Middle Market Money

Your Guide to Understanding Regulatory Developments to Navigate the Capital Markets

New EU Rules on Credit Rating Agencies: A Brave Step to Better Functioning Financial Markets

Posted in Capital Markets, Financing & Lending

On May 13, the Council of the European Union adopted a legislative package consisting of a directive and a regulation amending the EU’s rules on credit rating agencies (“CRAs”). Adoption was preceded by agreement reached with the European Parliament at first reading in November 2012, and subsequent approval by the Permanent Representatives Committee the next month.

The amending legislation aims at reducing investors’ over-reliance on external credit ratings, mitigating the risk of conflicts of interest in credit rating activities and increasing transparency and competition in the sector.

The directive will come into force around the beginning of 2015, following its transposition by all Member States within 18 months of its publication in the Official Journal of the EU, while the regulation will be directly applicable throughout the EU 20 days after its publication in the Official Journal, that is, at some point during this summer. The European Commission is required to review the new legislation and report on it by July 1, 2016.

The Directive

The Directive amends Directive 2003/41/EC on the activities and supervision of institutions for occupational retirement provision, Directive 2009/65/EC on the coordination of laws, regulations and administrative provisions relating to undertakings for collective investment in transferable securities (UCITS) and Directive 2011/61/EU on Alternative Investment Fund Managers, in each case to address the over-reliance of these strictly regulated financial products on credit ratings. It imposes a general obligation on investment firms to adopt risk management processes that enable them to monitor and measure at any time the risk of their positions and the contribution of those positions to the overall risk profile of the relevant portfolio. It also encourages competent authorities to mitigate the impact of references to credit ratings, with a view to reducing sole and mechanistic reliance on such ratings.

The Regulation

The Regulation imposes mandatory rotation of the CRAs that issuers of structured finance products with underlying re-securitized assets employ to rate those products. In particular, such issuers will need to change their CRA every four years. It should be noted, however, that the rotation requirement does not apply to small CRAs, or to issuers employing at least four CRAs, each rating more than 10% of the total number of outstanding rated structured finance instruments.

Public disclosure provisions are introduced in order to mitigate the risks arising from certain conflicts of interest, including dual shareholdings in both the rated entity and the rating agency. Shareholders holding 5% or more of the capital or voting rights of a rating agency who also hold 5% or more of a rated entity will have to disclose these interests. Moreover, it is prohibited to own 5% or more of the capital or voting rights in more than one CRA, unless the agencies concerned belong to the same group.

A provision reducing the current review period for sovereign debt ratings from 12 months to 6 months is introduced, in light of the catastrophic impact those ratings had on the financial credibility of a number of EU Member States in the recent past. In addition, issuers and investors can claim damages for losses incurred as a result of an infringement committed intentionally or with gross negligence by the agency.

Conclusion

Having experienced the serious consequences of unchecked CRAs in the markets, which contributed substantially to the recent financial crisis, the EU is taking a brave step to regulate their influence through the adopted legislative package. The management of CRAs must be very careful in complying with the new obligations imposed on their agencies, while investors and issuers will have to adapt to the new era by designing and applying robust risk management procedures and avoiding mechanical reliance on ratings produced by CRAs.

FASB Proposes New Rules on Lease Accounting

Posted in Accounting, Compliance

After a lengthy comment period, FASB has finally issued an updated exposure draft on new lease accounting requirements, with comments on the exposure draft due by September 13, 2013.

Overview of New Rules

Consistent with the prior exposure draft (from 2010), the new exposure draft would remove the old distinction between operating leases (which had no balance sheet impact) and capital leases (which were required to be reflected on the balance sheet), and instead require that all assets and liabilities arising from leases be recognized on the balance sheet. Regardless of how a lease is classified, under the new rules lessees would be required to recognize a right-of-use asset on their balance sheets and a corresponding lease liability.

At the commencement of the lease, the asset would consist of:

  • the amount of the initial measurement of the lease liability;
  • any lease payments made at or before the commencement date, minus any lease incentives received from the lessor; and
  • any initial direct costs incurred by the lessee.

