Category Archives: Corporate Governance

Cybersecurity Disclosure and Enforcement Developments and Predictions

by Francesca L. Odell, Rahul Mukhi, Tom Bednar, Nina E. Bell, and Greg Stephens


Left to right: Francesca L. Odell, Rahul Mukhi, Tom Bednar, and Nina E. Bell (Photos courtesy of Cleary Gottlieb Steen & Hamilton LLP) (Not Pictured: Greg Stephens)

The SEC pursued multiple high-profile enforcement actions in 2024, alongside issuing additional guidance around compliance with the new cybersecurity disclosure rules.

Together these developments demonstrate a continued focus by the SEC on robust disclosure frameworks for cybersecurity incidents. Public companies will need to bear these developments in mind as they continue to grapple with cybersecurity disclosure requirements going into 2025.


District Court Rules BlackRock’s Inclusion as 401(k) Investment Manager Breaches Company’s ERISA Duty of Loyalty

by Martin Lipton, David A. Katz, and Elina Tetelbaum


Left to right: Martin Lipton, David A. Katz and Elina Tetelbaum. (Photos courtesy of Wachtell, Lipton, Rosen & Katz)

The District Court for the Northern District of Texas recently ruled that a company breached its fiduciary duties under the Employee Retirement Income Security Act of 1974 (“ERISA”) for permitting BlackRock’s inclusion as an investment manager of its employees’ retirement assets in a 401(k) Plan. After a four-day bench trial, the Court found that the company failed to “loyally act solely in the retirement plan’s best financial interests by allowing their corporate interests, as well as BlackRock’s ESG interests, to influence management of the plan.”


AI Judgment Rule(s)

by Katja Langenbucher


Photo courtesy of author

In an upcoming paper, I explore whether the use of AI to enhance decision-making brings about radical change for legal doctrine or, by contrast, is just another new tool. The essay submits that we must rethink the law’s implicit assumption that (and how) humans make the decisions that corporate law regulates. If there is movement in implicit assumptions about how people make decisions, legal rules need review.

Decision-making is the cornerstone of corporate life and of keen interest to a variety of scholarly disciplines. They range from rational-actor theories over behavioral approaches to neuro-economics and psychology. The law has its own theories on decision-making. Many are normative and specify decision procedures and outcomes. In addition, the law rests on implicit theories of decision-making: A legal rule will look different if, for instance, it assumes either that decision-making follows optimal choice patterns or that heuristics and biases guide human decisions.


DOJ Releases Updated Evaluation of Corporate Compliance Programs Guidance

by Ann Sultan, John E. Davis, and Kathryn Cameron Atkinson


Left to right: Ann Sultan, John E. Davis, and Kathryn Cameron Atkinson. (Photos courtesy of Miller & Chevalier Chartered)

On September 23, 2024, in conjunction with a related speech at the Society of Corporate Compliance and Ethics (SCCE) Compliance & Ethics Institute by Principal Deputy Assistant Attorney General (PDAAG) Nicole M. Argentieri, the U.S. Department of Justice (DOJ) released an updated version of its guidance to prosecutors on the Evaluation of Corporate Compliance Programs (updated ECCP). The DOJ last updated this guidance in March 2023. View a redline comparison of the September 2024 updates to the March 2023 version here.

The DOJ’s substantive revisions for this round of updates focused primarily on using data and technology related to various compliance program elements, integrating and adapting to lessons learned from other companies, and reporting. As PDAAG Argentieri noted, the DOJ “regularly evaluate[s] our policies and enforcement tools, including the ECCP, to account for changing circumstances and new risks.”


Takeaways from the Dismissal of Most of the Government’s Case Against the SolarWinds CISO

by Ilona Cohen


Photo courtesy of the author

Last year, the government filed a landmark lawsuit alleging that SolarWinds and its Chief Information Security Officer (CISO) misled the public about the company’s cybersecurity practices before and after a major cyberattack. The charges surprised leaders in the industry and forced many companies to reevaluate their own security programs. In a recent development, however, a judge in New York dismissed most of the charges against the company and SolarWinds’ CISO, leaving many to wonder what these developments mean for them.

The case against SolarWinds was filed by the Securities and Exchange Commission (SEC), a government agency that has interpreted its authority broadly to regulate publicly traded companies. The court did not agree with the SEC’s use of that authority in key respects and dismissed allegations that the statements in SolarWinds’ press releases, blog posts, podcasts, and certain SEC filings, misrepresented the company’s cybersecurity risks and controls.


Treasury’s Report on AI (Part 2) – Managing AI-Specific Cybersecurity Risks in the Financial Sector

by Avi Gesser, Erez Liebermann, Matt Kelly, Jackie Dorward, and Joshua A. Goland


Top: Avi Gesser, Erez Liebermann, and Matt Kelly. Bottom: Jackie Dorward and Joshua A. Goland (Photos courtesy of Debevoise & Plimpton LLP)

This is the second post in the two-part Debevoise Data Blog series covering the U.S. Treasury Department’s report on Managing Artificial Intelligence-Specific Cybersecurity Risks in the Financial Services Sector (the “Report”).

In Part 1, we addressed the Report’s coverage of the state of AI regulation and best practices recommendations for AI risk management and governance. In Part 2, we review the Report’s assessment of AI-enhanced cybersecurity risks, as well as the risks of attacks against AI systems, and offer guidance on how financial institutions can respond to both types of risks.


