Securities Mosaic® Blogwatch
March 24, 2017
SEC Adopts T+2 Settlement Cycle for Securities Transactions
by Garrett A. DeVries & John Patrick Clayton

On March 22, 2017, the Securities and Exchange Commission (SEC) adopted an amendment to Rule 15c6-1(a) under the Securities Exchange Act of 1934 (“Exchange Act”) to shorten the standard settlement cycle for most broker-dealer transactions from three business days after the trade date (T+3) to two business days after the trade date (T+2). Specifically, Paragraph (a) of Rule 15c6-1, as amended, will prohibit broker-dealers from effecting or entering into a contract for the purchase or sale of a security (other than certain exempted securities) that provides for payment of funds and delivery of securities later than the second business day after the date of the contract, unless otherwise expressly agreed to by the parties at the time of the transaction. According to the Adopting Release, broker-dealers must begin complying with the amended rule no later than September 5, 2017.

According to the Adopting Release, the SEC believes that shortening the standard settlement cycle to T+2 will lead to a number of benefits that will be distributed across the financial system, some of which are discussed below.

Reduction in Risk to Central Counterparties (CCPs) in the Clearance and Settlement Process

As explained in the Adopting Release, a CCP is a clearing agency that interposes itself between the counterparties to securities transactions, acting functionally as the buyer to every seller and the seller to every buyer. According to the SEC, shortening the settlement cycle should reduce a CCP’s credit, market and liquidity risk exposure to its members because a T+2 settlement cycle would, assuming that current levels of trading activity remain constant, result in fewer unsettled trades at any given point in time and a reduced time period of exposure to such trades. According to the SEC, the amount and period of risk to which the CCP is exposed is a function of the length of the settlement cycle. Therefore, the SEC believes that shortening the settlement cycle should reduce the CCP’s overall exposure to the credit, market and liquidity risks discussed below.

  • Reduction of Credit Risk—CCPs assume the credit risk of original counterparties by novating and guaranteeing trades, so that each CCP effectively acts as the counterparty to its members. As a result, CCPs face credit risk because they are exposed to the possibility that (a) a clearing member acting on behalf of purchasers of securities may fail to deliver the payment and (b) a clearing member acting on behalf of sellers of securities may fail to deliver the securities. In each case, the CCP assumes credit risk because it is required to meet its obligation to its members to deliver securities and to deliver cash.
  • Reduction of Market Risk—During the settlement cycle, CCPs also face market risk. For instance, if a member defaults during the settlement cycle, the CCP may be forced to liquidate open positions of the defaulting member and any collateral or other financial resources of the member that the CCP may hold to cover losses and expenses in adverse market circumstances. This is particularly problematic if the market value of the unsettled securities has increased after the trade date. In the case of a seller default, the CCP would be forced to obtain the replacement securities in the market at a higher price. In the case of a buyer default, the CCP may be forced to obtain cash to purchase the securities at a higher price, which could involve liquidation of its members’ collateral.
  • Reduction of Liquidity Risk—CCPs face liquidity risks during the settlement cycle if a member defaults, because the CCP may be forced to deploy financial resources to meet its end-of-day settlement obligations.

Reduction in Risk to CCP Members

A CCP takes a number of measures to manage the risks to which its members expose it. These measures may include collecting collateral and other financial resources and netting down the total outstanding exposure of a particular member. The extent to which a CCP applies these risk mitigation tools is controlled by the amount of unsettled trades that remain outstanding and the amount of time during which the CCP remains exposed to these risks. Accordingly, the SEC believes that reducing the amount of unsettled trades and the period of time during which a CCP is exposed to such trades will result in liquidity risk reductions for broker-dealers that are CCP members because a CCP will impose fewer resource obligations on its members.

Benefits to Other Market Participants

According to the Adopting Release, the SEC believes that shortening the standard settlement cycle will also lead to benefits to other market participants, including introducing broker-dealers, institutional investors and retail investors. For example, a shortened settlement cycle should allow these participants to have quicker access to funds and securities after executing the trade, which should further reduce liquidity risks and financing costs faced by market participants who use those proceeds to transact in other markets already operating on a T+2 settlement cycle. Other anticipated benefits for these other market participants include reduced margin charges and other fees that clearing broker-dealers may pass down, which, in turn, would reduce transaction costs generally and free up capital for deployment elsewhere in the markets by those participants.

Cross-Border Harmonization

The move to a T+2 settlement cycle is also expected to harmonize the settlement cycle in the U.S. with many non-U.S. markets that have already moved to a T+2 settlement cycle. This, according to the SEC, will reduce the degree to, and time during, which market participants are exposed to credit, market and liquidity risk arising from unsettled transactions. Furthermore, harmonizing the U.S. settlement cycle with non-U.S. markets will reduce the need for some market participants to hedge risks stemming from mismatched settlement cycles and reduce financing/borrowing costs for market participants engaging in cross-border transactions in both U.S. and non-U.S. markets.

Reduction in Systemic Risk

Reducing the period of time during which a CCP is exposed to credit, market and liquidity risk is also expected to enhance the overall ability of a CCP to serve as a source of stability and efficiency in the national clearance and settlement system. This reduces the likelihood that disruptions in the clearance and settlement process will trigger disruptions that extend beyond the cleared market. As discussed in the Adopting Release, clearing members are often members of larger financial networks, and the ability of a covered clearing agency to meet payment obligations to its members can directly affect its members’ ability to meet payment obligations outside of the cleared market. Accordingly, management of liquidity risk, such as that intended by the shorter settlement cycle, may mitigate the risk of contagion between asset markets.

Promotion of Technological Innovation and Changes in Market Infrastructures and Operations

Finally, according to the SEC, the move to the T+2 settlement cycle should promote technological innovation and changes in market infrastructures and operations. The SEC believes that this will incentivize market participants to further pursue more operationally and technologically efficient processes, which may lead to further shortening of the standard settlement cycle.

March 27, 2017
Bridging the Week: March 20 to 24 and March 27, 2017 (SARs and Red Flags; International Spoofing; Pre-Execution Discussions; Making Capital Markets Great Again)
by Gary DeWaal

Last week, a registered broker-dealer was charged by the Financial Industry Regulatory Authority for failing to consider whether problematic trading by certain direct market access clients that caused it to limit or stop their trading also warranted filing suspicious activity reports with the Financial Crimes Enforcement Network. Additionally, stock traders were substantially penalized in Singapore and China for engaging in spoofing-type conduct following first-of-their-kind enforcement activities by local authorities. Finally, Jay Clayton, President Trump’s nominee to serve as Chairman of the Securities and Exchange Commission, testified before a Senate committee that, if confirmed, he hoped to enhance US capital markets to make them more attractive to potential new issuers – perhaps by reducing regulations. As a result, the following matters are covered in this week’s edition of Bridging the Week:

  • Clearing Firm’s Failure to File Suspicious Activity Reports in Response to Red Flags Charged as Violation of FINRA Requirements (includes Compliance Weeds);
  • Malaysian National Sentenced by Singapore Court to 16 Weeks Imprisonment for Stock-Based Spoofing; PRC Resident Fined by China Regulator for Similar Conduct (includes My View);
  • SEC Chairman Nominee Urges Making US Capital Markets Great Again (includes My View);
  • Floor Broker and Former Floor Broker Settle CME Disciplinary Action Alleging Pre-Execution Arrangement of Customer Fill (includes Compliance Weeds);
  • Brokerage Firms Fined Almost US $2 Million by HK Regulator for Position Reporting and Electronic Trading Systems Breaches;
  • Commentators Generally Supportive of CFTC’s Proposed Record Retention Amendments; and more.

Briefly:

  • Clearing Firm’s Failure to File Suspicious Activity Reports in Response to Red Flags Charged as Violation of FINRA Requirements: Electronic Transaction Clearing, Inc., a registered broker-dealer, was charged by the Financial Industry Regulatory Authority for failing to consider whether suspicious activity reports should have been filed with the Financial Crimes Enforcement Network after the firm limited or stopped certain direct market access customers’ trading activity. ETC had restricted trading by certain of its customers after 30 instances where the firm identified problematic conduct, including prearranged trades or trading without an apparent economic reason – red flags, charged FINRA. However, in connection with these circumstances, ETC did not additionally consider whether to file a SAR, despite also being advised that FINRA intended to bring charges against the firm for prior incidents of the same type (click here to access a copy of the FINRA Order Accepting ETC’s Offer of Settlement dated February 19, 2016). FINRA also charged ETC with not having an appropriate due diligence program for customers who might be foreign financial institutions; miscalculating amounts required to be set aside for its customers for parts of each month from August 2013 through March 2014 (i.e., reserve requirement); and violating Securities and Exchange Commission Regulation SHO for improper short sales handling, among other charges. FINRA seeks monetary penalties and other sanctions. Last year, the SEC set aside a determination by the Chicago Board Options Exchange, Inc. that ETC and two of its principals, Kevin Murphy and Harvey Cloyd, Jr., failed to apply its customer identification program to individuals trading on behalf of two omnibus accounts; failed to apply margin rules to the same traders; and failed to implement adequate surveillance tools for identifying suspicious activities of its customers. 
(Click here for details of this SEC determination in the article “SEC Overturns CBOE Determination That Individual Traders of Two Omnibus Accounts Were Customers Requiring Application of Customer Identification Rule” in the June 19, 2016 edition of Bridging the Week.)

