A recent Woodruff Sawyer blog highlights some of the factors that may make the SEC more likely to charge an individual executive when bringing an enforcement action against the company arising out of disclosure issues. One of the factors identified is media attention, and this excerpt points out that the more interested the media is in a particular situation, the more likely it is that the SEC will be looking for individuals to hold accountable:
There is a strong correlation between media scrutiny and government enforcement risk. Pretend you run an unsexy widget-making business. You tell the street that you will be releasing a new widget imminently. Then things go sideways, the widget is never released, and your company’s stock price declines by 35%. While the plaintiffs’ bar may be very interested, the media doesn’t bat an eyelash. Will you be investigated and sued by the SEC? It’s possible, but if there’s no article in The Wall Street Journal, it’s equally possible that the government may never focus on your issues.
Now assume that you run a super-sexy tech company disrupting the industry with WaaS (widgets-as-a-service). When your company’s problems emerge, a story appears on the front page of the Journal, and The New York Times does a deep dive on your corporate culture three weeks later. This virtually ensures the government will come sniffing around. In high-visibility cases, the government may be especially focused on showing that they are not being soft on senior executives (if they have the evidence to back it up).
A lot of this is out of your control. Typically, enterprise-facing companies simply don’t have the same media allure as consumer-facing companies. But if as a consumer-facing company you can achieve your public relations and marketing goals without also becoming an object of media obsession, when challenges emerge, you may be happy that you are not front-page material.
Other factors pointed to by the blog as increasing the likelihood of charges against an individual include evidence that senior officials pressured others to take improper actions and the presence of cooperating witnesses in addition to documentary evidence.
Another interesting fact that the blog points out is that the percentage of SEC enforcement proceedings in which individuals are named has remained relatively constant regardless of which party is in power. From 2017 to 2023, the percentage of cases involving charges against individuals has consistently been in the range of 70%.
If you work with public companies, it’s essential to keep up not only with what’s going on with the SEC, the FTC and any other federal regulator that’s relevant to the company’s business, but also with developments in the Delaware. Those often come fast & furious, so it’s helpful to have a resource like this Wilson Sonsini report addressing Delaware corporate law & litigation developments. Here’s an excerpt from the report’s discussion of oversight claims:
As to board obligations, some of the 2023 cases from Delaware reinforced the traditional approach that oversight claims against boards are difficult theories for plaintiffs, that directors will not face exposure merely for making risky business decisions, and that directors, even if confronted with a crisis, will not be liable if they have taken appropriate steps from a fiduciary duty standpoint.
In one case, the Delaware Court of Chancery concluded that the plaintiffs were “nowhere close” to pleading oversight claims against the directors of an insurance company. There, the insurance company had shifted its business practice of underwriting professional liability insurance policies for smaller, lower risk physician groups in favor of underwriting policies for larger, riskier physician groups and hospitals, which created difficulty in calculating the company’s required loss reserves.
After the shift, the company struggled with forecasting the number and severity of claims, which resulted in a significant drag on the company’s performance. The court dismissed the oversight claims, noting that the facts suggested the board and audit committee had indeed spent significant time evaluating the business risk associated with the strategy shift and there was no indication that any of the directors had acted in bad faith.
The memo also addresses decisions dealing with M&A issues, ESG & corporate purpose, dual-class structures and controlling stockholders, and advance notice bylaws and activism. It also covers the 2023 amendments to the DGCL.
Last summer, I blogged about an SEC Report to Congress that included an itemized list by filing type of which data must be tagged using inline XBRL. Orrick’s Bobby Bee recently let us know that this resource has been updated and will continue to be updated on a regular basis for the next several years. Here’s the skinny from Bobby:
The most recent flavor of the SEC’s “Semi-Annual Report to Congress on Machine Readable Data for Corporate Disclosures” (iXBRL summary report & checklist) was released back in December. Turns out the SEC has to “submit this report to the Committee on Banking, Housing, and Urban Affairs of the Senate and the Committee on Financial Services of the House of Representatives every 180 days until December 23, 2029, when the provision requiring the report sunsets.” So, we’ll get regular 6-month updates of this iXBRL form check tool from the SEC – which is pretty nice! Seems like these updates can be found via the “Reports and Publications” log.
