Category: Risk Management

NACD Insight & Analysis: SEC Whistleblower Program


In Thursday’s NACD Directors Daily, the Wall Street Journal reported on the actions large companies have taken in response to the SEC’s proposed whistleblower program. While the SEC has received hundreds of comment letters opposing various provisions of the proposed rules, the Journal reported on more than two dozen of the country’s largest companies that have asked the SEC to revise the proposed rules. One of the more contentious issues is the proposed “bounty” that would be rewarded to a whistleblower if the company receives a sanction of more than $1 million. That bounty could range between 10 and 30 percent of the penalty paid by the company.

The article covers both sides of the debate surrounding the new whistleblower program. Businesses fear that employees will bypass the internal compliance programs and whistleblowing hotlines mandated by Sarbanes-Oxley, and report directly to the SEC. On the other hand, attorneys defending whistleblowers argue that requiring the use of internal reporting channels prior to the SEC would discourage fraud reporters for fear of losing anonymity. The SEC has just weeks to issue final rules that balance the use of internal reporting systems with reporting fraud.

Since the SEC first proposed rules on the new program last fall, NACD has worked to amplify the voice of the director on this issue. In our comment letter, we voiced concerns similar to the reservations expressed by the companies in the Journal article. Our letter stressed that the SEC should work to enhance and strengthen the internal reporting channels already in place, rather than allow those channels to be bypassed by employees going directly to the SEC with an issue. Encouraging internal reporting can help management address and solve issues in the early stages, which in many cases are best solved by internal human resources professionals.

In the past months, NACD has also met with key members of the regulatory and investor communities to discuss the possible consequences of the proposed whistleblower rules, along with your concerns and suggestions as we heard them in our survey prior to submitting our comment letter. In addition, last week’s edition of NACD BoardVision features NACD’s Managing Director & CFO, Peter Gleason, discussing the whistleblower provisions with PwC’s John Barry.

Social Media and Compliance – It’s All a Matter of XYZ


Despite the SEC’s 2008 interpretive admonition that all communications made by or on behalf of a company—even those made by employees on social media, blogs, and shareholder forums—are subject to relevant provisions of federal securities laws, widespread corporate adoption of appropriate compliance procedures in that regard remains elusive at small and large public companies alike. In an eye-opening IR Web Report article published in April 2010, Dominic Jones set forth a litany of issues facing investor relations professionals with respect to social issues, arriving at the austere conclusion that at literally hundreds of public companies studied, investor relations professionals are exposing their companies to material compliance risks by failing to suitably monitor the use of social media.  One of the principal impediments to widespread boardroom assessment of these risks is that many directors simply don’t have substantive experience with social media, its use, misuse, and potential legal and regulatory consequences.

To illustrate the potential scope of issues of which directors should be aware in this regard, consider the following hypothetical: XYZ is a public company that manufactures widgets. XYZ has an investor relations manager, and several employees throughout the organization who regularly contribute to XYZ’s website, XYZ’s industry blog, XYZ’s Facebook and Twitter accounts, and occasionally to their own Facebook and Twitter accounts. XYZ is planning on releasing its quarterly earnings press release at 1:00 pm ET (during market hours) on its website; the results are far in excess of consensus estimates. At 12:50 pm, a third-party financial blog that follows XYZ posts a note to the financial blog’s Facebook page stating that its “channel checks weren’t impressive – going to be a tough quarter for XYZ. That said, we love their new ABC 5000 widget which will be a HUGE winner for them.” At 12:52 pm, Sally, from XYZ sales and marketing, replies on the financial blog’s Facebook page that she “like[s] this posting,” and puts a link to that Facebook page on XYZ’s industry blog. At 12:54 pm, Jim, an XYZ engineer, responds to a pejorative Tweet about XYZ by a friend who works for XYZ’s largest competitor, by posting a link on his personal Twitter page to a summary of a third-party analyst note reiterating that XYZ is a “strong buy.” At 12:56 pm, Larry, XYZ’s investor relations manager, updates XYZ’s official Facebook and Twitter pages to remind people that the earnings release is forthcoming, but erroneously instructs people to look for the release on the wire, instead of at XYZ’s website. The earnings release is posted on XYZ’s website precisely at 1:00 pm ET, but isn’t picked up by the wire services until 1:03 pm. During the three-minute gap, the stock rises 10 percent. Later that afternoon, Margaret and some of her overworked, dissatisfied colleagues in XYZ’s factory intentionally and untruthfully “tweet” in their personal Twitter accounts that the ABC 5000 is being shipped with a critical design flaw. The next morning, one of the research analysts covering XYZ elects to downgrade the stock due to the prior day’s price increase, but since it’s not good news, Larry decides not to state anything about that on XYZ’s website, Facebook or Twitter accounts.

