Ready to Comply With Fiduciary Standard?

Recent actions by the U.S. Department of Labor (DOL) are causing insurance and other financial services brokers to rethink their business models and how they communicate with their customers. That’s because the DOL recently finalized a controversial new standard broadening the definition of who constitutes a “fiduciary” under the Employee Retirement Income Security Act (ERISA).

Essentially, the rule, with an applicability date of April 10, 2017, heightens the duty of financial advisers for 401(k) plans and IRAs who are considered “brokers,” defined as registered representatives of a broker dealer paid commissions by the investments they recommend. Before the new rule, brokers were held to a standard of suitability, which meant that, when a broker recommended that a client buy or sell a particular security, the broker must have a reasonable basis for believing that the recommendation is suitable for that client. That standard allowed brokers to recommend an investment product that paid them a higher commission as long as it was suitable for the client, even though it may not be the best choice. Under the new fiduciary standard, brokers must put their clients’ interests ahead of their own in recommending investments.

The new standard for brokers puts them on par with investment advisers registered with the Securities and Exchange Commission or individual states, who were already required to meet the fiduciary standard. The change presents a challenge to the business model of brokers, who typically get paid from commissions, unlike registered investment advisers, who are paid a percentage fee based on the amount of plan assets under management.

New challenges for broker customer communications

The challenges the new rule poses for brokers don’t end with compensation. The new duty will directly affect any information brokers provide to customers in print or digital form that might be deemed a “recommendation” under the rule. A fact sheet provided by the DOL describes a “recommendation” as follows:

“A ‘recommendation’ is a communication that, based on its content, context and presentation, would reasonably be viewed as a suggestion that the advice recipient engage in or refrain from taking a particular course of action. The more individually tailored the communication is to a specific advice recipient or recipients, the more likely the communication will be viewed as a recommendation.”

A holistic view of the customer communications ecosystem

In short, every broker customer communication will now need to be audited to determine whether it constitutes a recommendation and modified if it would violate the new standard. This could be an onerous task.

Customer communications management (CCM) processes will be essential for complying with this new rule. Adding personalization to communications is a huge advantage to the adviser, but it is now critical to have a process for reviewing these personalized communications to confirm that they conform to the new legal reality.

CCM becomes even more critical considering the efficiency and control that can be gained by centrally managing this content. Scattered, decentralized communications processes will make it far more likely that an adviser will send noncompliant content to a customer, exposing the company and the adviser to considerable risk.

Many insurance agencies and other brokers use legacy systems to generate their customer communications, which makes it costly and time-intensive to modify them to ensure compliance with the new rule. IT departments have the skills to make the needed changes, but not the time or full expertise to review and audit the updated customer communications. Insurance organizations should give careful consideration to the following to identify potential obstacles to compliance:

  • Determine where customer information is stored. If it resides in multiple departmental systems, there is greater risk that advisers will send noncompliant communications to customers unless these systems are coordinated.
  • Consider whether existing CCM processes and systems are flexible enough to incorporate compliance review for today’s wide range of communications channels, including mobile, email, web pages and social media.
  • Analyze how customer activities are supported by different channels in the organization. Channel communications may be intertwined from a customer’s perspective, but managed separately within the organization. Achieving compliance will require understanding how communications appear to the customer.
  • Ensure that compliance officers and other regulatory personnel are engaged early in communications creation and automate approval processes to speed time-to-market and create audit trails.

With the new DOL rule, brokers want to know what constitutes a recommendation, and they want to know how to effectively communicate with customers in a compliant way. Ideally, insurance organizations will find strategies that allow brokers the freedom to personalize their customer communications so that they can differentiate from the competition, while at the same time receive the timely guidance they need to avoid making an unintentional recommendation.

Accomplishing this will require a careful look at the current customer communications ecosystem and taking the necessary steps to ensure that compliance review is integrated into workflows in the most effective, yet least intrusive, way.