At the commencement of the lease, the corresponding liability would be measured at the present value of the lease payments, discounted using the rate the lessor charges the lessee.

Unwinding of Asset and Liability — Type A Versus Type B Leases

In a departure from the prior exposure draft, however, lessees would, in general, classify leases differently depending on whether the lease is for assets other than property (for example, equipment, aircraft, cars, or trucks) (a Type A lease) or for property (a Type B lease). How a lease is categorized would affect how the asset and liability flow through the lessee’s profit and loss statement.

If the lease is treated as a Type A lease, the lessee would reflect two separate items in its profit and loss statement: (1) the unwinding of the discount on the lease liability as interest expense (generally the result of multiplying the discount rate by the amount of the lease liability recognized on the balance sheet); and (2) the amortization expense of the asset (generally calculated on a straight-line basis).

By contrast, for Type B leases, lessees would recognize a single lease cost in their profit and loss statements that combines the unwinding of the discount on the lease liability with the amortization of the asset. The single cost would be calculated so that the remaining cost of the lease is allocated over the remaining lease term on a straight-line basis.

Next Steps

Because of the potential impact on companies’ internal control and disclosure controls processes, internal and external auditors, as well as financial and compliance teams, should begin assessing and cataloging existing leases to determine what impact the new rules would have on the accounting treatment of those leases. In addition, companies will need to analyze their existing credit agreements, loan documents, and any other agreements containing financial covenants to determine the impact of recognizing the assets and liabilities of their leases on the balance sheet and of the added expense flowing through the profit and loss statement.

As noted above, comments are due by September 13, 2013, and if FASB decides to move forward with adopting the revised accounting rules, expect to see the new rules adopted in 2014, with an effective date likely to be in 2016.

Auditor Independence – Auditor Rotation Gains Speed

Posted in Compliance

Following the PCAOB’s controversial auditor independence and mandatory auditor rotation Concept Release from August 2011, the PCAOB continues to consider various methods to enhance auditor independence, having held three public roundtable meetings and received over 670 comment letters. While the PCAOB continues to consider all of the information it has obtained from these various sources, given the controversial nature of the proposal and the amount of time that has elapsed since the Concept Release was issued, it seems unlikely that the PCAOB will issue a further proposal during the first half of this year.

However, as was discussed at some length at the various PCAOB roundtable discussions and as set forth in several of the comment letters, the European Parliament’s Committee on Legal Affairs has been considering a requirement that an auditor may serve no more than a specified number of years as a company’s independent auditor, absent certain safeguards. On April 25, 2013, the Committee on Legal Affairs voted to recommend that the European Parliament adopt a law requiring that audit firms be engaged for no more than fourteen years as independent auditors, absent additional safeguards. As initially proposed, the Committee on Legal Affairs had considered a recommendation that mandatory auditor rotation occur after a maximum engagement of six years.

The recommendation to the European Parliament for mandatory auditor rotation affects “public entities,” such as banks, insurance companies and listed companies, in order to provide investors with a degree of confidence. The law as proposed also would forbid companies from narrowing the selection of an audit firm to only the so-called Big Four firms, which is intended to create more competition among the leading audit firms.

Along the same lines, the Council of Institutional Investors (CII), in the United States, recently revised its “Policy on Auditors,” updating its policy statement to suggest that audit committees exercise a greater degree of care in their authority to hire and oversee external auditors, and that on a routine basis the audit committee should consider and conclude whether a new audit firm should be engaged. The CII supports the appropriateness of periodically changing independent auditors. In its policy statement, the CII proposed a number of factors that an audit committee should take into consideration, including the tenure of the current audit firm, its performance, its relationships with management and directors, overall consideration of audit fees and non-audit fees, a detailed assessment of the firm’s independence, its experience and skepticism, and an assessment of the firm’s audit personnel, as well as other factors.

While the PCAOB continues to consider its position in connection with auditor independence, a number of other bodies, both inside and outside the U.S., are considering more stringent requirements to assure auditor independence. The bottom line is that the audit committee likely will be charged with greater responsibility in this task, together with disclosure of its assessment and the related rationale.

