SEF Central 2024: Masterclass - Managing a True Corporate Crisis/Major Internal Investigation

A transcript from last week’s Securities Enforcement Forum Central 2024 panel on managing corporate crises follows. The panelists were:

  • Rachel Copenhaver, Partner, Vedder Price

  • Brad Mroski, Partner & Managing Director, AlixPartners

  • Andrew Shoenthal, Counsel to the Regional Director, SEC

  • Luke Tenery, Partner, StoneTurn

You can find the video at Docket Media’s YouTube channel here, and the full conference agenda here.

00:00 - 00:27

Bruce Carton: Our next panel is Masterclass, Managing a True Corporate Crisis or Major Internal Investigation. This is a great topic and a great panel to discuss. Let me first introduce our moderator, Brad Mroski, Partner and Managing Director at AlixPartners in Dallas. Brad has over 20 years of experience in forensic accounting, auditing, consulting, and litigation services, including six years as assistant chief accountant in the enforcement division of the SEC. Welcome, Brad.

00:28 - 00:29

Brad Mroski: Thanks, Bruce.

00:29 - 01:06

Bruce Carton: Very pleased to welcome Rachel Copenhaver, partner at Vedder Price in Chicago. Her practice focuses on representing clients in regulatory investigations and proceedings brought by the SEC, the FDIC, the US Attorney's offices, and other federal and state agencies. Welcome, Rachel. Always very pleased to welcome and welcome back Andrew Shoenthal. He's counsel to the SEC Regional Director in the Chicago office. He also has served for 10 years as a member of the Division of Enforcement Specialized Asset Management Unit and served as Senior Advisor to the unit's leadership. Welcome, Andrew.

01:06 - 01:07

Andrew Shoenthal: Good to see you again.

01:08 - 01:27

Bruce Carton: And finally, very pleased to welcome Luke Tenery, a partner at StoneTurn in Chicago. Luke has over 20 years of experience helping leading organizations mitigate complex cyber security, data privacy, and digital risks. And he frequently assists public companies and their boards. Luke, great to see you. Let me turn it over to you, Brad.

01:28 - 01:57

Brad Mroski: Okay, thanks, Bruce. Good morning, everybody. So we actually, we were going to have a fifth panelist. Asheesh [Goel] was going to join us and he had to drop off last minute, which I think is a good thing given the depth of expertise we've got up here. I don't know how we would have fit him in. But let's get right at it. So Rachel, I'll start with you. We're talking about, master class is a bit of a misnomer because I think everybody in here does a lot of this work and we're all very good at it. So we . . .

01:57 - 02:19

Brad Mroski: thought we'd kind of pick on some unique aspects of investigations. We've all gotten that call. Three weeks to go before a filing's due, whistleblower complaint. We've got to run really quickly. What are some of the first things you're thinking about when you get that call in terms of how to organize yourself and what needs to happen first.

02:19 - 02:51

Rachel Copenhaver: Sure, so first thing, I have one of these clocks also in my office for moments like this when I get that call. But all jokes aside, I think it's a fast-paced time period. And so I was preparing for today, I was kind of thinking about three big buckets or ways that I'm getting ready in these moments. And I think that first bucket just to preview them is the who, and there's a lot of different ways to think about it, your cast of characters, your stakeholders, thinking about the people that are involved. And then the next piece . . .

02:51 - 03:16

Rachel Copenhaver: is the scope, how are we going to scope this thing? And then last but not least is the timing. I don't want to start with the timing because I think if you get too focused on the timing from the get-go, you're probably destined to fail. And I think you need to better understand the who and the scope to be able to figure out how are we gonna get this done, realistically are we gonna get this done, and what are the hurdles in the timetable to get us there. And so what do I mean by the who? . . .

03:16 - 03:54

Rachel Copenhaver: And I think starting with, well, who's my client, right? This whistleblower complaint came in. How did it come in? What's the protocol and what's the governing documents that's telling, is the audit committee my client? Is there a special litigation committee? Who am I reporting to? And understanding that reporting structure from day one is paramount. Because if you don't have that set up correctly, it's a false start immediately. And that's gonna be impactful for all the other communications that you're going to have with all other internal stakeholders and certainly with third parties, whether that's auditors, I know . . .

03:54 - 04:32

Rachel Copenhaver: we'll talk about that later when you're dealing with regulators, if you have the pleasure of talking to the SEC or other federal or state regulators, but establishing that critical who's the who, who's my client, and working and setting that up is critical from day one. And once you've done that, figuring out what you can about, if this is a, let's say if it's a brand new client of yours, really understanding as quickly as possible the dynamics of the company, the reporting structure, do the whistleblower allegations impact the board, the inner dynamics of the company, the C-suite? . . .

