Directors and officers of both public and private companies operate in difficult, complex, and evolving business, legal, and regulatory environments. Challenges and risk exposures are unavoidable, and the speed of change shows no sign of slowing. Accordingly, it is imperative that directors and officers stay abreast of issues impacting the risk landscape and continually analyze how best to protect themselves. The recently released NACD Board Leadership report prepared with Marsh, “Evolving Directors & Officers Liability Environment Emerging Issues & Considerations,” identifies core areas of change and associated insurance concerns for directors & officers (D&O).
Four areas being closely watched today are discussed below.
Securities regulations and resulting enforcement and claims will change over the course of President Trump’s administration, although the extent of the change remains to be seen. Deregulation for financial institutions and other organizations is likely. Although deregulation may ease the regulatory burden on businesses in an effort to stimulate growth, it could lead to a rise in resulting claims due a potential decrease in transparency and mandated corporate guidelines.
We may also see a shift in how government regulatory agencies handle purported wrongdoing—perhaps with the assessment of fewer corporate penalties while continuing to hold culpable individuals accountable. Based on some of the recent U.S. Securities and Exchange Commission appointments — including the SEC Chair and co-heads of the SEC Division of Enforcement —many expect that the agency will continue to aggressively pursue culpable individuals.
Generally speaking, activism is on the rise, including environmental activism, shareholder activism, and other forms. The first climate change-related securities class action was filed in late 2016, and more are expected to follow. Some anticipate that, as a result of the Trump administration’s withdrawal from the Paris Agreement, environmental activists’ drive to advance their agenda—whether through civil litigation, shareholder resolution initiatives, or other means—will increase. In addition, we expect there to be more initiatives driven by state regulatory actions and non-governmental organizations.
Increase in Securities Claims
According to NERA Economic Consulting, the number of securities class action filings in the first quarter of 2017 was significantly higher than in past years. The number for the first quarter of 2017 stood at 144 filings of federal securities class actions, which is up from 102 filings in the first quarter of 2016. If filings continue at this rate, we expect there to be close to 500 securities class action filings in 2017 alone, a 66 percent increase from 2016. The rise in filings can be attributed to several factors including, but not limited to: the increase in merger objection-related filings in federal court; the increase in the number of securities plaintiff firms; and, arguably, a race to the courthouse before any new regulatory changes are implemented.
Cybersecurity-related losses continue to be one of the most worrisome potential exposures for companies. Despite some significant recent cyberbreaches, the first traditional securities class action litigation against directors and officers was only recently filed. The complaint generally alleges that the defendants made materially false and/or misleading statements about the breach. It also claims failure to disclose material adverse facts about the company’s business and operations specific to data protection, and the discovery and potential impact of the data breaches.
On the other hand, there have been a number of derivative lawsuits filed against companies’ directors and officers for alleged mismanagement of cybersecurity incidents. To date, defendants in this type of litigation have largely been successful in getting these cases dismissed by invoking the business judgement rule, among other defenses. However, a notable, recent settlement of one of these derivative actions while on appeal will likely continue to fuel the plaintiff’s bar’s drive to pursue cybersecurity-related D&O claims.
While each of the above can be viewed as discrete risks, they each share a common thread: increased exposure to directors and officers. As a best practice, all directors should regularly review their D&O insurance program with their insurance advisors to ensure adequate protection in the wake of the increasingly risky environment in which we live. Directors and the officers of their companies should ask themselves probing questions about their insurance coverage:
Does my D&O insurance program provide sufficient limits of liability?
Am I protected by Side-A Difference In Conditions insurance? If so, are those limits sufficient?
How will my D&O insurance coverage respond in connection with a regulatory investigation? Will I be covered to the extent there is an internal investigation associated with an external regulatory investigation?
Does the selection of insurers on my company’s D&O “tower” make the most sense should I need to turn to the insurers for coverage?
How narrowly tailored is the exclusionary language in my policies? How favorable is the severability language?
By reviewing these questions in conjunction with their insurance programs on at least an annual basis, directors and officers will be more adequately prepared for the scenarios outlined above.
