From Boardroom Resources, I have attached below a short (13-minute) video interview by TK Kerstetter with Damian Brew, Managing Director/FINPRO at Marsh USA, Inc. In summary, Mr. Brew comments that although directors in general are not sued very often, derivative requests and suits against directors are increasing, and, as you already know, cybersecurity and related liability is a hot area. Mr. Brew also advises that directors be sure that their D&O coverage includes coverage for investigation costs. Mr. Kerstetter ended the discussion with good advice: directors should have processes in place, follow them, and document what they have done.
Some additional thoughts about the Yates Memo and similar governmental representations about cooperating with governmental entities.
Essentially, I view the governmental representations as follows. Government: “Give us everything that you have, make sure that you do a complete, timely and voluntary investigation, report to us before the problem or issue otherwise becomes known to us or to the public, and find out and report to us who is at fault – then we will decide if your investigation is sufficient, whether you have reported enough, and what credit, if any, we will give to you for your efforts and reporting – and whatever credit we give to you doesn’t mean that a different governmental entity with authority to investigate and punish or prosecute will not do so, or that they will also give you credit, and how much credit they might give you, if any.”
That having been said, if you are on a board, or an audit or other committee that is delegated the responsibility to investigate an issue or a situation, regardless of the Yates Memo or any other similar memo or position, you should do a complete investigation, and report, and address and remedy the issue or situation – but it’s also not like you need to fall on your sword.
Someone is either responsible or guilty, or they are not, or there is insufficient evidence to indicate which. And, in performing your investigation and trying to determine what happened and fault, you certainly need to know the background facts or evidence that actually exist; the conflicting evidence; the facts or evidence that don’t exist; the law, regulation, rule, standard or pronouncement that supposedly has been or that might have been violated (and, for example, whether the law, etc. that was supposedly violated is clear, or is vague, incomplete or ambiguous, or is in some manner unlawful or unenforceable, or is in some manner uncertain or subject to change depending on the situation, or even speculative); the burden of proof and who has the burden of proof on the issue; the standard or degree of proof that would be required to determine fault; causation; proximate causation and other causation events; actual fault and apportionment of fault between different people and factors; damages; and mitigation. In other words, when doing investigations there can be a lot to be done to determine what happened and fault, and it isn’t always entirely neat and clean, or even clear.
One additional comment: if you are a board member who is involved in an investigation, be sure that you are independent in fact and independent in appearance, and if you aren’t, you should not be doing or involved in the investigation.
Best, Dave Tate, Esq., San Francisco and California.
Below is the Kerstetter/Brew interview.