The securities class action war is about far more than the height of the pleading hurdles plaintiffs must clear, the scorecard of motions to dismiss won and lost, or median settlement amounts.  It is a fight for strategic positioning—about achieving a system of securities litigation that sets up one side or the other to win more cases over the long term.  How this war plays out has real-world consequences for the people sued in securities class actions.

Defendants win a lot of battles.  The Private Securities Litigation Reform Act of 1995 was an enormous victory for the defense bar, imposing high pleading burdens on plaintiffs and establishing a safe harbor for forward-looking statements that, in Bill Lerach’s famous words, gives defendants “license to lie.”  The rate of dismissal is markedly higher than the dismissal rate in other types of complex federal litigation.  And cases that survive motions to dismiss typically settle for predictable amounts.

But despite their success in battle, defendants are losing the war.  The root of the problem is the defense side’s lack of a centralized command, which creates a mismatch in expertise, experience, and efficiency.

  • While the plaintiffs’ bar is relatively small, with about a dozen firms that dominate, the defense bar is highly splintered, comprising many dozens of firms that can credibly pitch a case, with multiple possible lead partners within each firm—some qualified and some, frankly, not qualified.  As a result, the average plaintiffs’ partner is many times more experienced than the average defense partner.
  • While the plaintiffs’ bar’s specialized composition and small size yield a unified approach, the splintered nature of the defense bar makes this impossible for defendants.
  • While the defense bar has achieved significant legislative and judicial success, it has come with costly collateral consequences.
  • While the plaintiffs’ bar’s contingent-fee structure incentivizes efficiency, the defense bar is wildly inefficient due to hourly billing and the view that D&O insurance reimbursement is “free money.”  This penalizes the defense firms’ clients—both in individual cases and on the whole—by leaving less insurance money for a vigorous defense and settlement.

How can the defense bar approximate the plaintiffs’ bar’s advantages?  Given the competitive legal environment and large-firm economics, the defense bar can’t achieve a centralized command on its own.  The only way to do so is to give greater control to D&O insurers, the player with the greatest economic and strategic stake in both individual cases and on the whole.

Winning the securities litigation war isn’t an abstraction or a dispute about allocation of money between law firms and insurance companies. It’s about the safety and comfort of real people who face securities litigation.  At the core of every securities case are people accused of doing something wrong—not just directors and officers, but also hard-working company employees who find themselves at the center of a securities suit.  Just the idea of securities class actions makes businesspeople uncomfortable.

So the most fundamental question we on the defense side must ask ourselves is: how does the system of securities litigation defense position directors and officers to withstand securities litigation safely and comfortably?

To state the obvious, defendants are entitled to a system that allows them a fair fight with sufficient insurance resources.

I have divided this analysis into three blog posts.  In this post (Part I), I explain how and why the plaintiffs’ bar is stronger than ever.  In my next post (Part II), I’ll analyze the current state of the defense bar and explain why defendants are losing the war despite winning many battles.  In the last post (Part III), I’ll explain why and how the solution to solving the current mismatch between counsel for plaintiffs and defendants lies in giving D&O insurers greater control of securities class action defense.

Part I: The Plaintiffs’ Bar Is Back—and Better than Ever

When I was a young lawyer, most of my cases were against Milberg Weiss Bershad Hynes & Lerach.  I still remember the San Diego office’s phone number by heart (619-231-1058)—remember when we had to call people to communicate with them?  Of course, there were several other strong plaintiffs’ firms and prominent lawyers, including some of my favorite lawyers in the plaintiffs’ bar—though from my vantage point, Lerach and Weiss loomed large.

The downfall of Lerach and Weiss is well-known, so I won’t recount it here.  Many defense lawyers still discuss it with odd glee.  To me, it was sad and unfortunate.  My direct contacts with them made huge impressions on me.  For example, one of Bill Lerach’s oral arguments remains the most impressive advocacy I’ve ever witnessed.  And I’ll always remember the throng of defense lawyers at the first IPO Securities Litigation hearing turning to watch Mel Weiss enter the Daniel Patrick Moynihan U.S. Courthouse Ceremonial Courtroom, on September 7, 2001.

Lerach and Weiss helped shape and police our system of disclosure and governance, and our markets, corporate governance, and retirement savings are better off for it.  I believe that most public company disclosure deciders see the image of Bill Lerach when they decide whether or not to disclose something.

So their exit naturally left a void in the plaintiffs’ bar.  But a remarkable thing has happened: their protégés, who are my contemporaries and counterparts—as well as other senior plaintiffs’ lawyers and their protégés, plus some new entrants into the plaintiffs’ securities class action market, described below—have not only filled the gap, but have bolstered the bar.  The plaintiffs’ bar is now back, and better than ever.

Looking back, several things converged to cause this.  The first was the stock options backdating scandal, which began with a study by University of Iowa professor Eric Lie that showed an unusually large number of stock option grants to executives at stock price lows.  Since few of the companies exposed in the scandal suffered stock-price drops, the vast majority of the dozens of options cases were filed as shareholder derivative claims, on behalf of the company, alleging breaches of fiduciary duty and proxy-statement misstatements.

At the time, the most prolific securities class action firm was Coughlin Stoia Geller Rudman & Robbins, the successor of Bill Lerach’s firm and the predecessor of Robbins Geller Rudman & Dowd.  If they filed a derivative suit on behalf of a company, it meant they could not sue the company in a securities class action.  For this simple reason, many people, including me, did not think they would file many options backdating derivative cases.

But they did—and they filed a lot of them.  Not only did they file a lot of them, they defeated motions to dismiss and achieved settlements involving unprecedented types of corporate governance reforms and plaintiffs’ attorneys’ fee awards.  Their large fee awards increased the fee awards of smaller plaintiffs’ firms.  By the time they were finished, the plaintiffs’ firms that filed options backdating cases made a mint.

Then, toward the end of the options backdating scandal, the credit crisis happened and started a new wave of shareholder litigation, this time both securities class actions and shareholder derivative actions.  The plaintiffs’ bar had a war chest and was ready for battle.  The larger plaintiffs’ firms won lead plaintiff roles in the mega securities class actions and also represented plaintiffs in large individual actions.

While that was going on, the Chinese reverse-merger scandal happened.  That created a new breed of securities class action plaintiffs’ firms.  Historically, the Reform Act’s lead plaintiff provisions incentivized plaintiffs’ firms to recruit institutional investors to serve as plaintiffs.  For the most part, institutional investors have retained the larger plaintiffs’ firms, and smaller plaintiffs’ firms have been left with individual investor clients who usually can’t beat out institutions for the lead-plaintiff role.  At the same time, securities class action economics tightened in all but the largest cases, placing a premium on experience, efficiency, and scale.  As a result, larger firms filed the lion’s share of the cases, and smaller plaintiffs’ firms were unable to compete effectively for the lead plaintiff role, or make much money on their litigation investments.