Robert P. Silvers is a respected expert on Internet of Things security and effective corporate planning and response to cybersecurity incidents. Silvers is a partner at Paul Hastings and previously served as the Obama administration’s assistant secretary for cyber policy at the U.S. Department of Homeland Security. Silvers will speak at NACD’s 2017 Global Board Leaders’ Summit in October and NACD’s Technology Symposium in July.
Robert P. Silvers
Cybersecurity breaches pose a growing threat to any organization. As we’ve seen in recent years, and indeed in recent weeks, the most sophisticated companies and even governments aren’t immune from cyberattack. Ransomware has become a global menace, and payment data and customers’ personal information are routinely swiped and sold on the “dark web” in bulk. Next-generation Internet of Things devices are wowing consumers, but they are also targets, as Internet connectivity becomes standard-issue in more and more product lines.
How do directors prepare for this landscape? Everyone now acknowledges the importance of cybersecurity, but it is daunting to begin to think about implementing a cybersecurity plan because it’s technical, fast-moving, and has no “silver-bullet” solutions. Most boards now consult regularly with the organization’s information security team, but the discussions can be frustrating because it’s hard to gauge readiness and where the organization really stands in comparison to its peers. Sometimes directors confide in me, quietly and on the sidelines, that their real cybersecurity strategy is one of hope and prayer.
There are steps directors can take now to prepare for incidents so that when they occur the company’s response is well oiled. With the right resources and preparation, boards can safely navigate these difficult and unforeseen situations. Three key strategies can assist directors as they provide oversight for cybersecurity risks:
Building relationships with law enforcement officials
Having incident response plans in place (and practicing them)
Staying educated on cybersecurity trends
1. Building Relationships With Law Enforcement Officials
It’s no secret that relationships are central to success. Building the right relationships now, before your worst-case scenario happens, will help manage the situation. The Federal Bureau of Investigation is generally the lead federal investigative agency when it comes to cybercrime, and the United States Secret Service also plays an important role in the financial services and payment systems sectors.
Boards should ensure company management educates law enforcement officials from these agencies about the company’s business and potential risks. In turn, the company should ask law enforcement to keep it apprised of emergent threats in real time. There should also be designated points of contact on each side to allow for ongoing communications and make it clear whom to contact during an incident. This is critical to ensuring that the company has allies already in place in the event that a cyberattack occurs.
2. Having—and Practicing—Incident Response Plans
Directors should ask to see copies of the company’s written cyberbreach response plan. This document is essential. A good incident response plan addresses the many parallel efforts that will need to take place during a cyberattack, including:
a. Technical investigation and remediation;
b. Public relations messaging;
c. Managing customer concern and fallout;
d. Managing human resources issues, particularly if employee data has been stolen or if the perpetrator of the attack is a rogue employee;
e. Coordination with law enforcement; and
f. Coordination with regulators and preparedness for the civil litigation that increasingly follows cyberattacks.
An incident response plan is only valuable if it is updated, if all the relevant divisions within a company are familiar with it, and if these divisions have “buy in” to the process. If the plan is old or a key division doesn’t feel bound by it, the plan isn’t going to work. Directors should insist the plan be updated regularly and that the company’s divisions exercise the plan through simulated cyber incidents, often called “table-top exercises.” Indeed, table-top exercises for the board itself can be an excellent way to familiarize directors with the company’s incident response plan and its cyber posture more generally.
3. Staying educated on cyber security trends
As your board is building relationships with law enforcement officials and preparing an incident response plan, directors should also be educating themselves on cyber risk. Cybersecurity becomes more approachable as you invest the time to learn—and it’s a fascinating subject that directors enjoy thinking about. Do you know what a breach will look like for your company? What protocols do you have in place in case something happens?
According to the 2016–2017 NACD Public Company Governance Survey, 89 percent of public company directors said cybersecurity is discussed regularly during board meetings. Since a majority of directors in the room agree that cybersecurity is worth discussing, directors should collectively and individually prioritize learning the ins and outs of cyber risks.
One easy way to stay up to date on the latest is to ask the company’s information technology security team for periodic reports of the most significant security events that the company has encountered. This will give directors a feel for the rhythm of threats the company faces day in and day out.
