Start with understanding which regulations apply to your organization. Then, rationalize the common requirements between them and implement no-regrets decisions to address those head on. Then, take stock of unique requirements for various geographies. Lastly, engage in public policy to help influence future regulation.
In this evolving regulatory climate, companies that embrace this new era of transparency are likely setting themselves up for success. Those who shy away from transparency do so at their own reputational risk.
The blog also identifies some other cybersecurity trends to watch in 2024 and offers tips on how companies can boost their defenses. These include investing in tools that will permit companies to scale their cloud security efforts and leveraging generative AI in their threat detection and analysis as well as in their cyber risk disclosure and incident reporting processes.
Don’t miss tomorrow’s free virtual event – “Developments in Human Rights Due Diligence, AI in ESG & Carbon Markets” – hosted by our colleagues at PracticalESG.com. You can register here for this 3-hour program, which will kick off at 12:00 pm eastern tomorrow. This virtual event features three panels of experts who will provide insights into the intersection between supply chains & human rights due diligence, how AI may transform ESG supplier due diligence, problem solving & reporting, and developments in carbon markets.
These events are free to all – you don’t have to be a member of PracticalESG.com to attend. But if you’re attending events like these, you need the resources that PracticalESG.com provides. Become a member today by clicking here, emailing sales@ccrcorp.com or by calling (800) 737-1271.
We know that many of you experienced significant problems with the live stream of Wednesday’s “The SEC’s Climate Disclosure Rules: Preparing for the New Regime” webcast. We sincerely apologize for the inconvenience and are working with our tech team to ensure this doesn’t happen again. We strive to offer our members high-quality programming in a user-friendly, accessible format. The webcast was excellent, and we think that those of you who listen to the archive – or read the transcript when it’s posted in the next week or so – will agree. However, the technical quality of the live webcast clearly did not live up to those standards, and for that we are truly sorry.
We don’t think simply saying “we’re sorry” is enough, so we’re also trying to make amends as best we can. Our team hustled to get the on-demand audio replay of the webcast posted as soon as possible. I’m pleased to say that it’s now available and does not have any of the audio problems experienced with the live feed. We are also applying for on-demand CLE credit for the webcast, so those of you who were counting on picking up credit for the webcast should be able to do that as well (pending approval from your state). You’ll need to follow the instructions on the webcast’s landing page to apply for on-demand CLE credit.
We sincerely appreciate your continued support of our sites and deeply value your membership. We will continue to strive to provide you with the quality resources and programming that you’ve come to expect from us, and we’re working hard to ensure that we don’t experience a problem like this again.
Last week, Meredith discussed the lawsuits filed by various Red State AGs seeking to invalidate the SEC’s climate disclosure rules. She also said that environmental groups like the Sierra Club were planning to launch challenges of their own, and sure enough, the Sierra Club filed a petition for review with the DC Circuit yesterday. As this excerpt from the Sierra Club’s press release announcing the filing explains, their problem with the rule is that it doesn’t go far enough:
The Sierra Club and the Sierra Club Foundation manage millions of dollars in investments for their respective organizations, including employee 401Ks. In addition, the Sierra Club represents millions of members and supporters, many of whom have significant investments of their own. These investors cannot adequately manage their investments without complete information on publicly-traded companies’ vulnerability to climate-related risks, including greenhouse gas emissions profiles. By allowing companies to selectively report their emissions, the SEC has fallen short of its statutory mandate to protect investors, maintain fair, orderly, and efficient markets, and promote capital formation.
The Sierra Club and Sierra Club Foundation affirm the SEC’s fundamental legal authority to require climate-based disclosures and call on the agency to fulfill its obligation to protect investors.
That last paragraph appeared in bold face in the original as well, and I think it’s interesting that the petitioners chose to emphasize that language. Perhaps they were trying to convince people (or even themselves) that a lawsuit like this doesn’t necessarily invite the DC Circuit to join some of its more conservative siblings in chipping away at the SEC’s authority.
On the other hand, maybe the Sierra Club’s action is a little more strategic – and shrewd – than it first appears. As this Vinson & Elkins memo points out, all of the various lawsuits challenging the rule will be consolidated into a single circuit court challenge based on a lottery system. So, while I’m sure the Sierra Club sincerely wants more demanding disclosure rules, one of its main objectives in filing may be to buy the regulator-friendly DC Circuit a ticket to that lottery.
Last November, Liz blogged about an attempt by a hacker group to exploit the SEC’s new Form 8-K cybersecurity disclosure rules to extort money from a company by threatening to go to the SEC and tell the agency that the company failed to disclose a material hack. The same group apparently tried that tactic again in December and again last month. This recent Woodruff Sawyer blog highlights how this new threat puts public companies in a tough spot:
Companies were already very concerned that the four-day disclosure rule would cause chaos. The idea that the hackers themselves would weaponize the rule, however, is an entirely new twist on what is already a fraught situation. Any hacker worth the name will take the position that their hack is material—but that doesn’t necessarily make it so.