Debate on Packaged Retail Investment Products Regulation’s Scope of Application: Balancing Consumer Protection with Pragmatism

Posted in Compliance

On July 3, 2012, the European Commission published a proposal for a Regulation of the European Parliament and of the Council on key information documents for investment products. The proposed regulation is intended to improve protection for retail investors and create a level playing field for providers of packaged retail investment products (PRIPs). Currently being discussed in the Committee on Economic and Monetary Affairs (ECON) of the European Parliament, the proposal has generated considerable debate concerning its scope of application, which is still seriously contested. The proposal will be put to a vote in the Committee on May 27, 2013, while a final vote at the European Parliament’s plenary is forecast for October 23, 2013.

Original scope

The original proposal provides for the application of the Regulation to all investment products where, regardless of the legal form of the investment, the amount repayable to the investor is exposed to fluctuations in reference values or in the performance of one or more assets which are not directly purchased by the investor, including investment funds, insurance products linked to financial markets and structured retail investment products.

Explicitly excluded from the original scope, however, are: (a) insurance products which do not offer a surrender value or where that surrender value is not wholly or partially exposed, directly or indirectly, to market fluctuations; (b) deposits with a rate of return that is determined in relation to an interest rate; (c) securities referred to in points (b) to (g), (i) and (j) of Article 1(2) of Directive 2003/71/EC on the prospectus to be published when securities are offered to the public or admitted to trading; (d) other securities which do not embed a derivative; (e) occupational pension schemes; and (f) pension products for which a financial contribution from the employer is required by national law and where the employee has no choice as to the pension product provider.

Suggestions to broaden the scope

A majority of Members of the European Parliament (MEPs) in the ECON Committee appear to accept that the scope of application of the proposed Regulation should be broadened further to cover other investment products. Nevertheless, no consensus has yet been reached on which specific products should be brought within the Regulation. In a meeting of the ECON Committee that took place on April 24, divergent views were expressed on how to expand the coverage of the Regulation.

While Pervenche Berès, the Rapporteur of the Committee, appears convinced that shares, bonds, savings products and bank accounts should be included, other MEPs are very skeptical, in particular with regard to a potential inclusion of savings accounts and government bonds. Recent examples of the implications of sovereign debt management in the EU, and the case of Cyprus, where depositors were called upon to contribute to the rescue of the banking system, have demonstrated that such products are not riskless. However, concerns have been expressed about the added value of such a broadened scope for the Regulation, given especially the overlap with other pieces of legislation in the same field.

Seeking balance and heavy financial consequences

Consumer protection has traditionally been one of the basic goals of the EU when adopting different types of financial regulation. The current debate concerning the scope of application of the proposed Regulation on key information documents for PRIPs comes down to a search for balance between the undisputed need to protect investors and the realistic approach of ensuring the effective operation of the markets through clear-cut, non-overlapping regulation.

Investment product developers need to follow the relevant developments closely and be ready to comply with the new requirements for their products’ marketing material, which will certainly increase compliance costs, in order to avoid the heavy fines suggested by the ECON Committee, which can be up to 10% of the total annual turnover of a company or €5,000,000 for individuals who breach the Regulation.

AIFMD Implementing Measures: Long Awaited Delegated Regulation Finally Published in the Official Journal

Posted in Capital Markets

On March 22, 2013, the Delegated Regulation supplementing the Alternative Investment Fund Managers Directive (“AIFMD”) with regard to exemptions, general operating conditions, depositaries, leverage, transparency and supervision was finally published in the Official Journal of the EU.

The Regulation is expected to bring considerable changes to the way U.S. Alternative Investment Funds operate in Europe. Their managers need to study the changes brought about by both the AIFMD and the Delegated Regulation to avoid the risk of the severe financial consequences that national legislation will impose for non-compliance. The most important provisions of the Regulation are set out below.

Calculation of Assets

The methods to be followed by investment managers when valuing assets under management are set out in detail. It must be emphasized that each derivative instrument position, including any derivative embedded in transferable securities, must be converted into its equivalent position in the underlying assets of that derivative. In addition, investments in other Alternative Investment Funds (“AIFs”) are not included. The assets under management will need to be revalued at least annually, and continuous monitoring through periodic recalculation of values must take place.