The China cases changed this dynamic.  Smaller plaintiffs’ firms initiated the lion’s share of them, as the larger firms were swamped with credit-crisis cases and likely were deterred by the relatively small damages, potentially high discovery costs, and uncertain insurance and company financial resources.  Moreover, these cases fit smaller firms’ capabilities well; nearly all of the cases had “lawsuit blueprints” such as auditor resignations and/or short-seller reports, thereby reducing the smaller firms’ investigative costs and increasing their likelihood of surviving a motion to dismiss (and thus reducing the likelihood of dismissal and no recovery).  The dismissal rate was indeed low, and limited insurance and company resources prompted early settlements in amounts that, while on the low side, yielded good outcomes for the smaller plaintiffs’ firms.

With these recoveries, these firms built up momentum that kept them going even after the wave of China cases subsided.  For the last several years, following almost every “lawsuit blueprint” announcement, a smaller firm has launched an “investigation” of the company, and they have initiated an increasing number of cases.  Like the China cases, these cases tend to be against smaller companies.  Thus, smaller plaintiffs’ firms have discovered a class of cases—cases against smaller companies that have suffered well-publicized problems (reducing the plaintiffs’ firms’ investigative costs) for which they can win the lead plaintiff role and that they can prosecute at a sufficient profit margin.

As smaller firms have gained further momentum, they have expanded the cases they initiate beyond “lawsuit blueprint” cases—and they continue to initiate and win lead-plaintiff contests primarily in cases against smaller companies brought by retail investors.  The securities litigation landscape now clearly consists of a combination of two different types of cases: smaller cases brought by a set of smaller plaintiffs’ firms on behalf of retail investors, and larger cases pursued by the larger plaintiffs’ firms on behalf of institutional investors.  This change is now more than five years old, and appears to be here to stay.

Plaintiffs firms thus have us surrounded—no public company can fly under the radar anymore.  Plaintiffs’ firms of all types have made a lot of money over the past decade.  They’re now filing a record number of cases, even subtracting out the federal-court merger cases.  And on the whole, they’re strong lawyers, with some genuine superstars among them.

Yet, though expanded, the number of firms is small, with about a dozen in the core group.  This gives them the practical ability to take common strategic, economic, and legal positions—even if they don’t always see eye-to-eye or get along.

***

Next week, in Part II, I’ll analyze the current state of the defense bar and explain why defendants are losing the war despite winning key legislative and judicial battles.  And the following week, in Part III, I’ll discuss why and how giving greater control of securities class action defense to D&O insurers would solve the current mismatch between counsel for plaintiffs and defendants.

Note:   I later published a wrap-up post in response to questions and comments I received.

The history of securities and corporate governance litigation is full of wishes about the law that we later regret (or will), or are happy were not granted.  Many of these are not obvious—and some will surprise people.  From certain case-by-case tactical decisions such as establishment of special litigation committees, to the (failed) attempt to abolish the fraud-on-the-market doctrine, to the very high standard for director liability for oversight failures, not everything that seems helpful to companies really is.

I will publish a series of blog posts on this topic over the coming months.  This month’s post discusses the Private Securities Litigation Reform Act, with a focus on two provisions: the safe harbor for forward-looking statements (“Safe Harbor”), and lead plaintiff procedures.

Overview of the Reform Act

The Reform Act was passed by the Contract-with-America Congress to address its perception that securities class actions were reflexive, lawyer-driven litigation that often asserted weak claims based on little more than a stock drop, and relied on post-litigation discovery, rather than pre-litigation investigation, to sort out the validity of the claims.  The Reform Act, among other things:

  • Imposed strict pleading standards for showing both falsity and scienter, to curtail frivolous claims by increasing the likelihood that they would be dismissed.
  • Created the Safe Harbor, to encourage companies to make forecasts and other predictions without undue fear of liability.
  • Imposed a stay of discovery until the motion-to-dismiss process is resolved, to prevent discovery fishing expeditions and to eliminate the burden of discovery for claims that do not meet the enhanced pleading standards.
  • Created procedures for selecting a lead plaintiff with a substantial financial stake in the litigation, to discourage lawyer-driven actions and the “race to the courthouse.”

Over my career as a securities litigator, I’ve seen both sides of the securities-litigation divide that the Reform Act created.  In the first part of my career, I witnessed the figurative skid marks in front of courthouses, as lawyers raced to the courthouse to file claims before knowing if there really was a claim to be filed—the emblem of the problems Congress sought to correct.  And in the 21 years since, I’ve seen the Reform Act both succeed and fail to achieve the results Congress intended.

Having lived the before and after, I would not argue that the Reform Act has not helped companies and their directors and officers.  It certainly has.  But it is a mixed bag.  Indeed, I can argue that even the heightened falsity and scienter pleading standards have caused harm.  For example, the pleading standards lead even the most prominent defense lawyers to rely heavily on the lack of words in a complaint—the securities litigation equivalent of “neener neener neener”—instead of using the complaint and judicially noticeable facts to cogently explain why the defendants didn’t say anything false, much less on purpose.

Over-reliance on the pleading standards is a strategic mistake.  The Reform Act’s standards give judges enormous discretion; they can dismiss most complaints, or not, with little room to challenge their decisions upon appeal.  Winning motions recognize the human element to this discretion.  Even if a complaint is technically deficient, judges are less likely to dismiss it (certainly less likely to dismiss it with prejudice) if they nevertheless get the feeling that the defendants committed fraud.  Effective motions use the leeway given to defendants by the Reform Act, and now the Supreme Court’s decisions in Omnicare, Inc. v. Laborers District Council Construction Industry Pension Fund, 135 S. Ct. 1318 (2015), and Tellabs, Inc. v. Makor Issues & Rights, Ltd., 551 U.S. 308 (2007), to build a robust factual record that gives judges a sense of comfort that they are not only following the law, but that by strictly applying the Reform Act’s protections, they are also serving justice.  And even if the judge doesn’t dismiss the case, he or she will leave the motion to dismiss process with a better feeling about the case going forward.  But the pleading standards can be an attractive nuisance, distracting defense lawyers from the best way to defend their clients.

