Category: CyberSecurity

BOARD OVERSIGHT OF CORPORATION COMPLIANCE PROGRAMS: RECENT DOJ GUIDANCE AND WHAT TO DO NOW

BOARD OVERSIGHT OF CORPORATION COMPLIANCE PROGRAMS: RECENT DOJ GUIDANCE AND WHAT TO DO NOW
By Holly J. Gregory* and Rebecca Grapsas*

Boards should consider assessing the effectiveness of their compliance programs now in light of the DOJ’s recent guidance on evaluating compliance programs — whether or not the company currently has any compliance issues.

Each company should, at a minimum, have a basic effective compliance program in place. A program that exists “on paper” but is not effective is not sufficient. As well as making good business sense for a range of reasons, having an effective compliance program can influence a federal prosecutor’s decision on whether to charge a company for the bad acts of its employees or officers and the extent to which the company may receive credit for cooperation in a settlement. Having an effective compliance program can also help mitigate penalties if corporate wrongdoing is found

Oversight of a company’s “tone at the top” and its compliance program designed to establish and maintain that tone and detect problems is an important board responsibility.As fiduciaries, directors are required to assess the company’s compliance program in light of the legal and regulatory compliance framework and ensure that the company has appropriate compliance-related reporting and information systems and internal controls in place. It is a business judgment for the board to determine what compliance program best suits the company’s needs and the level of compliance risk it is willing to take.

Each company should, at a minimum, have a basic effective compliance program in place. A program that exists “on paper” but is not effective is not sufficient As well as making good business sense for a range of reasons, having an effective compliance program can influence a federal prosecutor’s decision on whether to charge a company for the bad acts of its employees or of cers and the extent to which the company may receive credit for cooperation in a settlement. Having an effective compliance program can also help mitigate penalties if corporate wrongdoing is found

The standard for effectiveness in compliance program design is set forth in Chapter 8 of the United States Federal Sentencing Guidelines, which provides that a company must:

Establish standards and procedures to prevent and detect criminal conduct

Ensure board oversight of the compliance program

Appoint a high-level individual (such as a chief compliance of cer) who has overall responsibility for the compliance program

Exercise due diligence to exclude unethical individuals from positions of authority

Communicate information about the compliance program to employees and directors

Monitor the compliance program’s effectiveness

Promote and consistently enforce the compliance program

Respond to violations and make necessary modi cations to the compliance program (US Sentencing Commission Guidelines Manual §§ 8B21(b), 8C25(f))

The Principles of Federal Prosecution of Business Organizations in the US Attorneys’ Manual provide that prosecutors should consider specific factors (known as the “Filip Factors”) in conducting corporate investigations, determining whether to bring charges and negotiating plea or other agreements. These factors include “the existence and effectiveness of the corporation’s pre-existing compliance program” and the corporation’s remedial efforts “to implement an effective corporate compliance program or to improve an existing one.” The Department of Justice (DOJ) emphasizes that critical factors in evaluating a compliance program are “whether the program is adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees and whether corporate management is enforcing the program or is tacitly encouraging or pressuring employees to engage in misconduct to achieve business objectives” US Attorneys’ Manual § 9-28.300, General Principle; § 9-28.800, Comment (2015)

In February 2017, the Fraud Section of the DOJ issued a resource entitled Evaluation of Corporate Compliance Programs. The document provides more speci c examples of how federal prosecutors will evaluate a company’s compliance program in the process of

The DOJ’s recent guidance for evaluating corporate compliance programs is also discussed in the most recent issue of Sidley’s Anti-Corruption Quarterly.

investigating and resolving an enforcement matter. The document emphasizes that “the Fraud Section does not use any rigid formula to assess the effectiveness of corporate compliance programs.” The document is the latest communication forming part of the Fraud Section’s Compliance Initiative, which began with the Fraud Section’s hiring of Hui Chen as full-time compliance counsel in November 2015.

