Nir Kossovsky

In the following guest post, Nir Kossovsky examines the issue of corporate governance for reputational risk, through the lens of the recently settled Meta derivative suit. Nir is the CEO of Steel City Re. I would like to thank Nir for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Nir’s article.

***********************

Earlier this month, Meta Platforms (née Facebook) settled what was described in the press as an $8bn derivative lawsuit [1]. The case illustrates how directors are increasingly exposed to both first-party and third-party losses from failing to oversee an ever wider scope of executive activity. Recently published reputation risk governance guidelines may help mitigate these exposures.

One of the key allegations was that Facebook’s board breached its fiduciary duty of oversight because the company violated a 2012 consent order from the FTC relating to users’ data privacy. The FTC fined Facebook $5 billion in 2019 for giving data access to Cambridge Analytica, a relationship that shareholders emphasized in the lawsuit as posing a reputational risk over which Facebook’s oversight was allegedly not dutiful.

Through one lens, this is a case of an otherwise unremarkable failure to oversee compliance, which may imply managerial weaknesses in the legal department. A more interesting lens focuses on the reputational risks that were correctly anticipated and disclosed, but ultimately not effectively managed and, being allegedly mission critical to Facebook, not dutifully governed.

The Directors and Chief Risk Officers Risk Governance (DCRO) Institute has been following the creeping scope of board duties under Caremark since Marchand v. Barnhill. Because reputation is mission critical to most firms[2], the Institute concluded that boards needed to enhance their oversight of reputation risk management.

This past June, the Institute published its Guiding Principles for Reputation Risk Governance: Essential Principles for Boards of Directors, which comprises ten principles to help boards govern reputation risk explicitly and be better equipped to protect firms’ value.

Briefly, the ten principles fall into three general themes. The first four explicitly restate what reputation is, what its risk is, and who is accountable for it: reputation is (#1) a strategic asset and a material risk; (#2) a board oversight duty; (#3) underpinned by operations and culture, not merely messaging; and (#4) an enterprise-wide phenomenon.

Moving beyond legacy communications-centric concepts, the next three principles declare that reputation risk oversight must be (#5) aligned with a company’s purpose and priorities while staying alert to stakeholder expectations and broader political, legal and regulatory matters; (#6) informed by a forward-looking intelligence system integrating issues and financial risks; and (#7) sensitive to the accelerating intersection of cyber threats, artificial intelligence, and digital influence. 

The last three principles are personal. Helping board members implement them is an increasingly important service for those responsible for assuring that board members, as elected fiduciaries, can carry out their duties free from intimidation and threats.

Board members working together (#8) can help build resilient reputations through foresight, preparation, and disciplined execution. Interpersonal dynamics, however, are not without challenges. Last year, PwC’s annual board survey revealed that 25% of sitting board members wanted two or more of their peers replaced, a high-water mark.

Board members individually face personal risks. These risks include third-party liability, first-party culpability[3], public humiliation[4], and forward-looking losses from personal reputational damage after “removal.” In the Meta Platforms case, according to the complaint, “the litany of directors forced out include Defendants Koum, Hastings, Desmond-Hellmann, Bowles, Chenault, and Zients.”[5]

The penultimate principle (#9) notes that these personal risks are only partially mitigated by D&O liability insurance, and that going forward board members should also consider first-party reputation insurance.

The final principle (#10) acknowledges that reputation risk is typically laden with emotions, among stakeholders as well as board members. Directors must exhibit emotional intelligence, self-awareness, and clarity when facing stakeholders who feel betrayed, believe trust is being broken, or find their expectations unmet or unmanaged, because those reactions lead to “stakeholders reassessing their relationship with the enterprise in ways that change their behaviors resulting in reduced revenue, increased costs, or eroded long-term value[6]—the sine qua non of a reputation crisis.”

[1] Second Amended and Consolidated Verified Stockholder Derivative Complaint. In Re Facebook Inc. Derivative Litigation. Consolidated. C.A. No. 2018-0307-JRS. November 4, 2021.

[2] https://ilr.law.uiowa.edu/people/leo-e-strine-jr

[3] Second Amended and Consolidated Verified Stockholder Derivative Complaint, ibid., p. 235.

[4] https://www.agendanews.com/c/4779584/644434

[5] Second Amended and Consolidated Verified Stockholder Derivative Complaint, ibid., p. 5.

[6] DCRO Institute Reputation Risk Governance Council. Guiding Principles for Reputation Risk Governance: Essential Principles for Boards of Directors. DCRO Institute, June 2025. p. 9.