By Jacquelyn Lumb
The Practising Law Institute’s corporate governance conference featured panel discussions on the responsibilities of directors serving on compensation, audit, nominating, and governance committees. Panelists also addressed the upcoming proxy season and the status of proxy access initiatives. Lara Mehraban, the SEC’s New York regional director, talked about developments in enforcement involving boards of directors. Cases against directors are rare, she said, because most embrace their responsibilities. When the SEC has brought an action, it is because the director either participated in the fraud or turned a blind eye to obvious red flags.
Enforcement. Mehraban cited, as an example, the recent action against 11 Superior Bank officers and directors for concealing the extent of loan losses during the financial crisis. Nine of the officers and directors agreed to settle the SEC’s charges. She also mentioned the 2014 action against Agfeed Industries, in which the SEC charged the audit committee chair for delaying disclosure about an accounting fraud of which he had become aware.
Areas that present heightened enforcement risk include internal controls and cybersecurity, according to Mehraban. She pointed to cases against Steinmart in September 2015 for the improper valuation of inventory and inadequate internal accounting controls, and against JDA Software Group in 2014 for materially misstating its revenue, net income, and other financial metrics due to inadequate internal controls surrounding revenue recognition.
Cybersecurity. The panelists discussed whether cybersecurity should be moved away from auditing committees since they already have so many responsibilities that fall under their jurisdiction. Former Corporation Finance Director Meredith Cross, a partner at Wilmer Cutler and a co-chair of the PLI program, said the audit committee could hand it off but it could not forget about the issue. Former SEC Chair Harvey Pitt, the CEO of Kalorama Partners, added that it is not possible to form a separate committee for every issue, but cybersecurity may be a better fit for the compliance or risk management committees.
The panelists agreed that an audit of a company’s cyber efforts was a good idea, particularly in the financial services and health care industries, which have been key targets for cyber attacks.
Addressing wrongdoing. Pitt talked about boards’ responses to allegations of wrongdoing. He said boards should demand to know if a company has been served with a subpoena. The board needs to be assertive. For example, he said that management and defense counsel may see no need for an internal investigation out of concern about protecting certain documents, but directors want to salvage the company. He warned that government inquiries must be given credence.
Pitt also noted that when allegations of misconduct come from a whistleblower, many companies and directors write it off as a complaint by a disgruntled employee. However, he said they must consider whether the issue is valid and deal with the motivation behind it later. The company’s general counsel may be able to conduct the investigation, but Pitt said a company may want an independent party to oversee the investigation so the company can defend itself if someone says it was not a valid inquiry. Many companies start by being dismissive about allegations against someone who is considered a “good guy,” he noted.
Pitt was asked whether a person who was involved in misconduct, but was retained by the company, should see an impact on his or her incentive compensation. If a company places a premium on compliance, Pitt said even minor acts should not be ignored and there should be some consequence. He said that compensation is one of the best places to make the point that even minor violations have consequences.