The document contains probing questions regarding the following eleven “sample” topics:

1. Analysis and remediation of underlying misconduct (including root cause analysis and prior indications)

2. Senior and middle management (including conduct at the top, shared commitment and oversight)

3. Autonomy and resources (including compliance function stature, experience, quali cations, empowerment, funding and outsourcing)

4. Policies and procedures (including design, applicability, gatekeepers, accessibility, operational integration, controls and vendor management)

5. Risk assessment (including methodology, information gathering and analysis, and manifested risks)

6. Training and communications (including form, content and effectiveness, communications about misconduct and availability of guidance)

7. Confidential reporting and investigation (including reporting mechanism effectiveness, investigation scope and response to investigations)

8. Incentives and disciplinary measures (including accountability, process and consistency)

9. Continuous improvement, periodic testing and review (including internal audit, control testing, interviews and evolving updates)

10. Third-party management (including risk-based and integrated processes, controls, relationship management and misconduct consequences)

11. Mergers and acquisitions (including due diligence process, integration in the M&A process and process connecting due diligence to implementation)

The questions are designed to look behind a company’s compliance program “on paper” and evaluate how the program has been implemented, updated and enforced in practice. Although some of the questions focus on the effectiveness of a company’s compliance program in the context of specific misconduct (for example, what caused the misconduct, whether there were prior indications of the misconduct and which controls failed), many of the questions focus on the compliance program more broadly, including, for example, whether compliance personnel report directly to the board, what methodology the company uses to identify, analyze and address the risks it faces, and how the company incentivizes compliance and ethical behavior.

Compliance program assessment is a key element of the board’s oversight of compliance programs. Boards should conduct such assessments periodically to identify areas for improvement in light of the company’s evolving risks and regulatory preferences with respect to compliance structures and practices. Periodic assessment of the compliance program, in a process overseen by the board or a board committee, helps ensure that the program continues to be “ for the purpose” by identifying areas for improvement, while also creating evidence of the company’s commitment to compliance for use in any future regulatory enforcement actions. Assessments should be risk-based to re ect the company’s changing risk environment and to help ensure that limited compliance resources are prioritized to focus on the most signi cant risks.

The assessment criteria should be based on the elements of an effective compliance program as described in DOJ guidance discussed above, including specific guidance from
regulators regarding the company’s industry. The assessment criteria should also reflect trends in settlement agreements, developing notions of recommended practices (both generally and within the company’s specific industry), and the practices of peer companies, to the extent that benchmarking data is available.

In conducting its assessment, the board should evaluate the following and consider how it would answer the specific questions set forth in the DOJ’s recent guidance:

■ The board’s level of oversight including availability of compliance expertise, private sessions with compliance personnel and information

■ Reporting lines and related structures

■ Experience, qualifications and performance of the chief compliance officer and compliance function

■ Compliance function responsibilities, budget and budget allocation (including employees, outside advisors and other resources), staff turnover rate and outsourcing

■ Written corporate policies and procedures regarding ethics and compliance (including legal and regulatory risks), and the process for designing, reviewing and evaluating the effectiveness of policies and procedures

■ Internal controls to reduce the likelihood of improper conduct and compliance violations

■ Ongoing monitoring, control testing and auditing processes to assess the effectiveness of the program and any improper conduct

■ Role of compliance in strategic and operational decisions

■ Key compliance risks, risk assessment processes and risk mitigation

■ Senior management conduct and commitment to compliance, and how the company monitors this

■ Communication efforts by the board, CEO, other senior executives, and middle management regarding expectations and tone

■ Education and training regarding compliance generally and the company’s program, policies and procedures at all levels

■ Understanding of corporate commitment to compliance at all levels

■ Awareness and use of mechanisms to seek guidance and/or to report possible compliance
violations, and fear of retaliation

■ Specific problems that have arisen, why they arose and how they were identified and resolved

■ Investigation protocols and experiences

■ Performance incentives, accountability, disciplinary measures and enforcement

■ Remediation and efforts to apply lessons learned

The DOJ’s recent guidance should help boards determine the assessment process that is appropriate for the company, evaluate whether the company’s program continues to be effective and t for purpose, and consider appropriate modi cations to the program.

Sidley Perspectives | JUNE 2017 • 4

*Holly J. Gregory is a partner in Sidley’s New York of ce and a co-leader of the rm’s global Corporate Governance and Executive Compensation practice. Rebecca Grapsas is counsel in Sidley’s Corporate Governance and Executive Compensation practice who works from both the rm’s New York and Sydney of ces. The views expressed in this article are those of the authors and do not necessarily re ect the views of the rm.

