It’s way too early to make any judgments on board conduct in the Equifax controversy. That’ll be for the courts to decide, and they’ll take a long time getting there. But it’s not too early to draw some useful governance lessons from the situation, if media reports are to be believed. And these are lessons that apply regardless of whether the board serves a publicly held, privately owned or nonprofit corporation.
Some of these lessons relate to the board’s crisis management responsibilities. Others relate to the oversight of the board-CEO relationship. Still others invoke expectations of board cybersecurity oversight.
All of the possible lessons are premised on the increasing recognition of the inevitably of crisis, be it black swan or foreseeable, cybersecurity-related or “from out of left field.” For most complex enterprises, crises are just going to happen. The only questions are when, how big the crisis will be, and from what direction it will come. The most prescient of boards will embrace this inevitably and prepare for a corporate governance version of Defcon 3.
The other lessons are more practical in nature.
1. Emergency Succession The swiftness of Mr. Smith’s removal speaks to the “nuts and bolts” value of having an emergency executive succession plan. The sudden Smith transition is a shocking example of how emergency succession applies to circumstances beyond customary triggers such as death, health care and family considerations. In today’s crisis-oriented environment, the need to separate from, and replace even the youngest, seasoned and most successful executives can arise at a moment’s notice.
Succession is a part of the board’s basic responsibilities that often gets lost amid the confluence of best practices and consultant messaging. Such planning can be complicated. According to the New York Times, the Equifax board regarded many of its original replacement candidates as “tainted” by ties to the cyber breach—including some executives who are believed to have sold company stock after the breach was discovered but before it was disclosed to the public.
2. Structuring the Separation There’s also the need to anticipate both the classification and the financial terms of executive separation in the context of a crisis environment. According to media reports, Mr. Smith’s separation was described as a retirement. Yet, the board announced that it was reserving the right to retroactively classify the separation as for-cause termination, based upon the ultimate findings of a board special committee charged with the responsibility for reviewing the data breach. Such a reclassification would have obvious and material implications for Mr. Smith’s compensation arrangements, including valuable stock awards.
This action by the Equifax board reflects several key realities of the crisis environment.
It will often be difficult to fairly ascertain the presence of cause for termination purposes in the direct aftermath of a crisis. The consideration of the results of an internal investigation may be a necessary and equitable precondition.
While not yet considered best practice, the use of clawbacks and other forms of executive compensation disgorgement arrangements is increasingly viewed as an effective response to executive fraud, malfeasance, or other misconduct. Clawback application has most recently been demonstrated by the actions of a financial services company board in response to a significant corporate controversy.
Boards must face the harsh reality of the need to impose separation in advance of intense scrutiny by the media, regulators, and possibly even legislators. The sometimes corporate brutality of “throwing executives under the bus” may be perceived as both part of an effective board response (i.e., to demonstrate board accountability), and necessary to preserve the reputation of the company and the interests of its stakeholders. According to the Wall Street Journal, the departures of the Equifax information officer and chief security officer were not considered by the board to be actions significant enough in stature. Thus, the concept of “strict accountability” for executives in the context of major corporate controversies may increasingly be considered an indirect part of the compact between the board and management.
3. The Standard of Conduct Another lesson is for the board to reconsider the effectiveness of its own cybersecurity oversight efforts. The leading judicial decisions have to date established a high Caremark-style barrier for demonstrating breach of cybersecurity oversight responsibilities. Notable in this regard was the decision of the court in the Home Depot case to extend the protection of the business judgment rule to the board’s conduct, despite its clearly expressed concerns about the speed with which the board implemented protective measures.
However, boards should not place unreasonable reliance on Caremark protection. As instances of cyberbreaches become more egregious, it is reasonable to project a stricter approach to director liability in future cases.
