The US Department of Justice (DoJ) and the SEC have in recent years ramped up corporate enforcement in the areas of cyber-security, AI, financial crime, corruption, sanctions and trade controls. This impacts public and private companies and they – along with their boards – face increasingly complex legal and compliance obligations.
SEC and DoJ priorities
The available metrics confirm that enforcement authorities are taking an increasingly aggressive approach to policing corporate misconduct. In 2022, the SEC imposed combined monetary remedies of more than $4 bn, the most in its history. The commission set another record in 2023, paying out $600 mn in whistleblower awards.
The DoJ launched its own corporate whistleblower incentive reward program in 2024 while continuing to focus enforcement efforts and resources on cyber-security, AI, anti-corruption and national security, including sanctions and trade controls.
Although their efforts have spanned many sectors, both the DoJ and SEC have particularly targeted the healthcare, technology and finance industries, with extra scrutiny of companies’ use of cyber-related tools, AI and crypto assets. Both agencies have also issued guidance stressing the importance of individual responsibility, proactive and robust compliance, responsible gatekeeping and self-reporting and effective remediation.
Notable DoJ and SEC enforcement trends also include:
- Charging individuals – The DoJ and the SEC have been aggressively investigating conduct of gatekeepers such as compliance executives, auditors and lawyers
- Increasing use of clawbacks – Section 304 of the Sarbanes-Oxley Act, SEC Rule 10D-1 and the DoJ’s compensation pilot program all provide avenues for the federal government to claw back compensation and other funds obtained illicitly by companies and individuals
- Use of sweeps – Recent enforcement sweeps have focused on off-channel communications, public company cyber-security disclosures and whistleblower matters.
Compliance: What boards need to know
One of the most effective ways for companies and boards to mitigate the risk of DoJ and SEC investigations is to implement a meaningful and effective compliance program appropriate for their company’s size, operations and sophistication.
Regulators expect companies to have a robust compliance program that functions in practice – not just on paper – and that management and directors will play an appropriate role in the implementation and oversight of compliance efforts. Although no program is perfect, companies and their boards must ensure that violations, if any, occur despite an effective compliance program, not due to a weak one.
Our top recommendations include:
- Foster a compliance culture – A compliance program should reflect an earnest, good-faith effort to prevent and remediate any identified misconduct. Businesses should set a strong tone from the top and embrace strong leadership from the middle that makes clear misconduct is not tolerated, with appropriate involvement by the board
- Be proactive – Companies should make a genuine effort to prevent corporate misbehavior before it happens. Boards should understand the strengths and weaknesses of their compliance program before they must defend it in an investigation
- Consider size and scale – Sophisticated businesses are expected to have sophisticated compliance programs, but smaller businesses should not ignore compliance. Perfection is not the standard against which any company will be measured but failing to make any effort will be perceived by regulators as an unacceptable disregard for compliance
- Build, implement and monitor internal controls to detect and prevent issues – Periodic risk assessments are now table stakes, particularly for sophisticated companies and boards. Companies need to identify, calibrate and assess both the spectrum of applicable risks and existing mitigation efforts to develop a reasonable action plan for compliance
- Promptly and thoroughly investigate whistleblower claims – Most government whistleblowers try to report internally first. Companies should create a safe space for stakeholders to report misconduct and follow up by acknowledging, investigating and remediating reported misconduct
- Make compliance everyone’s job – Warning signs of trouble can be hard to spot, but compliance leaders need not go it alone. They can and should work with partners in human resources, information systems/IT, internal audit, corporate security and finance, and check in with each other regularly. Regular reports to the board on compliance efforts will likewise signal the seriousness with which a company treats compliance, and a direct line of communication between compliance leaders and the board will be expected of large companies.
Ultimately, a culture of compliance serves as a foundation for tangible business benefits, particularly when it comes to risk management and the protection of corporate assets, personnel and revenue. Although building a robust compliance culture can be challenging and can take time, compliance improves company performance by mitigating the risk of investigation and penalties, boosting corporate reputation and achieving better operational performance through thoughtful and effective corporate governance.
Investigations: What boards need to know
Even the development of a strong compliance program cannot eliminate the risk of potential concerns. When issues arise, they must be handled quickly and effectively. The best way to deal with investigations – internal and external – is to have a game plan in place before the issue arises.
To that end, it is recommended that companies and their boards consider proactively:
- Preparing policies and procedures governing investigations that identify who will conduct (internal audit or outside counsel) and oversee (general counsel, the board, the audit committee) the investigation
- Ensuring the company has access to appropriate subject matter expertise
- Ensuring key data is accessible and retained consistently according to a document-retention policy
- Ensuring you have appropriate directors & officers insurance coverage
- Cultivating corporate relationships with enforcement authorities such as regulators and FBI field offices
- Ensuring the company’s compliance program is reasonably designed to identify and mitigate the business risks faced by the company, and that corporate compliance teams are appropriately staffed, resourced and independent.
Companies may first learn of a potential issue with the arrival of a grand jury or regulatory subpoena, a voluntary information request, a phone call from the government, a whistleblower report from a current employee, former employee or third party or – in the worst-case scenario – a search warrant.
In the event of a government inquiry or investigation, companies and directors will initially need to consider the following, among other factors:
- Whether it is in the company’s best interests to co-operate and to what extent, including whether early co-operation might foreclose or encourage a more extensive inquiry
- How to respond to government requests for tolling agreements, which essentially freeze the clock for enforcement teams, allowing them more time to investigate
- How to address burdensome requests for documents and information
- How to proactively identify and preserve relevant data and custodians
- Whether applicable data privacy and data protection laws may restrict the company’s ability to share data with regulators
- How to allocate time for proffers, interviews and investigative testimony
- Whether individuals at the company will need assistance with retaining counsel
- Whether communications with or the transmission of information to government actors, affiliates and other third parties, such as insurance carriers, could result in privilege waivers.
Once begun, corporate investigations move quickly. Companies and their directors will need to consider applicable disclosure and reporting obligations, what to relate to auditors, how best to keep the board informed, how to identify and halt continuing violations, how to contain and respond to information leaks and how best to manage publicly disclosed information.
There are many challenges to confront in conducting an effective and efficient investigation. But perhaps the most important steps a company can take should be taken before an investigation begins: building robust compliance programs, setting the right tone at the senior and middle-management levels, engaging in periodic risk assessments and compliance program updates and having a response plan in place.
Taking such steps will help companies and their directors to mitigate the risk of legal violations and to start any investigation from a position of strength rather than disadvantage.
Adam Goldberg, David Oliwenstein and Tony Phillips are partners and members of the corporate investigations and white-collar team at Pillsbury Winthrop Shaw Pittman