Who can forget the famous lyrics to the 1968 Noel Harrison song “The Windmills of your Mind”? Mirroring many other facets of life, cybersecurity is “[L]ike a circle in a spiral, like a wheel within a wheel, never ending nor beginning.” As the threat landscape changes, as risk appetites shift, and as new regulations come into being, your organization’s approach to cyber risk also must continually adapt. Throw in the new European General Data Protection Regulation and it’s clear now is the time to be discussing these issues.
Oversight responsibility for cybersecurity has become a board-level responsibility. However, what cybersecurity actually means for a business is often still something of a mystery to some in this position.
Some corporate directors struggle to answer questions such as:
What is our ability to prevent, detect, contain and respond to a cyberattack?
How should our internal departments, such as information technology, legal, and communications—work together when an incident occurs?
What is our overall risk tolerance?
How does our level of preparedness compare to our competitors?
What is the potential impact of a cyber incident to our balance sheet?
What is the return on investment for additional security controls compared to the cost of obtaining cyber insurance coverage?
After last year’s major ransomware attacks, business interruption has become a topic for discussion in many corporate boardrooms. Total economic losses associated with WannaCry are estimated at $8 billion, with half a billion dollars attributed to business, or network, disruption. But there seems to be a lack of ideas on how to mitigate that exposure, how to assess and measure a potential business interruption risk, and how to evaluate this issue with suppliers.
One element of a mature cybersecurity program is cybersecurity insurance. While this is an important spoke in the wheel, it’s also important to understand that it is only one part of the whole.
There is a misconception about what cyber insurance actually is, and almost more importantly, what it is not. Recently, I talked with a medium-sized business about cyber insurance, and their thoughts before our meeting were along the lines of, “if we purchase cyber insurance, we do not need to invest in a cyber security program any longer. After all, we will be insured.”
Even though such a statement is issued infrequently, and would surely not come from any organization that has reached some degree of cyber maturity, it took me by surprise. Yes, risk transfer is important, but only as part of a broader approach to cyber resilience. In a world where systemic cyberattacks are becoming more frequent, nobody wants to be the low-hanging fruit.
In a nutshell, traditional cyber insurance is aimed at dealing with the financial impacts associated with a security or privacy event, including direct costs with managing the event, loss of income, paying extortion demands, as well as liability, including regulatory fines and penalties in jurisdictions where such costs are insurable.
Cyber insurance itself is not a single coverage. It can be packaged in a number of different ways to match an individual client’s insurance buying strategy and evolving cyber threats, risks, and emerging impacts. It can be a combination of first- and third-party offerings, responding to the direct losses of a cyber event as well as claims asserted by third parties.
It’s also important to say what this type of insurance does not address. Cyber insurance does not replace a cybersecurity program and does not negate the need for good security controls. In fact, some policies may require demonstration of certain best practices in cybersecurity in order to provide indemnification. In order for organizations to effectively manage cyber risk, they should have both an effective security program and insurance in place for when defenses fail.
Like all other risks, it is important to look at cyber risks as a continuous cycle of management, not just a one-time risk mitigation exercise. The cycle is one of determining the current risk posture, by looking at the likelihood of cyber threats and the impacts, as well as the current security controls in place.
Based on the internally-determined risk appetite, if certain risks are considered to be above the threshold, they need to be mitigated by additional controls. Once completed, this cycle will be carried out continuously, as the lyrics to “The Windmills of Your Mind” suggest.
As is the nature of risk, it is almost impossible to eradicate it completely, and there is always a residual risk. It is this residual risk that is picked up by cyber insurance, a necessity even for the most resilient among us.
Law firms that specialize in suing directors will scrutinize nearly every major transaction, public offering, stock drop, restatement, and press release filed by public companies. For instance, according to Cornerstone Research, stockholders file lawsuits challenging the majority of public company transactions valued at more than $100 million, with an average of three lawsuits per transaction. An effective defense of these almost-inevitable lawsuits can begin long before they are filed. With a few simple steps, directors can reduce the burden of these lawsuits and protect themselves from the most common tactics utilized by stockholders’ attorneys.
1. Vet conflicts early and often. Perhaps the easiest way to avoid fiduciary duty liability is to avoid situations where you have conflicting interests in a transaction or other board decision. Due to various protections under Delaware law, directors are rarely held liable for poor or ill-informed decisions if the directors are not self-interested (unless they are grossly negligent), and articles of incorporation almost universally protect directors from monetary damages for such decisions. By contrast, Delaware fiduciary duty law imposes exacting standards for directors who participate in board decisions when they have a material self-interest in that decision. Thus, any major board initiative should begin with a full analysis of each director’s potential self-interests, and this analysis should be updated throughout the initiative. Of course, this analysis requires you to stay organized with your outside business interests (e.g., your employer’s customers, suppliers, and competitors) and personal financial situation (e.g., ownership interests). Recusing yourself can be the stitch in time that saves nine.