Additional Own Funds and Professional Indemnity Insurance

An Alternative Investment Fund Manager (“AIFM”) is required to adopt and implement effective internal risk management policies and procedures in order to identify, measure, manage and monitor the operational risks, including professional liability risks, to which the AIFM is or could be exposed. Moreover, AIFMs must hold additional own funds to cover professional liability risks amounting to at least 0.01% of the value of the portfolios of AIFs managed.

Operating Conditions

As a general rule, AIFMs shall apply a high standard of diligence in the selection and ongoing monitoring of investments. In particular, such diligence should apply when selecting and appointing counterparties and prime brokers, who are required to be financially sound, subject to ongoing supervision by a public authority and in possession of the necessary organizational structure and resources for the required services. Moreover, AIFMs have to act honestly and fairly and in accordance with the best interests of the AIFs they manage. The Regulation expressly sets out protection against the risk of inducements where the AIFM receives any monetary or non-monetary benefit other than the fees and commissions paid by the AIF or by third parties, and sets out disclosure requirements for all such benefits.

Valuation

AIFMs shall establish, maintain, implement and review, for each AIF they manage, written policies and procedures that ensure a sound, transparent, comprehensive and appropriately documented valuation process. Any valuation policies adopted by the AIFM have to address the following: (i) the competence and independence of personnel carrying out the valuation of assets; (ii) the specific investment strategies of the AIF and the assets in which the AIF might invest; (iii) the controls over the selection of valuation inputs, sources and methodologies; (iv) the escalation channels for resolving differences in values for assets; (v) any adjustments to valuations related to the size and liquidity of positions or to changes in market conditions, as appropriate; (vi) the appropriate time for closing the books for valuation purposes; and (vii) the appropriate frequency for valuing assets.

Delegation

Fundamental decision-making functions, such as those relating to the risk management of the portfolio, shall remain with the AIFM so that the AIFM does not become a mere “letter box” entity. In particular, the following need to be considered when assessing the objectives of a delegation structure: (a) optimization of business functions and processes; (b) cost saving; (c) the expertise of the delegate in administration or in specific markets or investments; and (d) the access of the delegate to global trading capabilities.

Conclusion

While many of these provisions seem to be common sense, the devil is in the detail. The new compliance requirements are likely to result in increased operating costs. They may take time to become fully effective, and this may have an impact on a broad spectrum of AIFM activities. Managers of AIFs need to be prepared for the new regime and the changes that will need to be made to the operation of their AIFs if they are to remain fully compliant and avoid the risk of what will probably be serious penalties.

Cyprus — A Lesson For Risk Assessment

Posted in Capital Markets, Financing & Lending

During the past couple of weeks, the financial world has turned its attention to Cyprus as European finance ministers have grappled with the latest systemic threat to the euro system. In this case, Cyprus’ banking system collapsed due to sour investments and balance sheets bloated with foreign deposits. While Cyprus is but the latest in a series of challenged national banking systems in Europe (see Iceland, Ireland, Spain, Portugal and Italy), the solution proposed by European finance ministers was without precedent.

The Bailout

As has been well documented, European finance ministers proposed a bailout for Cyprus that included a requirement for Cyprus to confiscate part of the deposit accounts held in Cypriot banks. As originally proposed, this “tax” on the banking system would apply to all depositors, regardless of any existing deposit insurance system in place to protect these accounts. Due to intense political pressure inside the EU and Cyprus, the final bailout proposal bifurcated accounts, protecting insured accounts with balances of €100,000 or less while heavily taxing accounts in excess of that amount.

Confiscation of Deposit Accounts in a Time of Crisis

It is disconcerting that Western governments and their finance ministers would even consider proposing a remedy that suggests deposit accounts could be confiscated in this fashion. Since the worldwide financial crisis of the 1930s, Western governments have enacted measures such as the U.S. Federal Deposit Insurance Corporation to insure these accounts and protect them from bank failures. As you will recall, in the U.S. financial crisis of 2008, Congress moved to increase federal deposit insurance limits to protect depositors and to ensure a smoothly operating banking system. One of the more important stabilizers, the Transaction Account Guarantee Program, which expired at the end of 2012, uncapped deposit insurance in order to reassure corporate treasurers that their deposits were safe. The initial proposal of the regulators in Europe is the antithesis of this fundamental protection in the global banking system.

