When founders picture legal risk, they picture contracts, IP disputes, and the occasional shareholder squabble. Criminal exposure feels like something that happens to other people in other industries. The reality is messier. A wire transfer that looks routine, a regulatory filing missed during a fundraising sprint, a heated incident at a company offsite, an employee accusation that escalates, any of these can put a founder or executive on the wrong side of a criminal inquiry long before civil lawyers can help.
And the cost of figuring out your defense plan after the fact is brutal. So how should a business leader think about criminal risk before there’s a knock at the door?
White-Collar Cases Are Not Slowing Down
The popular narrative is that white-collar enforcement waxes and wanes with each administration. The numbers tell a more layered story. According to TRAC at Syracuse University, federal white-collar prosecutions have hovered near historic lows in recent years, but state-level prosecutions, parallel civil enforcement, and regulatory referrals have picked up the slack. For a founder, the distinction is academic.
A subpoena from a state attorney general lands as hard as one from a U.S. Attorney.
The categories that catch business leaders off guard tend to be predictable. Wire fraud charges flowing from aggressive sales claims. Securities issues tied to early-stage fundraising. Tax matters that started as a bookkeeping shortcut. Workplace incidents that cross into assault or harassment territory.
None of these begin with a founder thinking, “This is criminal.” They begin with ordinary business pressure and end with an interview request.
The First 48 Hours Decide a Lot
Talk to any defense attorney long enough and the same theme surfaces: clients who call early have options, clients who call late have damage control. Prosecutors weigh cooperation, remediation, and the timing of counsel involvement when deciding whether to charge. Showing up prepared changes the conversation.
What “prepared” looks like in practice is unglamorous.
- Document hold. The instant something feels off, preserve emails, Slack history, and financial records. Routine auto-delete policies that were fine yesterday become a liability today.
- Single point of contact. Pick one person, usually outside counsel, to handle any government inquiry. Multiple voices create inconsistencies that prosecutors notice.
- Employee guidance. Staff have the right to speak with investigators, and also the right not to. Make sure they know both, in writing, without any hint of pressure.
- Insurance review. D&O policies often cover defense costs for criminal inquiries, but only if you notice the carrier on time. Read the policy before you need it.
Why a Local Defense Bench Matters More Than a Famous One
There’s a reflex among executives to hire the biggest name they can afford the moment trouble appears. Sometimes that’s right. More often, the lawyer who knows the local prosecutor, the local judge, and the local jury pool is worth more than a celebrity defender flying in from another state. Criminal practice is unusually relational, and prosecutors extend professional courtesies, like agreeing to a self-surrender or a delayed indictment, to lawyers they trust.
For a business with operations in the Carolinas, that means building a relationship with a firm that handles criminal defense matters in the state where your headquarters, your warehouse, or your key employees actually sit. Jurisdiction drives strategy. A federal wire fraud case venued in South Carolina plays out differently than the same charge in the Southern District of New York, from grand jury practice to sentencing norms.
Compliance Is Cheaper Than Defense, By a Wide Margin
Compliance programs get dismissed as overhead until they aren’t. A modest investment in written policies, anti-fraud training, and an internal reporting channel does two things at once. It reduces the odds of an incident, and it gives defense counsel something to point at when one happens anyway.
Prosecutors use the DOJ’s compliance evaluation guidance to decide whether a company gets charged, gets a deferred prosecution agreement, or walks away with a declination. The difference between those outcomes can run into the millions.
Founders who treat compliance as a brand exercise miss the point. The goal isn’t a poster in the breakroom. It’s a credible, documented record that the company tried to do the right thing, caught the issue, and acted on it. That record is what your lawyer leads with when the government comes calling.
Treat Criminal Risk the Way You Treat Cyber Risk
Most companies now run tabletop exercises for ransomware. Almost none run them for a criminal subpoena, an executive arrest, or a search warrant at the office. The exposure is comparable. The press cycle is uglier.
And the legal mechanics, who answers the door, who calls counsel, what gets said to employees and customers, deserve the same kind of rehearsed playbook.
The founders who weather these moments well aren’t the ones with the best luck. They’re the ones who built the relationships, the documents, and the muscle memory before the moment arrived. That’s not paranoia. It’s the same risk discipline you already apply everywhere else in the business.