Though the Dodd-Frank Wall Street Reform and Consumer Protection Act (DFA) passed in July 2010 required bank holding companies with more than $10 billion of assets to have a board risk committee, a majority of the banks required to have a risk committee had one before the legislation. The presumption of the legislators apparently was that having a board risk committee would reduce bank risk-taking. As far as we know, there was no scientific evidence at the time suggesting that requiring the establishment of a risk committee for banks that did not have one would be valuable either for the banks’ owners or for the financial system. We develop a model of whether a bank should have a risk committee and show that for a bank that maximizes shareholder wealth there is no expectation that a board risk committee causes bank risk-taking to decrease. Our empirical analysis finds no support for the proposition that the existence of a board risk committee decreases bank risk-taking. We use unique interview data to assess how bank risk committees work and whether they act as expected with our theory. We find that risk committees play a role that is consistent with our theory except that they also seem to be a way for regulators to monitor and influence risk-taking within banks. Though a well-functioning risk committee can be valuable to a bank’s shareholders, it is also possible for the risk committee to worsen the communication and engagement of a bank’s board. Therefore, having a risk committee only makes sense for banks where risk-taking is sufficiently complex that risk metrics have to be monitored by a specialized committee.

(more…)

Earlier this year, we wrote about the SEC’s cybersecurity priorities. Since then, the SEC announced a settlement with First American Title Insurance and Services (“First American”) for violating Rule 13a-15(a) of the Exchange Act, and issued a voluntary request for information to a number of companies in connection with the SolarWinds cyber attack (“Voluntary Request”). In this post, we discuss these developments and provide an update on ways that companies can reduce their cybersecurity regulatory risk.

The First American Settlement

According to the SEC’s order, First American’s security personnel identified a security vulnerability exposing over 800 million document images during a penetration test in January 2019. Some of those exposed documents contained sensitive personal data such as customer Social Security numbers and financial information dating back to 2003. The vulnerability was not remediated or reported to information security managers according to First American’s policies. In May 2019, a cybersecurity journalist notified First American of the same vulnerability and First American issued a press statement and submitted an 8-K. According to the order, First American senior executives responsible for these public statements were not made aware that the company’s IT personnel had previously identified this vulnerability and failed to fix it, and therefore “lacked certain information to fully evaluate the company’s cybersecurity responsiveness and the magnitude of the risk” posed by the vulnerability at the time of the company’s disclosures.

The SEC accordingly found that First American failed to maintain disclosure controls and procedures designed to ensure that all available relevant information concerning the vulnerability was analyzed for disclosure in the company’s SEC filings. As part of this settlement, First American agreed to a cease-and-desist order and to pay a $487,616 penalty.

(more…)

On June 11, 2021, the US Securities and Exchange Commission (“SEC” or “Commission”) announced that it would focus on cybersecurity disclosures made by public companies as part of its regulatory agenda. [1] Given the SEC’s continued interest in cybersecurity issues, high-profile ransomware attacks and executive orders issued by President Biden, it is no surprise that the SEC is focused on taking an increasingly active role in a whole-of-government response to cybersecurity threats. Although it will be some time before a final rule on cybersecurity risk disclosures is issued, a proposal from the SEC is expected in October 2021. In the meantime, public companies should begin preparing for what is likely to be a new SEC rule mandating cybersecurity disclosures.

This Legal Update provides background on the new SEC chairman and the SEC rulemaking process, the SEC’s prior guidance on cybersecurity disclosures and steps that public companies can begin taking now to prepare for enhanced SEC oversight of cybersecurity disclosures.

(more…)

Ransomware is an escalating and evolving cybersecurity threat facing organizations around the world. In 2020, ransomware attacks increased seven-fold by year end, with over 17,000 devices detecting ransomware each day. [1] As an added challenge, ransomware is more sophisticated than ever before with modern variants designed to inflict immense damage and perpetrators demanding higher payouts. In the past few months alone, ransomware has caused catastrophic disruptions to the business activities of, among others, Colonial Pipeline, food processing giant JBS USA Holdings Inc., and Ireland’s national health care system. [2] Successful attacks cost businesses millions of dollars, including disruption to business, personnel cost, device cost, network cost, lost opportunity, reputational harm, and a potential payment of a ransom. [3] Cybercriminals are demanding and making more and more money, with the average ransomware payout per event growing from approximately $115,000 in 2018 to more than $300,000 in 2020; and the highest ransom paid more than doubling from $5 million between 2015 and 2019 to $11 million in 2021. [4] Governments, law enforcement, and regulatory bodies have taken notice, with companies facing pressure to effectively prepare for and respond to ransomware attacks. [5]