04:32 - 05:02

Rachel Copenhaver: Because if you do have whistleblower allegations that are impacting any of those dynamics, that's gonna impact your reporting structure. Because let's say something impacts a senior level executive, you might need to have some type of recusal put into effect to make sure, and better understanding the situations as we were getting ready for this call. We were talking about what if you have a nosy executive who wants to be the first to know what's going on, trying to set all of that foundational concepts from day one about what are the dynamics of the company? Who am I . . .

05:02 - 05:38

Rachel Copenhaver: calling? Who am I talking to? How often are we talking? Are we, I'm having updates with you every single day at four p.m. or however, establishing that from day one is critical. And then thinking externally, what are the other relevant stakeholders that you need to be mindful of? If you're a public company, you're thinking about your auditors. If you're getting ready for a filing, we're talking about a 10-K or 10-Q, you're also dealing with a whistleblower. You know, I'm assuming, you know, the whistleblower already went to the SEC. And so I think you have . . .

05:38 - 06:08

Rachel Copenhaver: to make that assumption. So you're already thinking about, you're not picking up the phone yet by any means, but you're thinking that's already kind of playing out in your head as well. And similarly, if you're not gonna make that deadline, already thinking about, you know, are we gonna have to file a 12b-25. So I think you're thinking about all of that from the moment you get that call, already thinking about how you're gonna work through all of that. And then I think scoping it is critical as well, figuring out what do the allegations pertain . . .

06:08 - 06:43

Rachel Copenhaver: to? Are we dealing with financial reporting issues? Are we dealing with a labor and employment issue? What documents do we have? How are we going to collect all of this information? I know this morning there was off-channel communications, SEC orders that came through, so it's hard not to think about communications and how quickly they can disappear. So I'm thinking already at this point in those early days, how are people communicating? How are we doing the legal hold notice? How are we preserving things? How can we get all of these communications that we might need quickly safeguarded . . .

06:43 - 07:05

Rachel Copenhaver: and turned off so we can look at all that? And so then I think once you're figuring out the who, once you're figuring out how are we scoping this, how are we getting our arms around the issues and what we need to look at, then I think you're looking at the timing. How are we gonna get this done in a realistic timeframe, if possible, with an open mind and taking it day by day as much as possible.

07:06 - 07:34

Brad Mroski: Yeah, it's a good point. What I'm gathering from your answer is that there's a lot of moving parts and a lot of the times you have to kind of quarterback the situation because there's so many stakeholders. Management's really interesting because, you know, in a situation where, let's say, you've got three weeks to get a filing due, they're dying to know the information that you really can't share with them because they're saying, hey, I've gotta work on my filing. And so, you know, how you can leverage your client if it's the audit committee to actually be that . . .

07:34 - 08:09

Brad Mroski: kind of gating, gating helpful advocate for you to say, hey, you gotta, you gotta just go along your process, but you can't really be under the tent until, until you can be under the tent. Auditors is, is a whole other issue and how you kind of tag them along in a way that's gonna allow them to get their work done if there is a chance of getting the filing done on time. Andrew, from time to time, when we do these investigations, we do come across what could arguably be violations of the securities laws. And I know . . .

08:09 - 08:35

Brad Mroski: you're probably going to have some perspectives on self-reporting and the benefits of self-reporting and the cooperation. From our perspective, sometimes historically we've been a little bit challenged in terms of selling it to our clients and advocating for self-reporting in certain situations. So maybe you can talk a little bit about the SEC's views there. Sure. Shockingly. Don't forget your disclaimer.

08:35 - 09:10

Andrew Shoenthal: Oh, no. You all came here to hear my disclosure. I know it's the most important thing of today. I should have it tattooed, but knowing our office, they'll probably change it the next day. So before I say a single other word, my presentation remarks are provided in my official capacity as counsel to the regional director of the Chicago office and do not necessarily reflect the views of the commission, the commissioners, or other members of the staff, period. So yes, I do have some views on that. Funny enough, when I worked in my prior life, and my . . .

09:10 - 09:45

Andrew Shoenthal: prior prior life, I worked at a law firm and did a lot of internal investigations, and clients would ask, what do I get for cooperation? And the way I thought about it, it wasn't a philosophical question, it wasn't a theological question of what, does cooperation make me a good person? They want to know, practically speaking, what do I get for cooperating? And now I've been at the SEC for a while, and I can see there's a gap sometimes in the understanding. One side thinks it's cooperation, the other side says it's not meaningful enough. So what does . . .

