Here are seven critical areas of risk management to consider as you plan for 2019.
1. Securities Class Actions on the Rise
Securities class action lawsuits are on the rise, and data show this will likely persist in 2019.
IPOs are a consistent target for securities class action litigation. Adding to this dynamic is the recent decision in Cyan v. Beaver County Employees Retirement Fund. In this case, the U.S. Supreme Court decided unanimously that federal class action lawsuits brought under Section 11 of the Securities Act of 1933 could be brought in all state courts.
As a reminder, Section 11 means public companies are strictly liable for material misstatements in their S-1 registration statements, making newly public companies an easier target.
The reason the Cyan decision is significant is because there is typically a lower dismissal rate for Section 11 claims in state courts compared to federal courts.
2. #MeToo Impacts the Boardroom
The #MeToo movement that came out of Hollywood permeated almost every industry and is now a board-level issue in corporate America. Signet Jewelers and Wynn Resorts Ltd. are just two companies that have faced director and officer litigation as a result of sexual harassment and misconduct.
To prepare, boards of directors need to be willing to have the conversation of what they would do if it happened at their company, including walking through real scenarios and case studies.
The board will be a focus should an incident occur. To give the board a fighting chance to defend itself, it's best to take the temperature of the company sooner than later. In other words, do employees feel that the tone at the top is proactive about #MeToo-type issues?
3. Directors and Officers Face Criminal Prosecutions
No director or officer wants the news they are under investigation from any government agency, let alone the Department of Justice. That's because the DOJ can criminally prosecute individuals for wrongdoing, resulting in incarceration.
In a little bit of good news for those who fear inappropriate prosecutions, the DOJ announced in 2018 a "no piling on" policy that would coordinate within the agency and with outside agencies to help avoid "piling on" enforcements for the same misconduct.
While it may seem like the DOJ is easing up, it's a bad idea to become cavalier about compliance. For example, the DOJ increased the number of Foreign Corrupt Practices Act actions it took last year.
To prepare, companies will want to review their compliance policies and procedures on a regular basis and update them with changes in the law or as they become aware of enforcement activity at other companies.
It's also a good idea for directors and officers to make sure that indemnification agreements are up to date and able to help defend them quickly and easily if they are accused of wrongdoing.
4. M&A Litigation Persists
Companies that are involved in a merger or acquisition can almost always expect litigation to follow, though data show a downward trend in the percentage of M&A deals challenged by shareholders.
The average number of lawsuits per M&A deal has also declined.
This can be attributed to the Delaware Court of Chancery decision in the Trulia case in late 2015. The Delaware court took the position against allowing plaintiff attorneys to be awarded lucrative fees in exchange for "disclosure-only" settlements - those settlements in which plaintiff attorneys are awarded legal fees for doing nothing more for the shareholders they represent than force defendants to provide additional (and often relatively trivial) disclosures about the M&A deal.
However, the plaintiff's bar is nothing if not resourceful. Plaintiffs are now bringing cases that are likely to result in disclosure-only settlements in federal court, often with better results in terms of fee awards compared to what they were experiencing in state court.
5. Bad Actors Are Being Humiliated
The first Wells Fargo scandal came to light when it was revealed in 2016 that Wells Fargo employees had been secretly creating fake accounts without customers knowing it to boost sales figures and qualify for bonuses.
In 2018, the Federal Reserve published a letter it had written to the former lead director of Wells Fargo. The letter noted, among other things, that his "performance in that role is an example of ineffective oversight that is not consistent with the Federal Reserve's expectations for a firm of WFS's size and scope of operations." The letter was a rare instance of a regulator publicly shaming an independent director.
The investigation of Wells Fargo was significant, and along the way, multiple Wells Fargo executives were publicly shamed, with lawmakers calling Wells Fargo a criminal enterprise and comparing the former CEO to a common bank robber.
For independent directors, especially those serving on boards of companies in highly regulated industries, the message is clear: if they do not do their job well and fraud results, their conduct will be judged both harshly and publicly.
In striking the right balance of operating at the director level but still knowing what's going on in management, public company directors should know what their regulators expect.
And if there are wrongdoings, independent directors will need to get much closer to the company's day-to-day business than they typically do in their normal oversight role.
6. Board's Role in Cybersecurity
In February 2018, the Securities and Exchange Commission issued interpretive guidance for public companies on how to control and disclose cybersecurity risks and events.
The guidance, among other things, made note of the board's role in cybersecurity oversight: "To the extent cybersecurity risks are material to a company's business, we believe this discussion should include the nature of the board's role in overseeing the management of that risk."
The SEC also encouraged disclosure of "how the board of directors engages with management on cybersecurity issues," so that shareholders can assess the board's performance when it comes to the execution of its risk oversight duties. Boards of directors will want to ensure that cyber risk and its mitigation continue to be a regular topic of discussion.
They'll also want to review the SEC's interpretive guidance with counsel and refine the company's cyber policies and disclosures as needed.
Separately in 2018, SEC Commissioner Robert Jackson Jr. called cyber threats "the most pressing issue in corporate governance today." Also in 2018, the SEC settled with Yahoo for $35 million, the first penalty associated with a cyber disclosure investigation. All of this together is a clear signal that addressing cyber threats will be a primary area of focus for the SEC in the foreseeable future.
7. Social Expectations
BlackRock is the No. 1 U.S.-headquartered institutional investor, and its CEO Larry Fink publishes an annual and anticipated open letter. In the January 2018 edition, Fink said that in addition to maximizing shareholder value, public companies should have another goal: making a positive societal impact.
Fink noted that "to prosper over time, every company must not only deliver financial performance, but also show how it makes a positive contribution to society."
The letter was received with mixed reviews and presents a conundrum for boards of directors that believe maximizing shareholder value is their primary fiduciary duty. Directors and officers will want to be cautious when considering whether and how to implement Fink's vision. If a board decides to pursue the dual goals of maximizing shareholder value and maximizing societal good, it will want to be explicit about this with shareholders as a matter of good disclosure. Directors and officers should also review the BlackRock document titled, "BlackRock Investment Stewardship Engagement Priorities for 2018" and other useful documents at BlackRock.com.
Boards have a lot on their plates when it comes to planning for 2019. When it comes to thoughtful risk management for directors and officers, the seven items listed above provide a useful starting point.
About Priya Cherian Huskins
Huskins is a partner for Woodruf Sawyer.