2025 is poised to be one of the strongest years thus far for cyber mergers & acquisitions (“M&A”). Although there have been relatively fewer deals than in recent years, deal value has spiked thanks to the comeback of megadeals, with deals announced this year including the $32 billion acquisition of Wiz, Inc. by Google LLC and the $25 billion acquisition of CyberArk Software Ltd. by Palo Alto Networks, Inc. The cyber industry—encompassing cybersecurity software, managed security services, threat intelligence, and related technology—has become a focal point for M&A activity as digital transformation accelerates and cyber threats proliferate. It has rapidly evolved from a niche technology vertical to a core pillar of enterprise risk management and digitization. As cyber threats escalate in frequency and sophistication, and as regulatory scrutiny intensifies, the M&A market for cybersecurity companies has become one of the most dynamic and strategically significant in the global deal landscape. The sector retains outsized strategic importance even as overall global M&A volumes fluctuate. As the value and risk profile of cyber assets differ markedly from those in other sectors, deal terms in cyber M&As have evolved to address unique challenges. This short article offers a glimpse at some of the more distinctive considerations behind the contractual provisions shaping cyber industry deals, highlights key trends, and provides a forward-looking perspective for the last quarter of 2025 and beyond.
I. Cyber M&A Risk Profile
Unlike many other sectors, cybersecurity M&A is defined by the centrality of cyber risk—both as a value driver and as a potential deal-breaker. Cyber companies present a unique blend of opportunities and risks. Their value is often tied to proprietary technology, intellectual property (“IP”) assets, sensitive data, and the ability to maintain trust in the face of evolving threats. Buyers are acutely aware that the value of a cybersecurity target is inextricably linked to its own security posture, the integrity of its products, and its ability to withstand regulatory and reputational scrutiny. Unlike more traditional manufacturing or service businesses, cyber targets may have:
ongoing obligations to protect customer data and comply with a patchwork of global privacy laws
exposure to latent liabilities from past or undetected breaches
a customer base that is acutely sensitive to security incidents and regulatory scrutiny
These factors drive a different approach to diligence, risk allocation, and post-closing integration, which is often reflected in the deal terms negotiated by parties. Ultimately, cybersecurity M&A stands apart in that the very risk it seeks to manage lies at the core of the transaction itself.
II. Distinctive Aspects of Cyber M&A Purchase Agreements
A. Diligence and Disclosure Schedules
Cyber deals feature more extensive and technical disclosure schedules. In addition, a tiered approach to diligence is usually introduced, ranging from external vulnerability scans to intensive, tech-facilitated assessments of a target’s systems, codebase, and incident history. This is far deeper, more technical, and more rigorous than the standard diligence applied in most other tech or industrial deals. Sellers are expected to provide, among other things:
detailed inventories of data assets, security certifications and compliance reports
lists of all past and pending security incidents or breaches, regardless of materiality
descriptions of third-party vendor relationships and their security postures
documentation of software development practices, including open-source software (“OSS”) usage and vulnerability management
This level of disclosure is usually less common in non-cyber deals, where diligence may focus more on financial and operational matters. Simply put, the presence of unresolved vulnerabilities or a history of data incidents can materially impact valuation or even scuttle a deal.
B. Enhanced Representations and Warranties
In cyber M&A, certain representations and warranties (“R&Ws”)—particularly those addressing information technology (“IT”) and privacy and data protection, which are becoming much more prevalent in other deals as well—are receiving heightened attention and expanded scope. These provisions often address:
compliance with applicable data protection laws (most notably, the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the California Consumer Privacy Act of 2018 (“CCPA”), and sector-specific regulations)
implementation and maintenance of “industry best practices” or “industry standard” security measures
absence of material data breaches or unauthorized access incidents
Cyber transactions frequently go further, demanding detailed disclosure and rigorous scrutiny of past incidents, third-party security audits, penetration-testing results, information on unresolved vulnerabilities, bug-bounty reports, incident response protocols, and remediation timelines. This level of specificity has become standard for significant cyber targets, and it often becomes a central point of negotiation given the risk of concealed vulnerabilities.
C. Indemnification
1. Survival Periods and Carve-Outs
Given the potential for latent cyber liabilities, buyers often negotiate longer survival periods for key nonfundamental R&Ws, such as those regarding IP, IT, and privacy and data protection—usually extending well beyond the customary twelve to eighteen months for general R&Ws.[1] In tech and cyber deals specifically, it is increasingly “market” to see “fundamental” rep treatment for those R&Ws, with survival periods at times matching those for due organization, authority, and tax matters. Carve-outs from indemnification caps for breaches of IP, IT, and privacy and data protection R&Ws are also more prevalent, covering undisclosed breaches, material unremediated vulnerabilities, and OSS license infringements, among other issues.
2. Special Escrows and Holdbacks
Data shows that parties are moving toward more surgical risk finance—smaller general escrows, plus targeted escrows and/or R&W insurance.[2] Buyers in cyber M&A tend to require a separate escrow or holdback specifically for data breach or privacy claims, with carefully calibrated escrow sizing that is more tightly linked to known risk items.
D. Post-Closing Integration and Talent Retention
Successful integration of cyber targets requires not only technical alignment but also retention of key personnel. The global shortage of cybersecurity professionals—estimated between 2.8 million and 4.8 million in 2025—remains a key challenge for both buyers and sellers. Buyers are purchasing not just technology, but also teams with deep domain expertise, making retention and integration strategies critical to deal success. Deals often include bespoke retention packages, noncompete clauses, and pre-closing as well as post-closing covenants to maintain research and development talent and other key employees.
III. Emerging Trends
A. Increasing Regulatory Scrutiny and Globalization
The regulatory environment for cyber companies is becoming more complex, with new laws in the United States, the European Union, and other jurisdictions imposing stricter requirements and higher penalties for data breaches. High-value cyber targets (or those with customers in critical infrastructure or government) face elevated regulatory scrutiny, including antitrust reviews and national security processes. Buyers often layer conditions precedent and “long-stop” dates around such reviews or offer reverse termination fee structures to hedge regulatory risk. The increasing national-security sensitivity around identity, secrets management, and infrastructure protection means counsel must factor regulatory timing into both the purchase agreement and the integration timetable.
B. Escalating Threat Landscape
The frequency and sophistication of cyberattacks continue to rise, with ransomware, supply chain attacks, and zero-day vulnerabilities making headlines. The rapid adoption of artificial intelligence (“AI”) and machine learning in cybersecurity tools is creating new opportunities—and new risks. While advances in AI enable streamlining threat detection and accelerating incident response, they have also empowered cybercriminals to deploy increasingly sophisticated, multistage attack strategies. Buyers are responding by requesting “materiality scrapes,” demanding more granular disclosure of security incidents, and requiring third-party cyber risk assessments, OSS audits, and general source code scans as closing conditions.
C. Continued Consolidation
Strategic buyers are continuing bolt-on consolidation—consolidating capabilities across key domains, such as cloud security, exposure, and identity management. This is driven by enterprise demand for integrated security stacks and AI-enabled controls, presenting such buyers with the opportunity to position themselves to meet evolving enterprise needs and capitalize on cross-platform value. Expect larger platform builds through 2026, which will mean more complex purchase agreements focused on customer-assignment mechanics.
D. Supply Chain and Third-Party Risk
Recent high-profile supply chain attacks have underscored the importance of third-party risk management. Buyers are increasingly scrutinizing the target’s vendor relationships, contractual protections, and incident response capabilities. Expect to see more:
R&Ws and covenants addressing third-party risk management frameworks
indemnification carve-outs for breaches arising from vendor failures
post-closing integration plans focused on supply chain security
Conclusion
Although cyber deals still look like tech deals on paper, the bargaining levers are increasingly cyber-native. The industry’s unique risk profile is reshaping M&A deal terms, with enhanced and special R&Ws, bespoke indemnification structures, targeted escrows, and rigorous diligence becoming the norm. Counsel who anticipate those items—and who can translate technical evidence into crisp contractual mechanics—will be the ones who close deals cleanly and preserve value for clients. As regulatory scrutiny intensifies and the threat landscape evolves, parties must stay agile, adapting contractual provisions to address emerging risks, from AI to supply chain vulnerabilities. For deal lawyers and other legal practitioners, understanding these trends and the data behind them is essential to navigating the world of cyber M&A—a dynamic, high-growth sector driven by structural demand, platform consolidation, and continuous innovation—in 2025 and beyond.
This is the tenth installment in the Year in Governance Series from the In-House Subcommittee of the ABA Business Law Section’s Corporate Governance Committee. Each month, the series will share key tips on a different corporate governance topic. To get involved in the Corporate Governance Committee, please visit the committee’s webpage.
A message from Kathy Jaffari: “As Chair of the Corporate Governance Committee, I would like to extend my sincere appreciation to the authors for this publication. The Corporate Governance Committee has ongoing opportunities for writing and volunteering with various projects, whether it’s an article you want to publish or a CLE that you want to present. Our Committee is dedicated to helping you promote informative resources for corporate governance practitioners. You may contact me at [email protected] to get involved.”
Special Committees of the board of directors serve an important governance function by preserving the integrity of the decision-making process when potential conflicts of interest arise or a director’s independence may be compromised. The effectiveness of Special Committees depends on appointing the right directors and establishing a thoughtful process. Here are ten tips to think about when forming a Special Committee.
Purpose. Special Committees are often formed when there is a potential conflict of interest or for matters that require a specialized focus. Composed of a subset of the board, these committees assume special duties for a limited duration, with the goal of creating an unbiased decision-making process. Example topics addressed in Special Committees include transactions involving a controlling shareholder, investigations of management’s conduct related to violations of the company’s code of conduct, or an unplanned CEO succession.
Formation and Authority. Special Committees are typically formed through delegation by the board in accordance with state corporation laws, organization bylaws, and other corporate governance documents. Responsibilities should be properly delegated and memorialized. Note that there are certain responsibilities that are nondelegable under state law, including authorizing dividends, issuing stock, and amending or repealing bylaws.
Who, When, What. Three threshold topics to consider when forming a Special Committee are (a) who should be on the Special Committee, (b) when they should meet, and (c) what will be discussed. These three considerations are interconnected. The right committee members will influence the meeting structure; the meeting structure will depend on the anticipated discussions; and the anticipated discussions will inform who should be included on the committee, with independence as a critical consideration. Strategic alignment across these three dimensions is crucial for the committee’s effectiveness and credibility. A Special Committee related to CEO succession will likely require a more significant time commitment than one focused on a related-party transaction.
External Advisers. Depending on the topic, it’s common for Special Committees to retain external advisers, including financial experts, outside counsel, and public relations firms. Independence is also a critical component when selecting advisers. While prior relationships with the company or the company’s directors and officers can be helpful in general engagements, they may be harmful when looking for an unbiased perspective.
Intentional Process and Recordkeeping. Actions of a Special Committee are often heavily scrutinized. Given this, it’s imperative to be intentional in the process of setting up the committee, ensuring proper communications, thoughtful materials, and independent advice. Be sure to keep not only records of the committee meetings (in the form of minutes) but also records related to committee membership determination, committee communications, and vetting of external advisers.
Committee Competence. Courts consider the composition of a Special Committee to be of central importance. Remind committee members that they have the same director fiduciary responsibilities when they sit on a Special Committee as in the rest of their board service. In fact, decisions made by a Special Committee can have a higher risk of being subject to litigation. Committee members should have relevant expertise and experience related to the matter at hand, so their participation is not questioned. And don’t discount the importance of good working relationships: mutual respect among the Special Committee members is essential to foster open dialogue, constructive debate, and collaborative decision-making.
Compensation. Consider the time and effort both during the Special Committee meetings and the homework required throughout the process. It’s common to provide directors with additional fees above their regular director compensation, either in the form of flat fees or meeting retainers. The chair of the Special Committee may receive additional compensation given the additional leadership responsibilities. It’s helpful to discuss compensation considerations with outside advisers to minimize any appearance of conflict.
Standard of Review. Decisions by the board of directors are typically reviewed under the business judgment rule, under which the assumption is that the directors acted in good faith, on an informed basis, and in the best interest of the company and shareholders. Courts have applied a higher standard of review, the entire fairness standard, if it appears that a director is conflicted in the decision-making process. However, creating a Special Committee in which the conflicted director is excluded from the process can shift the standard of review back to the more deferential business judgment rule.
No Charter, Typically. Unlike standing committees of the board, Special Committees of the board do not often have charters. Instead, the rules and responsibilities are determined by the board through delegation, and the members of the committee are appointed by the board through a formal approval process ensuring consideration of any conflicts. The delegation of authority should also provide clear direction on the use of external advisers and additional compensation.
Communications and Interactions. Provide clear guidelines related to interactions among the members of the Special Committee, its advisers, and the board to protect the independence of the Special Committee. The Special Committee should avoid interactions with conflicted directors or members of management on matters in the purview of the Special Committee unless necessary. These guidelines should be communicated to all participants in the process. Maintaining clear boundaries in communications and interactions protects the decision-making process by ensuring objectivity.
The views expressed in this article are solely those of the authors and not their respective employers, firms or clients.
This is the second installment in a series on damages available for intellectual property (“IP”) claims, focusing on patent damages. Understanding damages is essential for two reasons: it highlights the potential rewards of building a robust IP portfolio, and it offers a benchmark for assessing risk when facing an IP claim. Our previous article addressed trademark damages.
