Tag: Risk management


Why Do Bank Boards Have Risk Committees?

René M. Stulz is the Everett D. Reese Chair of Banking and Monetary Economics at the Fisher College of Business at The Ohio State University. This post is based on a recent paper by Mr. Stulz; James Tompkins, Professor of Finance at Kennesaw State University; Rohan Williamson, Professor of Finance at Georgetown University McDonough School of Business; and Zhongxia (Shelly) Ye, Associate Professor of Accounting at the University of Texas at San Antonio Carlos Alvarez College of Business.

Though the Dodd-Frank Wall Street Reform and Consumer Protection Act (DFA) passed in July 2010 required bank holding companies with more than $10 billion of assets to have a board risk committee, a majority of the banks required to have a risk committee had one before the legislation. The presumption of the legislators apparently was that having a board risk committee would reduce bank risk-taking. As far as we know, there was no scientific evidence at the time suggesting that requiring the establishment of a risk committee for banks that did not have one would be valuable either for the banks’ owners or for the financial system. We develop a model of whether a bank should have a risk committee and show that for a bank that maximizes shareholder wealth there is no expectation that a board risk committee causes bank risk-taking to decrease. Our empirical analysis finds no support for the proposition that the existence of a board risk committee decreases bank risk-taking. We use unique interview data to assess how bank risk committees work and whether they act as our theory predicts. We find that risk committees play a role that is consistent with our theory, except that they also seem to be a way for regulators to monitor and influence risk-taking within banks. Though a well-functioning risk committee can be valuable to a bank’s shareholders, it is also possible for the risk committee to worsen the communication and engagement of a bank’s board. Therefore, having a risk committee only makes sense for banks where risk-taking is sufficiently complex that risk metrics have to be monitored by a specialized committee.

The SEC’s Cyber Priorities and Four Ways for Companies to Reduce Regulatory Risk

Avi Gesser is partner, Johanna Skrzypczyk is counsel, and Suchita Mandavilli Brundage is an associate at Debevoise & Plimpton LLP. This post is based on a Debevoise memorandum by Mr. Gesser, Ms. Skrzypczyk, Ms. Brundage, and Katie McCarty.

Earlier this year, we wrote about the SEC’s cybersecurity priorities. Since then, the SEC announced a settlement with First American Title Insurance and Services (“First American”) for violating Rule 13a-15(a) of the Exchange Act, and issued a voluntary request for information to a number of companies in connection with the SolarWinds cyber attack (“Voluntary Request”). In this post, we discuss these developments and provide an update on ways that companies can reduce their cybersecurity regulatory risk.

The First American Settlement

According to the SEC’s order, First American’s security personnel identified a security vulnerability exposing over 800 million document images during a penetration test in January 2019. Some of those exposed documents contained sensitive personal data such as customer Social Security numbers and financial information dating back to 2003. The vulnerability was neither remediated nor reported to information security managers as First American’s policies required. In May 2019, a cybersecurity journalist notified First American of the same vulnerability, and First American issued a press statement and submitted an 8-K. According to the order, the First American senior executives responsible for these public statements were not made aware that the company’s IT personnel had previously identified this vulnerability and failed to fix it, and therefore “lacked certain information to fully evaluate the company’s cybersecurity responsiveness and the magnitude of the risk” posed by the vulnerability at the time of the company’s disclosures.

The SEC accordingly found that First American failed to maintain disclosure controls and procedures designed to ensure that all available relevant information concerning the vulnerability was analyzed for disclosure in the company’s SEC filings. As part of this settlement, First American agreed to a cease-and-desist order and to pay a $487,616 penalty.

SEC Increasingly Turns Focus Toward Strength of Cyber Risk Disclosures

Vivek Mohan, David Simon, and Richard Rosenfeld are partners at Mayer Brown LLP. This post is based on a Mayer Brown memorandum by Mr. Mohan, Mr. Simon, Mr. Rosenfeld, and Julie L. Sweeney.

