Director and Shareholder Virtual Meetings Require Cybersecurity
Despite COVID-19 pandemic disruptions, entities with shareholders must timely execute both director and shareholder meetings. Holding these meetings via the internet may mitigate health concerns; however, doing so raises the issue of cybersecurity.
November 24, 2020 New Jersey Law Journal
By Jonathan Bick
Jonathan Bick is counsel at Brach Eichler in Roseland. He is also an adjunct professor at Pace and Rutgers law schools, and the author of “101 Things You Need to Know About Internet Law” (Random House 2000).
Despite COVID-19 pandemic disruptions, entities with shareholders must timely execute both director and shareholder meetings. The legal duty to conduct meetings has not been altered by prohibitions on gatherings. Holding director meetings and shareholder meetings via the internet may attenuate meeting difficulties while mitigating health concerns; however, doing so raises the issue of cybersecurity.
Complying with federal securities laws, applicable state laws and traditional corporate governance practices normally results in in-person directors’ meetings and shareholders’ meetings. Such meetings have been discouraged by pandemic regulations. Suitable use of existing technologies, and amendments in entity procedures and governance documents, allow internet communications to be lawfully integrated into director meetings and shareholder meetings to overcome COVID-19-related difficulties, including “social distancing” requirements and bans on large gatherings. The use of said internet communication means that cybersecurity has become an urgent concern for companies.
Shareholder meetings are held predominantly to choose directors. Director meetings primarily address running the firm. Shareholder meetings and director meetings each have separate meeting requirements. The internet may be used to facilitate both director and shareholder meetings exclusively held through electronic means, and without any in-person component. However, recent data breach difficulties have demonstrated that officers and directors must take commercially reasonable cybersecurity precautions, or they may be exposed to individual liability.
The law of a company’s state of incorporation combined with a firm’s governing documents—usually the bylaws—will determine if a firm may lawfully conduct meetings via the internet. For public companies with shares registered with the Securities and Exchange Commission, additional rules govern requirements for filing and delivering proxy solicitation materials for internet meetings.
Some of the prerequisites for both shareholder and director meetings are similar with respect to adopting a virtual meeting format. For example, firms must have appropriate technical and security capabilities to ensure that virtual meetings have comparable standards to physical meetings (such as participant verification, record keeping, etc.). Furthermore, the virtual meeting participants should have a comparable opportunity to participate as traditional meeting participants.
The requirements for conducting internet meetings vary among the states. COVID-19 inspired rules, regulations and statutes have temporarily made authorization and execution of virtual shareholder and director meetings easier than under normal circumstances.
More than 20 years ago, Delaware law authorized internet shareholders meetings. More specifically, Section 211 of the Delaware General Corporation Law allows a board to hold meetings via “remote communication” if authorized by an entity’s certificate of incorporation or bylaws.
Amendments to business law statutes, e.g., N.J.S. 14A:5-1, now authorize “cyber meetings.” Like Delaware, New Jersey requires trustworthy communications. Until recently, the New Jersey Business Corporation Act required that shareholders have the ability to participate in meetings by electronic means to the same extent that a corporation’s board of directors had the ability while still requiring a physical meeting to be held. On March 16, the requirement of a physical meeting was temporarily eliminated. However, the enabling statute provided that a corporation’s board authorizes the format and provides guidelines to shareholders regarding participating in the approved format.
Similarly, in March, New York enabled virtual-only meetings by temporarily eliminating certain statutory requirements that certain meetings of shareholders be held at a physical location. These changes resulted from amendments to the New York Business Corporation Law, which had permitted shareholders of New York corporations who are not physically located at a meeting to participate via electronic communication.
Statutes enabling internet meetings usually have communications requirements. For example, Delaware requires “remote communication,” subject to three conditions: first, the identity of each person deemed present must be verified, as well as said person’s authorization to vote at the meeting; second, reasonable technological measures must be implemented to ensure that participation by attendees is “substantially concurrent”; and, third, a record is made of said participation.
Most other states that do not specifically provide for internet meetings have taken appropriate actions to temporarily allow remote director and shareholder meetings. Similarly, the SEC has issued guidance indicating that if a corporation is subject to the reporting requirements of Section 13(a) or 15(d) of the Securities Exchange Act of 1934, a corporation’s board may amend legal meeting necessities by filing a publicly available document with the Securities and Exchange Commission, for example, by filing a Form 8-K, issuing a press release and subsequently posting it on the firm’s internet site.