Patent Infringement
Patent infringement is an unauthorized act that relates to the making, using, selling, or importing of an invention for which a patent has been issued, as stipulated by the Patent Act.[1] Section 271 of the act delineates several types of infringement, including direct infringement and indirect forms such as inducement and contributory infringement. Enforcement of these provisions has been influenced by the Leahy-Smith America Invents Act (“AIA”), which also introduced new post-grant proceedings affecting infringement disputes.
Patent Damages
Under the Patent Act, patent owners may seek to recover damages adequate to compensate for infringement.[2] The court may allow damages in the form of recovery for (1) lost profits, (2) reasonable royalties, and (3) treble damages (in cases of willful infringement). The Patent Act provides that a court should award a successful claimant damages “adequate to compensate for the infringement, but in no event less than a reasonable royalty for the use made of the invention by the infringer, together with interest and costs as fixed by the court.”[3] The Patent Act does not limit damages to certain types, and a judge can award other types of damages that may be appropriate under the facts of the case.
Damages are a question of fact; thus, juries can decide damages, but judges will do so if the case is not before a jury. Courts have significant levels of discretion when it comes to applying the above methods and determining how much to award in damages. Nonetheless, courts have developed equitable methods in an effort to balance compensating a successful plaintiff for losses while simultaneously avoiding windfalls.
Lost Profits
Damages for lost profits compensate a patent holder for profits it would have made had its patent not been infringed. Being awarded damages for lost profits requires a plaintiff, with some degree of specificity, to show a nexus of causation between sales lost and the infringement, meaning that the plaintiff must show that the infringement was the cause of the decline in sales.
For years, the lost profits calculation has been based on the four Panduit factors, delineated in Panduit Corp. v. Stahlin Bros. Fibre Works.[4] The four factors are the (1) “demand for the patented product,” (2) “absence of acceptable noninfringing [alternatives],” (3) capacity to exploit the demand, and (4) amount of profit the patentee would have made.[5]
Under the second prong, a patent owner may rely on proof of its established market share rather than proof of the lack of an acceptable noninfringing substitute. A showing under Panduit permits a court to reasonably infer that the lost profits claimed were in fact caused by the infringing sales, thus establishing a patentee’s prima facie case with respect to “but for” causation. A patentee need only show that there was a reasonable probability that the sales would have been made “but for” the infringement. The burden then shifts to the infringer to show that the inference is unreasonable for some or all of the lost sales.
Reasonable Royalties
A reasonable royalty is an amount that would have been paid to a patent holder had the patent holder given the infringer a license to sell the patented item. A common approach used to calculate a reasonable royalty is the “hypothetical negotiation,” which attempts to ascertain the royalty upon which the parties would have agreed had they successfully negotiated an agreement just before infringement began.
Often, reasonable royalties are calculated when the patent holder cannot prove the elements necessary to establish entitlement to lost profits. Courts look to several factors, as outlined in Georgia-Pacific Corp. v. United States Plywood Corp.[6] These factors include past and present royalties received by a patent holder for the patent at issue, the rates paid by the infringer for the use of similar patents, a patent holder’s policies and practices regarding the grant of licenses to its technology, the commercial relationship between the two parties, the patent’s profitability, the patent’s usefulness as compared to older models of similar technology, and the extent to which the infringer used the patented product and the value of that use. These factors, among others, are often established by expert opinion.
Treble Damages
Treble damages are designed as a punitive or vindictive sanction for infringement that is willful, wanton, malicious, bad faith, deliberate, consciously wrongful, flagrant, or the like. In these instances, under the Patent Act, a court may increase the damages up to three times the amount found or assessed.[7] Courts tend to award the maximum amount only when the infringement is egregious.
To prove treble damages, a plaintiff needs to show clear evidence of willful conduct by the infringer. Even if a plaintiff proves willful infringement, enhanced damages are not guaranteed; such a decision is at the discretion of the court.
Summation
Patent infringement damages are designed not only to compensate a patent holder for actual harm but also to deter willful violations of patent rights. By tailoring awards to the nature and severity of the infringement, courts strive to strike a balance between fair compensation in the face of infringement and the promotion of innovation.
* * *
Please tune in next month for part three of our series, in which we will discuss copyright damages.
When an insured is pursuing a representation and warranty insurance (“RWI”) claim, a critical consideration is whether diminution in value damages (“DIV Damages”) can be asserted as Loss covered by the RWI policy.[1] This article, being published in four parts, discusses Delaware mergers and acquisitions (“M&A”) damages law regarding DIV Damages and describes how an insured can pursue them as part of an RWI claim.
This is Part IV of this article; it discusses the limitations on, and other matters regarding, a DIV Damages award as part of an RWI claim. Part I of this article addressed (i) the principal differences between DIV Damages calculated using a multiple of EBITDA methodology (“MOE Methodology”) and DIV Damages calculated using a discounted cash flow methodology (“DCF Methodology”), and (ii) the evolution of cases involving DIV Damages calculated using an MOE Methodology under Delaware M&A damages law.[2] Part II of this article addressed the evolution of cases involving DIV Damages calculated using a DCF Methodology under Delaware M&A damages law. Part III of this article discussed the requirements for a DIV Damages award as part of an RWI claim.
Each part of this article contains practice tips for attorneys for insureds seeking recovery of DIV Damages as part of an RWI claim.
Limitations on DIV Damages With Respect to an RWI Claim
Delaware M&A contract damages law imposes four limitations on the recoverability of DIV Damages: (1) foreseeability; (2) certainty; (3) avoidability; and (4) no windfall.[3]
1. Foreseeability
Foreseeability deals with the concept of consequential damages, for which recovery is limited under principles that hearken back to the 1854 English common law contract case of Hadley v. Baxendale.[4] Consequential damages may be one of the most misunderstood terms in the common law, including U.S. common law.[5] That said, a number of cases have held that DIV Damages are typically general (direct) damages, not consequential (indirect) damages, and therefore not subject to the special foreseeability requirements applicable to the recovery of consequential (indirect) damages.[6]
2. Certainty
Certainty is the most important limitation on DIV Damages under Delaware M&A contract damages law.
a. Two Levels of Certainty
There are two levels of certainty in the proof of damages under Delaware M&A contract damages law:
proof that the nonbreaching party suffered damages as the result of the R&W Breach in question; and
the determination of the amount of damages suffered.[7]
The law requires reasonable certainty that the nonbreaching party suffered damages and, to a lesser degree, of the amount of damages suffered.[8] Once the fact that damages were suffered has been established, the determination of the amount of damages (often also referred to as the “quantum of damages”) suffered requires only “a basis to make a responsible estimate of [such] damages.”[9] Mathematical certainty of the quantum of damages is not required.
All of the foregoing said, courts will not award DIV Damages that are based on mere speculation or conjecture—that is, are too uncertain.[10]
b. Wrongdoer Rule
Uncertainties in determining the amount of damages suffered “are generally resolved against the wrongdoer.”[11] In this context, “wrongdoer” simply means the breaching party; no level of culpability or misconduct is required.[12]
Although there does not appear to be any case law on this subject, a valid argument can be made that the RWI carrier, which effectively stands in the shoes of the breaching party for purposes of recovery under an RWI policy, should be subject to this same “wrongdoer rule.” This would have the effect of the insured’s being in the same position against the RWI carrier as it would be in pursuing a claim against the seller that had committed the R&W Breach in question.
The wrongdoer rule is not a universal solvent requiring all uncertainty regarding the quantum of damages to be resolved in favor of the nonbreaching party, but only uncertainty arising from the R&W Breach of the breaching party.[13]
c. Need for Effect Post-Acquisition
With respect to proof that the insured suffered a diminution in value of the target business as a result of the R&W Breach in question, consideration should be given to whether the shortfall in EBITDA or in projected cash flows actually would have occurred after the Acquisition even if the R&W Breach in question had never occurred. In a lost customer case, for example, this consideration would include any evidence, known at the time of breach, that the customer would likely have been lost, or reduced its purchases of products or services from the target business, in the near term after the Acquisition anyway.[14]
3. Avoidability
The issue of avoidability[15] can arise with respect to DIV Damages in at least three ways:
a. Avoided Costs
The avoided costs principle requires that DIV Damages take into account costs that can be avoided which are associated with earning lost revenues.[16] This is relevant in calculations such as determining the deemed effect of the loss of a customer on Measurement Period EBITDA or on projected cash flows for the target business.
b. Mitigation by Reducing Loss
Mitigation requires that the target or the insured take or avoid actions after the Acquisition to reduce the amount of loss that would otherwise be suffered. Because DIV Damages are calculated based on the parties’ expectations ex ante (“before the event”),[17] and because the R&W Breach is deemed to have occurred when the representations and warranties were made (as of signing of the Acquisition Agreement, as of closing of the Acquisition, or both), these types of mitigation activities can only be taken after the Acquisition to reduce the amount of loss deemed to be applicable to the Measurement Period (such as by trying to reduce the amount of expenses incurred after the Acquisition that relate back to the Measurement Period in the case of DIV Damages calculated using an MOE Methodology).
c. Mitigation by Replacing Lost Business, Subject to the Lost Volume Seller Principle
Mitigation also requires that the target or the insured take actions after the Acquisition to replace revenues that would otherwise have been lost. However, a contract damages principle known as the “lost volume seller” may come into play. In simple terms, unless the target is capacity-constrained, sales of products or services to new customers or additional sales to existing customers are treated as additive to those suffered as a result of the R&W Breach, and therefore they are not considered replacement for the lost revenues.[18] For example, if the target has lost a customer and can add a new customer after the Acquisition, and it would have been able to provide products or services to both the lost customer and the new customer, then the target and the buyer are entitled to both, and the addition of the new customer does not replace the old customer.
As to either type of mitigation, only reasonable efforts to try to mitigate are required, and the costs of those efforts incurred by the target or the insured are typically covered Loss.[19]
4. No Windfall
Although identified as a separate and independent limitation under Delaware M&A contract damages law, the “no windfall” limitation is often treated in the case law as an additional reason not to award, or to limit the amount of, damages by reason of one of the proof requirements described in Part III of this article or one of the other limitations described above.[20]
Other Considerations in Pursuing DIV Damages With Respect to an RWI Policy Claim
In addition to the requirements and limitations described in this article, a number of other considerations can come into play in pursuing DIV Damages with respect to an RWI Claim, including the following:
1. Check the RWI Policy and the Acquisition Agreement First
It may seem obvious, but any evaluation of whether an insured is entitled to recover DIV Damages under an RWI policy should start with an examination of the RWI policy and the Acquisition Agreement in question. Each should be examined to determine that it does not operate to prohibit recovery of DIV Damages under the RWI policy and, preferably, that one or both of them affirmatively permit recovery of DIV Damages. Although affirmative coverage is preferable, silence on the issue is acceptable under applicable Delaware M&A contract damages law.[21]
2. Can an RWI Claimant Recover Both DIV Damages and Out-of-Pocket Damages?
Generally speaking, the answer is yes, a claimant can recover both DIV Damages and out-of-pocket damages resulting from the same R&W Breach.[22] For example, in the case of DIV Damages calculated using an MOE Methodology, if the target or the seller failed to pay or take into account an expense that it should have paid or taken into account during the Measurement Period and such failure is the subject of an R&W Breach, and the target or the buyer is required to bear that expense after the Acquisition as a recurring loss, then the insured should be able to claim both the out-of-pocket damages suffered by virtue of the target’s or the buyer’s having to pay that expense and the DIV Damages resulting from the deemed reduction in Measurement Period EBITDA caused by treating that expense as if it had been incurred during the Measurement Period.
At least two countervailing arguments can be made that the claimant would thereby be entitled to a:
Double Recovery: A double recovery in respect of the same R&W Breach—for example, recovering both DIV Damages and a purported working capital shortfall required to earn the lost revenue represented by the DIV Damages—may not be permitted.[23]
Recovery in Excess of Purchase Price: Recoveries of loss in respect of the same R&W Breach that would be calculated so as to exceed the purchase price paid for the target business by the buyer may or may not be permitted.[24]
3. Should Post-Acquisition Actions or Omissions by the Target or the Insured Be Taken Into Account in Evaluating DIV Damages?
Generally speaking, the answer is no, post-Acquisition actions or omissions by the target or the insured should not be taken into account in evaluating DIV Damages. As noted above, DIV Damages are generally evaluated based solely on the parties’ expectations ex ante,[25] and thus post-Acquisition actions or omissions would not be within those expectations.[26]
That said, there are exceptions to this general rule, principally:
post-Acquisition mitigation, as discussed above;[27]
post-Acquisition events that go to the no windfall limitation;[28]
post-Acquisition actions or omissions that serve to confirm (rather than prove) a determination involved in evaluating DIV Damages, such as whether a diminution in Measurement Period EBITDA is recurring in nature, what the parties’ reasonable expectations were ex ante,[29] or whether the target or the insured has acted consistently with the insured’s position that the target business suffered a diminution in value as a result of the R&W Breach in question.[30]
4. Does a Seller or an RWI Carrier Have to Put Forward a Competing Calculation of DIV Damages?
Generally speaking, the answer is no, a seller or an RWI carrier does not have to put forward a calculation of DIV Damages that competes with the calculation put forward by the buyer/insured. Under M&A damages law, the burden is on the buyer/insured to establish its damages. That said, Delaware M&A damages law cases have often unfavorably noted that the seller did not put forward a competing calculation of damages in adopting the buyer’s calculation.[31]
The question of whether or not to put forward a competing calculation of DIV Damages is a real dilemma for a seller or an RWI carrier:
Risk of Putting Forward: On the one hand, putting forward a competing calculation runs the risk of being interpreted as having accepted the other side’s position that R&W Breach and Loss have been proven, and more importantly that DIV Damages are merited, in at least the amount set forth in the competing calculation, no matter how strongly and articulately the competing calculation is put forward as an argument in the alternative.