Compliance Weeds: Applicable law and FinCEN rules require broker-dealers and other covered financial institutions (banks, Commodity Futures Trading Commission-registered futures commission merchants and introducing brokers and SEC-registered mutual funds) to file a SAR with FinCEN in response to transactions of at least US $5,000 which a covered entity “knows, suspects, or has reason to suspect” involve funds derived from illegal activity; have no business or apparent lawful purpose; are designed to evade applicable law; or utilize the institution for criminal activity. In August 2015, for example, FINRA fined Aegis Capital Corp US $950,000 for selling unregistered penny stocks and related supervisory violations, and suspended and fined two individuals – Charles Smulevitz and Kevin McKenna – who served successively as chief compliance and anti-money laundering officers for the firm. According to FINRA, Mr. Smulevitz and Mr. McKenna failed to “reasonably” detect and review red flags of potentially suspicious transactions. As a result, they did not make a “reasoned determination whether or not to report the suspicious transactions to the Financial Crimes Enforcement Network … by filing a Suspicious Activity Report … as appropriate.” (Click here for further details in the article “FINRA Fines and Suspends Two CCOs for Supervisory and AML Violations” in the August 14, 2015 edition of Bridging the Week.) Recently, FinCEN said that covered institutions might also have to file SARs following cyber-events. (Click here for background in the article “FinCEN Issues Advisory Saying Cyber Attacks May Be Required To Be Reported Through SARs” in the October 30, 2016 edition of Bridging the Week.) Covered financial institutions should continually monitor transactions they facilitate and ensure they maintain and follow written procedures to identify and evaluate red flags of suspicious activities and file SARs with FinCEN when appropriate.
(Click here for a helpful overview of anti-money laundering requirements for broker-dealers, including SAR requirements. Click here for a similarly helpful compilation of AML resources for members of the National Futures Association.) Moreover, covered institutions should ensure that problematic transactions identified by non-AML personnel (e.g., compliance staff) that may be violative of legal or regulatory standards are evaluated by AML personnel to determine whether a SAR should be filed with FinCEN. Indeed, the more of a consolidated ledger a firm can maintain of potential problems identified across otherwise separate surveillance functions, the more likely a firm will be able to recognize and act holistically upon material red flags.

  • Malaysian National Sentenced by Singapore Court to 16 Weeks Imprisonment for Stock-Based Spoofing; PRC Resident Fined by China Regulator for Similar Conduct: Dennis Tey Thean Yang, a Malaysian national, was sentenced to 16 weeks imprisonment by a Singapore judge after he pleaded guilty to charges that he engaged in spoofing-type conduct involving the trading of contracts for differences and their underlying securities between October 2012 and January 8, 2013. (CFDs involving securities typically are contracts between an investment bank and an investor where the parties exchange the difference in the price of a specific quantity of a security between the beginning and end of the term of the contract.) According to the Monetary Authority of Singapore, during the relevant time, Mr. Tey placed “false orders” in the underlying securities listed on the Singapore Exchange in order to influence the prices in the corresponding CFDs offered by IG Asia Pte Ltd and CMC Markets Singapore Pte. After executing the CFDs, Mr. Tey cancelled his orders in the underlying securities. He realized profits of Sing $30,239 (US $22,000) through his activities, said MAS. Mr. Tey was charged with his alleged offenses following an investigation by MAS and the Commercial Affairs Department of the Singapore Police Force. This action marked the first criminal enforcement effort by the Singapore authorities. Separately, the China Securities Regulatory Commission sanctioned Hanbo Tang RMB 251 million (US $36.4 million) including disgorgement of RMB 42 million (US $2.1 million), for engaging in cross-border market manipulation in China using the stock connect arrangement between the Hong Kong Exchange and the Shanghai Stock Exchange. According to CSRC, Mr. Tang accomplished his objectives with the assistance of his trader, Tao Wang (who also was fined RMB 600,000 (US $87,000)) by using three accounts in HK and one in China to engage in various manipulative practices, including spoofing and wash trading of a stock listed on the Shanghai Exchange. (Click here for background on the Shanghai and Shenzhen Stock Connect – a means to access China stock markets through accounts in HK.) Both Mr. Tang and Mr. Wang are citizens of China. This case was the first enforcement action by CSRC related to cross-border market manipulation.

My View: Last year, Michael Coscia, the first individual prosecuted and convicted under the provision of the Dodd-Frank Wall Street Reform and Consumer Protection Act that expressly prohibits spoofing, was sentenced to three years in prison. This was after Mr. Coscia settled civil actions related to the same conduct with the Commodity Futures Trading Commission, the Financial Conduct Authority and the CME Group by payments of aggregate fines of approximately US $3.1 million; disgorgement of profits; and a one-year trading suspension. Subsequent to his sentencing, Mr. Coscia appealed his conviction to a Federal Court of Appeals where oral arguments were held on November 10, 2016. (Click here for background on Mr. Coscia’s alleged offenses, conviction, sentencing, and appeal in the article “Federal District Court Approves Flash Crash Spoofer’s US $38 Million Settlement; Federal Appeals Court Appears Sympathetic to Michael Coscia’s Claim That Spoofing Prohibition Is Too Vague” in the November 20, 2016 edition of Bridging the Week.) As I have written many times, although Mr. Coscia’s conduct may have been problematic, he was convicted under a provision of law that prohibits “spoofing” but defines it as “bidding or offering with the intent to cancel the bid or offer before execution.” However, many legitimate orders, including stop loss orders, are placed with the goal or hope not to have the order executed, as that would mean the value of a position is declining. The Federal District Court judge overseeing Mr. Coscia’s trial did not have a problem with the clarity of the relevant statute and, in any case, believed that Mr. Coscia should have known his specific trading was prohibited. Soon we should know what the Court of Appeals thinks.

  • SEC Chairman Nominee Urges Making US Capital Markets Great Again: During testimony before the Senate Committee on Banking, Housing and Urban Affairs last week, Jay Clayton – nominated by President Donald Trump to become Chairman of the Securities and Exchange Commission – expressed concern that “our public capital markets are less attractive to business than in the past” and promised to pursue improvements to make them more attractive again. Reducing regulations could help this, he said. During his testimony, Mr. Clayton also suggested that fining companies for law violations may unfairly penalize shareholders and that “individual accountability drives behavior more than corporate accountability.” Mr. Clayton said, “Companies should be held accountable. If they make illicit profits, those profits should be disgorged. There should be deterrence at the company level but shareholders do bear those costs and we should keep that in mind.” Previously, President Trump nominated J. Christopher Giancarlo to serve as chairman of the Commodity Futures Trading Commission. His confirmation hearing before the Senate Committee on Agriculture Nutrition and Forestry has not yet been scheduled.

My View: In 2015, a not-for-profit think tank headed by Paul Volcker, former Chairman of the Board of Governors of the Federal Reserve System, called for a substantial overhaul of the federal regulatory system that oversees US financial services, including merging the Commodity Futures Trading Commission and the Securities and Exchange Commission. Claiming that the oversight of US financial institutions “is highly fragmented, outdated, and ineffective,” the Volcker Alliance issued a report that recommended the creation of a so-called “twin-peaks” model of regulation. This paradigm would consolidate prudential oversight currently administered by a number of banking and financial regulators into one new independent federal agency—a prudential supervisory authority—and collapse the CFTC and the SEC’s investor protection and capital markets oversight functions into another new independent body. (Click here for background on the Volcker Alliance’s proposal in the article “Volcker Alliance Calls for CFTC and SEC Merger Among Other Financial Oversight Agencies’ Reform” in the April 26, 2015 edition of Bridging the Week.) Paul Atkins, a former SEC commissioner and current advisor to President Trump, has also called for a merger of the CFTC and SEC. (Click here for the Statement of Mr. Atkins before the Committee on Financial Services of the House of Representatives on September 15, 2011.) For me, the alphabet soup of federal agencies with oversight over financial firms, products and markets needs to be rationalized, and the CFTC and the SEC should long ago have been merged. It is solely a naming convention to label financial products as either futures or securities (and now swaps too), and a terrible mistake to base regulatory structure on the nomenclature of products rather than their essential characteristics and purposes. Hopefully, after new chairpersons of the CFTC and SEC are confirmed, a debate on what is the most effective and efficient means of regulating our nation’s markets and participants can begin.

  • Floor Broker and Former Floor Broker Settle CME Disciplinary Action Alleging Pre-Execution Arrangement of Customer Fill: Oral Valentin, Jr., a former Commodity Futures Trading Commission-registered floor broker, agreed to pay a fine of US $35,000 and serve a 10-day CME Group trading suspension to resolve a disciplinary action brought by the Chicago Mercantile Exchange for allegedly receiving nonpublic information about a pending customer order for a Eurodollar options spread from a currently registered floor broker, and arranging and later executing his own order against the broker’s customer order. The CME claimed this transaction, which occurred on March 13, 2015, was a prohibited pre-negotiated and noncompetitive transaction. The floor broker, Mark Donahue, a CME member, also settled a corresponding disciplinary action by agreeing to pay a fine of US $20,000 and serving a 15-day trading suspension. Mr. Valentin, who is not a CME member, was recently registered as a floor broker from May 30, 2012 through June 11, 2013. Separately, Saxo Bank A/S, a member firm, agreed to pay an aggregate fine of US $190,000 to the Chicago Board of Trade and the Chicago Mercantile Exchange to resolve two disciplinary actions against it for the way it liquidated futures positions of its customers that were under-margined. According to the exchanges, on multiple dates between October 2014 and March 2015, Saxo employed a liquidation algorithm that automatically entered market orders for the entire amount of an under-margined customer’s positions. The exchanges said it did so without considering market conditions. 
As a result, on at least three occasions on the CBOT and two occasions on the CME, the liquidation caused “significant price movements.” CME Group said that the liquidations were a violation of its prohibition against entering actionable messages “with intent to disrupt, or with reckless disregard for the adverse impact on, the orderly conduct of trading or the fair execution of transactions.” (Click here for background in a special edition of Between Bridges dated March 20, 2017, including My View.)

Compliance Weeds: Generally, for approved Globex-traded contracts, CME Group permits pre-execution communications to facilitate trading subject to strict requirements. (Pre-execution communications are never permitted in connection with open outcry transactions with the sole exception of CME options on S&P futures undertaken in accordance with large order execution rules.) These requirements include that the party on whose behalf a communication is being made previously must have consented to such communication and that no person involved in pre-trade communications may take advantage of information conveyed except to facilitate the relevant trade. Unfortunately, CME Group rules regarding cross trades vary by product and by futures and options. Even the mechanical steps for executing a cross trade following a conversation vary. There are Globex Crosses, Agency Crosses, Committed Crosses, and RFQ and RFC Crosses too. However, despite the complexity, the consequences of getting it wrong can be severe, resulting in not only potential CME Group sanctions, but possible sanctions by the Commodity Futures Trading Commission too. Fortunately, hidden in the middle of the relevant Market Regulation Advisory Notice related to pre-execution communications is a link to a very helpful matrix of eligible products and associated crossing protocols (click here to access). (Click here for further background in the article “CME Group Updates Its Pre-Execution Communication Rule to Reflect New Committed Crosses” in the January 31, 2016 edition of Bridging the Week.)

