Commissioner Aguilar Shares His Views on Directors’ Oversight of Cyber-Risk Management

On June 10, 2014, Commissioner Luis A. Aguilar spoke at a NYSE conference, “Cyber Risks and the Boardroom,” about what boards of directors should do to ensure that their companies are appropriately considering and addressing cyber threats.

Commissioner Aguilar was concerned that “there may be a gap that exists between the magnitude of the exposure presented by cyber-risks and the steps, or lack thereof, that many corporate boards have taken to address these risks.” Commissioner Aguilar stressed that boards should, among other matters:

  • review annual budgets for privacy and IT security programs;
  • assign roles and responsibilities for privacy and security; and
  • receive regular reports on breaches and IT risks.

Boards should also:

  • have a clear understanding of who at the company has primary responsibility for cybersecurity risk oversight and for ensuring the adequacy of the company’s cyber-risk management practices; and
  • put time and resources into making sure that management has developed a well-constructed response plan that is consistent with best practices for a company in the same industry (including a consideration of whether and how cyber-attacks should be disclosed to customers and to investors).

Commissioner Aguilar suggested that one conceptual roadmap boards should consider is the Framework for Improving Critical Infrastructure Cybersecurity, released by the National Institute of Standards and Technology (NIST) in February 2014. The NIST Cybersecurity Framework provides companies with a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk consisting of five concurrent and continuous functions:

  (i) identify known cybersecurity risks to the company’s infrastructure;
  (ii) develop safeguards to protect the delivery and maintenance of infrastructure services;
  (iii) implement methods to detect the occurrence of a cybersecurity event;
  (iv) develop methods to respond to a detected cybersecurity event; and
  (v) develop plans to recover and restore the company’s capabilities that were impaired as a result of a cybersecurity event.

Boards should work with management to assess the company’s policies and determine how they measure up to the Framework’s guidance.

Commissioner Aguilar emphasized that cyber-risk is part of a board of directors’ overall risk oversight responsibilities, alongside the liquidity and operational risks facing the company. Generally, the board’s risk oversight function lies either with the full board or is delegated to the board’s audit committee. But the audit committee may not have the expertise, support, or skills necessary to add oversight of the company’s cyber-risk management to its agenda. Some boards create a separate enterprise risk committee for this reason.

There is obviously no “one-size-fits-all” way to address cybersecurity issues at the board level and each company should evaluate its board composition and determine what would be the most effective way for its board to oversee cyber-risk management.

Companies Listing on the NYSE Can Appoint an Internal Auditor Within a Year after an IPO

On August 22, 2013, the SEC approved the NYSE’s proposal that permits a company listing in conjunction with an IPO to comply with the internal audit function requirement of Section 303A.07(c) of the NYSE Listed Company Manual within one year of the listing date.  NYSE rules now require such a company to have an internal audit function in place no later than the first anniversary of its listing date[1].  Previously, NYSE rules required each listed company to have an internal audit function but did not provide any transition period for companies listing in connection with an IPO.

The new one-year transition period for compliance with the internal audit function requirement expands the set of NYSE corporate governance provisions to which a transition period applies in connection with an IPO.  The other such provisions relate to the composition of the board of directors and of the nominating, compensation and audit committees (see Section 303A.00).

The NYSE believes that a transition period for establishing an internal audit function will make the company’s implementation of that function more effective and will reduce the costs it faces in its first year as a public company.  The NYSE also expects that the transition period will enable the company’s audit committee to play a significant role in the design and implementation of the internal audit function.

If a company avails itself of the one-year transition period with respect to its internal audit function, the audit committee must:

  • assist board oversight of the design and implementation of the internal audit function; and
  • meet periodically with the company personnel primarily responsible for the design and implementation of the internal audit function.

Once the company establishes its internal audit function, the audit committee must (i) assist board oversight of the performance of the company’s internal audit function, and (ii) meet periodically with internal auditors or other personnel responsible for the internal audit function.

In addition, if the listed company does not yet have an internal audit function because it is using the internal audit function transition period, the audit committee’s review with the independent auditor of any audit problems should include a discussion of management’s plans with respect to the responsibilities, budget and staffing of the internal audit function and its plans for the implementation of the internal audit function.  Once the transition period is over, the audit committee’s review with the auditors should include a discussion of the responsibilities, budget and staffing of the company’s internal audit function.