Risk of Not Putting Forward: On the other hand, not putting forward a competing calculation runs the risk of the seller’s or RWI carrier’s missing its best chance to challenge the other side’s calculation, and more importantly, opening itself up to the other side’s taking advantage of the absence of a competing valuation, based on the type of adverse findings set forth in the case law described above.
Conclusion
Because of the potential magnitude of DIV Damages, an evaluation of whether or not an RWI claimant is entitled to recover DIV Damages as a result of an R&W Breach and, if so, the amount of such DIV Damages, can be the most critical aspect of an RWI claim. This is so even if the claimant is ultimately unsuccessful, in part or in whole, in pursuing the DIV Damages since it still “raises the stakes” for the RWI carrier.
That said, a weak or poorly supported claim for DIV Damages can be detrimental to an insured’s RWI claim if it reduces the insured’s credibility with the carrier with respect to the rest of the RWI claim. As a result, a firm understanding of the relevant M&A damages law, and the tactics and strategy, involved in pursuing DIV Damages can be critical to the success of the insured with respect to its overall RWI claim.
Practice Tips for Attorneys for Insureds
In the RWI policy claim assertion phase, consider the following actions:
Present a claim for DIV Damages with credible and convincing evidence of the shortfall in Measurement Period EBITDA and the validity of the multiple, or of the loss of projected cash flows, as the case may be, and have the forensic accounting firm or valuation firm participate in that presentation.
Propose a meeting, actual or virtual, with the RWI carrier and its advisors to walk through the evidence supporting the DIV Damages claim, particularly any spreadsheets included in the presentation.
Continue to have the target and the insured avoid any action or omission calling into question any material element of the DIV Damages.[32]
This article is the fourth in the RWI Practice Insights series by John T. Capetta.
The author of this article thanks his colleagues Mark Gregory and Aria Antonopoulos, and his guide as to all things private equity and valuation related, Doug Karp of private equity advisory firm Pacific Partners, for their contributions to this article and to this series of articles.
This article focuses on buyer-side RWI policies and U.S. law (principally Delaware case law). For purposes of this article:
DIV Damages are a form of expectation damages in which the amount of the damages is the difference between (i) the value of the target business as represented to the buyer, almost always the purchase price paid for the target business by the buyer, and (ii) the value of the target business after giving effect to the diminution in the target business resulting from a breach of the Acquisition Agreement representations and warranties (“R&W Breach”) or from fraudulent misrepresentation or deceit regarding the target business.
Although there are other methods to calculate DIV Damages, this article focuses on those calculated by using either (i) in the case of a multiple of EBITDA methodology (“MOE Methodology”), (a) an actual or deemed shortfall in the EBITDA of the target business for a specified measurement period (“Measurement Period EBITDA”) caused by the R&W Breach or the fraudulent misrepresentation or deceit, times (b) the multiple applied by the insured to the Measurement Period EBITDA in determining the purchase price to pay for the target business; or (ii) in the case of a discounted cash flow methodology (“DCF Methodology”), the loss of future cash flows and of terminal value over a specified period caused by the R&W Breach or the fraudulent misrepresentation or deceit, discounted to present value by the application of a discount factor.
The period of time for which the historical EBITDA is measured in an MOE Methodology and the period of time for which the projections used in a DCF Methodology are included are each referred to in this article as the Measurement Period.
As used in this article:
the term Loss has the definition set forth in the RWI policy;
the term Acquisition Agreement includes stock purchase agreements, merger agreements, asset purchase agreements, and other types of business combination agreements by which a buyer acquires a target business from a seller;
the term Acquisition refers to the business combination contemplated by the Acquisition Agreement;
the term the buyer and the term the insured are often used interchangeably;
the term target and the term target business are used interchangeably;
the term R&W Breach also includes a claim under an RWI policy with respect to a tax indemnification provision in the Acquisition Agreement; and
the phrase without required disclosure by the seller refers to a failure by the seller to make a disclosure to the buyer even though required to do so by a representation and warranty in the Acquisition Agreement.
“Expectation damages” are also sometimes referred to by courts as expectancy damages.
Although relevant M&A damages law regarding DIV Damages may apply with respect to fraudulent misrepresentation or deceit (each a tort) regarding the target business as well as an R&W Breach (a breach of contract), DIV Damages with respect to an RWI claim can only be asserted for an R&W Breach and therefore will always be subject to M&A contract damages law. However, note in this regard the argument described in Footnote 3 of Part III of this article with respect to an R&W Breach in the form of a claim under the tax indemnity provision in an Acquisition Agreement.
The Restatement (Second) of Contracts identifies foreseeability, certainty, and avoidability as limitations on contract damages, but not a “no windfall” limitation. However, Section 351(3) of the Restatement sets forth the following as a type of additional limitation: “A court may limit damages for foreseeable loss by excluding recovery for loss of profits, by allowing recovery only for loss incurred in reliance, or otherwise if it concludes that in the circumstances justice so requires in order to avoid disproportionate compensation.” Restatement (Second) of Contracts § 351(3) (A.L.I. 2024). “Delaware courts have often looked to the Restatement (Second) of Contracts as persuasive authority for interpreting basic contract principles . . . .” Thompson St. Cap. Partners IV, L.P. v. Sonova U.S. Hearing Instruments, LLC, No. 166, 2024, 2025 WL 1213667 (Del. Apr. 28, 2025). However, it does not appear that any Delaware case has cited to Section 351(3) as a basis for limiting M&A contract damages.
The preeminent commentator in the United States with respect to M&A contract law generally, and to the confusion surrounding the meaning of the term “consequential damages” specifically, is Glenn D. West, a retired M&A and private equity partner at Weil, Gotshal & Manges. West has written a series of articles on the meaning of that term and the often-unintended consequences of waiving its applicability in an Acquisition Agreement. See, e.g., the following articles authored or co-authored by West:
For an M&A lawyer, West’s articles are the gold standard and essential to practicing M&A law knowledgeably.
See, e.g., Taylor Precision Prods., Inc. v. Larimer Grp., Inc., No. 15-CV-04428, 2023 WL 6785802, at *4 (S.D.N.Y. Oct. 13, 2023); Powers v. Stanley Black & Decker, Inc., 137 F. Supp. 3d 358, 386 (S.D.N.Y. 2015). Although there appears not to have been a case under Delaware M&A contract damages law explicitly holding that DIV Damages are direct damages, as opposed to consequential damages, all of the Delaware M&A contract damages law cases involving DIV Damages discussed in this article seem to assume that they are direct damages (i.e., damages that may fairly and reasonably be considered arising naturally from the R&W Breach in question). See, e.g., Cobalt Operating, LLC v. James Crystal Enters., LLC, No. 714, 2007 WL 2142926, at *29 (Del. Ch. July 20, 2007), aff’d, 945 A.2d 594 (Del. 2008) (unpublished table decision).
SIGA Techs., Inc. v. Pharmathene, Inc., 132 A.3d 1108, 1130–31 (Del. 2015). Although SIGA is not a DIV Damages case, it is a Delaware Supreme Court case that speaks authoritatively on certain principles of Delaware contract damages law, such as certainty, the wrongdoer rule, and the use of post-breach information.
In re Dura Medic Holdings, Inc. Consol. Litig., 333 A.3d 227, 262 (Del. Ch. 2025) (“The law does not require certainty in the award of damages where a wrong has been proven and injury established. Responsible estimates that lack m[a]thematical certainty are permissible so long as the court has a basis to make a responsible estimate of damages.”) (footnotes and internal quotation marks omitted); NetApp, Inc. v. Cinelli, No. 2020-1000, 2023 WL 4925910, at *24 (Del. Ch. Aug. 2, 2023).
See NetApp, 2023 WL 4925910, at *24; Great Hill Equity Partners IV, LP v. SIG Growth Equity Fund I, LLLP, No. 7906, 2020 WL 948513, at *20 and *23 (Del. Ch. Feb. 27, 2020). See also Taylor, 2023 WL 6785802, at *5. In each of the foregoing cited cases, the court rejected a buyer’s claim for DIV Damages based, at least in part, on a lack of certainty:
NetApp: In NetApp, after setting forth the principles of Delaware M&A contract damages law regarding certainty, Vice Chancellor Will went on to state: “Nonetheless, the court cannot award damages based on speculation or conjecture. An award of expectation damages presupposes that the plaintiff can prove damages with reasonable certainty.” NetApp, 2023 WL 4925910, at *24 (footnotes and internal quotation marks omitted). Vice Chancellor Will then went on to reject the buyer’s claim for loss of synergistic value as being speculative. Id. at *24–26. A few notes regarding NetApp and Vice Chancellor Will’s rejection of the buyer’s claim for DIV Damages in the form of loss of synergistic value:
Lack of Proximate Cause as Well: As discussed in Part III of this article, Vice Chancellor Will also found that the buyer’s claim for loss of synergistic value lacked the requisite proximate causal relationship with the R&W Breach and fraud asserted by the buyer. Those two findings—lack of certainty and lack of proximate cause—were interrelated in NetApp, and often are interrelated when a claim for DIV Damages is rejected.
Nomenclature: The standard that Vice Chancellor Will applied in NetApp and that the Delaware courts generally apply in rejecting a claim for DIV Damages is “speculation or conjecture,” meaning “too uncertain.” While it is tempting to write or say “too speculative or conjectural,” that is not the standard used for the certainty limitation.
Great Hill: In Great Hill, as discussed in Footnote 24 of Part III of this article, Vice Chancellor Glasscock rejected the buyer’s claim for DIV Damages primarily on the basis that there was a lack of proximate cause between the DIV Damages asserted and the R&W Breach and fraud that the buyer had been able to establish at trial regarding the threatened termination of the relationship between payment processor PayPal and the target company Plimus.
Lack of Certainty as Well: In addition to the lack of proximate cause, Vice Chancellor Glasscock described a lack of certainty regarding the buyer’s assertion of DIV Damages.
Intertwining: Unlike NetApp, in which Vice Chancellor Will set out in separate sections the lack of proximate cause and the lack of certainty, in Great Hill Vice Chancellor Glasscock intertwined the lack of proximate cause and the lack of certainty in one section.
Use of One Quarter of EBITDA as the Measurement Period: On a side note regarding certainty, in Great Hill, Vice Chancellor Glasscock also drew attention to the issue of whether the buyer’s reliance on a multiple of just one quarter of EBITDA was nonspeculative. See Great Hill, 2020 WL 948513, at *21 n.266 (“This assumes that it is non-speculative to base the damages for the loss of the PayPal relationship on a multiple of Q4 2011 EBITDA. I do not reach the question of whether such a snapshot approach to damages is reliable here.”).
Taylor: In Taylor, applying New York M&A damages law, Judge Carter of the United States District Court for the Southern District of New York rejected the second of the buyer’s two claims for DIV Damages based on a lack of certainty.
Allowed First Claim for DIV Damages: The first claim for DIV Damages was with respect to an undisclosed fall-off in the sale of stock-keeping units (“SKUs”) to two of the target business’s largest customers, Target and Walmart.
Disallowed Second Claim for DIV Damages: The second claim for DIV Damages tried to leverage that fall-off in sales of SKUs to two customers into a claim for an overall fall-off in the target business.
Disallowed Use of Reduced Multiple: The Taylor case appears to be unique with respect to the buyer’s calculation of its second claim for DIV Damages, which was based on a proposed reduction of the multiple that the buyer had applied to the portion of the target business other than to Target and Walmart.
Lack of Responsible Estimate: In rejecting that second claim for DIV Damages, Judge Carter stated as follows regarding certainty: “While the law does not require damages to be calculated with mathematical precision, they must be capable of measurement based on known reliable factors without undue speculation. . . . While the Court acknowledges that it is ‘reasonably certain’ that Plaintiff would have lowered its growth expectation for the Business had it known of the lost SKUs, Plaintiff has not provided a ‘stable foundation for a reasonable estimate’ of such damages as required by New York law.” Taylor, 2023 WL 6785802, at *5.
See, e.g., SIGA, 132 A.3d 1108, at 1131; Dura Medic, 333 A.3d 227, at 262–63; Taylor, 2023 WL 6785802, at *4. Cf. NetApp, 2023 WL 4925910, at *25 (“Resolving uncertainty against [the seller by virtue of the wrongdoer rule] does not relieve [the buyer] of its burden to present expectation damages that are not speculative.”) (footnote omitted). Note that NetApp involved a buyer trying to obtain the difference between a synergistic value for the target business and the value without such synergies, based on a DCF Damages methodology, rather than the difference between the purchase price it paid for the target business and the value of the target business after taking into account a shortfall in Measurement Period EBITDA, based on a multiple of EBITDA methodology. In NetApp, because the buyer was trying to recover a loss of synergistic value, DIV Damages based on a multiple of EBITDA methodology would not have achieved that result (i.e., because the Measurement Period EBITDA would not have taken post-Acquisition synergies into account). Although the principal focus of the damages analysis in NetApp was on the Chancery Court’s rejection of synergistic damages, the Court did award DIV Damages (but using a multiple of revenues rather than of EBITDA) to the buyer in a much smaller amount. Id. at *29.