  • Brokerage Firms Fined Almost US $2 Million by HK Regulator for Position Reporting and Electronic Trading Systems Breaches: Merrill Lynch Far East Limited (MLFE) and Merrill Lynch (Asia Pacific) Limited (MLAP) were fined HK $15 million (approximately US $2 million) by the HK Securities and Futures Commission for not complying with large order position reporting requirements for futures and stock options; for deficiencies of governance, testing, recordkeeping and risk controls for MLFE’s electronic trading system for futures; and for distributing futures research reports without disclosing their market making activities. In response, the firms engaged an independent consultant during the last quarter of 2016 to review their internal controls related to these matters. In determining the firms’ sanction, SFC considered MLFE’s and MLAP’s “prompt cooperation.” Without this, said SFC, “similar failures would have resulted in a substantially higher level of fine.”
     
  • Commentators Generally Supportive of CFTC’s Proposed Record Retention Amendments: Comments received by the Commodity Futures Trading Commission by the close of its comment period to its recent proposal to revise its record retention rule were overwhelmingly supportive. In its January 2016 proposal, the CFTC proposed a new “technology neutral” recordkeeping requirement that would eliminate the existing requirement that electronic records be maintained in their native file format and preserved exclusively in a non-rewritable, non-erasable format. Instead, the revised rule would be more principles-based. Electronic records would have to be maintained in a manner that ensures their reliability and authenticity, and each person required to maintain regulatory records would have to create, put in place and adhere to written policies and procedures “reasonably designed” to ensure the person’s compliance with the Commission’s recordkeeping requirements. (Click here for background on the CFTC’s proposal in the article “New Records Retention Regime for 21st Century Proposed by CFTC” in the January 16, 2017 edition of Bridging the Week.) FIA’s comments were typical. They said “We… welcome and strongly support the proposed amendments.” Notwithstanding, the organizations recommended that the CFTC clarify that the proposed new rule extends to all required records, even if created prior to the effective date of such new rule. ICE Futures U.S. asked that the CFTC consider not requiring designated contract markets to keep every correction or amendment to every record. This is because, said IFUS, records are not defined for DCMs. As a result, noted IFUS, although it makes sense to keep an accurate history of certain information – for example audit trails and related audit trails – it does not make sense for DCMs to keep copies of every proposed invoice and subsequent amendment, as well as drafts of meeting minutes, correspondence, sales presentations and other documents. The Edison Electric Institute asked the Commission to consider adding a provision in the final rule that makes clear that the new rule is not intended to add additional reporting requirements for entities that have limited recordkeeping obligations and are not registered with the agency. FIA, SIFMA and SunTrust requested the CFTC to work with the Securities and Exchange Commission to harmonize their recordkeeping rules. Consistent with this argument, a group of managed funds industry organizations, including the Managed Funds Association, requested that the CFTC adopt a substituted compliance regime so that persons who are registered with the SEC as investment advisers or are affiliated with IAs could comply with CFTC recordkeeping requirements by complying with recordkeeping mandates under the SEC’s recordkeeping rules for investment advisers.

And more briefly:

  • Most Securities to Settle in Two Not Three Days Beginning September 5: The Securities and Exchange Commission amended an existing rule to require broker-dealers to settle most securities purchases and sales two days after trade date as opposed to three days as currently done. Impacted securities will include stocks, bonds, municipal securities, exchange-traded funds and certain mutual funds; they will not include exempted securities. This new requirement is effective September 5. (Click here for background in the article “SEC Calls for T+2 Securities Transactions Settlements” in the October 2, 2016 edition of Bridging the Week.)
     
  • FINRA to Industry: Can We Talk More?: The Financial Industry Regulatory Authority sought comment on how to enhance its interactions with members and other stakeholders to better “understand what it regulates.” FINRA believes that, through engagement, it can “enrich its regulatory programs and identify ways to protect investors and promote market integrity that are more practical, tailored and effective.” FINRA will accept comments through May 5.
     
  • HK Regulator Amends Position Limit Regime: Rejects Blanket Hedging Exemption But Expands Excess Limits Regime: The Hong Kong Securities and Futures Commission published its conclusions regarding a number of proposed enhancements to its position limits and reportable position regime that it proposed in September 2016. (Click here for background in the article “HK Derivatives Regulator Proposes to Amend Position Limits Regime to Authorize Higher Excess Levels” in the September 25, 2016 edition of Bridging the Week.) Among other things, the regulator rejected introducing a hedging exemption, saying that its alternative client facilitation excess limit regime is “intended to provide a mechanism for market participants to use exchange-traded futures and options to hedge their relevant business activities.” As part of its updated requirements, SFC will recommend to the HK Legislative Counsel that it be given the authority to raise the cap on excess positions it may approve from 50 percent to 300 percent.
     
  • Australian Regulator Announces How It Will Assess Service Providers Offering Digital Ledger Technology: The Australian Securities and Investments Commission published a framework it will apply when considering whether use of distributed ledger technology by financial services providers will enable them to comply with their requirements to have adequate technological resources, risk management arrangements and adequate human resources. Six questions firms will be required to answer are (1) how will DLT be used; (2) what DLT platform is being used; (3) how is DLT using data; (4) how is DLT run; (5) how will DLT comply with law; and (6) how does DLT impact others.
March 27, 2017
"No Pay" Bylaws May Threaten Shareholder Lawsuits
by Anthony Rickey and Benjamin P. Edwards

After Delaware prohibited fee-shifting provisions in corporate bylaws,[1] scholars considered alternate means by which corporations might use private ordering to limit the ability of stockholder plaintiffs to bring lawsuits challenging corporate actions. For instance, Professor Sean Griffith suggested that corporations should adopt "no pay" provisions that, unlike fee-shifting provisions, would prohibit a corporation from paying the legal fees of stockholder plaintiffs.[2] Griffith’s proposal is similar to one put forward by another Delaware practitioner shortly before the fee-shifting ban.[3] Other commentators have suggested that such "no pay" bylaws may be the wave of the future.[4]

"No pay" provisions may be permissible under Delaware law, because they do not "impose liability on a stockholder for the attorneys’ fees or expenses of the corporation or any other party in connection with an internal corporate claim. . . ."[5] Nonetheless, like fee shifting, they may also curtail stockholder litigation by limiting the ability of plaintiffs’ counsel to recover fees. Indeed, unlike fee-shifting bylaws (which would generally allow for fees to be paid to successful stockholder plaintiffs), "no pay" bylaws could potentially preclude payments even to some successful litigants.

Although commentators have discussed these provisions in theoretical terms, several companies have already adopted "no pay" provisions. These provisions typically emerged at the same time that firms adopted fee-shifting provisions. For instance, the bylaws of one company provide that:

To the fullest extent permitted by law, in the event that any Claiming Party initiates or asserts any Claim or joins, offers substantial assistance to, or has a direct financial interest in any Claim against any Corporation Parties, then, regardless whether the Claiming Party is successful on its Claim in whole or in part, (i) the Claiming Party shall bear its own Litigation Costs, and (ii) the Claiming Party and the Claiming Party’s attorneys shall not be entitled to recover any Litigation Costs or, in a derivative or class action, to receive any fees or expenses as the result of the creation of any common fund, or from a corporate benefit purportedly conferred upon the corporation.[6]

The company approved this "no pay" bylaw, along with a fee-shifting bylaw, prior to Delaware’s ban on fee-shifting.[7] The revisions also included a severability clause purporting to preserve the remainder of the bylaws if a section were held to be unenforceable.[8]

We conducted a limited search of the Securities and Exchange Commission’s EDGAR database to look for other examples of "no pay" bylaws.[9] This revealed nine similar provisions, six involving Delaware corporations.

| Company | State of Incorporation | "No Pay" Bylaw Adoption Date |
| --- | --- | --- |
| The LGL Group, Inc. | DE | 6/11/2014 |
| Epiq Systems, Inc. | MO | 10/8/2014[10] |
| Air Industries Group | NV | 10/22/2014 |
| Barnwell Industries, Inc. | DE | 12/12/2014 |
| Frequency Electronics, Inc. | DE | 12/17/2014 |
| Bridgeline Digital, Inc. | DE | 2/10/2015 |
| PrimeEnergy Corp. | DE | 5/20/2015 |
| Net Element Inc. | DE | 6/15/2015 |
| Event Cardio Group Inc. | NV | 8/11/2016 |

At least two companies that adopted "no pay" bylaws, however, have since revoked them.[11]

It remains to be seen how the Delaware courts will respond to these "no pay" provisions.[12] The fact that several corporations adopted these provisions, often along with fee-shifting bylaws, before Delaware instituted its ban on fee-shifting argues in favor of their enforceability. After all, had the Delaware legislature meant to prohibit such bylaws, Sections 102(f) and 109(b) of the Delaware General Corporation Law could have been drafted to encompass them. On the other hand, the Court of Chancery might hold that provisions such as the one set forth above conflict with its equitable power to impose fees, particularly where those fees arise from a common fund, and are thus paid by the class as part of its recovery.

As of yet, Delaware courts do not appear to have addressed the enforceability of "no pay" bylaws. However, this survey suggests that it may be simply a matter of time before a test case emerges.

ENDNOTES

[1] See 2015 Del. Laws Ch. 40 (S.B. 75), available at http://legis.delaware.gov/BillDetail?legislationId=24380.

[2] See Sean J. Griffith, Private Ordering Post-Trulia: Why No Pay Provisions Can Fix the Deal Tax and Forum Selection Provisions Can’t (January 5, 2016); The Corporate Contract in Changing Times, Steven Davidoff Solomon and Randall S. Thomas, eds., (2017 Forthcoming); Fordham Law Legal Studies Research Paper No. 2855950, available at SSRN: https://ssrn.com/abstract=2855950.