The ultimate resolution of the Cyprus crisis should not be viewed as any less threatening. In a more normal banking system, a tax on large depositors would hit significant corporate and institutional working capital accounts, cash management accounts and related liquid accounts of businesses and institutions.

Time to Re-Examine Cash Management Accounts and Risk Exposure

For middle market companies in the United States, this recent crisis should at least prompt a re-examination of the banking risk exposure of their cash management accounts. Certainly, if significant funds are held outside of the United States in tax havens, risk managers should understand the deposit insurance system in place in the particular jurisdiction and how it applies to foreign accounts. Moreover, in the United States, careful consideration should be given to holding significant funds in uninsured deposit accounts or to concentrating credit exposure in one financial institution. While there is no reason to believe that the United States would ever impose such a “tax” on deposit accounts, there was certainly little warning, until a few weeks ago, that European finance ministers would take this position.

European Venture Capital Funds Regulation: Getting Closer to Full Application of a New Regime

Posted in Capital Markets, Venture Capital

On March 12, the European Parliament voted to approve the proposal for a European Venture Capital Funds Regulation. Although formal approval by the Council is still pending, the final adoption of the Regulation, which is scheduled to enter into force on July 22, 2013 to coincide with the implementation of the Alternative Investment Fund Managers Directive (“AIFMD”), should be considered certain.

Scope

The Regulation provides that managers of European Venture Capital Funds who do not require authorization under the AIFMD may opt to apply for a marketing passport that will allow them to raise capital freely throughout the EU, benefiting from regulatory requirements that are admittedly less onerous than those of the AIFMD.

The Regulation applies to managers of collective investment undertakings, provided that (i) they manage portfolios of qualifying venture capital funds whose assets under management in total do not exceed a threshold of EUR 500 million (the method of calculating this threshold will be further specified in delegated acts, which the Commission is empowered to adopt); and (ii) their collective investment undertakings invest at least 70 percent of their aggregate capital contributions and uncalled committed capital in assets that are qualifying investments, as defined by the Regulation.

As it stands, the new legislation will apply only to EU funds; however, review of the regulation two years after the commencement of its application might extend the scope to cover non-EU funds based in countries that fulfill certain tax-related requirements.

Information to Competent Authorities

The regulatory requirements with which managers of European Venture Capital Funds need to comply vis-à-vis the competent National Authorities include the disclosure of: (i) the composition of the investment portfolio; (ii) the identity of the persons who effectively conduct the business of managing the fund; (iii) the identity of the funds whose units or shares will be marketed and their investment strategies; and (iv) the Member States where the venture capital fund manager intends to market each fund and the intention to market a new qualifying fund.

Information to Investors

At the same time, managers should provide their investors with information on (i) the identity of the manager and the fund’s investment strategy, risk profile, valuation procedure and pricing strategy; (ii) the remuneration of the manager of the qualifying fund; (iii) the fees, charges and expenses that will be borne by investors; and (iv) the fund’s historical performance and the procedures for amending its investment strategies and policies. In contrast with the AIFMD, there is no requirement to appoint a depositary, and the manager can delegate functions to third parties, although its liability is unaffected by such delegation.

Conclusion

All in all, investment managers of qualifying European Venture Capital Funds should seriously consider the new Regulation as a way of gaining more flexibility in their investments through the less burdensome regulatory requirements it imposes. Bearing in mind that the review of the Regulation in two years’ time will probably extend its application to venture capital funds established outside the EU, managers of such funds should pay close attention to the new regime in order to be prepared to bring their funds into it.

Cybersecurity in the EU: New Compliance Requirements in the Spotlight

Posted in Capital Markets, Compliance

On February 7, 2013, the European Commission published its long-awaited cybersecurity package, consisting of the Cybersecurity Strategy for the EU and a proposal for a Directive on Network and Information Security. The EU affirmed its commitment to reinforcing the protection of critical infrastructure from cyber threats by proposing legislation that is going to affect a significant portion of industry, including the financial sector. The new legislation is also going to apply to a significant number of U.S. companies operating in Europe.