Last month, the WSJ published a report on Elon Musk’s drug use which noted concerns among board members and company executives about his behavior’s potential implications for his companies. Since the report makes it clear that Musk’s directors & executive officers are aware of this behavior, a recent blog from UCLA’s Stephen Bainbridge discussed whether their oversight responsibilities under Caremark might be implicated if they fail to take action. As this excerpt from his blog explains, Prof. Bainbridge doesn’t believe that directors & executive officers would face liability in this situation:
[W]hat liability exposure does the board have when it is aware of a problem and decides to do nothing? I think the answer should be that the board would not be held liable. Granted, a board can be held liable for acting in bad faith not only for acting with “’subjective bad faith,’ that is, fiduciary conduct motivated by an actual intent to do harm” to the corporation, In re Walt Disney Co. Derivative Litig., 906 A.2d 27, 64 (Del. 2006), “but also intentional dereliction of duty.” Lyondell Chem. Co. v. Ryan, 970 A.2d 235, 240 (Del. 2009).
At least on these facts, however, I doubt whether a board decision to do nothing would rise to the level of “intentional dereliction of duty.” First, as VC Will explained, The Caremark doctrine is not a tool to hold fiduciaries liable for everyday business problems. Rather, it is intended to address the extraordinary case where fiduciaries’ “utter failure” to implement an effective compliance system or “conscious disregard” of the law gives rise to a corporate trauma. … Officers’ management of day-to-day matters does not make them guarantors of negative outcomes from imperfect business decisions.” Hence, even if the board’s decision not to act was “imperfect” that board cannot be held liable as “guarantors of negative outcomes.”
Second, as I discussed at considerable length in my post My Pillow, Inc. and the perennial question of whether Caremark claims should lie when boards fail to monitor the CEO’s personal life, the Delaware courts have held in several cases that ““directors of Delaware corporations generally have no duty to monitor the personal affairs of other directors and officers.” Granted, saying there is no duty to monitor such affairs is not the same as saying that there is no duty to intervene when such affairs are brought to the board’s attention, but it tends to support the proposition that the board has little liability exposure in this area.
Prof. Bainbridge also pointed out that, related to his first point, Delaware courts have held that while the business judgment rule doesn’t have any bearing on a claim that the directors’ inaction was the result of ignorance, it does apply to a conscious decision not to act, which he thinks this case would seem to involve.
About this time last year, the Delaware Chancery Court made it clear that Caremark claims could be brought not only against corporate directors, but also against corporate officers. Recently, in Segway v. Hong Cai, (Del. Ch.; 12/23), the Chancery Court held that Caremark claims against corporate officers were subject to the same high pleading standards as those targeting corporate directors.
The case involved allegations that a former VP of Finance had breached her duty of oversight because “she knew or should have known there were potential issues with some of [the Company’s] customers, which caused [the Company’s] accounts receivable to continuously rise” and that she failed to address these issues or bring them to the attention of the board. Vice Chancellor Will dismissed the complaint, and this excerpt from a Sheppard Mullin blog on the decision explains her reasoning:
The Court of Chancery sided with the Officer, noting that the Company’s allegations are “an ill fit for a Caremark claim.” A plaintiff may state a claim for failure of oversight against a director or officer where such person acted in bad faith by (i) utterly failing to implement any reporting or information systems or controls; or (ii) having implemented such a system or controls, consciously failing to monitor or oversee their operations, including by ignoring red flags. And, with respect to officers, the scope of an officer’s duty of oversight would need to fall within the officer’s sphere of corporate responsibility.
The Court found that generic financial matters such as learning of issues with unspecified customers, revenue decreases, and increases in receivables “are far from the sort of red flags” that could trigger liability. The Company failed to allege facts that would suggest bad faith; rather the Company sought to have the Officer “answer for a decrease in sales and an increase in receivables” with the benefit of “20/20 hindsight.”
Barker-Gilmore recently released its 2024 Aspiring General Counsel Report. Among other things, the report notes that if you want to be a GC, it sure helps to be anointed as a potential successor by your company’s management. According to the report, management-identified successors receive professional development in the form of expanded responsibilities, increased board exposure, leadership training and “stretch” assignments at higher rates than their peers generally. Here are some of the report’s other findings:
– 42% of Managing Counsel and 11% of Senior Counsel report being identified by management as potential successors to the sitting General Counsel.
– Being identified as a potential successor is more likely to keep Senior Counsel (60%) from pursuing other opportunities than it is for Managing Counsel (42%).
– In-house counsel that have received executive coaching (35%) are more likely to be identified as a successor than their counterparts without executive coaching (26%).
– Most identified successors are currently Deputy General Counsel (58%)
– 23% of potential successors identify as a race or ethnicity other than “white.”