[3] See A Thompson Bayliss & Mark Mixon. "No Pay" Provisions: The Forgotten Middle Ground in the Fee-Shifting Battle, Harvard Corporate Governance Blog, (June 1, 2016), available at https://corpgov.law.harvard.edu/2015/06/01/no-pay-provisions-the-forgotten-middle-ground-inthe-fee-shifting-battle/.

[4] See Kevin LaCroix, "More about Litigation Reform Bylaws: Will ‘No Pay’ Provisions Succeed Where Forum Selection Bylaws Have Failed?", The D&O Diary, at http://www.dandodiary.com/2017/01/articles/securities-laws/litigation-reform-bylaws-will-no-pay-provisions-succeed-forum-selection-bylaws-failed/.

[5] See 8 Del. C. § 109(b) (prohibiting fee-shifting bylaws); see also 8 Del. C. § 102(f) (prohibiting fee-shifting provisions in certificate of incorporation). "Internal corporate claims" are defined as "claims, including claims in the right of the corporation, (i) that are based upon a violation of a duty by a current or former director or officer or stockholder in such capacity, or (ii) as to which this title confers jurisdiction upon the Court of Chancery." 8 Del. C. § 115. See also Griffith, supra n. 2, at 16-17 (arguing that "no pay" provisions are consistent with recent amendments to the DGCL).

[6] Bridgeline Digital, Inc., Form 10-Q, Ex. 3.2, Art. VIII, Sec. 8(b) (Amended and Restated Bylaws, as amended Feb. 10, 2016) (Feb. 17, 2015). These bylaws appear to be the most recent version. See Bridgeline Digital, Inc., Form 10-K at 74 (Dec. 19, 2016).

[7] See Bridgeline Digital, Inc., Form 10-Q, Ex. 3.2, Art. VIII, Sec. 8(a).

[8] See id., Art. VIII, Sec. 9 ("If any provision (or any part thereof) of these By-laws shall be held to be invalid, illegal or unenforceable as applied to any circumstance for any reason whatsoever: (i) the validity, legality and enforceability of such provisions in any other circumstance and of the remaining provisions of these By-laws (including, without limitation, each portion of any section of these By-laws containing any such provision held to be invalid, illegal or unenforceable that is not itself held to be invalid, illegal or unenforceable) shall not in any way be affected or impaired thereby and (ii) to the fullest extent possible, the provisions of these By-laws (including, without limitation, each such portion containing any such provision held to be invalid, illegal or unenforceable) shall be construed for the benefit of the corporation to the fullest extent permitted by law so as to (a) give effect to the intent manifested by the provision held invalid, illegal or unenforceable, and (b) permit the corporation to protect its directors, officers, employees and agents from personal liability in respect of their good faith service. Reference herein to laws, regulations or agencies shall be deemed to include all amendments thereof, substitutions therefor and successors thereto, as the case may be.").

[9] Specifically, we used SEC’s Full-Text Search feature for the phrase "Claiming Party shall bear its own Litigation Costs." This search is likely underinclusive, as it would not return a no-pay bylaw that used alternate language to arrive at the same result.

[10] The "no pay" provision applied to actions brought in courts outside those selected by the company in its forum selection bylaw. See Epiq Systems, Inc., Form 8-K, Ex. 3.1 § 7.7(c) (filed Oct. 9, 2014) (imposing fee-shifting and "no pay" provision where plaintiff "brings a Covered Action in any forum other than a Chosen Court").

[11] See Epiq Systems, Inc., Form 8-K (filed June 7, 2016) (repealing forum selection bylaw which included "no pay" provision); Net Element, Inc., Form 8-K (filed July 10, 2015) (removing "no pay" provision "[t]o preemptively comply with the State of Delaware legislation that has been passed to amend the Delaware General Corporation Law to prohibit Delaware stock corporations from adopting bylaws with fee-shifting provisions").

[12] In at least one case, a plaintiff stockholder challenged a "no fee" provision adopted by a Delaware company (along with a fee-shifting provision) as unenforceable under Delaware law. However, the company rescinded the bylaw, rendering the lawsuit moot, before the Court of Chancery could rule on the issue. See StemCells, Inc., Form 8-K (filed July 1, 2016) (describing litigation in Guardino v. Stemcells, Inc., C.A. No. 12266-CB (Del. Ch.)).

This post comes to us from Anthony Rickey, a litigator and founder of Margrave Law, and Benjamin P. Edwards, an assistant professor at Barry University’s Dwayne O. Andreas School of Law (leaving in May 2017 to become an associate professor at the University of Nevada, Las Vegas’ William S. Boyd School of Law).


March 27, 2017
Gibson Dunn on Justice Holland's Lasting Imprint on Corporate Law
by James Hallowell and Lauren Sager

In early February, Justice Randy Holland, the longest-tenured member of the Delaware Supreme Court, announced his plans to retire at the end of March 2017. At the time of his appointment in 1986 by Governor Michael N. Castle, Justice Holland was the youngest person ever to serve on the Court. He became its longest serving member in 2009.

According to our research, during his 33-year tenure, Justice Holland authored over 800 electronically reported decisions and imparted a legacy of addressing several key areas of Delaware corporate law. In reviewing his most cited decisions, it is clear Justice Holland has left a lasting imprint – most notably through his jurisprudence articulating the fiduciary duties of the directors of Delaware corporations and on the standard for judicial review of controlling shareholder takeovers. These four landmark decisions are among his most cited:[1]

  • Kahn v. M&F Worldwide Corp., 88 A.3d 365 (Del. 2014)
  • Stone ex rel. AmSouth Bancorporation v. Ritter, 911 A.2d 362 (Del. 2006)
  • Malone v. Brincat, 722 A.2d 5 (Del. 1998)
  • Kahn v. Lynch Commc’n Sys., Inc., 638 A.2d 1110 (Del. 1994)

A discussion of these decisions reveals Justice Holland’s lasting impact on Delaware corporate law.

In his two most cited decisions, Stone and Malone, Justice Holland established critical bounds for the fiduciary duties owed by directors under Delaware corporate law. In Stone, the Delaware Supreme Court affirmed the Chancery Court’s standard for director oversight responsibility set forth in In re Caremark Int’l Deriv. Litig., 698 A.2d 959 (Del. Ch. 1996), requiring directors to take some affirmative measures to ensure legal compliance. Stone, 911 A.2d at 370. Rejecting the theory of the so-called "triad" of fiduciary duties, the Supreme Court, through Justice Holland, also confirmed that the duty of good faith does not set forth an independent basis, in addition to the duties of care and loyalty, for director liability under Delaware corporate law, but is instead included within the duties of care and loyalty. As a result, the Court confirmed that directors’ failure to act in good faith toward the corporation may result in a (non-exculpated) breach of the duty of loyalty. Id.

The Court of Chancery characterized the Stone complaint as "a classic Caremark claim." In Caremark, the Court of Chancery laid out a test for assessing a director’s potential personal liability for failing to act in good faith in discharging his or her oversight duties: "where a claim of directorial liability for corporate loss is predicated upon ignorance of liability creating activities within the corporation…only a sustained or systemic failure of the board to exercise oversight…will establish the lack of good faith that is a necessary condition to liability." 698 A.2d at 971. In Stone, the Court of Chancery dismissed the shareholder plaintiffs’ derivative claims against the director defendants, based on the Caremark standard, and the Supreme Court upheld that decision, finding that demand was not excused because there was no basis for an oversight claim where there had been a reasonable reporting system in place for directors to rely upon in their oversight role. The Stone decision presents a nuanced standard—a high bar to demonstrate liability, and an emphasis on good faith to spur appropriate director conduct—that is likely to endure and add to Justice Holland’s legacy.

In Malone, the Delaware Supreme Court further clarified, and significantly broadened, the standard for a state law breach of fiduciary duty arising out of alleged disclosure violations. The Court also addressed the intersection of Delaware corporate law and federal securities laws on corporate disclosure rules. In Malone, plaintiffs filed a class action against the directors of Mercury Finance Corporation, alleging they breached their fiduciary duty of disclosure by intentionally overstating the company’s financial condition. The Court of Chancery dismissed the case, finding that the directors had no fiduciary duty of disclosure in the absence of a request for shareholder action and that the shareholders must therefore seek any remedy solely under federal law.

The Supreme Court upheld the dismissal of plaintiffs’ suit, but under a different rationale. Justice Holland opined that, even in the absence of a request for shareholder action, "directors who knowingly disseminate false information that results in corporate injury or damage to an individual stockholder violate their fiduciary duty." 722 A.2d at 9. Directors have a responsibility to exercise their fiduciary duties whenever they communicate publicly or directly with shareholders about corporate matters. Id. at 10. Further, federal securities laws did not preclude a state suit for breach of fiduciary duty. Id. Similar to his emphasis on director "good faith" in Stone, Justice Holland in Malone highlighted the need for "honesty" on the part of Delaware directors when dealing with shareholders and the corporation. As the Malone court stated, under Delaware law, "directors’ fiduciary duties include the duty to deal with their stockholders honestly." Id. This emphasis on basic, common sense director duties serves as another enduring legacy stemming from Justice Holland’s decisions in the area.

Finally, Justice Holland has left a lasting imprint on the law regarding transactions involving controlling stockholders. In the third of his most cited decisions, Kahn v. Lynch, the Supreme Court, with Justice Holland writing, concluded that entire fairness remained the exclusive standard for breach of fiduciary duties when a corporation is acquired by a controlling shareholder in an "interested merger." 638 A.2d at 1116. The Court also clarified the burden of proof in controlling shareholder buyouts. Before Kahn v. Lynch, Delaware courts placed the burden on controlling shareholders to demonstrate fairness to minority shareholders. In the Kahn v. Lynch decision, the Delaware Supreme Court held that defendants can shift the burden of persuasion to plaintiffs if the defendants show that the transaction was either approved by (i) "an independent committee of directors," or (ii) "an informed majority of the minority shareholders." 638 A.2d at 1117.