Given the current threat environment, it is critical that companies seeking to manage their cybersecurity risks have some understanding of how ransomware has evolved to become one of the most damaging cybersecurity threats today. Companies are facing increased legal, regulatory, and political scrutiny in the wake of these attacks, which in turn requires companies to have appropriate management structures and controls in place, with board oversight, in order to anticipate and address the significant harms that can be caused from a ransomware attack. Below we examine the key features of modern ransomware that companies should be considering, including how ransomware actors are now targeting specific companies, threatening to post their victims’ most sensitive data online, and collaborating with other cybercriminals to increase the sophistication of attacks. After exploring modern ransomware, we then recommend guidelines for companies responding in the immediate aftermath of an attack so that companies are best positioned to contain the incident, resume normal business operations, and appropriately assess legal and regulatory risks.

(more…)

In recent years, companies across a wide range of industries have wrestled with the challenge of making appropriate disclosures about cybersecurity risks and vulnerabilities. Earlier this week, an SEC enforcement action, In the Matter of First American Financial Corp. (June 14, 2021) (“FAFC”), shed important new light on these cyber disclosure issues. Importantly, the case did not involve a third-party attack or actual data breach. Rather, it arose from an existing weakness in FAFC’s systems, and centered on the company’s public statements when the vulnerability was publicized in a press report. The case charges that FAFC failed to maintain disclosure controls and procedures sufficient to ensure that all available relevant information concerning the problem was analyzed for inclusion in the company’s disclosures. The SEC has not previously employed this theory as the exclusive basis for a cyber-related enforcement action. FAFC settled without admitting or denying the SEC’s findings.

FAFC is a real estate settlement services provider. According to the SEC’s order, in mid-2019, a cybersecurity journalist contacted FAFC seeking comment on a story about a security vulnerability in one of the company’s web-based applications. FAFC provided a statement to the reporter and also released it to other media outlets, noting, among other things, that “security, privacy and confidentiality are of the highest priority, and we are committed to protecting our customers’ information. The company took immediate action to address the situation . . . .” Shortly thereafter, FAFC filed a Form 8-K, in which it stated that it “shut down external access to a production environment with a reported design defect that created the potential for unauthorized access to customer data.”

(more…)

Introduction

The responsibilities of boards of directors continue to evolve and increase, particularly given the events of the past year. In addition to perennial topics such as strategy, succession, financial reporting, compliance, and culture, boards are experiencing broader demands on their oversight from expanding stakeholder and shareholder considerations; continuing challenges of the ongoing global pandemic and its aftermath; and addressing the changing role of the corporation in society at large on matters such as racial justice and climate. The growth in the number and complexity of board responsibilities is taking place in an environment of growing skepticism towards our various institutions.

Against that background, companies and their boards can help to address these multiple challenges by considering one of the most critical assets not on their balance sheets―trust.

What is trust?

Trust has been defined as “our willingness to be vulnerable to the actions of others because we believe they have good intentions and will behave well toward us.” [1] However, particularly for a business enterprise, trust is not an ephemeral quality or attitude. Rather, it is a critical asset, albeit one that is not reported on the balance sheet or otherwise in the financial statements, as it has no intrinsic value.

(more…)

On Thursday, May 20, 2021, US President Biden signed an Executive Order, entitled “Climate-Related Financial Risk” (Climate Risk EO), that sets the stage for the US federal government, including its financial regulatory agencies, to begin to incorporate climate-risk and other environmental, social and governance (ESG) issues into financial regulation. The Climate Risk EO further demonstrates the priority the Biden administration is giving to addressing climate change and will likely accelerate ongoing efforts by federal financial regulators to adopt new, climate risk-related regulations. Of particular note, the executive order directs Treasury Secretary Janet Yellen to utilize the Financial Stability Oversight Council (FSOC) to coordinate the adoption of regulatory measures to address climate change on the part of the federal financial regulatory agencies. The US Securities and Exchange Commission (SEC) is already actively preparing a proposal to revise public company disclosure requirements to cover a range of ESG issues, [1] and the Federal Reserve Board has established two working committees to examine the climate-related risks to financial stability and to the safety and soundness of financial institutions. [2]

