Boards Should Put Time and Resources into Cybersecurity Issues – It Is Good for Business and Works as a Defense Strategy

We have previously blogged about Commissioner Aguilar’s recommendations at a NYSE conference, “Cyber Risks and the Boardroom” on what boards of directors should do to ensure that their companies are appropriately considering and addressing cyber threats. On October 20, 2014, the United States District Court for the District of New Jersey dismissed a derivative lawsuit (Palkon v. Holmes, Case No. 2:14-CV-01234) filed against directors and certain officers, including General Counsel, of Wyndham Worldwide Corporation (WWC). The Court’s opinion can be viewed as a real life validation of the principles outlined in the Commissioner’s speech.

ISS Guidelines for 2015 Proxy Season – More Holistic Review of Board Leadership Structure

On November 6, 2014, ISS released its 2015 proxy voting guidelines which update its benchmark policy recommendations. The updated policies will be effective for shareholder meetings held on or after February 1, 2015. Benchmark policy changes include ISS’ adoption of a more holistic approach to shareholder proposals calling for independent board chairs. ISS has focused on board leadership because shareholder proposals related to this issue have become quite frequent. ISS also cited a recent study finding that “retention of a former CEO in the role of chair may prevent new CEOs from making performance gains by dampening their ability to make strategic changes at the company” as one of the reasons for the policy update.

ISS has updated its “Generally For” policy with respect to such proposals to add new governance, board leadership, and performance factors to the analytical framework and to look at all of the factors in a holistic manner. Factors that are not explicitly considered under the current policy include the “absence/presence of an executive chair, recent board and executive leadership transitions at the company, director/CEO tenure, and a longer (five-year) total shareholder return (TSR) performance period.”

Under the new policy, ISS would recommend to generally vote “FOR” shareholder proposals requiring that the chairman’s position be filled by an independent director, taking into consideration the following:

  • The scope of the proposal (i.e., whether the proposal is precatory or binding and whether the proposal is seeking an immediate change in the chairman role or the policy can be implemented at the next CEO transition);
  • The company’s current board leadership structure (ISS may support the proposal under the following scenarios: the presence of an executive or non-independent chair in addition to the CEO; a recent recombination of the role of CEO and chair; and/or departure from a structure with an independent chair);
  • The company’s governance structure and practices (ISS will consider the overall independence of the board, the independence of key committees, the establishment of governance guidelines, board tenure and its relationship to CEO tenure; the review of the company’s governance practices may include, but is not limited to, poor compensation practices, material failures of governance and risk oversight, related-party transactions or other issues putting director independence at risk, corporate or management scandals, and actions by management or the board with potential or realized negative impact on shareholders);
  • Company performance (ISS’ performance assessment will generally consider one-, three-, and five-year TSR compared to the company’s peers and the market as a whole); and
  • Any other relevant factors that may be applicable.

Board Oversight of Political Contributions Is Gradually Becoming a Corporate Governance Standard

On September 24, 2014, the Center for Political Accountability and the Zicklin Center for Business Ethics Research published their fourth annual index of corporate political disclosure and accountability (2014 Index), which focuses on political spending disclosure of the top 300 companies in the S&P 500 Index. The 2014 Index reviews companies’ political transparency and oversight practices and policies disclosed on their websites and describes:

  • the ways that companies manage, oversee and disclose political spending;
  • the specific spending restrictions that many companies have adopted; and
  • the policies and practices that need the greatest improvement.

The 2014 Index demonstrates that a majority of reviewed companies continues to have some level of board oversight of their political contributions and expenditures; however, the percentage of such companies is going down as the number of reviewed companies increases (the 2014 Index reviewed 300 top companies in the S&P 500 Index compared to 200 reviewed companies in 2012 and 2013). For example,

  • 55% of companies said that their boards of directors regularly oversee corporate political spending compared to 62% of companies in 2013 and 56% in 2012;
  • 37% of companies said that a board committee reviews company policy on political spending compared to 57% of companies in 2013 and 49% in 2012; and
  • 44% of companies said that a board committee reviews company political expenditures compared to 56% of companies in 2013 and 45% in 2012.