Corporate Governance and Change

Corporate Governance and Change

A Quick Review Of Basics

By: Saul Winsten,General Counsel
The Winsten Group.Trusted Counsel LLC.
A national Legal, Business, and Corporate Affairs firm
thewinstengroup.com

What is “Governance”?

Governance has been defined in different ways. For our purposes, corporate governance may be understood to mean the system, processes and relationships by which a corporation is controlled and directed. Boards of Directors are responsible ultimately for governance, the control and direction of the corporation they serve.
For brevity our discussion will focus on this topic as applied to closely-held and family-owned business corporations.

What has changed?

With ever increasing market competition, and pace and magnitude of technological change, the challenges encountered by closely-held and family-owned businesses and their Boards have grown. The traditional or legacy structures for governance, or legacy leadership may no longer be appropriate. New governance structure, processes, and leaders may be called for.

Questions concerning governance often include questions concerning the role and responsibilities of the Board, and how governance may be evolving in response to change. Below is a quick review of basic principles, and of some increasingly common business adaptations to change.

Basic Principles:

The Role and Responsibilities of Boards

Board responsibilities are separate from those of management. Boards are not to manage the business; executive management has that responsibility. The Board’s role and its responsibilities include:

1.To advise and consult with management on corporate strategy, operational performance & effectiveness, key performance metrics, executive performance and compensation, risk management, and growth and change matters
2.To provide oversight of and approve corporate strategy and strategic plans, major
acquisitions and divestitures, management and business performance, strategic matters,
company resource planning and needs, legal compliance, protection of assets, budget and
significant financing, mergers, and corporate reorganizations
3.To plan for executive and Board succession, select new executives, and
recommend new Board members

Board Requirements

Boards and Board members must act solely in and for the interest of the corporation. Board members should be qualified to carry out Board responsibilities, be informed and knowledgeable of matters that may come before the Board, exercise prudent business judgement, and act free from conflicts of interest that compromise such action and judgement.

Fiduciary Duties

Boards of Directors and individual Board Members have “Fiduciary Duties”, to act prudently, in and for the interest of the business and shareholders, with care, honesty, prudence, and in good faith.

The primary fiduciary duties have been referred to as “Duty of Care”, and “Duty of Loyalty”. Some courts and securities regulation also refer to a “Duty of Candor” or “Duty of Disclosure”. Various courts have identified and discussed specific aspects of these duties.

The “Duty of Care” requires Board members act with knowledge of the pertinent facts and circumstances, with care, after due consideration of all relevant information.

The “Duty of Loyalty” requires Board members act in the best interests of the corporation and shareholders, and to ensure that actions are taken in good faith.

“Good Faith” has been defined by Black’s Law Dictionary as requiring Board members act with “(1) honesty in belief or purpose, (2) faithfulness to one’s duty or obligation, (3) observance of reasonable commercial standards of fair dealing in a given trade or business, (4) absence of intent to defraud or to seek unconscionable advantage”.

Liability for Breach of Fiduciary Duties

Boards and individual Directors have been found liable for breach of their fiduciary duties.

Defense to Claim of Breach of Fiduciary Duties

A defense to an action against a Board for Board action is sometimes called “the business judgement rule”. Under that rule, a court generally will not “second guess” a Board decision if the Board: (i) followed a reasonable and informed process; (ii) took into account all relevant facts and circumstances; and (iii) made its decision” in good faith”.

Adaptations to Change
These include but are not limited to:

Enhanced Board “on-boarding” and education

To properly prepare new Board members for joining the Board and carrying out Board responsibilities, businesses and organizations are paying increasing attention to proper orientation, introduction and education of Board members. The need for such action increases with the size of the organization, complexity of the organization and its activities, demands of shareholders and stakeholders, and the nature and complexity of risks to which the organization is subject.

Use of Board Committees:

As the quantity and complexity of matters that Boards are to act upon have increased, the use of committees and the need for enhanced committee and Board expertise has increased.

Some matters, particularly complex matters requiring special expertise, are increasingly delegated to committees of the Board, which in turn make recommendations for Board deliberation and action. Committees such as Compensation, Audit, Governance, and Nominating, among others, are common.
Many Boards have an Executive Committee of corporate officers, who are tasked with developing recommendations on policy and other matters for Board action.

