Cybersecurity: Board Responsibilities & Liabilities – Volume 2

Volume 2, January 2023
by Al Rottkamp, MBA, MS, CRISC, SSCP, ITIL4, CLSSGB, CBET

For liability to attach under the Caremark theory, the board must have failed to provide any reasonable oversight in a sustained or systematic fashion, or the information and reporting system on which the board relied must have been a total failure. Those are high standards.

Although the Delaware Court of Chancery's 1996 Caremark decision raised the bar for boards to actively monitor compliance, a recent decision reminded plaintiffs how high their pleading requirements remain.

In Construction Industry Laborers Pension Fund, et al. v. Mike Bingle, et al., a derivative suit brought on behalf of SolarWinds, stockholders alleged that SolarWinds directors failed to adequately oversee cybersecurity risk, thereby allowing the 2020 supply-chain attack and devaluing the company.

After review, the Delaware Court of Chancery found that while the directors ‘failed to prevent a large corporate trauma, the plaintiffs failed to plead specific facts to infer bad faith liability on the part of the directors.’

For reasons discussed in the case documents, the court found the SolarWinds director defendants:
1. Were not credibly alleged to have allowed the company to violate law
2. Ensured that the company had at least a minimal reporting system about corporate risk, including cybersecurity
3. Were not alleged to have ignored red flags of cyber threats in a way that would imply conscious disregard of a known duty

The court did not say the company did a great job, only that the efforts were enough to dismiss the case.

The message – something is better than nothing.

As a result of this case and others, insurance carriers are reviewing their directors and officers (D&O) and errors and omissions (E&O) policy offerings: client requirements, covered terms and premiums. Carriers are reviewing board meeting documents and recommending external audits.

CONGRESSIONAL REACTIONS

The law is predominantly reactive: for Congress to enact new laws, a situation typically has to negatively affect thousands, if not millions, of people. One such crisis came to a head in 2001. A large company had elevated greed to a new level by hiding liabilities and counting money it did not really have in the bank. The scam hurt thousands of investors, wiping out savings and retirement funds, and executives were aware of the accounting problems.

SOX

Enron was founded in 1985 by Kenneth Lay through the merger of two natural-gas-transmission companies. Its business model came to include trading contracts for electricity and natural gas, as well as other products such as capacity on high-speed telecommunications networks. It used a complex online trading platform designed to hedge the company's bets.

In 2000, the business started to crumble. The CEO and others had concealed financial losses through aggressive use of mark-to-market accounting and off-balance-sheet transactions. Mark-to-market accounting aims to provide a realistic appraisal of a company's current financial position based on current market conditions rather than book value; applied to long-term contracts, it let Enron book projected future profits immediately. Off-balance-sheet transactions can expose an institution to credit or liquidity risk that is not reflected on its balance sheet. In essence, the company kept reporting profits that had yet to be earned while keeping its liabilities invisible.

The Securities and Exchange Commission (SEC) probe drove the stock down: shares that traded at about $90 in 2000 had fallen to $0.26 by late 2001. Enron filed for bankruptcy in December 2001. Investors lost over $60 billion. Enron executives and the company's accounting firm, Arthur Andersen, were indicted.

The Sarbanes-Oxley Act (SOX) of 2002 was passed by Congress in response to the accounting irregularities at Enron and its accounting firm, Arthur Andersen. It applies to all publicly traded companies; a few provisions also apply to private companies.

Arthur Andersen was indicted in March 2002 and found guilty in June 2002 of obstruction of justice for shredding truckloads of documents (evidence) related to the Enron audit. Although the Supreme Court reversed the conviction in 2005, the damage had already destroyed the firm: Andersen had advised the SEC that it would cease auditing public companies.

Enron CEO Kenneth Lay was indicted by a grand jury in 2004 for his role in wide-ranging schemes to defraud the public. A jury convicted him in 2006, but the conviction was vacated after he died at age 64 later that year, before he could appeal. Former CFO Andrew Fastow pleaded guilty to securities and wire fraud conspiracy in 2004 and was sentenced to six years in prison. After his release, Fastow became a public speaker on business ethics.

