Following recent high-profile cyberattacks involving SolarWinds, Colonial Pipeline and others, the White House issued a memo to executive business leaders urging companies to take immediate actions to help protect not only companies themselves, but also customers and the broader economy. The memo follows the Executive Order signed by the President in May that was intended to strengthen the federal government’s cybersecurity defenses.
Among other recommendations, the White House memo urges businesses to adopt the five best practices outlined in the President’s Executive Order, including multifactor authentication, endpoint detection, endpoint response, encryption, and a skilled, empowered security team. In addition to operational and technical matters, this Jenner & Block memo includes a couple of helpful reminders for legal teams:
Importance of a Multi-Functional Team: Cybersecurity and information protection are broad efforts encompassing many different skills within a company. Legal counsel should be included in the team to advise about the application of relevant laws, regulations, and policies, and to prepare for potential litigation and enforcement actions.
Importance of Legal Privilege: Companies should consider how to maximize the application of legal privilege to internal factfinding efforts that are designed to address potential legal exposure from cybersecurity and data protection rules.
Recently, Deputy Attorney General Lisa Monaco also spoke up about increased risk of ransomware attacks, urging disclosure and cooperation with the FBI. This CNBC piece provides a summary of her remarks.
– Lynn Jokela
Tune in tomorrow for our webcast – “Cyber, Data & Social: Getting in Front of Governance” – to hear Melissa Krasnow of VLP Law Group, Lisa Beth Lentini Walker of Lumen Worldwide Endeavors, Sue Serna of Serna Social and Heidi Wachs of Stroz Friedberg/Aon discuss what boards need to know about cyber, data & social – risks & opportunities, monitoring new threats, managing compliance with changing laws & different jurisdictions, social media oversight, director liability issues and more!
We will apply for CLE credit in all applicable states for this 1-hour webcast. You must submit your state and license number prior to or during the program. Attendees must participate in the live webcast and fully complete all the CLE credit survey links during the program. You will receive a CLE certificate from our CLE provider when your state issues approval; typically within 30 days of the webcast. All credits are pending state approval.
No registration is necessary – and there is no cost – for this webcast for our members. If you are not yet a member, sign-up now to access the program. You can sign up online, send us an email at firstname.lastname@example.org – or call us at 800.737.1271.
– Lynn Jokela
Yesterday, the SEC announced that Renee Jones will serve as Corp Fin’s next Director. Renee most recently served as Professor of Law and Associate Dean for Academic Affairs at Boston College Law School, where she taught courses in corporations, securities regulation, startup company governance, and financial regulation. Previously, she represented private and public companies on corporate and securities matters at Boston law firm, Hill & Barlow. Coming in from academia isn’t entirely new, as John Coates was a long-time academic when he was appointed as the Division’s Acting Director, but traditionally the head of Corp Fin has been a practitioner.
Along with Renee’s appointment, after having served as Corp Fin’s Acting Director since February 2021, John Coates was named SEC General Counsel. Both appointments are effective June 21st.
– Lynn Jokela
It’s hard to believe it’s been a year since Marty passed away. In this podcast, Dave Lynn pays tribute to his great friend with a compilation of “greatest hits.” I hope you enjoy it as much as I did.
– Lynn Jokela
With news about cyber attacks seeming to crop up almost daily, considerations about potential ransomware attacks extend beyond information security officers. Alston & Bird recently issued a memo addressing considerations about ransomware attacks for the general counsel. One of the items covered in the memo relates to how increased ransom payments have placed strains on the insurance industry. The memo warns that companies may encounter a more rigorous underwriting and renewal process than they’ve experienced in prior years.
Indeed, as companies seek to acquire new cyber-insurance policies or renew existing ones, the insurers’ enhanced diligence procedures may require additional disclosures or the implementation of new or more stringent cybersecurity procedures to meet the insurer’s standards. For example, policies can often require a checklist of specific security controls designed to mitigate the risk of ransomware to be in place and periodically tested for effectiveness.
Other insurers are taking different approaches. Just this week, one European insurer announced that it will no longer issue cyber-insurance policies in France that reimburse insureds for ransom payments.
There is also the risk that an insured company may find that its policy’s pre-approval process for the retention of outside counsel, forensic experts, ransom payment facilitators, and even the potential ransom payment itself is in tension with the company’s interest in a swift and immediate response to a ransomware event. The extent to which the policy includes recovery costs can pose an additional challenge if a policy does not treat expenses related to the forensic investigation, ransom payment itself (if applicable), and rebuilding affected systems as covered recovery costs.
