Anyone who has ever met Brad S. Karp knows first-hand that he is a man of distinction. Recently he was celebrated for still another outstanding trait: his commitment to lifting up the women around him and supporting their paths to business leadership. The chair of Paul, Weiss, Rifkind, Wharton & Garrison was honored for his prodigious part in championing the advancement of women at the 17th annual Legal Momentum Aiming High Awards.
The 47-year-old gender rights organization provides advocacy and legal reform services to ensure the personal rights and safety for women and girls. It has been giving its Aiming High award since 2001 to women in the legal profession who work to elevate and advance the work of their sisters.
Karp accepts the Man of Distinction Award.
Karp is only the second recipient of the “Man of Distinction” award. Beginning last year led by Legal Momentum President and CEO, Carol Robies-Román, the organization made the astute decision to include men among its honorees. J. Michael Cook, former chair and CEO of Deloitte & Touche, was the first man-of-distinction honoree at the 2016 luncheon.
In addition to Karp, this year’s Aiming High award recipients are: Stephanie Drescher, global head, business development & investor relationship management, Apollo Global Management; and Lisa Garcia Quiroz, who is now president of the Time Warner Foundation and the company’s first chief diversity officer.
Drescher was introduced by John J. Suydam, chief legal and compliance officer at Apollo, who extolled Drescher’s quiet confidence, unflappability, and superior listening skills. As a leader, Drescher has displayed an innate ability to build relationships with Apollo stakeholders including management, clients, and its 989 employees in 15 offices around the globe.
Garcia Quiroz (left) and Drescher received the Aiming High award from Legal Momentum in June.
Janet Murguía, president and CEO of the National Council of La Raza, introduced her colleague and friend, Garcia Quiroz. Prior to joining Time Warner, Quiroz was at Time Inc., where she founded People en Español and Time for Kids. Murguía praised Quiroz as a cultivator of talent, particularly of storytellers.
At Time Warner, Quiroz led the creation of a company-wide talent incubator called One Fifty to identify and develop stories that would resonate with younger and more diverse audiences. “Lisa understands in her heart that greater diversity builds strength across communities,” said Murguia. “She is tireless and fearless.”
Quiroz spoke of her decision to attend Harvard Business School—rather than the law school, which would have been her father’s preference. “The universe conspired to bring me into media with a social activist heart,” Quiroz said.
Karp was introduced by his colleague, Valerie E. Radwaner, vice chair of Paul Weiss. Radwaner lightheartedly extolled Karp as “a force for feminists.” “Brad believes in gender equality and social justice issues as shown by how he leads Paul Weiss. He understands that real change only happens by bringing dozens of different voices to the table,” Radwaner said.
Directors and officers of both public and private companies operate in difficult, complex, and evolving business, legal, and regulatory environments. Challenges and risk exposures are unavoidable, and the speed of change shows no sign of slowing. Accordingly, it is imperative that directors and officers stay abreast of issues impacting the risk landscape and continually analyze how best to protect themselves. The recently released NACD Board Leadership report prepared with Marsh, “Evolving Directors & Officers Liability Environment Emerging Issues & Considerations,” identifies core areas of change and associated insurance concerns for directors & officers (D&O).
Four areas being closely watched today are discussed below.
Securities regulations and resulting enforcement and claims will change over the course of President Trump’s administration, although the extent of the change remains to be seen. Deregulation for financial institutions and other organizations is likely. Although deregulation may ease the regulatory burden on businesses in an effort to stimulate growth, it could lead to a rise in resulting claims due a potential decrease in transparency and mandated corporate guidelines.
We may also see a shift in how government regulatory agencies handle purported wrongdoing—perhaps with the assessment of fewer corporate penalties while continuing to hold culpable individuals accountable. Based on some of the recent U.S. Securities and Exchange Commission appointments — including the SEC Chair and co-heads of the SEC Division of Enforcement —many expect that the agency will continue to aggressively pursue culpable individuals.
Generally speaking, activism is on the rise, including environmental activism, shareholder activism, and other forms. The first climate change-related securities class action was filed in late 2016, and more are expected to follow. Some anticipate that, as a result of the Trump administration’s withdrawal from the Paris Agreement, environmental activists’ drive to advance their agenda—whether through civil litigation, shareholder resolution initiatives, or other means—will increase. In addition, we expect there to be more initiatives driven by state regulatory actions and non-governmental organizations.
Increase in Securities Claims
According to NERA Economic Consulting, the number of securities class action filings in the first quarter of 2017 was significantly higher than in past years. The number for the first quarter of 2017 stood at 144 filings of federal securities class actions, which is up from 102 filings in the first quarter of 2016. If filings continue at this rate, we expect there to be close to 500 securities class action filings in 2017 alone, a 66 percent increase from 2016. The rise in filings can be attributed to several factors including, but not limited to: the increase in merger objection-related filings in federal court; the increase in the number of securities plaintiff firms; and, arguably, a race to the courthouse before any new regulatory changes are implemented.
Cybersecurity-related losses continue to be one of the most worrisome potential exposures for companies. Despite some significant recent cyberbreaches, the first traditional securities class action litigation against directors and officers was only recently filed. The complaint generally alleges that the defendants made materially false and/or misleading statements about the breach. It also claims failure to disclose material adverse facts about the company’s business and operations specific to data protection, and the discovery and potential impact of the data breaches.
On the other hand, there have been a number of derivative lawsuits filed against companies’ directors and officers for alleged mismanagement of cybersecurity incidents. To date, defendants in this type of litigation have largely been successful in getting these cases dismissed by invoking the business judgement rule, among other defenses. However, a notable, recent settlement of one of these derivative actions while on appeal will likely continue to fuel the plaintiff’s bar’s drive to pursue cybersecurity-related D&O claims.
