Securities Mosaic® Blogwatch
September 26, 2016
Bridging the Week: September 19 to 23 and September 26, 2016 (Supervision; Block Trades; EFRPs; Independence; Tag 50s; Insider Trading)
by Gary DeWaal

A futures commission merchant and its chief executive and chief risk officers were sued by the Commodity Futures Trading Commission for the firm's alleged failure to adequately respond to three exchanges’ inquiries related to a customer’s purported spoofing activities, as well as its failure to follow its own risk management policies. Additionally, a Russia-based bank and its UK subsidiary were charged by the CFTC with engaging in illicit futures block trades because their prices were purportedly not fair and reasonable. However, the prices of the block trades were mostly chosen at the midpoint of the prevailing bid-ask spread of the corresponding swaps contract at a time when the relevant futures market was apparently illiquid. Huh? As a result, the following matters are covered in this week’s edition of Bridging the Week:

  • FCM, CEO and CRO Sued by CFTC for Failure to Supervise and Risk-Related Offenses (includes Compliance Weeds);
  • Futures Block Trades' Prices at Midpoint of Related Swaps Bid-Ask Were Not Fair and Reasonable Says CFTC in Enforcement Action (includes Legal Weeds);
  • CME Group Overhauls EFRP Rule and Guidance; Clarifies Roles of Executing and Clearing Firms and Provides New Relief (includes Compliance Weeds);
  • Audit Firm Agrees to Two Fines Totaling $9.3 Million for Two Partners’ Cozy Relationship With Audit Client Contacts;
  • CME Group Describes Responsibilities of Clearing Members and Globex Order Placers for Tag 50s in Revised Advisory (includes Compliance Weeds);
  • Alleged EFRP and Wash Sale Violations Are Subjects of CME Group Disciplinary Actions Settlements;
  • Federal Reserve Proposes Rule to Severely Restrict Banking Organizations From Commodities Activities;
  • Hedge Fund Icon Sued by SEC for Alleged Insider Trading;
  • Follow-up: CFTC Rule Review Instructs CBOE Futures to Cease Issuing Warning Letters for Offenses Other Than Books and Records Offenses (includes My View); and more.

FCM, CEO and CRO Sued by CFTC for Failure to Supervise and Risk-Related Offenses

Advantage Futures LLC, Joseph Guinan, its majority owner and chief executive officer, and William Steele, who until May 2016 was Advantage’s chief risk officer, settled charges brought by the Commodity Futures Trading Commission related to the firm’s handling of the trading account of one customer in response to three exchanges’ warnings and for the firm’s alleged failure to follow its own risk management policies. The defendants agreed to pay a fine of US $1.5 million to resolve the CFTC’s enforcement action.

According to the CFTC, between June 2012 and April 2013, three exchanges alerted Advantage to concerns they had regarding the trading of one unspecified customer’s account which they considered might constitute disorderly trading, spoofing and manipulative behavior, in violation of the exchanges’ relevant rules.

The CFTC claimed that, initially, Advantage failed “to adequately respond to the Exchange inquiries and did not conduct a meaningful inquiry into the suspicious trading.” Among other things, said the CFTC, no person at Advantage talked to the relevant trader regarding the identified activity. Only after the three exchanges threatened to hold Advantage responsible for its customer's conduct did Advantage cut off the trader’s access to those three exchanges, observed the CFTC. However, noted the CFTC, Advantage failed to augment its oversight of the trader’s remaining trading or to control his access to other exchanges “despite knowing that he employed the same strategy across all markets.”

In addition, charged the CFTC, Advantage did not follow its own risk management policies. Among other specific failures, said the CFTC, Advantage did not follow its risk management program (RMP) adopted pursuant to CFTC requirement (click here to access CFTC Rule 1.11) regarding the role of its credit committee; the use of risk ratings; the account opening process; and the implementation and review of risk tolerance levels.

Also, claimed the CFTC, Advantage did not establish risk-based limits for each customer, as required based on position size, order, margin requirement or similar factors. (Click here to access CFTC Rule 1.73(a)(1).) Instead, observed the CFTC, Advantage relied on position limits for its risk-based pre-control limits, which it said was “an inadequate risk-based control method” for day trader customers.

The CFTC charged that when Advantage submitted its RMP manual, credit and risk policies and procedures manual and chief compliance officer annual report to it on “multiple occasions” between November 2013 and May 2015, Mr. Guinan and Mr. Steele “knew that the documents did not accurately represent Advantage’s actual practices” and therefore contained false or misleading statements in violation of applicable law. (Click here to access Commodity Exchange Act Section 6(c)(2), 7 USC §9(2).)

All three respondents were charged by the CFTC with failure to supervise; Advantage and Mr. Steele were charged with failure to comply with the firm’s risk management program requirements; and Advantage alone was charged with failure to establish risk-based limits and with submission of false documents to the CFTC.

In addition to payment of a fine, Advantage agreed to implement strengthened procedures related to its risk management program and risk department in order to resolve the CFTC’s charges.

Compliance Weeds: CFTC staff recently issued guidance regarding its views on effective risk management programs by futures commission merchants. As part of their regulatory obligation, FCMs must address market, credit, liquidity, foreign currency, legal, operational, settlement, segregation, technological, capital risks and any other applicable risks in their RMPs. Staff's advice went beyond restating the mere four corners of the relevant regulation, and provided insight into specific elements of FCM RMPs and periodic risk exposure reports they had reviewed. These provisions included, among others, descriptions of the technical systems used by FCMs to conduct their business and how the systems interacted for risk management purposes and the procedures for monitoring relevant risks. It may be useful in light of the CFTC’s enforcement action against Advantage for FCMs to consider their own RMPs against the contents of other RMPs identified in the staff guidance. (Click here for a discussion of the staff’s guidance in the article, “CFTC Staff Issues Guidance on Elements of an Effective FCM Risk Management Program” in the March 13, 2016 edition of Bridging the Week.) Moreover, all FCMs should periodically review all adopted procedures, including those pertaining to their RMP, to assess if they are being followed and, if not, to amend or implement them as appropriate.

In addition to the CFTC’s authority to bring actions against FCMs for failure to supervise, CME Group clearing members are expected to “suspend or terminate” a non-member customer’s Globex access if the exchange “determines that the actions of the non-member customer threaten the integrity or liquidity of any contract or violate any Exchange rule or [applicable law]." Moreover, “[i]f a clearing member has actual or constructive notice of a violation of Exchange rules in connection with the use of Globex by a non-member for which it has authorized a direct connection and the clearing member fails to take appropriate action, the exchange member may be found to have committed an act detrimental to the interest or welfare of the Exchange.” (Click here to access CME Group Rule 574.) ICE Futures U.S. has equivalent requirements. (Click here to access IFUS Rules 27.04 (c)(iii) and (d).) Clearing members should not ignore an exchange’s or other third party’s identification of the possibly problematic trading of any customer and, at a minimum, should evaluate such trading for compliance with their own requirements.

Briefly:

  • Futures Block Trades' Prices at Midpoint of Related Swaps Bid-Ask Were Not Fair and Reasonable Says CFTC in Enforcement Action: JSC VTB Bank (VTB), a Russia-based bank, and VTB Capital PLC (VTB Capital), a UK-based bank that is ultimately 94% owned by VTB, were sued by the CFTC for engaging in block trades with each other contrary to CME Group rules, in that the prices of the block trades were not “fair and reasonable.” According to the CFTC, between December 2010 and June 2013, the two companies engaged in more than 100 block trades involving CME Group’s Russian Ruble/US Dollar futures contracts. The CFTC alleged that the companies engaged in these transactions to transfer certain Russian Ruble/US dollar risk from VTB to VTB Capital. However, in doing so, said the CFTC, the defendants chose a price for their block trades that “typically” reflected the midpoint between the prevailing bid-ask spread of the over-the-counter RUB/USD swap. The CFTC said that, because the defendants did not seek other block trade prices from other counterparties, the prices chosen by the defendants for their block trades were not fair and reasonable prices, as required by CME Group rules. Thus the block trades were unlawful noncompetitive trades under the applicable CFTC rule. (Click here to access CFTC Rule 1.38(a).) To resolve the CFTC’s complaint, defendants agreed to pay a fine of US $5 million and to institute or enhance procedures to avoid noncompetitive transactions.

Legal Weeds: Block trades are a type of noncompetitive transaction permissible under rules of the Commodity Futures Trading Commission if they are executed strictly in accordance with the applicable exchange’s rules. If they are not so executed, the transaction may be a violation of not only the applicable exchange’s rules, but of applicable law and CFTC rules. (Click here for background regarding block trades in the article, “Block Trade Requirements Must Be Followed Strictly; No Chips Off the Old Block Trade Rules Permitted” in the January 10, 2016 edition of Bridging the Week.) According to CME Group, the prices of block trades must be fair and reasonable considering (1) the size of the transaction; (2) the prices and sizes of other transactions in the same contract at the equivalent time; (3) the prices and sizes of transactions in other relevant markets; and (4) the circumstances of the markets or the parties to the block trade. Here, according to the CFTC complaint, the price of the allegedly problematic block trades was the midpoint of the bid-ask spread of the related swap instrument. Moreover, VTB claimed that, at the time of execution of the allegedly problematic block trades, the market in the RUB/USD futures contract was illiquid. Given these circumstances, it is hard to understand how the CFTC concluded that the prices of the relevant futures contracts were not fair and reasonable. That being said, CME Group prohibits block trades between accounts with common beneficial ownership unless each party’s decision to trade was made independently. Given that VTB and VTB Capital appear to be under common beneficial ownership and acted in concert to effectuate a risk transfer from VTB to VTB Capital, it seems odd that the CFTC did not allege that this aspect of the relevant block trades was problematic, as opposed to the quality of the prices. 
Indeed, the CFTC noted in its Order that “[t]he block trades by design, did not create any market risk to the combined VTB entities because, ultimately, any financial gains and losses from these trades were consolidated on VTB’s books.” Ordinarily exchanges give wide latitude to the prices decided between parties to a block trade because such prices are reported to the public independently of trade prices in the ordinary market, are not included in the daily trading range and will not set off any conditional orders. (Click here to access CME Group’s Market Regulation Advisory Notice regarding block trades; click here to access similar guidance by ICE Futures U.S.) Regrettably, it is not clear what message the CFTC is endeavoring to provide traders and execution facilities regarding acceptable prices for block trades going forward.

