Category Archives: Directors & Officers

January Surprise: Court Ruling on Post-Employment Restrictive Covenants in Delaware

by Jeremy Ben Merkelson, James K. Goldfarb, Travis J. Distaso, and Gerald Stein

From left to right: Jeremy Ben Merkelson, James K. Goldfarb, Gerald Stein, and Travis J. Distaso (photos courtesy of Davis Wright Tremaine LLP)

Equity and capital forfeiture for competition provisions given less scrutiny than other post-employment restrictive covenants

Companies subject to Delaware law were handed a welcome surprise in a recent Delaware Supreme Court decision bolstering the enforceability of certain post-employment restrictive covenants. The provisions at issue are so-called “forfeiture for competition” provisions. They condition post-employment equity interests, distributions, return of capital, or other benefits upon a departing employee’s continuing compliance with certain post-employment restrictive covenants. Forfeiture for competition provisions frequently are at play in equity award agreements with executives and business partners. The recent decision provides an alternative avenue for securing post-employment restrictive covenants when traditional non-competes may otherwise be unenforceable.

Crossing a New Threshold for Material Cybersecurity Incident Reporting

by Helena K. Grannis, Rahul Mukhi, Jonathan S. Kolodner, Tom Bednar, Nina E. Bell, and James P. Abate

Helena K. Grannis, Rahul Mukhi, Jonathan S. Kolodner, Tom Bednar, Nina E. Bell, and James P. Abate (photos courtesy of Cleary Gottlieb Steen & Hamilton LLP)

In July 2023, the U.S. Securities and Exchange Commission (SEC) adopted final rules to enhance and standardize disclosure requirements related to cybersecurity. In order to comply with the new reporting requirements of the rules, companies will need to make ongoing materiality determinations with respect to cybersecurity incidents and series of related incidents. The inherent nature of cybersecurity incidents, which are often initially characterized by a high degree of uncertainty around scope and impact, and an SEC that is laser-focused on cybersecurity from both a disclosure and enforcement perspective, combine to present registrants and their boards of directors with a novel set of challenges heading into 2024.

Boards of Directors Lovin’ It after McDonald’s? A Fresh Look at Directors’ Duty of Oversight in the New Era of Sanctions & Export Control Corporate Enforcement

by Brent Carlson and Michael Huneke

From left to right: Brent Carlson and Michael Huneke (Photos courtesy of authors)

In this era of heightened geopolitical tensions with a renewed focus on national security, a perfect storm of liability risk is brewing for boards of directors.

Sanctions and export controls violations can be costly and dangerous, with multi-billion-dollar fines and jail sentences imposed in 2023.

For companies engaged in international trade, these events engage directors’ fiduciary duties. Looking to bellwether Delaware corporate law, Delaware’s Chancery Court recently reiterated in the McDonald’s shareholder litigation that directors’ Caremark duty of oversight is a function of their duty of loyalty. As such, this reinforces the limits of the protections directors would otherwise have if it were instead a function of the duty of care—under both the business judgment rule and “exculpation,” i.e., the option corporations have to excuse in their certificates of incorporation directors’ liability for breaches of their duty of care (but not of loyalty).[1] Directors’ duty of oversight further requires ensuring that they receive information regarding any “central compliance risks,” not just “mission critical” risks, and that there is an appropriate response to red flags.

Looking Back at Fall 2023 PCCE Events: 3rd Annual Directors’ Academy

As we begin to prepare for a full schedule of events in 2024, starting with an event on Voluntary Self-Disclosure Policy for Export Controls Violations on January 16, 2024, the NYU School of Law Program on Corporate Compliance and Enforcement (PCCE) is taking a moment to reflect on our busy Fall 2023 program. In this post: our third annual PCCE Directors’ Academy on September 21-22, 2023.

Keynote speaker Heather Lavallee, CEO, Voya Financial, Inc. (©Hollenshead: Courtesy of NYU Photo Bureau)

Thoughts for Boards: Key Issues in Corporate Governance for 2024

by Martin Lipton, Steven A. Rosenblum, Karessa L. Cain, and Carmen X. W. Lu

From left to right: Martin Lipton, Steven A. Rosenblum, Karessa L. Cain, and Carmen X. W. Lu (Photos courtesy of Wachtell, Lipton, Rosen & Katz)

Over the past year, expectations for directors have continued to evolve, bringing new challenges and responsibilities to the boardroom.  The remarkable speed, volume and proliferation of channels through which information travels today continue to place more scrutiny on boards and heighten expectations regarding transparency and accountability.  Director reputations that have been carefully built over decades are not immune from such pressures, particularly as activist investors hunt for underperformers and revisit former targets.  The business environment has also become more complex:  macroeconomic uncertainty, geopolitical tensions, regulatory unpredictability, political polarization, culture wars, cybersecurity threats, the growth of generative AI, and energy transition are among the issues that boards are now expected to navigate.  