The audit committee should also discuss with the board management’s activities with respect to the design and implementation of the internal audit function during the transition period, and after the transition period, the audit committee should review with the full board any issues that arise with respect to the performance of the internal audit function.

Generally, a listed company must maintain an internal audit function to provide management and the audit committee with ongoing assessments of the company’s risk management processes and system of internal control, and the company may outsource the internal audit function to a third-party service provider (other than the company’s independent auditor).

[1] It is interesting to note that The NASDAQ Stock Market LLC (NASDAQ) does not have an internal audit function requirement.  Earlier this year, NASDAQ proposed, and later withdrew, an amendment to its listing requirements that would have required each listed company to establish and maintain an internal audit function to provide management and the audit committee with ongoing assessments of the company’s risk management processes and system of internal control.  The SEC received 42 comment letters on the proposal, and NASDAQ stated in its withdrawal that it was withdrawing the proposal to fully consider those comments and that it intends to file a revised proposal (see SEC Release No. 34-69792).

The SEC Approved PCAOB Rules on Communications with Audit Committees

On December 17, 2012, the SEC approved the PCAOB’s proposed rules on Auditing Standard No. 16, Communications with Audit Committees.  Auditing Standard No. 16 supersedes the PCAOB’s interim standards AU section 380, Communication with Audit Committees, and AU section 310, Appointment of the Independent Auditor.  Auditing Standard No. 16 is effective for audits of financial statements for fiscal years beginning on or after December 15, 2012 and applies to the audits of all issuers, including emerging growth companies as defined under the JOBS Act and foreign private issuers.

It is interesting to note that, among other matters, Auditing Standard No. 16 expands the inquiries of the audit committee required by Auditing Standard No. 12, Identifying and Assessing Risks of Material Misstatement, which requires the auditor to inquire of the audit committee regarding its knowledge of the risks of material misstatements, including fraud risks.  The inquiry required by Auditing Standard No. 16 goes beyond material misstatements and fraud risks and provides that the auditor “should inquire of the audit committee about whether it is aware of matters relevant to the audit, including, but not limited to, violations or possible violations of laws or regulations.” 

In light of this inquiry, audit committees will need to establish procedures for evaluating violations, including possible violations, of laws and regulations, particularly because the requirement does not include any materiality threshold.

ISS Releases 2013 Updates to Proxy Voting Guidelines

On November 16, 2012, ISS released its final 2013 Updates to its U.S. Corporate Governance Policy. ISS will also release a FAQ document in December 2012 for further guidance. The Updates will be effective for meetings on or after February 1, 2013.

Highlights of the 2013 Updates include:

• Stock Pledges/Hedges: In response to comments, ISS will take a case-by-case approach in determining whether pledging of company shares rises to a level of serious concern for shareholders. Also in response to comments, ISS will treat significant pledging of company stock as a failure of risk oversight, and thus as a governance failure for which directors should be held accountable (rather than communicating concern through a say-on-pay recommendation, as originally proposed). In contrast, hedging of company stock, through covered calls, collars or other derivative transactions, will be considered a problematic practice warranting a negative voting recommendation on the election of directors.

• Failure to Act on Shareholder Proposals: ISS will keep its current policy in effect for 2013, with some modifications: ISS will recommend a negative vote for individual directors, committee members or the entire board if the board failed to act on a shareholder proposal that received the support of either (i) a majority of the outstanding shares or (ii) a majority of the votes cast in the last year and one of the two previous years. Beginning in 2014, ISS will recommend a negative vote if the board failed to act on a shareholder proposal that received the support of a majority of the votes cast in the previous year. Under the Update, ISS now has the flexibility to recommend a negative vote on particular members of the board as deemed appropriate, not necessarily the full board. ISS has also included more guidance on its case-by-case examination of the sufficiency of a company’s response to a majority-supported shareholder proposal.

• Peer Groups: The new methodology incorporates information from companies’ self-selected pay benchmarking peer groups in order to identify and prioritize Global Industry Classification Standard (GICS) industry groups beyond the subject company’s own GICS classification. The methodology draws peers from the subject company’s GICS group as well as from GICS groups represented in the company’s peer group, while maintaining the approximate proportions of these industries in the final peer group where possible. The methodology additionally focuses initially at an 8-digit GICS resolution to identify peers that are more closely related in terms of industry. Finally, when selecting peers, the methodology prioritizes peers that maintain the company near the median of the peer group, are in the subject company’s peer group, and that have chosen the subject company as a peer. The peer group methodology maintains its focus on identifying companies that are reasonably similar to the subject company in terms of industry profile, size, and market capitalization. Other changes to the peer group methodology include using slightly relaxed size requirements, especially at very small and very large companies, and using revenue instead of assets for certain financial companies.

