Global Crisis Management: Reflections On 2018 and Thinking Ahead, From the Board’s Perspective
January 16, 2019
Fueled by a steady stream of corporate scandals leading up to and coming out of the financial crisis, in 2018, the focus for senior management and boards of directors at a number of major global firms was on crisis management.
High-profile examples are many, as are examples of companies’ responses to a crisis itself becoming a story: from the entertainment industry’s reaction to the Harvey Weinstein revelations and the continuous bumbling of corporate responses to #MeToo allegations to delays in reactions to and disclosure of personal data breaches at a long list of companies ranging from retailers to airlines, 2018 illustrated that it is not just the event, but often the response to the event, that matters most. Recent prominent post-mortems of how companies respond to crises, however, also provide useful guidance for directors and management on how to prepare to ultimately face a crisis.
For boards of directors, ensuring that the company is ready to respond to a crisis requires an ongoing and robust commitment to understanding the challenges the company faces, ensuring that the company has in place adequate procedures for surfacing potential issues of concern before they develop into crises, and challenging management on crisis response plans before a crisis emerges. Boards should ensure that management is practicing for crisis response, including running tabletop exercises on topics of major concern to the company. Those exercises should include drafting press statements and having professionals test those statements.
One important area of focus for all companies should be the plan to respond to whistleblower complaints. Whistleblower complaints, both internal and to regulators, continue to be a primary driver of enforcement action. Because whistleblower complaints can be and often are made confidentially, they can lead to a company finding itself in a full-blown crisis with little warning. Whistleblower complaints to the SEC have continued a multi-year climb from 334 in 2011 to more than 5,200 in 2018. Notably, while accounting-related complaints continue to be prominent, the most significant category of SEC whistleblower complaints in 2018 was “Other.”[1] Having in place clear and effective policies and practices to respond to whistleblower complaints and, importantly, avoiding the appearance of retaliation against whistleblowers should be at the top of every board’s crisis management agenda.
Credible and substantiated allegations of sexual harassment against the powerful and the prominent catapulted the #MeToo movement into the board room. Activist shareholders and plaintiffs’ lawyers have increasingly targeted boards and board members for failing to adequately respond to “red flags” concerning misconduct of senior executives and misuse of corporate funds to pay victim settlements and alleged harassers. In February 2018, the Delaware Chancery Court approved a $90 million settlement with the board and certain officers of 21st Century Fox, to be paid by the company’s D&O insurance, resolving such claims related to conduct by Roger Ailes and Bill O’Reilly.[2] A similar matter is pending against the board of Wynn Resorts for the alleged conduct of its former CEO.
For boards, the important lesson of the last year is to anticipate management issues, and challenge management on its plans to address harassment allegations if they arise. For example, is the board sufficiently apprised of the terms of employment for senior executives and the options that exist for suspending or removing them? Has the company thought broadly, globally and proactively about policies and procedures regarding workplace harassment? Is the board informed about the prevalence of harassment at the company? Does corporate culture support and encourage internal reporting, and is management trusted to respond to allegations of harassment?
Cybersecurity has continued to be the instigator of crises in 2018, as in past years. The continued fallout from Yahoo!’s handling of data breaches between 2014 and 2016 illustrates how the response to a crisis – in this case, the largest corporate data breach to date – can spawn exposure on multiple fronts. In April, Altaba, the Yahoo! successor, paid $35 million to the SEC to settle allegations of failing to provide adequate disclosures of its 2014 personal data breach in its financial disclosures. That resolution followed an earlier $80 million settlement of a shareholder derivative lawsuit[3] against Yahoo!’s CEO, Chief Information Officer, and General Counsel arising from allegedly inadequate disclosures of data breaches in 2014, 2015, and 2016.[4] Finally, in October, Altaba announced it had reached a further settlement of at least $50 million with a class of users whose data had been stolen (this settlement remains subject to court approval).[5] Of these, only the recent class action settlement arises directly from the underlying issue. Inadequate responses and incomplete disclosures were the basis for almost 70% of the company’s liability to this point.
More generally, cybersecurity crises move fast, and the damage can be done in the early days. All 50 states now have laws in place requiring notification in the event of data breaches, and the SEC’s 2018 guidance on cybersecurity, released in February, both encourages timely and complete disclosure of data breaches and restates the importance of ensuring that company insiders do not trade on information concerning data breaches prior to public disclosure.[6] Similar guidance has been adopted by authorities in other jurisdictions.[7] And, critically, other stakeholders, such as customers, investors, clients and the media, expect real-time information regarding cyber-breaches. All companies should have contingency plans in place for data breaches, and those plans should include means for ensuring that disclosure of information to the public and to regulators is complete, timely and accurate.
While avoiding corporate crises remains a prime objective of boards and management, the nature of the issues that will face companies in 2019 remains uncertain. The lessons that can be drawn from the past, however, are that the companies that successfully weather corporate crises are those that respond with accurate and timely information, with decisive action, particularly where senior executives are implicated, with transparency to regulators and authorities, and with understanding of the impact that the issue may have on clients, customers and other stakeholders.
* * *
In 2018, Cleary Gottlieb published the first edition of our Global Crisis Management Handbook, a go-to guide for the legal and practical implications that frequently arise in a large-scale corporate crisis or other cross-border investigation. The Handbook is designed to be a useful, practical desk reference, and contains helpful checklists keyed to particular phases of crisis management and incident response, cross-referenced to substantive and up-to-date guidance written by Cleary Gottlieb lawyers around the world. The Handbook is available to download here.
[1] SEC Whistleblower Program, 2018 Annual Report to Congress, https://www.sec.gov/files/sec-2018-annual-report-whistleblower-program.pdf.
[2] Fox’s Unusual $90M Scandal Deal Gets Chancery’s OK, https://www.law360.com/articles/1011154/fox-s-unusual-90m-scandal-deal-gets-chancery-s-ok.
[3] https://www.sec.gov/litigation/admin/2018/33-10485.pdf
[4] In re Yahoo! Inc. Securities Litigation, No. 17 Civ. 373 (LHK) (N.D. Cal.).
[5] In re Yahoo! Customer Data Security Breach Litigation, No. 16 Md. 2752 (LHK) (N.D. Cal.).
[6] Commission Statement and Guidance on Public Company Cybersecurity Disclosures, https://www.sec.gov/rules/interp/2018/33-10459.pdf.
[7] See, e.g., https://www.clearygottlieb.com/news-and-insights/publication-listing/hong-kong-sfc-and-hkma-issue-new-guidelines-for-reducing-and-mitigating-hacking-risks.