The pleading standards have also spawned a sideshow of “confidential witnesses,” primarily former employees who provide plaintiffs’ lawyers with internal corporate information to help them meet the pleading standards.  In addition to raising whistleblower issues, causing fights over misuse of confidential information, and airing dirty laundry, the use of confidential witnesses has resulted in fights between plaintiffs’ lawyers and recanting witnesses requiring judicial intervention.

In one especially contentious dispute, Judge Rakoff spent a day taking testimony from recanting witnesses and a plaintiffs’ investigator, and took additional time to write an opinion commenting on this issue after the parties had settled the litigation.  He concluded his nine-page opinion as follows:

The sole purpose of this Memorandum … is to focus attention on the way in which the PSLRA and decisions like Tellabs have led plaintiffs’ counsel to rely heavily on private inquiries of confidential witnesses, and the problems this approach tends to generate for both plaintiffs and defendants.   It seems highly unlikely that Congress or the Supreme Court, in demanding a fair amount of evidentiary detail in securities class action complaints, intended to turn plaintiffs’ counsel into corporate “private eyes” who would entice naïve or disgruntled employees into gossip sessions that might support a federal lawsuit.  Nor did they likely intend to place such employees in the unenviable position of having to account to their employers for such indiscretions, whether or not their statements were accurate.  But, as it is, the combined effect of the PSLRA and cases like Tellabs are likely to make such problems endemic.

We may well see this problem as one of the underpinnings of a legislative attempt to reform the Reform Act one day.

In any event, and regardless of one’s views of the pleading standards’ overall benefits, two other Reform Act provisions certainly have grown to be problematic for public companies: the Safe Harbor, and the lead plaintiff provisions.

The Safe Harbor for Forward-Looking Statements

The Safe Harbor was a centerpiece of the Reform Act.  Lawsuits prompted by announcements of missed earnings forecasts deterred companies from giving valuable earnings guidance.  Congress sought to encourage guidance and other forward-looking statements by precluding liability if the statements were accompanied by “meaningful cautionary statements” or made without “actual knowledge” that they were false.  15 U.S.C. § 77z-2(c)(1); 15 U.S.C. § 78u-5(c)(1).

Yet the Safe Harbor is anything but safe.  In the 21 years of the Reform Act, surprisingly few dismissals are based solely the Safe Harbor; instead, courts either use it as  fallback grounds for dismissal, or just sidestep it—which has resulted in some significant legal errors.  The most notorious erroneous Safe Harbor decision was written by one of the country’s most renowned judges, Judge Frank Easterbrook, in Asher v. Baxter, 377 F.3d 727 (7th Cir. 2004).  Judge Easterbrook read into the Safe Harbor the word “the” before “important” in the phrase “identifying important factors,” to then hold that discovery was required to determine whether the company’s cautionary language contained “the (or any of the) ‘important sources of variance’” between the forecast and the actual results.  Id. at 734.

The reason for this judicial antipathy was best articulated by Bill Lerach, who famously said that the Safe Harbor would give executives a “license to lie.”  Judges have tended to agree with his conclusion.  Some have been quite explicit about it.  For example, in In re Stone & Webster, Inc. Securities Litigation, the First Circuit called the Safe Harbor a “curious statute, which grants (within limits) a license to defraud.”  414 F.3d 187, 212 (1st Cir. 2005).  And the Second Circuit, in its first decision analyzing the Safe Harbor—15 years after the Reform Act was enacted, illustrating the degree of judicial avoidance—correctly interpreted “or” to mean “or,” but stated that “Congress may wish to give further direction on …. the reference point by which we should judge whether an issuer has identified the factors that realistically could cause results to differ from projections.  May an issuer be protected by the meaningful cautionary language prong of the Safe Harbor even where his cautionary statement omitted a major risk that he knew about at the time he made the statement?”  Slayton v. American Express Co., 604 F.3d 758, 772 (2d Cir. 2010).  Probably for this reason, the Safe Harbor has not deterred plaintiffs’ counsel from continuing to bring false forecast cases.  Twenty-one years later, a great many securities class actions still focus on earnings forecasts and other forward-looking statements.

Much of this problem is self-inflicted.  We defense lawyers have worsened the judicial antipathy and reluctance to issue rulings on Safe Harbor grounds by making hyper-technical arguments that are detached from any notion that the challenged forward-looking statements aren’t false in the first place.  Most challenged forward-looking statements are true statements of opinion—an especially strong argument under the Supreme Court’s Omnicare decision—and don’t even need the Safe Harbor’s protection.  But by bypassing the falsity argument, and falling back on the Safe Harbor, defense counsel plays right into plaintiffs’ hands.  Many defense lawyers try to overcome this problem by emphasizing that Congress intended to immunize even unfair forward-looking statements, if they are accompanied by appropriate warnings.  But judges don’t like caveat emptor, and they don’t like liars—regardless of Congressional intent.  A much better way to defend forward-looking statements is to show that they were true statements of opinion and then use the Safe Harbor as a fallback argument.  It makes the judge feel comfortable dismissing the claim in either or both ways.  But few defense lawyers take that approach.

Finally, companies and their outside corporate counsel have contributed to the Safe Harbor’s lack of safety by failing to describe their risks in a fresh and detailed way each quarter.  When I evaluate a securities class action complaint that challenges forward-looking statements and other statements of opinion (which comprise nearly all securities cases), one of the first things I look for is the progression of the risk factors each quarter.  Using a chart, I read them from start to finish, just as the judge will when we create the context for our arguments against falsity and to support the application of the Safe Harbor.  Are the risk factors specific or generic?  Do they change over time or are they static?  Do the changes in the risk factors track disclosed changes in business conditions?  Etc.  But companies and their outside corporate counsel frequently devolve to boilerplate, and fail to draft careful disclosures that make a judge feel comfortable that they were trying to disclose their real risks each quarter.

Lead Plaintiff Procedures

The symbol of the pre-Reform Act era is the race to the courthouse among plaintiffs’ lawyers to file a complaint first and thus win the lead counsel role.  Congress intended the heightened pleading standards and the Safe Harbor to play a role in fixing that problem, because they are meant to incentivize plaintiffs to do more pre-filing investigation.  However, the Reform Act’s lead plaintiff provisions—which require the court to choose a lead plaintiff and lead plaintiff’s counsel after a beauty contest—undermine that goal, since only the lead plaintiff has an economic incentive to invest much time and money in an investigation.  So although the initial filer no longer has a competitive advantage by being the first plaintiff to file, the initial complaint is still routinely filed without any real investigation or worry about satisfying the pleading standards.

