
Tips for Avoiding Securities Litigation

Here are tips on how public companies can better protect themselves against securities claims — practical steps companies can take to help them avoid suits, mitigate the risk if they are sued and defend themselves more effectively and efficiently.

Avoiding suits

Companies can avoid many suits with what I’ll call “better-feeling” disclosures. Nearly all public companies devote significant resources to accounting that conforms with GAAP, and non-accounting disclosures that comply with the labyrinth of disclosure rules. Despite tremendous efforts in these areas, events sometimes surprise officers and directors — and the market — and make a company’s previous accounting or non-accounting disclosures appear to have been inaccurate. But plaintiffs’ lawyers decide to sue only a subset of such companies — a smaller percentage than most people would assume. What makes them sue Company A, but not Company B, when both have suffered a stock price drop because of a development that relates to their earlier disclosures? There are a number of factors, but I believe the driver is whether a company’s disclosures “feel” fair and honest. Without the benefit of discovery, plaintiffs’ lawyers have to draw inferences about whether litigation will reveal fraud or a sufficient degree of recklessness — or show that the discrepancies between the earlier disclosures and later revelations were due to mistake or an unanticipated development.

What can companies do to make their disclosures “feel” more honest? An easy way is to improve the quality of their Safe Harbor warnings. Although the Reform Act’s Safe Harbor was designed to protect companies from lawsuits over forward-looking statements, there are still an awful lot of such actions filed. The best way to avoid them is by crafting risk warnings that are current and candid. A plaintiffs’ lawyer who reads two years’ worth of risk factors can tell whether the risk factors are boilerplate or an honest attempt to describe the company’s risks. The latter deters suits. The former invites them.

Another way for companies to improve their disclosures is through more precision and a greater feel of candor in the comments they make during investor conference calls. Companies sweat over every detail in their written disclosures but then send their CEO and CFO out to field questions on the very same subjects and improvise their responses. What executives say, and how they say it, often determines whether plaintiffs’ lawyers sue — and, if they do, how difficult the case will be to defend. A majority of the most difficult statements to defend in a securities class action are from investor calls, and plaintiffs’ lawyers listen to these calls and form impressions about officers’ fairness and honesty.

Companies looking to minimize the risks of litigation should also take steps to prevent their officers and directors from making suspicious-looking stock sales — for obvious reasons, plaintiffs’ lawyers like to file suits that include stock sales. If a company’s officers and directors don’t have 10b5-1 plans, companies should establish and follow an insider trading policy and, when in doubt, seek guidance from outside counsel on issues such as trading windows and the propriety of individual stock sales, both as to the legal ability to sell, and how the sales will appear to plaintiffs’ lawyers. Even if officers and directors have 10b5-1 plans, companies aren’t immune to scrutiny of their stock sales — plaintiffs’ lawyers usually aren’t deterred by 10b5-1 plans, contrary to conventional wisdom. So companies should consult with their counsel about establishing and maintaining the plans, to avoid traps for the unwary.

Defending suits

Whether a securities class action is a difficult experience or a fairly routine corporate legal matter usually turns on the company’s decisions about directors’ and officers’ indemnification and insurance, choice of defense counsel and management of the defense of the litigation.

Deciding on the right director and officer protections and defense counsel requires an understanding of the seriousness of securities class actions. Although they are a public company’s primary D&O litigation exposure, most companies don’t understand the degree of risk they pose. Some companies seem to take securities class actions too seriously, while others might not take them seriously enough.

The right level of concern is almost always in the middle. A securities class action is a significant lawsuit. It alleges large theoretical damages and wrongdoing by senior management and often the board. But the risk presented by a securities action is usually very manageable, if the company hires experienced, non-conflicted and efficient counsel and devotes sufficient time and energy to the litigation. Cases can be settled for a predictable amount, and it is exceedingly rare for directors and officers to write a personal check to defend or settle the case. On the other hand, it can be a costly mistake for a company to take a securities class action too lightly; even meritless cases can go wrong.

The right approach involves several practical steps that are within every company’s control.

Companies should hire the right D&O insurance broker and treat the broker as a trusted adviser.

There is a talented and highly specialized community of D&O insurance brokers. Companies should evaluate which is the right broker for them — they should conduct an interview process to decide on the right broker and seek guidance from knowledgeable sources, including securities litigation defense counsel. Companies should heavily utilize the broker in deciding on the right structure for their D&O insurance program and in selecting the right insurers. And, because D&O insurance is ultimately about protecting officers and directors, companies should have the broker speak directly to the board about the D&O insurance program.

Boards should learn more about their D&O insurers.

Boards should know their D&O insurers’ financial strength and other objective characteristics. But boards should also consider speaking with the primary insurer’s underwriting executives from time to time, especially if the relationship with the carrier is, or may be, long-term. The quality of any insurance turns on the insurer’s response to a claim. D&O insurance is a relationship business. Insurers want to cover D&O claims, and it is important to them to have a good reputation for doing so. The more the insurer knows the company, the more comfortable the insurer will be about covering even a difficult claim. And the more a board knows the insurer, the more comfortable the board will be that the insurer will cover even a difficult claim.

Boards should oversee the defense-counsel selection process, and make sure the company conducts an interview process and chooses counsel based on value.

The most important step for a company to take in defending a securities class action is to conduct an audition process through which the company selects conflict-free defense counsel who can provide a quality defense — at a cost that leaves the company enough room to defend and resolve the litigation within policy limits. Put differently, the biggest threats to an effective defense of a securities class action are the use of either a conflicted defense counsel, defense counsel who will charge an irrational fee for the litigation or counsel who will cut corners to make the economics appear reasonable.