Justice Holland modified the standard for these so-called "freeze-out transactions" twenty years later in Kahn v. M&F Worldwide, another of his oft-cited decisions. In Kahn v. M&F Worldwide, the Delaware Supreme Court held that, while entire fairness remains the standard for review for mergers involving the controlling shareholder, the Court can instead apply the highly deferential business judgment standard "if and only if" the following six necessary conditions are met: "(i) the controller conditions the procession of the transaction on the approval of both a Special Committee and a majority of the minority stockholders; (ii) the Special Committee is independent; (iii) the Special Committee is empowered to freely select its own advisors and to say no definitively; (iv) the Special Committee meets its duty of care in negotiating a fair price; (v) the vote of the minority is informed; and (vi) there is no coercion of the minority." 88 A.3d at 645 (emphasis in original). In revisiting this closely followed issue and adopting the business judgment standard under certain specific situations, Justice Holland once again returned to his emphasis on nuanced and practical analysis of the fiduciary obligations of Delaware corporate directors.

These oft-cited decisions demonstrate Justice Holland’s lasting impact on Delaware jurisprudence and will continue to shape these important areas of corporate law.

ENDNOTES:

[1] Through an empirical approach compiling the number of cases and secondary sources (such as treatises and statutory supplements) available through WestlawNext’s KeyCite service, we selected Justice Holland’s most cited cases as of the beginning of March 2017.

This post comes to us from Gibson, Dunn & Crutcher LLP. It was previously published in the Delaware Business Court Insider’s March 14, 2017 edition, available here.


March 27, 2017
Did Say-on-Pay Reduce or “Compress” CEO Pay?
by Blaine Martin, Clement Ma, Ira Kay, Pay Governance
Editor's Note: Ira Kay is a Managing Partner at Pay Governance LLC. This post is based on a Pay Governance publication by Mr. Kay, Blaine Martin, and Clement Ma.

In the Dodd-Frank Act legislation after the 2008 Financial Crisis, the inclusion of shareholder say-on-pay (SOP) voting was driven by bipartisan Congressional support to “control executive compensation…” at corporations. In 2009, a former SEC chief accountant said, “Executive compensation at this point in time has gotten woefully out of hand… The time to adopt ‘say on pay’ type legislation is certainly past due.”[1] Politicians, regulators, and some institutional shareholders clearly thought that, “The impetus for passage of Dodd-Frank’s say-on-pay requirement in 2011 focused on remedying ‘excessive’ CEO pay.”[2]

Some of the original economic, governance, and social objectives of this legislation are certainly debatable. However, the proponents clearly intended to reduce CEO pay levels.

After 5 years of SOP votes, it is now possible to review the pre- and post-SOP statistical impact on CEO compensation. With sufficient historical data post-SOP, we answer 2 fundamental questions regarding this legislation’s consequences:

1) Did the amount of S&P 500 CEO pay decline since SOP (2011)?
2) Does the CEO labor market structure have a more compressed compensation range post-SOP?[3]

Key Takeaways

  • SOP was implemented to reduce or freeze CEO pay. Pay Governance reviewed broad trends in S&P 500 CEO pay levels pre- and post-SOP to test the impact of this legislation.
  • Median S&P 500 CEO pay increased 27% for the 4 years after SOP implementation relative to the 3 years preceding SOP.
  • The continued upward trend in median CEO pay post-SOP, combined with shareholder support for SOP averaging >90%, suggest that SOP may have bolstered the executive pay model by documenting broad, transparent shareholder support.
  • However, the rate of CEO pay increases at the median of our sample slowed to low single digits post-SOP. While SOP may have influenced this lower increase rate, CEO pay rate increases or decreases have traditionally tracked broader economic factors (e.g., CEO pay declined during the pre-SOP financial crisis).
  • While CEO pay increased at the median, the overall distribution of CEO pay compressed. This was indicated by a narrowing ratio between the sample’s 90th and 10th percentiles after SOP implementation.
  • Our analysis of year-over-year trends at the top and bottom of the CEO pay distribution indicates that CEO pay at the 90th percentile was generally flat in the post-SOP years, while CEO pay generally increased 2%-13% annually in the rest of the distribution.
  • We believe that proxy advisors’ and shareholders’ focus on the highest-paying S&P 500 companies, and the diminished benchmarking of CEO pay to the 75th percentile, may have slowed CEO pay growth at many companies.
  • We conclude that SOP did not reduce overall S&P 500 CEO pay levels, but it may have slowed the rate of growth in median CEO pay and has possibly sustained a flat amount of CEO pay at the 90th percentile of the sample.
  • For all companies—particularly those with CEO pay at the 90th percentile of the S&P 500—it is important to use executive compensation strategically and creatively to recruit, retain, and motivate executive talent while maintaining strong corporate governance standards.

SOP implementation increased proxy advisors’ governance impact. These quasi-regulatory bodies have influenced qualitative changes to executive compensation program design over the past 6 years: an increased weight of performance-based stock awards, the use of TSR as a performance metric, the virtual elimination of excise-tax gross-ups on CIC severance, and the increased prevalence of stock ownership guidelines, among others.

However, this viewpoint addresses the most quantifiable potential impact: SOP’s effect on CEO pay opportunity structure and amounts. Our research found that median CEO pay has continued to rise post-SOP. While this continued increase was disappointing to the architect and other advocates of SOP,[4] this was not surprising to corporate directors, executives, and most institutional investors. It is arguably another example of the CEO labor market’s relative competitiveness. Shareholders at a clear majority of companies endorse the labor market: of the >14,000 SOP votes Pay Governance has tracked for major US companies (the Russell 3000) over the past 6 years, only 2.1% failed.

Background

In order to answer the questions above, we assessed CEO pay level trends before and after SOP. Pay Governance assembled a multi-year database of 222 S&P 500 companies for the fiscal years 2008-2015 (3 years of data pre-SOP [first vote in 2011] and 4 years of data post-SOP).[5] We focus our analysis on CEO target total direct compensation because total CEO pay (as disclosed in the proxy) has been—and remains—the primary emphasis of SOP, proxy advisory firms, shareholders, and the media. Our analysis of this large, multi-year data set (summarized below) provides factual data on the recent CEO pay level history, from which we draw conclusions about SOP’s role and influence on the CEO pay market.

Amidst the economic/stock market recovery and many other concurrent governance changes, SOP represented a single—but potentially dominant—corporate governance impact on CEO pay levels. While our findings provide insight into the broad pre- and post-SOP CEO pay market, they cannot isolate the specific impact of SOP. Thus, our summary findings represent a broad historical perspective on CEO pay from 2008-2015, split by the dominant corporate governance shift in 2011: SOP. We then interpret the impact and role that SOP may have had on these findings.

Question 1: Did the amount of S&P 500 CEO pay decline since SOP (2011)?

We examined median S&P 500 CEO pay for the 3 years before SOP (2008-2010) and the 4 years after SOP (2012-2015). Table 1 below indicates that median CEO pay for 2008-2010 was $8M, compared to $10.2M for the 4-year post-SOP period (2012-2015). Thus, total CEO pay post-SOP was 27% above pre-SOP levels.

While some commentators may have expected SOP to decrease or flatten median CEO pay among S&P 500 companies, this was not the case. It is not possible to prove that SOP caused the continued increase over the reviewed period or that CEO pay would have increased further had SOP not been in place. However, the continued upward trend in median CEO pay post-SOP occurred simultaneously with high levels of shareholder support for executive pay programs (average SOP support: >90%). The combination of these 2 phenomena suggests that SOP may have bolstered the executive pay model by documenting broad, transparent shareholder endorsement.

For most companies, TSR post-SOP is significantly above TSR pre-SOP, with a median of 15.3% versus 1.2% on an annualized basis. This higher overall median TSR post-SOP may have provided support for Compensation Committees’ increasing CEO pay levels at most companies based on proxy advisor and institutional investor comparisons of CEO pay and TSR. Nevertheless, it appears that TSR was not a significant factor in the size of individual company CEO pay increases post-SOP. For example, we found that companies in the 90th percentile (which effectively had flat CEO pay post-SOP) had approximately the same TSR as companies in the 10th percentile (which experienced major increases in pay post-SOP). This, as well as the observation that company size measured using revenue scope and market cap were the most significant differentiators of CEO pay levels both pre- and post-SOP, are shown in Appendix 2.

Based on the time period reviewed (2008-2015 in Table 2 below), low single-digit pay increases at the median appear to be lower post-SOP than pre-SOP. However, CEO pay decreased in 2008-2009 during the financial crisis[6] and was reduced dramatically in 2001 when the Tech Bubble burst. These decreases indicate that companies did adjust CEO pay—both up and down—based on company, stock market, CEO labor market, and overall economic events before the regulatory pressure of SOP. We will continue to monitor this issue.

Question 2: Does the CEO labor market structure have a more compressed compensation range post-SOP?[7]

While the trend in median S&P 500 CEO pay levels is clearly up, how did SOP affect the range of CEO pay within the S&P 500? To answer this question, we looked at the compression of CEO pay, measured by comparing the ratio between the 90th and 10th percentiles of the sample for the years pre- and post-SOP. Table 3 below demonstrates that CEO pay was more concentrated in the years after SOP: the ratio between the 90th and 10th percentiles decreased from 447% pre-SOP to 297% post-SOP. This indicates that the lowest-paid CEOs received large pay increases post-SOP and the highest-paid CEOs received effectively zero increases. Thus, while CEO pay increased at the median post-SOP, the extremes of the sample moved closer together after SOP implementation. This is consistent with our consulting experience with very large and often very successful companies. While some advocates may regard this finding as a SOP success, it may also indicate restricted executive motivation and corporate performance.

