Many company boards are anxious in the current regulatory environment with stepped-up efforts by the federal government and the risk of lawsuits looming on many fronts.
For instance, Mary Jo White took over the helm at the Securities and Exchange Commission (SEC) last year and announced in an October speech that, “one of our goals is to see that the SEC’s enforcement program is—and is perceived to be—everywhere, pursuing all types of violations of our federal securities laws, big and small.”
It is known as the “broken windows” strategy, where if “a window is broken and someone fixes it, it is a sign that disorder will not be tolerated,” she explained. “But, when a broken window is not fixed, it is a signal that no one cares, and so breaking more windows costs nothing.”
Given this strategy, it comes as no surprise that pressing issues such as cybersecurity are of great concern to boards.
“Ten years ago, it probably was not high on anyone’s agenda,” Steven Blonder, a principal at Much Shelist, says about cybersecurity. Now it either is a priority or should be a priority for boards, he adds.
For example, many board members at numerous companies watched the events surrounding Target’s massive data breach.. It led to the early exit of Target’s CEO Gregg Steinhafle, and calls for the shareholders to replace many of the company directors. The company reacted slowly to the events, critics charged, and the breach could likely have been avoided.
The breach is a reminder, too, that general counsel have a role to play when it comes to preparedness for cyber risks and developing an effective response to an incident, advises Deborah Meshulam, chair of the Securities Enforcement Practice at DLA Piper.
“It’s important for in-house counsel to be engaged and attentive,” Meshulam says. Board members need to know, that the company is on top of cybersecurity issues, has the right processes in place and is conducting risk assessments.
What makes the situation even more challenging is that the SEC has not come out with much in the way of rules recently when it comes to cybersecurity. Nevertheless, it is a priority for the commission, which wants public companies to provide disclosure and period reports.
In fact, the SEC has not updated its privacy and security regulation since 2008 when an interim rule was issued, according to an analysis by law firm Reed Smith. It was followed in October 2011 by SEC guidance on cybersecurity. The SEC continues to be concerned about adequate disclosure. To help clarify matters, on March 26 the SEC held a roundtable on cybersecurity.
Considering what has taken place at the SEC, Nancy Wojtas, head of the public companies practice at Cooley LLP, and previously was the counsel to two SEC chairs, identified questions that board members should ask about cybersecurity. They include:
When was cybersecurity last on the board’s agenda?
Who is responsible for managing cybersecurity in a company?
Does the board ever meet with that person?
Is the company confident that its valuable information is properly managed and safe from cyberthreats?
How high is that confidence level?
When did the company last experience a cyber or information-security breach?
What steps did the company take to mitigate the impact of the breach?
Was disclosure of the breach made in the company’s periodic report?
Is the company prepared for a breach and is there a team in place?
In addition, during a recent SEC webcast, John Reed Stark, managing director of Stroz Friedberg, and a former chief of the SEC Enforcement Division’s Office of Internet Enforcement, said that companies need to regularly review and update their policies and systems for cybersecurity, Bloomberg BNA reported. They also need to train employees, provide resources for cybersecurity issues, and show they provided a “methodical response” to incidents.
The Financial Industry Regulatory Authority (FINRA) announced in January that for it, too, cybersecurity is a priority. Broker-dealers need to have policies and procedures in place to protect customer data from attacks, according to Reed Smith. The following month, FINRA announced a cybersecurity “sweep” to assess how broker-dealers are managing cybersecurity. FINRA also sent examination sweep letters to some 20 broker-dealer firms.
Companies need to have best practices in place for whistleblowers, as well, and need to be prepared for enforcement of the Foreign Corrupt Practices Act (FCPA).
Another important trend relates to succession planning, which is often discussed too broadly. There are no formal regulations in place for succession planning, Wojtas adds. If a CEO suddenly leaves office there could be a drop in stock price. On average, it takes three months to a replace a CEO. Then it takes even more time for that CEO to get up to speed in the new job.
Wojtas also says that as a result of the Sarbanes-Oxley Act, the full board is actually losing some of its authority. The audit committee now has “a lot of power,” she says. But all board members, not just those on the audit committee, could end up getting sued if a problem arises regarding a lack of oversight, she adds.
Another area of interest for the SEC is proxy advisory firms. Recently, Institutional Shareholder Services (ISS) advised shareholders to remove seven out of 10 board members in response to the breach at Target, and there could be a push by regulators for more disclosures by these firms.
In fact, the current environment for board members has led to a shrinking number of board members. “Fewer people want to be on public company boards,” explains Christine Edwards, a partner at Winston & Strawn.
During the October speech, White acknowledged that the SEC’s focus on gatekeepers “may drive away those who would otherwise serve in these roles, for fear of being second-guessed or blamed for every issue that arises.” But she adds that “we will not be looking to charge a gatekeeper that did her job by asking the hard questions, demanding answers, looking for red flags and raising her hand.”
Also, Bradley Bondi, a former counsel to two SEC commissioners, who now heads up the Securities Enforcement and Investigations practice at Cadwalader, Wickersham & Taft, says that many concerns in the boardroom relate to board members taking on additional responsibilities as “gatekeepers.”
“The SEC is looking more at directors as gatekeepers,” Bondi explains. “Directors are the next frontier for the SEC enforcement program.”
Still another key issue for boardrooms is what Edwards has described as “voyeurism” around executive compensation. “A lot of transparency is required around executive compensation,” she says. It relates to why people are paid and what they are paid.
In addition, Bondi says the SEC appears to be taking a greater role on regulation through enforcement rather than through a process like rule making. But enforcement “is not the most effective and appropriate way to do things,” Bondi adds.
Given such laws as the Dodd-Frank Act, there continues to be increased emphasis on oversight, too, which makes it difficult to undertake long-term strategic planning on boards, Edwards says.
“Clients say they don’t have enough time to sit back and think about where the business is going,” she notes.
As board members address these issues, they need input from GCs, who themselves need to be aware of the many regulatory concerns facing companies.