4. The Self-Critique Perhaps the most basic governance lesson from Equifax is the need for board self-evaluation. Any board-driven internal investigation of a corporate controversy will benefit from consideration of the adequacy of the full board’s related oversight efforts. For example, the Wall Street Journal reported that weaknesses in Equifax’s cybersecurity measures were “apparent to outside observers in the months before the hack.” Was the board made aware of these weaknesses? If not, why not? Such a self-critique has been an accepted component of truly comprehensive internal investigations since the “Powers Report” from the Enron board. The willingness to consider how possible governance inadequacies may have contributed to crises can serve as a powerful demonstration of the board’s good faith and assumption of ultimate responsibility.
Equifax is not, as some have characterized it, the second coming of Enron. That’s unnecessary hyperbole at this point. As exaggerated as commentary may be, what is known about the crisis offers a valuable teaching moment to boards about expectations of fiduciary conduct in crisis situations, cybersecurity or otherwise.
Michael W. Peregrine, a partner in McDermott Will & Emery, advises corporations, officers and directors on matters relating to corporate governance, fiduciary duties and officer/director liability issues. His views are his own and do not necessarily reflect the views of McDermott Will & Emery, its clients, or NACD.
Law firms that specialize in suing directors will scrutinize nearly every major transaction, public offering, stock drop, restatement, and press release filed by public companies. For instance, according to Cornerstone Research, stockholders file lawsuits challenging the majority of public company transactions valued at more than $100 million, with an average of three lawsuits per transaction. An effective defense of these almost-inevitable lawsuits can begin long before they are filed. With a few simple steps, directors can reduce the burden of these lawsuits and protect themselves from the most common tactics utilized by stockholders’ attorneys.
1. Vet conflicts early and often. Perhaps the easiest way to avoid fiduciary duty liability is to avoid situations where you have conflicting interests in a transaction or other board decision. Due to various protections under Delaware law, directors are rarely held liable for poor or ill-informed decisions if the directors are not self-interested (unless they are grossly negligent), and articles of incorporation almost universally protect directors from monetary damages for such decisions. By contrast, Delaware fiduciary duty law imposes exacting standards for directors who participate in board decisions when they have a material self-interest in that decision. Thus, any major board initiative should begin with a full analysis of each director’s potential self-interests, and this analysis should be updated throughout the initiative. Of course, this analysis requires you to stay organized with your outside business interests (e.g., your employer’s customers, suppliers, and competitors) and personal financial situation (e.g., ownership interests). Recusing yourself can be the stitch in time that saves nine.
2. Treat all board communications formally. The documents that often cause the most trouble in litigation are informal e-mails between two directors. Even if e-mails contain nothing objectively negative regarding the board decision at issue, such e-mails can raise questions about the board’s deliberative process, especially if the issue raised in an e-mail was not discussed with the full board. A skilled plaintiff’s counsel can often interpret a casually written message in an unintended manner. In most instances, if a director raises any concern outside of a board meeting, the full board should resolve that concern and memorialize the process in a contemporaneous document (e.g., the minutes). If you have said anything in an e-mail that is inconsistent with your ultimate vote on an issue—even if you were just playing “devil’s advocate”—you should be prepared to square your communications with your vote. In other words, make sure your concerns are resolved through the deliberative process before making your decision.
3. Maximize efficiency in pressing circumstances. Perhaps underestimating how quickly and diligently directors and their advisors can work in exigent circumstances, plaintiffs’ attorneys often allege that board decisions were too rushed. For instance, in one of the more infamous Delaware fiduciary duty decisions, a financial advisor did not send any valuation materials to a board of directors until 9:42 p.m. on the night that the directors met to vote on a merger. The board met at 11 p.m. and approved the merger that night. Tight deadlines are often unavoidable, but directors can take steps to maximize the efficiency of the process. For instance, request early drafts of meeting materials, make your advisors work around-the-clock when necessary, and don’t wait until the board meeting to ask questions. At the end of the day, you need to be able to honestly state that you had enough time to fully consider any issues or concerns and come to a reasoned decision. Use your resources efficiently to get to that point.