• Realizable Pay: Realizable pay is being added to the research report for large-capitalization companies. Realizable pay will consist of the sum of relevant cash and equity-based grants and awards made during the performance period being measured, based on equity award values for actual earned awards, or target values for ongoing awards, calculated using the stock price at the end of the performance measurement period. Stock options and stock appreciation rights will be revalued using the remaining term and updated assumptions, as of the end of the performance period, using the Black-Scholes option pricing model. The realizable pay analysis may mitigate or exacerbate pay-for-performance concerns regarding the CEO.

• Voting on “Say on Golden Parachute” Proposals: The Update will (i) include existing change-in-control arrangements maintained with named executive officers, rather than focusing only on new or extended arrangements, and (ii) place further scrutiny on multiple legacy problematic features (e.g., single-trigger equity vesting, tax gross-ups) in change-in-control agreements.

New PCAOB Standard for Communications with Audit Committees

On August 15, 2012, the Public Company Accounting Oversight Board (PCAOB) adopted Auditing Standard No. 16, Communications with Audit Committees.  This standard sets forth the matters that the auditor should discuss with the audit committee prior to the issuance of the auditor’s report.  Standard No. 16 supersedes the PCAOB’s interim standards AU sec. 380, Communication with Audit Committees, and AU sec. 310, Appointment of the Independent Auditor.  The PCAOB expects Standard No. 16, which is subject to SEC approval, to be effective for audits of fiscal years beginning on or after December 15, 2012.  In addition, the PCAOB will request, subject to the SEC’s separate determination, that the standard apply to the audits of emerging growth companies as defined under the JOBS Act.

Standard No. 16 enhances certain existing auditor communication requirements and adds new communication requirements that provide the audit committee with additional information about the audit, including the following:

  • an overview of the overall audit strategy, including timing of the audit, significant risks the auditor identified, and significant changes to the planned audit strategy or identified risks;
  • information about the nature and extent of specialized skill or knowledge needed in the audit, the extent of the planned use of internal auditors, company personnel or other third parties, and other independent public accounting firms, or other persons not employed by the auditor that are involved in the audit;
  • the basis for the auditor’s determination that he or she can serve as principal auditor, if significant parts of the audit will be performed by other auditors;
  • situations in which the auditor identified a concern regarding management’s anticipated application of accounting pronouncements that have been issued but are not yet effective and might have a significant effect on future financial reporting;
  • difficult or contentious matters for which the auditor consulted outside the engagement team;
  • the auditor’s evaluation of the company’s ability to continue as a going concern;
  • departure from the auditor’s standard report; and
  • other matters arising from the audit that are significant to the oversight of the company’s financial reporting process, including complaints or concerns regarding accounting or auditing matters that have come to the auditor’s attention during the audit.

PCAOB Issues Release About its Inspection Process to Assist Audit Committees

On August 1, 2012, the Public Company Accounting Oversight Board (PCAOB) issued Release No. 2012-003, Information for Audit Committees about the PCAOB Inspection Process.  The release was issued to assist audit committees in understanding the PCAOB’s inspection process for audit firms and in gathering useful information about those inspections.  The release also includes certain questions an audit committee may want to ask its audit firm about the PCAOB inspection, including the following:

  • Was the company’s audit selected for PCAOB inspection?
  • Did the PCAOB identify deficiencies in other audits that involved auditing or accounting issues similar to issues presented in the company’s audit?
  • What were the audit firm’s responses to the PCAOB findings?
  • What is the audit firm changing to address any quality control issues?
  • What is the progress of the quality control remediation process?
  • What are the inspected years about which the PCAOB has made a final determination about the audit firm’s remediation efforts and what is the nature of that determination?
  • Has the PCAOB provided initial indications that the audit firm may not have sufficiently remediated any items?

The release can be obtained from the following link:

http://pcaobus.org/Inspections/Documents/Inspection_Information_for_Audit_Committees.pdf