Matters requiring special expertise may be delegated to a committee which includes members with that special expertise.

An example of a committee tasked with matters requiring special expertise is the Audit Committee. This committee is charged with developing recommendations concerning matters concerning accounting policies, financial reporting, and other audit related matters. It is responsible for oversight of the independent auditor, internal financial control policies, financial risk management policies, and the performance of the internal audit function.

Another example is the Nominating and/or Governance Committee where identification of desired qualified candidates for Board service, selection of nominees for Board positions, governance standards and processes, Board and CEO evaluation may be discussed and recommendations made.

Other committees requiring specialized knowledge may be used by a business’ Board. These include Cybersecurity, Technology, Legal, Finance, Strategic Planning, M&A, HR, Ethics/Corporate Responsibility, and Environmental Committees, for example.

Addition of Independent and Specially Qualified Directors:

Another response increasingly used by Boards of closely held businesses, including family-owned or managed businesses, is the addition “Independent Directors” to their Boards. These Independent Directors assist the Board in carrying out its responsibilities by bringing independent thought, needed specialized expertise, and special perspective to those Boards. Examples of the knowledge and expertise sought and retained for Independent Directors include proven industry and outside business leadership, legal, finance, technology, cybersecurity, and other specialized expertise.
Some courts, notably Delaware, have addressed the issue of what makes a Board member “independent”.

Use of Board Counsel

Some larger businesses and organizations have retained special Board Counsel to provide independent advice and guidance on Board and governance matters of special concern. Board Counsel have been found especially useful where perspective, guidance, and advice independent of Board or executive leadership relationships, is desired.

Conclusion

Governance changes are driven by a number of factors. Growth, market competition, disruptive technology, regulatory requirements, and succession generated dynamics for example, may compel a company to change the way it does business, manages risk, and the way it is governed.
Businesses and organizations that will succeed are those prepared for change.

Heads Up: Boards, Businesses, Leaders- CyberSecurity, Risks and Responsibility, Heightened Requirements.

Dickinson Wright

Corporate boards recognize that cybersecurity is and will remain a high priority because of the attendant risks on so many levels. And two recent matters – one a case and the other a high profile internal investigation – portend that an imminent frontier in corporate monitoring will be cybersecurity.

Cybersecurity is “hot” and will stay “hot” for corporations, executives, regulators, law enforcement and legislators. Rarely is there a corporate compliance discussion in 2017 where cyber isn’t “the” topic or a material part of the discussion. Corporate boards recognize that cybersecurity is and will remain a high priority because of the attendant risks on so many levels. And two recent matters – one a case and the other a high profile internal investigation – portend that an imminent frontier in corporate monitoring will be cybersecurity.

Recent governmental attention to corporate cybersecurity programs suggests strongly that cyber oversight will be the next priority area for corporate compliance monitoring. The Securities and Exchange Commission (SEC), for example, announced in January 2017 that cybersecurity compliance procedures would be a key focus for its Office of Compliance Inspections and Examinations (OCIE) this year.i OCIE previously announced cybersecurity as a priority for its 2016 examination program,ii tracking its September 2015 cybersecurity examinations initiative.iii Considering prior enforcement actions by the SEC against investment advisors and broker-dealers to address allegedly inadequate cybersecurity policies that enabled data breaches, the SEC’s announcement is no surprise. Similarly, the Federal Trade Commission (FTC) has been flexing its enforcement muscle through actions alleging that policy failures led to the exposure of confidential consumer information.iv These actions consistently result in settlements that impose cybersecurity enhancements designed to prevent similar future incidents. In the absence of an informed and sufficient monitoring program, however, it is difficult to assess effectively whether the corporations are implementing the negotiated settlements properly and, perhaps more importantly, as expected by the agency.