09:45 - 10:24

Andrew Shoenthal: it mean? So it leads some members of the defense bar, obviously not a single person in this room, to suggest that the SEC should do a better job of defining what cooperation is, whether it's through a pronouncement, a checklist, something akin to what some U.S. Attorney's offices have done throughout the country. But for me, cooperation is not a mathematical formula. Like if you do X, you get Y. If you do X, you get $50 off. It's not the way things work because to me cooperation is a standard and it's a standard based on conduct and it's . . .

10:24 - 11:05

Andrew Shoenthal: okay if you think about it in the law it makes sense that it would be that way because if misconduct lies on the spectrum for example from negligence to intentional, shouldn't cooperation also exist on that spectrum? And so, for me, at least, the way to get an understanding of cooperation is really from pronouncements, which are primarily OIPs, the Orders Instituting Proceedings, or in settlement documents. And I will tell you, over the past year, there have been a series of OIPs and press releases which make very clear, at least in my humble opinion, what cooperation is and what . . .

11:05 - 11:53

Andrew Shoenthal: cooperation is not. And we're not, for the SEC we're talking about meaningful cooperation. So what's meaningful cooperation? And it's more than complying with the subpoena, producing documents, or just being nice. It's gotta be that extra step. It basically means proactively cooperating with the staff and the investigation, and as well as remediating those violations. So what does that mean practically speaking? Well, it varies by case. Again, if cooperation is a standard, it's based on the standard applying to that particular case. So, for example, it's providing detailed financial analyses and explanations and summaries of factual issues. It's proactively . . .

11:53 - 12:37

Andrew Shoenthal: identifying key documents for the staff. Even the documents the staff may not have asked for or even identified. It's also facilitating interviews with former employees. It's also identifying other issues and problems that even if they are not technically called for by the subpoena, they're somehow related to it or influence it. And again, that's just my view at least. Cooperation also means addressing the harm from the alleged misconduct. So that means proactively returning money to harmed investors or remediating or ceasing the unlawful, alleged unlawful behavior. And to be clear, none of these things, if you don't do . . .

12:37 - 13:18

Andrew Shoenthal: these things, it's not like you're gonna get penalized by the commission, which kinda makes sense because if it's cooperation and it's meaningful, you're going beyond what you're required to do. So what does this mean in practice? Let's get beyond the abstraction of what cooperation is. What does it mean? Well, there have been in the last month a rash of cases, series of cases, where cooperation has been noted, explained, and there's been relief given. I'll give you an example. So just last week, the SEC charged 11 institutional investment managers for not reporting securities holdings on Forms 13F . . .

13:18 - 13:54

Andrew Shoenthal: and 13H. And both the press releases and the OIPs, I recommend reading them. I know they may get a little boring after a while, but there's some nuggets in there. If you read those 11 OIPs and lay them side by side, you'll notice that two of them are very different than the remaining 9. One was with Dixon Mitchell, I recommend reading that one, and pardon my Dutch, because it's National Nederlander. I'm sure I'll get castigated for that pronunciation. But in both of those cases, they paid no penalties, while the other nine paid penalties of between $175,000 . . .

13:55 - 14:37

Andrew Shoenthal: and $725,000. And they did that because they actually reported the alleged violations to the SEC, and they also assisted by providing helpful documents that were beyond what was called for in the subpoena. Another interesting case, which is even more detailed, was from February of 2023, called Cloopen. It's even more interesting because it was a Chinese overseas company. And in that case, the SEC went through paragraph by paragraph, explaining exactly what Cloopen did to get no penalty in that case. According to the OIP, they recognized that there were issues with revenue recognition and as soon as . . .

14:37 - 15:20

Andrew Shoenthal: they saw issues with revenue recognition, they hired an internal, they did an internal investigation with outside counsel and they immediately reported it to the SEC. They identified the staff who were involved, they censored them, fired some, they also made monetary compensation as well. And again, the order's really clear about what took it from simply being helpful to meaningful cooperation at that point. And I will also point out that there were a series of cases just last week where cooperation led to a reduction in penalty or not seeking certain remedies like an internal compliance consultant. And again, . . .