  • CME Group Overhauls EFRP Rule and Guidance; Clarifies Roles of Executing and Clearing Firms and Provides New Relief: The CME Group self-certified amendments to its rules and guidance related to exchange for related position transactions that, among other things, make clear that firms executing or clearing EFRPs must exercise “due diligence” to identify situations where a customer’s EFRP transactions may be “non-bona fide,” and permit EFRPs to contain multiple exchange components that need not have the same market bias. The CME amendments also permit any third party, not just members, to facilitate as principal the related position component of an EFRP; make clear that the related position associated with an exchange of an exchange-traded option for an option transaction must be an over-the-counter option and that all account statements confirming EFRPs must “uniquely” identify such transactions (e.g., not just identify them generically as Ex-pit); and relieve commodity trading advisors, account controllers or other persons acting on behalf of another person from having to pass along to the ultimate customer both the initiating and offsetting foreign currency legs of an immediately offsetting foreign currency EFRP. In connection with EFRPs involving equity index contracts, CME Group eliminated the requirement that the related position component have a historical correlation to the index of 90 percent or greater and replaced it with a requirement that related position stock baskets simply be “highly correlated” to the index, without referencing a specific percentage. Absent objection by the Commodity Futures Trading Commission, CME Group’s new rule and guidance will be effective October 4.

Compliance Weeds: For EFRPs, one party must sell the exchange contract and buy approximately the same quantity of the related position (or the market exposure associated with the related position), while the other party must buy the exchange contract and sell approximately the same quantity of the related position or associated market exposure. The related position must be the cash commodity associated with the exchange contract or a by-product, a related product or an over-the-counter derivative instrument of such commodity that is reasonably correlated to the exchange contract. EFRPs must result in a real transfer of a cash commodity between the parties or a legally binding agreement between the parties governing the related position consistent with prevailing market conventions. Transitory EFRPs – where one EFRP is contingent on the execution of another EFRP or related position transaction and where the overall transaction results in the liquidation of the related position without either party incurring market risk – are strictly prohibited.

  • Audit Firm Agrees to Two Fines Totaling $9.3 Million for Two Partners’ Cozy Relationship With Audit Client Contacts: Ernst & Young agreed to pay fines totaling US $9.34 million to resolve charges that two of its partners maintained personal relationships with their contacts at their audit clients that were too close to preserve auditor impartiality and objectivity. In one action naming E&Y, Robert Brehl, Pamela Hartford and Michael T. Kamienski, the SEC charged that, between March 2012 and June 2014, Ms. Hartford, who at first was the engagement partner and then the coordinating partner on E&Y’s engagement with an unspecified public company that was an audit client, maintained a romantic relationship with Mr. Brehl, who at the time was the chief accounting officer at the client. During this time, said the SEC, E&Y represented that it was independent in connection with audit reports filed with the agency. Yet, said the SEC, “[a] reasonable investor with knowledge of all relevant facts and circumstances concerning Hartford’s personal relationship with Brehl would conclude that Hartford was not capable of exercising objective and impartial judgment with respect to the audits of the Issuer.” According to the SEC, Mr. Kamienski was the coordinating partner on E&Y’s engagement prior to Ms. Hartford’s appointment, and had a senior role with E&Y afterwards. The SEC claimed that from early June 2013 through June 2014, he “was aware of facts” that suggested the romantic relationship but did not perform a “reasonable inquiry” to follow up or forward his knowledge to the group within E&Y charged with ensuring the audit firm’s independence from its clients. To resolve this matter, E&Y agreed to pay a fine of US $4.366 million while Ms. Hartford and Mr. Brehl consented to pay fines of US $25,000 each. Ms. Hartford, Mr. Brehl and Mr. Kamienski also agreed to be suspended from practicing before the SEC as accountants, with the right to apply for reinstatement.
E&Y also agreed to pay a separate fine of US $4.975 million as a result of an “inappropriate close personal relationship” between Gregory Bednar, a former E&Y partner, and the former chief financial officer of another public company that also was an E&Y audit client. Here the SEC cited numerous personal interactions from 2012 through 2014, including events with families and large expenditures on sporting events and other items, that it claimed compromised the independence of E&Y and rendered false E&Y’s representations to the SEC regarding its independence from its client. For example, said the SEC, “[d]uring the relevant period, Bednar and the CFO exchanged hundreds of personal texts, emails and voicemails that did not include meaningful business-related discussions.” To resolve charges also brought against him personally, Mr. Bednar agreed to pay a fine of US $45,000 and likewise consented to be suspended from practicing before the SEC, with a right to apply for reinstatement after three years.
     
  • CME Group Describes Responsibilities of Clearing Members and Globex Order Placers for Tag 50s in Revised Advisory: CME Group updated its guidance related to Tag 50 IDs – identifiers that are used to identify natural persons placing messages (including orders) onto Globex – in order to clarify the responsibilities of clearing members and message placers. Among other things, CME Group reiterated that clearing members are responsible for ensuring that all Tag 50 IDs utilized by their customers are unique at the clearing member level, and that all non-administrative messages, including orders, include the correct Tag 50 IDs. CME Group also reconfirmed that registration of Tag 50 IDs through its Exchange Fee System is mandatory for certain persons affiliated with members (including clearing members), as well as for all other persons that receive preferential fees from any of the CME Group’s exchanges. CME Group said it is the obligation of clearing members to ensure that all Tag 50 IDs required to be registered are, in fact, registered and updated promptly, as necessary. CME Group indicated that, although not required, clearing members may register the Tag 50 IDs of other individuals or teams. CME Group also said that, in connection with omnibus accounts, clearing members must be able to provide the identity (or to require the relevant omnibus account to obtain and provide the identity) of any individual or team assigned a Tag 50 ID within the omnibus account “promptly upon request by Market Regulation.” Additionally, CME Group's guidance describes the circumstances when a Tag 50 ID should reflect an individual (e.g., a single person who physically submits messages into Globex or is solely responsible for an automated trading system (ATS) at the relevant time) or a team (e.g., a group of persons who are responsible for the administration, operation and monitoring of an ATS at the relevant time).

Compliance Weeds: Each person entering non-administrative messages (including orders) manually or automatically into CME Globex must ensure that the message is accompanied by an operator identification known as a Tag 50 ID. This identification must be unique to the individual entering the order or, in the case of an automated trading system, unique to the person responsible for operating and monitoring the ATS at the time any messages are sent to Globex, or to the team of persons on the same shift responsible for the ATS’s operation and monitoring. All Tag 50s must also be unique at the level of the clearing member firm. Individuals and team members may not permit their unique Tag 50s to be used by other persons. Other exchanges have equivalent requirements (e.g., ICE Futures U.S.; click here to access IFUS Rule 27.12(f)). Beginning September 29, 2016, futures commission merchants must, under certain circumstances, report to the Commodity Futures Trading Commission on Form 102A or 102B the trading account controllers of their futures trading accounts exceeding reportable position or trading level thresholds (“reportable accounts”). These persons are defined as natural persons who by power of attorney or otherwise actually direct the trading of a trading account. (Click here to access CFTC Regulation 15.00(bb).) However, CFTC staff recently issued guidance stating that a person “directing trading” is not only a person who provides trading instructions, but also a person who implements those instructions. (Click here to access Division of Market Oversight Guidance Regarding the Term “Owner” and “Controller” in the Ownership and Control Reporting (OCR) Final Rule” dated April 8, 2016.) Clients holding reportable accounts are obligated to provide information regarding their account controllers to their FCMs and to amend such information timely, practically on the same day as any change.
Firms trading electronically should be mindful of the potential overlap of individuals required to obtain unique identification tags and to be identified to their FCMs as account controllers, and should consider whether it might be helpful to better coordinate the identification of all such relevant persons. (Click here for background on the CFTC’s imminent OCR requirements in the article, “CFTC Again Extends Deadlines for New OCR Compliance; Puts Pressure on FCM Clients Who Will Not Provide Adequate Information Regarding Trading Control” in the April 10, 2016 edition of Bridging the Week.)

  • Alleged EFRP and Wash Sale Violations Are Subjects of CME Group Disciplinary Actions Settlements: CME Group brought and settled disciplinary actions against two firms, including one non-member, for entering into exchange for related position transactions without a corresponding related position. In both cases, one involving Evolution Markets Ltd., a non-member, and the other involving BNP Paribas Commodity Futures Ltd., a member, the disciplinary actions were filed against the firms in their roles as brokers; the actual parties to the EFRPs were not named. Both firms resolved their disciplinary actions by agreeing to pay a fine of US $15,000. Separately, ED&F Man Capital Markets Inc., a member, and Merit Performance Concepts Ltd., a non-member, also agreed to settle CME Group disciplinary actions that alleged that they impermissibly engaged in EFRPs without a related position as traders. CME Group alleged that ED&F Man entered into “several” such EFRPs, while Merit Performance entered into a single problematic EFRP. ED&F Man agreed to resolve its disciplinary action by paying a fine of US $17,500 while Merit Performance agreed to remit a penalty of US $15,000. Finally, Chenhui Wang, a non-member, agreed to pay a fine of US $20,000 and to serve a 10-business-day CME Group all-exchange trading suspension in connection with an allegation that on “multiple” days from December 18, 2014, through January 28, 2015, he engaged in wash trades to transfer funds between different accounts he owned and controlled.
     
  • Federal Reserve Proposes Rule to Severely Restrict Banking Organizations From Commodities Activities: The Board of Governors of the Federal Reserve System proposed a sweeping new rule to severely limit the physical commodity activities of financial holding companies. Principally, the FRB proposed new requirements that would materially increase FHCs’ risk-based capital requirements applicable to physical commodities; impose a consolidated organization-wide 5 percent cap on the total value of commodities an FHC may hold compared to its Tier 1 capital; eliminate copper as an approved precious metal that bank holding companies are permitted to own and store; and cancel the authority of five FHCs to engage in energy management and energy tolling activities. The FRB also proposed to require FHCs to report more detailed information regarding their physical commodity activities. The FRB claimed the new rule is necessary because of the “potential environmental catastrophe and other risks associated with physical commodity activities of FHCs.” The FRB will accept comments on its proposal through December 22. Recently, the FRB recommended severely limiting the non-core bank activities in which FHCs may engage, by proposing that Congress repeal the authority of FHCs to invest in non-financial companies as part of a bona fide merchant or investment banking activity (including the authority to make investments in portfolio companies engaged in physical commodity activities) and the grandfathered authority of two FHCs to engage in physical commodity activities directly. (Click here for details in the article, “Federal Reserve Recommends Repeal of Financial Holding Company’s Authority to Invest in Commodity Firms” in the September 11, 2016 edition of Bridging the Week.)
     
  • Hedge Fund Icon Sued by SEC for Alleged Insider Trading: The Securities and Exchange Commission filed a lawsuit against Leon Cooperman, the president, chief executive officer and majority shareholder of Omega Advisors, Inc., a registered investment adviser, and Omega Advisors, alleging that, in 2010, through his personal holdings and client holdings of Omega Advisors, Mr. Cooperman profited because of trading on insider information he wrongfully obtained. According to the SEC’s complaint, filed in a federal court in Pennsylvania, Mr. Cooperman obtained nonpublic information regarding divestiture plans of Atlas Pipeline Partners, L.P., a company in which he owned or controlled a substantial number of shares. Despite providing assurances to the APL executive who provided him the nonpublic information that he could not and would not trade based on it, he in fact so traded, claimed the SEC. Later, in late 2011 or early 2012 after Omega Advisors was served with a subpoena regarding trading in APL securities, Mr. Cooperman “improperly” sought the executive’s assurances that he “had not shared confidential information with him in advance of the announcement of [the divestiture].” The SEC seeks an injunction, disgorgement of trading profits and a fine against the defendants. In a letter sent to investors, Mr. Cooperman said “[w]e have done nothing improper and categorically deny the Commission’s allegations.”