Another option is for directors to take a professional course and get certified. The NACD Cyber-Risk Oversight Program is a great example of a course designed to help directors enhance their cybersecurity literacy and strengthen the board’s role in providing oversight for cyber preparedness. Consider these options to keep yourself as educated and informed as possible.
The more you can prepare individually, the better off you will be when you have to provide oversight for a cybersecurity breach at your company.
Champions of business women have been honored each year since 2001 by the prominent civil rights organization Legal Momentum with its Aiming High Award. Stephanie Drescher, global head, business development and investor relationship management at Apollo Global Management, is one of three honorees this year.
The seventeenth annual Legal Momentum Aiming High Awards were presented at a luncheon on June 15 in New York City.
In addition to Drescher, this year’s award recipients are:
Brad S. Karp, chair, Paul, Weiss, Rifkind, Wharton & Garrison, and winner of the Man of Distinction honor
Lisa Garcia Quiroz, senior vice president, president of the Time Warner Foundation, and chief diversity officer of Time Warner
Economics and psychology might seem like an unlikely academic pairing for a Barnard College undergrad, but it was a natural combination for Stephanie Drescher—and one that helped inform her career. By applying the analytical aspects of economics with an understanding of what drives collaborative work environments, she developed a keen sense of how to achieve optimal results within complex organizations.
Drescher has since distinguished herself as one of the most successful women in the global private equity industry. After spending the first 10 years of her career at JPMorgan Chase & Co. in a variety of roles, including serving on the boards of the firm’s private equity and venture capital businesses, she joined Apollo Global Management in 2004, heading the firm’s business development and investor relationship operations.
Founded in 1990, Apollo currently has $197 billion in assets under management, and Drescher has played an influential role in building the firm into the financial powerhouse it is today. Drescher recently reflected on her career and role as a mentor in a telephone interview.
How did mentorship position you for success in the financial sector?
Early on in my career, I saw many examples of women who were in leadership positions, and they were great role models for me. That was certainly one element of being able to see a path forward. Equally as important were men who throughout my career have served as mentors and sponsors. These people came to know me quite well and were crucial in helping guide me as I developed professionally.
One key piece of advice I received early on: think of yourself as the CEO of your own career and have a board of directors you can reach out to for advice as you encounter new challenges. That framework is one that I often share with others as they set out in their careers.
How does Apollo cultivate a collaborative atmosphere?
The first thing that comes to mind is our investment committee. Everyone is invited to contribute. If you are the most recent addition to the investment team, or you’ve been there since day one, everyone sits around one—now very big—table to discuss the investments. It’s a very deliberate way to create an opportunity for everyone to learn from one another, and evaluate each opportunity from different perspectives.
I think it’s a testament to the strength of our firm that we’ve been able to maintain such a productive, collaborative atmosphere even amid our tremendous growth. When I joined, we had fewer than 100 people and managed around $15 billion. Roll forward to today, and we’re managing upwards of $200 billion with more than 1,000 people on staff. Our core culture remains the same, which enables us to deliver best-in-class performance to our global investor base.
In your experience, are investors pressing more on diversity and inclusion issues?
It’s certainly a topic of increasing interest and conversation with our institutional investors. They have many choices as to where they invest their capital, and ultimately, they want to work with firms that are focused on doing their part in terms of diversity and inclusion.
How is Apollo working to fortify talent pipelines internally and in its portfolio companies?
We are proud of a number of initiatives that we started at Apollo. In 2014, we launched our veteran’s initiative, which encourages Apollo and its portfolio companies to recruit, hire, and retain veterans and their spouses. That has been a great success.
We also recently launched the Apollo Women’s Empowerment initiative, which I co-chair with our global head of credit. We have spent a great amount of time developing a steering committee with a number of initiatives to allow for development of our women networking, and engagement with industry groups, external leaders, and the community.
How do you serve as a mentor to young women?
It starts with a commitment to engage with the wider community, which is very important for all of us at the firm. A specific area of interest for me has been my involvement with the Young Women’s Leadership Network. It’s a group of all-girls schools in underserved communities that prepare their students for college. I think it’s just another way of ensuring that as we rise in our own careers, we look to lift those around us by serving as mentors, sounding boards, and role models.