Ronald Wood, managing director, Major, Lindsey & Africa, Michelle Oroschakoff, managing director and chief legal officer of LPL Financial, Ashwin Ram, partner at Steptoe & Johnson.
Along with a new administration coming into office at the start of 2021 came changes in policy and regulatory priorities. Michelle Oroschakoff, managing director and chief legal officer of LPL Financial; Ashwin Ram, partner at Steptoe & Johnson; and Ron Wood, managing director at Major, Lindsey & Africa, look at how these priorities are impacting the legal landscape.
Since the Biden administration has come into office, have you seen any priority shifts or regulatory actions that have directly affected, or are likely to affect, your clients’ businesses, and if so, is the affect likely to be positive or negative, and how big is it likely to be?
Michelle: What we think will happen is that the Biden administration’s priorities will play themselves out through regulatory appointments and the regulatory agencies. Among the areas where we believe you’ll see the most impact in financial services is more focus on:
- Consumer protection and enforcement priorities, making sure that firms are transparent about the fees they charge and their conflicts of interest. This is a continuation of what the SEC has traditionally been concerned about; that was a priority under the prior administration as well.
- Cybersecurity and privacy, especially with the rise of ransomware attacks. Regulators expect firms to safeguard data and be transparent about incidents. Of course, the issue of whether to pay or not pay with respect to ransomware continues to be part of that focus.
- Making sure environmental, social and governance (ESG) topics are treated properly, requiring public companies to disclose their ESG practices and then ensuring that the asset management industry is following and living up to the ESG claims that they market.
Ashwin: First, we expect an increase in investigations and enforcement. The underlying current for this investigation and enforcement expansion is going to be data. The government has been slicing and dicing data in different ways for decades, but I think we’re going to see a concerted effort to not just aggregate data, which has been happening, but to also meaningfully dissect it and be able to meaningfully deploy data analysis in investigations and prosecutions.
Should there be an investigation of a particular company? Are there problematic sectors where industry practice itself is a gray area? We’ve already seen this playbook in the healthcare space, for example. And more recently with the PPP program from the SBA, in the context of disaster relief loans. The government took a page out of its SIGTARP book from the 2008–2009 financial crisis, and instead of focusing on banks, it focused on entities and individuals who received SBA and PPP funds. There’s currently over a hundred prosecutions in the U.S. involving PPP funds. The next wave of investigations will focus on outlier corporate and individual decision-making on whether a loan was necessary or not. But the overall point is that data is going to be essential to the current administration’s priorities.
Ron: All day, every day we are talking with law firms about growth needs, priorities and just general market trends. At the same time, we are constantly engaging with professionals, both at the partner and the associate levels. From a partner perspective, just to echo some of the things that you’ve heard from both Michelle and Ashwin, we’ve had demands for data privacy and cybersecurity talent for probably the entire two years that I’ve been here; it’s a very high priority. Some firms find themselves on the short end of talent, either because they never built it in in the first place or because they’ve determined that it has become such a critical part of every matter, not only on the litigation side but on the corporate side, that they just have to strengthen their bench. So, we’ve seen a lot of movement there.
Similarly, Michelle talked about ESG, and that has become a very big practice area in the span of six months. There are approximately three firms nationally that have really driven demand. Other firms are now starting to look at those firms as market leaders, and some firms at a lower level are starting to express some interest in ESG. But these three firms are just laying out big numbers to get good quality talent.
Similarly, healthcare is a broad topic. It can refer to provider groups like doctor groups or facility operators, but it also extends over into things like pharmaceuticals, medical devices and life sciences. If there are two practice areas that are driving the world, it’s private equity and life sciences. Put them together and there’s a huge demand for that. We have seen demands for litigation and corporate people all up and down the scale in everything that touches the healthcare system.
How are you seeing your organization and/or clients address ESG requirements?