– Lynn Jokela
Last year’s Rule 14a-8 amendments may or may not be here to stay. The Senate “fast-track” deadline under the Congressional Review Act – which could have undone the amendments – expired at the end of May, according to Daniel Pérez of the GW Regulatory Studies Center. Now though, Rule 14a-8 is among the items listed in the SEC’s new Reg Flex Agenda – which was posted Friday as part of a federal agency-wide reveal of the new Administration’s plans for rulemaking.
The Rule 14a-8 amendments are listed in the Reg Flex Agenda’s section for “proposed rulemaking” – targeting April 2022 for a proposal. Among other items included in the agenda’s proposed rulemaking stage, with some targeted to potentially come along quickly, are:
– Rule 10b5-1 – October 2021
– Climate change disclosure (climate-related risks & opportunities) – October 2021
– Human Capital Management disclosure – October 2021
– Enhanced cybersecurity risk governance disclosure – October 2021
– SPACs – April 2022
– Proxy Voting Advice – April 2022
And, among items included in the pre-rule stage are the exempt offerings framework and gamification (out of the Division of Trading & Markets).
The SEC’s regulatory agenda is non-binding and doesn’t mean much beyond identifying the SEC Chair’s priorities. Stay tuned, as these agendas tend to change over time.
As for Rule 14a-8, the rule amendments adopted last fall remain intact and are currently effective – although the Commission adopted a transition period that says the final amendments first apply to any proposal submitted for meetings held on or after January 1, 2022. We’ll be following any Commission action or agency statements about the rulemaking closely and will be sure to blog about it.
To get up to speed on the Rule 14a-8 amendments before a shareholder proposal lands on your desk, check out our “Shareholder Proposals Handbook” – it’s been updated and incorporates the 14a-8 amendments; members can access it at no charge right here on TheCorporateCounsel.net.
– Lynn Jokela
Increased gender and ethnic diversity on public company boards is generally viewed positively. Nasdaq’s board diversity listing proposal has generated a bit of back and forth discussion as some have questioned the empirical research Nasdaq cited as justification for the proposal – John blogged back in April with one take on it and then Liz blogged about another take on it in May. Last week, the SEC issued a notice stating that it designated a longer period to consider Nasdaq’s proposed rule change. August 8 is the new date by which the Commission shall either approve or disapprove Nasdaq’s proposed rule change, as modified by Amendment No. 1.
Besides the back and forth that John and Liz blogged about, there have been quite a number of comment letters about Nasdaq’s proposal, and the Commission’s notice says it’s extending the period so it has sufficient time to consider the proposed rule change and the comment letters. And, for those reading the latest Reg Flex Agenda closely, you probably noted that corporate board diversity is among the items listed in the proposed rulemaking stage, with an October 2021 target date.
– Lynn Jokela
With stakeholders continuing to look for disclosure about board diversity, we’re starting to see increased company disclosure. To help stakeholders compare disclosure practices, KPMG (along with the help of ESGauge) recently launched a free new tool that tracks disclosure about board diversity. Here’s the press release, which includes some initial findings and a link to the tool.
KPMG’s tool facilitates comparison of disclosure practices by sector, index (Russell 3000 and S&P 500) and company size. When preparing next year’s proxy statement disclosure about board diversity, this tool might help in-house counsel see how much companies in their industry and size range are disclosing about board and individual director diversity and related policies and help ensure their disclosure is keeping step!
For more board diversity info, Deloitte and the Alliance for Board Diversity recently released a 44-page report examining representation of women and racial/ethnic minorities on boards among Fortune 100 and Fortune 500 companies. See this Cooley blog for a recap of some of the report’s findings.
– Lynn Jokela
Big thanks to member Sundance Banks for alerting us to what appears to be a pretty widespread whistleblower hoax, and to others who have provided more background over the last few days, including WilmerHale’s Susan Muck & Kevin Muck. Many companies maintain an email inbox at which employees can submit concerns about accounting or compliance matters, in addition to their third-party ethics hotline. An anonymous gmail account has been pinging those inboxes with a message that starts like this:
Dear Ethics Committee,
I am a long-time employee, but for the purpose of this report, I request to remain anonymous. I also do not want to name the person this report is about, at least for the time being. I would like to bring to your attention an incident that happened a while back to see whether it warrants any action on my part.