And more briefly:

  • International Bank Settles With CFTC Over Alleged Failure to Document EFRPs: Barclays Bank PLC agreed to settle charges brought by the Commodity Futures Trading Commission related to its alleged failure to maintain and produce confirmation statements for 1,358 metals and energy exchange for related position transactions it entered into from September 1, 2009, through October 16, 2012. Barclays Bank agreed to pay a fine of US $500,000 to resolve the CFTC’s enforcement action.
     
  • HK Derivatives Regulator Proposes to Amend Position Limits Regime to Authorize Higher Excess Levels: The Hong Kong Securities and Futures Commission issued a consultation on its proposal to increase the cap on excess position limits that may be granted to exchange participants or affiliates trading Hang Seng Index and Hang Seng China Enterprises Index futures and options contracts. In addition, SFC proposed to enable market makers and liquidity providers of exchange-traded funds, as well as locally authorized asset managers, to also apply for higher limits. Traders in Hong Kong are subject to position limits on enumerated derivatives contracts and a large trader position-reporting regime. SFC will accept comments on its proposal through November 21.
     
  • SFC in Hong Kong Warns of Impending AML Enforcement Proceedings; Urges Brokerage Firms to Enhance Internal Controls: The Hong Kong Securities and Futures Commission advised that it is currently investigating “a number of cases” of SFC licensed brokerage companies with potentially inadequate anti-money laundering internal controls, and that it expects to commence enforcement proceedings in response. Among the areas of concern identified by SFC were failure to analyze cash and third-party deposits into customer accounts; ineffective review of transactions in customer accounts; and failure to consider adequately potentially suspicious transactions to determine whether a suspicious activity report should be filed.
     
  • ESMA Seeks Views on Mandatory OTC Derivatives Trading Obligation: The European Securities and Markets Authority sought input on how it should best implement the trading obligation for over-the-counter derivatives as contemplated in the Markets in Financial Instruments Regulation. (Click here to access Article 32(1).) ESMA believes that the earliest date any trading obligation can be implemented is January 3, 2018, the first date of application of MiFIR. Moreover, ESMA considers that any trading obligation should be aligned with the relevant clearing obligation. Thus, because different categories of counterparties will have different phase-in schedules before they are subject to mandatory clearing for different classes of OTC derivatives, no trading obligation should apply before a respective counterparty is subject to a clearing obligation, proposed ESMA. This will likely necessitate a phase-in over time of the trading obligation, ESMA contemplated. ESMA will accept comments through November 20, 2016. (Click here for further information on ESMA's mandatory trade execution obligations in the article "ESMA Publishes Discussion Paper on Mandatory Trade Execution Obligations for OTC Derivatives Under MiFIR" in the September 23, 2016 edition of Katten Muchin Rosenman LLP's Corporate and Weekly Financial Digest.)

  • Canada Proposes Commodity Pool Regulation Update: The Canadian Securities Administrators proposed amendments to existing rules that would move most of the existing Canadian regulatory framework related to commodity pools from a distinct regulation for commodity pools to one applicable to all investment funds. At the same time it would replace the term “commodity pool” with the designation “alternative fund” and expand concentration restrictions related to securities of any one issuer within alternative funds from 10 percent of net asset value to 20 percent. In addition, CSA proposed that alternative funds be permitted to invest up to 100 percent of their NAV in any other mutual fund (including other alternative funds) or in nonredeemable investment funds provided the other funds are subject to the same regulation as the investing alternative fund. Currently, in Canada, commodity pools are subject to the same fund of fund investment restrictions as conventional mutual funds. Comments will be accepted by all CSA member regulators through December 22.

Follow-up:

  • My View: CFTC Rule Review Instructs CBOE Futures to Cease Issuing Warning Letters for Offenses Other Than Books and Records Offenses: I recently reported on a rule review by the Commodity Futures Trading Commission’s Division of Market Oversight of the CBOE Futures Exchange, LLC. (Click here to access the article, “CFTC’s Division of Market Oversight Highlights Compliance Department Resources Concern in CBOE Futures Rule Enforcement Review" in the July 10, 2016 edition of Bridging the Week.) One recommendation made by staff that is receiving more and more attention was that the CBOE Futures Regulation Department “should recommend and the Exchange should promptly take appropriate disciplinary action when it makes a finding that a violation of a substantive trading rule occurred.” This may sound innocuous (it did to me on first reading); however, the recommendation was made in response to the issuance of warning letters by CFE to certain trading permit holders in response to their alleged placement of fictitious orders and trades. According to CFTC staff, “[w]hile a warning letter may be appropriate for certain violations of recordkeeping or audit trail rules, the Division believes that issuing a warning letter for a substantive trading violation is never appropriate.” However, this statement appears contrary to the plain language of CFTC Rule 38.711 (click here to access) that does not limit the types of violations for which warning letters may be issued. All this provision does is limit to one time the number of occasions an exchange may issue a warning letter for any type of rule violation during a rolling one-year period. If, based on its own assessment of facts and circumstances, an exchange believes that the appropriate disciplinary action in response to a rule violation is to issue a warning letter, the CFTC should defer to the exchange’s discretion absent extraordinary circumstances.
September 26, 2016
PwC Discusses New York's Proposed Cybersecurity Rules
by Dan Ryan, Sean Joyce, Joseph Nocera, Jeff Lavine and Didier Lavion

On September 13, 2016, the New York State Department of Financial Services (DFS) proposed a broad set of cybersecurity regulations for banks, insurers, and other financial institutions.[1] The proposal is largely consistent with existing guidance (e.g., under the NIST Cybersecurity Framework or the FFIEC[2] IT Handbook), but it goes further in some ways.

The proposed rule is the result of DFS’ focus on cybersecurity over the past several years, in which DFS conducted three industry surveys, held cybersecurity discussions with various financial institutions, and issued a letter to US regulators asking for feedback on potential cyber-specific requirements.[3] The proposal contains several requirements that will be new or more expansive than most organizations currently practice. For example, the proposal’s call for encryption of all nonpublic information (including data both "in-transit" and "at-rest") will be challenging for many organizations. While most entities encrypt data in-transit, they only encrypt data at-rest in more selective circumstances.[4] The proposal also expands the requirements for using multi-factor authentication in a variety of ways that will be new for most organizations.

Additionally, DFS will require that the chairperson of the board or a senior officer submit an annual certification that the entity is complying with the regulation’s requirements. Those submitting the certification could potentially be exposed to individual liability if the organization’s cybersecurity program is found to be noncompliant.

The proposal is now in a 45-day comment period, ending on October 28, and many of its requirements have compliance deadlines as early as June 30, 2017. We recommend that organizations begin reviewing their cybersecurity programs for conformance. Those entities with less mature programs – including many smaller banks and insurers – should be enhancing their cybersecurity programs to align with other industry best practices such as the NIST Cybersecurity Framework, FFIEC guidance, or NAIC Model Data Security Law as appropriate.

It is clear that regulators across the financial services industry are focused on raising the bar for cybersecurity programs. As a result, we recommend that organizations holistically focus on developing a robust risk-based cybersecurity program rather than reactively responding to siloed regulatory guidance. Such an approach will make organizations well-equipped to comply with regulatory requirements while effectuating broader strategic objectives.[5]

What does the proposal require?

To start, DFS’ proposal codifies foundational cybersecurity requirements, which are consistent with existing guidance and leading industry practices:

Cybersecurity program

Organizations will be required to implement a cybersecurity program designed to perform the following core cybersecurity functions (in alignment with the NIST Cybersecurity Framework):

  • Identify internal and external threats
  • Use defense infrastructure to protect the covered entity
  • Detect cybersecurity events
  • Respond to cybersecurity events
  • Recover from cybersecurity events
  • Fulfill all regulatory reporting requirements

Cybersecurity policy

The proposal also calls for entities to implement and maintain a written cybersecurity policy, which must address the following areas (consistent with ISO 27001 standards and leading industry practices):

  1. Information security
  2. Data governance and classification
  3. Access controls and identity management
  4. Business continuity and disaster recovery planning and resources
  5. Capacity and performance planning
  6. Systems operations and availability concerns
  7. Systems and network security
  8. Systems and network monitoring
  9. Systems and application development and quality assurance
  10. Physical security and environmental controls
  11. Customer data privacy
  12. Vendor and third party service provider management
  13. Risk assessment
  14. Incident response

New challenges

However, the DFS’ proposal also introduces several requirements that extend beyond current regulatory guidance and industry practices. The most significant are:

Data encryption

The proposal calls for organizations to encrypt sensitive data both in-transit and at-rest. The at-rest requirement is the more significant of the two because encrypting stored data is not yet common industry practice and will be challenging for many organizations to implement.

Under the proposal, organizations will be required to include these enhanced data encryption standards in their contracts with third party service providers. This will be burdensome for organizations with large numbers of service providers, as they must take steps to confirm each service provider’s adherence to the encryption requirements.

Encryption requirements for in-transit data must be met by January 2018, while compliance for at-rest data must be met by January 2022. However, DFS expects that, prior to those dates, organizations secure nonpublic information using alternative controls that have been reviewed and approved by the Chief Information Security Officer (CISO).

Enhanced multi-factor authentication

The proposed multi-factor authentication requirements go beyond existing regulatory guidance, which only requires multi-factor authentication for internet banking channels. Under the proposal, multi-factor authentication would be required for any users accessing internal systems from an external network and for privileged access to database servers. Furthermore, the proposal requires risk-based and multi-factor authentication for web applications that contain nonpublic information.[6]

The proposed requirements are not standard industry practice: most organizations use multi-factor authentication for a limited subset of externally facing applications, but not for access to internal systems. Likewise, privileged access management solutions are still in the early stages of deployment in all but the largest firms.

Enhancing authentication programs will be an especially heavy lift for insurers, as some have not implemented multi-factor authentication due to the lack of specific insurance regulatory requirements within this space. Many banks have implemented some aspect of multi-factor authentication in order to comply with current FFIEC internet banking guidance.

Organizations will be required to comply with these requirements by June 30, 2017.

Annual certification

The proposed rule requires that either the chairperson of the board or a senior officer[7] certify annually that their cybersecurity program meets the proposal’s requirements. This certification is similar to the certification required by Sarbanes Oxley (SOX) for controls related to financial reporting. The Volcker Rule and last year’s instructions from the Federal Reserve regarding stress testing data include similar SOX-like certifications.[8]

Although not explicitly mentioned in the proposal, those submitting the certification could be held individually liable if the organization’s cybersecurity program is found to be deficient. The proposal notes that its requirements will be enforced "under any applicable laws," which include laws (e.g., New York Banking Law, New York Insurance Law) that contain individual civil and criminal penalties for intentionally making false statements to DFS.[9]

Organizations will be required to submit their first certification by January 15, 2018.