15:20 - 15:57

Andrew Shoenthal: there's value to that, to I'm sure your client, not having to pay an internal compliance consultant for that. And so, couple weeks ago, there were a series of cases against credit rating agencies. And this was for record keeping failures. So it was part of the off-channel communication cases that you've seen. Again, lay out those six OIPs, two of those OIPs, one by the name of A.M. Best and the other called Demotech, made very clear that they weren't required to do any undertaking such as hiring an internal compliance consultant because of the cooperation they gave. . . .

15:58 - 16:34

Andrew Shoenthal: And again, the orders go through what cooperation meant in that situation. Basically early in the process they identified the issue, they took steps such as having certain computer systems and record-keeping things in place and alerted the SEC what they were doing even before they were asked to do it. And again another point I like to make is that cooperation is also seen by not bringing a case. And this is a little, the SEC does not publicize, nor I don't think many people in this room would want their clients to publicize, a declination or an investigation that's . . .

16:34 - 17:05

Andrew Shoenthal: closed. But I can tell you that in those cases, in many of those cases, cooperation was a factor that led the SEC not to do anything. And again, I can't point you to a record of matters that were closed because of the cooperation, but again, similar things. Proactive steps early, full and transparent production of information, as well as analyses that are not normally required or called for by the subpoena.

17:05 - 17:40

Rachel Copenhaver: I just want to jump in on the cooperation point and the hypo fact pattern with the whistleblower that you had talked about is, when we think about cooperation, I mean, there's multiple facets to it, right? So, you know, a lot of the focus obviously is on cooperation, but also thinking about the self-report, thinking about in the context of this whistleblower, the self-policing aspect. We might have, the company here might have a really great story about a whistleblower policy and a whistleblower program that worked really well and caught something, controls working. So as part of . . .

 

17:40 - 18:14

Rachel Copenhaver: the investigation we might not just be focusing on what did this whistleblower bring to our attention, part of it is, well, how did this get reported and how did it work? And let's highlight that if we're going to self-report it and be able to tell the SEC and any regulators that this is an example of a program that works effectively. We investigated it, we figured it out, and then in addition to talking about if we self-report, also talking about remediation, fixing it to the extent there's anything in the financial reporting program or any . . .

18:14 - 18:51

Rachel Copenhaver: other aspect of the company that needs to get remedied, whether it's doing other kind of training, discipline, there's so many other things that you can highlight beyond just cooperating, bringing in witnesses, translating documents, doing some of those other things. There's four other pieces to the puzzle that are part of ways that you can earn and exemplify and sit across from the table from your regulators and say we have exemplified extraordinary cooperation through ABC, and D, and we think that this is an example of a situation where we don't think a case should be brought, or let's . . .

18:51 - 19:46

Rachel Copenhaver: talk about whether or not we need to do an independent compliance consultant, or whether undertakings are necessary, or what types of charges. So that empowers you to have that dialogue later on down the line, but I think also in the defense bar, part of it is educating our clients, you know, maybe not day one when you get that call about a whistleblower complaint came in and we have to file a 10-K in three weeks, but being able to educate them on what's Seaboard, why do I care, what does this mean, what does this look like, and what are the tangible benefits of it besides just a declination, you don't just want to swing from the fences, but what does this look like? And being able to give them some examples, whether it's press releases, OIPs, and other tangible examples to be able to educate them.

19:46 - 20:39

Andrew Shoenthal: So another thing, just to jump up on your point is I also think cooperation can reduce the internal costs for the client or for the reporting entity especially in the context of an internal investigation when it comes to an SEC investigation. Because if you've done your homework, if you've interviewed the people, if you've already pulled the documents, you've already gone top to bottom, and you have a story, guess what? When the SEC comes and obviously very politely knocks on the door, they're going to ask for the same materials. So you've already done the homework. Obviously, there may be more homework. I promise that. But you're already more than halfway there. In fact, when you get a subpoena, or you get a request, or a voluntary request, you may have already done most of those things on that check sheet, on that list.

20:40 - 21:04

Brad Mroski: I wanna circle back to that. But I do wanna, I wanna follow up on something you said, Andrew. The, you'd mentioned that cooperation can result in not getting an ICC or the like. I mean, is that really the case though? I mean, is the decision on whether to impose a compliance consultant, does that hinge on cooperation or is it more remediation? And is remediation cooperation or is that table stakes?