Errors in counsel-selection most often occur when a company fails to conduct an interview process, or fails to consult with its D&O insurers and brokers, who are “repeat players” in D&O litigation and thus have good insights on the best counsel for a particular case. Although the Reform Act’s 90-day lead plaintiff selection process gives companies plenty of time to evaluate, interview, and select the right defense counsel for the case, many companies quickly hire their corporate counsel’s litigation colleagues, without consulting with brokers and insurers or interviewing other firms.

The right counsel may end up being the company’s normal corporate firm, but a quick hiring decision rarely makes sense under a cost-benefit analysis. The cost of hiring the wrong firm can be substantial — the harm includes millions of dollars of unnecessary fees; hundreds of hours of wasted time by the board, officers and employees; an outcome that is unnecessarily uncertain; and an unnecessarily high settlement — and there’s very little or no upside to the company.

On the other hand, it costs very little to interview several firms for an hour or two each, and the benefit can be substantial – free and specialized strategic advice by several of the handful of lawyers who defend securities litigation full time, and potentially substantial price and other concessions from the firm that is ultimately chosen.  The auditioning lawyers can also provide guidance to the company on whether its corporate counsel faces conflicts and, if so, the potential harm to the company and the officers and directors from hiring corporate counsel anyway.

Next Up for Cyber: Class Action Suits

Last fall, I wrote about board oversight of cybersecurity and derivative litigation in the wake of cybersecurity breaches.  In this post, I’d like to focus on cybersecurity disclosure and the inevitable advent of securities class actions following cybersecurity breaches.  In all but one instance (Heartland Payment Systems), cybersecurity breaches, even the largest, have not caused a stock drop big enough to trigger a securities class action.  But there appears to be a growing consensus that stock drops are inevitable when the market better understands cybersecurity threats, the cost of breaches and the impact of threats and breaches on companies’ business models.  When the market is better able to analyze these matters, there will be stock drops.  When there are stock drops, the plaintiffs’ bar will be there.

When plaintiffs’ lawyers arrive, what will they find?  They will find companies grappling with cybersecurity disclosure.  Understandably, most of the discussion about cybersecurity disclosure focuses on the SEC’s Oct. 13, 2011, “CF Disclosure Guidance: Topic No. 2” (“guidance”) and the notorious failure of companies to disclose much about cybersecurity, which has resulted in a call for further SEC action by Sen. Rockefeller and follow-up by the SEC, including an SEC Cybersecurity Roundtable on March 24, 2014.  But, as the SEC noted in the guidance, and Chair White reiterated in October 2013, the guidance does not define companies’ disclosure obligations.  Instead, disclosure is governed by the general duty not to mislead, along with more specific disclosure obligations that apply to specific types of required disclosures.

Indeed, plaintiffs’ lawyers will not even need to mention the guidance to challenge statements allegedly made false or misleading by cybersecurity problems. Various types of statements — from statements about the company’s business operations (which could be imperiled by inadequate cybersecurity), to statements about the company’s financial metrics (which could be rendered false or misleading by lower revenues and higher costs associated with cybersecurity problems), to internal controls and related CEO and CFO certifications, to risk factors themselves (which could warn against risks that have already materialized) — could be subject to challenge in the wake of a cybersecurity breach.

Plaintiffs will allege that the challenged statements were misleading because they omitted facts about cybersecurity (whether or not subject to disclosure under the guidance). In some cases, this allegation will require little more than coupling a statement with the omitted facts. In cybersecurity cases, plaintiffs will have greater ability to learn the omitted facts than in other cases, as a result of breach notification requirements, privacy litigation and government scrutiny, to name a few avenues. The law, of course, requires more than simply coupling the statement and omitted facts; plaintiffs must explain in detail why the challenged statement was misleading, not just incomplete, and companies can defend the statement in the context of all of their disclosures. But in cybersecurity cases, plaintiffs will have more to work with than in many other types of cases.

Pleading scienter likely will be easier for plaintiffs, as well. With increased emphasis on cybersecurity oversight at the senior officer (and board) level, a CEO or CFO will have difficulty (factually and in terms of good governance) suggesting that she didn’t know, at some level, about the omitted facts that made the challenged statements misleading. That doesn’t mean that companies won’t be able to contest scienter. Knowledge of omitted facts isn’t the test for scienter; the test is intent to mislead purchasers of securities. However, this important distinction is often overlooked in practice.  Companies will also be able to argue that they didn’t disclose certain cybersecurity matters because, as the guidance contemplates, some cybersecurity disclosures can compromise cybersecurity. This is a proper argument for a motion to dismiss, as an innocent inference under Tellabs, but it may feel too “factual” for some judges to credit at the motion to dismiss stage.

As this analytic overview shows, cybersecurity securities class actions, on the whole, likely will be virulent. Companies, of course, are talking about cybersecurity risks in their boardrooms — and they should also think about how to discuss those risks with their investors. The best way for companies to lower their risk profile is to start to address this issue now, by thinking about cybersecurity in connection with all of their key disclosures, and enhancing their disclosures as appropriate.

Perfection and prescience are not required. Effort matters most. Companies that don’t even try will stand out. As I’ve written in the context of the Reform Act’s Safe Harbor for forward-looking statements, judges are skeptical of companies whose risk factors remain static over time, and look favorably on companies that appear to try to draft meaningful risk factors. I thus construct a defense of forward-looking statements by emphasizing, to the extent I can, ways in which the company’s risk disclosures evolved, and were tailored and focused. I predict that the same approach will prove effective in cybersecurity cases.