On June 11, 2021, the US Securities and Exchange Commission (“SEC” or “Commission”) announced that it would focus on cybersecurity disclosures made by public companies as part of its regulatory agenda. [1] Given the SEC’s continued interest in cybersecurity issues, high-profile ransomware attacks and executive orders issued by President Biden, it is no surprise that the SEC is focused on taking an increasingly active role in a whole-of-government response to cybersecurity threats. Although it will be some time before a final rule on cybersecurity risk disclosures is issued, a proposal from the SEC is expected in October 2021. In the meantime, public companies should begin preparing for what is likely to be a new SEC rule mandating cybersecurity disclosures.

This Legal Update provides background on the new SEC chairman and the SEC rulemaking process, the SEC’s prior guidance on cybersecurity disclosures and steps that public companies can begin taking now to prepare for enhanced SEC oversight of cybersecurity disclosures.

What Companies Need to Know About Modern Ransomware Attacks and How to Respond

Antonia M. Apps and Adam Fee are partners and Matthew Laroche is special counsel at Milbank LLP. This post is based on their Milbank memorandum.

Ransomware is an escalating and evolving cybersecurity threat facing organizations around the world. In 2020, ransomware attacks increased seven-fold by year end, with over 17,000 devices detecting ransomware each day. [1] As an added challenge, ransomware is more sophisticated than ever before with modern variants designed to inflict immense damage and perpetrators demanding higher payouts. In the past few months alone, ransomware has caused catastrophic disruptions to the business activities of, among others, Colonial Pipeline, food processing giant JBS USA Holdings Inc., and Ireland’s national health care system. [2] Successful attacks cost businesses millions of dollars, including disruption to business, personnel cost, device cost, network cost, lost opportunity, reputational harm, and a potential payment of a ransom. [3] Cybercriminals are demanding and making more and more money, with the average ransomware payout per event growing from approximately $115,000 in 2018 to more than $300,000 in 2020; and the highest ransom paid more than doubling from $5 million between 2015 and 2019 to $11 million in 2021. [4] Governments, law enforcement, and regulatory bodies have taken notice, with companies facing pressure to effectively prepare for and respond to ransomware attacks. [5]

Given the current threat environment, it is critical that companies seeking to manage their cybersecurity risks have some understanding of how ransomware has evolved to become one of the most damaging cybersecurity threats today. Companies are facing increased legal, regulatory, and political scrutiny in the wake of these attacks, which in turn requires companies to have appropriate management structures and controls in place, with board oversight, in order to anticipate and address the significant harms that can be caused from a ransomware attack. Below we examine the key features of modern ransomware that companies should be considering, including how ransomware actors are now targeting specific companies, threatening to post their victims’ most sensitive data online, and collaborating with other cybercriminals to increase the sophistication of attacks. After exploring modern ransomware, we then recommend guidelines for companies responding in the immediate aftermath of an attack so that companies are best positioned to contain the incident, resume normal business operations, and appropriately assess legal and regulatory risks.

A New Angle on Cybersecurity Enforcement from the SEC

John F. Savarese, Wayne M. Carlin, and Sabastian V. Niles are partners at Wachtell, Lipton, Rosen & Katz. This post is based on their Wachtell memorandum.

In recent years, companies across a wide range of industries have wrestled with the challenge of making appropriate disclosures about cybersecurity risks and vulnerabilities. Earlier this week, an SEC enforcement action, In the Matter of First American Financial Corp. (June 14, 2021) (“FAFC”), shed important new light on these cyber disclosure issues. Importantly, the case did not involve a third-party attack or actual data breach. Rather, it arose from an existing weakness in FAFC’s systems, and centered on the company’s public statements when the vulnerability was publicized in a press report. The case charges that FAFC failed to maintain disclosure controls and procedures sufficient to ensure that all available relevant information concerning the problem was analyzed for inclusion in the company’s disclosures. The SEC has not previously employed this theory as the exclusive basis for a cyber-related enforcement action. FAFC settled without admitting or denying the SEC’s findings.