Cf. SIGA, 132 A.3d 1108, at 1131 (“SIGA is correct that the trial court did not have unbridled authority to dress up punitive damages as expectation damages by importing the willfulness of the breach into the damage award. And it is not every contract case where the court should assess the bona fides of the breaching party. But in a case about expectation damages caused by breach of a Type II agreement, where the wrongdoer caused uncertainty about the final economics of the transaction by its failure to negotiate in good faith, willfulness is a relevant factor in deciding the quantum of proof required to establish the damages amount.”) (footnote omitted). For a discussion of the “no fault” nature of M&A contract damages generally, and exceptions thereto with respect to certain types of covenant breaches, see Theresa Arnold, Amanda Dixon, Madison Whelan Sherrill, Hadar Tanne, & Mitu Gulati, The Cost of Guilty Breach: Willful Breach in M&A Contracts, 62 B.C. L. Rev. I-32 (2021). In a sense, the “upgrading” of a contractual R&W Breach to the tort of fraud, with the resulting exposure to punitive damages and other enhanced remedies, can be viewed as a way to “punish” a breaching party for an R&W Breach accompanied by “fault.”
In Surf’s Up Legacy Partners, LLC v. Virgin Fest, LLC, No. N19C-11-092, 2024 WL 1596021 (Del. Super. Ct. Apr. 12, 2024), Delaware Superior Court Judge Wallace made reference to the possibility of a plaintiff’s recovering punitive damages based on a contractual breach, even in the absence of the commission of a tort such as fraud. Id. at *23 n.287 (“Punitive damages may be appropriate for egregious cases of willful and malicious breach of contract. [T]his Court has phrased the test for punitive damages in breach of contract cases in various ways . . . [t]he import of these cases suggests that punitive damages may not be awarded for breach of contract unless the intentional breach is similar in character to an intentional tort. . . . Virgin Fest has failed to prove malice or willfulness in those actions—or that such actions effectively equate to torts.”) (citations and internal quotation marks omitted). The Surf’s Up case appears to be an outlier among the DIV Damages cases under Delaware law with respect even to the possibility of punitive damages for an R&W Breach, and the cases cited by Judge Wallace in Footnote 287 of Surf’s Up were all Delaware Superior Court cases (not Delaware Chancery Court cases, arguably having greater precedential value, or Delaware Supreme Court cases). Whether “contractual breach punitive damages” would be recoverable under an RWI policy is beyond the scope of this article, and in the first instance would be an issue under the RWI policy’s definition of “Loss” and the wording of any exclusion applicable to punitive damages.
See, e.g., SIGA, 132 A.3d 1108, 1132 (“Where uncertainty could not be traced to SIGA’s breach, the Court of Chancery did not resolve the uncertainty against SIGA. . . . The court did not apply the wrongdoer rule to resolve all uncertainty against SIGA, where SIGA’s breach was not the cause of the lack of information.”) (footnote omitted); NetApp, 2023 WL 4925310, at *25 (“[T]he pervasive uncertainty in the Combined Projections is not a result of [the target company’s] misrepresentations; it is due to NetApp making optimistic predictions about the unknown. Whether NetApp would deliver on its prognostications depended on how NetApp operated the combined entity—a matter squarely in NetApp’s hands.”) (footnote omitted); Great Hill, 2020 WL 948513, at *23 (“The uncertainty of damages here, if attributable to any party, is attributable to the Plaintiffs. They could have, but did not, provide a non-speculative way to quantify damages from the loss of PayPal.”) (footnote omitted).
Another justification for not awarding DIV Damages to an insured with respect to a customer that would have been lost, or that would have reduced its purchases of products or services from the target business regardless of the R&W Breach, is the lack of proximate cause between the R&W Breach and the Loss.
Two notes regarding avoidability:
Avoided Costs as Element of Calculation: Avoided costs as a reduction to DIV Damages is arguably more an element of the calculation of the amount of DIV Damages than it is an example of the avoidability limitation on contract damages.
Consequence of Failure to Mitigate as Element of Calculation: Although mitigation is often referred to as a “duty,” it is actually simply an element of the calculation of recoverable damages. In other words, the only adverse consequence arising from a failure to comply with the “duty to mitigate” is a reduction of recoverable damages, not a separate liability in respect of the failure.
See, e.g., Neri v. Retail Marine Corp., 30 N.Y.2d 393 (N.Y. 1972); Dura Medic, 333 A.3d 227, at 260 (“The [Buyers] could not ‘mitigate’ the damages from the lost customers by obtaining new customers. The Buyers could only mitigate their losses from the two customers by cutting expenses or somehow convincing the customers to come back.”). See also Restatement (Second) of Contracts § 347, cmt. f (A.L.I. 2024).
See, e.g., Dura Medic, 333 A.3d 227, at 260 (“The Sellers bore the burden of proving that the Buyers failed to mitigate damages by not using reasonable efforts to reacquire [the lost customers]. The Sellers failed to meet their burden.”) (footnotes omitted), and at 260 n.58 (“A non-breaching party need not hazard undue risk, burden, or humiliation in mitigating costs and damages. Mitigation is subject to a rule of reasonableness . . . .”) (quoting W. Willow-Bay Ct., LLC v. Robino-Bay Ct. Plaza, LLC, 2009 WL 458779, at *8 (Del. Ch. Feb. 23, 2009)). Although there are Delaware contract damages law cases that address recovery of costs expended by a nonbreaching party in attempting to mitigate damages, see, e.g., Wise v. Western Union Telegraph Co., 181 A. 302, 305 (Del. Super. Ct. 1935); Katz v. Exclusive Auto Leasing, Inc., 282 A.2d 866, 868 (Del. Super. Ct. 1971), the RWI policy itself will often provide for recovery of reasonable costs incurred in attempting to mitigate losses by treating such costs as covered Loss under the RWI policy, in some cases even if the efforts to mitigate are unsuccessful.
See, e.g., NetApp, Inc. v. Cinelli, No. 2020-1000, 2023 WL 4925910, at *23 (Del. Ch. Aug. 2, 2023) (the court determined that the buyer’s synergistic valuation of the target business was speculative and not sufficiently certain, and was not limited to losses that were proximately caused by the R&W Breach, and also found that the buyer’s damages expert’s “conclusion would deliver a windfall to [the buyer].”), and at *27 (“awarding [the buyer] damages in excess of the purchase price would amount to a windfall”) (citing Paul v. Deloitte & Touche, LLP, 974 A.2d 140, 146 (Del. 2009) (“breach of contract damages should not provide a ‘windfall’ to the plaintiff”)).
See Interim Healthcare, Inc. v. Spherion Corp., 884 A.2d 513, 549 (Del. Super. Ct. 2005) (“The Court first considers whether the plaintiffs’ expectancy damages claim is legally viable in the context of this highly negotiated contract between two sophisticated parties. Clearly, the Agreement does not expressly contemplate expectancy damages; they are nowhere mentioned or even insinuated in the contract. The sole remedy for breach identified in the Agreement is indemnification . . . . Here, although the Agreement does not specifically provide for expectancy damages, it also does not specifically exclude them. Accordingly, if other remedies (including expectancy damages) are factually viable, then they are legally viable as well.”) (footnote omitted).
Even though, as discussed in Part I of this article, DIV Damages are not actually “multiplier damages,” it is still better to avoid an argument that the term “multiplier damages” precludes DIV Damages, particularly those calculated using an MOE Methodology.
RWI policies have evolved in many ways since they were first introduced in the United States more than two decades ago. One of those ways is that some general exclusions have been omitted and some made more insured-friendly. In the early days, some RWI carriers included in their RWI policies an exclusion with respect to multiple of EBITDA damages and the like. (For a discussion of how such exclusions may have arisen from D&O policy exclusions regarding the multiple portion of multiplied damage awards, such as in the case of antitrust treble damage awards, see Michael Gill & Frank Mascari, Confusion Reigns: Applying the Multiplied Damages Exception in Representations and Warranties Insurance Policies, Bloomberg L. (Jan. 24, 2016).) Over time, RWI carriers were persuaded to give up such an exclusion and let their RWI policies be silent on the issue, thus following applicable law instead, such as the Cobalt line of cases. As a result, modern RWI policies should not contain such an exclusion.
See, e.g., Cobalt Operating, LLC v. James Crystal Enters., LLC, No. 714, 2007 WL 2142926, at *30 (Del. Ch. July 20, 2007), aff’d, 945 A.2d 594 (Del. 2008) (unpublished table decision) (buyer awarded indemnification for free airtime credits provided to advertisers after the Acquisition, in addition to DIV Damages, in respect of the R&W Breach and fraud by the seller). Section 347 of the Restatement (Second) of Contracts explicitly recognizes this by providing that: “Subject to the limitations stated in §350-53, the injured party has a right to damages based on his expectation interest as measured by (a) the loss in the value to him of the other party’s performance caused by its failure or deficiency, plus (b) any other loss, including incidental or consequential loss, caused by the breach, less (c) any cost or other loss that he has avoided by not having to perform.” Restatement (Second) of Contracts § 347 (A.L.I. 2024). See Vici Racing, LLC v. T-Mobile USA, Inc., 763 F.3d 273, 293 (3d Cir. 2014) (paraphrasing § 347 of the Restatement (Second) of Contracts).
But cf. In re Bracket Holding Corp. Litigation, No. N15C-02-233, 2020 WL 764148, at *3–4 (Del. Ch. Feb. 7, 2020) (“Defendants claim that the damages awarded are an impermissible double recovery based on the alleged inflated purchase price and shortfall in working capital, reflecting that the jury double count[ed] working capital. . . . However, . . . the jury . . . would have been free to . . . calculate the damages to include the amount [the buyer] overpaid for the [target] plus the shortfall in the working capital.”), rev’d on other grounds, Express Scripts, Inc. v. Bracket Holdings Corp., 248 A.3d 824 (Del. 2021).
For example, if a target had lost all of its customers prior to the Acquisition without required disclosure by the seller, the DIV Damages would equal the entire purchase price. To then compensate the buyer as well for out-of-pocket damages it suffered after the Acquisition in connection with the same R&W Breach would entitle the buyer to damages greater than the purchase price it had paid.
Cf. NetApp, 2023 WL 4925910, at *26–27 (in addition to being speculative and not all being the proximate result of the R&W Breach and fraud in question, “awarding NetApp [synergistic] damages [of $37.7 million] in excess of the purchase price [of $35.0 million] would amount to a windfall.”).
See SIGA Techs., Inc. v. Pharmathene, Inc., 132 A.3d 1108, 1133–34 (Del. 2015) (“The Court of Chancery recognized that post-breach evidence could be used in order to aid in its determination of the proper expectations as of the date of the breach, but relied on such evidence sparingly. According to the court, it also limited the use of such evidence to the parties’ expectations, and in all other respects determined that the post-breach evidence was irrelevant to measure expectation damages at the time of the breach. We find after reviewing the record that the Court of Chancery properly limited the use of post-breach evidence to confirm its conclusions as to the parties’ reasonable expectations at the time of breach, or used the evidence to adjust the damages award in SIGA’s favor.”) (footnotes and internal quotation marks omitted). See also, e.g., Taylor Precision Prods., Inc. v. Larimer Grp., Inc., 2018 WL 4278286, at *33 (S.D.N.Y. Mar. 26, 2018) (“Because contract damages are measured at the time of the breach[,] inquiry into the performance of [the acquired] assets and market conditions in the months following the acquisition is improper, as evidence subsequent to the breach may neither offset not enhance [buyer’s] general damages.”) (citations and internal quotation marks omitted).
See the subsection above titled “Avoidability” in the section titled “Limitations on Damages.” For a discussion of avoided costs and of the types of mitigation activities a jilted buyer was found by the court to have taken after a failed Acquisition, see WaveDivision Holdings, LLC v. Millennium Digital Media Systems, L.L.C., No. 2993, 2010 WL 3706624, at *24 (Del. Ch. Sep. 17, 2010).
See, e.g., NetApp, 2023 WL 4925910, at *27 (“Just four months after closing, NetApp decided to end-of-life [target company] Cloud Jumper’s VDI product. NetApp never attempted new sales of Cloud Jumper software, even though the product performed as expected. It retained Cloud Jumper’s existing customers, intellectual property, and personnel. The Cloud Jumper engineering team was moved to develop a new VDI product within Spot—another (significantly larger) company acquired by NetApp. In such circumstances, awarding NetApp damages in excess of the purchase price would amount to a windfall.”) (footnotes omitted).
A situation that highlights the use of post-Acquisition evidence in support of the no windfall limitation is a termination threat by a major customer or supplier of the target business without required disclosure by the seller, which otherwise might have resulted in a DIV Damages claim, but for the fact that the customer or supplier did not terminate, or even adversely change the pricing of, its relationship with the target business post-Acquisition. Without the use of such post-Acquisition evidence, the buyer of the target business could arguably make out a claim for DIV Damages on the basis that if it had known of the termination threat pre-Acquisition, it would have reduced its purchase price for the target business accordingly, if the basis for such a claim were only the buyer’s reasonable expectations ex ante.