Incident reporting

Under the proposal, entities would be required to notify DFS within 72 hours of the discovery of cyber incidents that either compromise nonpublic information (including unauthorized access of such information) or are likely to materially affect the business.

Although some existing regulations include requirements for reporting cybersecurity events, the proposed reporting requirements exceed the scope of what is currently required in other regulations. For example, New York State’s existing data notification requirements only mandate that organizations notify authorities when there is a loss of customer personally identifiable information. Additionally, the Securities and Exchange Commission’s cybersecurity reporting requirements under Regulation Systems Compliance and Integrity (Reg SCI) only apply to securities market infrastructure.[10]

To comply, entities should adjust their detection operations and response plans to include provisions for identifying and reporting incidents that fall under this requirement. Organizations will be required to comply with these requirements by June 30, 2017.

Additional provisions

In addition to the most significant areas highlighted above, other requirements of the proposal include:

  • Third party risk management – DFS’ proposal requires entities to conduct due diligence on third parties and perform annual assessments of third parties’ cybersecurity practices. Additionally, the proposal calls for organizations to include provisions around encryption, multi-factor authentication, and breach notification in their contracts with third parties. Conducting annual assessments on third parties and ensuring that third parties are following the required contractual provisions will be challenging for organizations that use a large number of service providers.[11]
  • Chief Information Security Officer (CISO) – Organizations will be required to appoint a CISO to implement and oversee the cybersecurity program. The CISO will be required to present a report to the board twice per year identifying cyber risks, evaluating the current effectiveness of the program, and summarizing material cybersecurity events. Many organizations already have a CISO or similar role, but producing a semiannual board report will be new for most entities.
  • Audit trail – Entities will be required to maintain audit trails of sensitive data, including logs of access to critical systems. The audit trail must be retained for at least six years, which is longer than many organizations currently retain audit records.
  • Access privileges – Access to systems containing nonpublic information will need to be restricted to only those with a business need for such access. Many entities already address this requirement in their existing access controls, but may require additional investigation to identify all nonpublic information to successfully address the requirement.
  • Application security – The proposal requires that internally built applications follow secure development practices, and that organizations test the security of externally developed applications. Most organizations have policies for secure development of internal applications, but testing external application security is less common.
  • Testing requirements – The proposal calls for annual penetration testing and quarterly vulnerability testing, which are already common practices for most organizations.[12]
  • Risk assessments – Organizations will be required to conduct annual cybersecurity risk assessments. These assessments should identify cyber risks, evaluate existing controls, and provide mitigation procedures for such risks. Most organizations currently have policies in place to conduct regular risk assessments and should be well-equipped to meet this requirement.

ENDNOTES

[1] DFS’ proposal applies to banks that are chartered or licensed by New York State, insurers that are active in the state, and certain other financial institutions. The proposal exempts smaller institutions, namely those that have fewer than 1,000 customers in each of the last three calendar years, less than $5 million in gross annual revenue in each of the last three fiscal years, and less than $10 million in year-end total assets.

[2] The Federal Financial Institution Examination Council (FFIEC) is a regulatory council composed of the Federal Reserve Board, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, Consumer Financial Protection Bureau, and the National Credit Union Administration.

[3] For additional information on DFS’s letter to US regulators, see PwC’s Financial crimes observer, Cyber: Is New York’s regulator upping the stakes? (November 2015).

[4] Data "in-transit" refers to data moving from one location to another, such as over the internet or through an internal network. Data "at-rest" refers to data that is not actively moving, such as data stored on a hard drive.

[5] For our guidance on developing a robust cyber risk management program, see PwC’s A closer look, Cyber: Think risk, not IT (April 2015).

[6] For additional information regarding multi-factor authentication, see PwC’s Financial crimes observer, Fraud: Email compromise on the rise (February 2016).

[7] According to the proposed rule, a "senior officer" is someone responsible for the management, operations, security, information systems, or risk management of the institution.

[8] See PwC’s Regulatory brief, Matching SOX? CFO attestation for stress tests (October 2015) and PwC’s A closer look, Volcker rule clarity: Waiting for Godot (May 2014).

[9] DFS’s anti-money laundering rule issued in June contains a nearly identical certification requirement. For additional information, see PwC’s Financial crimes observer, AML monitoring: New York regulator gets prescriptive (July 2016).

[10] Reg SCI requires notice within 24 hours for certain cybersecurity incidents. For additional information regarding Reg SCI’s cybersecurity reporting requirements, see PwC’s First take, Ten key points from the SEC’s final Reg SCI (December 2014).

[11] See PwC’s A closer look, Outsourcing: How cyber resilient are you? (June 2015) for more information on third party cyber risk management, including an analysis of FFIEC guidance on the issue.

[12] The CFTC recently issued similar requirements for market infrastructure. For more information on the CFTC’s requirements or cybersecurity testing generally, see PwC’s Financial crimes observer, Cyber: Regulators putting market infrastructure to the test (September 2016).

This post comes to us from PwC. It is based on the firm’s Financial crimes observer for September 2016, which is available here.


September 26, 2016
The Hidden Costs of Rotating Auditors
by Divesh Sharma, Paul Tanyi and Barri Litt

The avalanche of accounting scandals in the late 1990s and early 2000s triggered major changes in the corporate accounting world. The Sarbanes-Oxley Act of 2002 (SOX) stampeded in, promising tightened audit regulation aimed at easing the minds of frightened market participants. Given heightened concern over excessively "chummy" relationships between corporate management and its auditors, one rule set forth in SOX requires more frequent client rotation of audit partners (every five years rather than seven) and greater time required before partners may return to the same client (five years rather than two).

While there is little doubt that this rule was well intentioned, some commentators argued the new rotation standards would impose significant costs on clients, audit firms, and investors that would undermine effective audit regulation. Regulators persisted, citing the benefits of a fresh perspective and enhanced independence that a new audit engagement partner would bring. However, the accounting profession argued that not only would audit quality be harmed, but audit effort would drop, learning and training costs would increase, client-specific expertise would disappear, and inefficiencies affecting both the client and the auditor would rise. The Securities and Exchange Commission (SEC) eventually acknowledged that the more stringent rotation requirements might substantially raise audit fees and slow audits, but the rules remain.

Given the insight provided by empirical examination of these issues, we studied whether more frequent audit partner rotation creates additional audit costs, and whether firms will pass such costs to clients in the form of higher fees or slower audits. Given the lack of publicly available data on audit partners in the United States, we used a novel measure of audit partner change and studied its implications. Our results show significantly higher audit fees and significantly less timely audits in the year following rotation. We find these effects to persist over subsequent rotations, giving us greater confidence in the robustness of the results.

There are several implications of these findings, shedding light on rotation effects brought about by SOX. First, partner rotation increases audit fees while decreasing audit timeliness. Second, we found that non-Big Four firms are particularly affected, performing less timely audits and passing on rotation costs to their clients through significantly higher audit fees. In contrast, Big Four firms perform less timely audits of their larger clients but seem to absorb additional rotation costs rather than pass them on to clients in the form of higher audit fees.

Third, our sample consists of companies that initially change audit firms. Therefore, we examine successive rotations to rule out any confounding effects of audit firm change. We find consistent audit fee and audit timeliness results with the second and third partner rotations following the initial firm and partner rotation. Therefore, loss of client-specific knowledge at the partner level is not significantly mitigated by increased tenure and client-specific knowledge at the firm level, as some have suggested. This further supports the consistent fee and time consequences of changing audit partners.

Fourth, our study enhances the general understanding of the consequences of audit partner rotation, and informs the literature, regulators, and the profession. We also find the regulatory argument of a fresh partner perspective to come at a price, especially given recent U.S. literature showing poorer financial reporting quality following rotation – a study we published in 2014 in Auditing: A Journal of Practice & Theory. Further, we find evidence supporting the profession’s arguments that partner rotation is costly, both financially and in terms of timely audits, and, thus, timely financial reporting. We also find support for the profession’s contention that smaller audit firms find it particularly difficult to comply with the new rotation requirements.

Finally, we raise potential long-term concerns of mandatory audit-partner rotation. As noted, we find consistently higher audit fees and less timely audits with each successive partner rotation, even as client engagement with the same audit firm office remains uninterrupted. This is important given that we may be the first to examine the persistence of rotation effects. Since audit partner performance evaluations consider factors like whether costs are passed on to clients or audits are delayed, we may see audit partners shifting to other accounting areas to avoid poor evaluations. If partners shy from audits, auditing resources – already strained by mandatory audit partner rotation – may become even scarcer, which the profession argues could further increase audit costs, reduce timeliness, discourage clients from paying auditors, and possibly drive some audit firms out of business.

Tightening audit partner rotation requirements is beginning to look like a classic case of unintended consequences.

This post comes to us from Professor Divesh Sharma of Kennesaw State University School of Accountancy, Professor Paul Tanyi of the University of North Carolina at Charlotte’s Belk College of Business and Professor Barri Litt of Nova Southeastern University’s H. Wayne Huizenga College of Business & Entrepreneurship. It is based on their recent paper, "Costs of Mandatory Periodic Audit Partner Rotation: Evidence from Audit Fees and Audit Timeliness," which is available here.


September 26, 2016
How to Disclose a Cybersecurity Event: Recent Fortune 100 Experience
by Benjamin Pedersen, Brett Novick, David Becker, Jeremy Feigelson, Jim Pastore, Luke Dembosky, Paul Rodel, Debevoise & Plimpton
Editor's Note:

Luke Dembosky and Jeremy Feigelson are partners at Debevoise & Plimpton LLP. This post is based on a Debevoise & Plimpton publication by Mr. Dembosky, Mr. Feigelson, Jim Pastore, Paul M. Rodel, David M. Becker, Brett M. Novick, and Benjamin R. Pedersen.

Cybersecurity threats pose real challenges for any company, including the theft of valuable intellectual property and the reputational harm caused by losses of customer information. Attendant to the operational and financial challenges associated with cybersecurity threats, SEC reporting companies must also consider their disclosure obligations resulting from the risk or occurrence of data breaches or other cybersecurity events.

During the period from January 2013 through the third quarter 2015, there were 20 reported incidents of major data breaches or cybersecurity events at Fortune 100 companies. While this number is without doubt a fraction of the total cybersecurity events experienced at these and similar companies during that time, a survey of these cybersecurity events, and the manner in which each of the 18 affected companies responded in their SEC filings, is instructive. We have compiled a detailed database, comparing disclosure responses of these companies across a number of vectors in order to guide this complex process.

The bottom line is that most companies did not handle initial disclosure of a breach through a current report on a Form 8-K, instead deferring disclosures to the next periodic filing. Most companies did, however, update disclosures in the context of their annual report.