The lead plaintiff procedures were also designed to prevent lawyer-driven litigation, by providing that the lead plaintiff is presumptively the plaintiff with the largest financial loss—i.e., a plaintiff with “skin in the game.”  While that goal is salutary, it has spawned complex and mixed results.  The Reform Act’s lead plaintiff process incentivized plaintiffs’ firms to recruit institutional investors to serve as plaintiffs.  For the most part, institutional investors, whether smaller unions or large funds, retained the more prominent plaintiffs’ firms, and smaller plaintiffs’ firms were left with individual retail investor clients who usually can’t beat out institutions for the lead plaintiff role.  At the same time, securities class action economics tightened in all but the largest cases.  Dismissal rates under the Reform Act are pretty high, and defeating a motion to dismiss often requires significant investigative costs and intensive legal work.  And the median settlement amount of cases that survive dismissal motions is fairly low.  These dynamics placed a premium on experience, efficiency, and scale.  Larger firms filed the lion’s share of the cases, and smaller plaintiffs’ firms were unable to compete effectively for the lead plaintiff role, or make much money on their litigation investments.

But nature abhors a vacuum—here, a securities litigation system that leaves out retail investors and smaller plaintiffs’ firms.  So, it was inevitable that these alienated groups would find a way to bring securities class actions. As I’ve chronicled previously, this void started to be filled with the wave of cases against Chinese issuers in 2010.  Smaller plaintiffs’ firms initiated the lion’s share of these cases, primarily on behalf of retail investors, as the larger firms were swamped with credit-crisis cases and likely were deterred by the relatively small damages, potentially high discovery costs, and uncertain insurance and company financial resources.  Moreover, these cases fit smaller firms’ capabilities well; nearly all of the cases had “lawsuit blueprints” such as auditor resignations and/or short-seller reports, thereby reducing the smaller firms’ investigative costs and increasing their likelihood of surviving a motion to dismiss.  The dismissal rate has indeed been low, and limited insurance and company resources have prompted early settlements in amounts that, while on the low side, appear to have yielded good outcomes for the smaller plaintiffs’ firms.

With these gains in efficiency, market share, and money, these smaller plaintiffs’ firms have continued to file a large number of securities class actions on behalf of retail investors.  Like the China cases, these tend to be against smaller companies.  Thus, smaller plaintiffs’ firms have discovered a class of cases—cases against smaller companies that have suffered well-publicized problems that reduce the plaintiffs’ firms’ investigative costs—for which they can win the lead plaintiff role and that they can prosecute at a sufficient profit margin.

We now have two classes of prominent plaintiffs and plaintiffs’ firms:  larger firms with institutional investor clients, as Congress intended, and smaller plaintiffs’ firms with smaller individual clients, which Congress sought to displace.   In a sense, we’re back to where we started, but now with more aggressive institutional investors to boot.

Smaller plaintiffs’ firms’ permanent arrival on the scene has led to two sets of additional problems.

First, smaller plaintiffs’ firms have ratcheted up the number of press releases by plaintiffs’ firms seeking plaintiffs to file a securities class action.  There have always been plaintiff law firm “investigations” to try to find plaintiffs to file lawsuits, but there has been nothing short of an avalanche in recent years.  This is so for a number of reasons. Unlike larger plaintiffs’ firms that have spent 21 years cultivating institutional investor clients as the Reform Act envisioned, smaller plaintiffs’ firms generally don’t have existing attorney-client relationships with potential plaintiffs who own a wide range of securities—so they need to recruit plaintiffs for particular cases. Smaller plaintiffs’ firm successes are drawing more smaller firms into the securities class action business.  This competition is resulting in an “investigation” following nearly every negative corporate announcement.  Increasingly, this is so even if the stock price drop is relatively small—indeed, I’ve seen more investigations and subsequent securities class actions follow single-digit stock drops than ever before, likely because the of the number of smaller-firm players and the reality that a small case is better than none.  The press release process is repeated after a lawsuit is filed.  As the Reform Act requires, the first filer publishes a press release announcing the filing. Other smaller plaintiffs’ firms then publish their own announcements that a lawsuit has been filed in order to find a good lead plaintiff contestant.  Each firm publishes their own notice, and the firms then publish reminders leading up to the lead plaintiff filing deadline 60 days later.

To put it mildly, this process is a real nuisance, especially for smaller companies. Investors, employees, and other stakeholders who don’t understand this process sometimes perceive that the company is falling apart.  Dealing with their concerns can cause officers and directors to become distracted.  The result can be further deterioration of the company’s business and financial condition, and an unwarranted sell-off of the company’s stock.  This can be about more than money—for example, development of life-saving drugs can be slowed or even derailed. Obviously, none of that is good.  I doubt the plaintiffs’ lawyers themselves would disagree, but instead would say that they’re simply working under the Reform Act’s lead plaintiff procedures.

Second, the fervent competition among smaller plaintiffs’ firms is affecting the types of cases filed and settlement dynamics.  Although the smaller plaintiffs’ firms’ bread-and-butter are “lawsuit blueprint” cases that often have difficult facts, they are also filing many low-merit cases, such as challenges to earnings guidance.  At the same time, the intense competition sometimes results in more difficult and protracted litigation, meritorious or not.  There are usually other smaller plaintiffs’ firms on the scene through tag-along derivative suits or as co-lead securities class action counsel, and none of the firms wants the others to see it as a pushover for wanting to settle for an amount they’d otherwise gladly take.  That said, it’s also true that smaller plaintiffs’ firms are defeating an increasing number of motions to dismiss and can be formidable adversaries—which of course gives them greater leverage and leads to more difficult litigation to defend and resolve.

Conclusion

Although these issues won’t make the legislative agenda anytime soon, we defense lawyers can make a difference.  We can:

  • Emphasize the truth of the challenged statements through the tools the Reform Act and Supreme Court have provided, and avoid over-reliance on the Safe Harbor and pleading standards.
  • Ask courts to impose clear leadership and coordination between and among securities class action and derivative plaintiffs’ counsel.
  • Educate companies about the reasons for the frustrating flurry of press releases.

In 2015, the Private Securities Litigation Reform Act* turned twenty years old.

Over my career as a securities litigator, I’ve seen both sides of the securities-litigation divide that the Reform Act created.  In the first part of my career, I witnessed the figurative skid marks in front of courthouses, as lawyers raced to the courthouse to file claims before knowing if there really was a claim to be filed – the emblem of the problems Congress sought to correct.  And in the 20 years since, I’ve seen the Reform Act both succeed and fail to achieve the results Congress intended.

