Trending Oversight Topics
Governance Surveys
Center for Inclusive Governance
A Call for Transparency Amid a Shifting Legal and Regulatory Landscape
05/03/2023
The increasing complexity of the legal and regulatory landscape is challenging the board’s fiduciary duties of care and loyalty. Emerging trends ushering in a call for fairness and transparency are of paramount importance to directors as they underpin board oversight and governance.
Duty of care requires directors to make decisions pursuant to the corporation’s interests with the diligence and prudence expected of a reasonable person in similar circumstances. Duty of loyalty requires directors to place the company’s and shareholders’ interests before their own. These responsibilities entail setting appropriate expectations with investors and other stakeholders and reporting the company’s progress toward meeting those expectations in a fair and transparent manner. Done well, these actions engender confidence and trust in the marketplace.
The discussion below highlights examples of a shifting legal and regulatory landscape. It offers diagnostic questions that underscore a vital message for corporate directors: trust is an essential element of an organization’s success and reputation.
As stakeholder expectations and reliance on voluntary and obligatory disclosures increase, there are signs that legislators, regulators, and the plaintiffs’ bar are gearing up for action. The following are 10 trends contributing to a shifting legal and regulatory landscape. Some of these trends are interrelated. Their relative importance will vary by company depending on the industry, facts, and circumstances.
-
Heightened regulatory scrutiny and enforcement. The US Securities and Exchange Commission’s (SEC) Climate and ESG Task Force in the Division of Enforcement and the European Union’s (EU) Corporate Sustainability Reporting Directive increase scrutiny and the enforcement of environmental, social, and governance (ESG) representations in public filings and sales and marketing materials, increasing the likelihood of the exposure of misleading, inconsistent, or inaccurate ESG representations.
-
Mandatory cybersecurity disclosures. The SEC’s proposed cybersecurity disclosure rules express and imply various registrant obligations by drawing attention to consumer data protection; according to the SEC, the rules would benefit investors by “providing greater transparency” regarding the registrant’s strategies and actions to manage relevant cyber threats. They also impact 8-K filings, incorporating a process for materiality analysis that potentially serves as a basis for civil litigation.
-
Increasing number of shareholder derivative suits. Earlier this year, shareholders of a major oil company filed suit alleging that the company’s directors were personally liable for its failure to set meaningful emissions targets. In addition, numerous workplace safety, diversity and inclusion, and employee discrimination shareholder suits have been filed for fiduciary breaches of duty (loyalty and oversight), some of which allege false and misleading disclosures regarding board diversity. This activism is expected to continue.
-
Evolution of the Caremark standard. In 2019 and 2020, four decisions regarding Caremark claims survived motions to dismiss. In one case, the Supreme Court of Delaware concluded that the facts set forth in the complaint created “a reasonable inference that the directors consciously failed to… [ensure] a reasonable information and reporting system existed.” Thus, the burden of proof can be met by plaintiffs if the board doesn’t take necessary steps. The recent Delaware Court of Chancery decision to deny a motion to dismiss a shareholder derivative suit against a company officer defendant also sends a message that the duty of loyalty under the Caremark standard applies to corporate officers as well.
-
Escalating books and records exposure. In a 2021 case, books and records demands under 8 Del. C. § 220 were used by the plaintiff as the basis for conducting pre-complaint discovery to obtain the necessary facts to support a Caremark claim. This case could set a precedent for future discovery efforts by plaintiffs attempting to hold directors personally liable on a wide range of director oversight obligations.
-
Expanded disclosures to investors. Institutional investors, asset managers, and proxy advisory firms have emerged as de facto standard-setters as they use ESG to screen investments and evaluate corporate performance. These developments have increased the importance of fair and transparent sustainability reporting.
-
Increased focus on disclosure controls. The SEC’s recent $35 million settlement with a video game publisher piggybacked a charge of failure to maintain proper disclosure controls onto the commission’s enforcement action over alleged mishandling of employee harassment complaints and workplace misconduct. Currently, there are developments in the market in favor of segmenting the controls underlying ESG reporting, labeling them as internal control over sustainability reporting (ICSR), which would further spotlight their importance to investors, regulators, and the plaintiffs’ bar.
-
Proliferating data privacy regulations. This is a well-known trend as legislation modeled after the EU’s groundbreaking General Data Protection Regulation continues to evolve in various states and in countries around the world to assure consumers that their personal information remains private. The large fines assessed in recent years suggest that regulators are increasing their focus on organizations that fail to comply, making the protection of individual rights and corporate data governance imperatives.