Initial Disclosure: Current Reports

Initial public announcement of a breach is more typically made via press coverage than in a current report on Form 8-K. Affected companies most often waited for their first subsequent periodic report (i.e., Form 10-Q or Form 10-K) before disclosing the event in SEC filings. Companies that elected to disclose in a current report most often did so where the breach involved customer financial information.

When determining whether or not to report a cybersecurity event, in addition to materiality, registrants must also consider risks associated with drafting initial disclosure with incomplete data. In the immediate aftermath of a major breach, the “known” facts may represent a small piece of the cybersecurity risk mosaic, and companies electing to publicly disclose the occurrence of a cybersecurity event before completing a full investigation risk making incomplete, or, worse yet, inaccurate disclosure. In the initial period following a cybersecurity event, affected companies should also be mindful of selective disclosure issues and their obligations under Regulation FD.

First Subsequent Periodic Report

Affected companies frequently used the first periodic filing after a cybersecurity event to review and update risk factors related to cybersecurity. Where the first periodic filing was a quarterly report, affected companies were more likely to defer updating risk factors, consistent with the generally infrequent practice of updating risk factors in quarterly reports. However, if the cybersecurity event was material to the affected company’s business (and, in particular, if they had previously disclosed the cybersecurity event via a current report), it was more likely for the cyber risk factors to be addressed. On the other hand, if the first subsequent periodic report was an annual report, affected companies almost uniformly took the opportunity to update their cyber risk factors and, in most instances, referred specifically to the cybersecurity event.

Subsequent Updates: Risk Factor Updates

Even where the affected company had updated its cyber risk factors in its first quarterly report following the cybersecurity event, further updates were often included in the first subsequent annual report. Many registrants view annual reports as an opportunity to update and tailor risk factors generally, and the occurrence of an intervening cybersecurity event provides fodder for such fine tuning, including potentially adding specific reference to the cybersecurity event.

Affected companies did not generally engage in continued updating of disclosure in later quarterly reports following the initial disclosure unless the cybersecurity event had an ongoing material impact on the business, for instance as a result of ongoing financial obligations related to cybersecurity events (e.g. litigation or regulatory responses).

Overall, we identified a trend of including specific reference to recent cybersecurity events in risk factors, though some companies instead chose to disclose the types of risks associated with a previous cybersecurity event, without actually calling out the event. This decision may have been driven by the materiality of the cybersecurity event: the less material the event, the less the need to disclose with specificity. Other cyber risk factor trends included noting that both consumer data and employee data may be targeted, the risk of breaches at third parties that handle the registrant’s data, internal procedures in place to protect data and detect breaches and disclosure regarding cyber insurance.

Other Updates

Disclosure related to cybersecurity at affected companies was less frequently included outside of the risk factors. When disclosure appeared elsewhere, the financial statement footnotes or Management’s Discussion and Analysis were most frequent, though disclosure also occasionally appeared in Legal Proceedings and Business sections. Often, disclosure was via cross-reference to the financial statement footnotes, underscoring that such disclosure generally flows from ongoing financial obligations related to cybersecurity events.

There were few instances of cybersecurity disclosure outside of current reports and periodic reports. In the event of a major business or financing transaction, it is possible that disclosure will be necessary as part of the description of that transaction. In certain circumstances, cyber disclosure may also be included in the Proxy Statement following a cybersecurity event, for instance to discuss the formation of a committee to oversee cybersecurity risks. It will be interesting to observe this trend over time, as the SEC continues to focus on cybersecurity, and boards of directors become more involved in overseeing cyber-preparedness and in responding to cybersecurity events.

Conclusion

Calibration of a registrant’s disclosure response must take into account a number of variables, must be done on a case-by-case basis, and must reflect that many key facts and circumstances may not yet be known with certainty. Those companies seeking to mitigate the legal risks that can flow from untimely—or, worse, inaccurate—disclosures would do well to take stock of where their key information assets reside now, and how those assets are protected. That way, in a breach situation, the company may be able to more quickly ascertain whether information was accessed, the nature of the information (if any) that was accessed, and the materiality of the breach.

September 26, 2016
The Regulation of Proxy Advisory Firms
by Ken Bertsch, Council of Institutional Investors
Editor's Note:

Ken Bertsch is Executive Director of the Council of Institutional Investors. This post is based on a letter sent by the Council of Institutional Investors to the United States Senate Committee on Banking, Housing, and Urban Affairs, regarding the legislation of H.R. 5311, the Corporate Governance Reform and Transparency Act of 2016.

September 6, 2016

The Honorable Richard C. Shelby
Chairman
Committee on Banking, Housing, and Urban Affairs
United States Senate
Washington, DC 20510

The Honorable Sherrod Brown
Ranking Member
Committee on Banking, Housing, and Urban Affairs
United States Senate
Washington, DC 20510

Re:       Proposed Legislation Relating to Proxy Advisory Firms

Dear Mr. Chairman and Ranking Member Brown:

I am writing on behalf of the Council of Institutional Investors (CII), a nonpartisan, nonprofit association of employee benefit plans, foundations and endowments with combined assets under management exceeding $3 trillion. Our member funds include major long-term shareowners with a duty to protect the retirement savings of millions of workers and their families. Our associate members include a range of asset managers with more than $20 trillion in assets under management.[1]

This letter has been co-signed by 30 CII members and other organizations.

We are writing to share our concerns about proposed legislation currently under consideration in the U.S. House of Representatives regarding proxy advisory firms. H.R. 5311, the Corporate Governance Reform and Transparency Act of 2016,[2] aims to tighten regulation of proxy advisory firms to the detriment of pension funds and other institutional investors.

The proposed legislation appears to be based on the false premise that proxy advisory firms dictate proxy voting results. Many pension funds and other institutional investors contract with proxy advisory firms to obtain and review their research. But most large holders vote according to their own guidelines.

The independence that shareowners exercise when voting their proxies is evident in the statistics related to “say on pay” proposals and director elections. Although Institutional Shareholder Services Inc. (ISS), the largest proxy advisory firm, recommended against these proposals at 12 percent of Russell 3000 companies in 2016, only 1.7 percent of those proposals received less than majority support from shareowners.[3] Similarly, although ISS opposed the election of 6.5 percent of director-nominees during the most recent proxy season, just 0.2 percent failed to obtain majority support.[4] We are unaware of any compelling empirical evidence indicating that pension funds and other institutional investors are outsourcing their voting responsibilities to proxy advisory firms.

We believe the proposed legislation would weaken corporate governance in the United States; undercut proxy advisory firms’ ability to uphold their fiduciary obligation to their investor clients; and reorient any surviving firms to serve companies rather than investors. The U.S. system of corporate governance relies on the accountability of boards of directors to shareowners, and proxy voting is a critical means by which shareowners hold boards to account.

Proxy advisory firms, while imperfect, play an important and useful role in enabling effective and cost-efficient independent research, analysis and informed proxy voting advice. In our view, the proposed legislation would undermine proxy advisory firms’ ability to provide a valuable service to pension funds and other institutional investors.

We are particularly concerned that, if enacted, H.R. 5311 would:

  • Require that proxy advisory firms (1) provide companies advance copies of their recommendations and most elements of the research informing their reports, (2) give companies an opportunity to review and lobby the firms to change their recommendations, and (3) establish a heavy-handed “ombudsman” construct to address issues that companies raise.
      • This right of pre-review would give companies substantial influence over proxy advisory firms’ reports, potentially undermining the objectivity of the firms’ recommendations. On a practical level, this right of review would delay pension funds’ and other institutional investors’ receipt of the reports and recommendations for which they have paid.
      • The requirement that the proxy advisory firms resolve company complaints prior to the voting on the matter would create an incentive for companies subject to criticism to delay publication of reports as long as possible. Pension funds and other institutional investors would have less time to analyze the reports and recommendations in the context of their own customized proxy voting guidelines to arrive at informed voting decisions. Time already is tight, particularly in the highly concentrated spring “proxy season,” due to the limited period between company publication of the annual meeting proxy statement and annual meeting dates.
      • Moreover, the proposed legislation does not appear to contemplate a parallel requirement that dissidents in a proxy fight, or proponents of shareowner proposals, also receive the recommendations and research in advance. This would violate an underlying tenet of U.S. corporate governance that where matters are contested in corporate elections, management and dissident shareowners should operate on an even playing field.
  • Require the Securities and Exchange Commission (SEC) to assess the adequacy of proxy advisory firms’ “financial and managerial resources.”
      • The entities that are in the best position to make these types of assessments are the pension funds and other institutional investors that choose to purchase and use the proxy advisory firms’ reports and recommendations. In 2014, the SEC staff issued guidance reaffirming that investment advisers have a duty to maintain sufficient oversight of proxy advisory firms and other third-party voting agents.[5] We publicly supported that guidance.[6] We are unaware of any compelling empirical evidence indicating that the guidance is not being followed or that the burdensome federal regulatory scheme contemplated by the proposed legislation is needed.
  • Create costs for institutional investors with no clear benefits.
      • The proposed legislation would appear to result in higher costs for pension plans and other institutional investors—potentially much higher costs if investors seek to maintain current levels of scrutiny and due diligence around proxy voting. Moreover, the proposed legislation is highly likely to limit competition, by reducing the current number of proxy advisory firms in the U.S. market and imposing serious barriers to entry for potential new firms. This would also drive up costs to investors. Given these economic impacts, we are troubled that there appears to be no cost estimate on the provisions of this proposed legislation.[7]

Thank you for considering these views. We would be very happy to discuss our perspective in more detail. I am available at , or by telephone at (202) 822-0800. You may also contact our General Counsel Jeff Mahoney at , or by telephone at the same number.