2. Treat all board communications formally. The documents that often cause the most trouble in litigation are informal e-mails between two directors. Even if e-mails contain nothing objectively negative regarding the board decision at issue, such e-mails can raise questions about the board’s deliberative process, especially if the issue raised in an e-mail was not discussed with the full board. A skilled plaintiff’s counsel can often interpret a casually written message in an unintended manner. In most instances, if a director raises any concern outside of a board meeting, the full board should resolve that concern and memorialize the process in a contemporaneous document (e.g., the minutes). If you have said anything in an e-mail that is inconsistent with your ultimate vote on an issue—even if you were just playing “devil’s advocate”—you should be prepared to square your communications with your vote. In other words, make sure your concerns are resolved through the deliberative process before making your decision.
3. Maximize efficiency in pressing circumstances. Perhaps underestimating how quickly and diligently directors and their advisors can work in exigent circumstances, plaintiffs’ attorneys often allege that board decisions were too rushed. For instance, in one of the more infamous Delaware fiduciary duty decisions, a financial advisor did not send any valuation materials to a board of directors until 9:42 p.m. on the night that the directors met to vote on a merger. The board met at 11 p.m. and approved the merger that night. Tight deadlines are often unavoidable, but directors can take steps to maximize the efficiency of the process. For instance, request early drafts of meeting materials, make your advisors work around-the-clock when necessary, and don’t wait until the board meeting to ask questions. At the end of the day, you need to be able to honestly state that you had enough time to fully consider any issues or concerns and come to a reasoned decision. Use your resources efficiently to get to that point.
4. Make your advisors an asset, not a liability. The quality and independence of a board’s advisors is a direct reflection on the quality and independence of the board’s process. This scrutiny begins when a board (or committee) selects its outside advisors. Stockholders may cry foul if directors simply accept management’s recommended advisor, especially if any member of management may have a self-interest in the relevant transaction.
To avoid these common allegations, interview multiple advisory firms, thoroughly inspect their potential conflicts, and negotiate for a fee structure that aligns the advisor’s incentivizes with the best interests of the stockholders. Stockholders also regularly allege that advisors are “deal cheerleaders” who bend their analysis to support the board’s wishes. To rebut these allegations, insist that your advisors objectively analyze the relevant issues, and ask them to obtain the board’s approval for any significant assumptions, methodology decisions, and other subjective portions of their analyses. To the extent possible, you should also resist your advisors’ efforts to load their work-product with disclaimers. Above all, carefully analyze your advisors’ work-product, ask questions, and do not rely on their opinions until you understand and approve of the efforts and reasoning underlying those opinions.
5. Ensure that the meeting minutes fully reflect the process. We cannot overstate the importance of minutes in litigation against directors. First, judges and juries typically place more weight on contemporaneous records of a board decision than after-the-fact testimony. Second, depositions often happen several months (if not years) after a challenged board decision, and minutes are an important tool for refreshing directors’ memories. Ask the board secretary to draft minutes promptly after a board meeting so that you can review them while the meeting is still fresh on your mind. When reviewing minutes, make sure that they accurately reflect a summary of the issues discussed, the specifics of any decisions reached, and a list of all attendees (plus mid-meeting arrivals and departures). Not every single statement made during a meeting can or should be part of the minutes, but it is important for the minutes to reflect every topic discussed at the meeting. Ask yourself: “If I’m questioned about this meeting at a deposition next year, will these minutes help me answer questions and show the court that we fulfilled our duties?”
6. Know the boundaries of the attorney-client privilege. The attorney-client privilege is not a guarantee that all correspondences with counsel are shielded from discovery. For instance, contrary to many directors’ (and attorneys’) beliefs, the attorney-client privilege does not protect every e-mail on which an attorney is copied. Rather, an e-mail is generally privileged only if the correspondence is sent in furtherance of requesting or providing legal advice. Parties in litigation are often required to redact the “legal advice” portion of e-mails and produce the remaining portions. Thus, an e-mail (or a portion of an e-mail) concerning purely business issues might not be shielded from production. Additionally, communications with certain persons that would ordinarily be privileged, including in-house and outside counsel, may not be privileged under certain circumstances. Further, even if a document is undisputedly privileged, litigants sometimes waive the attorney-client privilege for strategic reasons, such as when the board asserts that it made a challenged decision in reliance on advice from counsel. While it is vital to have open and honest communications with your counsel, it is also important to remember that those communications may be shown to an opposing party. If there is something you would not write down in a non-privileged e-mail, then consider calling your attorney instead of sending an e-mail.