My boss, whom I’ve worked with for years now, and in any respect had been a stand-up person I look up to, has confided in me about stock trading they’ve made the past year. He/She shared with me the fact that they’ve bought and sold a significant amount of [our company’s shares/one of our major business partner’s shares]. When I asked how often they traded and how much money they earned, he/she just smiled and said: “let’s just say I know something others don’t. That’s what working in this company for __ years will get you”, indicating how long they worked in the company. A couple of days later, he/she called me to their office for a quick chat. We began talking about normal work affairs, but towards the end of the conversation, the boss asked me to close the door. When I did, he/she brought up the conversation about the stock trading again, telling me it’s probably for the best I don’t share this with anyone. I immediately responded that I didn’t and had no intention to do so. I also mentioned that this is not my business. The boss looked at me for a while and said that they knew they could count on me. They also mentioned that I am a very good employee and that he/she really appreciates me. The boss has been nothing but nice to me since then.
The message continues for a few more paragraphs and honestly seems pretty believable. But it quickly came to light as a scam when several companies contacted outside counsel about next steps, and the lawyers recognized that multiple clients were receiving very similar submissions. At least 25 companies have received this – the full number is likely much higher. Until Snopes starts debunking fake whistleblower messages, what should you do – or not do – if you receive this email or something like it?
1. Contact your outside counsel – a key takeaway here is that outside counsel can be very helpful in spotting commonalities that could be red flags.
2. Don’t respond until you’ve verified that the submission is legit – this is tricky, because whistleblower submissions typically trigger a cascade of policies & procedures, including prompt notification of directors and outside auditors, and responding to the whistleblower to get more information. But if you get this exact email, know that even regulators agree that it isn’t genuine and companies shouldn’t spend resources responding. They don’t want you engaging with potential criminals, if you can help it.
3. Don’t provide additional info to the whistleblower until you’ve verified that the submission is legit – again, this is delicate, but even responding with seemingly benign info could give the scammer points of contact in the legal, compliance or finance departments for future phishing schemes or illegitimate requests for money transfers.
4. Don’t download files or click on links – this version of the email doesn’t contain any files or links, but if you’ve already responded and received any sort of follow-up communication, don’t open it.
5. Alert your directors & auditors – this incident underscores the need for strong cybersecurity training and good email hygiene, and they should be on the lookout for scams.
6. Don’t forward the email – the scammer may be able to collect more email addresses if you do that. Copy & paste the content into a new message – or take a screenshot – if you need to share something that seems suspicious.
A very troubling aspect of this hoax – in addition to it coming at a time when the White House has warned all companies to be on high-alert about cybercrime – is that it undermines an important system that companies and regulators rely on to prevent wrongdoing. I don’t want to suggest in any way that you ignore whistleblower complaints – but in light of this, it’s probably worth doing a gut-check with outside counsel before responding. I’ve been told that regulators are also taking this incident very seriously.
Quick Poll: What’s the Fake Whistleblower’s Endgame?
Like a chain email that just won’t stop, or one of those Facebook “warnings” from 2009 that periodically recirculates for no apparent reason, the endgame here is a bit of a mystery. Vote for your favorite theory in this anonymous poll:
– Liz Dunshee
It is with a heavy heart that I share the sad news that we lost a legend of the SEC’s Division of Corporation Finance and the securities bar, Abbie Arms. Abbie passed away on May 19, 2021 at the age of 73 after a long and difficult battle with lung disease. For many years, Abbie served in key senior positions in Corp Fin, where she shaped regulatory policy on many important capital markets and public company issues.
Abbie was a brilliant securities lawyer who was highly skilled at analyzing complex issues and formulating appropriate regulatory responses that were consistent with the Commission’s investor protection mandate. Abbie loved working at the SEC and mentoring and teaching young lawyers in the Division. In my formative years at the SEC, I learned much about the operation of the Securities Act from being in meetings with Abbie, and I still use and value those insights to this day.
After leaving the SEC, Abbie practiced for many years at Shearman & Sterling LLP, where she was able to assist the firm’s clients with her extraordinary knowledge and skills as a securities lawyer. She also served as a Trustee of the SEC Historical Society from 2007-2013. Abbie was a loving and compassionate person who was loved and admired by her family, friends, co-workers and community. We will greatly miss Abbie and we offer our sincerest condolences to her family and many friends.
– Dave Lynn