Internet meetings are more susceptible to technology-based fraud than traditional meetings. Traditional meetings allow participants to identify each other and to assess which participant is responsible for each meeting comment. Internet techniques commonly known as “spoofing” (the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source) and “phishing” (messages that appear to be sent from a legitimate company’s website or domain address, but in fact are not) result in email identity fraud. Internet server hacking (invasion) may result in fraudulent impersonations.
Even when participants of an internet meeting have accurately identified each other, the internet meeting platform controller may serve different images and sound communications to each participant, thus fraudulently misrepresenting the intent of participants. Similarly, the internet meeting platform controller may serve different results of meeting votes to each participant, thus fraudulently misinforming participants. Officers and directors may ameliorate most of said difficulties by minimizing cybersecurity-related risks for their organization.
Some best practices and steps that officers and directors should take include reviewing with the internet meeting provider vendor the ways in which shareholders can join the annual meeting and participate. Internet meeting provider vendors usually provide a variety of management and control options. For example, guests may be given “view only” access, which allows them to see and hear a meeting. Questions from shareholders would be submitted in a chat function.
Other steps might include: forming a committee to advise executives and boards; preparing standard operating procedures related to cybersecurity; and periodically conducting an internet meeting risk assessment. Additionally, in order to ensure that an organization has appropriate procedures related to internet meetings, officers and directors should be educated on cybersecurity policies.
Finally, a review of the firm’s technology infrastructure for data security and information management, to ensure that it is current and updated regularly (anti-virus and anti-malware software, encryption, etc.) for internet meetings, should be part of the agenda at board meetings. This review should include an acceptable cyber-incident response plan, and ensuring that it is updated and practiced.
Some features of internet meetings are common to both director and shareholder meetings. In particular, the internet can be used to facilitate voting and meeting-related communications. Internet proxy voting, internet direct voting, internet meeting notices (N.J.S. 14A:1-8.1 permits certain notices to shareholders to be given via the internet), and meeting transactions are elements of both director and shareholder meetings.
Such features require trustworthy communications, since the authentication of votes cast, confirmation of the identity of the internet speaker and the trustworthiness of corporation-sponsored internet facilities are common to both director and shareholder meetings. The internet’s traditional approach to communication is based on a client-server model of interaction; communicating parties establish a relationship and then proceed to transfer information where data contained within IP packets are transported along a single path.
Regrettably, this approach is easily subverted by using proxy servers that enable one party to fraudulently represent itself as another. However, this issue may easily be ameliorated or eliminated by the use of Named Data Networking (NDN) architecture, which prevents the use of proxy servers by naming the data instead of its location (IP address). NDN transforms data so as to allow trustworthy internet communications.
Normally, the internet secures the communication channel or path between two communication points (with or without encryption). However, NDN and related content-centric networking (CCN), combined with content-based networking, data-oriented networking or information-centric networking (ICN), are being used by some firms and are likely to be used increasingly for internet meetings when cybersecurity is required, such as at director and shareholder internet meetings.
This approach allows the decoupling of trust in data from trust in hosts and servers, enabling trustworthiness beyond encryption. Today, however, an entity worried about fraudulent internet directors and shareholders meetings need only change its entity governances to require that strong encryption be used for its internet meeting communications.
Director and shareholder meetings are considered differently by the courts; nevertheless, both require cybersecurity to provide the same level of security as traditional meetings. Company internet meeting rules have been considered by the courts and codified by legislatures for more than two decades, and from the beginning cybersecurity was required.
Most laws and cases dealing with entity governances that allow internet meetings require assurance that certain reasonable cybersecurity measures are employed so as to ensure that an internet meeting will be substantially as secure as a traditional meeting. Due to the continued development of the internet, most statutes do not set forth the precise nature of those cybersecurity measures. However, reasonable measures to ensure cybersecurity for an internet meeting most likely include the following: proper notice of the internet meeting, including acceptable instructions detailing how to participate; prior consent to using the internet meeting format from all the participants; sufficient internet communication security to ensure the participants’ communications and voting are trustworthy; all participants are able to hear and concurrently speak with one another, as well as participate in all meeting matters; and securing evidence that an internet meeting is allowed by appropriate legislative statute and entity governance.