PCAOB Adopts New Auditing Standard No. 18, Related Parties

On June 10, 2014, the Public Company Accounting Oversight Board (PCAOB) adopted Auditing Standard No. 18, Related Parties, as well as amendments to certain PCAOB auditing standards regarding significant unusual transactions and other related amendments to PCAOB auditing standards. Auditing Standard No. 18 superseded the PCAOB’s auditing standard AU sec. 334, Related Parties, which was issued in 1983. The new auditing standard and amendments will be effective, subject to approval by the SEC, for audits of financial statements for fiscal years beginning on or after December 15, 2014.

Generally, under the new standard, auditors will be required to engage in a detailed analysis of transactions with related parties and inquire of management regarding:

a. the names of the company’s related parties during the period under audit, including changes from the prior period;
b. background information concerning the related parties (for example, physical location, industry, size, and extent of operations);
c. the nature of any relationships, including ownership structure, between the company and its related parties;
d. the transactions entered into, modified or terminated, with its related parties during the period under audit and the terms and business purposes (or the lack thereof) of such transactions;
e. the business purpose for entering into a transaction with a related party versus an unrelated party;
f. any related party transactions that have not been authorized and approved in accordance with the company’s established policies or procedures regarding the authorization and approval of transactions with related parties; and
g. any related party transactions for which exceptions to the company’s established policies or procedures were granted and the reasons for granting those exceptions.

In addition to obtaining information regarding related party transactions from management, auditors will be required to inquire of others within the company regarding their knowledge of the foregoing matters. The auditor is expected to identify others within the company to whom inquiries should be directed, and determine the extent of such inquiries, by considering whether such individuals are likely to have knowledge regarding such matters as:

a. the company’s related parties or relationships or transactions with related parties;
b. the company’s controls over relationships or transactions with related parties; and
c. the existence of related parties or relationships or transactions with related parties previously undisclosed to the auditor.

The audit committee, or its chair, will also be questioned by the auditor regarding:

a. the audit committee’s understanding of the company’s relationships and transactions with related parties that are significant to the company; and
b. whether any member of the audit committee has concerns regarding relationships or transactions with related parties and, if so, the substance of those concerns.

The auditor will be required to communicate to the audit committee the results of the auditor’s evaluation of the company’s identification of, accounting for, and disclosure of its relationships and transactions with related parties, as well as other significant matters arising from the audit regarding the company’s relationships and transactions with related parties including, but not limited to:

a. the identification of related parties or relationships or transactions with related parties that were previously undisclosed to the auditor;
b. the identification of significant related party transactions that have not been authorized or approved in accordance with the company’s established policies or procedures;
c. the identification of significant related party transactions for which exceptions to the company’s established policies or procedures were granted;
d. the inclusion of a statement in the financial statements that a transaction with a related party was conducted on terms equivalent to those prevailing in an arm’s-length transaction and the evidence obtained by the auditor to support or contradict such an assertion; and
e. the identification of significant related party transactions that appear to the auditor to lack a business purpose.

Commissioner Aguilar Shares His Views on Directors’ Oversight of Cyber-Risk Management

On June 10, 2014, Commissioner Luis A. Aguilar spoke at a NYSE conference, “Cyber Risks and the Boardroom,” about what boards of directors should do to ensure that their companies are appropriately considering and addressing cyber threats.

Commissioner Aguilar was concerned that “there may be a gap that exists between the magnitude of the exposure presented by cyber-risks and the steps, or lack thereof, that many corporate boards have taken to address these risks.” Commissioner Aguilar stressed that boards should, among other matters:

  • review annual budgets for privacy and IT security programs;
  • assign roles and responsibilities for privacy and security; and
  • receive regular reports on breaches and IT risks.

