Cybersecurity in the Boardroom: New Horizons

Cybersecurity risks are growing. As society produces more lines of code and everything, from cars to sex toys, becomes connected, more vulnerabilities are produced daily, inviting more data breaches. The costs associated with security breaches, mostly reputational, have also increased in terms of legal costs and pure losses of revenue. The new oil is not just data; it is security vulnerabilities, traded on legitimate and outlawed markets.

The rapidly changing cyber landscape is creating new types of cyber risks, which directors simply cannot continue to ignore. If they do ignore them, they might be slapped with a shareholders’ derivative lawsuit in the case of a breach, claiming that management breached its fiduciary duty towards the corporation by failing to monitor the cyber risk.

Cyber is becoming a subject regularly discussed in boardrooms, and a critical corporate governance concern. Recent research by the U.S. National Association of Corporate Directors (NACD) reported that while directors acknowledge the importance and prominence of cyber risks, they also believe that “their boards do not possess sufficient knowledge of this growing risk.”

In light of these findings, the NACD issued a new report detailing five key principles that directors can adopt to enable oversight over cybersecurity risks: (i) approaching cybersecurity as an “enterprise-wide” managerial risk, (ii) understanding the legal implications of cyber risks, (iii) enabling access to cybersecurity expertise, and discussing cyber risks in the boardroom regularly, (iv) establishing an enterprise-wide cyber-risk management framework and (v) managing cyber risks in terms of deciding which risks to avoid, manage or mitigate through cyber-insurance. Implementing an independent monitoring system, such as Bug Bounty Programs, could also enhance the directors’ ability to oversee security risks.

While the NACD report might provide directors with advice on how to oversee cyber risks, other developments in the “cyber-corporate” arena suggest that directors should take a more proactive managerial approach to cyber risks, one that requires them to have genuine expertise in this field.

First, New York adopted a new comprehensive cyber regulation for financial services companies regulated under the New York State Department of Financial Services, effective March 1, 2017 (with a transition period, § 500.22). The newly adopted 23 NYCRR 500 Cybersecurity Requirements require covered entities, among other things, (1) to conduct periodic risk assessments, (2) to implement a cybersecurity policy that evaluates the effectiveness of the corporations’ cybersecurity program and (3) to conduct periodic penetration testing and vulnerability assessments. Most importantly, the 23 NYCRR 500 regulations mandate directors to pay attention to cyber laws, requiring the Chairman of the Board or a “Senior Officer” to personally sign the annual certification confirming compliance with the regulations, the Board or a “Senior Officer” to approve the cybersecurity policy, and the Board to receive annual reports from the chief information security officer.

Second, a new bill proposal, the Cybersecurity Disclosure Act of 2017, seeks to mandate public companies to disclose to investors information relating to their directors’ expertise and experience in the field of cybersecurity as part of their annual reports/proxy statements. If the company’s Board has no such expertise, it is required to disclose “what other cybersecurity steps” its senior management has taken. It’s plausible that companies will prefer to comply with the first requirement, rather than disclosing their detailed cybersecurity strategy and subjecting it to scrutiny and prying eyes.

All of this suggests that directors will be mandated to take a more proactive role on cyber, one that goes beyond mere “oversight,” or else they might find themselves personally liable.


House Takes a Swing at Class Actions

On March 9, the House voted 220 to 201 to pass the Fairness in Class Action Litigation Act. According to its author, Bob Goodlatte (R-Va.), the Act is intended to make “an efficient and just legal system” by limiting frivolous class action litigation. Its major provision prevents the certification of a plaintiff class unless every individual member of the class suffers “the same type and scope of injury.”

Proponents argue that the Act reduces frivolous suits by requiring that all class members suffer a comparable injury, preventing uninjured individuals from riding the coattails of their injured co-plaintiffs. This would also prevent lawyers from artificially inflating class sizes in order to increase their own share of the settlement. Rep. Goodlatte further suggests that the bill serves a protective function, shielding the small businesses and low net worth individuals whom he believes are the true victims of these suits.

While on paper the bill may sound uncontroversial and even beneficial, a host of critics ranging from civil rights groups to labor organizations have claimed that the new requirements would “obliterate class actions in America.” Christine Hines, legislative director of the National Assn. of Consumer Advocates, explained that under the current system, classes “typically include a range of individuals who almost never suffer precisely the same degree of injury.” Take, for example, the class action suit against air bag manufacturer Takata. Its malfunctioning airbags caused harms ranging from superficial wounds to fatalities. Though few would consider the Takata claims frivolous, the range of injuries presented by the plaintiffs is unlikely to be considered of the same type and scope under the proposed Act.

