Not long ago I wrote about a speech by Andrew Ceresney, Director of the SEC’s Division of Enforcement, at the Directors Forum 2016 in San Diego. In his speech, Mr. Ceresney made a point of noting the SEC’s continuing commitment to pursue “gatekeepers” who fail to comply with their legal and professional obligations. (See this Doug’s Note.) This follows the now infamous Yates memo, which highlighted the Department of Justice’s modified prosecution procedures designed to hold individuals (rather than, or in addition to, corporations) accountable for perceived violations. (See this Featured Article.)
Now come recent comments by Lara Shalov Mehraban, an Associate Director in the SEC’s New York Regional Office, at a recent Practicing Law Institute conference, as reported by Stephen Joyce in Securities Law Daily, a Bloomberg BNA publication. Mr. Joyce states that Ms. Mehraban attempted to allay concerns about the SEC’s enforcement posture toward directors and other gatekeepers:
“Enforcement isn’t second guessing good-faith decisions by the board, but rather bringing cases where directors have either taken affirmative steps to participate in fraud or enabled fraudulent conduct by unreasonably turning a blind eye to obvious red flags.”
Ms. Mehraban stated that cases involving directors remain “rare,” and typically result when there is a “significant departure from normal corporate governance and appropriate conduct.”
Even so, she went on to state that outside directors are “key gatekeepers” who must “take concrete steps to learn all of the relevant facts and ensure that the company cease filing annual and quarterly reports until they are satisfied with the accuracy of the filings” any time they learn of information “suggesting that the company filings are materially inaccurate.”
In the realm of cyber attacks, Ms. Mehraban is reported as saying that companies may find themselves in trouble with the SEC Enforcement Department when they “fail to take reasonable steps to protect their customers’ information from cyber attacks….”
What should we make of this?
Ms. Mehraban’s statements do little to lessen the concerns of directors and other “gatekeepers” over the SEC’s recent emphasis on bringing enforcement actions against individuals. Enforcement decisions still depend on whether the staff believes gatekeepers have behaved “unreasonably” or failed to be sufficiently proactive in the face of red flags. This is particularly alarming in the context of cybersecurity, which continues to escalate in volume and complexity at a pace that the average company struggles to stay on top of.
Obviously, anyone who participates in fraud or gross misconduct should be punished. It is troubling, however, that the SEC now routinely describes directors as “gatekeepers,” a term that typically means someone who controls access to a location or, in this context, information. But as everyone knows, directors are responsible for providing oversight based primarily on information provided by persons they have deemed competent to manage their areas of responsibility. It seems to me that labeling directors as gatekeepers suggests a level of individual involvement well beyond oversight. And while it may seem nitpicky to get hung up on a single word, the widespread application of “gatekeeper” status to boards of directors suggests a level of detailed scrutiny and involvement in processes beyond what is reasonable and sets an unrealistic tone of expectations. Increased director liability for failure to proactively tend the “gate” is sure to follow.
The SEC’s focus on individuals, including directors, is unlikely to abate any time soon. This heightens the importance of keeping boards of directors fully informed about the company’s risk management efforts, trained in the latest developments and proactive in the processes intended to identify and resolve compliance issues.