-
Rising importance of directors’ and officers’ (D&O) risk insurance. Risk insurance, coupled with improved risk predictors, assumes greater importance as expanded disclosure requirements and the related D&O exposures proliferate through enforcement, civil litigation, and shareholder suits.
-
Supply chain-related representations. Scope 3 emission disclosures will be a game changer for supply chain relationships as issuers will be required to disclose emissions by those activities for which they are indirectly responsible both upstream and downstream in the value chain. Issuers should expect increased regulatory and vendor and customer ecosystem attention to reducing—with emphasis on discontinuing—reliance on high-emitting suppliers.
While the trends highlighted above present potential minefields for corporate directors and the companies they serve, there are actions boards can take to shore up their governance and oversight. The following are suggested questions that boards may find useful to ask when crafting a road map for effective governance and oversight.
Fairness and Transparency in ESG Strategy and Reporting
-
Is the company’s ESG strategy, including net-zero emissions transition plans, credible and realistic? How reliable is the company’s methodology for measuring, tracking, and reporting its greenhouse gas emissions? Is management satisfied that emissions data are suitable to support public disclosures?
-
What is the company’s confidence level that it can deliver on the sustainability goals and targets it communicates to the public?
Litigation Matters
-
Based on recent enforcement and regulatory and litigation trends affecting the board’s ESG oversight, what are the specific requirements for directors to avoid personal liability? Is the expertise of the board and senior executives aligned with the ESG risks facing the organization?
-
Is the company prepared to respond to large-scale litigation and the related enterprisewide document requests? To that end, has an assessment been performed addressing topics such as these:
-
Legal data collection readiness testing to evaluate preparedness for pre-complaint discovery
-
The process for identifying and managing ESG-related risks
-
Lessons learned from recent ESG shareholder litigation relative to board oversight approach and actions
-
A formal litigation response team with the competency and resources to respond appropriately in accordance with applicable legal requirements
-
Policies for informing the board when litigation commences or is reasonably expected
-
Protocols to address pre-litigation discovery under books and records requests, including legal holds—the process by which an organization preserves potentially relevant information when litigation is either pending or reasonably anticipated—and policies for limiting the scope of discoverable books and records
-
-
Should the company engage a third-party review of potential shareholder exposure? Should assessments of the ESG strategy, performance monitoring, and disclosure process be subject to legal privilege to preempt third parties from obtaining access to the confidential results?
-
To what extent will D&O insurers scrutinize corporate governance policies, stock price volatility, reporting practices, activist shareholder risk, and other factors when assessing litigation exposure during the underwriting process? Would proactive reviews or audits of ESG compliance facilitate preferred or more attractive, cost-effective coverage? Would assessing risk reduce downstream risk (litigation or regulatory sanctions) and, correspondingly, result in lower insurance premiums?
Disclosure Matters
-
What are management’s protocols for reviewing corporate disclosures and representations prior to publication? How should the company balance its desire to showcase its sustainability commitments with increased exposure to litigation risk? Are there steps that would limit exposure to greenwashing accusations in light of recent litigation claims and SEC and other, non-US regulatory investigations?
-
Has the company reviewed the disclosures in the annual report (10-K in the United States), proxy materials, website content, marketing collateral, and sustainability reports for consistency?
-
Is there a periodic assessment of the design and operating effectiveness of ICSR by qualified, objective evaluators, including the internal audit function? If there are areas to improve the design or execution of ICSR, are steps taken to address them on a timely basis?
Cybersecurity, Data Privacy, and Supply Chain Matters
-
Does management have a documented process for identifying and managing cybersecurity risks? Does the company access the Cybersecurity and Infrastructure Security Agency threat landscape database and advisories to facilitate improvements to cybersecurity infrastructure?
-
Does the company have in place privacy and data protection risk management processes to facilitate alignment with proliferating global and state requirements as well as accurate, transparent, and timely disclosures?
-
How will the company address the disclosures required in its annual reports, including its policies and procedures to identify and manage cyber risks and the board and management’s related cybersecurity expertise?
-
What are the board-level considerations in assuming, transferring, or mitigating legal risk with the company’s contractual partners, including under applicable country- and state-specific data-sharing obligations? When was the last time corporate third-party contracts were reviewed in light of recent ESG developments?
As noted earlier, this conversation is about building trust in the marketplace. Trust is earned through setting and articulating credible goals and strategies, establishing accountability for results, and emphasizing fairness and transparency in market-facing communications. These are the ultimate mechanisms for navigating the changing legal and regulatory environment successfully. The rise of stakeholder capitalism makes it important for boards to prioritize building and maintaining trust in their decision-making and communications with management.
Jim DeLoach is managing director of Protiviti. DeLoach is the author of several books and a frequent contributor to NACD Directorship Online.