Regardless of these significant class formation issues, even if a sufficiently similar class could be assembled, it would still face a lengthier certification process. This process would increase the administrative burden on courts and the financial burden on plaintiffs. As Rep. Jamie Raskin (D-Md.) summarized, “it’s not the guillotine, but it’s a straight-jacket.”

So far, the bill shows no signs of losing steam. It was introduced in early February, approved by the Judiciary Committee less than a week later, and passed by the House in March. Now the viability of the class action suit rests in the hands of the Senate.


Rolling-Back Vehicular Emissions Standards: Different Strokes

The Trump administration recently indicated its willingness to halt Obama-era vehicular emissions standards.  In an announcement that foreshadowed executive action, President Trump promised to freeze and potentially review vehicle emission standards.

Under a legal regime harmonized by Obama-era regulations, the Department of Transportation and the Environmental Protection Agency (EPA), together with California, empowered by a Clean Air Act waiver, can prescribe and review fuel economy standards for cars and light trucks. These standards are to operate from 2012 to 2025 with the possibility of midterm evaluation in 2018. President Obama’s EPA and the California Air Resources Board had both confirmed the application of those standards through to 2025. However, President Trump may revisit this midterm evaluation in order to make it easier for manufacturers to meet emission standards. Additionally, although this is less likely, the Trump administration may challenge the California waiver that allows that state to pursue standards stricter than the federal government’s.

Just how much could this change? The EPA’s midterm evaluation of the vehicular standards is already the subject of litigation, with California and 9 states indicating their willingness to defend the emission standards. Attempts by the EPA or Department of Transportation to enforce President Trump’s announcement are thus likely to be met with resistance. Environmentalists will also surely view any rollback of the emissions standards as undermining the United States’ commitment to reduce greenhouse gas (GHG) emissions under the Paris Accord.

However, the effect may be more neutral for businesses. For one, this federal dispute comes after states like Georgia, once home to a booming electric car market, repealed tax credits and established registration fees that undercut the electric vehicle market. Similarly, Colorado, Illinois, Pennsylvania and Tennessee have allowed clean vehicle incentives to expire. Additionally, California’s authority to establish more stringent standards may, as long as it is not challenged, effectively make its regulations the benchmark for auto manufacturers. California is a crucial auto market, representing 10% of all sales, and its zero emission vehicle standards have been adopted by 9 other states. Finally, responses by automakers to a loosening of standards are likely to differ according to their strategic objectives. While weaker long-term standards may affect the outlook for electric vehicles, some analysts doubt that they would significantly undercut investment in autonomously driven electric cars.

Eventually, much will depend on the administration’s next steps and just how much of President Obama’s climate change legacy it seeks to challenge.


Trump’s 2005 Tax Return Released: Why President Trump Wants to Abolish the A.M.T.

On March 14, MSNBC released a two-page section of President Trump’s tax return from 2005. The released tax return (which was condemned but confirmed by the White House) shows that Mr. Trump reported income of $150 million and paid $38 million in federal income taxes (an effective tax rate of 25 percent). President Trump declared more than $100 million in business losses which led him to save millions of dollars in federal taxes.

During the campaign, Trump was highly criticized for refusing to release his tax returns to the public — a tradition for presidential candidates. Indeed, critics claimed that his tax returns could unveil potential improprieties within his business practices, as well as reveal whether he has done business with Russian companies and banks. In his defense, Trump claimed he was under an ongoing audit by the IRS, which prohibited him from releasing his tax returns (although commentators have said that an audit would not legally preclude him from releasing them).

In a recent statement, the White House explained that the business losses were a “large scale depreciation for construction.” The White House also said, “Before being elected, Mr. Trump was one of the most successful businessmen in the world, with a responsibility to his company, his family and his employees to pay no more tax than legally required” and that he paid “tens of millions of dollars in other taxes, such as sales and excise taxes and employment taxes, and this illegally published return proves just that.”

Trump’s 2005 tax return does not indicate any ties with Russia, nor does it shed light on any business activities that were not previously known.  However, it highlights that Trump paid his tax under the alternative minimum tax, which Mr. Trump wants to abolish.