Cybersecurity Strategy

The Cybersecurity Strategy for the EU reiterates the fundamental premise of the Digital Agenda, namely that the EU’s core values (such as the protection of fundamental rights, the need to provide open access for all, democratic and efficient multi-stakeholder governance and the establishment of shared responsibility to ensure security) apply to the digital world as well. This creates an internationally unique approach to cybersecurity, the particulars of which should be regarded as a compromise between the need to uphold fundamental rights and the promotion and protection of business interests. The basic targets of the cybersecurity strategy include, in particular, cyber resilience, the reduction of cybercrime and the development of the required industrial and technological resources, and are spelled out as priorities on the road to a uniform and coherent EU-wide cybersecurity policy.

Proposal for a Directive

The proposal for a Directive addresses EU and U.S. financial market operators, among other critical infrastructure operators from the energy, banking, transportation and health sectors, that fall within the scope of the proposed legislation and would be required to comply with a number of new requirements to secure their networks against cyber attacks. They will have to take appropriate technical and organizational measures to protect their IT systems from cyber intrusions, notify security incidents having a significant impact on the security of their core services to the competent Cybersecurity Authority, and inform the public (if deemed necessary by that authority). In addition, information on the security measures taken will have to be submitted to the Cybersecurity Authority, and companies will be required to undergo a security audit by a qualified independent auditor or national authority and to comply with standards and/or technical specifications as determined by Commission implementing acts.

Required Action

The cybersecurity package comes as a response to increasing awareness of network security in Europe. Market participants in the financial industry, as well as operators of other critical infrastructure, should already be taking the necessary steps to protect their networks from cyber attacks in order to avoid the severe financial and reputational consequences that such attacks involve. More particularly, they need to deploy up-to-date technical controls while at the same time managing and mitigating their risks through a review and amendment of their contractual documentation in cooperation with skilled attorneys, the design of effective internal compliance programs, including a cybersecurity policy, and the purchase of insurance coverage that best fits the nature of their business.

Enter the Dragon: Understanding Inbound Chinese Cross-Border Transactions

Posted in Capital Markets

Although the economic climate and the global business world continue to evolve and change dramatically, the steady increase in the number of cross-border transactions, particularly inbound and outbound transactions involving China, has remained constant. Despite the well-documented challenges, the incentives remain strong for both U.S. domestic firms (e.g., the ability to lower production and manufacturing costs, and access to a Chinese economy and markets that have expanded at an average rate of more than 10% since 2005) and Chinese firms (e.g., access to raw materials, intellectual property, technology and know-how).

This past decade has firmly established that, regardless of the perspective, well-structured and properly executed cross-border mergers and acquisitions create value and are important for growth.

This blog post focuses on key issues to consider when contemplating a Chinese inbound investment.

  1. Consider Barriers to Market Entry. At the outset, firms and investors must carefully evaluate and review Chinese laws and requirements relating to foreign investment in the industry in question, specifically: (i) restrictions on the ownership percentage of a foreign shareholder, (ii) qualification requirements, and (iii) the level and scope of oversight by Chinese regulatory authorities.
  2. Structure/Investment Vehicle. Foreign firms and investors now have the ability to choose from a wide range of investment vehicles when entering the Chinese market, including, but not limited to, (i) the Wholly Foreign Owned Enterprise (WFOE), (ii) an Equity or Cooperative Joint Venture, (iii) a Foreign Invested Company Limited By Shares (FICLS), (iv) a Foreign Invested Partnership and (v) a Foreign Invested Holding Company. Each investment vehicle has its advantages and disadvantages, and the “right” vehicle will ultimately come down to the negotiated deal and your individual business goals.
  3. Regulatory Approvals. The regulatory approval process depends on the nature and structure of the individual transaction; however, every foreign investment transaction must obtain approval from the Ministry of Commerce (MOFCOM). Additional registration with or approval from, among others, the State Administration for Industry and Commerce, the China Securities Regulatory Commission, the applicable Foreign Exchange Bureau and the State-Owned Enterprises and Assets Supervisory Bureau may be, and often is, required.