SIGA, 132 A.3d 1108, at 1133 (“the [C]ourt [of Chancery] could consider post-breach evidence when determining the reasonable expectations of the parties before or at the time of the breach.”) (footnote omitted). See, e.g., S.C. Johnson & Son, Inc. v. DowBrands, Inc., 294 F. Supp.2d 568, 588 (D. Del. 2003) (“[T]he Court finds the fact that SCJ did not make any sales of DowBrands’ products in Latin America from the date of closing until the end of its fiscal year which was five months later and that they sold less than $1 million in bags and wraps in Latin America seventeen months after closing persuasive.”), rev’d on other grounds, 111 F. Appx. 100 (3d Cir. 2004). ↑
See, e.g., Great Hill, 2020 WL 948513, at *23 n.284 (“Because I find that the Plaintiffs have failed to meet their burden with regard to the damages methodology, I do not reach the Defendants’ contentions that Plimus’s downturn was not as severe as suggested by Great Hill and that explanations exist for any downturn other than the allegations lodged by Great Hill. Indeed, Great Hill’s own annual report for 2011 noted that Plimus’s Q4 2011 EBITDA declined primarily due to 25 incremental hires necessary to support Plimus’[s] anticipated growth.”) (internal quotation marks omitted). ↑
See, e.g., Cobalt Operating, LLC v. James Crystal Enters., LLC, No. 714, 2007 WL 2142926, at *29 (Del. Ch. July 20, 2007), aff’d, 945 A.2d 594 (Del. 2008) (unpublished table decision) (the seller “Crystal did not provide its own valuation evidence”); Surf’s Up Legacy Partners, LLC v. Virgin Fest, LLC, No. N19C-11-092, 2024 WL 1596021, at *23 (Del. Super. Ct. Apr. 12, 2024) (the seller “has failed to provide any valuation of [the target business]—besides the transaction price—that could warrant providing less than what the indemnification cap maximally allows.”).
For those who have read this far and still may be wondering, the first part of the title of this article is taken from an old Woody Allen joke, which goes as follows: “Some guy hit my fender the other day, and I said unto him, ‘Be fruitful and multiply.’ But not in those words.”
Three nearly simultaneous actions of the Federal Trade Commission (“FTC”) in September confirmed its intentions with respect to employee noncompetes. In the first two related actions, the FTC indicated it will not defend its 2024 rule banning virtually all worker noncompetes and will instead focus on efforts to rein in the use of “unfair and anticompetitive” noncompetes. The FTC’s third action notified the public of its intent to accomplish its goals, at least in part, through a wide-ranging request for the public to identify employers using noncompetes, followed by targeted enforcement actions.
Specifically, on September 4, 2025, the FTC voted 3–1 along party lines to approve a complaint against the largest pet crematorium in the U.S. and a settlement of that action that bans the company from using noncompete clauses in many of its employment agreements. The complaint alleges that, in 2019, the pet cremation company and its subsidiary adopted a policy requiring noncompete agreements for all newly hired employees, which typically barred the employees from working in the pet cremation industry anywhere in the U.S. for one year after their departure. According to the FTC’s complaint, the only employees not subject to noncompetes are those working in California, which has a statutory prohibition on such restrictions.
The complaint emphasized the fact that the noncompetes were imposed on employees regardless of (1) their responsibilities, compensation levels, or skills, and (2) even in the absence of a nearby operational facility. The FTC also pointed out that, in one instance, employees were required to enter into noncompetes only to have the facility at which they worked closed and their employment terminated within weeks. Commissioner Rebecca Slaughter, who was briefly reseated pursuant to a court order, dissented: “one-off enforcement is no substitute for the FTC’s meaningful, marketwide noncompete rule that will protect workers across the country.”
The settlement with the FTC bars noncompete agreements except in limited circumstances. Specifically excluded from the noncompete prohibition are those entered into by directors, officers, or senior employees, in conjunction with the grant of equity or equity interests. Further, the settlement does not prohibit noncompete agreements in conjunction with the sale of a business, provided that individuals subject to restriction have a pre-existing equity interest in the business being sold. Notably, the settlement also bars employee agreements restricting employees from soliciting customers, except those current or prospective customers with whom the employee had “direct contact or personally provided service” in the last twelve months.
The FTC’s second action, also on September 4, was to issue a Request for Information Regarding Employer Noncompete Agreements in an effort to identify “which specific employers continue to impose noncompete agreements.” The request is not aimed at studying the use of worker restrictions and does not seek information from employers wanting to justify their use of noncompetes; instead, it is focused solely on gathering information about employers that are currently using noncompete agreements. For example, it seeks the employer names, job functions, and salaries of those workers covered, scope of restrictions (e.g., geography, duration), enforcement practices, harm to employee mobility (e.g., moving and legal costs, lost higher wages, etc.), lost opportunity to start new businesses, harm to rival employers, and loss of innovation. The request specifically calls for information about instances where noncompetes have harmed health care workers. Among the most interesting is a request for the names of employers that use nonsolicitation or nonrecruitment agreements limiting former workers from working with former customers or former employees.
The third action, filed the following day, was the FTC’s unopposed motions to dismiss both its Fifth and Eleventh Circuit appeals of the two district court decisions holding that the agency’s rule banning worker noncompetes exceeded the FTC’s authority.[1] By dismissing these appeals, the agency has acceded to the vacatur of the final Non-Compete Clause Rule. The vote to abandon the defense of the rule was 3–1 along party lines. Commissioner Slaughter dissented on the basis that the rule received overwhelming support in the form of 25,000 supportive comments out of the approximately 26,000 total comments received. She was also critical of the majority’s decision to simply drop the defense of the rule instead of allowing for a public notice and comment period:
The law does not permit the agency to void this popular rule under cover of darkness by simply withdrawing from litigations. The law requires that we hear from the American people. In absence of that legally required process, the action the Commission takes today should not hamper the agency in the future.
Whether or not the FTC followed the correct process, this administration will not defend the 2024 noncompete ban. This means the Northern District of Texas decision, which universally vacated the FTC’s noncompete rule, and the Middle District of Florida decision, which preliminarily enjoined the FTC’s enforcement of its rule against the named plaintiff there, as well as the conflicting Eastern District of Pennsylvania decision, which refused to enjoin the FTC rule, all remain on the books without appellate court review.
Although the FTC acknowledges that noncompetes can serve “valid purposes in some circumstances,” it is also concerned with the impact on workers of the often knee-jerk reliance on the clauses. These FTC actions and the agency leadership’s statements make clear that the agency intends to discourage the blanket use of worker noncompetes, hopes to use the public to relatively quickly identify such employers, and intends to take action against “the worst offenders [to] restore fairness to the American labor market.” The FTC could issue cease-and-desist letters, or it could go so far as to launch burdensome investigations and pursue administrative or federal court lawsuits under the FTC Act. However, the FTC has been consistent in its stance that noncompetes in the context of sale of business agreements are subjected to substantially less scrutiny.
Employers considering the use or continued use of noncompetes should evaluate all potentially applicable state laws. These state laws have changed rapidly and may include minimum compensation thresholds, notice periods, garden leave requirements, maximum time limitations, and other similar requirements. In addition, to mitigate FTC Act risks, firms should, at a minimum:
document the justifications for their noncompetes;
limit their use to employees with job responsibilities relevant to those justifications;
narrow the restrictions in terms of geography, timeframe, and types of later employment;
consider the use of less restrictive options, such as nondisclosure and nonsolicitation agreements and, where possible, use less restrictive alternatives; and
where less restrictive alternatives are not sufficient, document why they are not adequate.
Firms should also be aware that the Department of Justice and the FTC remain concerned with agreements among companies not to solicit or poach each other’s employees. Companies using no-poach agreements should consider the same factors above.
Ryan, LLC v. FTC, No. 24-10951 (5th Cir.); Properties of the Villages v. FTC, No. 24-13102 (11th Cir.).
The past several months have brought a head-spinning number of regulatory and legal developments, both in terms of new obligations and in terms of duties, many still well established in law, that may no longer be enforced. Consequently, audit committees are confronted with shifting corporate compliance and ethics priorities while new risks to financial reporting, including cyber and artificial intelligence, continue to be identified.
The burden on audit committees continues to grow. Just over thirty-five years ago, the Treadway Commission recommended that “all public companies should be required by SEC rule to establish audit committees composed solely by independent directors,” a recommendation that the U.S. Securities and Exchange Commission (“SEC”) rejected at the time.[1] The SEC, however, has made the operation of audit committees a principal focus since then. Recent actions from the SEC’s Enforcement Division emphasize audit committees’ obligations, and potential liability, in new contexts, including the integration of acquired financial reporting functions after a merger.[2] Pronouncements by the then-acting SEC chair and acting director of enforcement show that the SEC intends to continue the recent enforcement agenda, at least as far as that agenda pursues accounting and financial reporting fraud.[3]
Perhaps more significantly, and notwithstanding the actual and contemplated regulatory and legal changes that appear in the daily news, audit committees’ obligations to report significant audit matters to outside auditors remain in place, and those external auditors may compel investigation and, potentially, public disclosure. Further, audit committees must also remain diligent about their increasing responsibilities under state law, even in Delaware, which recently has revisited its corporate laws, but not in a way that alters the responsibilities of audit committees.
Against this backdrop, audit committees must find support where they can while meeting their mounting obligations under applicable listing standards and federal and state law. As the subject matter within the audit committees’ purview continues to move beyond financial reporting and the operation of internal controls to other areas of risk, such as cybersecurity, audit committees’ need for expert advice will grow correspondingly. In this article, we outline what is driving this growth in the responsibilities of audit committees, as well as some practical solutions that audit committee members may consider as they meet those responsibilities.
The Evolution of the Responsibilities of Audit Committees
In 1987, the Treadway Commission recommended the establishment of audit committees as a best practice for public companies.[4] However, public companies were not immediately required to establish audit committees. This did not occur until more than a decade after the Treadway Report, with the SEC’s approval in 1999 of standards requiring fully independent audit committees with at least three members for companies listed on the NYSE and Nasdaq.
These standards were codified in 2002 through the enactment of the Sarbanes-Oxley Act of 2002 (“Sarbanes-Oxley”).[5] In addition to the rules promulgated by the SEC pursuant to Sarbanes-Oxley, in 2003 the SEC approved new corporate governance rules for NYSE- and Nasdaq-listed companies, further solidifying the audit committee requirements. Following the 2008 financial crisis, the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”) focused on enhancing corporate governance—in part through audit committees.[6] Dodd-Frank, among other things, increased financial incentives and protections for whistleblowers[7] and expanded the SEC’s enforcement capabilities, including by empowering the SEC to initiate enforcement actions against entities and individuals that “knowingly or recklessly provide substantial assistance to another in violation of [the securities laws].”[8] Together, Sarbanes-Oxley and Dodd-Frank advanced the role of audit committees from simply a recommended “best practice” for corporate oversight[9] to a primary company mechanism for maintaining sound corporate governance.
The increase in audit committee obligations has only accelerated, particularly as regulators have sought to identify corporate functions into which responsibilities could be placed. Whereas the role of the audit committee initially was to oversee the financial reporting function, the audit committee’s mandate looks a lot different today, with oversight of financial reporting and auditing now only one component of an audit committee’s many responsibilities, which can often include other areas such as cybersecurity, data privacy, and environmental, social, and governance (“ESG”) reporting.[10] Indeed, approximately half of audit committees now rank cybersecurity as their number-one area of focus.[11] In 2019, then–SEC Chairman Jay Clayton observed that “the scope of an audit committee’s work is broad and includes a variety of important responsibilities,”[12] including being instrumental in setting the tone at the top for financial reporting, monitoring compliance with auditor independence rules, collaborating with internal stakeholders with respect to the implementation of generally accepted accounting principles (“GAAP”) standards, overseeing internal control over financial reporting, and maintaining adequate communications with external auditors.[13]
At the same time, the SEC has continuously affirmed the requirements of outside auditor independence and the audit committee’s obligation to ensure that independence,[14] which, among other things, has elevated the responsibilities of audit committees and outside auditors while also creating tension where outside auditors must balance client relationships with independence.
To be sure, audit committee members have their own interests to consider. The SEC long has described audit committees as gatekeepers for investor protection and regularly emphasizes this role in its enforcement actions. In one enforcement action, which the SEC described as “a cautionary tale of what happens when an audit committee chair fails to perform his gatekeeping function,” the SEC delisted a company’s shares when the audit committee failed to investigate suspected financial fraud.[15] Regulators have also levied penalties against individual members of the audit committee. For example, in In re Shirley Kiang, the SEC brought an enforcement action where a company’s audit committee chair signed a public filing certifying that the purported acting chief financial officer (“CFO”) was the actual acting CFO despite a contrary admission by the company’s chairman and chief executive officer (“CEO”).[16] The SEC ordered the audit committee chair to cease and desist from causing any additional violations and permanently prohibited the audit committee chair from signing any additional public filings required by Sarbanes-Oxley.[17] In another enforcement action, the SEC charged a company’s audit committee chair, in addition to the CFO and CEO, with violations of antifraud and other securities law for failing to act appropriately when he learned about the CEO’s scheme to concoct phony revenue numbers—and sought officer-and-director bars, injunctions, disgorgement, civil penalties, and other relief.[18]
The critical role of audit committees and their mounting responsibilities have endured notwithstanding changes in administration. On January 21, 2025, Mark T. Uyeda was named then-acting chairman of the SEC, taking over for former Chair Gary Gensler.[19] Uyeda, who was first sworn in as a commissioner on June 30, 2022, previously stressed the importance of audit committees in helping companies lower the likelihood of accounting violations and resulting enforcement actions.[20] Specifically, Uyeda noted—although years earlier—that audit committees have a duty to (1) actively oversee and understand the accounting policies, estimates, and judgments made by management in their preparation of the financial statements, including a responsibility to determine whether internal controls are effective; (2) appoint, compensate, and oversee the company’s auditor, including a responsibility to determine whether the external auditor is “independent under the myriad of rules that govern independence”; and (3) contribute to “a culture of cooperation between management and the auditor, while still ensuring that differing views on important issues are raised to the [audit] committee.”[21] Companies that fail to abide by the then-acting commissioner’s recommendations will likely be subject to enforcement actions.[22] As of April 21, 2025, Paul S. Atkins was sworn in as chairman of the SEC.[23] These duties will likely remain in place as Chairman Atkins seeks to ensure the U.S. remains a safe and secure place to invest. Accordingly, the burden on audit committees not only remains intact but may continue to grow.