21:06 - 22:05

Andrew Shoenthal: So I want to do some linguistic jujitsu here for a moment. But I will say this is that when you're looking at cooperation on a spectrum, so for example, in those off-channel communication cases with A.M. Best and the other party where there was no internal compliance consultant, the Commission felt that based on the actions that those respondents took prior to the investigation, assured the staff and the commission that the company recognized the problem and was going to treat it. Why do you need an internal compliance consultant in that case? Usually you want an internal compliance consultant to ensure that the entity recognizes its issues and corrects those issues. But if you've already done the homework, so to speak, I don't know why homework is on my mind, it's probably kids, but then putting an ICC in a place seems duplicative and doesn't seem tailored to the particular respondent in that case.

22:08 - 22:29

Brad Mroski: Okay, so Rachel and Luke, I promise we're gonna get to you. This is, they're giving me some threads here though. So Rachel, you've got, let's kind of flip it a little bit. You've got a situation where, and Andrew I will say, the SEC at least in my view has done a really nice job over the last three or four years of messaging the value of cooperation.

22:29 - 22:31

Andrew Shoenthal: I will take credit for that fully, so thank you very much.

22:31 - 22:44

Brad Mroski: Well, I mean, it used to be that you were lucky to get a sentence or two in an OIP and now you're getting a paragraph and a press release and so it's helpful for us when we talk to our clients and try and advocate in instances where we think it's the right decision.

22:44 - 23:08

Andrew Shoenthal: Yeah, you're right. It used to be like the SEC or the staff acknowledges the remedial efforts done by the respondent. It'd be like one or two sentences. But again, if you read the OIPs, I would say, over the past two years, there are paragraphs that are listing it. So again, no check sheet about what cooperation is and what it isn't, but just read the facts and it'll give you a sense of what it is that you're right.

23:09 - 23:48

Brad Mroski: So Rachel, you've got a situation where maybe you're doing an investigation. Let's say they're not going to make that three-week deadline. For whatever reason, there's ambiguity in the facts and you're still running things down but there's not a clear-cut violation of law that you would run and self-report to the SEC on. What's the calculus on whether you still self-report? If you're going to file a 12b-25, for example, you know you're going to come on their radar. How do you think about those situations and whether you proactively go to the SEC and say, FYI, we're looking into this, you're going to see a delayed filing, we've got this.

 

23:48 - 24:52

Rachel Copenhaver: I think this, you're having conversations with obviously your auditor when you're making the audit committee and you're having these discussions internally. Once you kind of have made the call that you're going to be delayed in your filing, and even if you're at that point where you're still figuring out whether or not there's smoke there, I think that at this point, you're probably getting, you probably wanna pick up the phone and give Andrew a call and say, we have been engaged. It can be a very quick call. You know, we're on it. We've been retained. We're looking into it. And, you know, we want to continue to have an open dialogue. We're gathering facts and, you know, continue to have that conversation. But I think if you're at that point where you're, I think that fact-finding is gonna happen, you're gonna get that scrutiny. You know you have a whistleblower. I think that already has a heightened risk profile going for you. So I think with all of that in that fact pattern, I would make the call.

24:54 - 25:11

Brad Mroski: So Luke, obviously you specialize in cyber and data related issues and cyber and AI and data issues have really come to the forefront over the last couple of years. What are some of the unique considerations that companies need to be thinking about when they have a crisis in those areas?

25:12 - 25:55

Luke Tenery: Sure. So the art of what I say will be to not cannibalize part of the cybersecurity topic a little bit later today, but more touching on some of the crisis-related aspects, perhaps with some practical guidance there. I'll just generally say, at least though in sort of two key themes, why some of these elements from a digital perspective are of kind of heightened import beyond just what we are mostly numb to from a news media standpoint, one. Over the last year or so, even some of our critical infrastructure providers in the digital space kind of think big . . .

25:55 - 26:34

Luke Tenery: tech. Even for them we've seen play out in some cases through regulator inquiries, in other cases the news. The trend that we sort of identify from our perspective is even the tech footprint in a state has become even larger in many cases than even some of the largest tech players can protect themselves. And what's more, obviously some of the key aspects of modern enterprise are digital now. And so that sort of hybrid touch between the business issue and the tech one is oftentimes indiscernible and thus some of those issues are sort of driving some of the . . .

26:34 - 27:22

Luke Tenery: primary impacts that we are seeing play out from a modern corporate crisis perspective. And I think the other piece which I won't touch on too much other than some of the correct crisis relationship to it, but over the last year and again some of the attorneys later this afternoon, but I will give a preview in case some of you don't return after lunch. Some of the recent SEC cybersecurity rulemaking has certain notice obligations or disclosure obligations that fall into the Item 1.05, that have a host of kind of requirements to notify around certain materiality components . . .