Michelle: When you think about the ratings agencies, which have developed to give companies ESG scores, which are now increasingly important to investors, one of the things that those ratings agencies do is look at your publicly available information. You could be doing a ton of good work, but if it’s not publicly available, no one’s going to know about it except for the people inside your company.
So, what you’re seeing is companies are being more deliberate about how they approach and report on ESG issues and developing strategies for making incremental improvements in each of the areas over time. They are also focusing on how they are documenting what they’re reporting to make sure that what they are saying publicly is accurate. We’ve been focused on making sure that we have a consistent, coherent message that we provide through our annual sustainability report and other publicly available information, such as our proxy statement. Our head of marketing and corporate communications is responsible for our ESG program. She’s a senior executive and she reports on our efforts and progress to our board, which oversees our program.
Ashwin: Institutional and individual investors alike are focused on ESG. So, it is important to understand the role and significance of ESG, which is more than just a means to identify material risks or growth opportunities that a company would need to potentially disclose in financial reporting—which investors would like to know. Proactively thinking about ESG involves understanding how you are part of an overall ecosystem in terms of our hiring decisions, diversity and inclusion, and investment priorities. ESG impacts our overall ecosystem as lawyers representing companies and investors. So, it is woven within the fabric of everything that we do and has a major impact.
As Ron said earlier, there are a couple of firms that are just ahead of the curve here with ESG. However, it’s more than just a niche practice. ESG should be and will soon become a part of everyone’s practice in certain respects because you’re going to see it whether you’re on the regulatory, transactional or even litigation side of the house.
Ron: ESG predates the administration and is not necessarily a feature of that or a policy change. It is something that originated organically within law firms because of the broader social community and companies that want to be good corporate citizens.
So, ESG is not necessarily a legal practice; it is, as Ashwin said, a way of identifying risks in areas that people are now principally invested in. Good citizenship may suggest that we treat each other equitably and fairly and morally, and there are ways that lawyers can help guide clients in either their disclosure or their internal practices that make them stand out—or at least not attract the wrong kind of attention.
Truthfully, it’s more of an advisory business than an actual practice, but enough people are interested in building that, so we anticipate that that’s going to be an ongoing growth area for the lateral market for the foreseeable future. It may eventually catch up to more important practices like data [privacy], which started out very slowly and has been a conscious feature of the landscape for a while. (It’s only been in the past two or three years that people have really begun to chase after data talent.)
What are some of the trends and actions you are seeing regarding complying to data and the privacy regulations?
Michelle: I’d say there are issues on a number of fronts. One is the fragmented regulatory landscape; it would be good to be unified under a national data protection act of some sort. Financial services and healthcare are both industries that have access to a lot of personally identifiable and important information for consumers, so we have to be especially careful in protecting that information. California has led the way with respect to consumer privacy, passing the California Consumer Privacy Act a few years ago and really setting the bar nationally. (We are a company that has a lot of operations in California and has one of our headquarters here in California.) Now, we would love to see a national standard for data privacy because when different states are passing their own versions of the same rules, it becomes hard for national companies to be adjusting their practices frequently to be in compliance with each different state.
The other is this war for talent, both on the technical side and on the legal-regulatory side. It’s difficult to recruit data scientists, as there’s a huge demand for people who have technical expertise in data protection. We’ve also found that it’s increasingly challenging to recruit chief privacy officers and people in the legal field who understand what all the rules and regulations are in our heavily regulated industry. Then there is the technical side. You need talent who can protect the data and make sure that we have good cyber defenses. Anyone who’s paid attention over the past 15–20 years would tell you the threat landscape is always evolving.
Which leads to the third thing, which is making sure that your defenses remain robust and that you as a company stay in front of it, not only on your behalf but also for all your vendors. Once you’ve gotten good at addressing one particular area, the bad guys move on to something different. Ten years ago, the big thing was distributed denial of service attacks and how to be prepared for those. While those are still an issue, now ransomware is more of an issue than it was. So, we always have to be thinking about what the landscape looks like and whether we have the right protections in place.