Sources of Ongoing and Escalating Pressure on Audit Committees
Obligations Imposed on Auditors by the Securities Exchange Act of 1934 and Auditing Standards
Audit committees must comply with a complex regulatory regime imposed by regulators and the listing standards. For example, the NYSE and Nasdaq require audit committees to have at least three members who are independent and financially literate.[24] While audit committees are not required to include a financial expert under SEC regulations, they are required to disclose why they do not have one if a financial expert does not serve on the committee.[25] Audit committees are responsible for overseeing external and internal auditors and addressing disputes between management and auditors.[26] They must also include a report with the company’s proxy statement stating whether the audit committee (i) discussed the company’s financial statements with management, (ii) reviewed with auditors all matters necessary for discussion under Public Company Accounting Oversight Board (“PCAOB”) AU 380, and (iii) received disclosures regarding the auditors’ independence under PCAOB Ethics and Independence Rule 3526.[27]
Existing auditing standards also impose substantial obligations on auditors, particularly after an auditor identifies an illegal act. Under Auditing Standard (“AS”) 2405, Illegal Acts by Clients, the auditor must evaluate the impact of the illegal act on sums presented in the financial statements, such as loss contingencies, and consider the adequacy of disclosures related to the illegal act. Apart from financial statement impact, the auditor must determine whether the illegal act affects the audit itself by impairing the reliability of representations made by management. In addition to requiring the auditor to assess the consequences of an illegal act on the financial statements and audit under AS 2405, section 10A also requires the auditor to assess management’s response to the illegal act. If the auditor concludes that appropriate remedial action has not been taken to address an illegal act materially impacting the financial statements, and the auditor issues a nonstandard opinion or withdraws as a result thereof, the auditor must report those conclusions to the client’s board of directors. The client’s board of directors then has one business day to report the auditor’s findings to the SEC.
While less common, section 10A of the Securities Exchange Act of 1934 (“Exchange Act”) requires the auditor to determine the likelihood that an illegal act has, in fact, occurred and to assess the potential effect of the act on the client’s financial statements when an auditor believes an illegal act may have occurred.[28] Section 10A sets a high bar for a violation, but its application is expansive. It defines illegal act broadly as “an act or omission that violates any law, or any rule or regulation having the force of law.”[29] The section’s requirements also are triggered regardless of the materiality of the possible illegal act. Section 10A imposes reporting requirements on the auditor—specifically, to inform management of the possible illegal act and to ensure that the audit committee or board of directors or both are “adequately informed” of it.[30] These reporting requirements are triggered unless the act is “clearly inconsequential.”[31]
In sum, the auditor ultimately has four obligations with respect to possible illegal acts under PCAOB standards and Section 10A: (1) to determine whether an illegal act occurred; (2) to understand the quantitative and qualitative effect of the illegal act on the client’s financial statements and on the audit itself; (3) to determine whether management has taken sufficient remedial action to address the illegal act; and (4) to make required reporting to the client’s management, board of directors, and audit committee. Failure to strictly comply with these obligations can subject auditors to severe penalties, and it is the audit committee’s job to oversee these determinations and to ensure that auditors maintain adequate independence to make these determinations.
Increased Pressure on Audit Committees Through Rulemaking and Enforcement
Audit committee obligations continue to be informed by those placed on their outside auditors. And, as outside auditors face greater scrutiny and tighter regulations, their demands of audit committees inevitably grow.
In 2024, in response to reports by the PCAOB of a troubling increase in deficiency rates found in its recent inspections, the SEC’s chief accountant, Paul Munter, released a statement emphasizing the importance of auditors and audit committees for the proper functioning of our capital markets and calling on auditors and audit committees to enhance their focus on audit quality.[32] Since then, the SEC has approved updated PCAOB Quality Control Standards, which raised the existing requirements for audits.[33] The purpose of the update was to improve audit quality, but the update inevitably increased pressure on auditors to meet, and indirectly on audit committees to monitor auditor compliance with, the heightened quality standards.
Additionally, in August 2024, the SEC approved two PCAOB proposals updating and amending a variety of rules. The new AS 1000, General Responsibilities of the Auditor in Conducting an Audit, consolidates and modernizes general principles and responsibilities for auditors conducting an audit.[34] Moreover, amendments to AS 1105, Audit Evidence, and AS 2301, The Auditor’s Response to the Risks of Material Misstatement, address the use of technology-assisted data analysis in audit procedures—clarifying the auditor’s responsibilities when using analytical tools to conduct an audit.[35] The SEC also approved the PCAOB’s amendments to Rule 3502, Responsibility Not to Knowingly or Recklessly Contribute to Violations, which governs liability of a person at a public accounting firm who contributes to the firm’s violation of the laws, rules, and standards enforced by the PCAOB. Notably, the amended Rule 3502 lowered the standard for an associated person’s contributory liability from recklessness to negligence.[36]
Failure to comply with these constantly evolving standards may result in severe consequences for auditors. In 2013, the SEC charged three auditors for violating federal securities law.[37] The investigation was designated “Operation Broken Gate,” highlighting the SEC’s position that auditors are gatekeepers to the financial markets.[38] The three auditors were charged with myriad violations of the Exchange Act and the SEC’s Rules of Practice, which resulted in the auditors being suspended from practicing as accountants.[39] The SEC has continued to enforce its rules as the regulatory regime has become more complex. In May 2024, the SEC charged BF Borgers CPA PC and its owner with violations of the PCAOB’s standards in more than 1,500 audits over more than twenty years.[40] As a result, BF Borgers and its founders were forced to pay civil penalties and prohibited from appearing before the SEC as accountants.[41]
This regulatory attention is directed at auditing firms of all sizes, including the very largest. In June 2023, the SEC charged Marcum LLP with firm-wide quality control deficiencies, resulting in a $10 million fine and censure. SEC leadership was unsparing in connecting its observations about Marcum’s alleged quality control deficiencies to the firm’s financial interests:
“Public company auditors occupy positions of trust that are critical to protecting investors and our capital markets more broadly,” said SEC Chair Gary Gensler. “Marcum neglected its essential gatekeeper function in service to its own growth. Marcum took on more than 600 new SPAC clients for a nearly six-fold increase in just one year, churning out audits at an unsustainable pace causing widespread quality control and audit standard violations that put its clients and the investing public at risk.”
“Throughout the SPAC boom of the last several years, Marcum prioritized increased revenue over audit quality: its aggressive pursuit of business growth far outpaced any commensurate development of an already weak system of quality controls,” said Gurbir S. Grewal, Director of the Division of Enforcement. “From 2020 through 2021, the market saw more than 860 SPACs complete IPOs and Marcum audited nearly half of them, without adequate consideration for its ability to serve as gatekeepers.”[42]
The PCAOB’s Evolving Standards
As if existing pressures were not enough, the PCAOB has considered additional auditing standards while existing Quality Control Standards continue to evolve.[43] The PCAOB has a heightened interest in policing fraud at public companies and has opted to shift that burden to auditors.
One recent example of shifting standards from the PCAOB is the adoption of QC 1000, A Firm’s System of Quality Control, and its delayed implementation. QC 1000 was adopted on May 13, 2024.[44] The new Quality Control Standard will require all auditors to design, implement, and operate a quality control system within the standard’s framework.[45] Each audit firm will be required to evaluate the effectiveness of its quality control system by September 30 and report the results of that evaluation on Form QC to the PCAOB by November 30.[46] The firm’s principal executive officer will bear the ultimate responsibility for the quality control system.[47] However, firms must also designate separate individuals who will also be responsible for: (a) the system as a whole, (b) compliance with the ethics and independence requirements, (c) the monitoring and remediation process, and (d) other components of the quality control system if appropriate.[48]
QC 1000 was scheduled to become effective on December 15, 2025. Less than six months before the scheduled effective date, on August 28, 2025, the PCAOB postponed QC 1000’s implementation to December 15, 2026.[49] Indeed, the Center for Audit Quality (“CAQ”) requested that implementation be delayed, citing concern that its member firms would be unable to comply by December 2025.[50] While firms now have another year to prepare for the implementation of QC 1000, it still represents a significant change to the existing landscape with increased costs for auditors.[51] These costs and some of QC 1000’s additional requirements will inevitably creep upward, placing additional responsibilities on audit committees.
Obligations Imposed on Audit Committees by Delaware Law
In addition to federal laws and regulations and applicable listing standards, audit committees face additional pressure from Delaware law. Despite the prevalence of federal law, the fiduciary duty analysis of an audit committee’s conduct remains an issue of state law controlled by the state of incorporation.
As has widely been reported, Delaware, via Senate Bill 21 (“SB 21”), recently enacted amendments to its corporate law that protect conflicted directors in various contexts by improving predictability of certain areas of Delaware corporate law and minimizing exposure to potential litigation.[52] SB 21 also limits the scope of “books and records” actions pursuant to section 220 of the Delaware General Corporation Law. More specifically, shareholders may request only formal corporate documents and board materials, not director, officer, and manager communications such as emails and texts.[53] At the outset, and perhaps obviously, changes to Delaware corporate law or other state corporate law do not directly impact auditors’ obligations, and thus what audit committees must do as a practical matter remains unchanged. It is far from clear, however, how recent changes to Delaware law will affect audit committee obligations when evaluating conflict transactions.
Despite changes to Delaware law pursuant to SB 21, many obligations of directors remain intact. Under In re Caremark International Inc. Derivative Litigation,[54] which remains good law, simply forming an audit committee and hiring an auditor are not enough for directors to avoid liability. A Caremark claim is based on a director’s failure to oversee the company’s operation, which results in a breach of the duty of loyalty.[55] An audit committee that meets sporadically, devotes inadequate time to its work, or notices accounting irregularities and chooses to ignore them will not have fulfilled its obligations pursuant to Delaware law.[56] If circumstances require an audit committee to meet more frequently to identify and address red flags, then directors fail to satisfy their fiduciary duties by only meeting when prompted by federal securities laws.[57]
As Caremark litigation has become more prevalent, the doctrine has become a potent tool for plaintiffs. Traditionally, Caremark claims rarely survived a motion to dismiss, which may have caused audit committees to place a lower priority on Caremark. But the potential for liability under Delaware law was brought back into focus by Marchand v. Barnhill in 2019, which demonstrated the case-by-case analysis applied by Delaware courts.[58] In Marchand, the Delaware Supreme Court held that Caremark “require[s] that a board make a good faith effort to put in place a reasonable system of monitoring and reporting about the corporation’s central compliance risks.”[59] Delaware courts remain skeptical of Caremark claims and have reiterated that “how directors choose to craft a monitoring system . . . is a discretionary matter” and that the law’s good faith requirements do not necessarily “require a system to the plaintiffs’ liking.”[60] Nevertheless, plaintiffs have begun to apply Caremark in more creative ways, and the Delaware courts, to a certain extent, have entertained these arguments. For example, the Delaware Court of Chancery indicated that an audit committee’s failure to adequately identify internal cybersecurity risks and notify directors could subject directors to Caremark liability.[61]
Although audit committees may initially focus on their obligations pursuant to federal law, they should not overlook the risk of liability pursuant to Delaware law (or other applicable state law). It is imperative that audit committees monitor, identify, and address red flags. Given the ever-expanding role of audit committees, it is likely that the number of potential red flags within the audit committee’s purview will continue to grow.
Conclusion
These dynamics—pressure from the SEC, national securities exchanges, and accounting authorities; recent rulemaking and enforcement; proposed amendments from the PCAOB; and Delaware law—have created a maze of laws and regulations for auditors to navigate. As audit committees’ core financial and audit oversight responsibilities are increasing in nature and complexity to meet changing regulations and accounting standards, audit committees are also facing “scope creep,” with new responsibilities falling to the audit committee.[62] Audit committees do not appear to be at risk of diminished responsibility under changing regulatory priorities. As a result, the current dynamic regulatory and legal environment provides no reprieve to audit committees.
Because of the shifting legal landscape, audit committees should consider thoroughly reviewing their existing procedures and reporting systems. This may require a reallocation of responsibilities to better balance directors’ workload and oversight functions. Boards should be cognizant of the growing workload for members of audit committees as their responsibilities, likewise, have increased. Boards should also be aware of the resources necessary to support those growing responsibilities.