27:22 - 27:57

Luke Tenery: of the cyber incident. And what we're seeing though around some of that driver of the incident playing out in the public are probably some of the most, as I mentioned, some of the most tangible crises that we're actually seeing playing out in the public, whereas many that you may hear, you may not even ever actually see or hear play out in the news in terms of the dynamics playing out with the regulators or from an investigation standpoint. And the reason I can say that is because over the last year with this new rule, we know that . . .

27:57 - 28:45

Luke Tenery: some firms have actually probably over disclosed with their lack of certainty in certain cases on what might constitute something that's material. But transitioning just into a few practical guidance points from what we've assessed as some of the dimensions around a modern kind of corporate crisis, particularly with the digital firm that we tend to focus on quite heavily, are really kind of five key themes that we've identified as really healthy things or good hygiene from almost taking best practices from a crisis management standpoint, but then also overlaying that with aspects of kind of the more modern or . . .

28:45 - 29:35

Luke Tenery: digital enterprise. But firstly, organizations, ones that are, and I'll just generally say too, heading into these five, we see a direct correlation between positive outcomes, both out in the news media, reputation, and then from regulator concern, when there is quality and consistency behind the communications. We know that from broader case study and also public SEC enforcement actions, there's generally problems when the victim organization or the firm that experienced a problem didn't have consistency of communications and different releases of information about a cyber incident, and then what ultimately gets disclosed from a regulatory or compliance standpoint. So . . .

29:35 - 30:17

Luke Tenery: from a top five standpoint, number one, planning. Firms oftentimes may have plans, but they're not updated. Surveying what's happening from a more recent whistleblower dynamic where that might meet the digital firm aspects of different cyber attacks. If you don't know how to respond for your organization what a ransomware event is now, and you end up having one and you're a covered entity, things will only get worse from there if you don't have a plan for some of the low hanging fruit. The other, sort of number two I would say is the dimension around materiality, as I . . .

30:17 - 31:00

Luke Tenery: mentioned. Firms, if they don't have a sense for what might constitute a material sort of digital issue for them, or digital impact issue, that again is a problem. That would sort of kind of fall into the realm of we could reasonably experience a ransomware attack and how could that materially impact our investors. Organizations literally need to have an answer for that now and integrate that into their plans. And thirdly, from a planning perspective, the communications piece is obviously key, but I think there's nuance to that. I think we can see through certain aspects of the SolarWinds . . .

31:00 - 31:50

Luke Tenery: case and others, where in terms of certain material aspects of the incident not being elevated, not just beyond the CISO, but perhaps even into other organizational circles, we'll talk about audit in a moment, or other key stakeholders around who knew what and when, what they did, what may have failed in the cyber response or other aspects of control failure. All those things oftentimes are addressed by just good communications around the right need to know. So communications will be key. Thirdly, I would just generally say from a business impact standpoint, firms, when they're thinking about materiality, one . . .

31:50 - 32:31

Luke Tenery: of the ways they do that, at least from a digital sense, is conducting what's called a business impact assessment. That may sound very straightforward, but the overall quantification around those issues has really advanced substantially over the last handful of years, especially with, some of you have probably been involved with business impact and business interruption claims as a result to cyber incidents, and those feed into good knowledge around what an organization could reasonably identify as material for them. And then I guess I think I actually converged one of my kind of top five items, but the . . .

32:31 - 33:10

Luke Tenery: final one would be drills and exercises. What was just sort of making sure we're planned and prepared, regulators and entities are very interested in, firms also that are ensuring that they're in sort of the financial lingo, controls are tested, not just present, but tested and working. And so I would just generally add that from a cyber perspective, when we're thinking about the plans that we start with, that finally that we're also practicing and planning with actual drills and preparedness exercises associated with that. If we have time, we can come back to what some of those might . . .

33:10 - 33:14

Luke Tenery: look like in the digital enterprise, but I'll pass it back to you, Brad.

33:15 - 33:59

Brad Mroski: Great, thanks for that. So Andrew, I want to circle back, I promised I would. You're the man of your word. You mentioned, you know, the process of an investigation, the SEC may come, you may be asking for the same stuff. I want to turn that a little bit in terms of what's the thought at the SEC in terms of how the quality of an internal investigation can actually affect the SEC scope and implicit in that question is the credibility of the team that did the internal investigation, and maybe you can even weave in, because I know you've got experience on what you've viewed as a good investigation versus not so good investigation. I think that would be interesting for the audience.