We examined year-over-year CEO pay trends at various percentiles of the S&P 500 sample to provide further insight into the observed CEO pay squeeze. Table 2 above shows that, post-SOP, CEO pay generally increased at all levels of the distribution with the exception of the 90th percentile. At the 90th percentile of the S&P 500, CEO pay has generally been flat since 2010. Thus, the shrinking ratio between 90th and 10th percentile CEO pay—shown in Table 3—is being driven primarily by larger CEO pay increases at the lowest-paying S&P 500 companies (the 10th percentile) and stable CEO pay at the highest-paying companies (the 90th percentile).

Companies with 90th percentile CEO pay are generally among the largest public companies globally by revenue. Appendix 2 shows that CEO pay opportunity is significantly correlated with company revenue and market cap scope. However, CEO pay at the 90th percentile has remained relatively flat since 2010 despite above-median TSR, a 17% increase in 90th percentile revenue scope, and a 50% increase in 90th percentile market cap between 2010-2015 (see Appendices 3 and 4). Since CEO pay at the 90th percentile did not increase with the substantial increase in scope, SOP implementation and the associated corporate governance changes may have played a role in continuing relatively-flat CEO pay at the 90th percentile of S&P 500 companies.

Based on our consulting experience, there may be many reasons for this compression:

  • Due to the rigid structure of the proxy advisors’ P4P tests, higher-paying companies—even if larger than most economic peers—are more at risk of an “against” recommendation from proxy advisors and, thus, SOP challenges. This can occur, and has occurred, at long-term high-performing companies that have experienced a temporary dip in relative TSR performance and have been pressured to freeze CEO pay. To the extent that this occurs, the regulatory framework of SOP may restrict the use of incentive compensation and labor market efficiencies.
  • Additionally, proxy advisors’ ongoing criticisms of pay-benchmarking philosophies above an industry peer group’s median have made this practice uncommon in the SOP environment. Thus, some of the largest and highest-paying companies in the S&P 500 now benchmark executive pay against the median of peer groups that may be different in scope, industry, and business model, potentially resulting in lower year-over-year increases in CEO pay.
    • However, companies below the median of the S&P 500 sample—especially the 10th percentile—experienced relatively large pay increases. This could be because they had a wider selection of industry peers and could benchmark CEO pay to the median of an appropriately-sized industry peer group, which may have been higher than their current CEO pay level.
  • Recent memos by prominent institutional shareholders have indicated a focus on the absolute quantum of CEO pay when those investors cast their SOP votes. This heightened focus, they argue, is justified by the income inequality debate and the associated company reputational risk of “excessive” CEO pay. One memo clarified screening criteria, focusing on the absolute quantum of CEO pay for companies paying their CEOs significantly above the average for Dow 30 companies. In our sample, this level of pay would generally be included in the top 10% of highest-paid CEOs. [8]
  • Alternatively, the recent relatively flat pay at the high end of the S&P 500 sample could indicate a steady-state for top talent among the largest public companies in the US and globally. If correct, this could be an advantage for private companies in the short-term.

Conclusions

The data reviewed in this viewpoint provide useful context for the post-SOP CEO pay environment. We found that CEO pay continued to increase after SOP—possibly at a slower rate than historical CEO pay increases—and that CEO pay distribution was narrower after SOP than it was before shareholder voting on executive compensation was implemented.

These findings are generally consistent with our intuitive understanding of the CEO pay market post-SOP. SOP implementation as well as the increased attention by shareholders and proxy advisors on the highest-paid S&P 500 CEOs may have continued a moderating effect on the 90th percentile of the S&P 500 CEO pay market. In contrast, the rest of the CEO pay distribution experienced ongoing pay increases as companies in the lower 3 quartiles increased pay to compete for top corporate management talent.

For all companies, but particularly those companies with CEO pay opportunity levels at the higher end of the S&P 500, continued monitoring of the pay market remains important. To the extent that SOP may have constrained the market for CEO talent of these highest-paying companies, the focus will continue to be on strategically and creatively using executive compensation in order to balance the tension: motivating executive talent while maintaining strong P4P linkage and corporate governance standards.

Appendix

Endnotes

[1] Lynn Turner. As cited in: Lisa Zagaroli. “Will financial crisis give shareholders a say in exec pay?” McClatchy. January 8, 2009. http://www.mcclatchydc.com/news/article24522490.html.

[2] Michael Bauch. “Executive Pay: How Much Do Shareholders Really Care?” Investopedia. http://www.investopedia.com/articles/personal-finance/112013/executive-pay-how-much-do-shareholders-really-care.asp.

[3] We define CEO pay compression as the convergence of CEO pay distribution. In this post, we measure compression by comparing ratio changes between the research sample’s 90th and 10th percentiles.

[4] Ross Kerber. “Dodd-Frank co-author disappointed on pay votes, cites fund managers.” Reuters. March 27, 2015. http://in.reuters.com/article/ceo-pay-barneyfrank-idINL2N0WR16B20150327.

[5] Our sample was limited to 222 companies to ensure data continuity for all sample companies across several consolidated databases. Data were provided using Equilar.

[6] Equilar. “2009 and 2010 CEO Pay Strategies Reports.” 2009 and 2010. www.equilar.com.

[7] We define CEO pay compression as convergence in CEO pay distribution. In this post, we measure compression by comparing ratio changes between the 90th and 10th percentiles of the research sample.

[8] State Street Global Advisors Worldwide Entities. “Guidelines for Mitigating Reputational Risk in C-Suite Pay.” June 1, 2016. https://www.ssga.com/investment-topics/general-investing/2016/Guidelines-for-Mitigating-Reputational-Risk-in-C-Suite-Pay.pdf.

[9] The sample used for this analysis is different than the S&P 500 CEO sample used for Pay Governance’s recent viewpoint, “S&P 500 CEO Compensation Increase Trends,” which excludes CEOs that were not in their roles for at least 3 years. We note that both samples indicate similar median CEO pay levels and year-over-year changes.

March 27, 2017
The Americas - 2017 Proxy Season Preview
by Sean Quinn, ISS
Editor's Note: Sean Quinn is the Head of U.S. Research at Institutional Shareholder Services Inc. This post is based on an ISS publication.

Proxy season is in full swing in Latin America, and is just beginning to heat up in Canada and the United States, and some early trends are already becoming evident across the Americas. Interestingly, there seems to be a slow but potent convergence of the governance world, composed of so many individual markets, as investor concerns expand to all markets and sectors. Things like boardroom composition, engagement practices, enhanced disclosure, continually evolving regulation, investor stewardship, environmental & social focus from investors and issuers, transparency in compensation, and pay that is aligned with performance are factors that are now being considered by investors in markets across the Americas. Activism, whether promulgated by traditional activists, large investors or small, concerned special-interest groups, or others, is appearing in every market, and gender diversity and climate-change response are concerns for issuers and investors alike.

Since 2015, proxy access has been the single dominant issue in the U.S. market. Although a majority of S&P 500 companies have adopted some form of proxy access, proponents continue to identify new targets while seeking line-item changes at companies that have already adopted proxy access. Board composition, director accountability, and shareholder rights will be key themes in 2017; these can be expected to propel a number of targeted shareholder proposals and campaigns against directors. Sustainability and long-term value creation remain high priorities for investors and will drive dialogue and shareholder action, as necessary.

Advisory votes on say-on-pay frequency will return to ballots in 2017. Recent controversies at companies such as Wells Fargo will shift investor attention to risk mitigators in compensation programs and the expansion of existing policies to guard against reputational risks.

Environmental and social shareholder proposals are expected to feature prominently in this year’s U.S. proxy season, as proponents seek to replicate success on various environmental issues, board diversity, and human-capital issues amid a decline in overall governance- and compensation-related proposals. Political issue proposal filings are also expected to decline as companies increase transparency related to their political activities.

In Canada, there have already been some eyebrow-raising moments involving M&A activity and shareholder proposals, but nothing earth-shattering as of yet. Based on filed proposals, and the results from last year, there will be a set of meetings worth following closely (check for updates in ISS publications). Compensation is a focal point for investors, as always, and a proposed change to stock option taxation drove some issuers to a premature response.

The Government of Canada released new Bill C-25 proposed regulations which supplement and facilitate certain proposed amendments to the Canada Business Corporations Act (CBCA), announced last fall. The proposed regulations would come into effect at the same time that the final amendments under Bill C-25 are effective. Majority voting requirements and mandatory board diversity disclosure are two of the main corporate governance topics covered in the updates.

While the Latin America region has been slow in its recovery from a sluggish economy, new laws and regulatory changes are being implemented at an accelerated pace in different countries trying to shake off a massive corruption scheme with cross-border and regional implications. Some of the changes, such as the remote voting card in Brazil, will directly impact the landscape of the 2017 proxy season.

Other market-specific changes stem from common trends in the region, such as the adoption of comply-or-explain corporate governance rules, anti-corruption regulations, the push for increased transparency and accountability, and the increased focus in compliance mechanisms to reduce financial, legal, and reputational risks.

March 26, 2017
Does the Market Value Professional Directors?
by Aida Sijamic Wahid, Kyle Welch
Editor's Note: Aida Sijamic Wahid is Assistant Professor of Accounting at University of Toronto Rotman School of Management; Kyle T. Welch is Assistant Professor of Accountancy at George Washington University School of Business. This post is based on a recent paper authored by Professor Wahid and Professor Welch.

Professional directors, as often defined by academics and practitioners, are independent directors whose only vocation consists of serving as corporate directors on one or more boards. Such directors hold no other full-time employment. Currently, over 84 percent of corporate boards include at least one professional director. Since the 1970s, academics across disciplines have argued that professional directors enhance corporate governance (e.g. Eisenburg 1975, Barr 1976, Gilson and Kraakman 1991, Fram 2005, Pozen 2010). Many argue that specialized labor on boards will lead to higher quality and more rigorous governance as more dedicated directors have fewer competing commitments (e.g. Fram 2005, Pozen 2010, Bainbridge and Henderson 2013). These arguments seem to have gained currency in practice, as the portion of boards composed of professional directors has increased over the last decade. In addition, a survey conducted in 2004 found that around 67 percent of directors asked were in favor of appointing professional directors to improve board quality (Felton 2004).