The alternative minimum tax (A.M.T.) was created to prevent wealthy Americans from paying no income tax by taking advantage of deductions and loopholes. Indeed, with the A.M.T., those with high incomes have to calculate their taxes twice: once with all their deductions and once without many of them. The taxpayer must then pay the higher of the two figures. As a matter of fact, without the A.M.T., Trump would only have paid $5.3 million in federal income taxes in place of the $31 million he paid on $153 million in income in 2005. According to David Cay Johnston, the Pulitzer laureate journalist who received the tax return by mail, “If we didn’t have the alternative minimum tax, he would have paid taxes at a lower rate than the poor who make less than $33,000 a year.”

President Trump condemned MSNBC’s release of his 2005 tax return, calling it “fake news” and criticizing the media on his Twitter page. Putting aside the debate of whether the tax return is fake, the partial disclosure of Trump’s tax return will further pressure the White House to finally publish the President’s tax return in full.


Tighter Restrictions on Employer Use of Payroll Cards in New York Revoked

New York regulations scheduled to take effect on March 7, 2017, that would more tightly govern employer use of payroll cards to pay workers were overturned by the New York State Industrial Board of Appeals, an independent review board. The new regulations would have provided workers considerable protection from their wages being further reduced through fees imposed on basic uses associated with their payroll cards. The review board concluded that the New York State Department of Labor overstepped its rule-making authority in issuing these regulations and effectively entered into the “regulation of banking services.”

New York employers may distribute wages to employees through payroll cards, which function like debit cards and allow workers to access their pay at an A.T.M. This method provides employers with an alternative option so that they may avoid wage distribution through directly depositing the wages into an employee’s checking account or through issuing individualized paper checks. This method of wage distribution has become increasingly popular. Approximately 200,000 workers in New York receive their wages this way, and approximately $12 billion in wages were distributed via payroll cards in 2015. Payroll card wage distribution is common for employers in the retail and service industries.

The New York State Department of Labor issued the new rules on September 7, 2016 to ensure consumer protection for workers and to guarantee that workers’ wages are not decreased further simply by their need to withdraw money from their paycheck, speak with a representative, or review a prepaid card’s balance, in addition to other basic uses. The rules were created in response to the concern that the payroll cards negatively impact many low-wage workers in New York through these unreasonable fees. The fees imposed on payroll card use can in certain cases effectively reduce a worker’s pay to below the minimum wage.

The regulations would have forced employers to ensure employees could access at least one A.T.M. located near their work or home where the employee “could make free, unlimited wage withdrawals.” However, the employer and State Department of Labor would need to decide what constituted an A.T.M. being within an acceptable distance of an employee’s work or home. The regulations also would have imposed requirements regarding consent from employees to receive wages through the payroll cards, and notice from employers to employees about wage options and more.

Proponents of the payroll card system argue that the prepaid cards provide an attractive option for employees without bank accounts. The prepaid card method benefits employers by providing a payment method that can be “cheaper and more efficient than checks.” Critics of the struck-down regulations argue that the regulations would have imposed excessive compliance costs on employers and would chill employers’ use of the payroll card method.

The Industrial Board’s decision may be appealed by the New York State Department of Labor if the Labor Department chooses to pursue that option.


SoftBank’s Ambitious Move Towards a Ubiquitous Internet Network: The Intelsat & OneWeb Merger

Intelsat S.A., a Luxembourg-based communications satellite services provider, and OneWeb Ltd., a U.S. satellite internet startup, announced on February 28, 2017, that they had entered into a conditional combination agreement to merge in a share-for-share transaction. SoftBank Group Corp., a major Japanese internet and telecommunications corporation, will invest $1.7 billion in newly issued common and preferred shares of the combined company. However, the proposed Intelsat-OneWeb merger and SoftBank’s investment require the completion of debt exchange offers to existing Intelsat bondholders in order to cut $3.6 billion of Intelsat’s debt.

Intelsat operates geostationary orbit (“GEO”) satellites and launched the Intelsat Globalized Network last year. On the other hand, OneWeb is developing small, low earth orbit (“LEO”) satellites under its mission to provide affordable internet access for everyone. In addition to the cost-saving synergies to be generated by the merger, both satellite companies expect the merger to facilitate the global satellite network’s development.

As is broadly known, tech giants are eager to establish a ubiquitous internet network, such as through Facebook Inc.’s Aquila drone. Stephen Spengler, CEO of Intelsat, stated that “by merging OneWeb’s LEO satellite constellation and innovative technology with our global scale, terrestrial infrastructure and GEO satellite network, we will create advanced solutions that address the need for ubiquitous broadband.” Andrew Spinola, an analyst at Wells Fargo & Co., also pointed out that Intelsat and OneWeb have complementary radio-frequency licenses that they could use to better provide internet access on airplanes, among other markets. In addition, given that Intelsat has been struggling with managing a $15 billion debt pile accumulated after its 2008 leveraged buyout, the proposed deal would improve its capital structure.