Mobile Messaging: How to Meet Rules

Insurance companies face numerous state, federal and international regulatory obligations with customer communications and relationship management. Failure to comply can be costly to reputations and bottom lines. In fact, because of the vast amounts of personal and sensitive data involved, businesses in the insurance, financial services and other highly regulated sectors are required by law to archive electronic messages and ensure customer privacy across communication channels. In our hyper-connected digitized world, these security requirements extend to interactions conducted via mobile messaging, which has quickly emerged as the preferred and fastest-growing communication method.

There are already 1.6 billion people on messaging platforms worldwide, and projections are that, in 2017, more than 28.2 trillion messages will be sent.

Yet many of the most popular social mobile messaging platforms don’t meet the regulatory requirements set forth by the Securities and Exchange Commission (SEC) and other regulatory bodies. They are designed for peer-to-peer messaging instead of contemplating business communications and transactions. A case in point is the recent privacy concerns raised when WhatsApp, a popular messaging app, announced it would share customer data with Facebook. Compliance, legal and regulatory professionals shudder at the thought of “shared customer data.”

Consumers don’t want to use the same chat app for private, business interactions that they use for friends. As a result, adoption of social chat apps that provide real transactional capabilities has been slow for insurance, as well as banking, healthcare, telecommunications, cable-TV and related services.

Likewise, most insurers and other highly regulated companies aren’t sold on using a social messaging service such as WhatsApp or Facebook for messaging with customers largely because of data privacy issues. So how can insurance companies embrace mobile messaging as the preferred way for customers to communicate, while still meeting regulatory, legal and internal policy requirements?

  1. Adopt a messaging platform that allows secure, encrypted messaging purposefully designed for business.
  2. Ensure mobile messages are effectively captured and archived in a secure filing cabinet.
  3. Ensure compliance and integration of your mobile messaging solution with other customer communication channels and enterprise systems.

The insurance industry has built its foundation on managing risk and building a good reputation. By adopting mobile messaging to communicate with customers in real-time, insurers have an opportunity to create a deeper connection with customers, increase satisfaction and reduce costs while also building trust with customers. The opportunity to improve the customer experience is huge, while also successfully meeting the regulatory requirements around this next wave of change in communication.

Future of Securities Class Actions

Securities litigation has a culture defined by multiple elements: the types of cases filed, the plaintiffs’ lawyers who file them, the defense counsel who defend them, the characteristics of the insurance that covers them, the way insurance representatives approach coverage, the government’s investigative policies – and, of course, the attitude of public companies and their directors and officers toward disclosure and governance.

This culture has been largely stable over the nearly 20 years I’ve defended securities litigation matters full time. The array of private securities litigation matters (in the way I define securities litigation) remains the same – in order of virulence: securities class actions, shareholder derivative litigation matters (derivative actions, board demands and books-and-records inspections) and shareholder challenges to mergers. The world of disclosure-related SEC enforcement and internal corporate investigations is basically unchanged, as well. And the art of managing a disclosure crisis, involving the convergence of shareholder litigation, SEC enforcement and an internal investigation, involves the same basic skills and instincts.

But I’ve noted significant changes to other characteristics of securities-litigation culture recently, which portend a paradigm shift. Over the past few years, smaller plaintiffs’ firms have initiated more securities class actions on behalf of individual, retail investors, largely against smaller companies that have suffered what I call “lawsuit blueprint” problems such as auditor resignations and short-seller reports. This trend – which has now become ingrained into the securities-litigation culture – will significantly influence the way securities cases are defended and by whom, and change the way that D&O insurance coverage and claims need to be handled.

Changes in the Plaintiffs’ Bar

Discussion of the history of securities plaintiffs’ counsel usually focuses on the impact of the departures of former giants Bill Lerach and Mel Weiss. But although the two of them did indeed cut a wide swath, the plaintiffs’ bar survived their departures just fine. Lerach’s former firm is thriving, and there are strong leaders there and at other prominent plaintiffs’ firms.

