Tag: Risk assessment

The SEC’s Focus on Cybersecurity

Jessica Forbes is a corporate partner resident in the New York office of Fried, Frank, Harris, Shriver & Jacobson LLP. This post is based on a Fried Frank publication authored by Ms. Forbes, Joanna D. Rosenberg, and Stacey Song.

On September 22, 2015, the Securities and Exchange Commission (the “SEC”) issued a cease-and-desist order (the “Order”) and settled charges against St. Louis-based investment adviser R.T. Jones Capital Equities Management (“R.T. Jones”) for failing to establish required policies and procedures to safeguard customer information in violation of Rule 30(a) of Regulation S-P (“Rule 30(a)”) under the Securities Act of 1933. [1]

Rule 30(a) requires every broker, dealer, investment company and registered investment adviser to adopt written policies and procedures reasonably designed to ensure the security and confidentiality of customer information and to protect customer information from anticipated threats or unauthorized access. According to the Order, from at least September 2009 through July 2013, R.T. Jones stored personal information of its clients and other persons on its third party-hosted web server without adopting any such written policies and procedures. In July 2013, a hacker gained access to the data on R.T. Jones’ web server, rendering the personal information of more than 100,000 individuals vulnerable to theft. In response to the cyber attack, R.T. Jones notified each individual whose information was compromised.


Asset Managers: AML ready?

Dan Ryan is Leader of the Financial Services Advisory Practice at PricewaterhouseCoopers LLP. This post is based on a PwC publication by Mr. Ryan, Jeff Lavine, Adam Gilbert, and Armen Meyer. The complete publication, including footnotes and appendix, is available here.

On August 25th, the US Treasury Department’s Financial Crimes Enforcement Network (FinCEN) proposed anti-money laundering requirements for US investment advisers. The proposal requires advisers that are registered with the Securities and Exchange Commission (SEC) to establish anti-money laundering (AML) programs, to report suspicious activities related to money laundering and terrorist financing, and to comply with other sections of the Bank Secrecy Act (BSA).

If finalized as proposed, the impact of these new requirements will vary. Advisers owned by bank holding companies (BHCs) are already subject to similar requirements that are applicable to their BHC parents and enforced by the Federal Reserve. These advisers will nevertheless likely experience an increase in regulatory oversight, as the proposal now allows the SEC to enforce AML requirements.


Cybersecurity: Enter Insurance Regulators

Dan Ryan is Leader of the Financial Services Advisory Practice at PricewaterhouseCoopers LLP. This post is based on a PwC publication by Mr. Ryan, Sean Joyce, Chris Joline, Adam Gilbert, Joseph Nocera, and Armen Meyer.

Since issuing its Principles of Effective Cybersecurity last July, [1] the National Association of Insurance Commissioners (“NAIC”) has been making progress in the development of cybersecurity examination manuals. NAIC’s regulatory guidance is intended to help state insurance regulators identify cybersecurity risks and communicate a uniform set of control requirements to insurers, insurance producers, and related regulated entities (collectively, “Insurance Companies”).

Given the priority regulators are placing on cybersecurity (including NAIC’s Cybersecurity Task Force) and the continued occurrence of high profile data breaches, we expect that cybersecurity examinations will commence as early as 2016 and will be performed by insurance regulators as part of their standard three-year exam cycle. While NAIC’s examination manuals will act as guidelines for state regulators, actual regulation will vary by state. Thus, Insurance Companies should be tracking state regulatory developments to ensure that their cybersecurity programs are rigorous and all-encompassing.


Corporate Risk-Taking and Public Duty

Steven L. Schwarcz is the Stanley A. Star Professor of Law & Business at Duke University School of Law. This post is based on a draft article by Professor Schwarcz, available here.

Although corporate risk-taking is economically necessary and even desirable, it can also be harmful. There is widespread agreement that excessive corporate risk-taking was one of the primary causes of the systemic collapse that caused the 2008-09 financial crisis. To avoid another devastating collapse, most financial regulation since the crisis is directed at reducing excessive corporate risk-taking by systemically important firms. Often that regulation focuses on aligning managerial and investor interests, on the assumption that investors generally would oppose excessively risky business ventures.

My article, Misalignment: Corporate Risk-Taking and Public Duty, argues that assumption is flawed. What constitutes “excessive” risk-taking depends on the observer; risk-taking is excessive from a given observer’s standpoint if, on balance, it is expected to harm that observer. As a result, the law inadvertently allows systemically important firms to engage in risk-taking ventures that are expected to benefit the firm and its investors but, because much of the systemic harm from the firm’s failure would be externalized onto other market participants as well as onto ordinary citizens impacted by an economic collapse, harm the public.


Operational Risk Capital: Nowhere to Hide

The following post comes to us from PricewaterhouseCoopers LLP and is based on a PwC publication by Dietmar Serbee, Helene Katz, and Geoffrey Allbutt; the complete publication, including appendix and footnotes, is available here.

