An exclusion sometimes found in D&O insurance policies precludes coverage for claims made by shareholders who have a specified percentage of ownership in the insured company. This type of exclusion is called a Major Shareholder Exclusion (or, sometimes, the Principal Shareholder Exclusion). An interesting May 6, 2015 decision (here) by the Supreme Court of Victoria (Melbourne) addressed the question of the relevant point in time for determining the ownership percentage: at the time the claim is made, or at the time the wrongful acts allegedly took place? The considerations discussed in the decision raise a number of issues about this type of exclusion. A May 15, 2015 memo from the Allens law firm about the decision can be found here.

Background

Effective June 20, 2008, Oxiana acquired all of the outstanding shares of Zinifex. Following the transaction, Oxiana was renamed OZ Minerals Ltd. (“OZ Minerals”) and Zinifex was renamed Oz Minerals Holdings Ltd. (“OZ Holdings”).

In February 2014, an OZ Minerals shareholder filed a representative action in the Federal Court of Australia against OZ Minerals alleging that there were misrepresentations in the merger transaction documents. OZ Minerals in turn filed a separate contribution proceeding against OZ Holdings and certain of its former directors and officers.

Prior to the merger transaction, OZ Holdings (then Zinifex) had a directors and officers liability insurance policy in place with a policy period from March 31, 2008 to March 31, 2009. In connection with the merger transaction, OZ Holdings purchased a discovery period endorsement which extended the policy’s expiration date to June 20, 2015. A run-off exclusion was also added to the policy at the same time providing that the insurer was not liable for any claim with respect to a wrongful act committed after June 20, 2008 (the date of the merger transaction).

The defendants in the contribution action submitted the claim to the D&O insurer. The D&O insurer denied coverage for the claim in reliance on the policy’s major shareholder exclusion. OZ Holdings commenced an action in the Supreme Court of Victoria (Melbourne) seeking a judicial declaration that the insurer is obliged to indemnify them against liability arising from the contribution claim.

The policy’s Major Shareholder and Board Position Exclusion provided that:

The Insurer shall not be liable to make any payment under this policy in connection with any Claim brought by any past or present shareholder or stockholder who had or has:

  • Direct or indirect ownership of or control over 15% [or] more of the voting shares or rights of the Company or of any Subsidiary, and
  • A representative individual or individuals holding a board position(s) with the company.

The parties agreed that neither of the two conditions was met before June 20, 2008. The parties agreed that the first condition was met at the time the claim was made (since OZ Minerals acquired all of OZ Holdings’ shares in the merger transaction). The parties disputed whether the second condition was met at the time the claim was made, but the Court concluded that the second condition had been met at the time the claim was made as well.

The crux of the parties’ dispute was their disagreement about the point or points in time at which a claimant is to be assessed against the conditions in the exclusion clause. The declaratory judgment action plaintiffs contended that the exclusion was only intended to apply to exclude coverage for claims brought by claimants who satisfied the conditions at the time of the wrongful acts that gave rise to the contribution claim (that is, before June 20, 2008). The insurer argued that the words in the exclusion disclose an intention that it should operate at both the time of the alleged wrongful acts and the time the contribution claims were brought, so that coverage would be precluded for shareholders holding the specified share percentage either at the time of the wrongful act or at the time of the claim.

The May 6 Ruling

In its May 6, 2015 opinion, the Court agreed with the insurer’s interpretation, holding that the exclusion applied if the two conditions were met either at the time of the wrongful acts or at the time the claim was made. The court said that the insurer’s interpretation was “grammatical” and “accords with the structure of the policy.”

An important part of the Court’s analysis was its consideration of the insurer’s rationale for its interpretation of the exclusion (what the Court called the “commercial rationale”). The insurer had argued that an insurer could reasonably seek to protect itself from a claim that might be the result of collaboration between a claimant major shareholder and the defendant company, or that could involve the misuse of confidential company information to the claimant’s advantage. The insurer also contended that an insurer could reasonably seek to preclude coverage for a claim brought by a shareholder who might have been in a position to influence the company’s operations at the time the wrongful acts occurred. The Court said “the suggested commercial rationale is objectively reasonable.”

Discussion

There are several kinds of exclusions that can be found in D&O insurance policies precluding coverage for claims brought by certain claimants. For example, a standard D&O policy exclusion precludes coverage for claims brought by one insured against another insured. Some policies (typically those issued to banking institutions) preclude coverage for claims brought by regulators (the so-called regulatory exclusion). The major shareholder exclusion at issue in this case is another type of exclusion precluding coverage for claims asserted by a specified type of claimant.

This case illustrates the fundamental problem with the inclusion of a major shareholder exclusion on a D&O insurance policy. It can wind up precluding coverage for the very type of claim for which the insurance policy was designed. OZ Minerals had filed the contribution claim against OZ Holdings and its former directors and officers because OZ Minerals itself had been sued in a shareholder misrepresentation claim. The contribution claim in turn sought to hold the defendants in that action liable for their alleged responsibility for the misrepresentations alleged in the shareholder claim. Those are the very types of claims and allegations against which policyholders purchase D&O insurance to protect themselves.

The insurer in this case would no doubt justify the exclusion and its preclusive effect by the fact that OZ Holdings is suing its own 100%-owned subsidiary for contribution – a claim, the insurer might argue, that makes sense only as a mission by OZ Minerals to get access to OZ Holdings’ insurance policy. However, the exclusion at issue here precluded coverage not just for the claim against OZ Holdings but also for the claim against the former directors and officers – that’s what I mean about the exclusion precluding the very type of claim for which these insurance policies are purchased.

From the policyholder’s perspective, the preferred approach is to have the major shareholder exclusion removed. However, obtaining a policy without a major shareholder exclusion is not always an option. If the exclusion’s removal is not available, there are a variety of ways the exclusion’s preclusive effect might be limited. For example, the ownership percentage could be increased to a higher level (although that would not have made a difference here, as OZ Holdings owned 100% of OZ Minerals).

In addition, the exclusion’s operation could be made subject to additional conditions, as was the case with the exclusion at issue here. Many major shareholder exclusions are conditioned only on a requirement that the claimant have a specified ownership percentage. Here, the exclusion was also conditioned on the requirement that the major shareholder have board representation.

Another way the impact of the exclusion can be limited is by narrowing the point or points in time at which the conditions can be met. The court here determined that the exclusion at issue was meant to address both past and present shareholders, and so found that the conditions could be satisfied if the shareholder had the specified ownership percentage either at the time of the Wrongful Act or at the time the claim was made. More typically, the major shareholder exclusion’s preclusive effect is addressed to ownership only at the time the claim is made. Typically, a major shareholder exclusion will not (as the exclusion here did) refer to past shareholders — although there are some standard versions of the exclusion out there in the marketplace that preclude coverage for both present and past shareholders owning the requisite percentage. Narrowing the exclusion’s wording so that it applies only to shareholders that have the requisite ownership percentage at the time the claim is made would at least eliminate the preclusion of coverage for claims by shareholders who had the requisite percentage of ownership prior to the claim but who no longer have that ownership percentage when the claim is made.

2015 ACI D&O Conference in New York: On September 17 and 18, 2015, the American Conference Institute will be holding its 19th Forum on D&O Liability in New York. This annual event features an all-star line-up of speakers and will be co-chaired by my friends, Diane Parker of AWAC and Doug Greene of the Lane Powell law firm. Readers of the D&O Diary are entitled to a $100 discount off registration if they mention discount code DOD100. Information about the event including registration instructions can be found here. The event brochure can be found here.

ICYMI: Earlier today I published a post discussing a recent Delaware Supreme Court decision addressing questions surrounding the liabilities of independent directors in the M&A context. Due to user error (meaning, I goofed) no emails went out about this post. In case you missed it, the post can be found here.

On May 14, 2015, in a landmark ruling with important implications for the potential liabilities of independent directors of companies involved in M&A transactions, the Delaware Supreme Court held that in order to state a claim for damages against directors of a company that has an exculpatory provision in its corporate charter, a plaintiff must plead non-exculpated claims against the directors, even if the company is involved in an interested transaction subject to “entire fairness” review. The Court’s opinion highlights the importance of the independent directors’ role and also underscores the importance of exculpatory charter provisions. The Court’s opinion in In re Cornerstone Therapeutics, Inc. can be found here.

Background

The Court’s ruling involved two different cases in which plaintiff shareholders had filed damages claims against the boards of companies where a controlling shareholder, that had board representation, was acquiring the remainder of the companies’ shares. In each case, the companies involved had formed a special committee of independent directors to review the transaction and to negotiate with the controlling shareholder. In each case, the companies’ minority shareholders had approved the transaction. Nevertheless, plaintiff shareholders filed lawsuits against the companies’ boards – including as defendants both the interested directors and the independent directors – alleging that the directors had breached their fiduciary duties by approving transactions that were unfair to the minority shareholders.

In both cases, the independent directors had moved to dismiss the claims against them. Their dismissal motions relied on the fact that each of the companies had an exculpatory clause in its corporate charter. (As discussed here, Delaware Corporations Code Section 102(b)(7) authorizes shareholders to include a clause in a corporation’s charter eliminating personal liability of a director to shareholders for monetary damages for breach of fiduciary duty, provided that such clause does not eliminate liability (1) for “any breach of the director’s duty of loyalty,” (2) “for acts or omissions not in good faith or which involve intentional misconduct or a knowing violation of law,” and (3) “for any transaction from which the director derived an improper personal benefit.”) The defendants argued that the plaintiffs had failed to plead non-exculpated allegations against them, and therefore that the claims against them should be dismissed.

The plaintiffs contended that because the share purchases represented interested transactions, the “entire fairness” standard of review applied. (As discussed here, the entire fairness standard is Delaware’s “most onerous standard,” which applies when the board “labors under actual conflict of interest.” When the standard applies, the defendants must establish that the transaction “was the product of both fair dealing and fair price.” The transaction must be “objectively fair, independent of the board’s beliefs.”) The plaintiffs argued that because interested parties were involved in the transactions, the possibility of conflict of interest justified a pleading-stage inference of disloyalty – not just as to the interested directors, but as to the independent directors as well.

In each case, the trial court judges, relying on prior Delaware Supreme Court case authority, agreed with the plaintiffs and denied the motions to dismiss. However, because they were troubled by the result (that is, that the independent directors had to remain as defendants in the case even though the plaintiffs had pled no non-exculpated misconduct against them), the trial court judges certified interlocutory appeals of the cases to the Delaware Supreme Court. The two cases were consolidated for purposes of the appeal.

The May 14 Decision

In a unanimous opinion written by Chief Justice Leo E. Strine, Jr., the Delaware Supreme Court reversed the lower court rulings and remanded the cases for further proceedings. The Court said that “even if a plaintiff has pled facts that, if true, would require the transaction to be subject to the entire fairness standard of review, and the interested parties to face a claim for breach of their duty of loyalty, the independent directors do not automatically have to remain defendants.” If the independent directors are “protected by an exculpatory charter provision and the plaintiffs are unable to plead a non-exculpated claim against them, those directors are entitled to have the claims against them dismissed.”

In reaching its decision, the Court examined the effect of the exculpatory provisions in the respective companies’ corporate charters. The Court said that “when a director is protected by an exculpatory charter provision, a plaintiff can survive a motion to dismiss by that director defendant by pleading facts supporting a rational inference that the director harbored self-interest adverse to the stockholders’ interests, acted to advance the self-interest of an interested party from whom they could not be presumed to act independently or acted in bad faith.” The mere fact that the plaintiff had pled facts sufficient to support the application of the entire fairness standard does not, by itself, relieve the plaintiff of the requirement to plead a non-exculpated claim against each independent director defendant.

In support of its decision, the Court noted, among other things, that a contrary ruling would “increase costs for disinterested directors, corporations and stockholders, without providing a corresponding benefit.” A contrary ruling would also “create incentives for independent directors to avoid serving as special committee members or to reject transactions solely because of their role in negotiating on behalf of shareholders.” The “fear” that directors who might face personal liability for “potentially value-maximizing business decisions” would be dissuaded from making those kinds of decisions is the reason that Section 102(b)(7) was adopted in the first place.

Discussion

The Court’s opinion underscores the importance of exculpatory charter provisions. The provisions not only provide substantial liability protection for corporate directors, but they also provide a form of protection that may be invoked at the initial pleading stage. They provide a way for directors who qualify for the provision’s protection to extricate themselves from liability lawsuits at the outset.

The Court’s opinion also highlights the importance of the independent directors’ role. The Court emphasized the ways in which disinterested directors can protect the interests of the corporation and of minority shareholders, even when the corporation is involved in a transaction with an interested party.

It is important to note that the protective effect of the Court’s ruling extends only to the independent directors. The defendants who were the interested parties to the transaction will remain in the case. If it is later established that the interested parties violated their fiduciary duties, they will be held liable to the minority shareholders. But where the plaintiffs have alleged no facts to suggest that independent directors had engaged in non-exculpated misconduct, the independent directors are entitled to have the claims against them dismissed – even where the plaintiffs have pled sufficient facts to require the application of the entire fairness standard.

The fact that the independent directors can be dismissed even when the entire fairness standard applies is significant. The entire fairness standard is, as the Court itself has said, “onerous.” The requirements to meet the standard are high. But even where the high standard applies, plaintiffs must still present allegations that each director defendant individually engaged in non-exculpated misconduct in order for the claims against that defendant to survive a motion to dismiss.

Francis Pileggi’s May 16, 2015 post on his Delaware Corporate & Commercial Litigation Blog about the Supreme Court’s ruling can be found here. Frank Reynolds’ May 15, 2015 Thomson Reuters article about the ruling can be found here.

Special thanks to a loyal reader for sending me a copy of the Delaware Supreme Court opinion.

ICYMI: Delaware Senate Passes Bill Barring Fee-Shifting Bylaws: On May 12, 2015, the Delaware Senate passed Senate Bill (S.B.) 75 (here) that would amend Delaware law to prohibit Delaware stock-based companies from adopting fee-shifting bylaws. The bill also expressly allows companies to adopt forum-selection clauses that establish Delaware as the exclusive venue for any shareholder litigation.

As readers will recall, as discussed here, in May 2014, the Delaware Supreme Court in the ATP Tour, Inc. v. Deutscher Tennis Bund case had upheld the validity of a corporate bylaw provision shifting fees to an unsuccessful litigant in shareholder litigation. The ruling proved to be highly controversial (as discussed, for example, here). Early efforts last year to address the ruling in the legislature ultimately were tabled, and in the interim the debate about fee-shifting bylaws has continued to rage. Now that the Senate has voted to approve the legislation banning fee-shifting bylaws for Delaware stock corporations, the legislation will move to the Delaware House for its consideration.

A May 13, 2015 memo from the Ballard Spahr law firm discussing the Delaware Senate’s action on the bill can be found here.

D&O Liabilities in China: The potential liabilities of corporate directors and officers are of course dependent on the requirements of applicable law. That means that corporate officials’ liability exposures can vary from state to state. There are even greater variations from country to country. In a global economy, questions about the potential liability of directors and officers in non-U.S. countries arise with increasing frequency. Given China’s huge and growing role in the global economy, questions about the potential liability of directors and officers under Chinese law are increasingly frequent.

For that reason, readers may be interested in reviewing this May 8, 2015 article entitled “D&O Liability Insurance: Legal Issues under PRC Law” (here) by Jia Hui of the DeHeng Law Offices. The article provides a good overview of the basic legal duties and liability exposures of directors and officers under Chinese law. As the article points out, in light of the various accounting scandals involving Chinese companies that have arisen, these considerations are increasingly important.

Among the many concerns arising in the current cybersecurity environment is the question of the security of data housed in “the Cloud.” In the following guest post, Paul Ferrillo and Jeffrey Osterman of the Weil, Gotshal & Manges law firm and Grady Summers, SVP, Cloud Analytics at Mandiant/FireEye, take a look at the questions businesses and their boards of directors should be asking before adopting a cloud-based strategy. The post also includes a cloud security checklist. A version of this article previously was published as a Weil client alert.

I would like to thank Paul, Jeffrey and Grady for their willingness to publish their article on my site. I welcome guest post submissions from responsible authors on topics of interest to readers of this blog. Please contact me directly if you would like to submit a guest post. Here is Paul, Jeffrey and Grady’s guest post.

***************************************

It is fitting that just over 40 years after Neil Armstrong walked on the moon and uttered some of the most famous words ever spoken, “one small step for [a] man, one giant leap for mankind,” NASA, along with cloud service provider Rackspace, jointly launched an open-source cloud-software initiative known as OpenStack. The OpenStack project is intended to help organizations manage cloud-computing resources running on standard hardware. The early code came from NASA’s Nebula platform as well as from Rackspace’s Cloud Files platform. Launched with the intent to provide consumers with a high tech, yet low-cost method to store vast amounts of data off premises in a safe and efficient manner, the cloud has transformed the way global enterprises do business.[i] Yet, despite the cloud’s increasing popularity, hardly a day goes by when industry professionals do not question the security of data kept in the cloud. According to Gilad Parann-Nissany, CEO and co-founder of cloud encryption company Porticor (recently acquired by Intuit):

In the cloud, data security poses new risks and challenges. We are no longer concerned just with burglars breaking into our offices to steal computers, but rather with the data belonging to complete systems deployed to the cloud…Instead, security in the cloud becomes not about protecting our hardware, but rather protecting the sensitive information regardless of its physical location. For this, burglar alarms are irrelevant and firewalls are only one part of the approach for security in the cloud.

A way to visualize the unique challenges of data security in the cloud is that where before we had brick walls and steel locks to keep us safe; we now must construct mathematical walls as barriers to our data.[ii]

As more and more businesses are considering moving some or all of their data storage needs to the cloud, here are three “50,000 foot” questions American businesses and boards of directors are asking themselves (or should be asking their IT security professionals) before adopting a cloud-based strategy:

  1. How can the board assure itself from a governance perspective that the cloud-based environment that it is being asked to approve is acceptably secure, as compared with the company’s previous on-site computer environment, and meets the security, privacy, and regulatory needs of my company?[iii]
  2. What visibility and ability does the company have if there is a cloud-based breach and its information is subject to exfiltration? Does the company have the ability to conduct incident response and remediation or is it totally at the mercy of the cloud service provider (CSP)?[iv]
  3. What is the “best” way to assure that the company’s cloud-based data is as secure as possible given what it knows about the CSP that it has chosen?

90% of All Organizations Have Security Concerns about the Cloud

A recent study noted that “an overwhelming majority of 90% of organizations are very or moderately concerned about public cloud security. Today security is the single biggest factor holding back faster adoption of cloud computing.”[v] The Cloud Security report notes that the top concerns are:

  1. General security concerns over the storage of data in the cloud;
  2. Data loss and leakage risks;
  3. Loss of control over security procedures applied day to day over the company’s data; and
  4. Lack of visibility to assure regulatory compliance.[vi]

How would these concerns potentially materialize? Our experience tells us that, to the extent attackers are targeting data in cloud-hosted environments, they’re doing it in distinctly old-fashioned ways. That is, despite concerns about the cloud being inherently insecure, attackers are using the same methods to compromise cloud resources as they have used for many years for on-site computer systems: the theft of employee credentials generally started via spear phishing attacks. Thus, we recommend that organizations approach cloud security like they would any other environment: by understanding their data and the threats against it, and ensuring that the environment is instrumented to prevent, detect, and respond to attacks. This can be hard, though, when IT security teams lack the necessary visibility to do their jobs.

This lack of visibility was illustrated in a recent Ponemon study entitled “The Cloud Multiplier Effect.” The study, based on a survey of 613 IT and security professionals, found that increasing use of cloud services can increase the probability of a $20 million data breach by as much as 3 times. It also revealed other key findings, including:

  • 36 percent of business-critical applications are housed in the cloud, yet IT isn’t aware of nearly half of them;
  • 66 percent of respondents believe that their organizations’ use of the cloud diminishes their ability to protect sensitive or confidential information; and
  • 72 percent of respondents don’t believe that their cloud service provider would notify them immediately if they had a data breach involving the loss or theft of their intellectual property or business confidential information.[vii]

Cloud-related breaches in 2014 included Dropbox, Google Drive, and the alleged Apple iCloud breach. More recently, SendGrid, the cloud email service, reported it had been hacked through a phishing scheme that compromised an employee’s account.[viii] Certainly these high-profile breaches, such as Dropbox (from which 7 million passwords were reportedly stolen) have left many questioning whether the cloud can be safely used to store sensitive data.

Types of Cloud Computing

We refer generally to “cloud computing,” but this can refer to anything from a hosted application to rented servers in a shared facility. It is helpful to recognize the three major categories of cloud computing:

  1. Infrastructure as a Service (IaaS): In this model, the CSP is responsible for basic IT resources (servers) and the networks on which they run. The customer is generally responsible for maintaining the operating systems and software necessary to run the applications, plus the data placed in the cloud environment. Thus, while the CSP is responsible for protecting the infrastructure itself, data security in an IaaS environment is generally the responsibility of the customer.
  2. Platform as a Service (PaaS): Here the CSP provides the infrastructure, the operating system, and a set of services that organizations use to build applications. These building blocks are invoked through Application Programming Interfaces (APIs) and might include services for storage, databases, data processing, machine learning, etc. The customer is responsible for application deployment, and responsibility for security is generally shared between the customer and the CSP.
  3. Software as a Service (SaaS): Here the CSP provides nearly everything, including the infrastructure and the software provided to the customer. Thus, security in a SaaS environment generally is the responsibility of the provider, and it is the customer’s role to ensure the CSP’s security processes meet the security and compliance requirements of the customer’s business.

Cloud Compliance, Security, and Visibility

As CSPs move “up the stack” to offer robust PaaS and SaaS services, they begin to shoulder more of the burden for securing their customers’ data. However, it will always be the responsibility of the customer to ensure that its constituents’ data is secure. Since a customer can’t always directly participate in securing this data, it must ensure that the service contract, together with any associated statement of work and/or service level agreement (SLA) provided by the CSP meets its needs. The parameters of these contractual arrangements will usually include information about service availability, incident response definitions and services, breach response notifications and timing, technical compliance and vulnerability management, and log management and forensic capabilities, together with an allocation of liability if these standards are not achieved.

While we have found that most large CSPs do an outstanding job of securing their environments – and dedicate tremendous resources to this task – all of the above categories of services must be described in generalities, meaning “here’s how they generally work.” The proof is really in the terms and conditions of the contractual commitments that the CSP agrees to make, and the sad fact is that many cloud service customers do not understand the value of substantive contracts with detailed terms relating to security.

Here are the most important issues to consider when contemplating a migration of important data to the cloud under an SLA:

  1. Breach and incident response – Cloud customers must understand how the CSP defines events of interest vs. security incidents, which events/incidents the CSP reports to the cloud customer, and in what way. Customers should understand when and how quickly they will be notified if the CSP suffers a breach, what information they will be given by the CSP to help analyze the incident, whether they will have the opportunity (given the SLA in place) to participate in the incident response process, and whether they will be given the opportunity to contact and interact with the CSP’s own incident response team.
  2. Where is the customer’s data going to be “stored”? This is probably one of the most important questions for a customer, both from a legal perspective (meaning under what circumstances can data be subpoenaed or accessed through a court request or judicial process) and a privacy perspective (meaning how must data, such as personally identifiable information, be stored and protected).
  3. Does the CSP itself adhere to any standardized security practice or protocol, like the NIST Cybersecurity Framework or ISO 27001? Does the CSP have FedRAMP certification or a certification under the Security, Trust and Assurance Registry (STAR) program?
  4. Does the customer have the ability to audit or independently assess the security provided by its CSP to make sure the provider is compliant with the various legal, industry, customer and regulatory requirements it may be subject to?
  5. What is the CSP’s patch management process in case a software or application vulnerability is discovered that could impact the security of the stored data?
  6. What sort of backup procedures does the CSP have in place if the customer’s data is lost, stolen or deleted?

Thinking About Making a Move to the Cloud? Cloud Security Checklist

There is no perfect checklist of how, when, and where to move data to a cloud-based environment. Some factors, such as cost, may make the decision easy, while on the other hand, the perceived lack of control over your data security or your compliance risks may make the decision harder. At the end of the day, it is your business judgement what sort of data you are comfortable moving to the cloud (you might be comfortable moving human resources, payroll, or other specific applications[ix]), and what sort of data you are not comfortable moving to the cloud (you might draw the line at PII or financial records and information). A separate book alone could be written on this sort of balancing act.

From a data security perspective, though, there are certain security measures that should be investigated by potential cloud customers before they make the decision to move their data to a cloud-based environment. This area is highly technical (and thus security professionals and cyber-governance and cybersecurity lawyers should also be consulted before making this decision), but we try below to boil down these measures into objectives for directors and officers to consider when asked to finally approve a move to the cloud:

  1. How is security built into the cloud architecture and applications and data that are going to be moved to the cloud-based environment? Is there a constant lifecycle of updates and vulnerability reviews given that the computing ecosystem is never static?
  2. What data am I putting in the cloud? Is it general company HR data, customer PII, financial records, or something else less sensitive?
  3. Will the data stored in the cloud be encrypted while at rest or only when it is in motion to and from the cloud? What sort of encryption is available at my CSP?
  4. How is suspicious activity monitored on the cloud? By the CSP only, or will the customer have visibility into security monitoring? Will cloud security be continuously monitored by the CSP?
  5. What degree of visibility does the CSP make available to the customer (audit logs and metadata recording administrative changes, account usage, system logs, etc.), and can this data be flexibly consumed into your own internal security monitoring systems?
  6. What sorts of intrusion detection systems are in place to detect threats to the cloud-based environment, such as malware threats, or suspicious network traffic?

So You Are Moving to the Cloud – Governance Issues Ultimately Rule the Day

This article is not meant to dissuade a company from considering using the cloud to increase efficiency in its businesses. On the contrary, our goal is to allow readers to engage in more informed discussions that will ultimately lead to a greater degree of comfort with both the decision to move to the cloud and the risk management tools, procedures, and contractual protections surrounding that move.

The cloud undoubtedly provides businesses with unique opportunities to manage their data not only in a cost-efficient manner, but also potentially in a manner which is just as safe and secure as on-site storage systems. The cloud is not, however, a binary solution to data management challenges. And there is little time to consider all the options. Whatever the path you choose, you should consider how things may look at the end of the day if your company is breached, and some constituency (i.e., a regulator, state AG, or investor) looks back to potentially criticize your decision to move to the cloud. Have your checklists answered, discuss the answers to your checklists with your IT staff and outside experts, and document your decisions that balance the business and efficiency needs of the company with the level of security and service being offered by your cloud service provider.

[i] See “The next generation of cloud computing,” available at http://www.pwc.com/en_US/us/increasing-it-effectiveness/assets/next-generation-cloud-computing.pdf (noting “Cloud computing is the fastest-growing trend in enterprise technology today – and for the foreseeable future. Forrester Research predicts the global cloud computing market will mushroom from $40.7 billion this year to $241 billion by 2020.”).

[ii] See “Cloud Computing Issues and Challenges,” available at http://www.porticor.com/2014/11/cloud-computing-security-issues-and-challenges/.

[iii] “Compliance (64%) was seen as the biggest cloud security challenge,” according to one recent report issued by CipherCloud. See “Compliance remains the key cloud security challenge, according to the CipherCloud report,” available at http://www.cloudcomputing-news.net/news/2015/mar/26/compliance-remains-key-cloud-security-challenge-according-ciphercloud-report/.

[iv] See “Majority of firms say they aren’t confident in responding to cloud-based data threats,” available at http://www.cloudcomputing-news.net/news/2015/apr/08/majority-firms-say-they-arent-confident-responding-cloud-based-data-threats/ (noting that 60% of the global respondents in a recent survey were not confident they had the ability to proactively respond to cloud-based data threats).

[v] See “Cloud Security Spotlight Report,” available at http://www.infosecbuddy.com/wp-content/uploads/2015/03/Cloud-Security-Spotlight-Report-2015.pdf (hereinafter, the Cloud Security Report).

[vi] Id.

[vii] See “The Cloud Multiplier Effect on Data Breaches,” available at https://blog.cloudsecurityalliance.org/2014/06/04/the-cloud-multiplier-effect-on-data-breaches/.

[viii] See “SendGrid admits hack, says all customers must reset their passwords,” available at http://venturebeat.com/2015/04/28/sendgrid-admits-hack-says-all-customers-must-reset-their-passwords/.

[ix] See “Navigating security in the cloud,” available at http://www.pwc.com/en_US/us/it-risk-security/assets/pwc-navigating-security-in-cloud.pdf.


In many cases, companies’ D&O insurance programs are structured in several layers, with one or more policies of excess insurance written on top of a primary layer. The excess insurance is often said to be written on a “follow form” basis, meaning that the primary policy’s terms govern the operation of the excess policies. However, even in programs that are intended to be “follow form,” the excess policies will sometimes have terms that cause them to operate differently, sometimes in unexpected and even undesirable ways. In addition, there are a number of other considerations to keep in mind when selecting the insurers to include in the excess layers.

In an interesting April 2014 article (here), Tom Bentz of the Holland & Knight law firm takes a look at the issues that can arise with excess D&O insurance. As Bentz correctly notes, “few excess D&O policies truly follow the terms and conditions of the primary D&O insurance policy.” Instead, the excess policies include various additional terms and conditions that “have the potential to significantly affect the overall protection” of the D&O insurance program.


In order to illustrate his point, Bentz identifies several of the kinds of excess insurance policy features that can be critical in the event of a claim.


First, Bentz refers to the excess D&O insurance policy provision that specifies when the excess insurance will “attach” – that is, what is required in order for the excess insurance to be triggered. In many instances, excess D&O insurance policies were written with a provision stating that the excess insurer’s liability for any loss will attach only after the insurers of the underlying policies have exhausted their limits in payment of loss. The problem with this language is that if, for example, the policyholder is in a dispute with one of the underlying carriers and reaches a compromise to accept less than the full amount of the underlying insurance, there is an uninsured gap.

As I have discussed in prior posts (for example, here), a number of courts have now held that even if the policyholder funds the gap, the underlying insurance was not exhausted by the insurers’ payment of loss, and accordingly the excess insurer’s obligations have not been triggered.


As Bentz notes in his article “to avoid this unfair result, insureds need to negotiate excess insurance policies so that they recognize payments made by the underlying insurers, the insureds, or other source.” Indeed, this kind of provision has now become fairly standard. But as noted below, these kinds of provisions will not address all of the kinds of gaps that can arise and create questions as to whether the excess insurers’ policies have been triggered.


Another excess D&O insurance policy term that Bentz discusses in his article is the provision found in some policies requiring disputes between the insured and the insurer to be resolved by arbitration. This can be a problem if the separate excess policies in the different layers of insurance have separate arbitration provisions. It is possible that different policies could require that the arbitration take place in different geographic locations, using different arbitration processes and applying different jurisdictions’ laws. As Bentz notes, “the type of inconsistency could force an insured to fight multiple battles on multiple fronts with potentially inconsistent results.” Bentz suggests first attempting to have all of the arbitration provisions removed. If that is not possible, he suggests that “an insured should seek to have all of the insurers agree to one arbitration method with only one choice of law provision and one required venue to resolve any potential coverage disputes.”

In addition to the items that Bentz identified in his article, there are several additional considerations that should be kept in mind with respect to excess D&O insurance.


The first is the excess carrier’s financial strength. All too often, excess D&O insurance is viewed as generic and fungible. However, the ability of any given excess D&O insurer to pay claims when the time comes should not be overlooked. It doesn’t happen often, but carriers do become insolvent, and when that happens, it makes a big mess. There are still cases working their way through the system because of the insolvency in the early 2000s of Reliance National and The Home. When a carrier in an insurance program is insolvent and unable to pay a claim, it not only creates an uninsured liability exposure, but it also creates the kind of “gap” that avoids coverage for any carriers that were above the insolvent insurer in the insurance tower.

For example, as discussed here, in June 2013, the Second Circuit held in the Commodore International case that excess D&O insurance is not triggered even if losses exceed the amount of the underlying insurance, where the underlying amounts have not been paid due to the insolvency of underlying insurers. (Commodore had both Reliance and The Home in its insurance tower.)


It is important to think about the problems that can arise from this type of insolvency gap. This is not an issue that can be “fixed” with the type of wording cited above, which provides that the excess D&O insurance will be triggered if the underlying amount is paid by the underlying insurer, the insured, or any other source. When the underlying insurer is insolvent, there is just an underlying uninsured gap. The excess carriers will take the position that they have no obligation to “drop down” to take the place of the underlying carrier or to attach at the underlying carrier’s attachment point. For that reason, the financial stability of all of the carriers in the insurance program should be an important consideration. In particular, excess D&O insurance should not be viewed as generic and fungible. The excess carrier’s financial ability to honor its payment obligations is an important and potentially differentiating consideration.

It is also important to keep in mind that in the event of a significant D&O claim, the excess D&O insurer(s) may be directly involved in the claims resolution. The excess carriers’ responsiveness and claims handling capabilities could well affect whether or not a claim is resolved expeditiously. The claims handling capabilities of the primary D&O carriers are often considered and discussed, as they should be, because the primary carrier will take the lead in handling any claims that will arise. However, because of the role that excess insurers can play in the resolution of claims, the excess insurers’ claims handling experience and reputation should be kept in mind as well.


There is one final thing that should be considered with respect to the excess insurers. It is often a good idea to try to include in the lineup of carriers on a D&O insurance program excess insurers who might be willing to move into the primary position in subsequent years, if the primary carrier were to change its appetite for the risk or seek to get off the account. It is simply a good idea to have an excess insurer in reserve to take the primary position if the need should arise.

Another set of issues to keep in mind with respect to excess D&O insurance are the considerations involved in deciding how the excess insurance should be layered and structured, as I discussed in an earlier post, here.

In a detailed May 4, 2015 opinion (here), Vice Chancellor Travis Laster of the Delaware Chancery Court extensively reviewed the rights of an insolvent company’s creditors to pursue derivative claims against the company’s directors. As Francis Pileggi put it in a May 6, 2015 post on his Delaware Corporate and Commercial Litigation blog (here), Laster’s opinion in Quadrant Structured Products Company, Ltd. v. Vincent Vertin et al. is “destined to be cited as a seminal ruling for its historical and doctrinal analysis of important principles of Delaware corporate law.”

Background

Prior to the credit crisis, Athilon Capital Corp. guaranteed credit default swaps that one of its subsidiaries wrote on senior tranches of collateralized debt obligations. To fund its operations, Athilon raised debt financing by issuing various notes. Athilon suffered significant losses during the financial crisis. In the wake of these events, one of Athilon’s debt holders (EBF) acquired all of Athilon’s outstanding equity securities. As the company’s sole stockholder, EBF reconstituted the board, after which it made a number of moves to address Athilon’s financial situation.


In October 2011, Quadrant Structured Products Company, another of Athilon’s noteholders, filed a derivative lawsuit in Delaware Chancery Court against Athilon’s board. Quadrant contended that the directors’ actions, which Quadrant alleged were made to benefit EBF and to the detriment of the company, breached their fiduciary duties. Quadrant argued that under Delaware law, it had the right as a creditor to assert a derivative claim against the Athilon directors because the company was insolvent. In an earlier post (here), I discussed Vice Chancellor Laster’s October 2014 ruling in the Quadrant lawsuit, in which Laster denied in part the defendants’ motion to dismiss.

Following the motion to dismiss denial, Athilon made a number of additional financial moves that the defendants contend returned the company to solvency. The defendants then moved for summary judgment. The defendants argued that for a creditor to have standing to maintain a derivative action, the corporation on whose behalf the creditor sues must be insolvent at the time of the suit and continuously thereafter. The defendants argued that whether or not Athilon was insolvent at the time Quadrant filed suit, Athilon’s current balance sheet shows that it is now solvent, and therefore that Quadrant no longer had standing to pursue the derivative lawsuit.


The May 4 Ruling

In his May 4, 2015 opinion, Vice Chancellor Laster denied the defendants’ motion for summary judgment. He said that the question of whether or not Delaware imposes a continuous insolvency requirement in order for creditors to have standing to assert a derivative claim is a “question of first impression.” In his ruling, he rejected “the defendants’ attempt to impose a continuous insolvency requirement for creditor derivative claims.”


He said that “to bring a derivative action, a creditor-plaintiff must plead and later prove that the corporation was insolvent at the time the suit was filed.” Because he found that Quadrant had introduced sufficient material to support a reasonable inference that Athilon was insolvent at the time Quadrant filed suit, he denied the defendants’ motion for summary judgment.

In making these determinations, Laster broadly surveyed the legal principles underpinning derivative litigation in Delaware, including the rights of creditors to assert derivative claims under some circumstances. He reduced the various principles pertaining to these issues to a succinct bullet point list:


  • There is no legally recognized “zone of insolvency” with implications for fiduciary duty claims. The only transition point that affects fiduciary duty analysis is insolvency itself.
  • Regardless of whether a corporation is solvent or insolvent, creditors cannot bring direct claims for breach of fiduciary duty. After a corporation becomes insolvent, creditors gain standing to assert claims derivatively for breach of fiduciary duty.
  • The directors of an insolvent firm do not owe any particular duties to creditors. They continue to owe fiduciary duties to the corporation for the benefit of all of its residual claimants, a category which now includes creditors. They do not have a duty to shut down the insolvent firm and marshal its assets for distribution to creditors, although they may make a business judgment that this is indeed the best route to maximize the firm’s value.
  • Directors can, as a matter of business judgment, favor certain non-insider creditors over others of similar priority without breaching their fiduciary duties.
  • Delaware does not recognize the theory of “deepening insolvency.” Directors cannot be held liable for continuing to operate an insolvent entity in the good faith belief that they may achieve profitability, even if their decisions ultimately lead to greater losses for creditors.
  • When directors of an insolvent corporation make decisions that increase or decrease the value of the firm as a whole and affect providers of capital differently only due to their relative priority in the capital stack, directors do not face a conflict of interest simply because they own common stock or owe duties to large common stockholders. Just as in a solvent corporation, common stock ownership standing alone does not give rise to a conflict of interest. The business judgment rule protects decisions that affect participants in the capital structure in accordance with the priority of their claims.

In summarizing his ruling on the issues raised in the defendants’ summary judgment motion, Laster said “in my view … to maintain standing to sue derivatively, a creditor must establish that the corporation was insolvent at the time the creditor filed suit. The creditor need not demonstrate that the corporation continued to be insolvent until the date of judgment.” Laster then added a note of modesty, with his observation that “to state the obvious, this is the opinion of one trial judge. The Delaware Supreme Court may well disagree.”


By contrast to Delaware law, courts applying Pennsylvania law have applied the “deepening insolvency” theory to hold that directors of a company in the zone of insolvency have duties for which the company’s creditors may seek to hold them liable. For a recent post discussing a decision in which the Third Circuit applied these principles in holding the directors of a nonprofit entity liable, refer here.

As part of its conduct of foreign affairs and of its national security program, the U.S. government has instituted a series of economic and trade sanctions against a number of countries and a long list of designated individuals. The various sanctions programs are administered by the Office of Foreign Assets Control (OFAC) within the U.S. Department of the Treasury. The sanctions programs OFAC administers include broad trade embargoes of Iran, North Korea, Sudan, Syria, Crimea and Cuba.

As part of its enforcement power, OFAC has authority to file civil liability actions. In collaboration with the U.S. Department of Justice, OFAC can also pursue criminal actions. OFAC’s exercise of its enforcement authority has recently resulted in a number of high profile penalties and settlements. These settlements have a number of significant implications, and, among other things, may raise concerns about the possibility of D&O insurance coverage for the companies involved.


Since 2008, OFAC has filed nearly 250 civil enforcement actions that have resulted in penalties or settlements. The aggregate amount of the enforcement action penalties and settlements during that period is over $3.8 billion. In 2014, the agency’s enforcement actions resulted in penalties and settlements of over $1.2 billion, the agency’s highest annual total.


Two recent enforcement actions illustrate the nature and scope of the government’s sanctions enforcement efforts.


On March 25, 2015, the U.S. Department of Justice announced that a subsidiary of Schlumberger Ltd. had entered a guilty plea and agreed to pay a $232.7 million penalty for conspiring to violate sanction programs by “willfully facilitating transactions and engaging in trade with Iran and Sudan.” Under the plea agreement, the subsidiary agreed to submit to a three-year probationary period during which it would agree to various types of government supervision. The DoJ’s March 25, 2015 press release can be found here.


The $232.7 million penalty includes a $77.5 million criminal forfeiture and a $155 million criminal fine. According to a March 26, 2015 FCPA Blog post (here), the fine is the largest ever criminal fine in connection with a prosecution under the International Emergency Economic Powers Act.

In the Schlumberger action, the government alleged that between 2004 and 2010, a business unit of the subsidiary provided oilfield services to customers in Iran and Sudan. The government also alleged that while the subsidiary had policies and procedures to ensure that it did not violate U.S. sanctions, it failed to train its personnel to ensure that they complied with the sanctions requirements. As a result, the company approved capital expenditure requests from Iran and Sudan, made business decisions specifically concerning Iran and Sudan, and provided technical service and expertise in connection with drilling projects in Iran and Sudan.


In a separate sanctions-related enforcement action, on March 25, 2015, OFAC announced that PayPal, Inc. had agreed to pay the agency $7.65 million to settle the company’s potential civil liability for processing 486 transactions totaling $43,934 in alleged violation of U.S. sanctions programs. Specifically, the company was alleged to have failed to ensure that its payment processing operations blocked prohibited transactions with sanctioned countries (including Iran, Sudan and Cuba) and sanctions-designated individuals. The company was also alleged to have processed 136 transactions for a PayPal account registered to Kursad Zafar Cire, an individual designated under a sanctions program relating to “Weapons of Mass Destruction Proliferators and Their Supporters.” The agency’s March 25, 2015 press release regarding the PayPal settlement can be found here. The FCPA Blog’s March 27, 2015 post about the settlement can be found here.

The types of fines and penalties entered in these sanctions enforcement actions would not be covered by D&O insurance, as the typical D&O insurance policy definition of Loss covered under the policy expressly provides that Loss does not include fines, penalties and matters deemed uninsurable under applicable law.


However, as discussed in a May 8, 2015 post on the Orrick law firm’s Policyholder Insider blog (here), there may be coverage for the costs incurred in connection with the investigation that precedes the settlement or penalty. As the blog post puts it, “companies forced to incur costs responding to and defending against these investigations should closely inspect their D&O policies to determine whether they provide coverage.”


Depending on the specific nature of the sanctions enforcement investigation involved, the government’s investigation may constitute a “Claim” triggering the policy’s coverage. However, it should be noted that public company D&O insurance policies provide entity or company coverage only for “Securities Claims.” In most circumstances, a sanctions violation investigation or enforcement action would not meet the policy’s definition of a Securities Claim. Many carriers would likely take the position that because a sanctions violation investigation or enforcement action does not meet the definition of a “Securities Claim,” there is no coverage under the policy’s entity coverage for the investigation or enforcement action.

As the blog post also notes, even if there is no formal proceeding and no subpoenas have been issued, the “Pre-Claim Inquiry” costs coverage found in many of the more up-to-date D&O insurance policies could be triggered. This policy feature provides coverage for costs associated with interviews and responses to document requests from an “Enforcement Body,” as defined in the policy. The scope of the coverage available will of course depend both on the nature of the governmental inquiries and the specific policy wording involved. However, it should be noted that this coverage is typically available only to Insured Persons – that is, individual directors and officers. It is typically not available to the corporate entity itself.

Because there may be possibilities to find at least some coverage under the D&O insurance policy, the law firm blog post suggests, “policyholders should not assume that simply because the fines imposed for failure to adhere to economic sanctions would not be covered, other associated costs incurred by the company in connection with the OFAC investigations also are not.” As the blog post concludes, it always pays to think carefully about coverage and to read the policy carefully.


In addition to possible coverage for sanctions-related investigative costs, the D&O insurance could also become relevant in the event of a follow-on civil lawsuit asserting claims against company officials in connection with a sanctions investigation and penalty. As noted in an earlier post (here), there are examples of shareholders filing derivative lawsuits against company officials after the company has paid a sanctions-related penalty or settlement. The earlier post described a shareholder derivative lawsuit filed against the board of J.P. Morgan Chase after the company reached an $88.3 million settlement with OFAC. The company’s D&O insurance could be called upon to fund the defense of a claim of this type. In addition, the D&O insurance potentially could fund a settlement of the lawsuit as well, although, as I noted in my earlier post, there are some potentially interesting questions about the possibility of insurance funding the settlement of this type of claim.

On a different but somewhat related topic, in an earlier post (here) I examined the personal liability of corporate officials under U.S. import laws.


Petrobras Scandal Roils Brazilian D&O Market: According to a May 6, 2015 article in Global Insurance Intelligence (here), the Petrobras scandal (discussed in a prior post, here) is “forcing the insurance industry in Brazil to rethink how it supplies directors and officers liability insurance (D&O) cover amid fears that loss ratios [will] rise.”

In the wake of the Petrobras scandal, demand for D&O insurance is soaring as buyers become aware of the need for the product. At the same time, a debate has emerged on the question whether the policy should protect those who have admitted to bribery, or even those merely accused of bribery. At a minimum, loss ratios are sure to rise as the costs associated with the scandal spill through the insurance market. So, the article concludes, “the future of D&O in Brazil looks turbulent. Demand will increase, yet higher loss ratios could also become the norm. Insurers and reinsurers alike will need to tread carefully to balance these two factors.”

By now, everyone knows that the Internet can be a dangerous place. But while just about everyone knows about the pervasiveness of Internet scams, many users still fall prey to the tricksters’ latest ploys. In this guest post, Paul Ferrillo and Randi Singer of the Weil, Gotshal & Manges law firm take a look at the latest scams and how they succeed. They also discuss the steps that companies can take to try to protect themselves from these kinds of things. A version of this article previously was published as a Weil client alert.

I would like to thank Paul and Randi for their willingness to publish their article on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul and Randi’s guest post.


****************************************


It seems that just like in old times (in cyberspace that means last year) the existence of “snake-oil” salesmen[i] on the Internet is getting worse, not better. Rather than selling something medicinal or at the very least useful, these snake-oil salesmen of today have one intent only: to steal your personal information or, worse, to distribute malware to your computer. One recent report issued by Symantec in April 2015[ii] details scores of scams, all designed to steal your personal information and potentially ruin your computer (and others’ as well). We detail them not out of morbid curiosity about the utter gall of the snake-oil salesmen, but to hopefully inform and prevent the inadvertent “click on the link” circumstances which you and your company would rather avoid. We also point to other recently issued reports noting that other scams like phishing and spear phishing continue to be a bothersome and dangerous component of company emails.[iii] At the end of the day, as we discussed in our last article,[iv] continuous employee training and awareness of these sorts of scams is truly a strong part of the Holy Grail of Cybersecurity, along with certain network hardware components that can help stop “bad” emails before they get to your employees’ desktops.

Social Media Scams

“Where attacks of yesteryear might have involved a foreign prince and promises of riches through shady exchanges of currency, … today’s phishers scan social media for birthdays, job titles and anything else that can be used to create the appearance an email request is coming from a legitimate source.”[v] As the Symantec Report points out, a lot of these email scams and offers are now generated through the explosive growth of social media sites such as Facebook, Twitter, and Pinterest. Here are some of them:

  • Manual Sharing – These rely on victims to actually do the work of sharing the scam by presenting them with intriguing videos, fake offers, or messages that they can then share with their friends;[vi]
  • Fake Offerings – These scams invite social network users to join fake events or groups with incentives such as free gift cards. Joining often requires the users to share credentials with the attacker or send a text message to a premium rate number;[vii]
  • Likejacking – Using fake “Like” buttons, attackers trick users into clicking website buttons that install malware and may post updates on a user’s newsfeed, thereby spreading the attack;
  • Fake Applications – Users are invited to subscribe to an application that appears to be integrated for use with a social network, but is not as described and may be used to steal credentials or harvest other personal data; and
  • Affiliate programs – When you click on the link, these might allow you to get a free smartphone, airline ticket, or gift card. Caveat emptor: Nothing in life is free, especially when malware is attached thereto.

Phishing Attacks – Email Scams – Email Hijacking

We have talked in the past about the prevalence of phishing or spear phishing attacks against U.S. public companies. As noted in the recently issued 2015 Verizon Data Breach Investigation Report,[viii]

Social engineering has a long and rich tradition outside of computer/network security, and the act of tricking an end user via e-mail has been around since AOL installation CDs were in vogue…

The first “phishing” campaigns typically involved an e-mail that appeared to be coming from a bank convincing users they needed to change their passwords or provide some piece of information, like, NOW. A fake web page and users’ willingness to fix the nonexistent problem led to account takeovers and fraudulent transactions.[ix]

Phishing campaigns have evolved in recent years to incorporate installation of malware as the second stage of the attack. Lessons not learned from the silly pranks of yesteryear and the all-but-mandatory requirement to have e-mail services open for all users has made phishing a favorite tactic of state-sponsored threat actors and criminal organizations, all with the intent to gain an initial foothold into a network.

Some of the statistics set forth in the Verizon Report are cause for concern:

  • 23% of recipients now open phishing messages and 11% click on the links;
  • 50% of the recipients open emails and click on the links within the first hour;
  • The median time to first click on the link: one minute, 22 seconds!![x]

How Do You Stop Malicious Social Media/Spear Phishing/Email Campaigns?

Obviously there are no good answers to these questions, especially in an era when the bad guys are sending such socially engineered emails that they look like they could come from your husband, wife, son, or daughter. They are that good. But here are some points to consider:

  1. Anti-phishing training: As we noted in our previous article, many argue that the weakest link in cybersecurity is the person who is sitting in the chair in front of his or her computer. As such, we strongly advocate a consistent training program, as provided by various organizations,[xi] which can provide tailored solutions to your employee base, or specific sections of your employee base (like your IT department or your finance department), to help them change their behavior and discern between “good” emails and potential “really, really bad” emails which may contain malware packages just waiting to go off when someone opens the email or clicks on the link. Choose a program which can provide metrics and reports to either your compliance or IT security department, which might point out areas of risk such as divisions, departments, or employees who need further training.
  2. Increase user training and advise workers on safe practices when using Facebook, Twitter, Snapchat, and other online services: Simply put, there are bad actors out there who will attempt to lure your employees into doing things or sharing information which may, at its core, contain or share malicious code with others. Adopt policies and procedures to educate your employees on social media website scams, which may include limiting use of such sites to their own devices. “It is key that all staff receive security awareness training covering your acceptable usage policy for social networking. Promoting good practice and improving user behavior are the best methods of reducing the risks from this form of communication.”[xii]
  3. Employ DMARC-Based Technology: Many companies have chosen to employ a technology-based solution founded on DMARC, or “Domain-based Message Authentication, Reporting & Conformance.”[xiii] “DMARC is an Internet protocol specification that … provides visibility into email flows, and can tell receiving servers to delete spoofed messages immediately upon receipt, thus ensuring that only legitimate emails are delivered to inboxes.”[xiv] DMARC allows a company to publish which mail senders are “approved” to send email in its domain’s name, so that receiving servers can separate those senders from ones attempting to spoof or clone the domain name in order to send your employees malicious emails.
  4. Sandboxing: Deploy a solution that checks the safety of an emailed link when a user clicks on it. The appliance[xv] examines the link-bearing email, compares it against known malicious email threats and URLs, and then “quarantines” suspect messages while anti-spam and anti-virus threat engines check whether those emails exhibit “bad” characteristics. These solutions can be used both “on premises” and where your email is handled by cloud mailboxes.[xvi] It is better to check and stop the email before it gets to an employee’s desk, where it could be inadvertently opened and spread malware to your network. Beware that not all sandboxing technology works the same, and it may not be 100% effective against all threat vectors, especially as bad actors get more and more sophisticated in masking their attacks.
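To make point 3 concrete, here is a small Python illustration of the decision a receiving mail server makes once a domain owner has published a DMARC record. This is example code added for this post’s topic; it is not code from the article, from dmarc.org, or from any vendor named above. It assumes constructed DNS records for the placeholder domains example.com and legacy-bank.example (kept in an in-memory table so it runs offline), simplifies the “organizational domain” rule to the last two labels (real receivers consult the Public Suffix List), and ignores the pct= and sp= tags.

```python
# Added example (not from the original article): a minimal DMARC policy
# evaluator, showing what a receiving mail server does with the
# "Domain-based Message Authentication, Reporting & Conformance" record
# that a domain owner publishes in DNS. The DNS lookup is replaced by a
# constructed in-memory table so the script runs offline.

VALID_POLICIES = ("none", "quarantine", "reject")

# Constructed sample records, keyed as they would appear at _dmarc.<domain>.
# Both domains are placeholders invented for this example.
SAMPLE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com",
    "_dmarc.legacy-bank.example": "v=DMARC1; p=none; rua=mailto:postmaster@legacy-bank.example",
}


def parse_dmarc_record(txt):
    """Split 'v=DMARC1; p=reject; ...' into a tag dict and validate the required tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed DMARC tag: %r" % part)
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: v=DMARC1 tag missing or wrong")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("DMARC record needs p=none|quarantine|reject")
    # Alignment modes default to relaxed ('r') when the tags are absent.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain):
    """Simplified organizational domain: the last two labels.
    Assumption for this example; real receivers use the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(authenticated_domain, header_from_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts a shared organizational domain."""
    a, h = authenticated_domain.lower(), header_from_domain.lower()
    if mode == "s":
        return a == h
    return organizational_domain(a) == organizational_domain(h)


def lookup_dmarc(domain, dns=SAMPLE_DNS):
    """Return the parsed DMARC record for the visible From: domain, or None if none is published."""
    txt = dns.get("_dmarc." + domain.lower())
    return parse_dmarc_record(txt) if txt else None


def dmarc_disposition(header_from_domain, spf_pass_domain=None, dkim_pass_domain=None, dns=SAMPLE_DNS):
    """Decide what to do with one message.

    spf_pass_domain:  the envelope-sender domain if SPF passed, else None.
    dkim_pass_domain: the d= domain of a DKIM signature that verified, else None.
    Returns 'pass' when at least one authenticated identifier aligns with the
    visible From: domain, the published p= policy when none does, and
    'no-policy' when the domain publishes no DMARC record at all.
    """
    record = lookup_dmarc(header_from_domain, dns)
    if record is None:
        return "no-policy"
    spf_aligned = spf_pass_domain is not None and is_aligned(spf_pass_domain, header_from_domain, record["aspf"])
    dkim_aligned = dkim_pass_domain is not None and is_aligned(dkim_pass_domain, header_from_domain, record["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass"
    return record["p"]


if __name__ == "__main__":
    # Legitimate bulk mail: SPF passes for a subdomain; relaxed aspf accepts it.
    print(dmarc_disposition("example.com", spf_pass_domain="mail.example.com"))           # pass
    # Spoofed From: header; SPF passes only for the sender's own unrelated domain.
    print(dmarc_disposition("example.com", spf_pass_domain="spoofer.invalid"))            # reject
    # DKIM signature from a subdomain, but adkim=s demands an exact match.
    print(dmarc_disposition("example.com", dkim_pass_domain="mail.example.com"))          # reject
    # Domain still at p=none: failing mail is delivered but shows up in reports.
    print(dmarc_disposition("legacy-bank.example", spf_pass_domain="spoofer.invalid"))    # none
    print(dmarc_disposition("no-record.example"))                                         # no-policy
```

The point the example makes for a defender is the last two cases: a record at p=none gives visibility (the rua= reports) but blocks nothing, and a domain with no record at all leaves receivers with no instruction, so moving your own domains to p=quarantine or p=reject is what actually stops look-alike mail from reaching employees.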

High-profile attacks in 2014 and 2015 all seem to have contained one common element: some employee, either high-level, low-level, or one targeted specifically for his or her password and administrative privileges, opened a malicious email which set off a catastrophic set of consequences for a company. Though there are many solutions that can potentially be employed to stop this pattern of doom and gloom, not one can be said to be entirely effective. Instead, the set of approaches described above, when used jointly, may help companies reduce the risk of being spear phished “to death” by bad actors.

[i] The existence of the first “snake-oil salesmen” dates back at least to the time of the First Intercontinental Railroad in 1863.

[ii] See “Symantec Internet Threat Report 2015,” available at http://www.symantec.com/index.jsp (hereinafter, the “Symantec Report”).

[iii] See e.g. “Phishing Email Baits Indiana Medical Center, Health Data Exposed,” available at http://www.nextgov.com/cybersecurity/threatwatch/2015/04/breach/2233/; “SendGrid: Employee Account Hacked, Used to Steal Customer Credentials,” available at https://krebsonsecurity.com/2015/04/sendgrid-employee-account-hacked-used-to-steal-customer-credentials/.

[iv] See “Is Employee Awareness and Training the Holy Grail of Cybersecurity?” available at https://www.dandodiary.com/2015/03/articles/cyber-liability/guest-post-is-employee-awareness-and-training-the-holy-grail-of-cybersecurity/.

[v] See “Data Breach Methods Getting More Sophisticated, Report Says,” available at http://www.govtech.com/data/Data-Breach-Methods-Getting-More-Sophisticated.html.

[vi] See “Beware of Nepal charity scams,” available at http://www.usatoday.com/story/money/personalfinance/2015/05/03/weisman-nepal-charity-scams/26755507/ (highlighting that “Email and text message solicitations for charities as well as solicitations you find on social media are also not to be trusted. Once again, you cannot be sure as to who is actually contacting you and these solicitations carry the additional danger of having links or attachments that, if clicked on or downloaded, will install malware on your computer or smartphone that will steal the personal information from your device and use it to make you a victim of identity theft.”).

[vii] See “5 Scams to Watch for in 2015,” available at https://www.allclearid.com/blog/5-scams-to-watch-for-in-2015.

[viii] See “2015 Verizon Data Breach Investigations Report,” available at http://www.verizonenterprise.com/DBIR/2015/ (hereinafter, the “Verizon Report”).

[ix] See “Banking Malware Taps Macros,” available at http://www.databreachtoday.com/banking-malware-taps-macros-a-8186 (describing the Bartalex macro malware scheme, in which a social-engineering attack tells recipients that their Automated Clearing House electronic-funds transfer was declined, and invites the recipient to click a link to “view the full details,” which leads to a Dropbox page that lists specific instructions, including the need to enable Microsoft Office macros).

[x] See Verizon Report.

[xi] See, e.g., the comprehensive anti-phishing training services offered by www.phishme.com.

[xii] See “Social networking best practices for preventing social network malware,” available at http://searchsecurity.techtarget.com/answer/Social-networking-best-practices-for-preventing-social-network-malware.

[xiii] See “DMARC – What is it?” available at http://dmarc.org/.

[xiv] See “How To Reduce Spam & Phishing With DMARC,” available at http://www.darkreading.com/application-security/how-to-reduce-spam-and-phishing-with-dmarc/a/d-id/1319243.

[xv] For instance, one of these solutions is the FireEye EX prevention series. See “Threat Prevention Platforms that Combat Email-Based Cyber Attacks,” available at https://www.fireeye.com/content/dam/fireeye-www/global/en/products/pdfs/fireeye-ex-series.pdf.

[xvi] See e.g. “Email Threat Prevention Cloud,” available at https://www.fireeye.com/content/dam/fireeye-www/global/en/products/pdfs/fireeye-email-threat-prevention-cloud.pdf.

In the following guest post, Dr. Burkhard Fassbach and Dr. Niklas Rahlmeyer imagine a possible shareholder presentation about D&O insurance at an annual meeting of shareholders in Germany. Fassbach is an Of Counsel with the Dusseldorf-based D&O-specialist law firm Hendricks. Rahlmeyer is an attorney in the corporate practice group of the Dusseldorf office of Field Fisher Waterhouse LLP. I would like to thank both for their willingness to publish their guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to readers of this blog. Here is the guest post.

 

***********************************

 

In the wake of a significant increase in D&O claims, (activist) shareholders are determined to meticulously scrutinize D&O policies at shareholders’ meetings. The chairs presiding at such meetings, as well as members of the supervisory and the executive board, should be prepared accordingly.

 

The shareholders are likely to chime in with the following:

 

“Dear Mr. Chair, dear supervisory and executive board members,

 

as a stockholder of this corporation, I rise to speak at today’s shareholder meeting so as to discuss the topic of D&O insurance. As you are all well aware, the D&O insurer’s promise to defend its insureds against unfounded claims for damages is at the heart of the insurance contract. If these claims turn out to be valid, the insurer’s ensuing duty is to indemnify its insureds by effecting payment to the policyholder. According to case law, the insurer’s promises to both defend and indemnify are conterminous and based on equal legal footing.

 

As a shareholder, I am deeply troubled with whether the D&O insurance coverage taken out for our company is going to protect our corporation’s assets when the chips are down. Please recall the slush funds at Siemens. In that case, where the damage amounted to EUR 1.6 billion and the insurance sum was set at EUR 250 million, the insurance carriers eventually paid out the petty amount of EUR 100 million. I, personally, am incapable of discerning asset protection here. Likewise, the shareholders of Deutsche Bank will have to dig deep into their pockets. When former chair Breuer, during a Bloomberg TV interview, rendered detrimental comments relating to media entrepreneur Kirch, this cost Deutsche Bank EUR 925 million. It is the shareholders who are most likely going to have to foot the bill resulting from this squander of capital.

 

As you all know: Executive board members and supervisory board members who commit a breach of duty are jointly and severally liable to the corporation for such damages as result from their breach of duty. Don’t get me wrong, dear members of the executive board: I have complete trust in the way you are conducting business. However, as a shareholder, I ought not to lose sight of the worst-case scenario. Since the worst case did not spare former icons of the German economy, it is potentially not going to halt here.

 

My first inquiry is this: Do you deem the insurance sum of the D&O policy that is currently in place appropriate with respect to the risks our company is exposed to? Secondly: Have you concentrated on analyzing current developments in the D&O insurance arena in Germany? Please bear with me while I would like to render some background information in this regard:

 

The product of D&O insurance has its origin in the U.S. Unlike German law, U.S. law does not know an institutionalized separation of monitoring and management. As a consequence of the unreflecting adoption of American coverage concepts in Germany, both the executive and the supervisory board members are insured persons that are commonly insured under the roof of the identical insurer.

 

Can this work? I raise this question, because, in a D&O damage event, members of the supervisory board and members of the executive board are potentially prone to having colliding interests. Reasoning that attack is the best form of defense, defendant members of the executive board, in a virtual routine of behavior, serve third-party notices on their supervisory board colleagues. To put it crudely: The D&O insurer then ‘represents’ two opposing parties. In this case, the insurer is ensnared in an inherent conflict of interest.  The only viable solution is to separate one party from the representing insurer.

 

This flows from the precept that, in accordance with the legal precedents set forth by Civil Division IV of the German Federal Supreme Court in charge of insurance law matters, the insurer shall protect the interests of the insured person in the same way a lawyer retained by that person would do. On these grounds, insurance coverage concepts are under debate in Germany that forestall conflicts of interest between executive and supervisory board members. Following those concepts, insurance coverage for both organs is separately placed with different carriers. In D&O lingo this is called ‘Twin-Tower’ or ‘Two-Tier-Trigger’-concept.

 

There are strong arguments backing this concept: It is upon the supervisory board to monitor management. The inherent crux of this duty to monitor has been appositely couched in an expert opinion to the 70th German Legal Colloquium. May I quote: ‘As the monitoring of management rests with the supervisory board, any mistake made by management is theoretically susceptible to being converted into a mistake by the supervisory board’, which amounts to the statement that, had the supervisory board lived up to its monitoring duty, the mistake would have been averted in the first place.

 

According to the German Federal Supreme Court’s ‘ARAG doctrine’, a supervisory board is subject to the duty to independently investigate the viability of a corporation’s compensation claims against executive board members. If the supervisory board does not fulfill its duty to pursue viable claims, this constitutes a breach of duty vis-à-vis the corporation, and the corporation, in turn, has a claim against the blundering supervisory board members.

 

The question inevitably becomes: Is it apt to perceive the supervisory board as a huntsman such as would reflect the ideal laid down by the German Federal Supreme Court? Or does the supervisory board feel inhibited due to potentially becoming the hounded through third-party notices? Indeed, the supervisory board’s independence with respect to the review of potential claims and their out-of-court assertion is most naturally heavily compromised for ‘fear of third-party notices’.

 

The residual risk bearers, the shareholders, take the greatest interest in the replenishment of the assets of the damaged corporation. Accordingly, we, the shareholders, take a fundamental interest in a supervisory board’s acting independently. For that matter, separate D&O coverage for members of the supervisory board works as a valuable contribution to effective corporate governance, because the supervisory board’s independence in pursuing claims against executive board members is ensured at the level of D&O insurance. Thus, I ask you: Do you share my view in light of a shareholder-value concept?

 

Thank you very much for your attention.”

At a time when cyber liability and other hot topics dominate the discussion, potential corporate liability arising from environmental disclosures often does not receive the attention it should. However, as I have previously noted on this blog, environmental issues have been and remain an area on which plaintiffs’ lawyers have been focused. A recently filed securities class action lawsuit underscores the significance of environmental issues and the connection of these issues to corporate liability exposures.

 

On April 30, 2015, plaintiffs’ lawyers filed a securities class action lawsuit in the Middle District of Florida against Rayonier Advanced Materials (RYAM) and certain of its directors and officers. RYAM is a relatively new publicly traded company. It was formed as a result of the June 30, 2014 spin-off of the Performance Fibers Division of Rayonier, Inc.

 

The securities class action lawsuit relates to RYAM’s January 28, 2015 fourth quarter and full year earnings release (here). Among other things, in the press release, RYAM announced that it was increasing its reserve for environmental liabilities associated with discontinued operations by $69 million. This reserve represents the company’s estimate of its likely costs associated with the remediation and maintenance of disposed operational sites.

 

According to the plaintiffs’ lawyers’ May 4, 2015 press release (here), RYAM’s financial statements were misleading because the company had improperly recorded or failed to record its liabilities for environmental remediation and related obligations and failed to provide sufficient disclosures to investors to permit “meaningful evaluation of the true scope and extent of the environmental remediation and related liabilities, which were associated with decades of environmental pollution.”

 

The plaintiffs’ complaint (which can be found here) specifically alleges that:

 

(1) Defendants incorrectly accounted for RYAM’s remediation and long-term monitoring and maintenance for environmental liabilities; (2) as a result, the Company understated its Environmental Reserves; (3) as a result, the Company did not record appropriate reserves as required by GAAP; (4) as a result, the Company did not disclose a range of possible reserves for probable and reasonably estimable environmental remediation and related liabilities as required by GAAP; (5) as a result, RYAM did not properly estimate known and probable environmental remediation obligations as required by GAAP; and (6) as a result, RYAM did not maintain adequate internal and financial controls.

 

The complaint also alleges that RYAM misled investors about the demand for its product, and that contrary to the company’s representations, demand for acetate was slowing. The complaint further alleges that the company made misrepresentations regarding the debt incurred in connection with the spin-off.

 

As this case and other recent case filings show, environmental issues are an area of increasing focus for plaintiffs’ lawyers. As I have noted, a number of these environmentally focused shareholder lawsuits have proven to be viable. At a minimum, these cases underscore the fact that reporting companies’ environmental compliance disclosures are facing increasing scrutiny, making the quality of the environmental disclosures increasingly important. As I noted in connection with the recent shareholder derivative lawsuit involving Duke Energy, environmental concerns can also lead to mismanagement claims based on alleged breaches of fiduciary duties.

 

The typical D&O liability insurance policy will contain an exclusion for loss arising from claims for pollution and environmental liabilities. However, many of these exclusions also contain a provision carving back coverage for shareholder claims. This case shows the importance of this kind of coverage carve back. The carve back ensures that directors and officers hit with this kind of shareholder suit filed in the wake of an environmental incident are able to rely on their D&O insurance to defend themselves against the shareholder suit.

 

In recent years, a number of D&O insurance carriers have introduced policy forms that eliminate the pollution exclusion altogether but that also incorporate into the policy’s definition of “Loss” a provision stating that Loss will not include environmental remediation or cleanup costs.

 

An April 28, 2015 article in Corporate Counsel entitled “D&O Insurance for Environmental Liability Exposures” (here) discusses the D&O insurance issues relating to environmental liability in more detail.

Reps and warranties insurance has been available for several years now, but there is no doubt that more recently there has been an increase in the product’s uptake. Indeed, according to an April 29, 2015 article from George Wang of the Haynes and Boone law firm (here), reps and warranties insurance “has gained popularity as a tool to decrease transaction liability exposure in M&A transactions” and more recently there has been a “dramatic increase” in the use of reps and warranties insurance products.

 

As I have detailed in prior posts (for example, here), reps and warranties policies can preserve deal value by shifting potential liability for breaches of transaction representations and warranties discovered after deal closing. In exchange for an upfront payment, the policy may reduce or eliminate the need for seller escrows or holdbacks for contingent liabilities – an arrangement that could be particularly attractive in the current low interest rate environment. Although the policies are available either for the buyer or the seller, most policies are buyer-side policies.

 

According to the law firm memo’s author, there are a number of reasons why these insurance products have become more popular. The most basic reason involves simple economics – “the cost to obtain coverage today is significantly lower than the premiums charged even five years ago.” At the same time, the market for reps and warranties has “expanded greatly” (and is growing larger all the time).

 

In addition to these economic considerations, there are several other reasons why the product has become more popular: first, there has been an increase in what the author describes as “middle-market deals” (that is, deals ranging from between $25 million and $2 billion), as opposed to “mega public deals.”

 

Second, private equity sellers increasingly are trying to limit their indemnity exposure and limit escrow and holdback obligations. In addition, these private equity sellers may want to be able to close out their funds and fully distribute sales proceeds to their investors.

 

Third, in a consideration that I have seen becoming increasingly important, buyers in a competitive auction process are trying to use the inclusion of a reps and warranties policy (which would reduce the need for seller escrows and holdbacks) as a way to enhance their bid relative to competitors.

 

Fourth, in what is also an increasingly important consideration, where a transaction involves a seller that the buyer considers a high-risk indemnitor or a foreign seller, the buyer may want to implement reps and warranties insurance to avert a possible collection risk (such as when a seller is based in a jurisdiction that may not offer reassuring means of recourse if a breach occurs). The law firm memo’s author notes that reps and warranties policies “can be particularly useful in the context of cross-border transactions … to facilitate middle-market transactions involving foreign buyers or sellers of domestic U.S.-based businesses.”

 

Fifth, reps and warranties insurance “may be attractive in situations involving multiple sellers who may have different levels of indemnity obligations to a prospective buyer (i.e., several versus joint and several liability) or in the case of an equity rollover transaction or partial management buyout situation in which a majority buyer may not want to seek post-closing claims against a continuing management team that comprises the selling group.” The insurance product avoids the possibility that the buyer might have to assert a claim against, and thus demotivate, the post-deal management team.

 

Another reason for the increased uptake of the product is that a recurring past concern about the insurance product can now be addressed through policy wording (at least when the product is properly put together). As I noted in prior posts (here and here), there have been recurring questions whether the product would provide appropriate protection for multiple-based damages – for example, where the damages are expressed as a multiple of a negotiated EBITDA. It is now possible in the marketplace for a buyer to obtain a policy allowing the recovery of damages based upon a multiple of earnings, “but the parties must take care in negotiating the specific terms of the [insurance] and waiver of consequential, special, and indirect damage provisions, lost profits and diminution of earnings provisions in the underlying acquisition agreement to obtain the intended deal consequences.”

 

There are two more practical reasons why the product is increasingly popular. First, the process for obtaining a reps and warranties binder has been streamlined, and, second, there is now more of a track record of the insurers actually paying claims. The law firm memo’s author notes that “while claim history information is anecdotal, it is generally understood that claims are asserted in about 20 percent of issued policies and that most claims fall within the self-retention loss of the issued policies (1-2 percent of the enterprise value).” At the same time, “insurers recognize the necessity to pay, and to maintain their reputation for responding to, legitimate claims.”

 

M&A Transactions: Important Run-Off Insurance Issues: There are other important insurance issues involved when companies enter an M&A transaction. Care must be taken to ensure that the acquired entity is properly incorporated into the acquiring company’s D&O and E&O insurance. In addition, the acquired company’s D&O insurance and E&O insurance programs must be restructured into run-off, or “tail,” policies, so that liabilities relating to the acquired company’s operations prior to its acquisition are properly insured.

 

In an interesting May 1, 2015 memo (here), Thomas S. Novak of the Sills, Cummis & Gross law firm takes a look at the issues that can arise in connection with the selling company’s liability insurance program. The memo addresses the key considerations that arise in connection with the selling company’s run-off insurance. It also discusses related issues, such as the question of whether the insured should give a notice of circumstances that could give rise to a claim prior to the deal date. Novak is correct when he states at the conclusion of his memo that “careful consideration of your existing insurance program, risk profile and future business strategy is essential to avoid unexpected gaps in coverage.”

 

While I recommend Novak’s memo, I do disagree with him on one issue that is a point of emphasis in his memo. Indeed, in the memo’s title, he asserts that “delegating M&A insurance issues to a broker is risky business.” He adds, to underscore how supposedly risky it is to rely on an insurance broker, that “the bottom line is that an insurance broker does not know corporate law or your business as well as you do.”

 

With all due respect to Novak, I think his emphasis on the danger of relying on an insurance broker is off the mark. It has been my privilege as an insurance broker to work with many outside counsel while they represented many different companies, and in many cases these lawyers are quite knowledgeable about insurance issues. By and large, however, these lawyers generally lack day-to-day knowledge of the insurance marketplace. Even lawyers that have very detailed knowledge about the insurance issues and other legal considerations have limited knowledge about the mechanics of the D&O insurance procurement process; of the various carriers in the marketplace and of the peculiarities of their expectations and practices; and of the range of likely possibilities available from any given carrier in any given circumstances. Only a knowledgeable and experienced insurance broker can address these and the many other practical factors involved in any insurance transaction.

 

Novak would have been providing better advice if, rather than trying to scare company officials about how dangerous it is for them to rely on their insurance brokers, he had communicated that the best approach is for companies to ensure that their brokers and their outside counsel work together collaboratively.

 

The most important consideration when it comes to insurance brokers is for companies to make sure that they have knowledgeable and experienced brokers involved in their insurance placement. Indeed, if companies have appropriately knowledgeable and experienced brokers involved, there usually is no need for the companies to incur the additional expense of involving outside counsel – as in fact is the case for many of our clients and the clients of other knowledgeable and experienced brokers.

 

Ten FCPA Facts You Need to Know: Here at The D&O Diary, we are big fans of the FCPA Professor Blog (here), which is written by Southern Illinois University Law School Professor Mike Koehler. We recommend the blog as one of the best resources available on all things relating to the FCPA. In addition, Professor Koehler has also published an interesting May 1, 2015 paper entitled “Ten Seldom Discussed Foreign Corrupt Practices Act Facts that You Need to Know” (here). His paper provides a number of interesting observations about the FCPA, including its limitations and its differences from similar anti-corruption laws in other jurisdictions, and what he characterizes as the SEC’s and DoJ’s questionable track record in enforcing the statute. The article is worth a read.