While each of the above can be viewed as discrete risks, they each share a common thread: increased exposure to directors and officers. As a best practice, all directors should regularly review their D&O insurance program with their insurance advisors to ensure adequate protection in the wake of the increasingly risky environment in which we live. Directors and the officers of their companies should ask themselves probing questions about their insurance coverage:
Does my D&O insurance program provide sufficient limits of liability?
Am I protected by Side-A Difference In Conditions insurance? If so, are those limits sufficient?
How will my D&O insurance coverage respond in connection with a regulatory investigation? Will I be covered to the extent there is an internal investigation associated with an external regulatory investigation?
Does the selection of insurers on my company’s D&O “tower” make the most sense should I need to turn to the insurers for coverage?
How narrowly tailored is the exclusionary language in my policies? How favorable is the severability language?
By reviewing these questions in conjunction with their insurance programs on at least an annual basis, directors and officers will be more adequately prepared for the scenarios outlined above.
Robert P. Silvers is a respected expert on Internet of Things security and effective corporate planning and response to cybersecurity incidents. Silvers is a partner at Paul Hastings and previously served as the Obama administration’s assistant secretary for cyber policy at the U.S. Department of Homeland Security. Silvers will speak at NACD’s 2017 Global Board Leaders’ Summit in October and NACD’s Technology Symposium in July.
Robert P. Silvers
Cybersecurity breaches pose a growing threat to any organization. As we’ve seen in recent years, and indeed in recent weeks, the most sophisticated companies and even governments aren’t immune from cyberattack. Ransomware has become a global menace, and payment data and customers’ personal information are routinely swiped and sold on the “dark web” in bulk. Next-generation Internet of Things devices are wowing consumers, but they are also targets, as Internet connectivity becomes standard-issue in more and more product lines.
How do directors prepare for this landscape? Everyone now acknowledges the importance of cybersecurity, but it is daunting to begin to think about implementing a cybersecurity plan because it’s technical, fast-moving, and has no “silver-bullet” solutions. Most boards now consult regularly with the organization’s information security team, but the discussions can be frustrating because it’s hard to gauge readiness and where the organization really stands in comparison to its peers. Sometimes directors confide in me, quietly and on the sidelines, that their real cybersecurity strategy is one of hope and prayer.
There are steps directors can take now to prepare for incidents so that when they occur the company’s response is well oiled. With the right resources and preparation, boards can safely navigate these difficult and unforeseen situations. Three key strategies can assist directors as they provide oversight for cybersecurity risks:
Building relationships with law enforcement officials
Having incident response plans in place (and practicing them)
Staying educated on cybersecurity trends
1. Building Relationships With Law Enforcement Officials
It’s no secret that relationships are central to success. Building the right relationships now, before your worst-case scenario happens, will help manage the situation. The Federal Bureau of Investigation is generally the lead federal investigative agency when it comes to cybercrime, and the United States Secret Service also plays an important role in the financial services and payment systems sectors.
Boards should ensure company management educates law enforcement officials from these agencies about the company’s business and potential risks. In turn, the company should ask law enforcement to keep it apprised of emergent threats in real time. There should also be designated points of contact on each side to allow for ongoing communications and make it clear whom to contact during an incident. This is critical to ensuring that the company has allies already in place in the event that a cyberattack occurs.
2. Having—and Practicing—Incident Response Plans
Directors should ask to see copies of the company’s written cyberbreach response plan. This document is essential. A good incident response plan addresses the many parallel efforts that will need to take place during a cyberattack, including:
a. Technical investigation and remediation;
b. Public relations messaging;
c. Managing customer concern and fallout;
d. Managing human resources issues, particularly if employee data has been stolen or if the perpetrator of the attack is a rogue employee;
e. Coordination with law enforcement; and
f. Coordination with regulators and preparedness for the civil litigation that increasingly follows cyberattacks.
An incident response plan is only valuable if it is updated, if all the relevant divisions within a company are familiar with it, and if these divisions have “buy in” to the process. If the plan is old or a key division doesn’t feel bound by it, the plan isn’t going to work. Directors should insist the plan be updated regularly and that the company’s divisions exercise the plan through simulated cyber incidents, often called “table-top exercises.” Indeed, table-top exercises for the board itself can be an excellent way to familiarize directors with the company’s incident response plan and its cyber posture more generally.
3. Staying educated on cyber security trends
As your board is building relationships with law enforcement officials and preparing an incident response plan, directors should also be educating themselves on cyber risk. Cybersecurity becomes more approachable as you invest the time to learn—and it’s a fascinating subject that directors enjoy thinking about. Do you know what a breach will look like for your company? What protocols do you have in place in case something happens?
According to the 2016–2017 NACD Public Company Governance Survey, 89 percent of public company directors said cybersecurity is discussed regularly during board meetings. Since a majority of directors in the room agree that cybersecurity is worth discussing, directors should collectively and individually prioritize learning the ins and outs of cyber risks.
One easy way to stay up to date on the latest is to ask the company’s information technology security team for periodic reports of the most significant security events that the company has encountered. This will give directors a feel for the rhythm of threats the company faces day in and day out.
Another option is for directors to take a professional course and get certified. The NACD Cyber-Risk Oversight Program is a great example of a course designed to help directors enhance their cybersecurity literacy and strengthen the board’s role in providing oversight for cyber preparedness. Consider these options to keep yourself as educated and informed as possible.
The more you can prepare individually, the better off you will be when you have to provide oversight for a cybersecurity breach at your company.