In this blog post, I assign grades to each of the Reform Act’s key provisions, and an overall grade.  The Reform Act’s successes and failures derive from an amalgam of factors, ranging from Congressional insight and oversight, to good and bad lawyering by plaintiffs’ and defense lawyers alike, to good and bad judging.  The grades I assign are necessarily based on a defense perspective, and mine at that – but I do try to be fair.

Grading the Reform Act’s Key Provisions

The Reform Act was passed by the Contract-with-America Congress to address its perception that securities class actions were reflexive, lawyer-driven litigation that often asserted weak claims based on little more than a stock drop, and relied on post-litigation discovery, rather than pre-litigation investigation, to sort out the validity of the claims.  The Reform Act, among other things:

  • Imposed strict pleading standards for showing both falsity and scienter, to curtail frivolous claims by increasing the likelihood that they would be dismissed;
  • Created a Safe Harbor for forward-looking statements, to encourage companies to make forecasts and other predictions without undue fear of liability;
  • Imposed a stay of discovery until the motion-to-dismiss process is resolved, to prevent discovery fishing expeditions and to eliminate the burden of discovery for claims that do not meet the enhanced pleading standards; and
  • Created procedures for selecting a lead plaintiff with a substantial financial stake in the litigation, to discourage lawyer-driven actions and the “race to the courthouse.”

Following are my grades for each of these provisions:

Falsity Pleading Standard – Grade: D

The Reform Act requires a plaintiff to plead the element of a false or misleading statement with particularity.  Indeed, the statute says that “if an allegation regarding the statement or omission is made on information and belief, the complaint shall state with particularity all facts on which that belief is formed.” 15 U.S.C. § 78u-4(b)(1) (emphasis added).

Yet this powerful tool is now almost a museum piece.  I don’t just mean the “all facts” part – an issue plaintiffs and defendants heavily litigated for years,  before courts converged around the proposition that plaintiffs only need to include enough detail to adequately plead the claim.  Rather, I mean that most defense firms now merely go through the motions of attacking and analyzing plaintiffs’ falsity allegations.

How could that have happened?  To be blunt, it’s mostly through bad lawyering by defense lawyers, who got sidetracked by the Safe Harbor and the scienter pleading standard (see below), and by self-indulgent statutory analysis, such as what Congress meant by the term “all facts.”  In doing so, they overlooked the more basic but powerful point: the Reform Act’s falsity standard must be a higher and different hurdle than Rule 9(b), requiring a robust analysis of the falsity allegations.  And when they got distracted, defense counsel took their eye off their main job: to stick up for their clients’ honesty.

Indeed, the core argument of virtually every motion to dismiss should be that the defendants told the truth and said nothing false.  The Reform Act, and now the Supreme Court’s decision in Omnicare, Inc. v. Laborers Dist. Council Const. Industry Pension Fund, 135 S. Ct. 1318 (2015), leave securities defense lawyers with broad latitude to attack falsity.  A proper falsity analysis always starts by examining each challenged statement individually, and matching it up with the facts that plaintiffs allege illustrate its falsity.  From there, the truth of what the defendants said can be supported in numerous ways that are still within the proper scope of the motion-to-dismiss standard:  showing that the facts alleged do not actually undermine the challenged statements, because of mismatch of timing or substance; pointing out gaps, inconsistencies, and contradictions in plaintiffs’ allegations; demonstrating that the facts that plaintiffs assert are insufficiently detailed under the Reform Act; attacking allegations that plaintiffs claim to be facts, but which are really opinions, speculation, and unsupported conclusions; putting defendants’ allegedly false or misleading statements in their full context to show that they were not misleading; and pointing to judicially noticeable facts that contradict plaintiffs’ theory.

These arguments must be supplemented by a robust understanding of the relevant factual background, which defines and frames the direction of any argument based on the complaint and judicially noticeable facts.  Yet most motions to dismiss do not make a forceful argument against falsity that is supported with a specific challenge to the facts alleged by the plaintiffs.  Some motions superficially assert that the allegations are too vague to satisfy the pleading standard, but do not engage in a detailed defense of the challenged statements.  Others simply attack the credibility of “confidential witnesses” without addressing in sufficient detail the content of the information the complaint attributes to them.  And others fall back on the doctrine of “puffery,” essentially conceding that the statements may have been lies, but contending that they were not specific or important enough to be taken seriously.  By focusing on these and similar approaches, a brief may leave the judge with the impression that defendants concede falsity, and that the real defense is that the false statements were not made with scienter.  Not only is this an argument not available for Section 11 and 12 claims, but defense counsel’s failure to attack falsity allegations in detail actually undermines the argument that defendants did not have scienter.

The Reform Act’s falsity pleading standard was an enormous gift for defense attorneys, which enables them to mount a strong and vibrant defense on a motion to dismiss if it is used correctly.  But because it has not been used to its potential, I give it a D.

Scienter Pleading Standard – Grade: C

The Reform Act says that “with respect to each act or omission alleged to violate this chapter, [plaintiffs must] state with particularity facts giving rise to a strong inference that the defendant acted with the required state of mind,” i.e., scienter. 15 U.S.C. § 78u-4(b)(2).

Defense lawyers have billed billions of dollars analyzing and briefing what these simple words mean.  We argued for years about the meaning of “the required state of mind” – did it mean actual intent, recklessness, or a hybrid?  We litigated how courts must consider whether plaintiffs have pleaded a “strong inference” of that state of mind, an issue ultimately decided by the Supreme Court in Tellabs, Inc. v. Makor Issues & Rights, Ltd., 551 U.S. 308 (2007), which held that courts must weigh inferences of scienter to decide whether the alleged inference of fraud is stronger than opposing innocent inferences.  We then argued over whether Tellabs did away with the various “rules” courts had established, such as the amount or percentage of stock holdings a defendant had to sell before his or her sales suggested scienter, and whether looking at stock sales, or any other type of scienter allegation, in isolation was even allowed.  And we have argued over the degree of particularity Congress intended to require, and engaged in thousands of “did so, did not” spats over whether the allegations met the standard for which we were arguing.

For defendants, the overall outcome of all of this is decent.  The dismissal rate is pretty good, and the vast majority of dismissals are based on plaintiffs’ failure to plead scienter.  But the defense counsel community’s intense focus on improving the defendant-friendly scienter standard contributed to the distraction that sidetracked good falsity analysis.  And to what end?  I would bet a great deal that the difference between plain old “recklessness” and a slightly higher degree of recklessness has made no real difference in the dismissal rate.  A judge who believes that a defendant didn’t mean to say something false would not deny a motion to dismiss simply over a slightly different formulation of the legal standard.