The SEC has a well-established track record for using independent corporate monitors across a broad range of cases. The FTC, on the other hand is in its infancy doing so, somewhat surprisingly. In a September 2016 settlement, the FTC jumped into the monitorship space by imposing a monitor to ensure compliance with a settlement that required a company to change fundamentally its compensation structure by rewarding actual sales rather than recruitment of new distributors. Although that FTC settlement did not present a cybersecurity issue, the FTC nevertheless set the stage to connect monitorships with the agency’s already active regulatory attention to cybersecurity matters. An example of such an opportunity presented on March 1, 2017 when Yahoo announced, in its Form 10-K filed with the SEC,v that as a result of an internal investigation associated with three cybersecurity incidents – including the theft of data from more than one billion accounts – the Company “took certain remedial action, notifying 26 specifically targeted users and consulting with law enforcement.” The 10-K describes the cyber-centric “other remedial actions” as follows:

The Board has directed the Company to implement or enhance a number of corrective actions, including revision of its technical and legal information security incident response protocols to help ensure: escalation of cybersecurity incidents to senior executives and the Board of Directors; rigorous investigation of cybersecurity incidents and engagement of forensic experts as appropriate; rigorous assessment of and documenting any legal reporting obligations and engagement of outside counsel as appropriate; comprehensive risk assessments with respect to cybersecurity events; effective cross-functional communication regarding cybersecurity events; appropriate and timely disclosure of material cybersecurity incidents; and enhanced training and oversight to help ensure processes are followed.

The 10-K also references 43 related class action lawsuits and the company’s cooperation with the SEC, the FTC, the United States Attorney’s Office for the Southern District of New York, and two State Attorneys General. Additionally, the General Counsel and Secretary resigned, receiving no severance payments. Moreover, the CEO gave up $12 million in stock and did not receive her 2016 cash bonus. It is easy to see where breaches and remediation as Yahoo disclosed could become the door-opener for a cybersecurity monitor.

Traditional corporate monitoring models allow for the implementation of an independent monitor to oversee an organization’s compliance with imposed obligations over a period of time. Independent monitors, by operation of the monitorship agreement, typically receive access to the subject company’s personnel, files, books, and records that fall within the scope of the settlement agreement and have authority to take necessary steps to become fully informed regarding the monitored company’s operations, within the parameters of the agreement. The independent monitors also are free to communicate with the regulatory body (or agency) regarding the monitored company’s corrective measures (or lack thereof). If the subject organization is found not to have complied with the terms of the settlement (i.e., not adhering to the compliance and other policies, procedures and steps designed to remediate and correct the conduct that gave rise to the settlement), then penalties can be assessed, including reinstitution of the criminal or regulatory action(s), and extension of the monitorship. And, particularly in the cybersecurity area, systems vulnerabilities easily can challenge the test of compliance with the settlement terms.

Cybersecurity-related regulatory actions, however, usually do not follow this model. Instead, many cybersecurity settlements and consent orders mandate only that independent third-party professionals periodically assess and report on the implementation of information privacy and cybersecurity safeguards. Because cybersecurity settlement agreements do not typically include an active independent monitor with the requisite background and experience to assess an organization’s remedial cybersecurity measures on a granular level, the benefits of an imbedded qualified professional to ensure true remediation are absent from the impacted company. Ideally, a cybersecurity monitor would and should have through knowledge, skill, training, experience, or education sufficient up-to-date technical expertise and a measurable level of experience – preferably a minimum of five years of demonstrable experience dealing with cybersecurity or incident responses – to act in a cyber-monitoring capacity. Also, the cybersecurity monitor should hold a minimum of one relevant technical certification. Instead, the present norm is the less beneficial periodic spot-checking undertaken by professionals who likely do not have the level of knowledge of the organization or an in-depth appreciation of the issues surrounding what gave rise to the settlement and need for remediation in the first place.

This seemingly minimalist approach to corporate cybersecurity monitoring is surprising because proper implementation of cybersecurity safeguards is, by design, meant to be tailored to a specific organization. It is not always clear, however, that proper implementation necessarily will satisfy regulators’ expectations. For example, many experts view the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity (the “Cybersecurity Framework”) to be a benchmark for modern digital security implementation standards. In a seeming inherent contradiction, the FTC has opined that (1) the Cybersecurity Framework is not something with which an organization can “comply,” and (2) even if an organization follows the NIST Cybersecurity Framework (which the FTC describes as “a set of industry standards and best practices to help organizations identify, assess, and manage cybersecurity risks”), then that does not necessarily mean an organization’s cybersecurity policies will withstand regulatory scrutiny.vi Additionally, cybersecurity enforcement actions often are precipitated by incidents exposing sensitive third-party information, which in turn result in the near inevitable perceptions of an absence of cybersecurity buy-in from management teams and a failure to fully appreciate various cybersecurity risk vectors. Periodic spot-checks of corporate policies, and even implemented practices, can miss these issues; meanwhile, an independent and informed monitor with appropriate in-depth knowledge of a company’s remedial efforts undertaken pursuant to a settlement agreement would be well-positioned to identify and remediate corporate deficiencies while simultaneously satisfying regulators’ expectations.