SOX contains several key provisions intended to reform corporate reporting and the accounting profession. SOX requires corporate executives, specifically the CEO and CFO, to personally sign their corporate financial reports; to certify the accuracy of their company's financial statements; and to maintain and assess internal controls that prevent inaccurate, misleading, missing or fraudulent financial data. It imposes criminal penalties for misleading shareholders and for altering documents to impede an investigation. SOX also established an oversight board for the accounting profession (the Public Company Accounting Oversight Board, PCAOB) that regulates the relationship between corporations and their auditors, and it shields corporate whistleblowers from retaliation.

It is clear: under SOX the CEO and CFO are personally accountable for providing stakeholder reports that fairly present, in all material respects, the financial and operational status of the company. The price of noncompliance is high. Under Section 906, executives face fines of up to $1 million and up to ten years' imprisonment for knowingly certifying a non-compliant financial report, and up to $5 million and up to twenty years' imprisonment for doing so willfully. SOX also criminalizes the falsification or destruction of records to impede or influence an investigation. SOX-style requirements could reach nonprofit healthcare organizations if bondholders and donors (their financial stakeholders) perceive their investments to be in peril.

CAREMARK AND SOX

In summary, under the Caremark theory, the board must have failed to provide any reasonable oversight in a sustained or systematic fashion, or the information and reporting system on which the board relied must have been a total failure. Under SOX, the CEO and CFO are personally accountable for providing stakeholder reports that fairly present, in all material respects, the financial and operational status of the company.

The message: know your business, document your decisions, and present, in all material respects, the true status of the company.

RENOVO SOLUTIONS

RENOVO SOLUTIONS manages the entire medical technology asset life cycle, from procurement to disposal.

Our engineering staff maintain, service, and calibrate medical devices, from basic vital-signs monitors to state-of-the-art imaging.

We work with manufacturers and your clinical, financial, and technical departments to maintain optimum patient flow during purchases, reallocation, repairs, operating system upgrades and disaster recovery.

RENOVOSecure offers an array of services, from advisory services to on-site engineers and virtual CISOs, that plan, implement, and monitor a reasonable cybersecurity framework built on the CIS Controls and NIST best practices. A reasonable cybersecurity framework is becoming a legal and insurance requirement.

RENOVO staff can function as independent external auditors, providing the board a level of visibility it has not previously had. Our program correlates IT risk metrics to patient-care and financial risk in relevant terms. Additionally, the external audit can provide the independent review needed for a cybersecurity insurance premium reduction.

Plan now to achieve your corporate mission with reduced personal cybersecurity liability.

DISCLAIMER:

This article is for awareness and not to be considered a legal opinion or legal advice. Consult proper counsel.


ARTICLE REFERENCES:

Sarbanes-Oxley Act | Wex | US Law | LII / Legal Information Institute (cornell.edu)

https://www.govinfo.gov/content/pkg/PLAW-107publ204/html/PLAW-107publ204.htm

2022 Sarbanes Oxley Compliance Requirements for Sections 302, 404, 409, 806, 902, 906 (sarbanes-oxley-101.com)

Sarbanes-Oxley FAQ – What Your Business Must Do for Compliance (sarbanes-oxley-101.com)

Enron Scandal – Summary, Causes, Timeline of Downfall (wallstreetmojo.com)

The Enron Scandal and the Sarbanes-Oxley Act (thebalancesmb.com)

Enron Scandal: The Fall of a Wall Street Darling (investopedia.com)

New Economy; Many think that Enron’s business model for virtual trading remains sound despite the company’s problems. – The New York Times (nytimes.com)

Enron Scandal Executives, 20 Years Later: Where Are They Now? -Bloomberg

The Fallout of Arthur Andersen and Enron on the Legal Landscape of American Accounting – HG.org

SolarWinds’ Cyberbreach: Another Caremark Claim Dismissed | Woodruff Sawyer

Construction Industry Laborers Pension Fund, et al. v. Mike Bingle, et al. :: 2022 :: Delaware Court of Chancery Decisions :: Delaware Case Law :: Delaware Law :: US Law :: Justia