But defendants have achieved this decent dismissal rate without their defense counsel making the best possible arguments for them.  As with falsity, the primary flaw in most defense arguments against scienter is with defense counsel’s failure to engage in a fact-specific analysis of the complaint’s allegations about what the defendants knew in regard to each specific challenged statement.  All too often, defendants allow themselves to be sidetracked by technicalities, or even worse, drawn to the plaintiffs’ preferred ground of battle, focusing on arguing about the sufficiency of the circumstantial evidence that plaintiffs use to create the impression that the defendants must have done something wrong.

Both of these flaws are found in defense counsel’s typical approach to plaintiffs’ arguments under the “core operations” inference of scienter and the “corporate scienter” doctrine.  Each of these theories allows a plaintiff to avoid pleading specific facts establishing the speaker’s scienter.  For example, the core operations inference posits that scienter can be inferred where it would be “absurd to suggest” that a senior executive doesn’t know facts about the company’s “core operations.”  Many motions to dismiss set up some formulation of this statement as a legal rule and then use it to make a simplistic syllogistic argument.  Such arguments devolve into “did not, did so” debates, and thus play into plaintiffs’ hands because they are detached from knowledge of falsity.  Instead, the right approach to the core operations inference is to understand that it requires a falsity so blatant that we can strongly infer that the executive had knowledge of the exact facts that made the statement false – not just the subject matter of the facts.  The most effective defense against the core operations inference thus focuses on falsity first, to show that even if a statement is false, it is at least a close call – making it hard for plaintiffs to contend that defendants must have known of this falsity.  But this can’t be done effectively if the argument against falsity does not vigorously attack the falsity allegations.

For these reasons, I give defense counsel’s use of the scienter pleading standard an overall grade of C: a B for the results and a D for how we got there.

Safe Harbor – Grade: D

The Safe Harbor for forward-looking statements was a centerpiece of the Reform Act.  Companies were being sued following announcements of missed earnings forecasts, which deterred companies from giving valuable earnings guidance.  Congress sought to encourage companies to give guidance and make other forward-looking statements by shielding such statements from liability if they are accompanied by “meaningful cautionary statements” or made without “actual knowledge” that they were false.  15 U.S.C. § 77z-2(c)(1); 15 U.S.C. § 78u-5(c)(1).

Yet the Safe Harbor is anything but safe.  In the 20 years of the Reform Act, surprisingly few dismissals are based solely the Safe Harbor; instead, courts either use it as  fallback grounds for dismissal, or just sidestep it – which has resulted in some significant legal errors.  The most notorious erroneous Safe Harbor decision was written by one of the country’s most renowned judges, Judge Frank Easterbrook, in Asher v. Baxter, 377 F.3d 727 (7th Cir. 2004).  Judge Easterbrook read into the Safe Harbor the word “the” before “important” in the phrase “identifying important factors,” to then hold that discovery was required to determine whether the company’s cautionary language contained “the (or any of the) ‘important sources of variance’” between the forecast and the actual results.  Id. at 734.

The reason for this judicial antipathy was best articulated by Bill Lerach, who famously said that the Safe Harbor would give executives a “license to lie.”  Judges have tended to agree with this conclusion.  Some have been quite explicit about it.  For example, in In re Stone & Webster, Inc. Securities Litigation, the First Circuit called the Safe Harbor a “curious statute, which grants (within limits) a license to defraud.”  414 F.3d 187, 212 (1st Cir. 2005).  And the Second Circuit, in its first decision analyzing the Safe Harbor – 15 years after the Reform Act was enacted, illustrating the degree of judicial avoidance – correctly interpreted “or” to mean “or,” but stated that “Congress may wish to give further direction on …. the reference point by which we should judge whether an issuer has identified the factors that realistically could cause results to differ from projections.  May an issuer be protected by the meaningful cautionary language prong of the safe harbor even where his cautionary statement omitted a major risk that he knew about at the time he made the statement?”  Slayton v. American Express Co., 604 F.3d 758, 772 (2d Cir. 2010).  Probably for this reason, the Safe Harbor has not deterred plaintiffs’ counsel from continuing to bring false forecast cases.  Twenty years later, a great many securities class actions still focus on earnings forecasts and other forward-looking statements.

We as a defense community have worsened the judicial antipathy and reluctance to issue rulings on Safe Harbor grounds, by making hyper-technical arguments that are detached from any notion that the challenged forward-looking statements aren’t false in the first place.  Most challenged forward-looking statements are true statements of opinion, and don’t even need the Safe Harbor’s protection.  But by bypassing the falsity argument, and falling back on the Safe Harbor, defense counsel plays right into plaintiffs’ hands.  Many defense lawyers try to overcome this problem by emphasizing that Congress intended to immunize even unfair forward-looking statements, if they are accompanied by appropriate warnings.  But this species of the disfavored defense of caveat emptor rings hollow.  Judges don’t like caveat emptor, and they don’t like liars – regardless of Congressional intent.  A much better way to defend forward-looking statements is to show that they were true statements of opinion, and then use the Reform Act as a fallback argument.  It makes the judge feel comfortable dismissing in either or both of two ways.  But few defense lawyers take that approach.

Finally, companies and their outside corporate counsel have contributed to the Safe Harbor’s lack of safety by failing to describe their risks in a fresh and detailed way each quarter.  When I evaluate a securities class action that challenges forward-looking statements and other statements of opinion (which comprise nearly all securities cases), one of the first things I look for is the progression of the risk factors each quarter.  I have a chart made, and I read them start to finish, as the judge will when we create the context for our arguments against falsity and to support the application of the Safe Harbor.  Are the risk factors specific or generic?  Do they change over time or are they static?  Do the changes in the risk factors track disclosed changes in business conditions?  Etc.  But companies and their outside corporate counsel frequently devolve to boilerplate, and fail to draft careful disclosures that make a judge feel comfortable that they were trying to disclose their real risks each quarter.

So, I give the Safe Harbor a D.

Lead Plaintiff Procedures – Grade C

The symbol of the pre-Reform Act era is the race to the courthouse among plaintiffs’ lawyers to file a complaint first and thus win the lead counsel role.  Congress intended the heightened pleading standards and the Safe Harbor to play a role in fixing that problem, because they are meant to incentivize plaintiffs to do more pre-filing investigation.  However, the Reform Act’s lead plaintiff provisions – which require the court to choose a lead plaintiff and lead plaintiff’s counsel after a beauty contest – undermine that goal, since only the lead plaintiff has an economic incentive to invest much time and money in an investigation.  So although the initial filer no longer has a competitive advantage by being the first plaintiff to file, the initial complaint is still routinely filed without any real investigation or worry about satisfying the pleading standards.

