The D&O Diary

A PERIODIC JOURNAL CONTAINING ITEMS OF INTEREST FROM THE WORLD OF DIRECTORS & OFFICERS LIABILITY, WITH OCCASIONAL COMMENTARY

Executive Compensation: Do Clawbacks Lead to Certain Types of Earnings Manipulation?

Posted in Executive Compensation

When Congress enacted stiff executive compensation clawbacks as part of the Dodd-Frank Act, the assumption was that the adoption of these kinds of measures would reduce the number of corporate restatements and increase investor confidence in financial reports. However, a new study focused on companies that have adopted clawback measures suggests that these gains may prove more illusory than assumed. As discussed in a January 20, 2015 Accounting Today article entitled “Clawbacks Can Lead to Accounting Gimmicks” (here), a study by three academics from Hong Kong shows that while the clawback provisions may discourage one type of accounting manipulation, they may encourage another.

Section 954 of the Dodd-Frank Act requires the SEC to adopt rules requiring the national securities exchanges to prohibit the listing of the securities of any company that does not develop and implement provisions specifying that if the company restates its financial statements, the company will recover from any current or former officer of the company any incentive-based compensation the officer received during the three-year period prior to the restatement. The SEC still has not issued the implementing regulations, but many companies have voluntarily adopted clawback provisions.

The authors of the study referenced in the article analyzed financial reports from companies in the Russell 3000, comparing data from companies that adopted clawback provisions over the five-year period preceding the passage of the Dodd-Frank Act with an equal number of non-adopters closely matched with them in other respects.

The authors found that the clawback provisions reduce the incidence of one kind of earnings manipulation – that is, “accruals management” – only to increase the incidence of another type of earnings manipulation that, if anything, is more adverse to investors – “real-transactions management.” The first type, accruals management, refers to the manipulation of the various balance sheet items that require some element of estimation, such as bad debt reserves or estimates of inventory valuation. Real-transactions management involves altering actual expenditures to achieve a temporary earnings boost, such as by cutting research and development or by slashing prices or easing credit terms to boost sales.

Clawback provisions deter earnings manipulation through accruals management because high accruals tend to attract the attention of regulators and auditors, increasing the likelihood of a restatement that would trigger the clawback. Managing transactions, while obviously sub-optimal from a business perspective, is unlikely to attract the attention of auditors and regulators. Manipulating transactions may produce a short-run earnings and stock price upswing, but it will likely be followed by downturns in subsequent years.

The authors found that the pattern of increased transaction manipulation was particularly pronounced among two types of companies – that is, companies with high-growth opportunities (and therefore likelier to experience a sharper stock price decline if they were to miss forecasts) and those with a high degree of transient institutional ownership (that is, the kinds of investors that focus on short-term earnings targets).

The authors of the study concluded that “mandating clawbacks, as Dodd Frank does, is at best of dubious value and may actually be counterproductive in its encouragement of management practices.” The authors added that “since the clawback mandated by Section 954 is more rigorous than what many firms have adopted on their own, it is reasonable to anticipate that the negative effects we saw in our study will come to pass when the law is fully enforced.”

Break in the Action: The D&O Diary will be on travel for the next few days so there will be an interruption in the normal publication schedule. Regular publication will resume later next week.

NERA Securities Litigation Report: Filings Flat, Number and Value of Settlements Plunge

Posted in Securities Litigation

The number of securities class action filings in 2014 was level with recent years’ filings, but the number and dollar value of settlements during the year plunged, according to the latest annual report from NERA Economic Consulting. This year’s report is quite detailed and contains a number of new analyses of lawsuit filings and case resolutions. The January 20, 2015 report, entitled “Recent Trends in Securities Class Action Litigation: 2014 Full-Year Review,” can be found here. NERA’s January 20, 2015 press release about the report can be found here. My own report about the 2014 securities class action lawsuit filings can be found here.

Number of Securities Lawsuit Filings: According to the report, there were 221 securities class action lawsuits filed in 2014. (Please see my note at the end of this post about NERA’s lawsuit counting methodology and how it differs from the methods used in other reports.) The number of 2014 filings was essentially level with that of recent years; in 2013, there were, according to NERA, 222 filings, and in 2012 and 2011 there were 212 and 228, respectively. The number of filings during the period 2009-2014, during which the average number of annual filings was 220, showed “remarkable stability.”

Increased Likelihood of Being Sued: While the number of filings has remained relatively stable in recent years, the likelihood of any one company with a listing on a U.S. exchange experiencing a securities class action lawsuit has in fact increased significantly compared to historical levels. The reason for this greater likelihood is that while the number of lawsuit filings has remained relatively stable, the number of companies with listings on U.S. exchanges has declined significantly. In 1996, there were 8,783 companies with listings on U.S. exchanges. In 2014, there were 5,209 U.S. listed companies, representing a decline of 41%. This decline in the number of companies has, according to the report, “implications for the average probability of being sued.” This probability has increased from 2.3% over the 1996-1998 period to 4.2% in 2014.

Changing Mix of Cases: While the annual number of lawsuit filings has remained relatively stable in recent years, the mix of cases has changed. For example, in 2010, merger objection cases accounted for 31% of all securities class action filings during the year, whereas during 2014, merger objection cases accounted for only 18% of securities suit filings. At the same time, “traditional” securities lawsuit filings (that is, cases alleging violations of Rule 10b-5, Section 11 or Section 12) increased – the number of traditional filings increased 11% in 2014 compared to 2013 and 30% compared to 2010.

Impact of Halliburton Pendency on Filings: The report has an interesting observation about the possible effect of the pendency of the Halliburton case on the number of securities class action filings. Readers will recall that Halliburton was a potentially important U.S. Supreme Court case that could have had, but ultimately did not have, a significant effect on securities class action litigation (about which see here). The report notes that the number of securities class action filings was slow while Halliburton was pending, but that during the July-November period after the Supreme Court issued its opinion in the case, the average monthly number of filings increased 25%. The low number of filings during December brought down this monthly average, but even with this reduction the post-Halliburton monthly average number of filings was 14% higher than the monthly average while the case was pending. The NERA report carefully comments that “while we note the temporal correlation, we are not suggesting how much, if any, of the change in the filing activity is due to these decisions since we have not considered confounding factors.”

Aggregate Investor Losses: The aggregate value of investor losses represented by the 2014 securities lawsuit filings was at its lowest level during the period 2005-2014. (The investor loss variable is a proxy NERA uses for the aggregate amount investors lost from buying the defendant’s stock rather than investing in the broader market.) The $154 billion aggregate investor losses associated with the 2014 cases is just below the $159 billion in investor losses in 2013 but well below the $234 billion in 2012. The report notes that the lower number of aggregate investor losses in more recent years is “explained mainly by the almost complete absence of cases with very large investor losses.”

Motion to Dismiss Outcomes: The report notes that motions to dismiss are filed in 95% of all securities class action lawsuits, although courts rule on only about 80% of all motions filed (in other cases, the lawsuits settle or are withdrawn prior to a court ruling). During the period 2000-2014, in cases in which rulings were issued on motions to dismiss, the motions were granted in 48% of cases, granted in part and denied in part in 26% of cases, and denied in 21%.

Changing Dismissal Rates: The rate at which cases have been dismissed has changed over time. The report notes that for cases filed during the period 2000-2002, the dismissal rate was 32-36%; for cases filed during the period 2004-2006, the dismissal rate was 43-47%; and for cases filed during the period 2007-2009, the dismissal rate was at least 45%-52%. The report’s authors are cautious about drawing conclusions based on this apparent rising trend in the dismissal rate due to “the large fraction of cases awaiting resolution among those filed in recent years, and the possibility that the dismissals will be successfully appealed or re-filed.”

Outcome of Class Certification Motions: The report also has some information that is interesting to consider when evaluating the possible impact of the U.S. Supreme Court’s Halliburton decision. The report notes that 73% of cases are settled or dismissed before a motion for class certification is filed. In cases in which a motion for class certification has been filed, the court reaches a decision on the motion 56% of the time. Of the class certification motion rulings, 75% were granted and 12% were denied (with mixed rulings in other cases). The report notes that in the three post-Halliburton cases of which the authors are aware in which the defendants sought to oppose class certification in reliance on the type of price impact evidence Halliburton authorized, the motions were granted and the classes certified despite the price impact evidence.

Declining Number of Settlements and Slowing Case Resolution: The number of cases settled during 2014 declined for the third consecutive year and was at or close to an all-time low since the passage of the PSLRA. Overall, the number of cases resolved through settlement or dismissal also has been low for three years. At the same time, since 2011, the number of pending cases has been increasing, reaching 653 in 2014, a 19% increase from the lowest number of pending cases, in 2011 (547). This increase in the number of pending cases during a period when the number of filings was roughly constant suggests “a slow-down of the resolution process during that period.”

Declining Average and Median Settlements: Just as the number of settlements has declined in recent years, the average and median settlement amounts have also declined. Excluding merger objection cases, IPO laddering cases, and settlements over $1 billion, the average settlement in 2014 was $34 million, compared to $55 million in 2013 (adjusted for inflation), a decline of 38%. Even more interesting, the median settlement (excluding merger objection suits, IPO laddering cases and settlements in which the class received $0) during 2014 was only $6.5 million, the lowest median in ten years and adjusted for inflation the third lowest since the passage of the PSLRA. By contrast, the median in 2013 was $9.3 million and in 2012 was $12.6 million (both figures adjusted for inflation).

Declining Aggregate Plaintiffs’ Fees and Expenses: Mirroring this decline in average and median settlement value, the aggregate annual plaintiffs’ fees and expenses during 2014 of $619 million was far below that of 2013 (when the equivalent figure was $1.164 billion). The 2014 figure was at its lowest level since 2004 (when the aggregate amount was $487 million).

This detailed report contains a wealth of other information and analysis, and it merits a complete reading.

Readers will want to note carefully the “counting” methodology used in the NERA report in order to understand how the filing figures in the report differ from other published figures. In a footnote, the report’s authors explain that if multiple actions involving the same defendant and the same allegations are filed in different circuits, the separate actions are treated as separate filings (and if they are later consolidated, the tally is revised accordingly). This methodology is different from that used in other published analyses, which count lawsuits against the same defendant and the same allegations only once, regardless of whether separate complaints are filed in different circuits. The NERA report also includes in its tally lawsuits alleging only breach of fiduciary duty or other violations of the common law, or that involve only claims under foreign or state law. Other published tallies include a lawsuit in the count only if it alleges a violation of the federal securities laws.

Fiduciary Duty as a Source of Board Focus for Long-Term Shareholder Value Creation

Posted in Corporate Governance

The fiduciary duties of members of corporate boards are usually invoked in connection with directors’ potential liability exposures. However, in their January 2015 Harvard Business Review article entitled “Where Boards Fall Short” (here), Dominic Barton, global managing director of McKinsey & Co., and Mark Wiseman, President and CEO of the Canada Pension Plan Investment Board, invoke directors’ fiduciary duties as a guidepost to help boards fulfill their “core mission” of “providing strong oversight and strategic support for management’s efforts to create long-term value.”

As the article’s title suggests, the authors believe that boards are currently falling short on this core mission. It isn’t just the authors themselves who think this; according to the authors’ survey of over 600 executives and directors, company officials think so, too. According to the survey, the source of pressure most frequently identified as responsible for organizations’ over-emphasis on short-term financial results, cited by 47% of respondents, was the company’s board. An even higher percentage of respondents (74%) who identified themselves as corporate board members “pointed the finger at themselves.”

The answer to the short-termism problem, the authors suggest, is not “another round of good-governance box checking and hoop jumping.” A better starting point, they suggest, would be “to help everyone firmly grasp what a director’s ‘fiduciary duty’ is.” The law in most jurisdictions stresses two core aspects of fiduciary duty, loyalty and diligence. Nothing, the authors note, “suggests that the role of a loyal and prudent director is to pressure management to maximize short-term shareholder value to the exclusion of any other interest.” To the contrary, “the logical implication is that he or she should help the company thrive for years into the future.”

If directors can keep their fiduciary duty firmly in mind, “big changes in the board room should follow.” If directors are focused on their fiduciary duty:

They will spend more time discussing disruptive innovations that could lead to new goods, services, markets, and business models; what it takes to capture value-creation opportunities with a big upside over the long-term; and shutting or selling operations that no longer fit. And they will spend less time talking about meeting next quarter’s earnings expectations, complying with regulations (although that must, of course, be done), and avoiding lawsuits.

In order to facilitate the “mental discipline of keeping long-term value creation in mind,” which would “help clarify choices and reform board behaviors,” the authors suggest four areas where “change is essential.”

First, the authors emphasize the importance of selecting the right people as directors. In particular, the authors suggest, “too many directors are generalists.” Boards all too often do not think about “attracting the right business expertise.” Boards that “combine deep relevant experience and knowledge with independence can help companies break through inertia and create lasting value.”

Second, boards should spend more quality time. The starting point here is simply to spend enough time. The authors suggest that public company directors “need to put in more days on the job and devote more time to understanding and shaping strategy.” Directors of large, complex firms should spend at least two days a month, or 24 days a year, on board responsibilities, in addition to attending regular board meetings. But more than the precise number of days, what “matters most” is “the quality and depth of strategic conversations that take place.” The example the authors give involves a company whose board members traveled to China before the company launched its Chinese initiative several years later. The board, the authors suggest, was anticipating and exploring directions that the company might later go.

In addition, the authors suggest that boards should develop nonfinancial metrics that will help guide strategy, particularly when the financial statements do not tell the entire story. Metrics the authors suggest include measures for gauging progress on key development activities, such as “implementing capital spending plans; achieving environmental, health and safety goals; and maintaining a healthy, well-funded balance sheet.”

Third, the authors suggest that boards should engage with long-term investors, whose ownership position makes them “a counterforce” to the marketplace forces that encourage a short-term outlook. The survey respondents suggested that regularly communicating long-term strategy and performance to key long-term shareholders “would be one of the most effective ways to alleviate the pressure to maximize short-term returns and stock prices.”

Finally, the authors suggest that companies should restructure the way directors are compensated for their board service. The authors recommend a move toward “longer-term rewards.” The authors suggest that the way “to really get directors thinking and behaving more like owners, ask them to put a great portion of their net worth on the table.” The authors suggest a combination of giving directors incentive shares that only vest some years after the directors step aside, and requiring incoming directors to purchase equity with their own money. The goal is to insist on a material investment that more directly ties a director’s financial incentives to the company’s long-term performance.

I found the authors’ analysis interesting. I was particularly interested in the authors’ use of fiduciary duty principles as a way to encourage better board performance. Fiduciary duty principles are invoked only as a potential source of director liability. (Ironically, the authors suggest that if directors spend more time focused on their fiduciary duties, among the things that boards will spend less time worrying about is “avoiding lawsuits.”) The authors’ creative use of fiduciary duty principles can help to “bring about a deep shift in culture, behavior and structure of public company boards,” to help companies to “deliver the kind of sustained value creation that long-term shareholders expect and that our society deserves.”

The Little Prince: From the web page of Jim Gelcer:

N.Y. Intermediate App. Ct. Allows D&O Insurers to Assert Public Policy Defense in Long-Running Bear Stearns Coverage Action

Posted in D & O Insurance

In the latest round in the long-running battle over whether there is D&O insurance coverage for the amounts Bear Stearns paid in settlement of an SEC enforcement action for alleged market timing, the D&O insurers may have finally found an issue on which they may be allowed to try to dispute coverage. Even though, in its January 15, 2015 opinion (here), the N.Y. Supreme Court, Appellate Division, First Department, affirmed the trial court’s dismissal of the carriers’ affirmative defense based on the “Dishonest Acts Exclusion,” the intermediate appellate court modified the trial court’s dismissal of the carriers’ affirmative defense based on the public policy doctrine precluding coverage for losses caused by intentionally harmful conduct. The intermediate appellate court has, however, already been reversed once before in this protracted coverage battle, so it remains to be seen where this latest development ultimately will leave the parties.

Background

In 2006, the SEC notified Bear Stearns that the agency was investigating late trading and market timing activities that units of Bear Stearns allegedly had undertaken for the benefit of clients of the company. Bear Stearns ultimately made an offer of settlement and – without admitting or denying the agency “findings” – consented to the SEC’s entry of an Administrative Order, in which, among other things, Bear Stearns agreed to pay a total of $215 million, of which $160 million was labeled “disgorgement” and $90 million as a penalty. Among other things, the SEC Order expressly stated that “The findings herein are made pursuant to [Bear Stearn’s] Offer of Settlement and are not binding on any other person in this or any other proceeding.”

At the relevant time, Bear maintained a program of insurance that totaled $200 million. Bear Stearns sought to have the carriers in the program indemnify the company for the $160 million amount in the settlement labeled as “disgorgement.” The carriers refused to pay, relying on several policy exclusions and public policy grounds, as well as on the doctrine precluding insurance for amounts that are in the nature of disgorgement. J.P. Morgan, into which Bear Stearns merged in 2008, filed an action in New York state court seeking a judgment declaring that the carriers’ policies provided coverage for the $160 million portion of the settlement, as well as the approximately $14 million paid to settle the parallel securities class action lawsuit, and defense fees.

The disgorgement issue went forward first. The trial court denied the defendants’ motion to dismiss, finding that there was a question whether the $160 million payment Bear Stearns had agreed to make was for improperly acquired funds and thus truly in the nature of disgorgement. The N.Y. Supreme Court, Appellate Division, First Department reversed the trial court, saying that the settlement documents “are not reasonably susceptible to any interpretation other than that” Bear Stearns facilitated late trading and that the settlement of the allegations “required disgorgement of funds gained through that illegal activity.”

However, as discussed here, in June 2013, the New York Court of Appeals reversed the appellate court, and denied the defendants’ motion to dismiss J.P. Morgan’s declaratory judgment action, holding that the language in the settlement documents did not “decisively repudiate Bear Stearns’ allegation that the SEC disgorgement payment amount was calculated in large measure on the profits of others,” as opposed to ill-gotten gains by Bear Stearns itself.

On remand, J.P. Morgan moved for summary judgment based on the Dishonest Acts Exclusion and based on the public policy doctrine precluding insurance coverage for monies paid by the insured as a result of intentional harm to others. In a February 28, 2014 opinion (here), New York (New York County) Supreme Court Judge Charles E. Ramos granted J.P. Morgan’s motion to dismiss the affirmative defenses based on the Dishonest Acts Exclusion and on public policy grounds, finding that the SEC’s administrative order did not represent a final adjudication so as to trigger either the Dishonest Acts Exclusion or the public policy defense. The insurers appealed.

The Dishonest Acts Exclusion provides that the policy does not apply to claims “based upon or arising out of any deliberate, dishonest, fraudulent or criminal act or omission … provided, however, such Insured(s) shall be protected under the terms of this policy … unless judgment or other final adjudication thereof adverse to such Insured(s) shall establish that such Insured(s) were guilty of any deliberate, dishonest, fraudulent or criminal act or omission.”

The January 15 Opinion

On January 15, 2015, in a 22-page opinion written by Associate Justice Angela M. Mazzarelli for a unanimous five-judge panel, the N.Y. Supreme Court, Appellate Division, First Department, affirmed the trial court’s ruling dismissing the carriers’ affirmative defense based on the Dishonest Acts Exclusion, but modified the trial court’s ruling as to the carriers’ affirmative defense based on public policy grounds.

The appellate court said that while the insurers stressed the issue of whether the resolution of the SEC enforcement action represented an “adjudication” for purposes of the exclusion, the insurers ignored the part of the exclusion requiring that any adjudication “establish” that the insureds were guilty of the precluded conduct. The dictionary, the court noted, defines “establish” as “to put beyond doubt,” adding that:

It can hardly be said that the SEC Order … put Bear Stearns’s guilt “beyond doubt,” when those same documents expressly provided that Bear Stearns did not admit guilt, and reserved the right to profess its innocence in unrelated proceedings. Again, in interpreting the policy we are guided by reason, and the defendants’ position that the settlement documents “establish” guilt is not reasonable.

However, while the appellate court held that the trial court had “properly dismissed” the defendants’ affirmative defense based on the Dishonest Acts Exclusion, the appellate court said that the trial court should not have dismissed the affirmative defense based on “the doctrine precluding, on public policy grounds, insurance coverage for monies paid by the insured as a result of intentional harm to others.”

In addressing the apparent inconsistency in refusing to rely on the “findings” in the SEC Order as a basis to support the enforcement of the Dishonest Acts Exclusion while referring to the same findings as possible support for the invocation of the public policy doctrine, the appellate court said “we have a stronger interest in enforcing public policy than we do in regulating private dealings between insurance companies and their customers that do not have an impact on public policy.”

The court added that it is not the business of courts to prevent companies and their regulators “from agreeing to submit to language in a consent order that preserves claims of innocence for the purposes of avoiding exclusions like the one at issue here.” At the same time, the court said, “courts should not countenance the use of such language for the purpose of preserving coverage for wrongful acts intended to harm others.” The intermediate appellate court added that the N.Y. Court of Appeals had said that “one of the two situations in which the contractual language of a policy may be overwritten is where an insured engages in conduct ‘with the intent to cause injury.’”

Discussion

This case’s shuttle between the various levels of the New York state court system is the kind of thing that drives litigation parties and other non-lawyers absolutely nuts. The piecemeal appellate review of the parties’ disparate arguments not only has resulted in a protracted procedural history, but each stage seems to push the ultimate resolution of this case further and further out into the endless future. It would be one thing if this case were now going to go back to the trial court for further proceedings on the question of whether or not the provision of insurance for the SEC settlement would be against public policy. However, if the prior history of this case is any indication, it seems probable that if J.P. Morgan can find a basis to appeal, it will seek to have the N.Y. Court of Appeals address the intermediate appellate court’s ruling allowing the carriers to assert their affirmative defense on public policy issues.

If J.P. Morgan were to seek a further review by the Court of Appeals, the company likely will argue, among other things, that the intermediate appellate court’s ruling on the public policy issues depends on a strained distinction: the court rejected the applicability of the SEC’s “findings” for purposes of triggering the Dishonest Acts Exclusion, yet relied on the very same “findings” as a sufficient basis from which to allege that Bear Stearns had an intent to cause harm sufficient to trigger the public policy doctrine. J.P. Morgan has an incentive to pursue the review if it is able, if for no other reason than that the last time around it was able to convince the Court of Appeals to reverse the intermediate appellate court.

For practitioners in this area, the intermediate appellate court’s consideration of the carriers’ defense based on the Dishonest Acts Exclusion makes for interesting reading. In particular, it is noteworthy not only that the appellate court considered whether or not the entry of the Consent Order represented an “adjudication” within the meaning of the exclusion. It is also noteworthy that the court emphasized the question of whether the entry of the consent order – even if it constituted an “adjudication” – “established” that Bear Stearns had been guilty of the precluded conduct. The word “established” is not often a focus of the discussion of the issues arising under this type of exclusion. This ruling underscores the fact that it is not alone sufficient that there may have been an adjudication, but the adjudication must establish that the exclusion applies.

The one thing that is clear at this point is that this long-running proceeding will go on. The SEC first launched its investigation in 2003. Bear Stearns entered the settlement with the SEC in March 2006. The insurance coverage case is already on its second passage through the appellate court system. But this dispute is far from over. The fundamental problem for everyone is that there is just too much money at stake. Anytime you have sums of money approaching a fifth of a billion dollars in dispute, the possibility of compromise is going to prove elusive, if not impossible.

Massive and Unusual Freeport-McMoRan Derivative Lawsuit Settlement Finalized

Posted in Shareholders Derivative Litigation

The parties to the Freeport-McMoRan Copper & Gold, Inc. Derivative Litigation have finalized an agreement to settle the consolidated litigation pending in the Delaware Chancery Court in exchange for a payment of $137.5 million and for the company’s agreement to adopt certain corporate governance reforms. The settlement represents the third largest derivative lawsuit settlement ever. It will largely be funded by D&O insurance. The settlement has what the plaintiffs’ lawyer called an “unprecedented provision” for the settlement proceeds (less attorneys’ fees and costs) to be paid to the company’s shareholders in the form of a special dividend. The settlement, which was previewed in an earlier post (here), is subject to court approval.

The parties’ Stipulation and Settlement Agreement can be found here. Liz Hoffman’s January 15, 2015 Wall Street Journal article describing the settlement can be found here. A January 15, 2015 press release from one of the plaintiffs’ law firms about the settlement can be found here.

If approved, the settlement will resolve allegations by Freeport’s shareholders that the company overpaid when it bought McMoRan Exploration and Plains Exploration & Production companies for a combined $9 billion. The shareholders had alleged that the Freeport board had conflicts of interest while negotiating the company’s summer 2013 purchase of McMoRan and Plains, owing to overlapping boards and ownership of the three companies involved. A copy of the plaintiffs’ amended complaint can be found here.

According to the parties’ settlement stipulation, the $137.5 million settlement will be funded by a $115 million payment from the company’s D&O insurers plus another $22.5 million from Freeport itself. The specific carriers involved in funding the settlement are not identified by name in the settlement stipulation.

The settlement stipulation also provides that the settlement is “conditioned upon the Freeport Board resolving to declare a special dividend” of the settlement amount less attorneys’ fees (in an amount to be determined by the court) and costs.

The various “Corporate Governance Enhancements” to which the parties agreed as part of the settlement are detailed here.

The settlement does not resolve the plaintiffs’ claims against Credit Suisse. Interestingly, the settlement agreement specifies that the settlement is conditioned upon the provision of a “complete waiver of any and all rights the D&O Carriers had, have, may have or will have to subrogation as to any amounts that may be recovered on Freeport’s behalf from Credit Suisse or any third party in the prosecution of claims” related to the transactions at issue. Presumably the carriers are well aware of this requirement and agreed to it in principle in advance.

As detailed in my list of the largest derivative lawsuit settlements (here), this settlement represents the third largest shareholder derivative lawsuit settlement ever, eclipsed only by the $139 million News Corp. settlement (here), and the $275 million Activision settlement (here).

The settlement’s provision for the special dividend payment to the company’s shareholders is interesting. One of the defining characteristics of shareholder derivative litigation as opposed to direct shareholder litigation is that in a derivative lawsuit the claimants assert the company’s own claims and seek a recovery from the defendants on behalf of the company itself, by comparison to a direct lawsuit in which the claimants assert their own claims and seek a recovery on their own behalf. However, in this derivative lawsuit settlement, the settlement proceeds net of fees and costs are to be funneled to the shareholders in the form of a settlement dividend, producing a result that in the end is tantamount to the kind of outcome typically sought in a direct action.

The plaintiffs’ lawyers’ press release to which I linked above quotes one of the attorneys as saying “We are pleased to be able to provide the shareholders of Freeport a significant monetary recovery.” That is not an unexpected kind of thing for a plaintiff lawyer to say upon settling a shareholder suit; it is just an unusual thing to be said after the settlement of a derivative lawsuit. More typically there would be a reference to producing shareholder value, which is a different message than saying a settlement is providing shareholders a “significant monetary recovery.” I am sure I am not the only one who thinks that the dividend feature of this settlement arguably blurs the lines between a derivative lawsuit and a direct action.

Alison Frankel has an interesting January 15, 2015 post on her On the Case blog (here) about this aspect of the Freeport settlement, which includes an examination of the question of whether a derivative lawsuit settlement with a feature like this to facilitate payment to shareholders might become a new model.

When I first heard about this settlement, I wasn’t sure what to think about the special dividend feature, and I had concerns that many insurance carriers might have qualms about having their insurance proceeds fund a dividend payment to their policyholder’s shareholders. But if you think of the dividend payment as simply a means for providing the proceeds of the settlement to the shareholders, it arguably is no different than the distribution of a class action settlement through more conventional class action litigation mechanisms. Just the same, I would expect carriers to have a certain wariness about getting dragged into funding shareholder dividends.

The payment of the settlement proceeds to the shareholders in the form of a special dividend raises an interesting insurance coverage question. Typically, it is contended that a shareholder derivative lawsuit settlement is not indemnifiable, because of the circularity problem involved with having the company indemnify the defendant for his or her payment to the company. For that reason, derivative lawsuit settlements generally are considered to trigger the Side A coverage under a D&O insurance policy, providing insurance for claims that cannot be indemnified whether due to insolvency or legal prohibition.

However, if the derivative lawsuit settlement payment is to be made to, or at least for the direct benefit of, the shareholders, the circularity problem drops out, and the settlement arguably is indemnifiable. If that were to be the case, the settlement would trigger the Side B coverage for indemnifiable claims. This matters because many companies carry significantly more Side A-only insurance than traditional insurance that includes Side B coverage. I am not sure whether any of these questions directly affected this settlement, but I could see them raising concerns in future cases where the parties tried to emulate this settlement and include a requirement for the settlement proceeds to be paid to shareholders in the form of a special dividend.

It is interesting to note that the derivative lawsuits involved here were initially filed as merger objection lawsuits, although they continued on after the merger transactions closed. The phenomenon of merger objection litigation has been something of a hobby horse issue for litigation reformers in recent years, owing to the fact that almost every M&A transaction these days attracts lawsuits and that many of the merger objection suits result in settlements that consist of nothing more than the defendant company’s agreement to additional disclosures about the transaction and the agreement to pay the plaintiffs’ attorneys’ fees. However, this case represents an example of the unusual merger objection case that results in a significant cash settlement. And even more unusually, the settlement proceeds here are to be paid directly to the shareholders. It would be difficult for critics of shareholder litigation to argue, as is often said of merger objection lawsuits, that these suits did not produce anything of value for shareholders.

Special thanks to a loyal reader for providing me a link to a news article about the settlement. Thanks also to another loyal reader for providing me with copies of the settlement papers.

Second Circuit Splits With Ninth Circuit, Holds Item 303 Omissions Can Be Actionable in Section 10(b) Claims

Posted in Securities Litigation

On January 12, 2015, the Second Circuit ruled, “as a matter of first impression” for the appellate court, that a failure to make a disclosure required by Item 303 of Reg. S-K is an omission that can serve as a basis for a Section 10(b) securities fraud claim, but only if the other requirements to state a Section 10(b) claim – such as materiality and scienter – have been met. In ruling that a failure to make an Item 303 disclosure can state an actionable Section 10(b) claim, the Second Circuit reached a different conclusion on the issue than did the Ninth Circuit in an October 2014 decision on the same question. The Second Circuit’s January 12, 2015 opinion in Stratte-McClure v. Morgan Stanley can be found here.

Background

This case involves a claim by Morgan Stanley shareholders that the company and certain of its directors and officers made misleading statements to conceal the company’s exposure to and losses from a massive proprietary trade the company had structured involving subprime mortgage-backed derivative securities. Among other things, the plaintiffs alleged that the company failed to disclose – as the plaintiffs alleged the company was required to do by Item 303 of Reg. S-K – that the company’s proprietary subprime mortgage-backed derivative investment would have an unfavorable material effect on revenue. The district court dismissed the plaintiffs’ claims, including the plaintiffs’ claims made in reliance on Item 303, and the plaintiffs appealed.

Item 303 of Reg. S-K, entitled “Management’s discussion and analysis of financial condition and results of operations,” imposes disclosure requirements on companies filing SEC-mandated reports, including quarterly filings on Form 10-Q. The requirements include the obligation to “describe any known trends and uncertainties … that the registrant reasonably expects will have a material … unfavorable impact on … revenues or income from continuing operations.”

The January 14 Opinion

On January 14, 2015, in a 32-page opinion by Judge Debra Ann Livingston for a unanimous three-judge panel, the Second Circuit affirmed the district court, holding that a failure to make an Item 303 disclosure can be actionable under Section 10(b), but ruling that the plaintiffs’ claim in this case was properly dismissed because the plaintiffs did not adequately plead scienter.

In ruling that a failure to make a disclosure required by Item 303 can be actionable, the appellate court reasoned that Item 303 imposed an affirmative disclosure duty on reporting companies. Omitting a required disclosure item, the court said, “can render … financial statements misleading.” The Court said “due to the obligatory nature of these regulations, a reasonable investor would interpret the absence of Item 303 disclosure to imply the nonexistence of ‘known trends or uncertainties… that the registrant reasonably expects will have a material unfavorable impact.’”

However, the appellate court added that the failure to make a required Item 303 disclosure “is not by itself sufficient to state a claim for securities fraud under Section 10(b),” noting that Rule 10b-5 makes only “material” omissions actionable.

The court said that the plaintiff must first allege that the defendant failed to comply with the requirements of Item 303, in order to establish that “the defendant had a duty to disclose.” Having established the duty to disclose, the plaintiff must then allege that the omission was material, and further that, as with any Section 10(b) claim, the plaintiff must also sufficiently plead scienter.

The appellate court went on to conclude that the plaintiffs had not adequately pled scienter, and affirmed the district court’s dismissal of the case.

The Second Circuit expressly acknowledged that in ruling that an omission of a disclosure required under Item 303 can be actionable its conclusion was “at odds with” the Ninth Circuit’s October 2, 2014 opinion in In re NVIDIA Corp. Securities Litigation. In that case, the Ninth Circuit held that Item 303’s duty is not actionable under Section 10(b), in reliance on language in an earlier opinion written by then-Judge (and now Supreme Court Justice) Samuel Alito when he was on the Third Circuit, stating that because the materiality standards for Rule 10b-5 and Item 303 differ significantly, a violation of Item 303 “does not automatically give rise to a material omission under Rule 10b-5.”

The Second Circuit felt that this language merely suggested, without deciding, that in certain instances a violation of Item 303 could give rise to a material omission. At a minimum, the Second Circuit noted, the language “is consistent with our decision that failure to comply with Item 303 … can give rise to liability under Rule 10b-5 as long as the omission is material … and the other elements of a Rule 10b-5 have been established.”

Discussion

The outcome of this appeal represents something of a win-the-battle-lose-the-war deal for the plaintiffs here. In the face of adverse recent precedent from the Ninth Circuit on the issue, the plaintiffs managed to persuade the appellate court on an issue of first impression for the Second Circuit that an Item 303 omission can be actionable under Section 10(b). But then, having established that principle, the appellate court nevertheless affirmed the district court’s dismissal of the case based on the conclusion that the plaintiffs’ scienter allegations were insufficient.

The plaintiffs’ bar in general may be heartened by the Second Circuit’s conclusion that an Item 303 omission can be actionable. However, their celebration is likely to be muted, as the Second Circuit included significant limitations on plaintiffs’ ability to assert these kinds of claims. First of all, to make out the omission in the first instance, the plaintiffs are going to have to establish that the allegedly omitted information was actually known to the defendants and significant. Second, as the Paul Weiss law firm noted in its January 14, 2015 memo about the Second Circuit’s ruling (here), even if the plaintiff can show that the disclosures were inadequate, in many cases, as in this case, “plaintiffs will face significant difficulties showing that the defendants intended to mislead investors by omitting information or were consciously reckless in that respect.”

In any event, we now have a split between the Second and the Ninth Circuits on this issue. This case – or at least this issue – could now find its way to the U.S. Supreme Court. As the Paul Weiss firm noted in its memo, “the issue may now be ripe for potential review by the Supreme Court.” The Supreme Court has shown an inexplicable interest in taking up securities cases in recent years, so the plaintiffs in this case may well decide to try their luck. Or as the issue percolates up in another circuit, the disappointed litigant in another case may try to catch the Supreme Court’s attention on the issue. Given the split in the circuits, this could be the kind of securities law issue that might catch the attention of the highest court.

It probably should be noted that while the Second Circuit’s opinion in this case is at odds with the Ninth Circuit’s opinion in the NVIDIA case, it arguably comes as no surprise, as the Second Circuit’s holding about Item 303 is consistent with its 2012 opinion in the Panther Partners case, in which the Second Circuit held that an Item 303 omission can state an actionable Section 11 claim, as discussed here.

As Part of White House Cyber Security Initiative, President Proposes Uniform Data Notification Rules

Posted in Cyber Liability

As previously discussed on this blog (see, for example, here), over the years there have been a number of different responses from the federal government to the threat of cyberattacks on U.S. companies and infrastructure, but overall the government’s track record on the issue is mixed. However, according to a January 12, 2015 Wall Street Journal article entitled “White House Aims to Harden Cyberattack Defense” (here), the White House is about to try again to address the issue, through new legislative proposals to be announced this week and in the President’s upcoming State of the Union address, and through an executive order to be introduced later this year. These initiatives arise as Department of Homeland Security data show that the number of cyber incidents reported to the agency has more than doubled in two years.

In a January 12, 2015 speech at the Federal Trade Commission, President Obama previewed a number of the initiatives he will be detailing in the State of the Union address, as discussed further below. According to the Journal, the White House’s proposals overall will focus on improving company disclosures around cyber breach events and on “improving how threats are shared between the U.S. government and companies.” The Journal article notes that “Sharing information [has] long been a thorny project given that companies are reluctant to share details of breaches and government agencies want to keep their own intelligence closely by.”

The Journal article also details statistical information from the Department of Homeland Security showing that the number of cyber incidents reported to the agency during the 2013 fiscal year (which ended September 30, 2013) more than doubled compared to the number of reports during the 2011 fiscal year. A graphic accompanying the article shows that in fiscal 2014, there were 228,700 cyber incidents reported to the agency, compared to just over 100,000 in the 2011 fiscal year. A note to the graphic comments that the statistics reflect cyber intrusions targeting government agencies, companies, organizations, and individuals in the U.S., and adds the further comment that “the actual number could be higher.”

In his January 12 speech at the Federal Trade Commission (here), President Obama announced his introduction of the Personal Data Notification & Protection Act, in order to implement nationwide, uniform consumer data breach notification rules. (Right now, there are 47 different state laws that govern data breach notifications.) As the President described the legislation in his speech, “under the new standard that we’re proposing, companies would have to notify consumers of a breach within 30 days. In addition, we’re proposing to close loopholes in the law so we can go after more criminals who steal and sell the identities of Americans — even when they do it overseas.”

The President’s speech also announced the White House’s introduction of the Student Digital Privacy Act, which is meant to stop the sale of sensitive student data for non-education purposes, as well as his support for a Consumer Privacy Bill of Rights. As discussed in a January 12, 2015 CNN article (here), the President’s forthcoming State of the Union address (which he will deliver to Congress on January 20, 2015) will include greater detail on the initiatives he introduced in his speech at the FTC.

The Department of Homeland Security data, while perhaps understating the issue, confirm a sense that I think most of us have about this issue, which is that it is quickly growing worse. It is hard to tell now from the publicly available information, but the extent of the White House’s disclosure-related approach to cyber security issues may be restricted to the consumer data breach notification questions. But it is in any event not a surprise that the White House has chosen to focus on disclosure-related issues. Indeed, a disclosure focus has been among the principal responses of a number of federal agencies that have already tried to grapple with the issue.

Certainly that was among the approaches that the SEC took when it issued guidance on cyber security related issues. On October 12, 2011, the SEC issued guidance regarding the disclosure obligations of public companies relating to cyber security risks and cyber incidents. The focus of this guidance was on whether information concerning cyber security and cyber incidents rose to the level of a disclosure obligation either as a risk factor under Regulation S-K Item 503(c) or in the MD&A section of a company’s mandatory SEC disclosure.

The focus of the SEC’s guidance was the question that companies are to ask themselves with respect to cyber security issues – that is, whether the “costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition.” If this question is answered in the affirmative, then, the agency’s guidance specifies, there are a number of specific categories of information that the company might address. The discussion of these issues might include the following:

  • Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
  • To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
  • Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
  • Risks related to cyber incidents that may remain undetected for an extended period; and
  • Description of relevant insurance coverage.

As I discussed in another post (here), these disclosure issues have proven to be an area of focus for the SEC’s Division of Corporate Finance. Just the same, as discussed here, a study based on a review of actual disclosures in companies’ periodic filings shows that very few companies are actually including disclosures in their periodic reports about cyber incidents at the companies. The small number of companies including this information represents “a seemingly low number given the number of attacks that appear in the press on a regular basis.” The report notes further that none of the companies that disclosed actual attacks included the associated cost, even though the SEC’s Guidance requests the dollar costs of the attacks that have occurred.

It is possible that the White House’s disclosure-related approach to these issues will be limited to the consumer data breach notification requirements, and will not extend or relate to the requirements for breach notifications to investors. However, even if the White House does not go in that direction, I think there will continue to be pressure on these issues, from the SEC as well as from investors themselves.

I also continue to believe that at some point, perhaps in the near future given the administration’s focus on cyber security issues, the SEC or another enforcement agency will seize upon developments at a particular company as a test case in order to make an example. Among the many downsides to this approach, if it were to be put into action, is that the enforcement action could look a lot like kicking a company when it is down or blaming the victim for its misfortune. In any event, it is clear that cyber security-related disclosure issues will remain a key focus in the months ahead and are likely to continue to be a source of scrutiny and of challenge for companies as they all seek to grapple with the cyber security concerns.

Professional Liability Insurance: Two Policies But No Coverage Due to Untimely Notice

Posted in D & O Insurance

In a January 9, 2015 opinion (here), the Eighth Circuit, applying Missouri law, held that there was no coverage under either of two successive professional liability insurance policies issued by the same insurer for a claim against its insured, LSi-Lowry Systems, because the claim was first made before the inception of the second policy and because LSi had not given timely notice of claim under the first policy. The appellate court rejected LSi’s argument that its email exchange with a dissatisfied customer during the policy period of the first of the two policies did not constitute a claim.

Background

LSi sold Hodell-Natco Industries business software and software support services. The software went live on March 1, 2007 and software performance issues immediately emerged. In a lengthy series of emails that followed between the two companies, Hodell complained about the performance issues and demanded that LSi remedy the defects. Within days, Hodell threatened legal action. On April 27, 2007, Hodell sent emails asking “who will pay for damages” and advising that the company had retained legal counsel. On June 25, 2007, Hodell demanded that LSi correct the problems “or reimburse Hodell-Natco for the expense.”

On July 24, 2007 Hodell’s lawyer sent LSi a letter stating that the company is “compelled to declare [LSi] in material default of their agreements,” advising that Hodell “will pursue all legal and equitable remedies available to us,” and demanding that LSi have their attorneys contact Hodell’s counsel in order to “discuss an amicable resolution to this matter.” LSi acknowledged receipt of the letter, asking “You are asking for remedies (ie money?) Correct?”

On January 23, 2008, Hodell sent LSi an email stating “We are offering you the chance to resolve this situation by refunding the TOTAL funds we’ve paid to LSi,” adding “Don’t you carry professional liability insurance for this type of issue? …In an effort to avoid a dragged-out lawsuit, we made a proposal to resolve this matter in a manner that gave us a small amount of relief, far short of our total cost.”

On November 21, 2008, Hodell filed a lawsuit against LSi in the Northern District of Ohio asserting claims for fraud, breach of contract, negligence and negligent misrepresentation arising from the performance issues with the software. On December 8, 2008, LSi first notified its professional liability insurer of Hodell’s claims.

LSi had two successive professional liability insurance policies issued by the same insurer. The first was issued for the policy period April 23, 2007 to April 23, 2008; the second was effective from April 23, 2008 to April 23, 2009. Both policies required LSi to provide notice during the policy period of any “claim made against [it]” or “any circumstance that could reasonably be expected to give rise to a claim.” In the 2007 policy, a “claim” was defined as “a demand receive [sic] by the Insured for money, including the service of suit or institution of arbitration proceedings involving the Insured.” In the 2008 policy, the definition of a “claim” changed to “a demand received by you for money or services, including the service of suit or institution of arbitration proceedings involving you arising from any alleged wrongful act.” (Emphasis added).

The insurer denied coverage for Hodell’s lawsuit against LSi and instituted an action in the Eastern District of Missouri seeking a judicial declaration that neither of its policies provided coverage for the lawsuit. The district court granted the insurer’s motion for summary judgment, agreeing with the insurer that LSi did not provide timely notice of claim during the policy period of the 2007 policy, when, the district court held, the claim was first made. LSi appealed.

The January 9 Opinion

On January 9, 2014, in an opinion by Judge Jane Louise Kelly for a unanimous three-judge panel, the Eighth Circuit affirmed the district court, holding that there was no coverage for the claim under either of the two professional liability insurance policies.

The district court had concluded there was no coverage under the 2007 policy because LSi did not give notice of claim or potential claim to the insurer within the 2007 policy period. The appellate court said “We agree with the district court,” quoting the district court’s statement that “by the plain language of the 2007 policy, there is no coverage.”

The district court also found that there was no coverage under the 2008 policy because it concluded that the email communications between LSi and Hodell between March 2007 and April 23, 2008, when the 2008 policy incepted, constituted a claim. The appellate court said, quoting with approval from the district court opinion, “We agree with the district court that the communications ‘show that Hodell blamed LSi for the functionality problems of the software, requested that LSi fix the issues, and expected LSi to pay the associated costs.’”

The appellate court also rejected LSi’s argument that the district court had erred in relying on the definition of “claim” in the 2008 policy – which included “a demand for money or services” – rather than analyzing the question using the definition of “claim” in the 2007 policy, which defined a claim solely as “a demand for money.” LSi argued that Hodell did not make a claim against LSi during the 2007 policy period because Hodell did not make a specific demand for money.

The appellate court said “As an initial matter, we question whether the definition of a claim in the 2007 policy would apply when determining coverage under the 2008 policy.” But, the court added, in any event, the term “claim” in both policies included a “demand for money” within the definition. The court reviewed the various statements in the email communications and concluded that “Regardless of which definition applies, the result is the same: The communications between Hodell and LSi prior to the date coverage began under the 2008 policy constituted a ‘demand for money’ and therefore amounted to a ‘claim.’”

The appellate court also rejected LSi’s contention that the email correspondence at most reflected Hodell’s dissatisfaction with LSi’s performance of its contract, which would not be covered under the policy, rather than a claim of negligence, and that therefore, LSi argued, it was not required to give the insurer notice of claim. The court said “While the evidence may support the assertion that Hodell believed LSi had breached its contract, Hodell made it clear to LSi it intended to pursue all legal and equitable remedies – not just a suit premised on breach of contract.”

Finally, the appellate court rejected LSi’s argument that the insurer should have been required to show that it was prejudiced in order to rely on LSi’s failure to give timely notice as a defense to coverage. The appellate court said that “Missouri law does not require an insurer to show prejudice under a claims made policy.”

Discussion

It is a common misunderstanding for those not immersed in insurance terminology that a claim is a lawsuit and that if there isn’t a lawsuit there isn’t a claim. Just the other day, the general counsel of one of my clients contested my suggestion that his company should give notice of claim to its insurers, telling me that there was no need to give notice because no lawsuit had been filed or served. (I managed to persuade him otherwise.)

Most liability policies define the term “claim” more broadly than just a lawsuit. Indeed, in recent years, there has been a steady evolution of policy language broadening the definition of the term “claim.” The general industry view is that a broader definition of the term claim is in the policyholder’s interests. But this case is a reminder that if the policy’s definition of claim has been met, the definition has been met for all purposes, including for purposes of the determination of the “claims made” date. In this instance — as in the case I discussed last week (here) where service of a subpoena prior to the policy period was held to be a claim and to establish the date on which a claim was first made — a broader definition of the term “claim” can in some circumstances wind up precluding coverage for the policyholder.

It is pretty clear that the district court and the appellate court thought that LSi had sat on its rights. The email correspondence in 2007 and early 2008 does reflect a steady stream of threats of litigation and demands for recompense. The email chain also reflects the claimant’s query – somewhat ironic in retrospect – asking whether LSi had professional liability insurance for this sort of dispute. I will say that this case is a good illustration of the reason for my standard rule of thumb about giving notice, which everyone around me has heard me say a million times, and that is – always give notice. No matter what, put the notice in and worry later about whether there is coverage or what the impact of the notice will be on the renewal.

Just the same, there is something frustrating to me about the outcome of this case. The carrier was on the risk throughout the period of the dispute and when the lawsuit was filed. This isn’t a case where the coverage had moved to a different carrier between the first policy period and the second policy period (which was an issue in the case about the SEC subpoena, which I discussed in a post last week). The carrier here had been paid two annual premiums to provide coverage for exactly the kind of lawsuit that was filed against LSi. To be sure, the appellate court said that under applicable law the carrier did not have to show prejudice in order to be able to deny coverage for the untimely notice, but it does seem unsatisfying that the carrier is off the hook for a process delay that caused no harm. The policyholder is deprived of the coverage for which it paid through a simple failure to recognize that the circumstances amounted to a claim under the policy, even though the delay in giving notice caused no harm.

 

In the end, this decision is a reminder that under a liability policy, both the policyholder and the insurer have duties. A liability insurance policy involves more than just an insurer’s duty to pay certain kinds of losses under certain circumstances. It also involves certain duties for the policyholder, including the duty to give timely notice in the event of a claim. The policyholder’s provision of timely notice is a prerequisite to coverage. As harsh as it may seem, the risk is on the policyholder that it might fail to recognize that a given set of circumstances involves a claim and therefore fail to give timely notice. The lesson is that policyholders must be diligent in protecting their interests. (My earlier post about policyholders’ obligations under the insurance policy can be found here.)

 

Guest Post: Changing the Cyber Security Playing Field in 2015

Posted in Cyber Liability

As I have noted in a number of recent posts, there have been a host of significant cyber security developments, including the Sony Pictures Entertainment hack. These developments have a number of important implications for the cyber security arena in the year ahead. In the following guest post, Paul Ferrillo of the Weil Gotshal law firm takes a look at the implications of these developments for companies and their executives. A version of this alert was initially distributed as a Weil client alert.

I would like to thank Paul for his willingness to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to readers of this blog. Please contact me directly if you are interested in submitting a guest post. Here is Paul’s guest post.

****************************************** 

“If this incident [Sony] isn’t a giant wake-up call for U.S. corporations to get serious about cybersecurity, I don’t know what is. I’ve done more than two dozen speaking engagements around the world this year, and one point I always try to drive home is that far too few organizations recognize how much they have riding on their technology and IT operations until it is too late. The message is that if the security breaks down, the technology stops working – and if that happens the business can quickly grind to a halt. But you would be hard-pressed to witness signs that most organizations have heard and internalized that message, based on their investments in cybersecurity relative to their overall reliance on it.”

– Author Brian Krebs, Dec. 20, 2014.[i]

“For those worried that what happened to Sony could happen to you, I have two pieces of advice. The first is for organizations: take this stuff seriously. Security is a combination of protection, detection and response. You need prevention to defend against low-focus attacks and to make targeted attacks harder. You need detection to spot the attackers who inevitably get through. And you need response to minimize the damage, restore security and manage the fallout.”

– Professor Bruce Schneier, Dec. 19, 2014.[ii]

Without a doubt, the last month in the world of cyber security has been tumultuous. It has now been confirmed that two companies in the United States have potentially been the subject of cyber-terrorism. Servers have been taken down or wiped out. Businesses have been significantly disrupted. Personally identifiable employee information has been shoveled by the pound onto Internet credit card “market” sites. The cyber security world has changed. And two of the most respected men in cyber security have delivered similar messages: it is time for U.S. corporations to take this stuff seriously.

This alert does not aim to recount the parade of horribles of 2014; rather, we write to suggest three modifications that are highly achievable in the corporate world that have the potential to make our cyber security world a little bit better in 2015.

More Cyber Governance – More NIST Discussions – More Information Sharing

On the first day of Christmas, my true love gave to me: the NIST cyber security framework.

In reality, on February 12, 2014, the Obama Administration, through the National Institute of Standards and Technology (NIST), announced the NIST Cyber Security Framework to “allow organizations – regardless of size, degree of cyber risk or cybersecurity sophistication – to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure.”[iii] In sum, the Framework focuses U.S. infrastructure companies on five basic steps:

1) Describing their current cybersecurity posture

2) Describing their target state for cybersecurity

3) Identifying and prioritizing opportunities for improvement within the context of a continuous and repeatable process

4) Assessing progress toward the target state

5) Communicating among internal and external stakeholders about cybersecurity risk[iv]

In sum, NIST focuses companies on two simple questions: (1) where are they currently with cybersecurity, and (2) where do they want to be in the future?

Even more elegant is the simple way the Framework’s five core functions steer conversations regarding how a company should review its core processes for protecting its most precious IP, trade secrets or customer information:

  • Identify – Developing the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. In other words, what are the most prized IP assets, and where are they located, e.g. off-line servers, network servers, or the cloud?
  • Protect – Developing and implementing the appropriate safeguards to protect the company’s most valuable IP assets.
  • Detect – Developing and implementing the appropriate activities to identify the occurrence of a cybersecurity event. An event may turn out to be nothing once it is appropriately investigated. An event that is missed, or not recognized as something more severe, might turn into a catastrophic incident resulting in a mega-breach.
  • Respond – Developing and implementing the appropriate activities to take action on a detected cybersecurity event, starting with an Incident Response Plan.
  • Recover – Developing and implementing the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.[v]

A thorough reading of the history behind the Framework will point to two conclusions: (1) it was not meant to become the national standard for cyber security best practices here in the United States (the Framework expressly says adoption of its principles is “voluntary,” though many will argue that it is already de facto a national standard being used by the government and its third-party vendors), and (2) the Framework was designed so that executives and employees of any company could, using a common language, determine the “what, who, where, when and how” to protect its most valuable intellectual property assets.

Though some take issue with the lack of specificity regarding implementation of the standard, we would argue that is the point. No company is the same. No IP is the same. Therefore, there is no one perfect method for protecting a company’s data. But there was a need to help companies organize their discussions around cyber security in a way that could be used by all directors, officers, and employees, whether they are technologically savvy or not, to better their cyber security posture and defenses. And that is what the Framework is all about.

However, if the Framework has become at the very least a national standard for cyber security, then are companies actually using it to facilitate discussions aimed to better their cyber security posture? How often are they using it? Annually? Quarterly? Are they using it at all? And if companies are not using the de facto national standard for cyber security, then why is that the case?

If companies are using the Framework, how are they documenting discussions concerning improving their cyber security posture? Or are they just not documenting their cyber related discussions at all? Good cyber governance starts with information and discussion, traveling from bottom to top and then from top to bottom. There is no “run and hide” option here as that could land a board of directors with a major cyber breach on its hands and no documentation to rely upon to show they exercised their fiduciary duties of oversight over the enterprise’s risk management. It could also land the company in further hot water with the plaintiffs’ bar, which is becoming ever more successful, requiring the company to prove it did as best it could regarding cyber security despite the fact that a hacker still accessed its network.[vi]

More (and Better) Employee Training and Education

Employee cyber training and education concepts could themselves be the subject of any number of articles or books. We mention them here in an attempt to raise two points to consider:

1. Employee phishing and spearphishing training is imperative.

Some of the most notorious cyber espionage campaigns against companies and industries have started from the most innocent-looking emails sent to an unsuspecting company employee or executive under the guise of an email from a bank or credit card company. When the employee unsuspectingly opens the attachment or follows the link, it drops malware on the company computer, which then spreads across the network. “Once on a system, the malware gathers information such as the operating system version, computer name, user name, and local IDs, as well as system drive and volume information. All the data that is collected is encrypted and sent to a cloud account … in an apparent attempt to avoid detection by anti-malware tools.”[vii] Then the hacker goes to work stealing the company’s most valued business information, including business plans, M&A-related information, consumer information, and personally identifiable information.[viii]

The above threat vector is called “phishing,” or, in its more targeted form, “spear phishing,”[ix] because the email “phishes” for an unsuspecting and usually innocent employee who will inadvertently wreak havoc on the company by opening it. “91 percent of cyber-attacks start with spear phishing….”[x] “Phishing remains a very real threat to organizations of any size. Symantec research showing a 91% increase in spear-phishing attacks from 2012 to 2013 tells us that much.”[xi] Says another expert, “The pool of spear phishing targets in 2015 will be larger and not just limited to a select few, like executives….”[xii]

Many companies train their employees monthly using simulated phishing emails designed to look like they came from either the company itself or another trusted source. Training employees on anti-phishing techniques should lower the success rate of phishing emails. Indeed, one vendor study of three companies reported that “between 26% and 45% of employees at those companies were Phish-prone, or susceptible to phishing emails. Implementation of [training] immediately reduced that percentage by 75%; with subsequent phishing testing over four weeks resulting in a close to zero phishing response rate across all three companies.”[xiii]

Training is a good idea. Investing in more training this year would be an even better idea.

2. Employee intrusion detection training is also essential.

Many companies now employ a host of intrusion detection devices to attempt to detect a cyber-intrusion. These devices generate large volumes of log data, which could contain evidence of either network anomalies or common host-based artifacts of data theft. These could include:

  • Evidence of abnormal user activity;
  • Evidence of login activity outside expected hours;
  • Odd connection durations;
  • Unexpected connection sources;
  • Evidence of abnormally high CPU or disk utilization;
  • Evidence of File Artifacts associated with the use of common compression tools; and
  • Evidence of recently installed or modified services.[xiv]

These logs are obviously very long and complicated. Given that attackers have often been present on a company’s network for a long time before they are discovered (a reported average of 229 days), and given that many of the high-end intrusion detection devices companies are employing are very good technically, many argue that there is a mismatch between man and machine.
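To make the list of artifacts above concrete, here is a small detection pass over a handful of constructed log lines. It is an added example, not code from the Weil alert or from the Luttgens, Pepe and Mandia book it cites. The log format, the business-hours window, the internal address ranges, the session-length threshold, the list of archiver names and the sample lines themselves are all assumptions made for the example; a real deployment would take these from the company’s own baseline (a backup service account logging in at 2 a.m. may be perfectly normal, which is exactly the tuning the training discussed below is for).

```python
"""Toy detection pass over constructed host/network log lines.

Added example, not code from the Weil alert or from the Luttgens/Pepe/Mandia
book it cites. The log format, the business-hours window, the internal
address ranges, the session-length threshold and the sample lines below are
all assumptions made for the example.
"""
import re
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample lines: "<ISO timestamp> <user> <event> key=value ..."
SAMPLE_LOGS = [
    "2014-12-01T09:12:04 jsmith LOGIN src=10.1.4.22 dur=1800",
    "2014-12-01T23:48:10 jsmith LOGIN src=10.1.4.22 dur=45",
    "2014-12-02T02:15:31 svc_backup LOGIN src=198.51.100.7 dur=43200",
    r"2014-12-02T10:03:00 mlee EXEC cmd=7z.exe a C:\Users\mlee\AppData\Local\Temp\out.7z",
    r"2014-12-02T10:05:00 mlee SERVICE_INSTALL name=WinUpdSvc path=C:\ProgramData\upd.exe",
    "2014-12-02T11:00:00 mlee EXEC cmd=notepad.exe report.txt",
]

# Hypothetical policy: expected working hours, internal networks, longest normal session.
BUSINESS_HOURS = (time(7, 0), time(19, 0))
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
MAX_SESSION_SECONDS = 8 * 3600
# Archivers commonly used to stage data before it is taken off the network.
COMPRESSION_TOOLS = {"7z.exe", "rar.exe", "winrar.exe", "zip.exe", "tar", "gzip"}

# key=value pairs; a value runs until the next " key=", so commands may contain spaces.
_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_line(line):
    """Split one line into ts (datetime), user, event and its key=value fields."""
    parts = line.split(" ", 3)
    ts, user, event = parts[:3]
    rest = parts[3] if len(parts) > 3 else ""
    rec = {"ts": datetime.fromisoformat(ts), "user": user, "event": event}
    rec.update(_KV.findall(rest))
    return rec


def in_business_hours(ts):
    start, end = BUSINESS_HOURS
    return start <= ts.time() < end


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect(lines):
    """Apply each rule to each line; return one finding per rule hit."""
    findings = []
    for line in lines:
        rec = parse_line(line)

        def hit(rule, detail):
            findings.append({"rule": rule, "user": rec["user"],
                             "ts": rec["ts"].isoformat(), "detail": detail})

        if rec["event"] == "LOGIN":
            if not in_business_hours(rec["ts"]):                # activity outside expected hours
                hit("after_hours_login", rec["ts"].strftime("%H:%M"))
            if "src" in rec and not is_internal(rec["src"]):    # unexpected connection source
                hit("external_source", rec["src"])
            if int(rec.get("dur", 0)) > MAX_SESSION_SECONDS:    # odd connection duration
                hit("long_session", rec["dur"] + "s")
        elif rec["event"] == "EXEC":
            # First token of the command line, without any directory prefix.
            exe = rec.get("cmd", "").split(" ", 1)[0].rsplit("\\", 1)[-1].lower()
            if exe in COMPRESSION_TOOLS:                        # compression-tool artifact
                hit("compression_tool", rec["cmd"])
        elif rec["event"] == "SERVICE_INSTALL":                 # recently installed service
            hit("new_service", f"{rec.get('name')} -> {rec.get('path')}")
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f"{f['ts']}  {f['user']:<11} {f['rule']:<18} {f['detail']}")
```

Run as a script it prints six findings for the sample lines: one after-hours login for jsmith, three hits (after-hours, external source, twelve-hour session) for svc_backup, the 7-Zip staging command and the newly installed service for mlee, and nothing for the two routine lines. The point is not the rules themselves, which are crude, but that each of the artifacts in the list maps to a concrete check someone on the team has to own, tune and review.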

We are not sure there is a good answer to the man v. machine question. Some intrusion detection systems are so sophisticated that a lot of the high-level examination and analytical work can be done automatically, saving time and effort chasing false alerts and highlighting potentially malicious activity. Others are not. We express no opinion other than caveat emptor.

Nevertheless, company employees should be trained, thoroughly and repeatedly, on their intrusion detection systems so that false positives can be recognized and set aside and potentially dangerous incidents can be identified. Many intrusion detection vendors offer such training routinely, and it should be taken advantage of at all levels, as the longer malware is on company servers, the more time there is for it to wreak havoc on the network.

A Table-Topped, Battle-Tested, Infantry-to-Board of Directors, Incident Response Plan

In previous alerts,[xv] we have spoken at length about the value of Incident Response Plans (IRPs).[xvi] Below are some additional relevant facts:

  • The Ponemon 2014 Cost of Data Breach Study: United States reported that the average cost for each lost or stolen record was $195. However, if a company has a formal incident response plan in place prior to the incident, the average cost of a data breach was reduced as much as $17 per record. Appointing a CISO to lead the data breach incident response team reduced the cost per lost or stolen record by $10.[xvii]

There has been much talk in the industry of the importance of a chief information security officer, or CISO. Though every organization has to make its own determination as to whether such a position is needed within its company, at the very least someone needs to be 100% responsible for network security issues. That role is often filled by the CISO.

According to the above statistics, a CISO can often be an incredible asset to any mid-to-large size company. As noted in one recent retailer breach, the company “didn’t have an advocate at the C-level, as an executive, advocating for IT security investment…..If [the company’s] senior management had known of such risks and what was at stake, they would have “made very different choices” as to how it structured its organization, and how it invested in capabilities to defend the company’s data.”[xviii]

  • IRPs should be practiced at least once a quarter and the owner of the IRP (presumably the CISO) should update the plan as needed to account for new plans, new vendors, or new data protection strategies.
  • IRPs should be practiced by everyone – from IT departmental heads, to CEOs, to board members – and should include vendors, forensic consultants, IR/PR consultants and lawyers to make the training as real as possible. It’s important to practice for the worst.  If something less than that occurs, then everyone should be on the same page when the next incident happens. If something in the IRP doesn’t work, then it would be good to know that beforehand, rather than during an actual data breach.

2015

For many companies, it is probably time to get serious. The events of December 2014 have proved that we have most likely entered into a whole new phase of cyber-intrusions, cyber-attacks and cyber-terrorism. Our network perimeters have plenty of penetration points to attack. And the Emperor’s New Clothes are showing.

The events of late 2014 will require a new round of discussion with boards of directors and their C-Suite executives about company cyber security policies and what companies can do to mitigate the cyber risks involved. The critical IP assets of a company need to be fully and completely identified and protected as best as possible, using a variety of strategies including virtualization and private cloud strategies. History has shown that strong perimeter defenses are no barrier to a determined hacker. Board discussions must occur, changes and improvements need to be documented, and incident response plans (including provisions for the outright destruction of data, not just theft or tampering) need to be reviewed, modified as necessary and practiced. At a minimum, companies can insure for some of their cyber risk exposures through cyber insurance. Network security takes a village, involving every employee of the company. A culture of security needs to be instilled in every person touching a keyboard or a keypad.

Additionally, as cyber breaches have impacted varying industries in the U.S., each has come away with separate lessons to be learned from each event. Because not all malware is one-of-a-kind, information sharing would be incredibly helpful to all organizations.  We cannot defeat this problem alone. We need to work together in a public/private partnership to share threat information. In this vein, Congress should pass the Cybersecurity Information Sharing Act as soon as possible in the coming term.[xix]

By using some of the strategies we outline above, we can hopefully do a better job this year protecting our companies, businesses, and employees.

We need to do better in 2015.

We wish our clients, business colleagues and friends a Happy, Healthy and Safe Cyber New Year.


[i] See “FBI: North Korea to Blame for Sony Hack,” available here.

[ii] Mr. Schneier, a security technologist, is a fellow at the Berkman Center for Internet and Society at Harvard Law School. His recent Op-Ed Essay in the Wall Street Journal is available here.

[iii] See “NIST Releases Cybersecurity Framework Version 1.0,” available here.

[iv] See the Framework, available here.

[v] Id. See generally, “Understanding and Implementing the NIST Cyber Security Framework,” available here.

[vi] See e.g. “Banks’ Lawsuits Against Target for Losses Related to Hacking Can Continue,” available here; “Another Target data-breach lawsuit can proceed, judge says,” available here.

[vii] See “’Inception’ Cyber Espionage Campaign Targets PCs, Smartphones,” available here.

[viii] See “Hackers Stealing Business Secrets to Game the Stock Market,” available here; “ICANN targeted by Spear Phishing attack, several systems impacted,” available here.

[ix] Spear phishing is a psychologically more compelling form of phishing based upon socially engineering the email to the unsuspecting employee.  See e.g. “3 low-tech threats that lead to high-profile breaches,” available here.

[x] See “APT Mitigation: The Human Way,” available here.

[xi] See “Phish Your Own Staff: Arming Employees to Beat Modern Attacks,” available here.

[xii] See “Spear Phishing: A Bigger Concern in 2015,” available here.

[xiii] See “New KnowBe4 Statistics Reveal Security Awareness Training Reduces Phishing Susceptibility by 75%,” available here.

[xiv] See Luttgens, Pepe and Mandia, “Incident Response and Computer Forensics,” (3rd Ed. 2014) at pp. 263-264.

[xv] See “The Importance of a Battle-Tested Incident Response Plan,” available here.

[xvi] See “The Importance of a Battle-Tested Cyber Incident Response Plan,” available here.

[xvii] See “Is Your Company Ready for a Big Data Breach? The Ponemon Second Annual Study on Data Breach Preparedness,” available here.

[xviii] See “Target’s Lack of CISO Was ‘Root Cause’ of Systems Breach,” available here.

[xix] See “Eyes turn to the next Congress as Sony hack exposes cybersecurity flaws,” available here.

D&O Insurance: No Coverage for Enforcement Action Because Claim First Made When SEC Subpoena Served Before Policy Inception

Posted in D & O Insurance

A recurring D&O insurance coverage issue involves the question of whether or not a subpoena constitutes a claim, as I have noted in prior posts (for example, here). When this issue comes up, the dispute is usually over whether or not there is coverage under the policy for the costs of responding to the subpoena and ensuing costs. But there are other implications if a subpoena is a claim, as was demonstrated in a January 6, 2015 decision (here) by District of Massachusetts Judge Rya Zobel.

 

Judge Zobel ruled that there was no coverage under BioChemics, Inc.’s D&O insurance policy for defense costs incurred in an SEC investigation and enforcement action against the company and its CEO where the company had been served with an investigative subpoena before the policy commenced. Judge Zobel held that the claim was first made when the subpoena was served, before the policy incepted, and therefore was not covered under the policy.

 

Background

On May 5, 2011, the SEC entered a formal order of investigation against BioChemics and its officers. On May 9 and September 12, 2011, the SEC served BioChemics with document subpoenas. The subpoenas referenced the formal order of investigation. On January 12, 2012, the SEC served deposition subpoenas on the company’s CEO and two other individuals. In March 2012, the SEC served subpoenas for additional documents on the company and its CEO. The 2012 subpoenas referenced the May 2011 formal order. In December 2012, the SEC filed an enforcement action against BioChemics, its CEO, and two stock promoters who had worked with BioChemics.

 

This coverage dispute involves the D&O insurance policy that BioChemics had in place during the period November 13, 2011 to November 13, 2012. BioChemics had D&O insurance in place before November 2011, but that insurance had been issued by a different insurance carrier. BioChemics notified the new D&O insurer of the January and March 2012 subpoenas. The insurer denied coverage, contending that the entire SEC investigation was a single “claim” that had commenced when the SEC issued its first document subpoena in May 2011, before the insurer’s policy went into effect.

 

Biochemics and its CEO initiated a lawsuit against the insurer seeking coverage under the D&O insurance for the defense costs incurred in the investigation and enforcement action. The parties cross-moved for summary judgment.

 

The claims made D&O insurance policy at issue provided that “Coverage under this Policy shall apply only with respect to Claims deemed to have been first made during the Policy Period and reported to the insurer in accordance with the terms herein.”

 

The policy defined “Claim” to mean, among other things, any “civil, arbitration, administrative or regulatory proceeding against any Insured commenced by … the filing of a notice of charge, investigative order or like document.”

 

The policy also specifies that all Claims “arising from the same Wrongful Act and all Interrelated Wrongful Acts shall be deemed to be first made on the earlier date that (1) any of the Claims is first made against an Insured under this Policy or any prior policy.”

 

The January 6 Decision 

In her January 6, 2015 order, Judge Zobel granted the insurer’s motion for summary judgment and denied the plaintiffs’ motion. In reaching this conclusion, Judge Zobel stated that:

 

The triggering events are all part of a single SEC Investigation under the Formal Order. Each subpoena was issued under, and referred to, the original Formal Order, and investigated the same officers and company for the same pattern of security violations through public misstatements. Under the clear language of the policy and on the record before the court, the subpoenas all constituted a single “Claim” under the policy.

 

Because, Judge Zobel said, the investigation and enforcement action, that is, “the Claim at issue,” was “‘first made’ before the policy period,” it is, “therefore, not covered under the policy.”

 

Discussion

It is interesting to me that this decision reaching the conclusion that the claim was first made when the first subpoenas were served in May 2011 omits the usual debate about whether or not a subpoena is a claim. That probably is because the company was looking for coverage for the defense fees incurred in connection with the January and March 2012 subpoenas, and so couldn’t really take the position that a subpoena is not a claim. Just the same, it is noteworthy that Judge Zobel seemed to accept that a subpoena is a claim, without the usual dispute over whether a subpoena is a “proceeding” or whether a subpoena can trigger coverage without an allegation of a Wrongful Act.

 

The more practical question here is why BioChemics sought coverage for the SEC investigation and enforcement action from the carrier that issued the November 2011-November 2012 policy, and not from the carrier whose policy was in force prior to November 2011. There is no way to tell from Judge Zobel’s opinion alone, but I am guessing that BioChemics did not give notice to the prior carrier of the May and September 2011 subpoenas, and only sought insurance coverage from any carrier once the January and March 2012 subpoenas were served. At some point, it must have occurred to BioChemics that it should have sought coverage from the prior carrier, but perhaps by then it was too late. UPDATE: An alert reader points out that Footnote 1 to Judge Zobel’s opinion may shed some additional light on this issue. Footnote 1 says “Claims are also pending in this action against plaintiffs’ insurance brokerage firm and an individual broker; they are not at issue at the current juncture.”

 

In any event, the important point here is that if a subpoena is a claim, then it is a claim for all purposes under the policy, including for purposes of determining the claims made date. The usual scenario is that an insured is seeking to establish that a subpoena is a claim in order to be able to establish coverage. Here, the fact that a subpoena is a claim, and that service of a subpoena establishes the claims made date, wound up precluding coverage for this policyholder.