Properly addressing modern and emerging corporate and regulatory cybersecurity concerns demands a new compliance prism and model as part of settlement agreements with government agencies. Rather than simply accepting periodic external assessments, matters involving cybersecurity should be addressed more effectively through the use of a cyber-knowledgeable independent corporate monitor. That monitor will be able to appreciate the technical cyber and substantive needs of the subject company, have intimate knowledge of that company, and understand the goals and objectives of the regulatory body with the cyber-compliance expectations. Equally important is that the monitor will be in a position to ensure – from an informed position – that the company implements proper cybersecurity practices, and the Board, management and staff receive appropriate cyber-training. Thus, the not-too-distant future is now for cybersecurity monitoring and monitors.

i U.S. Securities & Exchange Commission, SEC Announces 2017 Examination Priorities (Jan. 12, 2017), https://www.sec.gov/news/pressrelease/2017-7.html

ii U.S. Securities & Exchange Commission, SEC Announces 2016 Examination Priorities (Jan. 11, 2016), https://www.sec.gov/news/pressrelease/2016-4.html

iii U.S. Securities & Exchange Commission, OCIE’s 2015 Cybersecurity Examination Initiative (Sept. 15, 2015), https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf

iv E.g., Federal Trade Commission v. Wyndham Worldwide Corporation, 799 F.3d 236 (3d Cir. 2015); Federal Trade Commission v. D-Link Corp., No. 3:17-cv-00039 ((N.D. Cal. Compl. filed Jan. 5, 2017))

v https://www.sec.gov/Archives/edgar/data/1011006/000119312517065791/d293630d10k.htm

vi See Andrea Arias, Fed. Trade Comm., The NIST Cybersecurity Framework and the FTC (Aug. 31, 2016), https://www.ftc.gov/news-events/blogs/business-blog/2016/08/nist-cybersecurity-framework-ftc

Boards and Business Executives Beware- Possible Liability For Data Breach

Publication By Michael Best
Albert Bianchi, Jr.Michelle L. Dama, Adrienne S. Ehrhardt
MARCH 3, 2017CLIENT ALERT

Executives and Board Members Could Face Liability for Data Breaches

Executives and Board Members Could Face Liability for Data Breaches
By now, most everyone is aware that Yahoo was hacked in both 2013 and 2014 and had names, passwords, and other account data of between 500 million and one billion of its users stolen. Following the breach, various class action lawsuits brought against Yahoo by consumers and small business users of Yahoo ensued. The stolen data and lawsuits also caused Verizon to reduce its offer to purchase Yahoo by $350 million. Unfortunately for Yahoo, its inability to protect private account data has led to additional negative consequences.
In late February 2017, a group of Yahoo shareholders, guided by the Oklahoma Firefighters Pension and Retirement System, sued Yahoo, as well as some of its executives and board members, including the chairman of its Board of Directors, co-founder, and current CEO, for breach of their fiduciary duty to the shareholders stemming from the stolen account data. Although the complaint is sealed (and thus unavailable to the public), the lawsuit, which appears to be the first of its kind, seems to assert that Yahoo and its executives breached their fiduciary duty to shareholders by failing to disclosure the data security breaches to Yahoo account holders.
This lawsuit will be one to keep an eye on to see whether a failure to properly handle a data breach, and possibly even the data breach itself, can be considered a breach of a fiduciary duty to shareholders. Although this case appears to be the first of its kind, if it continues moving forward, it will undoubtedly spur like cases for other similarly situated entities that have suffered a security breach.
Other businesses that have been hacked and had personal account data stolen may be next in line for similar shareholder lawsuits. As such, the shareholder suit against Yahoo and its executives is yet another warning of how important it is for business to approach the need to properly protect personal data seriously. Whether its employee or customer information, businesses need to be on their guard and prepared to prevent and handle data breaches.