As fanciful as it might sound to directors who are less social media savvy, fact patterns like these are playing out routinely, and the panoply of issues created in the process can be vexing.  Though Sally mightn’t have been intentionally seeking to mislead investors, what does it mean to an XYZ investor when an XYZ employee says they “like” a financial blog posting which predicts, among other things, doom for XYZ’s impending quarter; what if an XYZ investor reasonably relied on that and sold her stock eight minutes before a 10-percent rally? Similarly, Jim mightn’t have intended to mislead his Twitter followers by directing them to a summary of a positive analyst report, but are there ramifications to XYZ for its  employee omitting regulatory disclaimers in connection with what can be construed to be investment advice? Larry didn’t intend to misguide investors by directing them away from XYZ’s website for the earnings release, but, having done so, the three-minute news lapse could well have been costly to certain investors given the stock movement. Lastly, the intentionally false and misleading Tweets by Margaret and her colleagues are, per the SEC’s interpretation referenced above, attributable to XYZ.  It’s also plausible that Larry’s purposeful omission of the analyst’s downgrade could garner some regulatory attention if XYZ’s website, Facebook and Twitter accounts are, by design, places where the preponderance of XYZ’s investors are induced to get their information about XYZ.

Whether attuned to social media or not, a practical way for directors to start evaluating these risks is by simply providing this hypothetical to a company’s communications managers in advance of the next board meeting, and asking appropriate personnel to make a presentation about how and to what extent there are procedures in place to effectively manage these and associated risks. One thing’s for certain: these are challenges that are going to multiply, not diminish.

*        *        *        *        *

Adam J. Epstein, an NACD member, is a director of OCZ Technology Group, Inc., and is the founding principal of Third Creek Advisors, LLC (“TCA”), which acts as a special advisor to small-cap boards with respect to corporate finance and capital markets. Prior to founding TCA, Mr. Epstein was co-founder and principal of Enable Capital Management, LLC, an investment firm whose funds have invested directly in hundreds of small-cap companies.  Preceding several senior operating roles in retail and technology, Mr. Epstein began his career as an attorney at Brobeck, Phleger & Harrison.  Mr. Epstein has been featured on CNN, ABC News, and in The Wall Street Journal.  Mr. Epstein can be contacted by email at

Straighten Up and Fly Right: IT Risk Governance for Non-Techie Directors



Virginia Gambale

JetBlue Director Virginia Gambale heard the news about the airline’s fed-up flight attendant—the one who exited the plane via the emergency slide, cursing passengers as he touched down on the tarmac—well before some of the company’s senior executives. Social media-savvy Virginia uses a web tool to track all mentions of companies on whose boards she sits, and as soon as someone tweeted news of the incident, she was on it.

Virginia, a former CIO with Merrill Lynch and Bankers Trust, shared the story at NACD’s Director Professionalism®—The Master Class, held this week in Clearwater, FL. She was one of a number of dedicated NACD members honing their board leadership skills and using peer expertise to identify and explore innovative solutions to persistent and emerging challenges.

Virginia urged her peers with non-IT backgrounds to become more involved in oversight of the company’s technology strategy. “Ask questions,” she said. “If people tell you that deadlines are being missed, that delivery of services isn’t possible, or that it’s just too complicated to get something done, then you don’t have the right strategy and you may need to change your CIO. Ask the CIO to talk about allocation of resources and find out how the dollars are spent between maintenance and innovation. You can make the same judgments as you would on any other area of the business.”

“Ask ‘What is our model for technology leadership?’” advises Virginia, and ask to be walked through the governance model and strategy for partners and communications with customers. “Read the company culture: Is IT a partner or service provider? How closely integrated is it with your lines of business? What, why and where are you outsourcing, and what effect is that having on your risk? Virtual roads and highways need to be maintained, but you can outsource a lot of this and pay only for what you use,” she said.

Virginia urges boards to make sure they have at least one person charged with asking these and other questions. “It can be helpful to have a technology and operations sub-committee sitting under audit or risk,” she recommends, especially if the company needs to find a new CIO. Failing this, the board should consider hiring an outside consultant.

“Security breaches, brand tarnish, information leaks or, at worst, a death can do your company real harm,” said the director, who joined the JetBlue board around the time of the Valentine’s Day “Ice Incident.” And, she added, “You can’t risk disintermediation—the business boneyard is filled with companies where the strategists at board and C-suite level failed to ask the right questions and fooled themselves for too long.”

“Today, every man, woman and child has access to instant information,” she reminded the group. “Use social media intelligently—it can supply you with useful information about what your customers think. And remember, if a mind created it, a mind can break it. Be mindful of the need for ongoing vigilance and sound practice in information security.”

Other directors sharing their expertise with peers attending NACD’s Master Class included Office Depot Compensation Chairman Rear Admiral (Retired) Marty Evans; Winn-Dixie Director Charlie Garcia, who discussed the implications of America’s growing Hispanic population for board composition; and Major General (Retired) Hawthorne “Peet” Proctor, who spoke about the characteristics of exemplary board leadership.