FAFC is a real estate settlement services provider. According to the SEC’s order, in mid-2019, a cybersecurity journalist contacted FAFC seeking comment on a story about a security vulnerability in one of the company’s web-based applications. FAFC provided a statement to the reporter and also released it to other media outlets, noting, among other things, that “security, privacy and confidentiality are of the highest priority, and we are committed to protecting our customers’ information. The company took immediate action to address the situation . . . .” Shortly thereafter, FAFC filed a Form 8-K, in which it stated that it “shut down external access to a production environment with a reported design defect that created the potential for unauthorized access to customer data.”

Trust: A Critical Asset

Don Fancher is Principal of Risk & Financial Advisory, Jennifer Lee is Canadian Managing Partner, and Debbie McCormack is Managing Director at Deloitte. This post is based on a Deloitte memorandum by Mr. Fancher, Ms. Lee, Ms. McCormack, and Bob Lamm.

Introduction

The responsibilities of boards of directors continue to evolve and increase, particularly given the events of the past year. In addition to perennial topics such as strategy, succession, financial reporting, compliance, and culture, boards are experiencing broader demands on their oversight from expanding stakeholder and shareholder considerations; continuing challenges of the ongoing global pandemic and its aftermath; and addressing the changing role of the corporation in society at large on matters such as racial justice and climate. The growth in the number and complexity of board responsibilities is taking place in an environment of growing skepticism towards our various institutions.

Against that background, companies and their boards can help to address these multiple challenges by considering one of the most critical assets not on their balance sheets: trust.

What is trust?

Trust has been defined as “our willingness to be vulnerable to the actions of others because we believe they have good intentions and will behave well toward us.” [1] However, particularly for a business enterprise, trust is not an ephemeral quality or attitude. Rather, it is a critical asset, albeit one that is not reported on the balance sheet or otherwise in the financial statements, as it has no intrinsic value.

President Biden Signs Executive Order on Addressing Climate Change Risk through Financial Regulation

Andrew Olmem, J. Paul Forrester, and Thomas J. Delaney are partners at Mayer Brown LLP. This post is based on their Mayer Brown memorandum.

On Thursday, May 20, 2021, US President Biden signed an Executive Order, entitled “Climate-Related Financial Risk” (Climate Risk EO), that sets the stage for the US federal government, including its financial regulatory agencies, to begin to incorporate climate-risk and other environmental, social and governance (ESG) issues into financial regulation. The Climate Risk EO further demonstrates the priority the Biden administration is giving to addressing climate change and will likely accelerate ongoing efforts by federal financial regulators to adopt new, climate risk-related regulations. Of particular note, the executive order directs Treasury Secretary Janet Yellen to utilize the Financial Stability Oversight Council (FSOC) to coordinate the adoption of regulatory measures to address climate change on the part of the federal financial regulatory agencies. The US Securities and Exchange Commission (SEC) is already actively preparing a proposal to revise public company disclosure requirements to cover a range of ESG issues, [1] and the Federal Reserve Board has established two working committees to examine the climate-related risks to financial stability and to the safety and soundness of financial institutions. [2]

From the scope of the Climate Risk EO, it is evident that the administration believes that improved corporate disclosures on ESG are an important initial response to the risks posed by climate change, but that far broader regulatory reforms are likely over the next several years. The Climate Risk EO provides the policy framework for federal agencies to adopt new supervisory and regulatory measures with respect to not only insured depository institutions, but also insurers and other nonbank financial institutions, ERISA plans, the Federal Thrift Savings Plan (TSP), federal lending programs (US Department of Agriculture (USDA), US Department of Veterans Affairs (VA), Federal Housing Administration (FHA), and Ginnie Mae) and federal contractors. In addition, Secretary Yellen stated in her remarks on the signing of the Climate Risk EO that “[a]ssessments of climate-related financial risks may require new perspectives and new tools.” [3] She did not go on to elaborate what additional tools may be under consideration.