4. Make your advisors an asset, not a liability. The quality and independence of a board’s advisors is a direct reflection on the quality and independence of the board’s process. This scrutiny begins when a board (or committee) selects its outside advisors. Stockholders may cry foul if directors simply accept management’s recommended advisor, especially if any member of management may have a self-interest in the relevant transaction.
To avoid these common allegations, interview multiple advisory firms, thoroughly inspect their potential conflicts, and negotiate for a fee structure that aligns the advisor’s incentivizes with the best interests of the stockholders. Stockholders also regularly allege that advisors are “deal cheerleaders” who bend their analysis to support the board’s wishes. To rebut these allegations, insist that your advisors objectively analyze the relevant issues, and ask them to obtain the board’s approval for any significant assumptions, methodology decisions, and other subjective portions of their analyses. To the extent possible, you should also resist your advisors’ efforts to load their work-product with disclaimers. Above all, carefully analyze your advisors’ work-product, ask questions, and do not rely on their opinions until you understand and approve of the efforts and reasoning underlying those opinions.
5. Ensure that the meeting minutes fully reflect the process. We cannot overstate the importance of minutes in litigation against directors. First, judges and juries typically place more weight on contemporaneous records of a board decision than after-the-fact testimony. Second, depositions often happen several months (if not years) after a challenged board decision, and minutes are an important tool for refreshing directors’ memories. Ask the board secretary to draft minutes promptly after a board meeting so that you can review them while the meeting is still fresh on your mind. When reviewing minutes, make sure that they accurately reflect a summary of the issues discussed, the specifics of any decisions reached, and a list of all attendees (plus mid-meeting arrivals and departures). Not every single statement made during a meeting can or should be part of the minutes, but it is important for the minutes to reflect every topic discussed at the meeting. Ask yourself: “If I’m questioned about this meeting at a deposition next year, will these minutes help me answer questions and show the court that we fulfilled our duties?”
6. Know the boundaries of the attorney-client privilege. The attorney-client privilege is not a guarantee that all correspondences with counsel are shielded from discovery. For instance, contrary to many directors’ (and attorneys’) beliefs, the attorney-client privilege does not protect every e-mail on which an attorney is copied. Rather, an e-mail is generally privileged only if the correspondence is sent in furtherance of requesting or providing legal advice. Parties in litigation are often required to redact the “legal advice” portion of e-mails and produce the remaining portions. Thus, an e-mail (or a portion of an e-mail) concerning purely business issues might not be shielded from production. Additionally, communications with certain persons that would ordinarily be privileged, including in-house and outside counsel, may not be privileged under certain circumstances. Further, even if a document is undisputedly privileged, litigants sometimes waive the attorney-client privilege for strategic reasons, such as when the board asserts that it made a challenged decision in reliance on advice from counsel. While it is vital to have open and honest communications with your counsel, it is also important to remember that those communications may be shown to an opposing party. If there is something you would not write down in a non-privileged e-mail, then consider calling your attorney instead of sending an e-mail.
7. Use a board-specific e-mail address. By exclusively using a non-personal e-mail address for board-related correspondences, you can significantly reduce the odds of personal e-mails (or e-mails concerning your other business endeavors) becoming subject to discovery. Too often, we see directors using their “day job” e-mail addresses for their directorial correspondences; this can lead to situations where your employer’s confidential information must be copied, reviewed by your outside counsel, or (worse yet) produced to the opposing party in litigation. The same holds true for personal e-mail addresses, which some directors use for their family’s bank statements and board-related e-mails. The best way to potentially avoid this situation is to proactively segregate board-related e-mails to a different e-mail account. Some companies create e-mail addresses for their directors. If yours does not, consider creating an e-mail account and conducting board-related business solely from that address.
Craig Zieminski and Andrew Jackson are litigation attorneys at Vinson & Elkins LLP. They specialize in representing companies and their directors in lawsuits alleging breaches of fiduciary duties, partnership agreement duties, merger agreements, and federal securities laws.