The more fundamental shifts in the plaintiffs’ bar concern changes to filing trends. Securities class action filings are down significantly over the past several years, but, as I have written, I’m confident they will remain the mainstay of securities litigation and won’t be replaced by merger cases or derivative actions. There is a large group of plaintiffs’ lawyers who specialize in securities class actions, and there are plenty of stock drops that give them good opportunities to file cases. Securities class action filings tend to come in waves, both in the number of cases and type. Filings have been down over the last several years for multiple reasons, including the lack of plaintiff-firm resources to file new cases as they continue to litigate stubborn and labor-intensive credit-crisis cases, the rising stock market and the lack of significant financial restatements.

Although I don’t think the downturn in filings is, in and of itself, very meaningful, it has created the opportunity for smaller plaintiffs’ firms to file more securities class actions. The Reform Act’s lead plaintiff process gives plaintiffs’ firms incentives to recruit institutional investors to serve as plaintiffs. For the most part, institutional investors, whether smaller unions or large funds, have retained the more prominent plaintiffs’ firms, and smaller plaintiffs’ firms have been left with individual investor clients who usually can’t beat out institutions for the lead-plaintiff role. At the same time, securities class action economics tightened in all but the largest cases. Dismissal rates under the Reform Act are pretty high, and defeating a motion to dismiss often requires significant investigative costs and intensive legal work. And the median settlement amount of cases that survive dismissal motions is fairly low. These dynamics placed a premium on experience, efficiency and scale. Larger firms filed most of the cases, and smaller plaintiffs’ firms were unable to compete effectively for the lead plaintiff role or make much money on their litigation investments.

This started to change with the wave of cases against Chinese issuers in 2010. Smaller plaintiffs’ firms initiated most of them, as the larger firms were swamped with credit-crisis cases and likely were deterred by the relatively small damages, potentially high discovery costs and uncertain insurance and company financial resources. Moreover, these cases fit smaller firms’ capabilities well; nearly all of the cases had “lawsuit blueprints” such as auditor resignations or short-seller reports, thereby reducing the smaller firms’ investigative costs and increasing their likelihood of surviving a motion to dismiss. The dismissal rate has indeed been low, and limited insurance and company resources have prompted early settlements in amounts that, while on the low side, appear to have yielded good outcomes for the smaller plaintiffs’ firms.

The smaller plaintiffs’ firms thus built up a head of steam that has kept them going, even after the wave of China cases subsided. For the last year or two, following almost every “lawsuit blueprint” announcement, a smaller firm has launched an “investigation” of the company, and smaller firms have initiated an increasing number of cases. Like the China cases, these tend to be against smaller companies. Thus, smaller plaintiffs’ firms have discovered a class of cases – cases against smaller companies that have suffered well-publicized problems that reduce the plaintiffs’ firms’ investigative costs – for which they can win the lead plaintiff role and that they can prosecute at a sufficient profit margin.

To be sure, the larger firms still mostly can and will beat out the smaller firms for the cases they want. But it increasingly seems clear that the larger firms don’t want to take the lead in initiating many of the cases against smaller companies and are content to focus on larger cases on behalf of their institutional investor clients.

These dynamics are confirmed by recent securities litigation filing statistics. Cornerstone Research’s “Securities Class Action Filings: 2014 Year in Review” concludes that (1) aggregate market capitalization loss of sued companies was at its lowest level since 1997 and (2) the percentage of S&P 500 companies sued in securities class actions “was the lowest on record.” Cornerstone’s “Securities Class Action Filings: 2015 Midyear Assessment” reports that two key measures of the size of cases filed in the first half of 2015 were 43% and 65% lower than the 1997-2014 semiannual historical averages. NERA Economic Consulting’s “Recent Trends in Securities Class Action Litigation: 2014 Full-Year Review” reports that 2013 and 2014 “aggregate investor losses” were far lower than in any of the prior eight years. And PricewaterhouseCoopers’ “Coming into Focus: 2014 Securities Litigation Study” reflects that, in 2013 and 2014, two-thirds of securities class actions were against small-cap companies (market capitalization less than $2 billion) and that one-quarter were against micro-cap companies (market capitalization less than $300 million). These numbers confirm the trend toward filing smaller cases against smaller companies, so that now, most securities class actions are relatively small cases.