Boards should also:

  • have a clear understanding of who at the company has primary responsibility for cybersecurity risk oversight and for ensuring the adequacy of the company’s cyber-risk management practices; and
  • put time and resources into making sure that management has developed a well-constructed response plan that is consistent with best practices for a company in the same industry (including a consideration of whether and how cyber-attacks should be disclosed to customers and to investors).

Commissioner Aguilar suggested that one conceptual roadmap boards should consider is the Framework for Improving Critical Infrastructure Cybersecurity, released by the National Institute of Standards and Technology (NIST) in February 2014. The NIST Cybersecurity Framework provides companies with a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk consisting of five concurrent and continuous functions:

(i) identify known cybersecurity risks to the company’s infrastructure;
(ii) develop safeguards to protect the delivery and maintenance of infrastructure services;
(iii) implement methods to detect the occurrence of a cybersecurity event;
(iv) develop methods to respond to a detected cybersecurity event; and
(v) develop plans to recover and restore the company’s capabilities that were impaired as a result of a cybersecurity event.

Boards should work with management to assess how their corporate policies measure up to the Framework’s guidelines.

Commissioner Aguilar emphasized that cyber-risk is part of a board of directors’ overall risk oversight responsibilities, alongside the liquidity and operational risks facing the company. Generally, the board’s risk oversight function lies either with the full board or is delegated to the board’s audit committee. But the board’s audit committee may not have the expertise, support, or skills necessary to add oversight of a company’s cyber-risk management to its agenda. Some boards create a separate enterprise risk committee.

There is obviously no “one-size-fits-all” way to address cybersecurity issues at the board level and each company should evaluate its board composition and determine what would be the most effective way for its board to oversee cyber-risk management.

Spreading Sunshine in Private Equity

On May 6, 2014, Andrew J. Bowden, Director of the SEC’s Office of Compliance Inspections and Examinations (“OCIE”), gave a speech entitled “Spreading Sunshine in Private Equity” to the Private Fund Compliance Forum (sponsored by Private Equity International) in New York.

The OCIE administers the SEC’s “examination and inspection” program, and oversees a multitude of registrants, including investment advisers, investment companies and broker-dealers. As a result of the Dodd-Frank Act, many private equity and other funds are now required to register with the SEC and are also subject to SEC inspection and certain other regulatory requirements. This statutory change brought an end to the minimal regulatory environment in which most private equity funds operated for decades.

At the outset, Director Bowden presented an overview of the OCIE’s initial efforts to understand, and begin oversight of, the private equity industry. Director Bowden highlighted certain differences – some inherent and some born of practice – in the private equity industry that pose different regulatory (including disclosure) challenges than those associated with regulating publicly-traded registrants. Some of these differences, certain of which have been addressed publicly by other SEC officials, include:

  • A private equity fund’s control over its privately-held portfolio companies, and the ability of the fund to influence the management and decision-making of such companies;
  • The typically “voluminous” limited partnership agreement that permits a fund a wide latitude of control and contains terms that are often subject to varying interpretations; and
  • That a fund typically is not subject to significant scrutiny by its limited partners (i.e., the lack of information rights).

Given these differences, Director Bowden described a number of observations from more than 150 examinations of private equity funds conducted by OCIE. In over half of the examinations, Director Bowden noted that OCIE found what it believes to be “violations of law or material weaknesses in controls” with respect to the treatment of fees and expenses. Director Bowden seemed to, at a fundamental level, take the position that private equity funds do not adequately disclose to investors the manner in which the funds allocate fees and expenses. For instance, the Director noted the typical practice of allocating “operating partner” expenses to a fund’s portfolio companies or to the fund itself, which the Director characterized as creating a “back door” fee that investors do not expect. In addition, Director Bowden spent some time discussing the inconsistent valuation methodologies that are sometimes used by a private equity fund, especially during the fundraising cycle, although he noted that OCIE only seeks to ensure consistency of valuation methodologies and has no intention of determining the type of methodologies employed by any particular fund.