BlackRock’s Voting Choice Program Expands to Accommodate Diverging Client Priorities with More Tailored Voting Guidelines

by Adam O. Emmerich, David A. Katz, Karessa L. Cain, Elina Tetelbaum, and Carmen X. W. Lu


Left to right: Adam O. Emmerich, David A. Katz, Karessa L. Cain, Elina Tetelbaum and Carmen X. W. Lu. (Photos courtesy of Wachtell, Lipton, Rosen & Katz)

In recent years, one of the most significant developments in corporate governance has been the adoption and expansion of voting choice programs by the largest institutional investors.  Such changes have come in response to growing scrutiny and pressure from asset owners and regulators with diametrically opposed and fervently held views on the role of environmental and social issues such as climate change and diversity, equity and inclusion (DEI) in investment decisions.  In furtherance of this trend, BlackRock has now adopted separate voting guidelines tailored towards specific funds and investors.

Early this month, BlackRock released climate and decarbonization stewardship guidelines for its funds with explicit decarbonization or climate-related investment objectives or other funds where clients have instructed BlackRock to apply these guidelines to their holdings. These new guidelines will supplement BlackRock’s benchmark policies applicable to all assets under management and will focus attention on how companies have aligned their business model and strategies to meet the goals of the Paris Agreement. A total of 83 funds with $150 billion of combined assets are expected to be covered by the new guidelines. BlackRock has indicated that it will apply the guidelines to those companies held by covered funds and clients who have opted into the guidelines and that produce goods and services that “contribute to real world decarbonization,” have a “carbon intensive business model” or face “outsized impacts from the low carbon transition,” based on their Scopes 1, 2, and 3 greenhouse gas emissions.


Incident Response Plans Are Now Accounting Controls? SEC Brings First-Ever Settled Cybersecurity Internal Controls Charges

by Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, Erez Liebermann, Benjamin R. Pedersen, Julie M. Riewe, Matt Kelly, and Anna Moody


Top left to right: Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky and Erez Liebermann. Bottom left to right: Benjamin R. Pedersen, Julie M. Riewe, Matt Kelly and Anna Moody. (Photos courtesy of Debevoise & Plimpton LLP)

In an unprecedented settlement, on June 18, 2024, the U.S. Securities & Exchange Commission (the “SEC”) announced that communications and marketing provider R.R. Donnelley & Sons Co. (“RRD”) agreed to pay approximately $2.1 million to resolve charges arising out of its response to a 2021 ransomware attack. According to the SEC, RRD’s response to the attack revealed deficiencies in its cybersecurity policies and procedures and related disclosure controls. Specifically, in addition to asserting that RRD had failed to gather and review information about the incident for potential disclosure on a timely basis, the SEC alleged that RRD had failed to implement a “system of cybersecurity-related internal accounting controls” to provide reasonable assurances that access to the company’s assets—namely, its information technology systems and networks—was permitted only with management’s authorization. In particular, the SEC alleged that RRD failed to properly instruct the firm responsible for managing its cybersecurity alerts on how to prioritize such alerts, and then failed to act upon the incoming alerts from this firm.


European Union Finally Adopts Corporate Sustainability Due Diligence Directive

by Samantha Rowe, Patricia Volhard, Jin-Hyuk Jang, John Young, Ulysses Smith, Jesse Hope, Harry Just, and Andrew Lee


Top left to right: Samantha Rowe, Patricia Volhard, Jin-Hyuk Jang and John Young. Bottom left to right: Ulysses Smith, Jesse Hope, Harry Just and Andrew Lee. (Photos courtesy of Debevoise & Plimpton LLP)

On 24 May 2024, the European Council (the “Council”) formally adopted the Corporate Sustainability Due Diligence Directive (the “CSDDD” or the “Directive”). The regime introduces human rights, environmental and governance due diligence obligations for in-scope companies’ and their subsidiaries’ operations, and for their “chain of activities”, meaning companies’ supply and distribution chains.


The Need to Integrate Externalities, Market Failures, and Collective Action Problems in Antitrust Analysis—Thoughts on the US House Judiciary Committee Report on ESG Investigation and the Rebuttal Report

by Maurits Dolmans


Photo courtesy of Cleary Gottlieb Steen & Hamilton LLP.

On June 11, 2024, the US House Judiciary Committee released an interim staff report titled “Climate Control: Exposing the Decarbonization Collusion in Environmental, Social and Governance (ESG) Investing” (the “Majority Report”). This was followed by a hearing by the House Judiciary Committee on June 12.

The Majority Report contains strongly worded conclusions. It argues that a “‘climate cartel’ of left-wing environmental activists and major financial institutions has colluded to force American companies to ‘decarbonize’ and reach ‘net zero.’” Organizations like Climate Action 100+, Ceres, CalPERS, and Arjuna, for instance, allegedly “declared war on the American way of life,” to limit how Americans “drive, fly, and eat.” They did this “by forcing corporations to disclose their carbon emissions, to reduce their carbon emissions, and … handcuffing company leadership and muzzling corporate free speech and petitioning.” Employing nice alliteration, it is said they “collude to kill carbon.” It is suggested that corporate compliance with the goals of the Paris Agreement raises prices to American consumers, ignoring the OPEC+ output reductions, the wars in Ukraine and the Middle East, and the Houthi attacks on shipping, but also the long-term costs of climate change, the findings of the International Energy Agency that no new fossil fuel development is needed to meet current and expected demand, and that renewables and nuclear energy are increasingly cheaper than fossil fuels. The Majority Report boasts of the effect of antitrust threats in causing firms to shy away from cooperation to mitigate the climate risk.