Sincerely,

Kenneth A. Bertsch
Executive Director
Council of Institutional Investors

Louise Davidson
Chief Executive Officer
Australian Council of Superannuation Investors

Manuel Isaza
Associate Director, Governance & Sustainable Investment
BMO Global Asset Management

Anne Sheehan
Director of Corporate Governance
California State Teachers’ Retirement System

Julie Cays
Chair of the Board
The Canadian Coalition for Good Governance

Gregory W. Smith
Executive Director/CEO
Colorado Public Employees’ Retirement Association

Denise L. Nappier
Connecticut State Treasurer
Trustee
Connecticut Retirement Plans and Trust Funds

Dieter Waizenegger
Executive Director
CtW Investment Group

Michael McCauley
Senior Officer, Investment Programs & Governance
Florida State Board of Administration

Darren Brady
Hermes Equity Ownership Services Limited

Tim Goodman
Hermes Equity Ownership Services Limited

Stephen Adams
Head of Equities
Kames Capital

Andrew Shapiro
Managing Member & President
Lawndale Capital Management, LLC

Clare Payn
Head of Corporate Governance North America
Legal & General Investment Management

Freddie Woolfe
Responsible Investment Analyst
Newton Investment Management

Scott Stringer
New York City Comptroller

Gianna McCarthy
Director, Corporate Governance
Office of the New York State Comptroller

Carol Nolan Drake, J.D.
Chief External Affairs Officer
Ohio PERS

Karen Carraher
Executive Director Ohio PERS

Judy Cotte, LL.M.
V.P. & Head, Corporate Governance & Responsible Investment
RBC Global Asset Management

Deborah Gilshan
Head of Sustainable Ownership
RPMI Railpen

Lisa J. Morris
Executive Director
School Employees Retirement System of Ohio

Kenneth J. Nakatsu
Executive Director
Seattle City Employees’ Retirement System

Euan A. Stirling
Head of Stewardship and ESG Investment
Standard Life Investments

Ted Wheeler
Treasurer
State of Oregon

Bess Joffe
Managing Director
Head of Stewardship & Corporate Governance
TIAA

Meredith Miller
Chief Corporate Governance Officer
UAW Retiree Medical Benefits Trust

Councillor Keiran Quinn
Chair
UK Local Authority Pension Fund Forum

Janice J. Fueser
Research Coordinator, Corporate Governance
UNITE HERE

Lisa N. Woll
CEO
US SIF and US SIF Foundation

Daniel Summerfield
Co-Head of Responsible Investment
USS Investment Management

Timothy Smith
Director of Environmental Social and Governance Shareholder Engagement
Walden Asset Management

Theresa Whitmarsh
Executive Director
Washington State Investment Board

CC:

The Honorable Michael D. Crapo
Chairman, Subcommittee on Securities, Insurance, and Investment, Committee on Banking, Housing, and Urban Affairs

The Honorable Mark Warner
Ranking Member, Subcommittee on Securities, Insurance and Investment, Committee on Banking, Housing, and Urban Affairs

The Honorable Bob Corker
Committee on Banking, Housing, and Urban Affairs

The Honorable David Vitter
Committee on Banking, Housing, and Urban Affairs

The Honorable Patrick J. Toomey
Committee on Banking, Housing, and Urban Affairs

The Honorable Mark S. Kirk
Committee on Banking, Housing, and Urban Affairs

The Honorable Dean Heller
Committee on Banking, Housing, and Urban Affairs

The Honorable Tim Scott
Committee on Banking, Housing, and Urban Affairs

The Honorable Ben Sasse
Committee on Banking, Housing, and Urban Affairs

The Honorable Tom Cotton
Committee on Banking, Housing, and Urban Affairs

The Honorable Michael Rounds
Committee on Banking, Housing, and Urban Affairs

The Honorable Jerry Moran
Committee on Banking, Housing, and Urban Affairs

The Honorable Jack Reed
Committee on Banking, Housing, and Urban Affairs

The Honorable Charles E. Schumer
Committee on Banking, Housing, and Urban Affairs

The Honorable Robert Menendez
Committee on Banking, Housing, and Urban Affairs

The Honorable John Tester
Committee on Banking, Housing, and Urban Affairs

The Honorable Jeff Merkley
Committee on Banking, Housing, and Urban Affairs

The Honorable Elizabeth Warren
Committee on Banking, Housing, and Urban Affairs

The Honorable Heidi Heitkamp
Committee on Banking, Housing, and Urban Affairs

The Honorable Jeb Hensarling
Chairman, Committee on Financial Services
United States House of Representatives

The Honorable Maxine Waters
Ranking Member, Committee on Financial Services
United States House of Representatives

The Honorable Shawn P. Duffy
Committee on Financial Services
United States House of Representatives

The Honorable John C. Carney
Committee on Financial Services
United States House of Representatives

Endnotes:

[1] For more information about the Council of Institutional Investors (Council or CII) and our members, please visit the Council’s website at http://www.cii.org/about_us. We note that the two largest U.S. proxy advisory firms, Glass Lewis & Co. and Institutional Shareholder Services Inc. (ISS), are non-voting associate members of CII, paying an aggregate of $24,000 in annual dues—less than 1.0 percent of CII’s membership revenues. In addition, CII is a client of ISS, paying approximately $19,600 annually to ISS for its proxy research.

[2] On June 16, 2016, the Committee on Financial Services of the United States House of Representatives approved H.R. 5311, as amended, by a vote of 41 to 18. All Actions, Congress.Gov, available at https://www.congress.gov/bill/114th-congress/house-bill/5311/all-actions?q=%7B%22search%22%3A%5B%22H.R.+5311%22%5D%7D&resultIndex=1&overview=closed#tabs. On June 23, 2016, Committee on Financial Services Chairman Jeb Hensarling issued a Discussion Draft of a bill that included the provisions of H.R. 5311. Financial CHOICE Act of 2016, §§ 1081-83, available at http://financialservices.house.gov/uploadedfiles/choice_act-_discussion_draft.pdf.

[3] Semler Brossy, 2016 Say on Pay Results 2-3 (July 27, 2016), available at http://www.semlerbrossy.com/wp-content/uploads/SBCG-2016-SOP-Report-07-27-2016.pdf.

[4] ISS Voting Analytics Database (last viewed on Aug. 4, 2016 & on file with CII).

[5] Staff Legal Bulletin No. 20 at 3 (June 13, 2014) (“it is the staff’s position that an investment adviser that receives voting recommendations from a proxy advisory firm should ascertain that the proxy advisory firm has the capacity and competency to adequately analyze proxy issues, which includes the ability to make voting recommendations based on materially accurate information”), available at https://www.sec.gov/interps/legal/cfslb20.htm.

[6] Letter from Jeff Mahoney, General Counsel, CII, to The Honorable Scott Garrett, Chairman, Subcommittee on Capital Markets and Government Sponsored Enterprises, Committee on Financial Services et al. 4 (July 23, 2014), available at https://www.sec.gov/interps/legal/cfslb20.htm.

[7] It does not appear that the Congressional Budget Office has produced a cost estimate for H.R. 5311. CBO Cost Estimates Search (last viewed Sept. 6, 2016), available at https://www.cbo.gov/cost-estimates/search?search_api_views_fulltext=H.R.+5311&field_congressionalsession=1621.

September 26, 2016
Life as a Corporate Lawyer: Brink Dickerson
by Broc Romanek

I had a lot of fun taping this 36-minute podcast with Brink Dickerson of Troutman Sanders. I’m still chuckling over Brink’s response to my query about "least favorite tasks" (starting at the 23:45 mark). I highly encourage you to listen to these podcasts when you take a walk, commute to work, etc. Brink tackles:

1. Where did you grow up?
2. I understand that you may be the only securities lawyer without a customary qualification?
3. How did you end up going to law school?
4. Although you are in Atlanta now, you started practicing in Chicago. How did that come about?
5. What early experiences shaped how you practice law?
6. Were there any particular experiences that impacted how your practice evolved?
7. I understand that you considered joining the SEC at one point. Tell me about that.
8. How do you prepare for a speaking gig?
9. What types of work tasks are your favorite to work on?
10. Least favorite?

This podcast is also posted as part of my "Big Legal Minds" podcast series. Remember that these podcasts are also available on iTunes or Google Play (use the "My Podcasts" app on your iPhone and search for "Big Legal Minds"; you can subscribe to the feed so that any new podcast automatically downloads...

Rebuttal: "How the SEC Enabled the Gross Under-Reporting of CEO Pay"

Here’s a rebuttal from a member to the blog that I excerpted from on Friday: About this new study about how to calculate "total compensation" for purposes of the Summary Compensation Table, not only are the authors misstating what goes into the SCT – but that even is of little consequence to their analysis. The grant date value of awards issued during the year (not vested) are reported in the Summary Compensation Table. What these authors are saying is realized compensation (W-2 pay) is far more valuable than SCT pay:

– For example, they reference data from 2014, which indicated S&P 500 company CEOs’ SCT pay averaged $19.3 million, while average realized compensation was $34.3 million.

– The authors conclude that pay is seriously underreported – and the SEC is aiding and abetting this understatement.

The problem with the paper’s analysis is that realized equity gains are based on awards granted several years ago – and comparing gains realized in the current year to awards granted during the year is largely irrelevant & very misleading (to quote Mark Twain: "there are lies, damn lies and then there are statistics"):

– A careful statistician would have examined the grant date value of the specific awards from prior years and compared it to the actual value of the award; in that way, they would be truly matching grant date and realized values of the same award.

– A likely distortion in their analysis is gains realized in the current year might include several years of prior awards (for example 2-3 years of stock options exercised in a single year), thus one year’s pay reported in the SCT is being compared to multiple years’ awards reported in the gain realized table.

– Stock price performance could have soared since the awards were granted, thus realized values are far more valuable than anticipated (as are shareholders’ gains); why do the authors believe this is a bad outcome?

– Executives who hold onto stock options until expiration (rather than exercise at vest) are likely to report the largest realized gains; arguably, the gains realized after vesting are investment rather than compensation decisions, and should not be included in the authors’ analysis of grant date versus realized pay.

The SEC’s proposing release on pay-for-performance includes a table that attempts to address the lack of disclosure of realized pay, as equity awards will be reported as they vest – but this wouldn’t completely address the authors’ concerns as they are using the value of options when exercised, not when vested.

UK: Theresa May’s Upcoming Corporate Governance Consultation

As I blogged a few months ago, in the wake of Brexit, the new UK Prime Minister Theresa May is seeking a number of governance reforms – she recently promised that a corporate governance consultation would take place within the next few months. The Prime Minister has promised bold action including "cracking down on excessive corporate pay" and giving employees and customers representation on boards.

Meanwhile, the UK Parliament Business, Innovation & Skills Committee launched its own governance consultation last week. This is what Marty Lipton wrote about that:

In announcing the inquiry, the chairman of the committee stated that the principal purposes were to determine whether, under existing law, corporate governance encourages companies to achieve long-term prosperity and assures fair treatment of employees. That the inquiry is focused on a stakeholder approach to corporate governance is made clear by the first three questions it poses:

– Is company law sufficiently clear on the roles of directors and non-executive directors, and are those duties the right ones? If not, how should it be amended?
– Is the duty to promote the long-term success of the company clear and enforceable?
– How are the interests of shareholders, current and former employees best balanced?

In addition to combatting short-termism, promoting long-term investment and protecting employees, the inquiry is focusing on executive compensation and its relation to companies’ long-term performance. Lastly, the inquiry poses the following questions about the composition of boards:

– How should greater diversity of board membership be achieved? What should diversity include, e.g. gender, ethnicity, age, sexuality, disability, experience, socio-economic background?
– Should there be worker representation on boards and/or remuneration committees? If so, what form should this take?

While the outcome of the inquiry is not certain, it is clear that corporate governance in the U.K., in the U.S., and in the EU has again become a serious political issue. If companies and investors do not find a mutual path to governance that promotes long-term investment and accommodates employee, customer, supplier and community interests, legislation will result. That legislation may not be to the liking of either companies or investors.