Ashwin: Michelle focused on the legal and regulatory side, with California’s recent privacy pronouncements, which are shifting into focus still. On the cyber intrusion front, 10 years ago, I suspect most companies, including governments, didn’t have robust cyber intrusion plans. At the time, I think people had been talking about the next greatest threat to the existence of nation states in a post-nuclear world would be cyber-attacks. That’s going to continue to be true for decades to come, but only more recently have government, municipalities and companies coordinated to a meaningful degree. All those things are going to continue to be incredibly important regardless of administration—this is one of the unique areas where you have a constantly growing area of focus regardless of the administration in place.
From an enforcement standpoint, the use of data is dramatically changing. Over the last few years, data has been driving investigations. Whether it’s trading patterns or billing records for healthcare providers, there are groups of analysts working for different government agencies who are tasked with querying publicly available—and some not publicly available—databases to look for outliers.
For example, say you are the number three biller in the country for a particular diagnostic code and it turns out you only have two people in your clinic who perform that particular service within your hospital. An analyst will say, that’s a data outlier. Why is this provider number three in the entire nation for this diagnostic code for this health procedure? It doesn’t make sense. So, the analyst will refer the case to an agent and the agent will look at it. All of this ultimately comes from the use of data. Note that this is different than merely collecting certain data because too much data that is not meaningfully organized or interpreted could literally paralyze an investigation. So, the challenge is effectively leveraging data to advance an investigation. This is different than the legal-regulatory side of data privacy that we’ve been talking about it. Now we’re talking about how the government and essentially law enforcement entities use data to build a case. This trend is likely going to continue to be leveraged under the Biden administration, maybe even more aggressively than prior administrations.
Going back to our original point about an increase in the overall number of investigations and prosecutions, I think we’d be remiss if we didn’t talk about how the modern investigation has changed dramatically in the past 25 years. Printed emails or type written correspondence are not driving investigations any more. It’s all terabytes and terabytes of data, emails, financial records, etc.—and no one human or even groups of agent teams could ever go through the entire discovery from a case by manually flipping through the pages. So, we’re in a situation where many of the investigations that you see and hear about in the news involves overwhelming volumes of data that require special tools to analyze and understand. You’re using artificial intelligence or other searching techniques to defend and make a case, so the way in which we fundamentally deal with data has changed. That impacts investigations in a number of ways, including thinking about how we store and protect data, government intrusions and attorney-client privilege issues.
The big picture point here is the way in which data is being used in investigations is dramatically changing, and the complications and issues it raises are potential opportunities for people being investigated to leverage to help favorably conclude investigations.
How are you seeing organizations be held accountable for compliance with these regulations?
Michelle: The SEC is focused on making sure that they have a rigorous and robust enforcement program in place. That’s something that we support. It appears that their focus is on identifying and deterring particularly egregious conduct that would cause a large amount of harm to investors.
Ashwin: If you look at Lisa Monaco’s speech from the end of October 2020, talking about corporate enforcement priorities, there are some fundamental changes that are happening between the Trump and Biden administrations. One is this notion of what is sufficient or effective cooperation. The calculus changes depending on how cooperation is evaluated and assessed. So does the risk reward analysis underlying the benefits of cooperation. If you have to completely lay out every potential improper practice that may have been uncovered from your investigation, even if it’s not within the core scope of the government’s initial inquiry, that makes the decision whether to cooperate more complex.
The reason that’s so important is because the government has finite resources. If everyone said they weren’t going to cooperate, the system would literally shut down, absent a massive expansion of the enforcement resources currently in place. So, it’s one thing to say we’re going to be more aggressive. There’s going to be an increase in prosecutions and investigations. We’re going to leverage data. We’re going to do all these things. But if there are insufficient rewards for a company’s cooperation, it changes the calculus. In the short run, what that means is there’s essentially a lot more work to do in the investigations/enforcement space for companies and their counsel. In the longer term, there has to be an ebb and flow because of government resource constraints and related considerations.