As the 2023 proxy season comes to a close, attacks by high-profile activist hedge funds at blue-chip companies continue to dominate headlines, and a close review of campaigns conducted during the first season under the SEC’s new universal proxy rules reveals changes to strategy and tactics that companies, activists and their advisors are carefully considering. As such, it’s no surprise that activism preparedness continues to rank high on the priority list of many public company boards.
But as this past year has shown, a public attack by an activist is not the only form of corporate crisis. The current macroeconomic environment and depressed valuations have led to bidders (both strategic and financial sponsors) more regularly making unsolicited and, in some cases, even openly hostile M&A approaches. Sophisticated hedge funds specializing in short attacks are growing bolder and expanding their targets to more mature, global companies, with several campaigns leading to significant stock price reactions, governmental investigations and executive departures. ESG continues to be a focus, but companies now face increasing tension between pro-ESG and anti-ESG groups, with areas of vulnerability expanding beyond shareholder proposals to litigation, state legislation, and possible state AG investigations and federal Congressional investigations, as well as potentially significant business, reputational and financial risks (e.g., via boycotts or aggressive social media campaigns), all of which can be interrelated and even fuel one another. The landscape for director (and officer) liability for Caremark (oversight) claims continues to evolve, in cases ranging from cyberattacks and allegations of employee sexual misconduct to more traditional areas of risk including natural disasters, critical regulatory and enforcement compliance issues and fraud. Boards now also find themselves operating in an era of rapid-fire and unprecedented regulatory change in critical areas, including antitrust and environmental policy — not to mention accelerating business and industrial change via technological disruption (including GenAI) that continues to upend and threaten business models.
In our experience, the boards that respond most effectively to major corporate crises are those that approach crisis preparedness proactively and holistically rather than from a reactive posture focused on individual risk silos. While there is no one-size-fits-all approach and each company (and each board) is different, the following questions may be helpful to consider in making sure the board is prepared.
- Does the board know what may be coming? Is the board receiving periodic briefings from relevant experts inside the company (e.g., compliance, legal, cyber, government relations) on the company’s most likely vulnerabilities? Are outside advisors providing input to management and the board on industrywide developments, company-specific threats and relevant current issues (e.g., the impact of universal proxy on the company’s vulnerability to shareholder activism and the potential impact of relevant DOJ corporate enforcement priorities)? Is the company monitoring the shareholder base (including its list of registered holders) for suspicious activity and informing the board of critical investor feedback? Is it monitoring the corporate website to detect visits by activists, potential bidders and their respective advisors, as well as by government agencies and regulators?
- Are there policies designed to protect directors (and officers) from potential Caremark claims? Is the board regularly briefed on enterprise risks and is there a process for internal and external yellow and red flags (including from whistleblowers) to be elevated to senior management and ultimately the board? Have policies and procedures been implemented to develop a record of the board’s good faith efforts to implement and monitor oversight systems and develop policies to escalate risks that are mission critical to the company?
- Does the company have processes in place to identify and address reputational risks associated with an increasingly polarized political and cultural climate? Does the company have workable processes for surfacing potentially significant reputational risks that could be associated with public-facing communications or marketing activities? Has management reviewed with the board the company’s plans for addressing external political or social developments and controversies that may not directly affect the company’s core business but as to which there is pressure from employees, customers or the general public for the company to take a stand?
- Is the long-range plan updated and sensitized to the new economic landscape? Has management updated the company’s long-range plan and key assumptions for the current macroeconomic environment? Are assumptions and sensitivities discussed with management and clearly understood so as to maintain appropriate flexibility for the board in the event an unsolicited bidder or activist approaches?
- Is the company communicating its strategy and the board’s expertise appropriately? Does the company have a plan to present the company’s long-term strategy to large shareholders and other key stakeholders? Are director bios in the company’s proxy statement and investor website drafted to communicate why and how each director’s background, skillsets and experience add unique value to the board, as opposed to being limited to recitations of employment history and more general rationale? Does the board have an informed list of potential board candidates in case one is needed?
- Has ESG disclosure been vetted? Has the company’s ESG (including DEI and sustainability) disclosure been vetted for compliance with evolving regulations, as well as investor, proxy advisor and other stakeholder expectations and from a litigation risk perspective? Has such disclosure been reviewed for potential backlash from ESG and anti-ESG perspectives?
- Does the board periodically evaluate its structural defenses to activism and takeovers? Have management and advisors reviewed with the board potential updates to its charter and bylaws to address the new universal proxy rules and, where applicable, state law (e.g., officer exculpation for Delaware companies)?
- Is there a protocol for directors and senior executives to follow if they receive inbounds from an activist, unsolicited bidder or other third party? Does the board receive periodic reminders of best practices for notetaking, emails, texts and other communications with a view toward protecting attorney-client privilege and preparing for potential litigation and proxy fights, taking into account key recent cases and enforcement actions where emails and texts were the primary source of evidence for civil plaintiffs and/or regulators?
- How will the board make decisions in a live-fire crisis? Have management and the relevant advisors developed and taken the board through action plans to familiarize directors with the cadence, tactics and timelines of potential crisis scenarios and sensitize directors at a high level to the merits and pitfalls of a range of possible response options when the company is attacked?
- Does the company have a knowledgeable and integrated crisis response team? Does the company have a playbook with identified internal leaders who will be the decisionmakers for various types of crises? Does the company have outside counsel, a financial advisor, a crisis PR firm and other relevant specialists engaged or on standby for potential crisis scenarios? Is the internal and external response team sensitized to the company’s culture, priorities and vulnerabilities? Does outside counsel have the breadth of expertise to cover the relevant threat landscape (including corporate governance, activism, hostile M&A, bet-the-company litigation, white collar (SEC/DOJ), Congressional investigations, ESG and cyber)?
As with any effective advance preparation exercise, in the context of crisis preparedness, asking the right questions is just the first step. A reflexive “yes to all” should not be the goal. Instead, we encourage board leadership to work with fellow directors, senior management teams (particularly the general counsel) and trusted advisors to consider these questions as part of an effort to develop a crisis response program that is carefully tailored to the company’s specific needs. It is equally important that the program not be static. The most effective crisis programs are revisited and regularly updated as needed to address a rapidly evolving threat and risk landscape.