"Consultations" are the UK’s rulemaking process – and they typically involve multiple bodies to accomplish the feat. It’s confusing. For an example, look at this blog leading up to the UK adopting binding say-on-pay where I note dual consultation processes in the House of Commons/House of Lords and the Financial Reporting Council (which looks after the "UK Corporate Governance Code")...

Broc Romanek

September 26, 2016
In re Biglari Holdings, Inc. S'holder Derivative Litig. (Taylor v. Biglari): Court Affirms Dismissal of Shareholder Derivative Suit
by Ryan Sharkey

In In re Biglari Holdings, 813 F.3d 648 (7th Cir. 2016), the United States Court of Appeals for the Seventh Circuit affirmed the lower court’s dismissal of a shareholder derivative suit brought by shareholders Chad Taylor and Edward Donahue (the “Plaintiffs”) against Biglari Holdings, Inc. (“Biglari Holdings”) CEO and board chairman Sardar Biglari (“CEO”) and four other members of the Biglari Holdings board (collectively, the “Defendants”).

According to the complaint, the board of Biglari Holdings approved three separate transactions in 2013, including the sale of Biglari Capital Corporation (“BCC”) back to the CEO at “a low price” and a stock offering valued at $75 million. In the case of the stock offering, the Plaintiffs alleged that the company had not retained a “financial advisor.” In addition, the board approved a licensing agreement to use the CEO’s name and likeness for the purposes of promoting Biglari Holdings to consumers. A term in the licensing agreement required the company

to pay [the CEO] 2.5 percent of the company's gross revenues from products and services that bear [the CEO’s] name as royalties for the use of his name and likeness for five years if he's removed as CEO, resigns because of an involuntary termination event, or loses his sole authority over capital allocation, or a majority of the board is replaced, or someone other than [the CEO] or the company's existing shareholders obtains more than 50 percent of the shares and therefore acquires control of the company. 

The Plaintiffs alleged these transactions amounted to entrenchment, and were “intended to cement Biglari’s control” of Biglari Holdings and “enrich him at the expense of other shareholders.” The Plaintiffs contended that the board was not independent and its members were beholden to the CEO.  Specifically, the Plaintiffs alleged the independence of the Biglari Holdings board had been compromised by the personal and business connections of several individual directors to the CEO.  The Plaintiffs further argued such a costly royalty payment attached to the licensing agreement, triggered by replacement of the board or the CEO, amounted to entrenchment of the current board. Finally, the Plaintiffs alleged the board failed to adequately deliberate before the stock offering or consider the entrenching effects of such an offering. 

Traditionally in a shareholder derivative action, shareholders must demand that “the board either correct the improprieties alleged or initiate an action on behalf of the corporation against members of the board.” The Plaintiffs instead asserted “demand futility.” Under Indiana law – following guidance from Delaware in such cases – “demand futility” can be shown by facts that create a reasonable doubt that a majority of directors was disinterested, that the board was independent, or that the board had exercised reasonable business judgment. Additionally, under Indiana law there is a strong presumption that a director is not liable for any action taken unless the alleged breach or failure to perform constitutes willful misconduct or recklessness.

With respect to the entrenchment claim arising from the licensing agreement, the opinion pointed to the lower court’s conclusion that Plaintiffs had not “alleged that any of the directors were in peril of being removed from the board and, if they were not, it is unlikely that their motivation for approving the challenged transactions was entrenchment.”    

With regard to director independence, the court found the facts surrounding the connections between the CEO and other members of the board were insufficient to raise reasonable doubts regarding the independence of the board. The court conceded that the director who had been the CEO’s professor could “raise a question” about independence, but held that the allegations concerning the other four directors were insufficient. The court thus rejected claims of non-independence for a director who served on the board of a company that the CEO tried to take over and for a director who, because of the fees received, would allegedly “kowtow” to the CEO. The same was true of a director who served on the board of a company that was 12.8% owned by Biglari Holdings and had allegedly developed business relationships with the CEO prior to becoming a director.

The court also determined that the three transactions challenged by Plaintiffs did not adequately establish a claim for entrenchment.  With respect to the licensing agreement, the court questioned the allegations that the replacement of the board would “trigger costly royalty obligations.”  See Id. (“Thus the net earnings figure does not reveal the true financial health of the company, and so the required royalty need not have the grave impact that the plaintiffs allege.”).  

Concerning the sale of BCC, the court addressed the claim that the amount paid by the CEO was less than the value of the asset. The court determined that the $1.7 million sales figure was reasonable in light of the benefits to Biglari Holdings, including “a reduction in regulatory burdens related to investments and by avoiding potential conflicts of interest.” Finally, the court disagreed with the Plaintiffs’ claim regarding the stock offering, noting the offering contained an oversubscription feature, which allowed existing shareholders to purchase the shares not taken. The court found the CEO had simply exercised his right to buy more shares under the subscription feature, while other shareholders declined to do so, resulting in the change in ownership interests.

For the above reasons, the court found none of the Plaintiffs’ allegations created a substantial doubt that the transactions were a product of valid business judgment by an independent board. Accordingly, the court affirmed the lower court’s dismissal of the Plaintiffs’ complaint.

The primary materials for this case can be found on the DU Corporate Governance website.

September 25, 2016
Do Firms Engage in Risk-Shifting? Empirical Evidence
by Erik Gilje
Editor's Note:

Erik Gilje is Assistant Professor of Finance at The Wharton School of the University of Pennsylvania. This post is based on his recent paper.

How does corporate investment risk-taking change when a firm has high leverage or approaches distress? In high-leverage states of the world, equity holders benefit from successful outcomes of high-risk projects, while losses from unsuccessful outcomes are borne by debt holders. This asymmetry between who receives the gains and losses from a project could make it optimal for equity holders to maximize the amount of risk a firm undertakes when leverage is high. This hypothesized increased risk-taking in a firm’s investments, referred to as risk-shifting or asset substitution, could result in an overall cost to the firm (Jensen and Meckling (1976)).

Concerns about the size, prevalence, and mitigation of these costs have been the focus of substantial theoretical work.[1] However, there is little empirical evidence on the size or pervasiveness of changes in investment risk-taking when a firm approaches financial distress. The empirical challenges are twofold. First, obtaining a measure of the riskiness of a firm’s overall capital expenditures is challenging in most settings. Second, financial distress is not randomly assigned to firms. To the extent investment policies and financial policies are jointly determined, or are driven by an omitted variable, obtaining clean identification of the effect of excessive leverage on risk-taking is problematic. The contribution of this paper is to provide empirical advancements on both these fronts. First, I focus on a setting where a firm’s investment risk-taking is clearly defined by measures of investment risk from Securities and Exchange Commission (SEC) disclosures. Second, I use quasi-random shocks to leverage to identify the effect of an increase in leverage and distress on investment risk-taking.

I use a setting in which investments can be categorized into two different types of activities, one that is high risk and one that is low risk. To do this, I focus on the oil and gas industry, where exploratory projects (high risk) are nearly six times more likely to result in an unproductive project than development projects (low risk).[2] Moreover, these categories have clear definitions outlined by the Financial Accounting Standards Board (FASB) and are disclosed in SEC filings. Therefore, there is a standardization in these measures across firms and over time that is typically unavailable in other settings. I construct a data set from hand-collected data on investment risks from the 10-Ks of 184 firms in the oil and gas industry. Using these risk disclosures, I test how the proportion of high-risk investment to total investment changes as leverage increases and firms approach distress.

Contrary to what risk-shifting theory would predict, I find that firms reduce risk-taking as they approach distress. I find similar results in both a natural experiment setting and firm-level panel regressions. In firm-level panel regressions, I find that a one-standard-deviation increase in leverage reduces the proportion of a firm’s high-risk investment to total investment by 8.5% relative to the mean level of firm risk-taking. I also find that the proportion of high-risk investment to total investment is reduced by 21.6% for firm-years in which leverage is in the top quartile of the sample. Furthermore, this risk-reducing behavior also occurs in the years prior to declaring bankruptcy. To mitigate simultaneity and omitted variable endogeneity concerns, my main identification strategy relies on a natural experiment to test how risk-taking changes with leverage during two significant commodity-based negative leverage shocks in 1998 and 2008. Using a difference-in-differences approach, I find that treatment firms reduce investment risk-taking relative to control firms.

Why might firms reduce risk-taking in distress? Firms could have risk-mitigating incentives that outweigh risk-shifting incentives. In the natural experiment setting, I find that risk reduction is most prevalent in firms with shorter maturity debt and bank debt. This suggests that debt composition is important for firm risk-taking in distress, and provides support for risk-reducing incentives and monitoring linked to banking relationships.

To further explore the role of banks in risk-reduction, I assess the role of bank financial covenants. Banks in my sample do not place explicit covenants on exploration activity; however, financial covenants may allow the bank to exert some indirect control on firm risk-taking activity. To test for this, I hand-collect covenant data from credit agreements of firms in my quasi-natural experiment. I find that risk reduction behavior is most prevalent among firms that have stricter financial covenants and more financial covenants prior to the shock. This result provides new empirical evidence that financial covenants may allow banks to exert indirect influence to reduce debt-equity agency conflicts that have not or cannot be explicitly contracted on, such as risk-shifting.

Whether firms engage in risk-shifting has been an open empirical question. Lack of data and adequate measures of risk, and the endogeneity of leverage and risk-taking have meant this question has not been able to be addressed directly. I use a setting which has quasi-random shocks to leverage and objective measures of investment risk, from SEC disclosures, to test whether firms engage in risk-shifting. I find that firms reduce risk, rather than increase risk, when leverage is high and when they get close to distress.

Prior theoretical literature outlines several reasons why firms may have incentives to reduce risk-taking in distress. Firms likely have incentives to maintain a good reputation in order to preserve access to debt markets (Diamond (1989)), which can affect their ability to pursue future positive NPV projects (Almeida et al. (2011)). I am able to highlight channels linked to debt composition and financial covenants as being important for risk reduction in times of distress. I show that these mechanisms are important for mitigating risk-shifting, and serve to mitigate debt-equity agency conflicts that may not be explicitly contracted on. The evidence in this paper suggests that risk-mitigation incentives and monitoring by banks outweigh risk-shifting incentives in investment decision making for the average firm.

The full paper is available for download here.

References

Almeida, H., Campello, M., Weisbach, M. S., 2011. Corporate financial and investment policies when future financing is not frictionless. Journal of Corporate Finance 17, 675–693.

Barnea, A., Haugen, R. A., Senbet, L. W., 1980. A rationale for debt maturity structure and call provisions in the agency theoretic framework. Journal of Finance 35, 1223–1234.

Diamond, D. W., 1989. Reputation acquisition in debt markets. Journal of Political Economy 97, 828–862.

Green, R. C., 1984. Investment incentives, debt, and warrants. Journal of Financial Economics 13, 115–136.

Jensen, M. C., Meckling, W. H., 1976. Theory of the firm: Managerial behavior, agency costs, and ownership structure. Journal of Financial Economics 3, 305–360.