Consequences for Securities Litigation Defense

Securities litigation defense must adjust to this change. Smaller securities class actions are still important and labor-intensive matters – a “small” securities class action is still a big deal for a small company and the individuals accused of fraud, and the number of hours of legal work to defend a small case is still significant. This is especially so for the “lawsuit blueprint” cases, which typically involve a difficult set of facts.

Yet most securities defense practices are in firms with high billing rates and high associate-to-partner ratios, which make it uneconomical for them to defend smaller litigation matters. It obviously makes no sense for a firm to charge $6 million to defend a case that can settle for $6 million. It is even worse for that same firm to attempt to defend the case for $3 million instead of $6 million by cutting corners – whether by under-staffing, over-delegation to junior lawyers or avoiding important tasks. It is worse still for a firm to charge $2 million through the motion to dismiss briefing and then, if it loses, to settle for more than $6 million just because it can’t defend the case economically past that point. And it is a strategic and ethical minefield for a firm to charge $6 million and then settle for a larger amount than necessary so that the fees appear to be in line with the size of the case.

Nor is the answer to hire general commercial litigators at lower rates. Securities class actions are specialized matters that demand expertise, consisting not just of knowledge of the law but of relationships with plaintiffs’ counsel, defense counsel, economists, mediators and D&O brokers and insurers.

Rather, what is necessary is genuine reform of the economics of securities litigation defense through the creation of a class of experienced securities litigators who charge lower rates and exhibit tighter economic control. Undoubtedly, that will be difficult to achieve for most securities defense lawyers, who practice at firms with supercharged economics. The lawyers who wish to remain securities litigation specialists will thus face a choice:

  1. Accept that the volume of their case load will be reduced, as they forego smaller matters and focus on the largest matters (which Biglaw firms are uniquely situated to handle well, on the whole);
  2. Rein in the economics of their practices, by lowering billing rates of all lawyers on securities litigation matters, and by reducing staffing and associate-to-partner ratios; or
  3. Move their practices to smaller, regional defense firms that naturally have more reasonable economics.

I’ve taken the third path, and I hope that a number of other securities litigation defense lawyers will also make that shift toward regional defense firms. A regional practice can handle cases around the country, because litigation matters can be effectively and efficiently handled by a firm based outside of the forum city. And they can be handled especially efficiently by regional firms outside of larger cities, which can offer a better quality of life for their associates and a more reasonable economic model for their clients.

Consequences for D&O Insurance

D&O insurance needs to change, as well. For public companies, D&O insurance is indemnity insurance, and the insurer doesn’t have the duty or right to defend the litigation. The insured selects counsel, and the insurer has a right to consent to the insured’s selection, but such consent can’t be unreasonably withheld. D&O insurers are in a bad spot in a great many cases. Because most experienced securities defense lawyers are from expensive firms, most insureds select an expensive firm. But in many cases that spells a highly uneconomical or prejudicial result, through higher than necessary defense costs or an early settlement that doesn’t reflect the merits but that is necessary to avoid using most or all of the policy limits on defense costs.

Given the economics, it certainly seems reasonable for an insurer to at least require an insured to look at less expensive (but just as experienced) defense counsel before consenting to the choice of counsel – if not outright withholding consent to a choice that does not make economic sense for a particular case. If that isn’t practical from an insurance law or commercial standpoint, insurers may well need to look at enhancing their contractual right to refuse consent or even to offer a set of experienced but lower-cost securities defense practices in exchange for a lower premium. It is my strong belief that a great many public company CFOs would choose a lower D&O insurance premium over an unfettered right to choose their own defense lawyers.

Because I’m not a D&O insurance lawyer, I obviously can’t say what is right for D&O insurers from a commercial or legal perspective. But it seems obvious to me that the economics of securities litigation must change, both in terms of defense costs and defense-counsel selection, to avoid increasingly irrational economic results.