Principles for Board Governance of Cyber Risk

Sean Joyce is Global and US Cybersecurity, Privacy, and Forensics Leader at PricewaterhouseCoopers LLP (PwC); Daniel Dobrygowski is Head of Governance and Trust at the World Economic Forum (WEF) Centre for Cybersecurity; and Friso Van der Oord is Senior Vice-President of Content for the National Association of Corporate Directors (NACD). This post is based on a co-publication by PwC, the Internet Security Alliance, NACD, and the WEF, authored by Mr. Joyce; Mr. Dobrygowski; Mr. Van der Oord; Peter Gleason, NACD President & CEO; Larry Clinton, Internet Security Alliance President; and Joe Nocera, Leader of PwC’s Cyber and Privacy Innovation Institute.

Accelerating digitalization puts new pressures on companies to overhaul their business models and, indeed, fundamentally reimagine how they conduct business. Given that companies are increasingly judged on how well they protect their own information as well as the data entrusted to them by customers and partners, cybersecurity and cyber resilience have become vital concerns for any trustworthy organization.

The growth of our global digital footprint has ensured that cybersecurity will remain a priority for business leaders for years to come. As a result, cybersecurity governance will continue to be a matter of importance for boards of directors. As we are seeing when boards consider environmental, social and governance (ESG) factors, [1] companies that manage the entire portfolio of risks, including cyber, do better in the marketplace.

As a result of a rapidly changing cyber-threat landscape and proliferating regulations, it has become clear that boards, especially, need stronger foundations to govern cyber risks effectively. This report details the work of the leading organizations in this field, the World Economic Forum, the National Association of Corporate Directors (NACD) and the Internet Security Alliance (ISA), along with our global partners and our project adviser, PwC; in it we share our consensus-based, principled approach to delivering successful cyber-risk governance at board level.

Private Sector Implications of Biden’s Executive Order on Climate-Related Financial Risk

Margaret E. Tahyar and Randall D. Guynn are partners and Betty Moy Huber is counsel at Davis Polk & Wardwell LLP. This post is based on their Davis Polk memorandum.

The Biden Executive Order on Climate-Related Financial Risk (the Executive Order) is the latest significant step by the Administration to analyze and mitigate the risks that climate change poses to the U.S. economy, businesses, workers and the financial system. [1] It aims to advance the Biden Administration’s policy of promoting disclosure of climate-related financial risk, mitigating climate-related financial risk, promoting job creation and social and economic justice goals and reaching net-zero emissions by 2050.

The Executive Order contains directives to various federal regulators to take actions to address climate-related financial risk in five different broad areas: government-wide strategy; coordination among financial regulators; Department of Labor actions to safeguard worker life savings and pensions; federal lending, underwriting, and procurement; and the federal budget. This memorandum focuses on those areas of the Executive Order that are most likely to create risks and opportunities for the private sector. These are, in our view, the impact on the financial sector, which will indirectly impact other sectors, the impact on environmental, social or governance (ESG) investing and the impact on those who sell goods and services to the federal government via government procurement.

Carbon, Caremark, and Corporate Governance

William Savitt, Sabastian V. Niles, and Sarah K. Eddy are partners at Wachtell, Lipton, Rosen & Katz. This post is based on their Wachtell memorandum.

Developments this week highlight the urgent imperative for boards and management teams to address climate-related challenges as part of their regular risk assessment practices:

  • A Dutch court held Royal Dutch Shell partially responsible for global warming and ordered the company to reduce its carbon emissions.
  • Engine No. 1, an activist investor laser-focused on climate change, won at least two seats on ExxonMobil’s 12-person board in a proxy fight.
  • Likewise bucking management’s recommendation, Chevron stockholders approved an investor-backed resolution calling for cuts in carbon emissions, focusing on the challenging area of “Scope 3” emissions.

These developments come on the heels of a federal executive order and related statement from the Secretary of the Treasury announcing that “financial regulators, financial institutions and investors need to have the best information and data to measure climate related financial risk” and declaring a policy to “act to mitigate [climate] risk and its drivers” (emphasis added) and support “science-based [carbon] reduction targets.”