There are many posts on the NACD Board Leaders’ Blog discussing cybersecurity, but all of them deal with directors’ responsibilities toward the organizations where they are board members. In fact, corporate directors themselves may be targets for hacktivists or cybercriminals and need to make sure they have adequate protection. This protection should cover both the home and the professional office.
Directors obviously will have access to sensitive insider information that many unauthorized parties would like to get access to. Many directors will also be targets as high net worth individuals. Cyber criminals always target the weakest link, and as corporate information security improves, they increasingly will target the home networks of key executives and directors.
Breaches such as the one that occurred in the summer of 2017 at Equifax have put so much personal information into the hands of criminals that individuals increasingly will become targets. Directors represent a perfect demographic cross section to be attacked. Attack vectors may include phishing, ransomware, and social media.
Earlier this year, an employee of the National Security Agency was in the news as the hacker apparently stole government secrets from the comfort of his own home network. Directors with access to confidential strategic or financial information should make sure their home networks are protected above and beyond the usual consumer grade defenses. Another attack path may be through tools and services used by directors. In 2010 attacks were reported against a prominent meeting portal for corporate boards. It is not clear if any sensitive information was stolen at that time.
What more should directors do?
First, make sure your home network is built to corporate standards. You need a commercial firewall, not just a consumer router. Most critically, any devices—especially firewalls and routers—should be set to auto-update their security firmware. Auto-update is now included in the Windows 10 operating system, in most smart phones, and in many home network devices, but not in devices more than a few years old. Anything you put on your network will be found to have vulnerabilities, so this software and firmware update feature is critical to keep hackers out.
Password strength and protection represent a second critical area. Many breaches result from theft of user credentials such as username and password. You should use two-factor authentication to log in to sites with your financial or personal information. Two-factor verification uses a second security barrier to verify with the application or website that the person logging in is, in fact, you. For instance, applications for your smart phone such as Google Authenticator and Duo Security generate one-time tokens that serve as a second factor. More familiar is the text messaging that many sites still use to send one-time codes to users. This process has been deprecated by the Federal government because of potential eavesdropping attacks, so use the dedicated security apps, if possible. Still other financial sites do not yet have any two-factor authentication available. For these, make sure to use strong passwords that contain at least 12 characters, and that preferably can be pronounced. Such complex passwords should be managed using password vaults like LastPass or KeePass.
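To show why an authenticator app's one-time token is tied to a shared secret and the current time rather than to anything sent over a text message, here is an added illustration (not code from the original post or from any authenticator vendor) of the standard time-based one-time password algorithm (RFC 6238), using the RFC's published test seed; the skew window and the base32 helper are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import struct
import time

# Shared secret from RFC 6238 Appendix B (ASCII "12345678901234567890"),
# used here as a constructed demonstration value, not a real credential.
RFC_SEED = b"12345678901234567890"
STEP_SECONDS = 30          # default token lifetime used by authenticator apps


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 secret that enrollment QR codes carry (assumed format)."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)          # restore stripped padding
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a 64-bit counter."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """Time-based code: the counter is the number of 30-second steps since epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: float, step: int = STEP_SECONDS,
                digits: int = 6, skew: int = 1) -> bool:
    """Accept the current step plus `skew` neighbours to tolerate clock drift.

    The comparison is constant-time so response timing leaks nothing about
    how many leading digits of a guessed code were right.
    """
    counter = int(at_time) // step
    for c in range(counter - skew, counter + skew + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    print("current code for the RFC test seed:", totp(RFC_SEED, now))
    print("verifies:", verify_totp(RFC_SEED, totp(RFC_SEED, now), now))
```

A code is only valid for its 30-second step plus the configured skew, which is why an attacker who reads one token still needs the shared secret to produce the next one.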
The last factor to consider is encryption. Never store any sensitive data online without encrypting it and protecting it using a password known only to you. It is true that collaboration sites like Dropbox do encrypt the data saved there, but the companies still have the encryption keys and can view the data. These keys can be hacked or stolen by a disgruntled employee. That level of encryption is fine for 99 percent of the information you store online. But for the other, essential 1 percent of information—especially personal or corporate sensitive material—only you should have the encryption key. Applications like Boxcryptor integrate with Dropbox and enable you to further protect your information.
These three security precautions will help you keep your personal and professional information secure. Since threats and vulnerabilities are constantly changing, you should keep up to date using the NACD Cyber-Risk Resource Center and other sources of information on this topic. Also consider attending the NACD Global Cyber Forum in Geneva, Switzerland, April 17–18, 2018. You’ll hear from leading international directors, executives, and security professionals on how to protect sensitive corporate information.
Frederick Scholl is president of Monarch Information Networks, and is adjunct professor of computer science at Lipscomb University in Nashville, TN. All thoughts expressed here are his own.
It’s way too early to make any judgments on board conduct in the Equifax controversy. That’ll be for the courts to decide, and they’ll take a long time getting there. But it’s not too early to draw some useful governance lessons from the situation, if media reports are to be believed. And these are lessons that apply regardless of whether the board serves a publicly held, privately owned or nonprofit corporation.
Some of these lessons relate to the board’s crisis management responsibilities. Others relate to the oversight of the board-CEO relationship. Still others invoke expectations of board cybersecurity oversight.
All of the possible lessons are premised on the increasing recognition of the inevitability of crisis, be it black swan or foreseeable, cybersecurity-related or “from out of left field.” For most complex enterprises, crises are just going to happen. The only questions are when, how big the crisis will be, and from what direction it will come. The most prescient of boards will embrace this inevitability and prepare for a corporate governance version of Defcon 3.
The other lessons are more practical in nature.
1. Emergency Succession
The swiftness of Mr. Smith’s removal speaks to the “nuts and bolts” value of having an emergency executive succession plan. The sudden Smith transition is a shocking example of how emergency succession applies to circumstances beyond customary triggers such as death, health care and family considerations. In today’s crisis-oriented environment, the need to separate from, and replace even the youngest, seasoned and most successful executives can arise at a moment’s notice.
Succession is a part of the board’s basic responsibilities that often gets lost amid the confluence of best practices and consultant messaging. Such planning can be complicated. According to the New York Times, the Equifax board regarded many of its original replacement candidates as “tainted” by ties to the cyber breach—including some executives who are believed to have sold company stock after the breach was discovered but before it was disclosed to the public.
2. Structuring the Separation
There’s also the need to anticipate both the classification and the financial terms of executive separation in the context of a crisis environment. According to media reports, Mr. Smith’s separation was described as a retirement. Yet, the board announced that it was reserving the right to retroactively classify the separation as for-cause termination, based upon the ultimate findings of a board special committee charged with the responsibility for reviewing the data breach. Such a reclassification would have obvious and material implications for Mr. Smith’s compensation arrangements, including valuable stock awards.
This action by the Equifax board reflects several key realities of the crisis environment.
It will often be difficult to fairly ascertain the presence of cause for termination purposes in the direct aftermath of a crisis. The consideration of the results of an internal investigation may be a necessary and equitable precondition.
While not yet considered best practice, the use of clawbacks and other forms of executive compensation disgorgement arrangements is increasingly viewed as an effective response to executive fraud, malfeasance, or other misconduct. Clawback application has most recently been demonstrated by the actions of a financial services company board in response to a significant corporate controversy.
Boards must face the harsh reality of the need to impose separation in advance of intense scrutiny by the media, regulators, and possibly even legislators. The sometimes corporate brutality of “throwing executives under the bus” may be perceived as both part of an effective board response (i.e., to demonstrate board accountability), and necessary to preserve the reputation of the company and the interests of its stakeholders. According to the Wall Street Journal, the departures of the Equifax information officer and chief security officer were not considered by the board to be actions significant enough in stature. Thus, the concept of “strict accountability” for executives in the context of major corporate controversies may increasingly be considered an indirect part of the compact between the board and management.
3. The Standard of Conduct
Another lesson is for the board to reconsider the effectiveness of its own cybersecurity oversight efforts. The leading judicial decisions have to date established a high Caremark-style barrier for demonstrating breach of cybersecurity oversight responsibilities. Notable in this regard was the decision of the court in the Home Depot case to extend the protection of the business judgment rule to the board’s conduct, despite its clearly expressed concerns about the speed with which the board implemented protective measures.
However, boards should not place unreasonable reliance on Caremark protection. As instances of cyberbreaches become more egregious, it is reasonable to project a stricter approach to director liability in future cases.
4. The Self-Critique
Perhaps the most basic governance lesson from Equifax is the need for board self-evaluation. Any board-driven internal investigation of a corporate controversy will benefit from consideration of the adequacy of the full board’s related oversight efforts. For example, the Wall Street Journal reported that weaknesses in Equifax’s cybersecurity measures were “apparent to outside observers in the months before the hack.” Was the board made aware of these weaknesses? If not, why not? Such a self-critique has been an accepted component of truly comprehensive internal investigations since the “Powers Report” from the Enron board. The willingness to consider how possible governance inadequacies may have contributed to crises can serve as a powerful demonstration of the board’s good faith and assumption of ultimate responsibility.
Equifax is not, as some have characterized it, the second coming of Enron. That’s unnecessary hyperbole at this point. As exaggerated as commentary may be, what is known about the crisis offers a valuable teaching moment to boards about expectations of fiduciary conduct in crisis situations, cybersecurity or otherwise.
Michael W. Peregrine, a partner in McDermott Will & Emery, advises corporations, officers and directors on matters relating to corporate governance, fiduciary duties and officer/director liability issues. His views are his own and do not necessarily reflect the views of McDermott Will & Emery, its clients, or NACD.
Law firms that specialize in suing directors will scrutinize nearly every major transaction, public offering, stock drop, restatement, and press release filed by public companies. For instance, according to Cornerstone Research, stockholders file lawsuits challenging the majority of public company transactions valued at more than $100 million, with an average of three lawsuits per transaction. An effective defense of these almost-inevitable lawsuits can begin long before they are filed. With a few simple steps, directors can reduce the burden of these lawsuits and protect themselves from the most common tactics utilized by stockholders’ attorneys.
1. Vet conflicts early and often. Perhaps the easiest way to avoid fiduciary duty liability is to avoid situations where you have conflicting interests in a transaction or other board decision. Due to various protections under Delaware law, directors are rarely held liable for poor or ill-informed decisions if the directors are not self-interested (unless they are grossly negligent), and articles of incorporation almost universally protect directors from monetary damages for such decisions. By contrast, Delaware fiduciary duty law imposes exacting standards for directors who participate in board decisions when they have a material self-interest in that decision. Thus, any major board initiative should begin with a full analysis of each director’s potential self-interests, and this analysis should be updated throughout the initiative. Of course, this analysis requires you to stay organized with your outside business interests (e.g., your employer’s customers, suppliers, and competitors) and personal financial situation (e.g., ownership interests). Recusing yourself can be the stitch in time that saves nine.
2. Treat all board communications formally. The documents that often cause the most trouble in litigation are informal e-mails between two directors. Even if e-mails contain nothing objectively negative regarding the board decision at issue, such e-mails can raise questions about the board’s deliberative process, especially if the issue raised in an e-mail was not discussed with the full board. A skilled plaintiff’s counsel can often interpret a casually written message in an unintended manner. In most instances, if a director raises any concern outside of a board meeting, the full board should resolve that concern and memorialize the process in a contemporaneous document (e.g., the minutes). If you have said anything in an e-mail that is inconsistent with your ultimate vote on an issue—even if you were just playing “devil’s advocate”—you should be prepared to square your communications with your vote. In other words, make sure your concerns are resolved through the deliberative process before making your decision.
3. Maximize efficiency in pressing circumstances. Perhaps underestimating how quickly and diligently directors and their advisors can work in exigent circumstances, plaintiffs’ attorneys often allege that board decisions were too rushed. For instance, in one of the more infamous Delaware fiduciary duty decisions, a financial advisor did not send any valuation materials to a board of directors until 9:42 p.m. on the night that the directors met to vote on a merger. The board met at 11 p.m. and approved the merger that night. Tight deadlines are often unavoidable, but directors can take steps to maximize the efficiency of the process. For instance, request early drafts of meeting materials, make your advisors work around-the-clock when necessary, and don’t wait until the board meeting to ask questions. At the end of the day, you need to be able to honestly state that you had enough time to fully consider any issues or concerns and come to a reasoned decision. Use your resources efficiently to get to that point.
4. Make your advisors an asset, not a liability. The quality and independence of a board’s advisors is a direct reflection on the quality and independence of the board’s process. This scrutiny begins when a board (or committee) selects its outside advisors. Stockholders may cry foul if directors simply accept management’s recommended advisor, especially if any member of management may have a self-interest in the relevant transaction.
To avoid these common allegations, interview multiple advisory firms, thoroughly inspect their potential conflicts, and negotiate for a fee structure that aligns the advisor’s incentives with the best interests of the stockholders. Stockholders also regularly allege that advisors are “deal cheerleaders” who bend their analysis to support the board’s wishes. To rebut these allegations, insist that your advisors objectively analyze the relevant issues, and ask them to obtain the board’s approval for any significant assumptions, methodology decisions, and other subjective portions of their analyses. To the extent possible, you should also resist your advisors’ efforts to load their work-product with disclaimers. Above all, carefully analyze your advisors’ work-product, ask questions, and do not rely on their opinions until you understand and approve of the efforts and reasoning underlying those opinions.
5. Ensure that the meeting minutes fully reflect the process. We cannot overstate the importance of minutes in litigation against directors. First, judges and juries typically place more weight on contemporaneous records of a board decision than after-the-fact testimony. Second, depositions often happen several months (if not years) after a challenged board decision, and minutes are an important tool for refreshing directors’ memories. Ask the board secretary to draft minutes promptly after a board meeting so that you can review them while the meeting is still fresh on your mind. When reviewing minutes, make sure that they accurately reflect a summary of the issues discussed, the specifics of any decisions reached, and a list of all attendees (plus mid-meeting arrivals and departures). Not every single statement made during a meeting can or should be part of the minutes, but it is important for the minutes to reflect every topic discussed at the meeting. Ask yourself: “If I’m questioned about this meeting at a deposition next year, will these minutes help me answer questions and show the court that we fulfilled our duties?”
6. Know the boundaries of the attorney-client privilege. The attorney-client privilege is not a guarantee that all correspondences with counsel are shielded from discovery. For instance, contrary to many directors’ (and attorneys’) beliefs, the attorney-client privilege does not protect every e-mail on which an attorney is copied. Rather, an e-mail is generally privileged only if the correspondence is sent in furtherance of requesting or providing legal advice. Parties in litigation are often required to redact the “legal advice” portion of e-mails and produce the remaining portions. Thus, an e-mail (or a portion of an e-mail) concerning purely business issues might not be shielded from production. Additionally, communications with certain persons that would ordinarily be privileged, including in-house and outside counsel, may not be privileged under certain circumstances. Further, even if a document is undisputedly privileged, litigants sometimes waive the attorney-client privilege for strategic reasons, such as when the board asserts that it made a challenged decision in reliance on advice from counsel. While it is vital to have open and honest communications with your counsel, it is also important to remember that those communications may be shown to an opposing party. If there is something you would not write down in a non-privileged e-mail, then consider calling your attorney instead of sending an e-mail.
7. Use a board-specific e-mail address. By exclusively using a non-personal e-mail address for board-related correspondences, you can significantly reduce the odds of personal e-mails (or e-mails concerning your other business endeavors) becoming subject to discovery. Too often, we see directors using their “day job” e-mail addresses for their directorial correspondences; this can lead to situations where your employer’s confidential information must be copied, reviewed by your outside counsel, or (worse yet) produced to the opposing party in litigation. The same holds true for personal e-mail addresses, which some directors use for their family’s bank statements and board-related e-mails. The best way to potentially avoid this situation is to proactively segregate board-related e-mails to a different e-mail account. Some companies create e-mail addresses for their directors. If yours does not, consider creating an e-mail account and conducting board-related business solely from that address.
Craig Zieminski and Andrew Jackson are litigation attorneys at Vinson & Elkins LLP. They specialize in representing companies and their directors in lawsuits alleging breaches of fiduciary duties, partnership agreement duties, merger agreements, and federal securities laws.