From the scope of the Climate Risk EO, it is evident that the administration believes that improved corporate disclosures on ESG are an important initial response to the risks posed by climate change, but that far broader regulatory reforms are likely over the next several years. The Climate Risk EO provides the policy framework for federal agencies to adopt new supervisory and regulatory measures with respect to not only insured depository institutions, but also insurers and other nonbank financial institutions, ERISA plans, the Federal Thrift Savings Plan (TSP), federal lending programs (US Department of Agriculture (USDA), US Department of Veterans Affairs (VA), Federal Housing Administration (FHA), and Ginnie Mae) and federal contractors. In addition, Secretary Yellen stated in her remarks on the signing of the Climate Risk EO that “[a]ssessments of climate-related financial risks may require new perspectives and new tools.” [3] She did no go on to elaborate what additional tools may be under consideration.

(more…)

Accelerating digitalization puts new pressures on companies to overhaul their business models and, indeed, fundamentally reimagine how they conduct business. Given that companies are increasingly judged on how well they protect their own information as well as the data entrusted to them by customers and partners, cybersecurity and cyber resilience have become vital concerns for any trustworthy organization.

The growth of our global digital footprint has ensured that cybersecurity will remain a priority for business leaders for years to come. As a result, cybersecurity governance will continue to be a matter of importance for boards of directors. As we are seeing when boards consider environmental, social and governance (ESG) factors, [1] companies that manage the entire portfolio of risks, including cyber, do better in the marketplace.

As a result of a rapidly changing cyber-threat landscape and proliferating regulations, it has become clear that boards, especially, need stronger foundations to govern cyber risks effectively. This report details the work of the leading organizations in this field, the World Economic Forum, the National Association of Corporate Directors (NACD) and the Internet Security Alliance (ISA), along with our global partners and our project adviser, PwC; in it we share our consensus-based, principled approach to delivering successful cyber-risk governance at board level.

(more…)

The Biden Executive Order on Climate-Related Financial Risk (the Executive Order) is the latest significant step by the Administration to analyze and mitigate the risks that climate change poses to the U.S. economy, businesses, workers and the financial system. [1] It aims to advance the Biden Administration’s policy of promoting disclosure of climate-related financial risk, mitigating climate-related financial risk, promoting job creation and social and economic justice goals and reaching net-zero emissions by 2050.

The Executive Order contains directives to various federal regulators to take actions to address climate-related financial risk in five different broad areas: government-wide strategy; coordination among financial regulators; Department of Labor actions to safeguard worker life savings and pensions; federal lending, underwriting, and procurement; and the federal budget. This memorandum focuses on those areas of the Executive Order that are most likely to create risks and opportunities for the private sector. These are, in our view, the impact on the financial sector, which will indirectly impact other sectors, the impact on environmental, social or governance (ESG) investing and the impact on those who sell goods and services to the federal government via government procurement.

(more…)

Developments this week highlight the urgent imperative for boards and management teams to address climate-related challenges as part of their regular risk assessment practices:

• A Dutch court held Royal Dutch Shell partially responsible for global warming and ordered the company to reduce its carbon emissions.
• Engine No. 1, an activist investor laser-focused on climate change, won at least two seats on ExxonMobil’s 12-person board in a proxy fight.
• Likewise bucking management’s recommendation, Chevron stockholders approved an investor-backed resolution calling for cuts in carbon emissions, focusing on the challenging area of “Scope 3” emissions.

These developments come on the heels of a federal executive order and related statement from the Secretary of the Treasury announcing that “financial regulators, financial institutions and investors need to have the best information and data to measure climate related financial risk” and declaring a policy to “act to mitigate [climate] risk and its drivers” (emphasis added) and support “science-based [carbon] reduction targets.”

(more…)

As companies navigate ongoing global volatility, an uneven economic recovery and changes in the US administration, audit committees continue to focus on reviewing scenario plans, stress tests and enterprise risk management (ERM) information while overseeing high-quality financial reporting.

They are working to keep pace with the uncertain and fluid business landscape and continually re-evaluating key risks while reviewing financial statements and disclosures, systems of internal controls and other regulatory filings.

Audit committees must also determine whether appropriate processes are in place to monitor macroeconomic changes and evaluate new and emerging legislative, administrative and regulatory developments for impacts on reporting and disclosure.