33:59 - 34:40

Andrew Shoenthal: Yeah. I'm a consumer of internal investigation reports. So I'm the reader, or a reader. Obviously the board may read it, and other people, but I used to write them back when I billed billable hours. And to me, it's very clear that there are some reports that are good and there are some reports that are bad. And to me, what separates the good from the bad is actually two points. First is scope. I think Rachel talked, I heard the word scope several times and she's right. When I'm reading a report which seems to either be too narrow . . .

 

34:40 - 35:19

Andrew Shoenthal: or doesn't seem to address the underlying issue or the alleged misconduct, it raises lots of questions. You know, what documents did you look at? What documents didn't you look at? Who did you talk to? Who didn't you talk to? Again, the better that the scope is finely tuned to the concerns of the board as well as the SEC, the more weighty or meaty that report is or worthwhile at least to the commission. And again, I'm not saying some reports can't be narrow in scope, but you judge the narrowness or the broad breadth of it based on . . .

35:19 - 35:53

Andrew Shoenthal: the alleged misconduct that's there. And again, if you're looking at it objectively, and I'll get into that, and you don't talk to the people that your natural sort of investigative mind goes to, the SEC is going to ask the same questions as well. And the second key thing for me at least, what separates a good report from a bad report is tone. And what do I mean by tone? Look, I have a teenager at home and so I know exactly what tone is. If you had the privilege or the honor of raising a teenager you know

35:53 - 36:35

Andrew Shoenthal: exactly what I'm meaning about tone. So to me tone hints at the objectivity of the report. To me the tone is the gestalt so to speak. My German is not as good as someone else's, but the gestalt in this case is the overall feeling and atmosphere that's infused, or the world view that's infused within the internal report. That you can pull out of it and get a sense of what was done and what wasn't done. And to me, tone signifies the internal investigations' objectivity in approaching the problem at hand. So again, a report that focuses on . . .

36:35 - 37:16

Andrew Shoenthal: the who, what, where, when, leads to a stronger why and how. If you go in initially, and I've seen this in reports, and obviously no one would admit that they do this, but when you see the why being fronted without explaining the who, what, where, when, it makes it seem as if the internal investigation was trying to back into a worldview. And I got to tell you again, the more I read it and they see the objectivity, the professionalness of it, the professional curiosity, if that is such an expression, that's in the internal report, it's worth . . .

37:16 - 37:49

Andrew Shoenthal: so much more. Because again, and I would think if you're providing this to the board or a special committee, if they're looking at it and they're asking the same questions as why didn't you talk to this person? Why was it limited in this way? Why was it, I'm gonna be asking the same exact questions. And so again, a good internal report, again I think in my view, if I can sell this, is actually cheaper in the long run for the firm that commissioned it because it probably covers much of the same ground that an investigative enforcement . . .

37:49 - 38:20

Andrew Shoenthal: attorney will do. Again, they may not check everything. They may not, you know, they may duplicate that on the record testimony, even though you did it, because obviously some key people need to be put in question. But generally speaking, the objectiveness in the tone that's expressed in the internal report is something that really makes the report either valuable or just unvaluable. I don't wanna say invaluable, because that wouldn't make sense. But that's just my view, obviously, on it. . . .

38:21 - 39:04

Brad Mroski: All right. So let me put you on a pointed question here. You could... We're going to come in. Rachel and I are going to come in. We're going to present the work we did. We're not gonna give you a report because nobody does written reports anymore but we're gonna show you a PowerPoint deck and we're gonna talk through the scope and we're gonna you know talk about all these great things we're gonna talk about the keywords that we used for electronic communication review. Is it your expectation that you know we've obviously pinpointed our keywords around the issues of the allegations. Are you expecting to see the more general fraud terms and kick the tires on, you know, did we keyword search fraud or illegal or those things?

39:04 - 39:36

Andrew Shoenthal: Yeah, I mean, look, if you want to put the word fraud through your search engine, you're probably going to get a lot of mishits. And back up the truck. Be careful what you wish for. Yeah, exactly. Be careful. I always say that, you know, if you ask for broad things, you're going to get broad responses back. So here's what I would say is, it's all based on the alleged or the alleged misconduct that you're coming to me. If it is something that appears based on your work that was pigeonholed, so to speak. It's a small group, . . .