In his concluding remarks, the Director stated that there is room for improvement in the overall compliance programs of many funds. In addition to promoting a culture of compliance, Director Bowden posited that funds would foster more effective compliance by involving compliance personnel in the deal-making process, including participating in investment committee meetings and reviewing deal memos.

Recent Panel Discussion of Enhancing the Audit Committee Report: A Call to Action

On April 22, 2014, the John L. Weinberg Center for Corporate Governance and the Center for Audit Quality hosted a panel discussion of a recent report, Enhancing the Audit Committee Report: A Call to Action (Call to Action). The report was issued last November by the Audit Committee Collaboration, a group of organizations including, among others, the National Association of Corporate Directors, the Association of Audit Committee Members, Inc., The Directors’ Council, and the Center for Audit Quality. The Call to Action encourages all public company audit committees to “voluntarily and proactively improve their public disclosures to more effectively convey … the critical aspects of the important work that they currently perform.”

Generally, the only public company disclosures that an audit committee is required to make consist of (i) an audit committee report under Item 407(d)(3) of Regulation S-K, which is included in the proxy statement, and (ii) a copy of the audit committee’s charter mandated by the stock exchange on which the company’s stock is listed. The committee’s charter is usually posted on the company’s website (or it may be included as an appendix to the company’s proxy statement). Item 407 requires only information about the audit committee’s discussions with management and independent auditors, the committee’s recommendation to the board that the audited financial statements be included in the company’s annual report on Form 10-K, and the name of each member of the audit committee.

Based on its review of 2013 proxy statements, the Call to Action provides examples of audit committee reports that expanded the limited required disclosure by clarifying the scope of the audit committee’s duties, clearly defining the audit committee’s composition and providing relevant information about:

  • factors considered when selecting or reappointing an audit firm
  • selection of the lead audit engagement partner
  • factors considered when determining auditor compensation
  • how the committee oversees the external auditor
  • the evaluation of the external auditor

Panelists’ views ranged from encouraging audit committees to take a fresh look at their audit committee reports and add some of the foregoing suggested disclosures to make the reports more transparent, to concerns about disclosure overload and potential lawsuits.

Disclosure Pendulum May Start Swinging Back

During the last decade, I have been continuously amazed with the increasing level of public company regulation. The general direction of the Sarbanes-Oxley Act and the Dodd-Frank Act, and naturally the SEC rules implementing these acts, has always been more and more disclosure (the more granular and detailed — the better). It seemed like the disclosure pendulum was swinging higher and higher towards overregulation and that it would never go back. But the report on public company disclosure issued by the SEC on December 20, 2013, as mandated by the JOBS Act, gives a lot of hope that the disclosure pendulum may eventually start swinging back.

This Report on Review of Disclosure Requirements in Regulation S-K, which largely follows the concepts outlined by SEC Chair Mary Jo White in her October speech before the National Association of Corporate Directors, recommended to Congress a comprehensive review of SEC disclosure rules and forms focusing on the following potential areas:

  • modernizing and simplifying Regulation S-K requirements in a manner that reduces the costs and burdens on companies while still providing material information;
  • eligibility for further scaling of disclosure requirements and definitional thresholds for smaller reporting companies, accelerated filers and large accelerated filers;
  • evaluating whether Industry Guides still elicit useful information and conform to industry practice and trends;
  • reviewing financial reporting requirements of Regulation S-X and financial statement disclosure requirements of Regulation S-K (e.g., annual and quarterly selected financial data disclosure and the ratio of earnings to fixed charges); and
  • disclosure requirements contained in SEC rules and forms (e.g., Forms 10-Q and 8-K).

