Global Crisis Management Series:  This post is part 5 in a series concerning topics further elaborated on in Cleary Gottlieb’s Global Crisis Management Handbook—a desk reference for spotting issues and avoiding common mistakes when faced with a crisis.  The current version is available here.

Effectively dealing with a crisis often requires disclosure to government authorities, shareholders, and other stakeholders, even when many facts remain unknown.  Companies must walk a delicate line when assessing when, to whom, and how much to disclose, especially in the absence of complete information.

Mandatory Disclosure

One of the first things a company should consider in a crisis is whether disclosure to authorities is mandatory.  Mandatory disclosure obligations vary widely across legal regimes and may be imposed by Congress, government regulators, self-regulatory bodies, or even stock exchanges.  For example, regulated entities may face prompt disclosure obligations to report violations of financial laws to FINRA (Rule 4530) or annual disclosure obligations to report misconduct to the CFTC in the entity’s chief compliance officer report (although earlier disclosure of a crisis may be advisable).  Often the relevant laws, rules, and regulations do not specify what information must be disclosed, injecting substantial discretion into what is otherwise a mandatory obligation.

Requirements under the federal securities laws generate a particularly important set of mandatory disclosure obligations because of the breadth of the obligations and because both the SEC and private parties may bring suit when companies fail to meet them.  Regulation S-K, for example, imposes affirmative obligations on registrants to disclose “any material pending legal proceedings” and “proceedings known to be contemplated by governmental authorities,”[1] and “any known trends or uncertainties that have had or that the registrant reasonably expects will have a material favorable or unfavorable impact on net sales or revenues or income from continuing operations.”[2]  Even where companies have no affirmative obligation to disclose a crisis, they should consider whether facts uncovered in managing the crisis may render other statements materially misleading.  In a crisis, time is of the essence.  Nonetheless, courts generally agree that companies are permitted a reasonable amount of time to investigate potential wrongdoing before any disclosure obligation attaches.[3]

Finally, one particularly complex and growing strain of mandatory disclosure and notification obligations that has emerged in recent years relates to cyber-breaches of personal information stored by a company.  When certain personal information has been compromised, these statutes require notification to, variously, state attorneys general, credit reporting agencies, and affected customers.  Disclosure obligations vary across all 50 states depending on the type and format of the information acquired (for example, whether it was encrypted) and the number of residents of that state who are affected, further complicating a company’s ability to respond quickly to such a crisis.  Still, these laws often require rapid reporting.  For example, companies doing business in New York must disclose any breach of data “in the most expedient time possible and without unreasonable delay,” albeit with the caveat that companies may first take measures to determine the “scope of the breach.”[4]  Global privacy regimes impose similar obligations.  Most notably, Europe’s General Data Protection Regulation requires notification to the competent supervisory authority without undue delay and, where feasible, within 72 hours of having “become aware” of a data breach; a notification made after 72 hours must be accompanied by the reasons for the delay.[5]  The practical consequence is that the clock starts at awareness, not at the end of the investigation, so companies should expect to notify on the basis of incomplete facts and supplement later.

Voluntary Disclosure

Enforcement authorities confer a variety of benefits on companies that self-report issues, ranging from cooperation credit to full amnesty.  Self-reporting generally allows companies to influence the tone of the investigation and the flow of information, critical elements that are lost when a whistleblower or journalist brings an issue to light.  On the other hand, concessions made in self-reporting may be admissible against the company in a civil case.  Further, self-reporting, and the ongoing cooperation that generally follows, can impose significant costs and generate uncertain risks, especially where the company has not yet established the full extent of wrongdoing or where undiscovered misconduct awaits.  Self-reporting is a central element of government leniency policies.  For example, the DOJ Justice Manual generally considers voluntary disclosure as a “factor” in evaluating “overall cooperation,”[6] and the FCPA Corporate Enforcement Policy offers prescribed benefits, such as a presumption of declination or, where declination is not appropriate, a 50% reduction off the low end of the applicable fine range, to companies that self-report, cooperate, and appropriately remediate any wrongdoing.[7]  Other agencies, such as the EPA, have formal voluntary disclosure programs with concrete steps for the company to follow in order to receive credit.

The timing of voluntary disclosures can be critical to the degree of leniency received.  Most notably, the DOJ Antitrust Division’s Leniency Program provides “only one corporate leniency per conspiracy,” and as such the Division has a formal “marker” system that lets a corporation reserve its place in line while it gathers the information needed to report a possible criminal antitrust violation.  In certain rare cases a company may preserve an anonymous marker while gathering additional information.[8]  Other authorities impose strict disclosure deadlines as a condition of credit.  For example, the EPA allows 9 months after acquiring a new company to disclose certain violations in order to receive penalty mitigation for violations that predate the acquisition.[9]  In all cases, companies should assume that a clock starts ticking once an issue is discovered, balance expediency with diligence, and recognize that disclosure may be necessary even when not all the facts are known.

Disclosures Based on Prior Resolutions

Prior agreements with authorities often generate ongoing disclosure obligations.  In particular, deferred prosecution and non-prosecution agreements (DPAs and NPAs) help companies avoid prosecution or conviction but can create pitfalls when handling future crises, and therefore companies should consider carefully the scope and nature of any reporting obligations created by such agreements.  Disclosure obligations under a DPA or NPA may extend beyond the conduct that is the subject of the agreement.  Even if not formally part of such an agreement, regulators may expect that a company subject to a DPA, NPA, or monitorship will disclose additional wrongdoing even if that wrongdoing is unrelated to the underlying conduct.  As such, companies should be mindful of both explicit and implicit disclosure obligations arising from settlements with regulators.

Disclosure to Commercial Partners

Though government regulators and agencies should be the first consideration, it is also important to consider whether a company needs to make disclosures to its commercial partners, customers, or suppliers.  Whether and when to do so is inevitably fact specific, but such disclosures can mitigate the collateral business consequences and disruptions, both reputational and legal, that crises can pose.

In short, the decisions about when, to whom, and how much to disclose are some of the most important decisions that a company will make at the outset of a crisis.  Often these decisions will have to be made without full information, and an appropriate public relations strategy should be developed alongside them so that the implications of speaking publicly about a crisis are fully considered.

[1] 17 C.F.R. § 229.103.

[2] 17 C.F.R. § 229.303.

[3] See, e.g., Gruber v. Gilbertson, No. 16-cv-9727, 2018 WL 1418188, at *10 (S.D.N.Y. Mar. 20, 2018) (Defendants “are permitted a reasonable amount of time to evaluate potentially negative information and to consider appropriate responses before a duty to disclose arises.” (citation omitted)); Higginbotham v. Baxter Int’l, Inc., 495 F.3d 753, 761 (7th Cir. 2007) (“Taking the time necessary to get things right is both proper and lawful.”).

[4] N.Y. Gen. Bus. Law § 899-aa.

[5] EU General Data Protection Regulation, Regulation (EU) 2016/679, Art. 33.

[6] Dep’t of Just., “Justice Manual,” § 9-28.900 (2018).

[7] Dep’t of Just., “Justice Manual,” § 9-47.120 (2018).

[8] Dep’t of Just., “Frequently Asked Questions About the Antitrust Division’s Leniency Program and Model Leniency Letters” at 2-3 (Jan. 26, 2017).

[9] EPA, “EPA’s Interim Approach to Applying the Audit Policy to New Owners” (May 15, 2018).