Directors and officers of both public and private companies operate in difficult, complex, and evolving business, legal, and regulatory environments. Challenges and risk exposures are unavoidable, and the speed of change shows no sign of slowing. Accordingly, it is imperative that directors and officers stay abreast of issues impacting the risk landscape and continually analyze how best to protect themselves. The recently released NACD Board Leadership report prepared with Marsh, “Evolving Directors & Officers Liability Environment Emerging Issues & Considerations,” identifies core areas of change and associated insurance concerns for directors & officers (D&O).
Four areas being closely watched today are discussed below.
Securities regulations and resulting enforcement and claims will change over the course of President Trump’s administration, although the extent of the change remains to be seen. Deregulation for financial institutions and other organizations is likely. Although deregulation may ease the regulatory burden on businesses in an effort to stimulate growth, it could lead to a rise in resulting claims due a potential decrease in transparency and mandated corporate guidelines.
We may also see a shift in how government regulatory agencies handle purported wrongdoing—perhaps with the assessment of fewer corporate penalties while continuing to hold culpable individuals accountable. Based on some of the recent U.S. Securities and Exchange Commission appointments — including the SEC Chair and co-heads of the SEC Division of Enforcement —many expect that the agency will continue to aggressively pursue culpable individuals.
Generally speaking, activism is on the rise, including environmental activism, shareholder activism, and other forms. The first climate change-related securities class action was filed in late 2016, and more are expected to follow. Some anticipate that, as a result of the Trump administration’s withdrawal from the Paris Agreement, environmental activists’ drive to advance their agenda—whether through civil litigation, shareholder resolution initiatives, or other means—will increase. In addition, we expect there to be more initiatives driven by state regulatory actions and non-governmental organizations.
Increase in Securities Claims
According to NERA Economic Consulting, the number of securities class action filings in the first quarter of 2017 was significantly higher than in past years. The number for the first quarter of 2017 stood at 144 filings of federal securities class actions, which is up from 102 filings in the first quarter of 2016. If filings continue at this rate, we expect there to be close to 500 securities class action filings in 2017 alone, a 66 percent increase from 2016. The rise in filings can be attributed to several factors including, but not limited to: the increase in merger objection-related filings in federal court; the increase in the number of securities plaintiff firms; and, arguably, a race to the courthouse before any new regulatory changes are implemented.
Cybersecurity-related losses continue to be one of the most worrisome potential exposures for companies. Despite some significant recent cyberbreaches, the first traditional securities class action litigation against directors and officers was only recently filed. The complaint generally alleges that the defendants made materially false and/or misleading statements about the breach. It also claims failure to disclose material adverse facts about the company’s business and operations specific to data protection, and the discovery and potential impact of the data breaches.
On the other hand, there have been a number of derivative lawsuits filed against companies’ directors and officers for alleged mismanagement of cybersecurity incidents. To date, defendants in this type of litigation have largely been successful in getting these cases dismissed by invoking the business judgement rule, among other defenses. However, a notable, recent settlement of one of these derivative actions while on appeal will likely continue to fuel the plaintiff’s bar’s drive to pursue cybersecurity-related D&O claims.
While each of the above can be viewed as discrete risks, they each share a common thread: increased exposure to directors and officers. As a best practice, all directors should regularly review their D&O insurance program with their insurance advisors to ensure adequate protection in the wake of the increasingly risky environment in which we live. Directors and the officers of their companies should ask themselves probing questions about their insurance coverage:
Does my D&O insurance program provide sufficient limits of liability?
Am I protected by Side-A Difference In Conditions insurance? If so, are those limits sufficient?
How will my D&O insurance coverage respond in connection with a regulatory investigation? Will I be covered to the extent there is an internal investigation associated with an external regulatory investigation?
Does the selection of insurers on my company’s D&O “tower” make the most sense should I need to turn to the insurers for coverage?
How narrowly tailored is the exclusionary language in my policies? How favorable is the severability language?
By reviewing these questions in conjunction with their insurance programs on at least an annual basis, directors and officers will be more adequately prepared for the scenarios outlined above.