39:36 - 40:12

Andrew Shoenthal: let's say, a small division. I can understand why you wouldn't go out from that. But if it's something that crosses multiple lines, multiple offices, it's conduct that's pervasive, then I would think, why wasn't the scope a little bit more broadened out and things like that. Again, it's an art, not a science, that's why we're doing this panel. But I will say, having sat through also a lot of presentations, the really good ones have the binder of documents, because again in my view, facts are not privileged, but we can debate that at length if you want to. . . .

40:13 - 41:09

Andrew Shoenthal: They give you the presentation and they give you a binder. And the binder has broken down by individual or by area, and it's all there. And so then I take the binder, go back to my beautiful clean office, and I start flipping through it and reading it. And then if you produce the PowerPoint to me, hypothetically, I can then try to match them together and see how it works. I don't know if that fully answers your question, but to me, again, this is not, I'm not, I don't think any staff attorney is expecting you to turn over every stone or look under in every foxhole for every potential issue at a company. But what they're looking for is knowing what you know now based on the allegations or the whistleblower or whatnot, what did you look at and does it make sense as compared to the alleged misconduct?

41:09 - 41:39

Brad Mroski: That's a helpful answer. I'll take it. Okay. Okay, we've got just a couple minutes left, but I wanted to touch on Rachel, auditors, because they're always prevalent in, you know, whether it's the digital work that Luke does, or it's the financial reporting work that I do, or, you know, how do we manage auditors as part of the process, keep them apprised enough to not slow us down, but also manage them from doing their own investigation and all the nuances that go into it.

41:39 - 42:15

Rachel Copenhaver: I think in the fact pattern that was presented, I think they're doing their own work for sure at the same time we're doing our work in connection with the whistleblower allegations. That is definitely parallel work simultaneously happening. So I think it's making sure that we can do our work and having a conversation or having a similar reporting channel, figuring out whether that's gonna be outside counsel that's been retained to look in or if we're retained through the audit committee. Is it going to be the audit committee chair that's going to be giving updates to the audit . . .

42:16 - 42:49

Rachel Copenhaver: firm that's doing, you know, wanting to check in? My preference is typically to not have that be the audit committee chair talking to the auditor. I would prefer that that be outside counsel. But having a regular cadence where updates are being given, starting out with, hey, we're being retained, focusing on the process, this is what we're looking at, these are the people, you know, I'm open to, again, these are facts, right? Being very mindful of what's attorney work product, what's gonna be privileged, but who are we speaking to? We're gonna be looking at search terms. I . . .

42:49 - 43:54

Rachel Copenhaver: have had a lot of instances where working with auditors asking, well, what search terms are you using? What are you pulling? Can I see them? Can I have whatever you're looking at? Can I have notes? And so those are conversations that you're having, but I've generally found that if you pick up the phone and give regular updates to the auditors and have, you know, a rapport and an open dialogue, that that goes a long way to having that process go, not perfectly, but to go, you know, as seamless as it can. And then when you get to those deadlines, having conversations about what needs to happen and then being very mindful of, you know, if there's a whistleblower and anything that needs to happen. I mean, and if there's an investigation in the future, you know, you might be seeing any documents or anything that you're giving to the audit firm be produced in the SEC. So you have to be very mindful of staying in your lane, getting the auditor the information that they need, keeping and protecting the attorney-client privilege and attorney work product in connection with your investigation. And . . .

43:54 - 44:12

Rachel Copenhaver: then if you're deciding you do need to self-report, just being mindful that you're being consistent with where you draw the line with privilege because if you are, you know, we can't use privilege as a shield and a sword in all these different circumstances, and if you choose to do that it will definitely come to bite you in the long run.

44:12 - 44:33

Brad Mroski: Yeah, yeah, we generally say you want you want to keep the auditors in your hip pocket. And more importantly, I mean, if there's an issue with scope from their perspective, you want to know that sooner than later so you have time to react. But 30 seconds, Luke, any thoughts from you on auditors and how you manage them in the cyber context? Because they're bringing their specialists in on those.

44:33 - 45:09

Luke Tenery: Beyond them just wanting to know what was exposed or what, who, what, when and where, they're going to do certain reasonableness checks and those generally include questions around other material aspects of the firm. If they were impacted, if they're seemingly not immediately, they want to know if they're impacted. And I think the other biggie is just confirming that there's still integrity to the financials and ensuring that whatever kind of collateral or residual risk from a particular impact didn't impact the financials also and making sure you're prepared for assurances around that.

45:10 - 45:17

Brad Mroski: Great and we are perfectly in time. Thanks very much to the panel. Appreciate it. Thank you. Thank you.

 