John, T. A., John, K., 1993. Top-management compensation and capital structure. Journal of Finance 48, 949–974.

Smith, C. W., Warner, J. B., 1979. On financial contracting an analysis of bond covenants. Journal of Financial Economics 7, 117–161.

Endnotes:

[1] Existing theoretical work related to the size and mitigation of risk-shifting includes: Smith and Warner (1979) (covenants), Green (1984) (convertible debt), Barnea et al. (1980) (debt maturity), and John and John (1993) (managerial compensation).
(go back)

[2] The firms in my sample drilled a total of 12,574 exploratory wells, of which 3,326 were unsuccessful (26.4%), and drilled 88,277 development wells, of which 3,809 were unsuccessful (4.3%). Additionally, in comparing reserve additions from discoveries relative to exploration capital expenditures, in 27% of all firm-years, firms failed to add reserves through discoveries that exceeded their exploration spending.
(go back)

September 24, 2016
NYDFS Proposed Cybersecurity Regulation for Financial Services Companies
by Joseph Vitale, Michael Yaeger, Noah Gillespie, Schulte Roth & Zabel
Editor's Note:

Joseph P. Vitale is a partner in the Regulatory & Compliance practice at Schulte Roth & Zabel LLP. This post is based on a Schulte Roth & Zabel publication by Mr. Vitale, Michael L. Yaeger, and Noah N. Gillespie.

On Sept. 13, 2016, the New York State Department of Financial Services (“NYDFS”) issued a proposed regulation that would impose new, rigorous cybersecurity requirements on banks, consumer lenders, money transmitters, insurance companies and certain other financial service providers (each, a “Covered Entity”) regulated by the NYDFS (the “Proposed Regulation”). Given New York’s importance in the financial services industry, not only would the effect of the Proposed Regulation be felt immediately across the country, but other regulators may also follow New York’s example.

In some respects, the Proposed Regulation is consistent with the principles set forth in documents that other regulators have issued, such as the Information Technology Examination Handbook released by the Federal Financial Institutions Examination Council (FFIEC) and the Cybersecurity Framework released by the National Institute of Standards and Technology (NIST). This is true of the Proposed Regulation’s basic requirement that Covered Entities create and implement a written policy—overseen by a qualified Chief Information Security Officer (“CISO”)—to protect against, detect, document and respond to attempts to access, disrupt, or misuse Covered Entities’ consumer information or technology systems.

But the NYDFS regulations also contain some specific commands that go significantly beyond what other regulators have suggested, much less required. Most notably, the Proposed Regulation has several directives tied to “Nonpublic Information,” and it defines that term broadly, including any information that would be considered nonpublic personal information under the Gramm-Leach-Bliley Act’s privacy rule (“GLBA Privacy Rule”). As a result, it captures far more data than what New York’s existing data protection law defines as “personal information.” The requirement that “Nonpublic Information” be encrypted at rest (and not just in transit) may therefore be a significant burden on Covered Entities, as may the requirement that the Superintendent be notified of any “Cybersecurity Event” that “affects” Nonpublic Information. Further, senior management must certify annually that the Covered Entity is in compliance.

The Proposed Regulation is open for public comment for the next 45 days and is slated to take effect Jan. 1, 2017. The NYDFS states that the Proposed Regulation is intended to impose minimum standards on the industry while allowing sufficient flexibility for Covered Entities to adapt to the threats they face and the technologies available to secure their information and systems. The NYDFS notes that it based the Proposed Regulation on extensive surveys of and discussions with Covered Entities; yet many of these surveys and the reports the NYDFS generated are already one or two years old.

Who and What the Proposed Regulation Covers

The Proposed Regulation defines a “Covered Entity” as “any [p]erson operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the [New York] banking law, the insurance law or the financial services law.” Recognizing that certain smaller entities may have difficulty reaching the NYDFS minimum standard, the Proposed Regulation exempts them from some but not all of the Proposed Regulation’s requirements. Nonetheless, the Proposed Regulation may exert influence beyond Covered Entities insofar as it affects the third-party vendors of those entities.

The goal of the Proposed Regulation is to secure “Nonpublic Information” from misuse, disruption and unauthorized access, and as noted above, such information is defined broadly. It includes not only competitively sensitive information and intellectual property, but also numerous categories of information that a Covered Entity receives from or about consumers, including information considered nonpublic personal information under the GLBA Privacy Rule. Accordingly, the Proposed Regulation’s definition of Nonpublic Information is far broader than what New York’s existing data protection law defines as “personal information.”

Formalizing a Cybersecurity Program

Under the Proposed Regulation, each Covered Entity must have a written cybersecurity policy that outlines every aspect of its cybersecurity program and explicitly addresses how the Covered Entity complies with each of the Proposed Regulation’s requirements. At a minimum, the written policy must address:

  • Information security;
  • Data governance and classification;
  • Access controls and identity management;
  • Business continuity and disaster recovery planning and resources;
  • Capacity and performance planning;
  • Systems operations and availability concerns;
  • Systems and network security;
  • Systems and network monitoring;
  • Systems and application development and quality assurance;
  • Physical security and environmental controls;
  • Customer data privacy;
  • Vendor and third-party service provider management;
  • Risk assessment; and
  • Incident response.

In addition to outlining all the steps the Covered Entity is taking in these areas, the Covered Entity must also include an incident response plan that lays out how it will respond to any attempted or actual access, disruption or misuse of its systems and information. The incident response plan must also identify and allocate the precise roles and responsibilities of the individuals who will carry out the actions it specifies.

To helm those efforts, the Covered Entity must designate a “qualified” CISO who will oversee and implement the Covered Entity’s written policy and cybersecurity program. In addition, the Covered Entity must also employ sufficient cybersecurity personnel to carry out its program, who must undergo sufficient training to stay abreast of cybersecurity threats and best practices. Further, the Covered Entity must provide all staff with “regular” cybersecurity training that makes them aware of the threats and best practices specific to the Covered Entity’s risk assessment.

The CISO must complete that risk assessment (including the vulnerabilities posed by third parties’ access to the Covered Entity’s information and systems), penetration testing and a comprehensive review and update of the cybersecurity policy at least once a year, and report on the Covered Entity’s efforts and any material attempts or attacks to the board and senior officers at least twice a year.

Limiting Access to Information and Systems

In a major change, under the Proposed Regulation, Covered Entities will be required to encrypt their Nonpublic Information—by January 2018 for Nonpublic Information in transit and by January 2022 for Nonpublic Information at rest. Covered Entities must also require multifactor authentication for remote access to their systems and for privileged access to the servers that contain Nonpublic Information. Web applications that capture, display or interface with Nonpublic Information must require risk-based authentication and must support multifactor authentication. Because of the breadth of what the Proposed Regulation considers Nonpublic Information, implementation of those security measures may be costly for certain Covered Entities, as much of the electronic contact a Covered Entity has with its clients or customers will have to be conducted over secure platforms.

The Proposed Regulation requires Covered Entities to consider which employees need access to which information and systems, and to curtail access to the systems and information accordingly. The Proposed Regulation also makes Covered Entities responsible for the cybersecurity practices of the third parties who hold or can access Nonpublic Information. Covered Entities will be required to conduct due diligence on their third-party providers’ policies and procedures and assess the risks that stem from using those third parties. The Proposed Regulation suggests that Covered Entities include in their written policy the preferred provisions the Covered Entity will include in its vendor contracts, for example, to have the right to audit the third party’s cybersecurity capabilities. Even with favorable contract terms, however, that level of responsibility over third parties will be challenging for many Covered Entities given that the third party’s cybersecurity is in someone else’s hands and the Covered Entity will in many cases not have full and direct access to examine or control the cybersecurity program the third party adopts.

Reporting

When something goes wrong, the Covered Entity must report it to the Superintendent. Specifically, any attempt or attack “that has a reasonable likelihood of materially affecting the normal operation of the Covered Entity or that affects Nonpublic Information” must be reported to the Superintendent within 72 hours after the Covered Entity becomes aware of the event. Any notice the Covered Entity provides to any government or self-regulatory agency must also be given to the Superintendent. As a result, a Covered Entity may have to report a data breach or attempted breach to the Superintendent before the Covered Entity has established a full understanding of the nature and extent of the incident.

Recordkeeping on the One Hand; Timely Destruction on the Other

Covered Entities must maintain sufficiently detailed records to be able to reconstruct who accessed their digital and physical systems and when, and to use that information to detect attempted and actual attacks. Covered Entities must also ensure that the logs that record such access are protected against tampering or alteration. Covered Entities must maintain those “audit trail” records for at least six years.

Nonetheless, Covered Entities are to evaluate and destroy Nonpublic Information that is no longer necessary for the provision of the product or services for which such information was originally provided or obtained, unless some other law (such as, at a minimum, the Proposed Regulation) requires that Nonpublic Information to be maintained. It is often best practice to limit the personal information a business has about its customers to only what is necessary currently for legitimate business purposes, including so that any data breach that does occur will be less harmful to the customers and the business. However, Covered Entities are subject to extensive recordkeeping requirements from many sources and, in many cases, are under the threat of foreseeable litigation, for which they must preserve the materials they may need to exchange in discovery on pain of sanctions for spoliation.

Annual Certification

The Proposed Regulation provides that beginning Jan. 15, 2018, Covered Entities must have the chair of the board or another senior officer (if the Covered Entity has no board) certify in writing to the Superintendent that the Covered Entity is in full compliance with the Proposed Regulation. The Proposed Regulation includes the text of that certification in an appendix. In addition to certifying that the signatory has reviewed all “necessary” material and that the Covered Entity is in compliance, the Covered Entity must provide a report on all remedial efforts planned or underway and all the attempts or attacks that occurred in the prior year that were required to be reported to the Superintendent. The records that support the certification must be maintained for at least five years and made available to the Superintendent upon request. The fact that certification backup materials need only be maintained for five years, but the audit trail materials must be maintained for six years, suggests that the Superintendent may also rely on the audit trail to reach further back in time to find further errors when it enforces the Proposed Regulation.

In fact, the individuals who sign that certification may be exposed to personal liability if the Covered Entity is ultimately found to be noncompliant. The Superintendent may enforce the Proposed Regulation pursuant to her “authority under any applicable laws.” Such laws include the provisions of the New York Banking Law, Insurance Law and Finance Law that impose civil and even criminal penalties for false disclosures made with an intent to deceive a regulator.

Conclusion

While the Proposed Regulation is not yet law and remains open for public comment for the next 45 days, the NYDFS and the State of New York have indicated that securing New York’s financial services firms and consumers from the increasing threats posed by “nation-states, terrorist organizations, and independent criminal actors” is a top priority. In order to meet the Jan. 1, 2017 effective date, Covered Entities should now begin assessing their cybersecurity risks, policies and procedures to develop or enhance their cybersecurity program and to begin documenting and tracking their compliance efforts.

The complete publication, including footnotes, is available here.