We encourage audit committees to regularly engage with management, legal counsel, and outside auditors in order to ensure that they have an adequate understanding of the evolving and growing issues within their purview.
Press Release, U.S. Sec. & Exch. Comm’n, supra note 2.
Order Instituting Cease-and-Desist Proceedings Pursuant to Section 21C of the Securities Exchange Act of 1934, Making Findings, and Imposing a Cease-and-Desist Order at 2, In re Shirley Kiang, No. 3-15816 (Mar. 27, 2014).
The PCAOB had previously recommended amendments to AS 2405, Illegal Acts by Clients, including replacing “illegal acts” with “noncompliance with laws and regulations” and explicitly including fraud within the definition of noncompliance with laws and regulations. See Noncompliance with Laws and Regulations, PCAOB.org (June 6, 2023). This change would have expanded the potential wrongdoing that auditors are required to review and report, but the project was abandoned in 2025.
Letter from Dennis J. McGowan, CAQ, to George Botic, Acting Chair of PCAOB, Re: PCAOB Standard A Firm’s System of Quality Control and Other Amendments to PCAOB Standards Rules, and Forms (SEC Release No. 34-100968), at 2 (July 23, 2025) (“Despite these significant efforts, a number of our member firms remain concerned about their ability to confidently comply with QC 1000 by the effective date. We also continue to see that certain concerns raised by firms and the CAQ during the standard-setting process have manifested as real implementation challenges for several of our member firms.”)
In re Plug Power Inc. S’holder Derivative Litig., No. 2022-0569, 2025 WL 1277166, at *14 (Del. Ch. May 2, 2025) (dismissing Caremark claims based on audit committee’s response to SEC comment letters).
Firemen’s Ret. Sys. of St. Louis v. Sorenson, 2021 WL 4593777 (Del. Ch. Oct. 5, 2021).
What Exactly Is This Private Target Deal Points Study, Anyway?
The Private Target Deal Points Study is a publication of the Market Trends Subcommittee of the Business Law Section’s M&A Committee. It examines the prevalence of certain provisions in publicly available, private target M&A transactions during a specified time period. The Private Target Deal Points Study is the preeminent study of M&A transactions, widely utilized by practitioners, investment bankers, corporate development teams, and other advisors.
What Time Period Will Be Covered by the Study?
The 2025 iteration of the Private Target Deal Points Study will analyze publicly available definitive acquisition agreements for transactions executed and/or completed either during calendar year 2024 or during the first quarter of calendar year 2025.
What Industries Will Be Covered by the Study?
The deals in the Private Target Deal Points Study reflect the broad array of industries of the deals that were conducted in our time period. In this year’s study, the technology, healthcare/pharma/biotech, and industrial goods & services / manufacturing sectors were the largest sectors, together making up approximately 41 percent of the deals.
What Is the Size of the Transactions of the Study?
The transactions analyzed in the Private Target Deal Points Study were in the “middle market,” with purchase prices ranging between $25 million and $900 million; purchase prices for most deals in the data pool were $200 million or below.
Where Are You in the Process of Releasing the Study?
Almost all of our ten issue groups have turned in their data, and we are processing and analyzing it, running quality control checks, and finalizing the slides.
Can You Share Any Sneak Preview Data?
We shared a couple of sneak preview data points with attendees at the meeting of the Market Trends Subcommittee at the ABA’s M&A Committee meeting in September and encourage you to sign up for the M&A Committee and its various subcommittees if you haven’t already—at the following link: Join the BLS M&A Committee.
We can give you a peek ahead (understand, however, that our process is still ongoing and thus these data points may not be final):
Number of deals referencing RWI has come back up
The sneak peek: Representations and warranties insurance (“RWI”) has been a huge game changer in M&A deals. We measure whether a deal in our study pool utilized RWI by the closest proxy we can access: whether the purchase agreement references RWI. (Of course, RWI may have been obtained without such a reference in the purchase agreement.) The 2023 version of the Private Target Deal Points Study showed RWI references dropping to 55 percent (down from nearly two-thirds of deals referencing RWI in the 2021 version of the Study). In 2025, we are back to nearly two-thirds (64 percent) of all deals in the Study pool referencing RWI.
Sellers benefiting from fewer closing conditions related to legal proceedings
The sneak peek: Stand-alone conditions to closing related to legal proceedings challenging the transaction dropped down from 46 percent in the 2023 version of the Study to 35 percent in this iteration of the Study. In that subset of deals where this condition was included, it is now more likely to be limited to governmental proceedings only (as opposed to any legal proceedings).
Please keep an eye out for our study and for an In the Know webinar to be scheduled, during which the chairs and issue group leaders will provide analysis and key takeaways from the results of the 2025 Private Target M&A Deal Points Study.
A junior-level staff member reports that she is being bullied by a supervisor. A mid-level staff member appears to be using the nonprofit organization’s credit card for occasional personal purchases. A senior-level staffer reports alleged financial improprieties relating to a federal grant. The CEO reports that the board chair is acting too familiar, with personal comments and affectionate touches. In each of these circumstances, a nonprofit may be called upon to conduct an internal investigation. This article provides practical tips for conducting defensible and effective internal investigations.
1. The Preliminary Assessment
Before an investigation commences, the organization must swiftly assess the nature of the allegations to ascertain whether there are any immediate threats to physical safety or business operations that can and should be managed. For example, if an employee reports a credible threat of workplace violence, of course, the first step is to notify local law enforcement and implement any other interim measures reasonably calculated to protect employee safety. The organization also should assess immediate threats to the organization itself. For example, if it is alleged that an employee is using the employer’s credit card for personal purchases, the organization may want to put a temporary hold on the employee’s account or monitor the account more closely while the investigation is pending. In other circumstances, where there are concerns about evidence preservation, the organization may direct IT to capture a forensic snapshot of a computer.
Other preliminary considerations concern the nature of the allegations and the party best suited to conduct the investigation. Regarding the nature of the allegations, one should ask, “If the allegations are true exactly as they are presented, do they amount to a violation of the law or organizational policy?” Not all allegations warrant a timely and costly investigation. Imagine, for example, that the organization has a policy prohibiting open-toed shoes in the workplace. An employee reports that her supervisor “bullied” her by admonishing her for wearing flip-flops to work. Even though the organization likely has an anti-bullying policy, it is not reasonable to conclude that a supervisor’s effort to enforce a workplace dress code by itself amounts to bullying. Carefully making these preliminary assessments can protect the organization from unnecessary expenditure of time and resources. Be careful, though, not to summarily dismiss actionable claims simply because they do not incorporate expected buzzwords. A report that an employee is being treated dissimilarly from other employees from different racial backgrounds must be investigated, whether or not the complainant expressly labels the differential treatment as “discrimination.”
Moreover, the organization must evaluate who is best suited to conduct an investigation, which requires thoughtful analysis of potential legal, reputational, financial, operational, and ethical risks facing the organization. Human resources staff may be well suited to address more routine workplace matters. Other matters may require an external investigator. For example, assume a party alleges that the chief human resources officer harbors bias against her. Depending on the facts, it may be prudent for an organization to engage an external, independent investigator to extinguish any claims about compromised neutrality. Alternatively, if sensitive allegations are raised involving the CEO and the board chair, or if the allegations implicate legal or other high-profile matters, it may be prudent to engage external legal counsel to conduct a privileged investigation.
Finally, note that not all internal investigations need to be “independent” ones (although some do call for such independence). Be sure to carefully consider the role of attorney-client privilege (although not all internal investigations are designed to be or remain privileged), and be sure to involve legal counsel at the outset of and throughout all internal investigations (if legal counsel is not conducting the investigation). For instance, if a forensic audit needs to be conducted as part of an investigation, presuming it is a privileged investigation, the nonprofit will want legal counsel to retain the forensic audit firm so that the audit firm’s work product is protected by privilege.
2. Identifying Governing Laws and Organizational Policies
Once the organization decides to proceed with an investigation, the lead investigator must determine which laws and organizational policies govern. For example, if an employee alleges that they are being sexually harassed by a supervisor, Title VII of the Civil Rights Act of 1964 (depending on the size of the organization), state laws, and organizational policies are likely implicated. Notably and importantly, allegations may evolve over time; as such, the investigator must be able to identify when other policies or laws are triggered. Of course, as is true for all operations, the organization must follow policies to a tee. Failure to do so will usually create legal exposure for the entity.
3. Planning the Investigation Strategy
Next, the lead investigator must thoughtfully craft an investigation strategy. What steps does the organization’s policy require? In what order? What is the scope of the investigation? What is being investigated? What is not being investigated? What information must be acquired to substantiate or refute a policy violation? Who may have personal knowledge of the facts underlying the allegations? What might each person be able to tell the investigator? Who else may have valuable information? What tangible evidence might exist that will help the investigator acquire needed information (e.g., account statements, video footage, text messages, emails)? Which witness should be interviewed first? Last? When should each witness be notified? A thoughtful strategy is key to a successful investigation.
4. Conducting Interviews
There is an art and a science to conducting investigative interviews that involves everything from building rapport, to funneling information, to deescalating emotions. While a full treatment of interview methodology is not possible here, a brief comment on the art of the question may prove valuable. Certainly, an investigator will prepare by broadly identifying key topics and questions. Even so, the most defensible investigation will derive from organic conversation, which almost never follows a prepared script. The best investigators ask open-ended questions, listen, and pull threads, taking cues from the interviewees regarding how the conversation will proceed. For example, imagine a sexual harassment investigation. The organization’s policy prohibits “severe or pervasive” sex-based misconduct, and the investigator must engage the interviewee in a neutral manner to make a finding of fact as to whether the described conduct was “severe or pervasive.” Often, investigators’ first instinct is to parrot the policy, asking, “Would you describe the conduct as ‘severe or pervasive?’” That is not a good strategy. The more defensible approach is to ask neutral, open-ended questions such as the following: “What did he say next?” “Tell me more.” “How often did that happen?” Asking open-ended questions and letting the interviewee guide the conversation enables the investigator to elicit unprimed information and better carry out their role as a neutral fact-finder.
From time to time, an investigator may encounter an uncooperative complainant, respondent, or witness. As a matter of law, and with some exceptions, employers can require that employees participate in internal investigations, though again, this kind of action should be undertaken only upon advice of legal counsel. (Generally, volunteer leaders such as officers and directors cannot be compelled to participate in such investigations.) When an investigation must proceed without a complainant, respondent, or others, the investigator should clarify that findings of fact will be made without the benefit of the uncooperative party’s input. That admonishment sometimes prompts the uncooperative party to participate, when they initially would not.
5. Gathering and Evaluating Evidence
During interviews, interviewees may refer to emails, text messages, social media posts, photographs, and other evidence to support their representations. Make note of this tangible evidence and ask the interviewee to send documents and information after the interview concludes.
6. Making Findings of Fact
With all evidence acquired, the investigator must ask themselves, “What facts are not in dispute?” Mark those down, as they are as germane to the investigation as disputed facts. Next, identify disputed facts. Of the disputed facts, which facts are corroborated? Does an email or video footage verify a particular version of a story? Did multiple witnesses share the same recollection? If an information gap persists, is there any way the gap can be closed, either through an additional interview or through acquiring additional tangible evidence?
On occasion, but rarely, an investigator may be required to make a finding of fact based on a credibility assessment alone—that is, a determination regarding whose version of events is more likely to be true. Ideally, credibility assessments should be grounded in objective criteria. Did one individual’s story change over time while the other’s remained intact (of course, keeping in mind trauma-informed practices where appropriate)? What are the parties’ underlying motives—who had more to lose? Did you hear the same story from multiple disinterested parties and a different story from one individual? All of these questions and more can help an investigator make reasoned credibility findings.
Unless the law, or the organization’s employee handbook or governing policies, require a higher standard of proof, findings of fact should be based on a “preponderance of the evidence”—that is, “Is it more likely than not that [the event in question] did or did not occur?” For each finding of fact, the investigator should be able to produce clear and articulable grounds underlying the finding.
7. The Investigation Report
Finally, and importantly, findings of fact should be memorialized in a written investigation report. At a minimum, the report should include a recitation of the allegations, a description of the investigation methodology, a list of operative policies and procedures, a description of the evidentiary standard, a statement of undisputed facts, and factual findings (including the evidentiary grounds upon which the findings are based), and potentially recommendations as well, depending on the role of the investigator.
While the aforementioned tips generally reflect sound investigation practices, each circumstance is unique, especially in a remote-work environment, where multiple jurisdictions’ laws may graft onto the employer (as state employment laws generally apply based on the jurisdiction in which the employee principally works). Further, each fact pattern is unique. An investigation into a potential misappropriation of federal funds may trigger federal reporting obligations. Significant diversions of assets such as embezzlement and theft are required to be reported on the IRS Form 990. A sexual misconduct investigation involving a California employee may require a host of rights and protections not required in other jurisdictions. And, of course, when, how, and to what extent to keep the nonprofit’s volunteer leadership involved is always a key consideration; generally speaking, keeping at least the entity’s senior volunteer leaders informed (be it the board chair, executive committee, or full board of directors) is certainly prudent, but always with strict confidentiality reminders.
Finally, whether an organization decides to proceed with an in-house investigation, outsource the investigation to an independent third party, or engage an attorney (whether in-house or external), it is crucial that the investigator is knowledgeable about the law and best practices for each of many unique circumstances. In all cases, it is advisable to consult legal counsel throughout the process.