Next Up for Cyber: Class Action Suits

Last fall, I wrote about board oversight of cybersecurity and derivative litigation in the wake of cybersecurity breaches.  In this post, I’d like to focus on cybersecurity disclosure and the inevitable advent of securities class actions following cybersecurity breaches.  In all but one instance (Heartland Payment Systems), cybersecurity breaches, even the largest, have not caused a stock drop big enough to trigger a securities class action.  But there appears to be a growing consensus that stock drops are inevitable when the market better understands cybersecurity threats, the cost of breaches and the impact of threats and breaches on companies’ business models.  When the market is better able to analyze these matters, there will be stock drops.  When there are stock drops, the plaintiffs’ bar will be there.

When plaintiffs’ lawyers arrive, what will they find?  They will find companies grappling with cybersecurity disclosure.  Understandably, most of the discussion about cybersecurity disclosure focuses on the SEC’s Oct. 13, 2011, “CF Disclosure Guidance: Topic No. 2” (“guidance”) and the notorious failure of companies to disclose much about cybersecurity, which has resulted in a call for further SEC action by Sen. Rockefeller and follow-up by the SEC, including an SEC Cybersecurity Roundtable on March 24, 2014.  But, as the SEC noted in the guidance, and Chair White reiterated in October 2013, the guidance does not define companies’ disclosure obligations.  Instead, disclosure is governed by the general duty not to mislead, along with more specific disclosure obligations that apply to specific types of required disclosures.

Indeed, plaintiffs’ lawyers will not even need to mention the guidance to challenge statements allegedly made false or misleading by cybersecurity problems. Various types of statements — from statements about the company’s business operations (which could be imperiled by inadequate cybersecurity), to statements about the company’s financial metrics (which could be rendered false or misleading by lower revenues and higher costs associated with cybersecurity problems), to internal controls and related CEO and CFO certifications, to risk factors themselves (which could warn against risks that have already materialized) — could be subject to challenge in the wake of a cybersecurity breach.

Plaintiffs will allege that the challenged statements were misleading because they omitted facts about cybersecurity (whether or not subject to disclosure under the guidance). In some cases, this allegation will require little more than coupling a statement with the omitted facts. In cybersecurity cases, plaintiffs will have greater ability to learn the omitted facts than in other cases, as a result of breach notification requirements, privacy litigation and government scrutiny, to name a few avenues. The law, of course, requires more than simply coupling the statement and omitted facts; plaintiffs must explain in detail why the challenged statement was misleading, not just incomplete, and companies can defend the statement in the context of all of their disclosures. But in cybersecurity cases, plaintiffs will have more to work with than in many other types of cases.

Pleading scienter likely will be easier for plaintiffs, as well. With increased emphasis on cybersecurity oversight at the senior officer (and board) level, a CEO or CFO will have difficulty (factually and in terms of good governance) suggesting that she didn’t know, at some level, about the omitted facts that made the challenged statements misleading. That doesn’t mean that companies won’t be able to contest scienter. Knowledge of omitted facts isn’t the test for scienter; the test is intent to mislead purchasers of securities. However, this important distinction is often overlooked in practice.  Companies will also be able to argue that they didn’t disclose certain cybersecurity matters because, as the guidance contemplates, some cybersecurity disclosures can compromise cybersecurity. This is a proper argument for a motion to dismiss, as an innocent inference under Tellabs, but it may feel too “factual” for some judges to credit at the motion to dismiss stage.

As this analytic overview shows, cybersecurity securities class actions, on the whole, likely will be virulent. Companies, of course, are talking about cybersecurity risks in their boardrooms — and they should also think about how to discuss those risks with their investors. The best way for companies to lower their risk profile is to start to address this issue now, by thinking about cybersecurity in connection with all of their key disclosures, and enhancing their disclosures as appropriate.

Perfection and prescience are not required. Effort matters most. Companies that don’t even try will stand out. As I’ve written in the context of the Reform Act’s Safe Harbor for forward-looking statements, judges are skeptical of companies whose risk factors remain static over time, and look favorably on companies that appear to try to draft meaningful risk factors. I thus construct a defense of forward-looking statements by emphasizing, to the extent I can, ways in which the company’s risk disclosures evolved, and were tailored and focused. I predict that the same approach will prove effective in cybersecurity cases.