SoftBank has been pushing strategic investments in broadband satellite internet services to complement its communication services. In 2016, SoftBank completed a $32 billion acquisition of ARM Holdings PLC, a U.K. microprocessor designer for wireless communication. Subsequently, SoftBank CEO Masayoshi Son promised then President-elect Trump $50 billion in United States investments as part of a $100 billion fund for technology companies. Indeed, SoftBank has already invested $1.2 billion into OneWeb. In the proposed deal’s announcement, the ambitious Mr. Son described the combination as “consistent with SoftBank’s strategy of investing in disruptive, foundational technologies that are building the infrastructure for tomorrow.” Upon completion of the deal, SoftBank will acquire 39.9% of shares in the combined company. According to the announcement, subject to the completion of the debt exchange offers, the deal is expected to close late in 2017’s third quarter.


Fines on the Horizon for Social Media Companies Complicit in Hate Speech

German officials have threatened to propose a law that would allow the country to impose fines on social network platforms for failing to remove hate speech. Interior Minister Heiko Maas’ draft of the law would permit fines of up to 50 million Euros ($53 million) if social media platforms fail to remove “obviously criminal” content within 24 hours of a complaint.

The German government under Prime Minister Angela Merkel has been increasingly willing to apply provisions of the strict German Criminal Code in response to a rise in anti-refugee attitudes throughout Europe. The law criminalizes behavior that “incites hatred against a national, racial, religious group or a group defined by their ethnic origins.”

Since 2015, tech and social media giants like Facebook, Twitter and YouTube have voluntarily attempted to remove criminal content in a joint effort with the EU Commission. The voluntary code of conduct, announced in May, included a commitment to review and remove a “majority” of flagged illegal content. But Maas says that in many cases these efforts have not yet been sufficient. A recent report showed that Facebook only removed 39 percent of flagged criminal content within the agreed timeframe and Twitter a meager 1 percent. YouTube, however, met the commitment by removing 90 percent.

A Facebook spokesman said that they were disappointed by the results of the report, admitting that their processes were a work in progress. Both Facebook and YouTube claimed that their procedures regarding content removal were robust.

In addition to combatting anti-refugee sentiment, the German Criminal Code has found renewed application against Holocaust deniers, an explicit offense in the Code. The Internet and social media have become forums for those attempting to spread this ideology. As a result, the Central Council for Jews in Germany and the World Jewish Congress have welcomed Maas’ proposed law.

German communications officials have likewise come out in support of the law, claiming that it does not abridge free speech. In his announcement, Maas asserted, “Freedom of expression ends where criminal law begins.”

Maas also hoped that this law could help combat the spread of “fake news” on the Internet. He claimed that this secondary goal could be achieved by use of defamation and slander offenses under the Criminal Code.


Bridgewater’s 10-year Transition Plan Leading to Artificial Intelligence Management

Ray Dalio has announced that he is dropping his role as co-CEO of Bridgewater to further his 10-year transition plan to change the leadership structure of the company. Bridgewater Associates, the world’s largest hedge fund, has come under fire from the media over the last year for sexual harassment claims made by employees and the company’s questionable management response. Ray Dalio, the founder of Bridgewater, has vehemently defended the hedge fund against said accusations.

The rumored next step in this transition is to replace management with artificial intelligence to save time and eliminate human emotional volatility. Bridgewater has a reputation for high turnover among its employees, and this move may be a reaction to control issues between managing staff and employees. It may also stem from Dalio’s desire to make the future of Bridgewater more predictable under machine leadership instead of under wildcard personalities. According to the 10-year plan, by 2022 Dalio plans to be monitoring Bridgewater without actively running the firm.

The high turnover rate at Bridgewater is evident not only in the bottom-level positions but in top positions as well. Jonathan J. Rubinstein served as co-CEO for 10 months before leaving the firm in May 2016. Rubinstein is revered for his technological innovation and his help in launching Apple Inc., NeXT Inc., Palm Inc. and Hewlett-Packard Co., but Mr. Dalio stated that Rubinstein was “not a cultural fit for Bridgewater.”

Dalio has been working on a secret software engineering project that would send “GPS-style directions” for how employees should spend their time, mapping out specific tasks in their day. He has called this project “The Book of the Future.” This goes along with his transparency theme for the company. With all the meetings recorded and every task of the employees monitored, the work of the company will remain efficient and predictable.