7. Use a board-specific e-mail address. By exclusively using a non-personal e-mail address for board-related correspondences, you can significantly reduce the odds of personal e-mails (or e-mails concerning your other business endeavors) becoming subject to discovery. Too often, we see directors using their “day job” e-mail addresses for their directorial correspondences; this can lead to situations where your employer’s confidential information must be copied, reviewed by your outside counsel, or (worse yet) produced to the opposing party in litigation. The same holds true for personal e-mail addresses, which some directors use for their family’s bank statements and board-related e-mails. The best way to potentially avoid this situation is to proactively segregate board-related e-mails to a different e-mail account. Some companies create e-mail addresses for their directors. If yours does not, consider creating an e-mail account and conducting board-related business solely from that address.
Craig Zieminski and Andrew Jackson are litigation attorneys at Vinson & Elkins LLP. They specialize in representing companies and their directors in lawsuits alleging breaches of fiduciary duties, partnership agreement duties, merger agreements, and federal securities laws.
Directors and officers of both public and private companies operate in difficult, complex, and evolving business, legal, and regulatory environments. Challenges and risk exposures are unavoidable, and the speed of change shows no sign of slowing. Accordingly, it is imperative that directors and officers stay abreast of issues impacting the risk landscape and continually analyze how best to protect themselves. The recently released NACD Board Leadership report prepared with Marsh, “Evolving Directors & Officers Liability Environment Emerging Issues & Considerations,” identifies core areas of change and associated insurance concerns for directors & officers (D&O).
Four areas being closely watched today are discussed below.
Securities regulations and resulting enforcement and claims will change over the course of President Trump’s administration, although the extent of the change remains to be seen. Deregulation for financial institutions and other organizations is likely. Although deregulation may ease the regulatory burden on businesses in an effort to stimulate growth, it could lead to a rise in resulting claims due a potential decrease in transparency and mandated corporate guidelines.
We may also see a shift in how government regulatory agencies handle purported wrongdoing—perhaps with the assessment of fewer corporate penalties while continuing to hold culpable individuals accountable. Based on some of the recent U.S. Securities and Exchange Commission appointments — including the SEC Chair and co-heads of the SEC Division of Enforcement —many expect that the agency will continue to aggressively pursue culpable individuals.
Generally speaking, activism is on the rise, including environmental activism, shareholder activism, and other forms. The first climate change-related securities class action was filed in late 2016, and more are expected to follow. Some anticipate that, as a result of the Trump administration’s withdrawal from the Paris Agreement, environmental activists’ drive to advance their agenda—whether through civil litigation, shareholder resolution initiatives, or other means—will increase. In addition, we expect there to be more initiatives driven by state regulatory actions and non-governmental organizations.
Increase in Securities Claims
According to NERA Economic Consulting, the number of securities class action filings in the first quarter of 2017 was significantly higher than in past years. The number for the first quarter of 2017 stood at 144 filings of federal securities class actions, which is up from 102 filings in the first quarter of 2016. If filings continue at this rate, we expect there to be close to 500 securities class action filings in 2017 alone, a 66 percent increase from 2016. The rise in filings can be attributed to several factors including, but not limited to: the increase in merger objection-related filings in federal court; the increase in the number of securities plaintiff firms; and, arguably, a race to the courthouse before any new regulatory changes are implemented.
Cybersecurity-related losses continue to be one of the most worrisome potential exposures for companies. Despite some significant recent cyberbreaches, the first traditional securities class action litigation against directors and officers was only recently filed. The complaint generally alleges that the defendants made materially false and/or misleading statements about the breach. It also claims failure to disclose material adverse facts about the company’s business and operations specific to data protection, and the discovery and potential impact of the data breaches.
On the other hand, there have been a number of derivative lawsuits filed against companies’ directors and officers for alleged mismanagement of cybersecurity incidents. To date, defendants in this type of litigation have largely been successful in getting these cases dismissed by invoking the business judgement rule, among other defenses. However, a notable, recent settlement of one of these derivative actions while on appeal will likely continue to fuel the plaintiff’s bar’s drive to pursue cybersecurity-related D&O claims.
While each of the above can be viewed as discrete risks, they each share a common thread: increased exposure to directors and officers. As a best practice, all directors should regularly review their D&O insurance program with their insurance advisors to ensure adequate protection in the wake of the increasingly risky environment in which we live. Directors and the officers of their companies should ask themselves probing questions about their insurance coverage:
Does my D&O insurance program provide sufficient limits of liability?
Am I protected by Side-A Difference In Conditions insurance? If so, are those limits sufficient?
How will my D&O insurance coverage respond in connection with a regulatory investigation? Will I be covered to the extent there is an internal investigation associated with an external regulatory investigation?
Does the selection of insurers on my company’s D&O “tower” make the most sense should I need to turn to the insurers for coverage?
How narrowly tailored is the exclusionary language in my policies? How favorable is the severability language?
By reviewing these questions in conjunction with their insurance programs on at least an annual basis, directors and officers will be more adequately prepared for the scenarios outlined above.