The lead plaintiff procedures were also designed to prevent lawyer-driven litigation, by providing that the lead plaintiff is presumptively the plaintiff with the largest financial loss – i.e., a plaintiff with “skin in the game.”  While that goal is salutary, it has spawned complex and mixed results.  The Reform Act’s lead plaintiff process incentivized plaintiffs’ firms to recruit institutional investors to serve as plaintiffs.  For the most part, institutional investors, whether smaller unions or large funds, retained the more prominent plaintiffs’ firms, and smaller plaintiffs’ firms were left with individual investor clients who usually can’t beat out institutions for the lead plaintiff role.  At the same time, securities class action economics tightened in all but the largest cases.  Dismissal rates under the Reform Act are pretty high, and defeating a motion to dismiss often requires significant investigative costs and intensive legal work.  And the median settlement amount of cases that survive dismissal motions is fairly low.  These dynamics placed a premium on experience, efficiency, and scale.  Larger firms filed the lion’s share of the cases, and smaller plaintiffs’ firms were unable to compete effectively for the lead plaintiff role, or make much money on their litigation investments.

This started to change with the wave of cases against Chinese issuers in 2010.  Smaller plaintiffs’ firms initiated the lion’s share of these cases, as the larger firms were swamped with credit-crisis cases and likely were deterred by the relatively small damages, potentially high discovery costs, and uncertain insurance and company financial resources.  Moreover, these cases fit smaller firms’ capabilities well; nearly all of the cases had “lawsuit blueprints” such as auditor resignations and/or short-seller reports, thereby reducing the smaller firms’ investigative costs and increasing their likelihood of surviving a motion to dismiss.  The dismissal rate has indeed been low, and limited insurance and company resources have prompted early settlements in amounts that, while on the low side, appear to have yielded good outcomes for the smaller plaintiffs’ firms.

The smaller plaintiffs’ firms thus built up a head of steam that has kept them going, even after the wave of China cases subsided.  For the last year or two, following almost every “lawsuit blueprint” announcement, a smaller firm has launched an “investigation” of the company, and they have initiated an increasing number of cases.  Like the China cases, these cases tend to be against smaller companies.  Thus, smaller plaintiffs’ firms have discovered a class of cases – cases against smaller companies that have suffered well-publicized problems that reduce the plaintiffs’ firms’ investigative costs – for which they can win the lead plaintiff role and that they can prosecute at a sufficient profit margin.

To be sure, the larger firms still mostly can and will beat out the smaller firms for the cases they want.  But it increasingly seems clear that the larger firms don’t want to take the lead in initiating many of the cases against smaller companies, and are content to focus on larger cases on behalf of their institutional investor clients.  The result is now two classes of plaintiffs and plaintiffs’ firms:  larger firms with institutional investor clients, as Congress intended, and smaller plaintiffs’ firms with smaller individual clients, which Congress sought to displace.   In a sense, we’re back to where we started, but now with more aggressive institutional investors to boot.

As a result, from the defense perspective, I give the lead plaintiff procedures a C.

Discovery Stay – Grade: A

The Reform Act’s automatic stay of discovery was also meant to prevent plaintiffs from filing a lawsuit without adequate investigation, and conducting formal discovery to fish for facts to support it.  The discovery stay has saved defendants and their insurers many billions of dollars in discovery costs, and prevented millions of hours of unnecessary distraction by employees who have been able to focus on their jobs instead of helping their lawyers and electronic discovery consultants collect documents.  Although the statute contains several exceptions, there has been relatively little litigation over their application, especially over the last decade; the plaintiffs’ bar has shown restraint and efficiency in not over-litigating the discovery stay.  The discovery stay has worked well.

Conclusion:  The Reform Act’s Overall Grade

Grade: C+

In outlining this post, I originally organized my thoughts around this question: Are companies and their directors and officers really better off than they were 20 years ago?  Although it may seem absurd that a defense lawyer could even think about answering that question “no,” it really is a fair question.  I could make the case that the Reform Act’s tools have actually hindered the overall effectiveness of securities litigation defense by distracting from its core purpose: to convince a judge or jury that the defendants didn’t say anything false.  That is best done by thinking about the defense of the litigation overall, through trial – which not only sets the case up for a better defense on the merits, but results in better motion-to-dismiss results, for the reasons I’ve described.  But instead, the Reform Act tempts defense counsel to rely on technicalities, which can result in a mediocre defense, and an increased liability and economic exposure that overall are harmful to public companies, their directors and officers, and insurers.

 

* I never call the Reform Act the “PSLRA.”  The Reform Act was meant to reform securities litigation, not PSLRA-ize it.

Over the past three years, I’ve been outspoken about the need for better board oversight of cyber security, as well as the need for better cyber security disclosure.  The severity of the cyber threat is so significant to companies, as well as to the nation’s economy and security, that boards have no choice but to pay attention.  Indeed, I can easily envision a world where, as a practical matter, directors face a heightened risk of personal liability for cyber-security problems.  And over the past several years, there has developed an army of talented IT, legal, and insurance professionals ready to help boards manage this threat, and there are some very proactive, outspoken, and conscientious directors who are trying to lead the way.

Yet surveys still say that, on the whole, directors aren’t sufficiently engaged, and companies aren’t providing directors with sufficient information and support.

How in the world could that be so?

Below, I examine two of the underlying problems, and provide solutions: (1) a suite of problems that I call “cyber freak-out,” and (2) an odd lack of concern about director liability.

Cyber Freak-Out

The average corporate director was 47 years old when Amazon became a public company.  Although that was also almost 20 years ago, and most people who serve on boards have grown comfortable with computers and the basics of technology, there is nevertheless a fundamental sense of discomfort with discussion around the IT aspects of cyber security.