Dalio had to return as co-CEO last year after Greg Jensen had to step down from the position, as it was too demanding alongside his co-CIO position. Other management committee members hired in recent years have already left the firm, including GE Capital executive Joe Parsons, former HSBC executive Tony Murphy, and former Accenture executive Kevin Campbell. Dalio’s purpose for the 10-year transition plan was to make Bridgewater able to go on without his leadership, and with the high turnover rate among the humans who have been hired and departed, he seems to be putting his reliance on artificially intelligent staff to carry the company forward.


A New Approach to Financial Regulatory Enforcement

The regulatory enforcement of the financial industry may soon change. As the new administration settles into Washington, reports have suggested the rise of dedicated efforts to change, and potentially reduce, financial regulation by the Securities and Exchange Commission (“SEC”) and the Consumer Financial Protection Bureau. While these efforts have not yet fully materialized, there are some indications that they will soon impact the financial services industry.

The pressures to alter the regulatory framework are two-fold. First, major banks want to change the way regulatory agencies collect data related to possible crimes. If the banks can modify the framework in a way that would shift more responsibility to the government, then this may lower the banks’ costs of compliance. Second, government officials and regulatory agencies have taken steps to change the enforcement landscape from the top-down. For example, last month, the acting chairman of the SEC, Michael Piwowar, took steps to limit the agency’s powers. Piwowar’s directive gave exclusive power to the director of the enforcement division to authorize formal investigations. This will both limit inquiries and slow down the process of starting investigations. Consequently, the new structure will weaken financial regulatory enforcement.

Scaling back regulation may create undesirable consequences. Particularly concerning is the idea that violations can go undetected for quite some time until they grow into large and harmful issues. Additionally, a lack of sufficient regulation will increase the risk of another financial crisis.

On the other hand, excess regulations are not always desirable either. Too many regulations can create extremely high costs which may not be proportional to the consequential benefits of detecting minor violations. In order to prevent this, a current administration official and financial regulator has recently called for easing the strict requirements that arose after the 2008 crisis.

Ultimately, these new approaches might simply be an attempt to curb over-regulation. However, they may also offer a way for companies to tip-toe around the law in the name of generating profits. Regardless, regulatory agencies must strike a balance in structuring the new enforcement frameworks and make sure that the new regulatory regime is neither too stringent nor too lenient. This balance is key in preventing arbitrary targeting, which wastes taxpayer resources and burdens private businesses, and in incentivizing lawful behavior in the financial industry.


Professional Conduct Codes for Bankers?

Two weeks ago, the general counsel of the Federal Reserve Bank of New York issued a statement at the Yale Law School that everyone “should be concerned with culture in financial services.” Such a comment should not be very surprising due to the role that large banks and other financial institutions played during the economic crisis in 2008. Banks have since been vilified, and rightfully so, for their excessive and risky decision-making which led to one of the worst recessions in United States history.

So, how does one correct a culture built around a capitalistic and opportunistic mindset, where survival of the fittest can reap a massive monetary reward, in order to prevent another collapse? One approach, which has been implemented elsewhere around the world, is to adopt a pseudo-professional code, much akin to the codes of ethics policing lawyers, accountants, and doctors.

To analogize, here is an example from the California Rules of Professional Conduct, which states a lawyer’s duty with respect to client confidentiality. California is unique in this aspect, as California Bar members are expected to protect their client’s confidentiality at “every peril” to themselves. Could such a noble requirement find any success in the banking community?

The first difficulty is the current toxic culture of the banking community, where investment bankers are often torn between procuring the highest fee for their respective bank and providing competent and fair services to their client. More often than not, bankers will do what’s in the best interest of themselves and their employer, and put the client second. This isn’t evil; it is just human nature.

The other difficulty lies in the roles that investment bankers play. In contrast with lawyers and doctors, whose primary focus is their client, large banks not only provide advisory services, but also serve as middlemen who operate between buyers and sellers. Charging interest rates and providing loans and capital can go against the idea of getting your client “the best deal.”

Of course, with any installation of an ethics code, the issue arises of how to police conduct. Lawyers and doctors can lose their licenses or face malpractice lawsuits for their unethical behavior, but no such remedies exist, outside of criminal penalties, in the banking community. One idea is to create a database of banker misconduct. By tracking “bad apples” in the financial world, bankers would be incentivized to be on their best behavior, as failing to do so would result in difficulty finding a job in the future. While this practice and the potential of implementing ethics codes sound good on paper, real change will not occur until there is a fundamental shift in the banking culture that does not reward risky and dangerous bets in the financial markets.