Additionally, they are working to keep abreast of the continued evolution of the ESG reporting landscape (including the SEC’s recent principles-based requirements around human capital disclosures).

We summarize the following matters for consideration to aid audit committees as they enhance oversight and approach the Q1 reporting period.

(more…)

The Fourth National Climate Assessment, issued by the U.S. Global Change Research Program, found that climate change is already having an impact on businesses and communities across the United States. The report also found that, without significant global mitigation and adaptation efforts, climate change will inflict increasing disruption and damage. International reports have made similar findings. As a result of these existing and anticipated disruptions, climate change has become a major business concern for many company executives and investors.

Certain members of the financial sector have been proactive in evaluating ways to reduce the greenhouse gas (“GHG”) emissions attributable to their operations and financings, adopting climate governance and risk-management actions at a greater rate than other sectors. In fact, as of this writing, each of the major U.S. banks has made a commitment to “net zero” or “Paris Aligned” reductions in their financed greenhouse gas emissions. As part of this effort, members of the financial sector have both created and joined a series of initiatives designed to better account for their “financed emissions,” or the emissions generated by the operations of entities in which a financial institution invests or to which it lends money.

(more…)

Please let me express my sincere gratitude to everyone who has been part of putting this conference together, as well as everyone in attendance today. This conference is the premier event in the United States for legal and compliance professionals working in the regulated fund industry, and it is an honor to speak before you today as the Investment Company Institute’s new president and chief executive officer.

Since I came onboard four months ago, I have met with our Board of Governors as well as numerous other leaders of member firms to identify their priorities and concerns amid the challenges posed by this pandemic. It is abundantly clear that ICI must always be a strong and productive voice for the regulated fund industry with respect to the development of the rules, regulations, and policies that govern our financial system. All of you are key partners with ICI in carrying out our mission to promote and protect the interests of fund investors.

In that context, I would like to speak with you today about the discussions US and international policymakers are having about the March 2020 market turmoil and their work to make the financial markets more resilient in the face of a similar liquidity shock. Such work is taking place in international bodies like the Financial Stability Board (FSB) and International Organization of Securities Commissions with the active participation of US financial regulators.

(more…)

In our forthcoming Review of Financial Studies publication (available here), we examine the value of financial flexibility for large, publicly listed companies in the US during the initial phase of the COVID-19 crisis.

The COVID-19 shock led to a dramatic temporary decrease in revenues for many firms, because production and selling activities conflicted with social distancing practices. For some firms, production halted, because production would have led to workers being highly exposed to COVID-19. For other firms, customer demand flatlined, because the firm’s goods and/or services entailed exposure to COVID-19.

Firms differ in how their financial affairs are organized. Some firms hold large amounts of cash to help them cope with unexpected events. They also keep debt capacity and limit their exposure to debt rollover risk. These firms have financial flexibility, so that they can more easily fund a cash flow shortfall, such as the one created by the COVID-19 shock. In contrast, firms with less financial flexibility might rapidly descend into financial distress and be forced to take actions that healthy firms would consider detrimental to long-term shareholder wealth.

(more…)

As leaders in business, investment and financial institutions, and academia we welcome and encourage efforts in jurisdictions around the world to take action to embed the concept of sustainable development in corporate governance law, codes and initiatives.

Business sustainability, sustainable finance, corporate purpose and long-term value creation must begin with company boards and the systems of governance under which companies operate.

Director organisations have recognised the urgency of the climate crisis and the need to accelerate progress towards Paris and Sustainable Development Goals. To be able to do so, it is crucial that directors positively orientate towards long-term value creation rather than short-term profit maximisation for the company.

Business organisations have committed to move away from the concept of shareholder primacy towards fully addressing sustainability and ensuring that no stakeholders are significantly harmed.  Although the law already provides Board members with wide discretion when making decisions on behalf of the company on sustainability issues, incentives within existing corporate governance models too often prevent them from taking concrete steps to act on these intentions.

(more…)

Ever since the onset of the pandemic, corporate directors, their advisors, and investors have sought to identify board characteristics and practices that might be associated with superior management of epic disruption. Might any of the board features commonly rated by market analysts as governance-positive have helped companies navigate economic challenges posed by COVID? What lessons may be learned to make boards more crisis-resilient? Research is beginning to shed light on answers. But insights meanwhile may be drawn from the recent experience of boards facing comparable catastrophic risk.