The report also found that women are slightly more likely to be identified as a successor than men (53% vs. 47%), and that women are most likely to have been identified as a potential successor in the consumer (75%), industrial/manufacturing (60%) and financial services (56%) industries.
Allianz has issued its 13th annual “risk barometer,” which identifies the top 10 risks for the upcoming year based on a survey of 3,069 respondents from 92 countries including Allianz customers, brokers, industry trade organizations, risk consultants, underwriters, senior managers, claims experts, as well as other risk management professionals in the corporate insurance segment.
“Cyber incidents” tops the list again after taking the top spot last year, but for the first time by a clear margin and across all company sizes. The report described AI’s contributions to increasing cyber threats:
AI adoption brings numerous opportunities and benefits, but also risk. Threat actors are already using AI-powered language models like ChatGPT to write code. Generative AI can help less proficient threat actors create new strains and variations of existing ransomware, potentially increasing the number of attacks they can execute. An increased utilization of AI by malicious actors in the future is to be expected, necessitating even stronger cyber security measures.
Voice simulation software has already become a powerful addition to the cyber criminal’s arsenal. Meanwhile, deepfake video technology designed and sold for phishing frauds can also now be found online, for prices as low as $20 per minute.
ICYMI, even your annual meeting isn’t safe! On other happy topics, “business interruption” (including supply chain disruption), which has frequently been a top risk in years past, is now at no. 2 followed by “natural catastrophes.” I promise my intention was not to disrupt your sleep tonight when I started writing this blog…
Sometimes there’s no specific 8-K item triggered and no item where disclosure neatly fits, but a company wants to get certain information out there and turns to Item 7.01 or 8.01. This general scenario is not new, but this Cleary alert suggests 7.01 or 8.01 might be more frequently utilized when companies discover cybersecurity incidents but have yet to make a materiality determination. As Dave recently blogged, “the Titanic effect is real in many cybersecurity breaches, in that one can easily misperceive that the giant iceberg lurking under the surface is just some harmless floating ice,” and the SEC will be looking at disclosures with the benefit of hindsight. Here’s an excerpt from Cleary’s alert:
Given the number of moving pieces and factors to consider, it is likely that it may take some time to reach a definitive conclusion around materiality for any given cybersecurity incident. If a registrant waits until it has come to a final conclusion around materiality, a significant amount of time may have passed since the initial discovery of the incident.
The SEC has been extremely focused on the timeliness of disclosure of cybersecurity incidents, and while an incident may appear to be immaterial for some period of time and non-disclosure at that time would be technically compliant with the disclosure rules, if the incident is later determined to be material, there is likely to be a tremendous amount of scrutiny around the timing of that determination. As a result, registrants will want to think carefully about the potential benefits of putting out disclosure on Form 8-K under Item 7.01 (Regulation FD Disclosure) or Item 8.01 (Other Events) (and/or in a press release or other Regulation FD-compliant channel) promptly after discovering a cybersecurity incident, while the materiality of the incident is still under consideration (including if they do not believe the incident will likely be deemed material).
The alert describes a number of potential benefits of using this approach initially:
[T]here is no preemptive concession by the registrant of the event’s materiality in a potential future litigation or otherwise. In some circumstances, disclosure more quickly than the usual four day Form 8-K deadline will be appropriate.
We have seen an increasing number of registrants adopt this practice, even ahead of the Item 1.05 requirement becoming effective, and believe it can be an effective communication tool, while also mitigating regulatory and other risk. By disclosing early, a registrant will give itself some breathing room to come to a materiality determination in an expeditious but methodical way that considers all necessary factors. In addition, providing prompt disclosure may provide some protection from stock-drop lawsuits following a potential later announcement that the incident has been determined to be material.
Additionally, registrants may need to alert and provide ongoing updates to certain external stakeholders. For example, registrants may need to coordinate logistics with vendors if their systems are inaccessible, or may be unable to meet their immediate obligations to customers due to production or operational issues. These types of issues will necessitate real-time engagement with impacted constituencies. Putting out public disclosure will facilitate this dialogue and alleviate any concerns around claims of selective disclosure in violation of Regulation FD.
It concludes this point by saying that this practice is expected to continue but “[w]hether Item 7.01 or Item 8.01 is appropriate (the latter of which carries with it an implicit element of materiality and is filed, not furnished) will be a facts and circumstances determination.”