Holly Peterson is Counsel at Tenenbaum Law Group PLLC. She regularly conducts internal investigations for nonprofit organizations and educational institutions on complex employment and governance matters. Holly can be reached at [email protected].
If your clients use artificial intelligence (“AI”) tools for content creation, something that is incredibly likely given AI’s widespread adoption of late, two federal court decisions from June 2025—Kadrey v. Meta Platforms, Inc.[1] and Bartz v. Anthropic PBC[2]—just changed their liability exposure. Both rulings found that AI training constitutes fair use, but each emphasized that businesses using AI-generated content remain liable for any copyright infringement in the outputs that they create and publish.
These cases focused on AI training specifically, but, in doing so, they also addressed output liability—highlighting risks that many businesses haven’t fully considered or prepared for. For example, a marketing firm using AI to draft client proposals faces the same copyright liability that it would for human-authored content that infringes, but it may not have policies addressing this exposure. Similarly, a law firm generating brief templates with AI faces potential copyright issues that don’t exist when using AI for case research. Understanding how these decisions analyze AI technology helps business lawyers better advise clients on managing copyright risks in all aspects of AI-generated content creation.
What the Courts Actually Decided
Both courts distinguished between AI training (how systems learn from data) and AI generation (when users prompt systems to create content). While training received fair use protection, the judges emphasized that businesses using AI tools remain liable for copyright infringement in the outputs that they create and use.
Judge Chhabria in Kadrey introduced a “market competition” theory that could dramatically expand copyright liability. Traditional copyright law requires that infringing works serve as substitutes for originals—someone reads the copy instead of buying the original. The Kadrey court suggested that AI-generated content might infringe simply by competing with copyrighted works, even without direct substitution. Under this theory, a consulting firm using AI to generate market research reports could face liability if those reports compete with copyrighted research, regardless of whether clients would have purchased the original reports.
Judge Alsup in Bartz took a different approach, fragmenting the analysis into separate questions about data acquisition and training. His decision suggests that how AI companies obtained their training data could affect fair use protection for end users. Companies using AI systems trained on unauthorized content might face greater liability than those using systems trained only on licensed materials—though most businesses have no visibility into their AI providers’ training data sources.
Immediate Business Risk Assessment
These decisions create different exposure levels depending on how clients use AI tools.
Content creation presents the highest risk under the new Kadrey framework. An advertising agency using AI to create campaign materials that resemble existing advertisements faces potential liability even if the AI outputs serve different purposes than the originals. A marketing firm generating social media content with AI tools must consider whether those outputs compete with copyrighted posts, graphics, or campaign materials.
Professional services face more complex analysis. A law firm using AI to draft contracts or briefs creates potential exposure if outputs closely resemble copyrighted legal materials, particularly specialized forms or distinctive arguments from legal publications. However, a firm using AI for case research or document review operates in safer transformative use territory because these applications serve different purposes than the original materials.
Healthcare organizations using AI for patient communications or educational materials must monitor whether outputs resemble copyrighted medical publications or patient education resources. Financial services firms generating investment analysis or client reports with AI face liability if those outputs compete with copyrighted financial research or proprietary investment strategies.
Operational applications like customer service chatbots or internal documentation generally present lower risks, but companies should still establish policies preventing deliberate reproduction of copyrighted materials.
Five Critical Questions Before Using AI for Content Creation
Business lawyers should walk clients through this assessment before implementing AI content generation:
1. Does the AI output compete in the same market as copyrighted works? If yes, document why the use serves different purposes and implement review procedures.
2. Can you identify the training sources for your AI system? If using commercial AI services with opaque training data, which will often be the case, strongly consider additional safeguards against reproducing copyrighted content.
3. Do you have policies preventing deliberate copying? Establish clear guidelines prohibiting employees from prompting AI systems to reproduce known copyrighted materials.
4. Can you demonstrate transformative purpose? Document how AI usage serves legitimate business functions distinct from consuming original copyrighted works.
5. Do you have review procedures for high-risk outputs? Implement screening for AI-generated content intended for publication, marketing, or external distribution.
Practical Compliance Framework
Companies should implement documentation showing good-faith efforts to prevent copyright infringement. This includes maintaining records of AI implementation purposes, establishing clear usage policies that prohibit deliberate reproduction of copyrighted content, and providing employee training on both AI capabilities and copyright limitations.
For higher-risk applications like content creation, establish review procedures before publication or distribution. A simple workflow requiring human review of AI-generated marketing materials, social media posts, or client communications can demonstrate reasonable efforts to prevent infringement while preserving operational benefits.
Employee training should emphasize that fair use protection isn’t automatic. Staff need to understand that prompting AI systems to create content “in the style of” specific copyrighted works or asking for materials that closely mimic known publications creates liability exposure. Clear examples help: asking ChatGPT to “write a blog post about cybersecurity” generally presents low risk, while asking it to “write a blog post like the recent Harvard Business Review article on cybersecurity” creates potential problems.
Companies should also address inherited liability from AI systems trained on questionable datasets. While legal standards remain unclear, businesses can demonstrate good faith by avoiding AI services known to have used unauthorized training materials and transitioning to providers with transparent data sourcing when feasible.
Documentation should include regular risk assessments evaluating AI applications across different business functions. Higher-risk uses like creative content generation require additional safeguards, while operational applications like data analysis face lower exposure.
Litigation Strategy Implications
These recent court decisions shift copyright litigation strategy significantly. Discovery will focus on internal policies, employee training, and evidence of intentional copying rather than just comparing AI outputs to copyrighted works. Companies that can show robust compliance frameworks and good-faith efforts to prevent infringement strengthen their defense position.
The Kadrey market competition theory creates new motion practice challenges. Even businesses demonstrating transformative purpose might face factual disputes about market competition that survive early dismissal motions. This makes settlement discussions more attractive, particularly when focused on prospective compliance measures rather than retrospective damages.
Defense strategies should emphasize documented transformative purposes and compliance with recognized governance frameworks. Companies maintaining clear records of legitimate business purposes for AI usage, comprehensive employee training, and procedures for addressing potential copyright issues will have stronger positions in any litigation.
Managing Uncertainty During Appeals
While these district court decisions will likely face appellate review, the two- to three-year timeline for resolution means that businesses must address current exposure. The cost of implementing reasonable AI governance policies remains modest compared to potential copyright litigation expenses, making cautious compliance a sound business decision regardless of how these legal theories ultimately develop.
Companies should monitor legal developments while implementing protective measures now. Basic documentation, employee training, and usage policies provide protection against various liability theories, not just the specific approaches in Kadrey and Bartz. These measures also demonstrate good faith in any future litigation, providing valuable leverage regardless of how appellate courts rule.
The key insight from these decisions is that businesses cannot simply assume that AI tool usage is protected. While AI training generally receives fair use protection, companies using AI-generated content must implement appropriate safeguards and compliance measures. Those establishing robust governance frameworks now—treating these decisions as important guidance while they work through the appellate process—will be best positioned regardless of how this legal landscape ultimately develops.
No. 23-cv-03417-VC, slip op. (N.D. Cal. June 25, 2025).
No. 24-cv-05417-WHA, slip op. (N.D. Cal. June 23, 2025).
This is the ninth installment in the Year in Governance Series from the In-House Subcommittee of the ABA Business Law Section’s Corporate Governance Committee. Each month, the series will share key tips on a different corporate governance topic. To get involved in the Corporate Governance Committee, please visit the committee’s webpage.
A message from Kathy Jaffari: “As Chair of the Corporate Governance Committee, I would like to extend my sincere appreciation to the authors for this publication. The Corporate Governance Committee has ongoing opportunities for writing and volunteering with various projects, whether it’s an article you want to publish or a CLE that you want to present. Our Committee is dedicated to helping you promote informative resources for corporate governance practitioners. You may contact me at [email protected] to get involved.”
The attorney‑client privilege—a cornerstone of sound governance—allows for candid legal advice, but it can be waived through common missteps, and small missteps can waive protection for the entire board of directors. These ten tips offer practical advice to preserve the privilege.
Master the fundamentals. Broadly, a communication is privileged if it seeks or provides legal advice and is maintained as confidential. It is the content of the communication that matters, not the label: copying in-house counsel on a purely business email chain and marking it “Privileged” does not make it so. Remember that the privilege belongs to the corporation, not individual directors—a distinction that becomes critical during investigations or when the interests of directors (individually or as a group) diverge from those of the company.
Wear multiple hats, but—preferably—not at the same time. In-house counsel who also have business roles routinely offer business, not legal, advice. That business advice is not protected by the attorney-client privilege. Sometimes counsel’s advice is “mixed” because the business and legal advice are intertwined. If litigation ensues, you will need to examine each communication to categorize it as business, or legal, or mixed advice. When the board is seeking legal advice from in-house counsel who has dual roles, it should be made clear—at the meeting and in the minutes—and the transition into seeking legal advice should be expressly memorialized. As for documents, separate the legal and business documents to the extent possible. If the documents have mixed content, try to separate and label the legal sections. This will make it easier to identify—and, later, protect—privileged information.
Protect the privilege when drafting minutes. Board meeting minutes should record that legal advice was received on a particular topic but need not summarize the substance of that advice. For executive sessions where legal matters are discussed with counsel present, keep a separate set of privileged minutes prepared by counsel. These privileged legal minutes should be maintained by counsel, follow retention policies, and be redacted before they are shared outside the privilege circle, such as with auditors. Recordings for board and committee meetings are strongly discouraged, but if audio or video recordings are created, they should be destroyed right away: the minutes are the sole official record, making it much easier to isolate and protect the privilege.
Manage digital communications. To maintain confidentiality, you must demonstrate an intent to maintain privacy. But many directors use employer-provided email accounts, personal email accounts, and other informal channels of communication that undermine any expectation of privacy and jeopardize privilege. Explicitly discourage substantive texting by directors, as text messages are discoverable in litigation. The ideal approach is for directors to use a secure board portal for all substantive communications. Another option is to issue company-hosted email accounts for directors and have them use only those accounts for all substantive communications. Alternatively, directors can also use a dedicated, secure personal account exclusively for board work. It may help to remind directors how litigation typically proceeds: that is, the collection and review of all emails and text messages and then a review for relevance. This reality check may help focus the directors’ minds on following these protocols.
Admit only necessary third parties. A third party's presence generally waives privilege unless it is necessary to provide or receive legal advice. For example, counsel advising about the propriety of insurance reserves may need an actuary present to explain the underlying analysis. When third parties are essential to effective communication, have counsel state on the record, for inclusion in the minutes, why their presence is needed to obtain legal advice. To the extent possible, engage and direct the third parties through outside counsel. If the third party is not essential for the legal advice—e.g., bankers, public relations personnel, board observers, etc.—excuse them and memorialize that action in the minutes.
Treat AI tools as potential third parties. Boards should establish clear protocols for using new technologies, including artificial intelligence (“AI”). To begin, a board should use only enterprise-grade technology with verified confidentiality protections. Turn off auto-recording on collaboration platforms, and for executive sessions discussing legal matters, consider avoiding AI transcription entirely: handwritten notes still work just fine. If the company uses AI to summarize or analyze large volumes of materials (such as board books), ensure that the tools used have been vetted for confidentiality, cybersecurity, and the appropriate data-use restrictions.
Insulate Special Committee investigations. When a Special Committee is formed, that committee—not the full board—becomes the “client” for purposes of the investigation. It is helpful to have separate counsel for the Special Committee run the process, provide the relevant Upjohn warnings, and report substantive findings only to unconflicted directors. Any advisors (e.g., forensic accountants, bankers) engaged for the Special Committee should be retained by counsel for a defined legal purpose, with committee counsel controlling the distribution of drafts and materials. Resist sharing detailed findings with conflicted directors or the full board: such disclosure can waive the privilege. And be clear about this approach when the Special Committee is formed.
Navigate cross-border investigation challenges. Attorney-client privilege rules may be different internationally. For example, in European Union competition matters, communications with in‑house counsel are not privileged. You should therefore default to local outside counsel and keep sensitive cross‑border advice in counsel‑controlled channels. Before sending any board materials to regulators, coordinate with counsel and assume that the voluntary disclosure of privileged materials risks broader waiver in subsequent litigation. When cooperating, prioritize facts and nonprivileged documents, and avoid waivers unless there is a deliberate, board‑approved strategy.
Treat the privilege like it matters. Treat privilege as you would any other governance risk: educate new directors during onboarding and re-educate current directors. Train directors and key executives on the fundamentals: legal versus business boundaries, proper use of the board portal, and communication protocols. Use clear subject lines like “Privileged & Confidential—Request for Legal Advice re [topic],” but use the labels appropriately. Also, consider having your outside counsel assess your privilege practices as they would in litigation, and conduct annual privilege audits to review practices and identify vulnerabilities.
Prepare for privilege challenges. Even if the board follows each of these tips, privilege may be challenged in litigation or inadvertently waived. Establish clear protocols now: designate who is empowered to waive privilege (typically only the board or authorized officers), document your privilege procedures, and maintain a privilege log for sensitive matters. Understand the consequences of waiver (including deliberate waivers), which can extend beyond a single document to the entire subject matter. When litigation looms, do not wait to implement a legal hold, and seek a Rule 502(d) order to protect against inadvertent waiver. By implementing these protocols, you can create a culture that minimizes risk and preserves the attorney-client privilege.
The views expressed in this article are solely those of the authors and not their respective employers, firms or clients.