The only empirical evidence examining the effectiveness of professional directors comes from director surveys which offer conflicting views on the value of professional directors (Larcker and Miles 2011, Felton 2004). Despite the arguments in favor of professionalization of corporate boards, the suggested positive relationship between professional directors and the quality of governance is not straightforward. Economic theory suggests that professional directors may be less independent. A professional director’s vocational prestige, social status, and income depend mainly on retaining the directorships. Consistent with this notion, a survey of CEOs finds that CEOs view a professional director’s primary aim to be the preservation of their board seat (Sonnenfeld et al., 2013). Corporate directorships are also lucrative[1] and the prospect of losing power and income by being removed from a board could act as a perverse incentive to rubber-stamp management’s proposals and appease the executives. It is also possible that professional directors do not channel the additional time available to them into more rigorous monitoring. Ultimately, it is an empirical question whether professional directors are more or less valuable than other independent directors.

Since directors are tasked with protecting shareholder interests, we begin by examining how equity-market participants respond to firms’ appointment of professional directors. Our director-level analysis compares market reactions to appointments of professional directors with the reaction to appointments of other independent directors (non-professional independent directors). We use a subset of director appointments which are announced via press releases by filing 8-K forms with the SEC, alerting investors to a material event. Using the subset of director appointments which occur outside of the regular nomination/election cycle provides a distinct advantage, as such appointments usually contain little or no other confounding information.

We find cumulative abnormal returns surrounding professional director appointments are negative and significantly lower than returns from the appointment of non-professional independent directors. Although the majority of boards have at least one professional director (~84 percent), this result could still be attributable to firm type; i.e. it is plausible that the strongest boards do not appoint professional directors. Consequently, we repeat the analysis holding the firm constant and find similar results, suggesting that firm characteristics do not drive the reaction. The negative market response might also be driven by director-specific attributes—that is, professional directors might be of lower quality or different. We repeat the analysis with a matched sample of directors, where the matched sample is formed by matching directors on demographic characteristics (e.g. age, gender), the level of busyness (as measured by the number of board seats) and vocational/educational characteristics (e.g. prior functional work experience, education). We find consistent results, suggesting that ability, qualifications, and other observable characteristics of directors do not seem to drive the negative market response.

To explore professional directors’ perceived monitoring ability, we repeat the above analysis while separating the firms into two subgroups: firms with low and high monitoring needs, as proxied by three different agency-cost measures (high leverage, low efficiency, and low insider ownership). We find that the negative market response is driven by the group of firms that experiences high agency cost. The concentration of negative market reaction to the appointment of professional directors only within the subset of companies requiring high monitoring suggests that investors view professional directors as less effective monitors.

In addition to the director-level analyses, we conduct firm-level tests to measure board effectiveness, measured in terms of firm performance, CEO performance-turnover sensitivity, pay-performance sensitivity, the likelihood of M&A transactions, and market response to the announcement of M&A transactions. The firm-level analyses show that boards with a higher proportion of professional directors are significantly less CEO-performance-turnover-sensitive and exhibit lower pay-performance sensitivity. Such firms are also more likely to engage in acquisition activity; when they do so, they exhibit significantly lower stock returns surrounding the transaction announcement measured over one- and three-day windows. We also find that boards with a higher proportion of professional directors exhibit lower Tobin’s Q and lower efficiency, as measured by sales turnover; we find no such difference in profitability.

To our knowledge, this is the first study to examine the consequence of professional directors empirically. Given the increased professionalization of corporate boards, it is important to determine whether appointing professional directors enhances or degrades boards’ ability to monitor the CEO and protect shareholder interests. Our study contributes to the ongoing regulatory debate about both what constitutes director independence and whether imposing limitations on directors’ responsibilities and commitments is warranted. Further, this study shows that director incentives may be an important determinant of boards’ monitoring effectiveness. In that sense, this paper answers the call for further research into incentives of independent directors (Bebchuk and Weisbach, 2010, Brickly and Zimmerman, 2010). By not treating independent directors as homogenous, this study also contributes to the stream of literature that examines the board composition and characteristics that produce better and worse governance outcomes.

 

The complete paper is available for download here.

Endnotes

[1] Median compensation amounts to $240,000 for outside directors at Fortune 500 companies (Towers Watson, 2014).

March 26, 2017
SEC Obtains Freeze Order In Suspicious Trading Case
by Tom Gorman

Suspicious trading cases have become a staple of SEC insider trading enforcement. Typically the cases involve outsized trading in advance of a significant corporate event. The only way for the SEC to avoid the possible transfer of the trading profits out of the account, and perhaps the country, is to file a complaint seeking a freeze order with little more than the account documents, the trading and a sketch of the transaction milestones. The request is usually granted. See, e.g., SEC v. Yin, Civil Action No. 17 CV 972 (S.D.N.Y. Filed Feb 10, 2017) (Chinese national trades prior to announcement that Comcast will acquire DreamWorks, yielding over $29 million in profits). In many instances the Commission has been successful in later proving the allegations in these complaints. In others it has not.

The SEC’s latest action in this regard involves two Israeli traders who used U.S. brokerage accounts to generate profits of almost $5 million from trading in advance of a takeover. An asset freeze order was entered at the time the complaint was filed. SEC v. Darvasi, Civil Action No. 17-cv-2088 (S.D.N.Y. Filed March 23, 2017).

The action centers on the acquisition of Mobileye, N.V. by Intel Corporation, announced before the opening of trading on March 13, 2017. Following the deal announcement the share price increased 28%. Defendant Dr. Ariel Darvasi is a Professor of Genetics at the Center for Research on Pain, Hebrew University of Jerusalem. Defendant Dr. Amir Waldman is a self-employed engineer who earned his Ph.D. at Hebrew University of Jerusalem. Mobileye is a Netherlands entity with its principal office in Jerusalem, Israel.

A number of Mobileye’s directors and officers are members of the Hebrew University science community. The firm developed software and technology for Advanced Driver Assistance Systems used for autonomous driving. The technology was commercialized at Hebrew University of Jerusalem while Dr. Waldman was working on his doctorate at the school. The firm’s shares were listed on the NYSE. Intel is a large, well-known U.S. chip maker and technology firm.

Intel began formal discussions with Mobileye in late January 2017. Principals of the two firms met in New York in late January. By the end of January 2017 all the members of Mobileye’s board had discussed the possible transaction. On February 1, 2017 the two firms executed a non-disclosure agreement.

The first meetings that included legal and financial advisers were held on February 9, 2017. The discussions proceeded. A definitive agreement was entered into on March 12, 2017. It called for a tender offer valued at about $15.3 billion or $63.54 per share. That price represented a premium to market of about 34.7%.

Dr. Darvasi had an account at Interactive Brokers LLC. Ten days prior to the execution of the definitive Agreement for the tender offer, he liquidated the only holdings in the account – about 40,000 shares of Teva Pharmaceutical Industries — at a loss of over $600,000. The same day – March 2, 2017 – he purchased 30,000 shares of Mobileye, using all of the cash in the account and margin debt. The stock had a value of $1.4 million.

The Doctor’s only other trade in Mobileye occurred when he purchased shares on January 5, 2016. After the market closed on that date Mobileye announced it was deploying a mapping technology and a new strategic partnership with Volkswagen. He sold the shares the next day at a loss of $4,820.

Dr. Waldman also had an account at Interactive Brokers. Beginning in early November, and continuing through February 2017, he traded Mobileye options. Typically he purchased the options with strike prices that were about 4 to 11% out of the money compared to the share closing price at the time. Dr. Waldman usually held the options for about two weeks and sold them prior to expiration. His bullish trading yielded gains.

Beginning on February 1, 2017, the date Intel and Mobileye executed a nondisclosure agreement, Dr. Waldman changed his trading pattern. He began accumulating Mobileye options at strike prices above the firm’s then current performance. By March 10, 2017 he held 5,339 Mobileye call options, purchased for $237,581.

On the day of the deal announcement Dr. Darvasi sold 100 Mobileye shares for a gain of $1,473.45. He had unrealized gains on his remaining 29,900 shares of about $427,000. Dr. Waldman sold 1,697 of his options on the same day, realizing profits of about $1,539,813. As of that date he had unrealized profits of about $2.96 million on his remaining holdings. Dr. Waldman also withdrew $200,000 from his brokerage account on March 13, the maximum amount permitted on any day.

Mobileye has extensive contacts in the science and academic community at Hebrew University, according to the complaint. The defendants are part of that community. Each defendant, on information and belief, possessed inside information at the time of their respective securities transactions, the complaint claims. The complaint alleges violations of Exchange Act Sections 10(b) and 14(e). The case is in litigation. See Lit. Rel. No. 23789 (March 24, 2017).

March 25, 2017
New York Cybersecurity Regulations for Financial Institutions Enter Into Effect
by Daniel Ilan, Jonathan Kolodner, Katie Dunn, Michael Krimminger
Editor's Note: Michael Krimminger is a partner at Cleary Gottlieb Steen & Hamilton LLP. This post is based on a Cleary Gottlieb publication by Mr. Krimminger, Jonathan Kolodner, Daniel Ilan and Katie Dunn.

While the New York Cybersecurity Regulations represent a softening in key respects from the requirements set forth in the initial proposal, the regulations impose minimum standards that exceed existing federal standards and introduce new requirements, including obligations to critically evaluate cybersecurity practices to ensure compliance, maintain detailed documentation demonstrating compliance and report cyber events to the New York Department of Financial Services.

Overview

On March 1, 2017, the New York Department of Financial Services’ (DFS) Cybersecurity Regulations (the Regulations) entered into effect.[1] Under the Regulations, any individual or non-governmental partnership, corporation, branch, agency, association or other entity operating under a license, registration, charter, certificate, permit, accreditation or similar authorization under New York banking, insurance or financial services laws (with narrow exceptions described below) (Covered Entities) is required to formally assess its cybersecurity risks and establish and maintain a cybersecurity program designed to address such risks in a “robust” fashion.