However, in a world where attackers themselves are alerting the SEC, it becomes increasingly challenging to dismiss any cyberattack as inconsequential. We all understand that hackers are using the whistleblower tactic to throw companies back on their heels and pressure them into paying the requested ransom as soon as possible.
It’s a cliché for a reason: the question is not whether you will be hacked, but when. With this in mind, it’s best to be proactive about putting in place the resources you will need to defend yourself.
The blog offers a list of 10 steps a company should take to reduce cyber liability risk and says that companies that take an active approach to managing cyber risk will be in the best position to respond swiftly to a breach and minimize the disruption to their business & the risk of subsequent litigation.
Our friends at Weil let us know the sad news that corporate governance legend Ira Millstein passed away on Wednesday. Here’s an excerpt from the firm’s announcement of his passing:
International law firm Weil Gotshal & Manges, LLP is saddened to announce today that our partner Ira M. Millstein died yesterday evening. He was 97 years old.
Mr. Millstein joined Weil in 1951, after spending two years at the Antitrust Division of the Justice Department in Washington, D.C. He was the Firm’s 11th partner. He played a key role in developing Weil into the full-service international corporate law firm it is today, and we credit him with helping to instill Weil with its unique culture of entrepreneurship, teamwork, camaraderie and the commitment to the greater community that remains today.
“The legal community has lost a true visionary,” said Weil Executive Partner Barry Wolf. “We mourn the loss of our partner and friend, and celebrate his achievements and his role in shaping Weil into the Firm it is today.”
If you take a moment to click on the link to the bio included in Weil’s announcement, you’ll begin to get a sense of just how towering a figure Ira Millstein was. In addition to his many accomplishments as a practitioner, Mr. Millstein was noted for his philanthropy and community service. He was also a formidable intellect who authored numerous books and articles on corporate governance topics, and he founded the Ira Millstein Center for Global Markets and Corporate Ownership at Columbia Law School. Here’s a video in which he reflects on his life, career, and the Millstein Center.
All of us here at TheCorporateCounsel.net extend our sincere condolences to Ira Millstein’s friends and family, as well as to all of his colleagues at Weil. He will most assuredly be missed by everyone in the legal and corporate governance community.
The Delaware Chancery Court has made it clear that officers as well as directors are subject to oversight responsibilities under Caremark, but while a lot of ink has been spilled providing advice to boards about their oversight responsibilities, I haven’t seen much guidance for officers on their oversight responsibilities. This excerpt from a recent Seyfarth memo on avoiding oversight claims helps to fill that gap:
Officers are generally most at risk concerning oversight claims by failing to monitor issues and risks in those areas which are within the officer’s scope of authority. Officers (including senior officers) should ensure that they are well-apprised of the risks that the company faces within the scope of their duties and have systems in place to monitor information concerning such issues and risks. Some action items that officers can take to mitigate the risk of an oversight claim include:
1. Identify Business Risks Within their Scope of Authority. Officers should identify “mission critical” issues and risks within their scope of responsibility and implement procedures for reporting any significant ones. Officers should also ensure proper controls are in place to help identify any significant problems within their scope of authority.
2. Get Regular Reports on Material Issues and Risks. Just as directors should have systems in place to regularly receive reports concerning material issues and risks, so too should officers see to it that they are appropriately informed.
3. Consider with Legal Advice What Records Should be Kept of Oversight and Compliance Issues. Just as with directors, officers should have a system in place to address important issues and risks and actively monitor and utilize that system. This can include, where pros and cons are carefully considered, memorializing the subject of certain meetings that report on such items as well as memorializing them in written reports made to a CEO. We also recommend an attorney review any officer’s reports to the board to help avoid unhelpful or inaccurate memorialization.
The memo reminds readers that Delaware case law indicates that “barring extreme facts,” oversight claims only extend to matters within the scope of the officer’s responsibilities and that the standard for oversight claims against officers is the same as it is for directors. It also points out the need for companies to ensure that they have adequate D&O insurance to protect directors and senior officers against potential oversight claims.
The FTC & SEC long ago bought into the concept of – with apologies to Snow White – “Whistleblowing While You Work” and implemented programs providing significant financial incentives for employees to blow the whistle on misconduct by their employers. Now the DOJ has joined the corporate whistleblower party. Here’s an excerpt from this Dentons memo:
Deputy Attorney General Lisa Monaco has announced a new Department of Justice (“DOJ”) program that will provide corporate whistleblowers with financial rewards. The pilot program, to be implemented later this year on a yet-to-be-announced date, will be designed to further incentivize the immediate report of corporate misconduct to the DOJ by providing whistleblowers with a portion of forfeitures resulting from their complaints. The pilot program is another step by the DOJ to encourage companies to invest in a culture of compliance and to report misconduct as soon as it is brought to the company’s attention.