One rare, insider perspective on such a case comes from Vale, the Brazil-based global mining giant. On January 25 2019, a tailings dam at the iron ore mine just east of Brumadinho, in the Brazilian state of Minas Gerais, suffered a devastating collapse. The resulting mudflow killed some 270 people, most of them Vale employees and family members. The disaster was, like the pandemic for others, an existential one for the company. Vale confronted sudden, daunting, regulatory, reputational, financial, and operational consequences that threatened the firm’s survival. Executives still face homicide and corruption charges, and this month the company agreed to a USD 7 billion settlement, the largest in Brazil’s history.

(more…)

Governance Factor: Beyond the Board

Corporate governance has long been a focal point for large corporates, listed companies and regulated entities, with numerous studies connecting good corporate governance with higher profitability. However, as the March 2021 effective date of the EU’s Sustainability-Related Disclosure Regulation approaches, corporate governance is becoming increasingly important to companies of all sizes. This is, in part, due to investee companies needing to follow good governance practices, as a baseline, in order to be classified as a “sustainable investment.” [1]

Corporate governance is not only facing increased scrutiny by investors and stakeholders but also regularly attracts adverse media attention. Directors wishing to safeguard themselves and the businesses they serve when discharging their duties should, therefore, be mindful of good corporate governance strategies and consider implementing strategies beyond the yardstick of the law.

This post explores several recommendations for companies seeking to improve their corporate governance framework, including:

(more…)

Traditionally, empirical models in accounting and finance have focused on parameter estimation—in other words, what is the relation between the dependent and independent variable (i.e., does X cause Y)? However, a number of these studies generate inferences using variables that are estimates of unobservable firm attributes derived from traditional regression models. For example, estimates of securities litigation risk, a rare but important economic event, are typically generated from logistic regression models. Because of how these estimates are used in the literature, their accuracy has important implications for the conclusions drawn in a number of studies. In the case of securities litigation risk, researchers generally use estimates in two ways. First, researchers include litigation risk as a control variable in a regression specification where litigation is a correlated omitted variable. In these models, an inaccurate estimate of litigation risk can bias the coefficients of interest, thus affecting subsequent inferences. The second way in which these estimates are used is to create treated and control observations in a natural experiment. Typically, researchers will identify a regulatory event that affects litigation risk, and examine its impact using a difference-in-difference methodology where the treated firms have high values for litigation risk and the control firms have low values for litigation risk. In these studies, an inaccurate estimate of litigation risk can result in firms being misclassified, and therefore affect subsequent inferences.

(more…)

Despite the global economic and health crisis resulting from the COVID-19 pandemic, many companies have continued to intensify their efforts to improve their management approaches and communications in relation to environmental, social, and governance (ESG) issues. In many instances, the ongoing crisis has, in fact, accelerated pre-existing trends towards greater ESG integration by underscoring the role of business in confronting wider societal issueThe increasing adoption of ESG management systems is driven by two concurrent trends. First, significant social pressures, a shift in expectations for private enterprise, and ongoing regulatory changes have increased demand for companies to proactively take responsibility for potential externalities affecting the environment and society. Second, there is a growing recognition amongst investment and business professionals that ESG issues can have a material impact on company value and that the management of such risks can preserve (and even enhance) economic value for companies and their shareholders.

In this article, we review the underlying trends behind the momentum in ESG management and examine potential shifts in public policy, investor sentiment, and company behavior in the ongoing aftermath of the COVID-19 crisis. We draw some early lessons for companies reconsidering their approach to ESG as a result of the pandemic, focusing on social inequalities and workforce risks, the acceleration of pre-existing economic trends, and a continued emphasis on ESG issues.

(more…)

Now that you know what the board is overseeing when it comes to management’s development and execution of an ESG strategy, how exactly does the board go about overseeing these efforts? The board will have to consider a number of different topics/issues.

Where responsibility lies: Because ESG strategy should align with business strategy and focus on material risks and business drivers, the full board will want to understand the ESG messaging and how those risks are being mitigated. If this is a new area of focus for the board and the company, directors may need to assign detailed oversight to specific committees to help the ESG strategy launch smoothly. Ultimately, ESG issues will be relevant to all committees. For example, the nominating and governance committee will be interested in the shareholder engagement element, while the compensation committee will be interested in accountability through compensation. The audit committee will be interested in the disclosure, messaging, and metrics.

As the board determines where ESG oversight will be assigned, it may want to consider the following questions:

(more…)