As the Chinese economy remains one of the fastest growing in the world, foreign investment continues to be strong. By doing your homework, choosing the “right” Chinese partner(s), and properly understanding the risks and requirements, you greatly improve your chances of creating value and meeting your business goals.

Cybersecurity and Information Technology — The Need for Directors to Gain IT Expertise

Posted in Compliance

By larryhallff

The PricewaterhouseCoopers Center for Board Governance (“PWC”) recently published a how-to guide for overcoming the “IT confidence gap” among public company directors.  The guide includes a study which finds that “less than 1% of Fortune 500 directors have been or are currently Chief Information Officers.”  In addition to this lack of expertise, the study finds that boards lack IT information: most directors surveyed wanted significantly more information about IT risks and strategies.  In short, the study finds that although IT is a critical aspect of American business practice, most public company directors are not familiar with the contours of a sound IT framework.

In light of the “IT confidence gap” raised by the PWC guide, we highlight below the three topics that feature particularly significant legal considerations.

Data Security

Cybersecurity is a challenging burden for many companies.  Even Apple, well known for its security measures, reported a security breach on February 19, 2013.  Cyberattacks not only cause costly reputational damage, but also impose immediate legal and compliance hurdles (including the disclosure implications highlighted on our blog in October and November of 2012). For example, almost all states enforce “security breach notification” laws, requiring, among other things, prompt notice to customers or clients whose personal information has been accessed during a breach.  This notice must be in a particular form, and certain states also require notice to various state agencies.  Because these laws generally apply based on where the affected individuals reside rather than where the company operates, a single incident can trigger the notification rules of many states at once, and companies with a multi-state presence face significant challenges in formulating a coherent, unified response to security breaches.  Determining which individuals’ information was actually accessed is a forensic question, so the ability to meet these notice obligations depends in practice on the company’s logging and incident-response capabilities.

Data Privacy

Privacy policies are becoming an important element of a company’s regulatory framework.  A company must carefully monitor disclosures of consumer information to third parties and to those within the company, which are typically regulated by both state and federal law (e.g., the federal Gramm-Leach-Bliley Act and the California Online Privacy Protection Act).  As e-commerce and the storage of private consumer information (e.g., debit card numbers) become more common, companies must craft compliant privacy policies and disclose those policies to consumers when required.  More importantly, businesses must understand and abide by such policies: a company that fails to honor the privacy practices it publicly promises exposes itself to enforcement for deceptive practices, regardless of how carefully the policy was drafted.

Social Media

Using social media presents both great opportunity and great risk for officers and directors; two recent events provide examples of its potential pitfalls.  Most recently, in January 2013, Scott Griffith, the CEO of Zipcar, tweeted regarding the sale of his company, prompting the company’s counsel to make an SEC Form 8-K filing disclosing the tweet.  Similarly, Reed Hastings, CEO of Netflix, posted user viewing data on Facebook in July 2012, and the SEC staff subsequently issued a “Wells Notice” to Netflix and Hastings stating that the Facebook post violated Regulation FD.  Regulation FD requires companies that selectively disclose “material non-public information” to covered persons (for example, investment analysts) to make that information available to all investors, via an SEC filing or press release, simultaneously where the selective disclosure is intentional and promptly where it is unintentional. To balance social media’s great marketing potential with the above risks, businesses should draft social media policies specifying which topics may be published via Twitter and Facebook, by whom, and with what prior review.

Conclusion

The above issues comprise only part of the IT-related issues officers and directors may face; the PWC guide specifies related issues and outlines the steps a board may take in developing a comprehensive IT strategy.  IT is driving much of big business in America, and it is time for corporate leaders to fully understand the risks underlying a company’s digital footprint.

McKenna Long & Aldridge LLP has an experienced, cross-practice Cybersecurity team, skilled in providing guidance related to Cybersecurity and Data Privacy, the two issues with the most potential for legal and compliance risks. Please feel free to contact our Cybersecurity specialists here.