One year ago, the Deputy Attorney General announced a focus on building robust Voluntary Self-Disclosure (“VSD”) programs designed to encourage corporations to immediately report misconduct, and has now turned to incentivizing individuals to come forward through the new pilot program. The DOJ has “recognized there’s another way we can encourage individuals to report misconduct: by rewarding whistleblowers. And how do we do that? Money,” said Monaco in a speech on Thursday.
The memo notes that unlike the SEC’s whistleblower program, the DOJ’s applies to non-public companies and extends beyond misconduct implicating the federal securities laws. The policy amps up the incentives for employees of private companies to report misconduct to the government and may help explain why those seven little guys seem so darn happy about going off to work in the morning.
While we’re on the topic of whistleblowers, this CLS Blue Sky blog from Ropes & Gray discusses the recent SCOTUS decision in Murray v. UBS Securities, LLC, in which the Court overturned a 2nd Circuit decision and held that “Sarbanes-Oxley does not include a retaliatory intent element, and that such requirement would be inconsistent with the statute’s burden-shifting framework.” This excerpt from the blog discusses its potential impact on whistleblower retaliation claims:
The Court’s opinion in Murray lowers the bar for plaintiffs asserting claims of whistleblower retaliation under Sarbanes-Oxley, which could embolden employees and change the settlement calculus in those cases. Proving the employer’s intent is often difficult, particularly when a number of factors and personnel can influence the termination decision. The more lenient “contributing factor” standard may increase litigation risk and reduce the likelihood of an early resolution.
The blog also says that the Murray decision highlights the fact that whistleblower protection laws encompass not only terminations but other unfavorable personnel actions as well, regardless of retaliatory intent.
Warrior Met Coal filed its definitive proxy materials last week, and they include not one, but FIVE separate shareholder proposals from the United Mine Workers of America. Since Rule 14a-8 limits a proponent to a single shareholder proposal, how did the union avoid this limitation? As this excerpt from Michael Levin’s article in The Activist Investor email newsletter explains, the UMW did it through the shrewd use of Rule 14a-4(c)(2):
SEC Rule 14a-4 prescribes how companies and activists solicit proxies from shareholders. Activists usually do so only when they compete for BoD seats. Yet, 14a-4 applies to shareholder proposals, too.
UMW will not rely on HCC to distribute proxy materials to shareholders for its five proposals. Instead, UMW will itself send those materials to shareholders. It drafted proxy materials with its case for the five proposals, filed them with the SEC, hired a vendor to collect proxies (apparently not a proxy solicitor, though), and will distribute proxy materials using notice-and-access. It committed to soliciting shareholders representing a majority of HCC voting power, pursuant to SEC rules (Rule 14a-4(c)(2)). It will then collect its own proxy cards from shareholders, counting votes itself. It estimates this effort will cost $15,000, not much at all.
Thus, shareholders submit proxy cards to UMW, instead of to HCC. Shareholders can also vote for incumbent directors and the routine HCC proposals (say-on-pay and auditor appointment) on the UMW card.
In order to appreciate what the UMW did, and the box it put the company in, a little explanation of Rule 14a-4(c)(2) is probably in order. That rule says that if a company receives timely notice of a shareholder proposal for its annual meeting, its proxy holders may exercise discretionary voting authority on that proposal if the company discloses the nature of the proposal and how its proxy holders intend to vote on it.
The rule goes on to say that the company can’t exercise this authority if the proponent tells it in writing that it intends to deliver proxy materials to the holders of enough shares to approve the proposal under applicable law. This statement has to appear in the proponent’s own proxy materials and the proponent must immediately inform the company when it has satisfied the rule’s minimum solicitation requirement.
Putting together a proxy statement and soliciting votes from a large percentage of the outstanding shares sounds like it might be expensive enough to deter most shareholders from using Rule 14a-4(c)(2), but in the age of notice & access, that cost is a lot more manageable. In fact, the UMW’s preliminary proxy statement discloses that it estimates the cost of its solicitation to be only approximately $15,000.
Now, here’s how the UMW compelled Warrior Met to include all of its proposals in the company’s own proxy materials. Although the UMW didn’t nominate any directors, as permitted by the universal proxy rules, it included the company’s slate on its own proxy card along with its five proposals. As Michael points out in his article, that decision made it more likely that shareholders would return the union’s proxy card, and if enough shareholders opted to return that card, the union could potentially control whether the company obtains a quorum for the meeting.
Since the company won’t have visibility into how many shareholders are returning the UMW’s card, it may not be in a position to know whether its quorum is in jeopardy or how many shares are being voted in favor of the shareholder proposals until late in the game. That put the company in a position where it needed to make it less likely that shareholders would return the UMW’s card, and the only way to do that was by including the union’s proposals in its own proxy materials.