The Staff provided detailed guidance on its suggested review of Regulation S-K, which would address the following issues:

  • principles-based approach as an overarching component of the disclosure framework (e.g., using a disclosure model of current MD&A requirements) (which may have an unintended consequence of leading to more disclosure rather than less);
  • current scaled disclosure requirements and whether further scaling would be appropriate for emerging growth companies or other categories of issuers;
  • filing and delivery framework based on the nature and frequency of the disclosures (e.g., a “core” disclosure or “company profile” filing with information that changes infrequently, periodic and current disclosure filings with information that changes from period to period, and transactional filings that have information relating to specific offerings or shareholder solicitations); and
  • readability and navigability of disclosure documents (e.g., the use of hyperlinks) as well as replacing quantitative thresholds (e.g., Item 103 (Legal Proceedings), Item 404 (Transactions with Related Persons, Promoters and Certain Control Persons) and Item 509 (Interests of Named Experts and Counsel)) with general materiality standards.

In addition to these issues, the Staff identified the following specific areas of Regulation S-K disclosure that could benefit from further review:

  • risk-related requirements, such as risk factors, legal proceedings and other quantitative and qualitative information about risk and risk management, with potential consolidation into a single requirement;
  • relevance of current requirements for the description of business and properties;
  • corporate governance disclosure requirements (to confirm that the information is material to investors);
  • executive compensation disclosure (to confirm that the required information is useful to investors);
  • offering-related requirements (in light of the changes in offerings and the shift from paper-based offering documents to electronically-delivered offering materials); and
  • exhibits to filings (to confirm whether the required exhibits remain relevant and whether other documents should be added).

I cannot wait for the SEC to start proposing rules implementing these suggestions and creating a more effective disclosure mechanism that would work for the 21st century.

Board Diversity and Political Contributions Disclosure Continue to Get ISS Support

On December 19, 2013, ISS published its U.S. Proxy Voting Summary Guidelines that are effective for meetings of stockholders held on or after February 1, 2014. This blog post highlights ISS’ position on two social issues: board diversity and political contributions.

Board Diversity

Consistent with its guidelines last year, ISS continues to recommend voting for stockholder requests for reports on a company’s efforts to diversify the board unless:

  • the gender and racial minority representation of the company’s board is reasonably inclusive in relation to companies of similar size and business; and
  • the board already reports on its nominating procedures and gender and racial minority initiatives on the board and within the company.

ISS will make recommendations on a case-by-case basis on proposals asking a company to increase the gender and racial minority representation on its board. In providing its recommendation, ISS will take into account the following factors:

  • the degree of existing gender and racial minority diversity on the company’s board and among its executive officers;
  • the level of gender and racial minority representation that exists at the company’s industry peers;
  • the company’s established process for addressing gender and racial minority board representation;
  • whether the proposal includes an overly prescriptive request to amend nominating committee charter language;
  • the independence of the company’s nominating committee;
  • whether the company uses an outside search firm to identify potential director nominees; and
  • whether the company has had recent controversies, fines, or litigation regarding equal employment practices.

Political Contributions

In connection with proposals related to political contributions, ISS continues to generally recommend voting for proposals requesting greater disclosure of a company’s political contributions and trade association spending policies and activities, considering:

  • the company’s current disclosure of policies and oversight mechanisms related to its direct political contributions and payments to trade associations or other groups that may be used for political purposes, including information on the types of organizations supported and the business rationale for supporting these organizations; and
  • recent significant controversies, fines, or litigation related to the company’s political contributions or political activities.

However, recognizing that businesses are affected by legislation at the federal, state and local level, ISS recommends voting against proposals barring a company from making political contributions. ISS is being practical and concedes that barring political contributions can put the company at a competitive disadvantage.

NASDAQ Proposal to Amend its Independence Standards for Compensation Committee Members Is Effective

Last week we blogged that NASDAQ proposed to amend its independence standards for compensation committee members, which amendments would align NASDAQ’s approach to compensation committee independence with that employed by the NYSE. On December 11, the SEC published a notice of filing and immediate effectiveness of the proposed rule change. Companies are required to comply with the compensation committee independence rules by the earlier of the date of their first annual meeting after January 15, 2014, or October 31, 2014.