We blogged last June about how corporate communications by public company employees may need to be retained due to generally applicable statutory recordkeeping obligations and that guidance from March clarified that the DOJ expects all companies to maintain and enforce policies to ensure that all “business-related” electronic data and communications are preserved. Ephemeral messaging and off-channel communications got a lot of attention this summer after the SEC settled numerous enforcement actions with broker-dealers and investment advisers. And, in fact, this blog was perfectly timed since the SEC announced a new sweep this morning.
A new development in late January underscores the dangers of business use of ephemeral messaging and off-channel communications beyond the broker-dealer and investment adviser space. The DOJ and FTC announced an update to their preservation notices and instructions for responding to discovery, and the FTC stated that it may even refer cases to criminal prosecutors when companies fail to preserve documents covered by an FTC investigation or action.
This Nelson Mullins alert says the added preservation language clarifies that preservation responsibilities extend to new methods of collaboration, defines “Collaborative Work Environments” and “Messaging Applications” and outlines in detail information that needs to be provided regarding policies and procedures for retention and destruction of documents, including “chats, instant messages, text messages, and other methods of communication.” The language will apply to second requests, voluntary access letters, and compulsory legal processes. The platforms mentioned in the updated guidance include Slack, Microsoft Teams and Signal, but the alert notes that it also covers any other collaboration tools or platforms used, plus social media accounts like X, Facebook, or Snapchat. The alert gives this example:
[I]f a company involved in a merger becomes aware that a second request will be issued but fails to suspend the “auto delete” function of its Microsoft Teams collaboration platform, it may find itself in hot water that runs deeper than the substance of the merger investigation itself.
– Consider implementing policies to prevent employees from using unapproved apps or personal accounts for business communications
– “Only approve platforms that give IT personnel admin-level control over data retention settings” rather than any that would permit employees to control their own data-retention settings
– Take steps to ensure data will be retained as soon as a litigation or investigation hold is issued on all necessary platforms, including by disabling any autodelete features immediately
Vanguard has issued its 2024 voting policies, which are now effective (for meetings held after February 1st) and apply to Vanguard-advised funds. This Alliance Advisors post discusses key updates and says: “Overall, Vanguard has enhanced its disclosure expectations related to board composition and provided more details on its approach to executive compensation programs, advance notice requirements and exclusive forum provisions.” Here’s an excerpt from the alert:
– Board and committee independence: Vanguard is relaxing its majority independence standard for the entire board at controlled companies (those in which a majority interest is held by company insiders or affiliates). However, it expects a majority of key committee members at controlled companies to be independent.
– Board composition: Vanguard has added a new section to its guidelines on board composition that replaces its discussion on diversity and qualifications disclosure. Vanguard looks to companies to disclose their perspectives on the appropriate board structure and composition and how these elements support the firm’s strategy, long-term performance and shareholder returns. It wants issuers to provide regular disclosure regarding their director nomination process, their process for evaluating board composition and effectiveness, and their identification of gaps and opportunities to be addressed through board refreshment and evolution. Vanguard expects disclosure of each director’s tenure, skills and experience in a skills matrix. Disclosure of directors’ personal characteristics (such as gender, race and ethnicity) may be done on an aggregate or individual director level.
– Escalation process for director and committee accountability: In certain instances, Vanguard will vote against directors as a means of expressing concern regarding governance failings or other issues that are unaddressed by a company. It has eased its policy of penalizing boards for not making sufficient progress on board diversity. Instead, absent a compelling reason, Vanguard will vote against the nominating/governance committee chair, or another relevant board member, if the board is not taking action to achieve board composition that is appropriately representative, relative to its market and the needs of its long-term strategy.
The summary also describes some clarifications or expanded discussions of poison pills, advance notice bylaws and exclusive forum provisions.
Over on the CompensationStandards.com blog yesterday, Liz shared tweaks made to Vanguard’s case-by-case approach to compensation-related ballot items (including say-on-pay). As she reminded readers, Wellington makes voting decisions for some Vanguard funds and also released its policies (see the full policies and a summary of changes on Wellington’s policy portal). And, as always, you now also need to keep track of policies that apply when investors are using “proxy voting choice.”
Yes, voting choice complicates things, but at least the proxy advisors and institutional investors seem to have mostly gone easier on public companies with their policy updates this season (knock on wood). I wonder how often descriptions of these summaries in prior years have used phrases like “relaxing its majority independence standard” or “eased its policy.” And, looking at how we’ve characterized other policy updates this season, we’ve used words like “a holiday miracle” and “a few reasonable updates.”