The Regulations are a direct response to the increasing number of cyber-attacks on insurers and financial institutions, such as the 2015 cyber-attack on Anthem, Inc. in which 78 million unencrypted records containing personal information were stolen and the 2016 cyber-attack on the central bank of Bangladesh in which stolen SWIFT credentials and malware were used to illegally transfer $81 million of funds held at the Federal Reserve Bank of New York.

These Regulations represent the first comprehensive state regulations to address cybersecurity threats. Under the Regulations, Covered Entities must comply with a number of detailed requirements, the majority of which are already practiced by Covered Entities that are subject to the Gramm-Leach-Bliley Act (GLBA), the federal statute regulating the collection, use, protection and disclosure of non-public personal information by financial institutions. For example, the Regulations essentially duplicate the mandate under the GLBA that requires Covered Entities to implement a comprehensive written information security program. However, some requirements of the Regulations exceed the minimum standards established by GLBA or constitute entirely new obligations, discussed in detail below.

This post highlights some key terms of the Regulations, as well as key changes from the DFS’s initial proposed regulations issued on September 13, 2016 and discussed in our alert memo “New York Regulators Propose Cybersecurity Requirements for Financial Institutions” published on September 19, 2016.

Key Changes From Initial Draft

Following the publication of the initial proposed regulations on September 13, 2016, the DFS received over 150 comments, many of them criticizing the proposed regulations for being overly prescriptive and insufficiently tied to the results of the risk assessment required to be conducted by the Covered Entity. In response, the DFS published revised proposed regulations on December 28, 2016 which showed movement toward greater flexibility and individualization and reflected a more risk-adjusted approach. The final Regulations were posted to the State Register on February 16, 2017.

In the final Regulations, the entire cybersecurity program as well as the applicability and implementation of certain specific security measures (including penetration testing and vulnerability assessments, use of multi-factor authentication and encryption of non-public information) are explicitly contextualized by (i.e., the need to comply with them depends on) the risk assessment conducted by the Covered Entity. In addition, other requirements were softened by including materiality qualifiers (such as in the notice to superintendent requirement) and reducing the minimum frequency of certain requirements from annual to periodic.

Furthermore, in response to concerns about confidentiality, under the final Regulations any information provided by a Covered Entity pursuant to the Regulations is exempt from disclosure under other state or federal law.

However, the final Regulations are more onerous than the initial proposal in one significant regard, specifically with respect to documentation obligations. While the Regulations principally act to codify the existing practices of sophisticated institutions, Covered Entities must now maintain evidence comprehensively documenting such practices (including all records, schedules and data supporting the certificate of compliance for five years) and make such documentation available to the DFS upon request.

Key Terms

The Regulations are broader than the GLBA in two important respects, described below.

Covered Entities

The GLBA and the Regulations significantly overlap but are not entirely co-extensive in terms of applicability. The GLBA applies to “financial institutions,” defined as any institution significantly engaged in financial activities, such as lending, insuring or providing investment services. By contrast, the Regulations apply to any non-governmental entity operating under a “certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Laws,” which could encompass an extremely broad range of businesses given the vast scope of New York banking, insurance, and financial services laws.

Nonpublic Information

Under the Regulations, the scope of the definition of Nonpublic Information is significantly broader than under the GLBA.

The information protected by the GLBA is limited to personally identifiable financial information, whereas the definition of Nonpublic Information protected under the Regulations encompasses all nonpublic electronic information, even if not personally identifiable or financial information, that is (1) business-related information “the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the Covered Entity,” (2) concerning an individual which, because of an identifier such as a name or number, could be used to identify such individual in combination with other data, such as a social security number, driver’s license, financial account information, or biometric records or (3) created by or derived from a health care provider or an individual and related to the health or condition of any individual or family member (except age or gender).

The expanded definition of Nonpublic Information appears to reflect the Regulations’ broader scope, intended to address cybersecurity risks generally, whether or not related to privacy.

Key Requirements

If the entity and the information are covered, the Regulations include new requirements that have not previously been included in the GLBA, described below.

Personnel

Each Covered Entity must designate a qualified individual to act as a chief information security officer (CISO), responsible for developing and presenting a written report to the board of directors on at least an annual basis. The report must cover the Covered Entity’s cybersecurity program and material cybersecurity risks. Unlike the initial proposed regulations which required the CISO to be employed by the Covered Entity, the final Regulations allow for the CISO to be employed by an affiliate or a third party service provider.

In addition, each Covered Entity must utilize qualified cybersecurity personnel sufficient to manage the Covered Entity’s cybersecurity risks and to perform or oversee the core cybersecurity functions.[2]

Reporting obligations

A Covered Entity must notify the DFS of any act or attempt to gain unauthorized access to, or to disrupt or misuse, its information system or information stored on such system (such act or attempt, a Cybersecurity Event) that (i) triggers a notice requirement with respect to a government body, self-regulatory agency or any other supervisory body or (ii) has a reasonable likelihood of materially harming a material part of normal operations. The notification to the DFS must occur within 72 hours after the Covered Entity determines that such an event has occurred.

Furthermore, beginning February 15, 2018, the chairperson of the board of directors of each Covered Entity must submit on an annual basis a signed certification stating that, to the best of the board of directors’ knowledge, their institution’s cybersecurity program complies with the Regulations.

While the Regulations are silent with regards to the penalties for filing a false or incorrect certification, a certifying officer whose Covered Entity is subsequently found to be non-compliant could potentially incur personal civil liability.

Documentation obligations

Each Covered Entity must make all documentation and information relevant to its cybersecurity program available to the DFS upon request, including but not limited to the following: (1) written cybersecurity policy, (2) annual CISO report to board of directors, (3) documentation of cybersecurity monitoring and testing (including penetration testing and vulnerability assessments), (4) records for its systems designed to reconstruct material transactions and audit trails, (5) written procedures, guidelines and standards relating to application security, risk assessment and third party service provider security, (6) written incident response plan, (7) annual certification of compliance (and all records, schedules and data supporting the certificate for a period of five years) and (8) documentation of all areas, systems or processes that require material improvement, updating or redesign, and the remedial efforts planned and underway to address such deficiencies.

Third party service providers

Each Covered Entity must implement written policies and procedures addressing security concerns associated with third parties who provide services to the Covered Entity and maintain, process or otherwise have access to its Nonpublic Information through the provision of such services. These policies must include, to the extent applicable, identification and risk assessment of third party service providers, minimum cybersecurity practices required to be met by such third party service providers, due diligence processes to evaluate the adequacy of such third party service providers’ cybersecurity practices and periodic assessment of such third party service providers based on the risk they present and the continued adequacy of their cybersecurity practices.

These policies and procedures must also contain relevant guidelines for due diligence or contractual protections relating to third party service providers, including those addressing: (1) the third party service provider’s policies and procedures for access controls, (2) the third party service provider’s policies and procedures for use of encryption, (3) notice from the third party provider of a Cybersecurity Event directly impacting the Covered Entity’s information systems or Nonpublic Information being held by the third party service provider and (4) representations and warranties addressing the third party service provider’s cybersecurity policies and procedures that relate to the security of the Covered Entity’s information systems or Nonpublic Information.

Limited Exceptions

Covered Entities with (1) fewer than 10 employees, including independent contractors, of the Covered Entity or its affiliates located in New York or responsible for the business of the Covered Entity, (2) less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations, or (3) less than $10,000,000 in year-end total assets (including the assets of its affiliates) qualify for an exemption from certain of the requirements under the Regulations. However, such Covered Entities must still establish and maintain a cybersecurity program and a written cybersecurity policy (including with respect to third parties), limit access privileges, conduct a periodic risk assessment of information systems, limit data retention and report any Cybersecurity Events discussed above under “Reporting obligations” to the DFS within 72 hours.

Covered Entities that (a) do not control, access, generate or possess Nonpublic Information other than information relating to their affiliates and are subject to Article 70 of New York insurance law or (b) do not operate, maintain, or use any information systems and do not control, access, generate or possess Nonpublic Information qualify for an exemption from the majority of the requirements under the Regulations; however, such Covered Entities must still conduct periodic risk assessments, implement third party service provider security policies and limit data retention.

A Covered Entity must file a notice of exemption within 30 days of determining that it is exempt.

Transition Periods

The Regulations entered into effect on March 1, 2017, and Covered Entities generally have 180 days from such date in which to comply with most requirements. However, Covered Entities will have additional transitional periods to comply with certain provisions, specifically: (a) one year to comply with the requirements relating to (i) the CISO’s first written report, (ii) penetration testing and vulnerability assessments, (iii) risk assessment, (iv) multi-factor authentication and (v) cybersecurity awareness training for all personnel, (b) 18 months to comply with the requirements relating to (i) audit trails, (ii) application security, (iii) limitations on data retention, (iv) monitoring the activity of authorized users and (v) encryption of nonpublic information and (c) two years to comply with the requirements relating to third party service provider security policies.

Conclusion

The Regulations highlight the ongoing shift in public policy towards a more careful and regulated approach with respect to data privacy and serve as a timely reminder of the importance of continually assessing and managing risk in an environment of escalating cybersecurity threats. In this context, it is important to bear in mind that other legislative measures addressing cyber risks are expected to be adopted at both the state and federal level, including the proposal from the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation for rules regarding enhanced cyber risk management standards for certain entities under such agencies’ supervision (mainly large financial institutions). For entities subject to both the Regulations and such other legislative measures, compliance with the various requirements and standards may become complicated and costly, so it is hoped that these other measures will be largely consistent with the Regulations.

Endnotes

1. 23 NYCRR § 500.

2. Under the Regulations, each Covered Entity’s cybersecurity program must perform the following six “core” functions: (1) identify and assess cybersecurity risks that may threaten the security or integrity of Nonpublic Information stored on the Covered Entity’s information systems, (2) use defensive infrastructure and implement policies and procedures to protect information systems and Nonpublic Information from unauthorized access, disruption and misuse, (3) detect attempts at unauthorized access, disruption or misuse, (4) respond to such attempts to mitigate any negative effects, (5) recover from such events and restore normal operations and service and (6) fulfill regulatory reporting obligations.


Blog posts are subject to copyrights held by the authors and are republished here with permission. Views expressed are those of the authors alone.