United States v. Calk: The Second Circuit Construes the Bank Bribery Act

by Jonathan Rusch

Photo courtesy of the author

In any U.S. bank’s anti-bribery and anti-corruption compliance program, one of the fundamental federal criminal offenses that the program must address is the Bank Bribery Act (Act), 18 U.S.C. § 215.[1]  Subsection 215(a) of the Act sets out two separate offenses:

(1) “corruptly giv[ing], offer[ing], or promis[ing] anything of value to any person, with intent to influence or reward an officer, director, employee, agent, or attorney of a financial institution in connection with any business or transaction of such institution”[2]; and

(2) “as an officer, director, employee, agent, or attorney of a financial institution, corruptly solicit[ing] or demand[ing] for the benefit of any person, or corruptly accept[ing] or agree[ing] to accept, anything of value from any person, intending to be influenced or rewarded in connection with any business or transaction of such institution.”[3]

Maximum penalties for a violation of either offense include 30 years’ imprisonment and a fine not more than $1,000,000 or three times the value of the thing given, offered, promised, solicited, demanded, accepted, or agreed to be accepted, whichever is greater.[4]

Surprisingly — given New York’s status as the world’s leading financial center[5], and the fact that section 215, with periodic revisions, has been in force for more than 75 years — the United States Court of Appeals for the Second Circuit had no occasion to construe the scope of section 215 until November 28, in United States v. Calk.[6]  This post will summarize and discuss the key elements of Calk.

Cybersecurity Pros Discuss the Implications of the NYDFS’s New Amendments to its Cybersecurity Rule

On November 17, 2023, the NYU Law Program on Corporate Compliance and Enforcement (PCCE) hosted a standing-room-only full-day conference on Security, Privacy, and Consumer Protection. The conference addressed issues such as managing effective cybersecurity and privacy compliance programs, the use of “dark patterns” to manipulate consumer choices, and whether privacy regulation and enforcement actions actually prompt firms to update their privacy policies. A full agenda of the conference, along with speaker bios, is available here. In this post, several participants from the panel titled The NYDFS Cybersecurity Rule Amendments and Their Implications for Firms Beyond the Financial Sector share further thoughts on the issue.

Left to right: Justin Herring, Matthew Levine, Cheryl James, Edward Stroz, and Alexander Southwell (Moderator) (©Hollenshead: Courtesy of NYU Photo Bureau)

Resisting Hindsight Bias: A Proposed Framework for CISO Liability

by Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, Erez Liebermann, Julie M. Riewe, Anna Moody, Andreas A. Glimenakis, and Melissa Muse

Top left to right: Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, and Erez Liebermann. Bottom left to right: Julie M. Riewe, Anna Moody, Andreas A. Glimenakis, and Melissa Muse. (Photos courtesy of Debevoise & Plimpton LLP)

On October 30, 2023, the U.S. Securities and Exchange Commission (“SEC” or “Commission”) charged SolarWinds Corporation’s (“SolarWinds” or the “Company”) chief information security officer (“CISO”) with violations of the anti-fraud provisions of the federal securities laws in connection with alleged disclosure and internal controls violations related both to the Russian cyberattack on the Company discovered in December 2020 and to alleged undisclosed weaknesses in the Company’s cybersecurity program dating back to 2018.[1] This is the first time the SEC has charged a CISO in connection with alleged violations of the federal securities laws occurring within the scope of his or her cybersecurity functions.[2] In doing so, the SEC has raised industry concerns that it intends to—with the benefit of 20/20 hindsight, but without the benefit of core cybersecurity expertise—dissect a CISO’s good-faith judgments in the aftermath of a cybersecurity incident and wield incidents to second guess the design and effectiveness of a company’s entire cybersecurity program (including as it intersects with internal accounting controls designed to identify and prevent errors or inaccuracies in financial reporting) and related disclosures and attempt to hold the CISO liable for any perceived failures.

An Ounce of Prevention is Worth a Pound of Cure . . . or an Imposed Compliance Monitorship: A Fresh Look at the DOJ’s Corporate Enforcement Toolkit Applied to Sanctions and Export Controls Enforcement

by Brent Carlson and Michael Huneke

From left to right: Brent Carlson and Michael Huneke (Photos courtesy of authors)

In our last article, we discussed the evolution of export controls penalties.[1] Beyond monetary penalties, the U.S. Department of Justice (“DOJ”) has additional items in its corporate enforcement toolkit that dramatically increase the cost of non-compliance. These include the DOJ’s new policies requiring companies to claw back or withhold executive compensation, requiring CEOs and chief compliance officers to make pre-release compliance certifications, and expanding the grounds for appointing independent compliance monitors.

Such corporate enforcement trends significantly increase the value of making front-end investments to avoid the “pound of cure.” In this post, we take a “fresh look” at these trends with an eye towards sanctions and export controls enforcement and offer practical guidance for dealing with them.

Proxy Advisory Firm Issues Guidance on Cyber Oversight and Disclosure

by Steven Haas

Steven Haas (photo courtesy of author)

Glass Lewis & Co. recently published its updated Benchmark Policy Guidelines for 2024 (the “Policy”), which reflect investors’ continuing focus on corporate disclosure and board oversight of cyber risks. The Policy indicates that Glass Lewis may recommend “against” directors following a cybersecurity incident if it finds the board’s risk oversight or its post-incident response to be insufficient. The Policy also provides guidance on what Glass Lewis expects companies to disclose after such an incident.  