This discomfort yields a suite of problems that I diagnose collectively as “cyber freak-out.”  Cyber freak-out includes one or more of the following stated or unstated excuses for not tackling cyber security issues:

  • Excuse: The audit committee handles risks, so that’s the right group to handle cyber security.
    • Reality: Cyber security is an enterprise risk that the full board needs to understand and decide how to manage – even if it is ultimately given to a committee.  And the audit committee has too much work already.
  • Excuse: Being hacked is inevitable, so we can’t do much about it.
    • Reality: The reality is cyber security oversight isn’t just about preventing attacks – it’s also about deciding what assets to protect and how to respond to a breach, among other issues.
  • Excuse: Cyber security is an IT issue, and the IT folks have told us for years that we’re safe.
    • Reality: The world of cyber security poses higher risks now, and it’s incumbent upon the board to ask hard questions of the IT department.  There are outside consultants galore who can give the board an independent evaluation. And cyber security is not just an IT issue.  Most cyber attacks can be prevented through employee education – which presents issues of employee training and corporate culture, which even a Luddite director can help shape.
  • And there are several more things few people say out loud, but I fear that too many think:
    • Excuse: We should have been on top of this earlier, so engaging in a full-scale program of cyber security readiness will make us look bad.
    • Excuse: I don’t want to ask a dumb question, and don’t think I can ask a smart one.
    • Excuse: If I wait long enough, one of my fellow directors will get up to speed and lead us through what we need to do.

Reality: The absurdity of these excuses speaks for itself.

Another common mistake is to assume that cyber attacks are limited to companies with personal information, like credit card numbers or health information.  That is wrong:  Any company with valuable assets – including trade secrets – is and will be a target.  The reason that companies with personal information grab the headlines is that their breaches have become public because of breach-notification laws.  Companies that aren’t subject to breach-notification laws rarely disclose cyber breaches.  One of the country’s leading cyber-security lawyers to public companies said at the SEC’s Cybersecurity Roundtable in March 2014 – in the presence of SEC Chair White and Commissioners Aguilar (who gave an important speech in June 2014 on board oversight of cyber security), Gallagher, Piwowar, and Stein:

I would say that I really can’t think of a case – and we’ve worked a lot –  where the disclosure thinking or analysis was driven by the securities law issues, frankly.

Basically there are other state laws, other situations that are going to create a disclosure obligation, and that’s what drives it. And I think just to be someone speaking from the trenches in terms of the reality of what really happens, there is a tremendous disincentive to disclose a breach.

I believe that the well-known cyber breaches are the very tip of the iceberg, and the much larger cyber security problem is, and will be, beneath the surface until companies start disclosing cyber security issues because of their yet-unenforced federal securities law obligations.  A company whose IP has been stolen, or whose business has been interrupted, faces various disclosure issues.   The issue isn’t just whether a breach is material.  It’s much broader: a cyber security breach could make any number of statements misleading, including financial statements, earnings guidance, statements about internal controls, and statements about the status and prospects of the business operations.  Yet most directors seem to believe that cyber security is just a problem for banks, retailers, and health-care providers and insurers.  That’s just not so.

The problem with cyber freak-out is that it undercuts directors’ main defenses to shareholder claims of breach of fiduciary duty.  There are two main claims for breach of fiduciary duty in this area:

The first type of claim is for a failure to act, or a failure to engage in appropriate oversight, under a standard articulated in a leading case called Caremark.  The court in Caremark called the claim it branded “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.”  To be liable for a failure of oversight – a type of breach of the duty of loyalty – a director must fail to establish any system for detecting problems, or if a system exists, must deliberately fail to monitor it or follow up on red flags.  Thus, the only way a director can be liable for a failure of oversight is to not even try – or in the cyber security context, to be paralyzed by cyber freak-out.

In contrast to a claim for inaction, the second type of claim is based on director action.  Such claims are governed by the business judgment rule, which protects from second-guessing a decision made by informed and disinterested directors.  A shareholder can overcome the presumption, however, if the challenged decision was not informed.  Cyber freak-out can result in challenged cyber-security decisions being insufficiently informed, and thus outside the protection of the business judgment rule.

Thus, directors will not be liable if they in fact oversee cyber security, and make decisions about cyber security based on adequate information. Boards need to just pay attention and start somewhere – there’s no secret sauce, and perfection isn’t required.  There’s no cyber-security intelligence test.  An inquisitive director can do a good job overseeing cyber security without even being a computer user.

Director Liability

On the one hand, diligent directors don’t face real risk of liability for cyber security oversight.  On the other hand, I believe the fear of director and officer liability needs to increase before directors and officers and their companies sufficiently tune up their cyber security oversight and disclosures.

Although I don’t wish a lawsuit on anyone, much less actual liability, I think some jarring liability event is necessary: Just as Bill Lerach, Mel Weiss, and other prominent securities class action plaintiffs’ lawyers have greatly improved the quality of corporate disclosure, and corporate-law decisions like Smith v. Van Gorkom have improved board decision-making processes, so too would a cyber-security liability jolt improve cyber-security oversight and disclosure.  But at the moment, directors and officers observe that stocks generally haven’t dropped enough to trigger securities class actions, and the handful of shareholder derivative cases haven’t been virulent.  And the shareholder derivative litigation dismissal in Wyndham, while great for Wyndham’s directors, probably set cyber security oversight back.  The Wyndham decision, resting on the board’s post-breach process in deciding to reject a shareholder demand on the board, was virtually meaningless in its impact on the law governing board oversight of cyber security.

But securities and corporate governance litigation involving cyber security problems is indeed coming.  And it may be ugly.  The more directors and officers are on notice about the severity of cyber security problems, and the less action they take while on notice, the easier it will be for plaintiffs to prove their claims.  We not only could see a sharp uptick in the number of claims, but they could be quite difficult for directors and officers to defend, until cyber security oversight and disclosure improve.  I worry about this dynamic a lot.

I also worry about SEC enforcement concerning cyber security. The SEC has been struggling to refine its guidance to companies on cyber security disclosure, trying to balance the concern of disclosing too much and thus providing hackers with a roadmap, with the need to disclose enough to allow investors to evaluate companies’ cyber security risk.  But directors and officers shouldn’t think the SEC is going to announce new guidance or make new rules before it begins enforcement activity around cyber security disclosures.  All it takes to trigger an investigation of a particular company is some information that the company’s disclosures are rendered false or misleading by inadequate cyber security.  And all it takes to trigger broader enforcement activity by the staff is a perception that companies aren’t taking cyber security disclosure seriously.  That may or may not be preceded by further cyber security disclosure guidance.  And companies need to be concerned about whistleblowers, including over-worked and under-paid IT personnel, lured by the SEC’s whistleblower bounty program, and about auditors, who will soon be asking more frequent and difficult questions about cyber security.

Conclusion

Greater cyber security oversight, and better corporate disclosure, are inevitable.  I hope that they happen naturally, as the result of good counseling by the advisors who are ready and able to help, rather than only developing after we are hit by the inevitable wave of shareholder litigation and SEC investigations and enforcement actions.