The Basel Committee on Banking Supervision (BCBS) last month proposed revisions to its operational risk capital framework. The proposal sets out a new standardized approach (SA) to replace both the basic indicator approach (BIA) and the standardized approach (TSA) for calculating operational risk capital. In our view, four key points are worth highlighting with respect to the proposal and its possible implications:

The Risky Business of Cybersecurity

David A. Katz is a partner at Wachtell, Lipton, Rosen & Katz specializing in the areas of mergers and acquisitions and complex securities transactions. The following post is based on an article by Mr. Katz and Laura A. McIntosh that first appeared in the New York Law Journal; the full article, including footnotes, is available here.

The national and economic security of the United States depends on the reliable functioning of critical infrastructure. Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation’s security, economy, and public safety and health at risk. Similar to financial and reputational risk, cybersecurity risk affects a company’s bottom line. It can drive up costs and impact revenue. It can harm an organization’s ability to innovate and to gain and maintain customers.

—National Institute for Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0

In today’s technology-driven environment, public companies must constantly confront the challenge of cybersecurity, in its complex, varied, and ever-adapting forms. Cybersecurity breaches regularly fill the headlines, the costs of cybercrime are skyrocketing, and the repercussions of corporate cyber-attacks are felt all the way from chief executives to retail customers. President Barack Obama has stated that “the private sector and the government can, and should, work together to meet this shared challenge,” while FBI Director Robert S. Mueller has described “the critical role the private sector must play in cyber security.” As companies become increasingly dependent on networked technology, and as an expanding number of people conduct transactions and other activities online, cybersecurity will continue to grow in importance for the business community, for the global economy, and for society at large.


Understanding and Implementing the NIST Cybersecurity Framework

The following post comes to us from Paul A. Ferrillo, counsel at Weil, Gotshal & Manges LLP specializing in complex securities and business litigation, and is based on an article authored by Mr. Ferrillo and Tom Conkle.

Why the Cybersecurity Framework was created and why it is so important

Despite the fact that companies are continuing to increase spending on cybersecurity initiatives, data breaches continue to occur. According to The Wall Street Journal, “Global cybersecurity spending by critical infrastructure industries was expected to hit $46 billion in 2013, up 10% from a year earlier according to Allied Business Intelligence Inc.” [1] Despite the boost in security spending, vulnerabilities, threats against these vulnerabilities, data breaches and destruction persist. To combat these issues, the President on February 12, 2013 issued Executive Order (EO) 13636, “Improving Critical Infrastructure Cybersecurity.” [2] The EO directed NIST, in cooperation with the private sector, to develop and issue a voluntary, risk-based Cybersecurity Framework that would provide U.S. critical infrastructure organizations with a set of industry standards and best practices to help manage cybersecurity risks.


SEC’s Non-Decision Decision on Corporate Political Activity a Policy and Political Mistake

The SEC’s recent decision to take disclosure of political activities off the SEC’s agenda is a policy mistake, as it ignores the best research on the point, described below, and perpetuates a key loophole in the investor-relevant disclosure rules, allowing large companies to omit material information about the politically inflected risks they run with other people’s money. It is also a political mistake, as it repudiates the 600,000+ investors who have written to the SEC personally to ask it to adopt a rule requiring such disclosure, and will let entrenched business interests focus their lobbying solely on watering down regulation mandated under the Dodd-Frank Act and the 2012 securities law statute, rather than having also to work to influence a disclosure regime.


Through the Investor Lens: Perspectives on Risk & Governance

Kayla Gillan is leader of the Investor Resource Institute at PricewaterhouseCoopers LLP. The following post is based on the Introduction and Overview of a PwC Investor Survey; the complete publication is available here.

Investors are looking at risks differently than in the past. The financial crisis that affected capital markets across the globe demonstrated that companies—and even whole economies—can be rocked to their core when the connections between lending practices, securitization programs, and capital and funding levels are not clearly understood and monitored.

Investors today are expecting that those who manage the businesses that rely on their capital will exercise greater care over this expanded concept of “risk.” Of course, investors also seek steady returns, so risks cannot be eliminated. But this is when disclosure—information that provides necessary nourishment to an efficient market—becomes so important.


The Future in Law and Finance

The following post comes to us from Alessio Pacces, Professor of Law and Finance at the Erasmus School of Law in Rotterdam. The post is based on Professor Pacces’ inaugural lecture for the Chair in Law and Finance at the Erasmus School of Law in Rotterdam. The full text of the lecture is available here.

Traditionally, law and finance has been concerned with investor protection. That would be enough if the future were predictable. However, because the future is in fact uncertain and unpredictable, the prices of financial assets are flawed and in the short run they may result in serious mistakes, if not widespread crises. Although these mistakes are corrected in the long run, a lot of harm may occur in the meantime. Drawing on the experience from the global financial crisis, I argue that financial law should be concerned not only with investor protection, but also with mitigating the temporary excesses of markets in allowing or restricting access to finance.

The challenge of this goal is to remedy market malfunctioning without undermining market discipline. This is possible if central banks backstop banks’ illiquidity during a crisis, provided that regulation preserves the central banks’ incentives to distinguish illiquidity from insolvency. Moreover, in order to prevent the backstop from resulting in moral hazard by financial institutions, regulation should police the incentives of both managers and shareholders. On the one hand, bank managers should not be allowed to cash in the profit of short-term success. On the other hand, corporate law should allow shareholders to commit to the long term via takeover restrictions, granting bankers private benefits of control to complement the deferral of performance pay.
