I am pleased to be here and to have the opportunity to speak about cyber-risks and the boardroom, a topic that is both timely and extremely important. Over just a relatively short period of time, cybersecurity has become a top concern of American companies, financial institutions, law enforcement, and many regulators. I suspect that not too long ago, we would have been hard-pressed to find many individuals who had even heard of cybersecurity, let alone known what it meant. Yet, in the past few years, there can be no doubt that the focus on this issue has dramatically increased.
Posts Tagged ‘Risk management’
The number, severity, and sophistication of cyber attacks—whether on our retail economy, our healthcare sector, our educational sector or, in fact, our government and defense systems—grows worse by the day. 
Among the most notable cyber breaches in the public company sphere was that hitting Target Corporation (40 million estimated credit and debit cards allegedly stolen, 70 million or more pieces of personal data also stolen, and a total estimated cost of the attack to date of approximately $300 million).  Justified or not, ISS has just issued a voting recommendation against the election of all members of Target’s audit and corporate responsibility committees—seven of its ten directors—at the upcoming annual meeting. ISS’s reasoning is that, in light of the importance to Target of customer credit cards and online retailing, “these committees should have been aware of, and more closely monitoring, the possibility of theft of sensitive information.” 
Compliance is hot.
Pick up the New York Times or the Wall Street Journal and you are likely to find a story about yet another huge fine for regulatory infractions.
In early May, to take a recent example, BNB Paribas, the big French bank, admitted that the $1.1 billion it had set aside for infractions involving sanctions regimes would not be nearly enough to cover its expected liability.
A billion dollars is a big number, but it is hardly the largest penalty we have seen in recent years. It is dwarfed, for example, by the more than $13 billion JPMorgan Chase agreed to pay to various regulatory agencies for mortgage infractions.
Numbers like these command attention.
Corporate risk taking and the monitoring of risks have remained front and center in the minds of boards of directors, legislators and the media, fueled by the powerful mix of continuing worldwide financial instability; ever-increasing regulation; anger and resentment at the alleged power of business and financial executives and boards, including particularly as to compensation during a time of economic uncertainty, retrenchment, contraction, and changing dynamics between U.S., European and emerging market economies; and consistent media attention to corporations and economies in crisis. The reputational damage to boards of companies that fail to properly manage risk is a major threat, and Institutional Shareholder Services now includes specific reference to risk oversight as part of its criteria for choosing when to recommend withhold votes in uncontested director elections. This focus on the board’s role in risk management has also led to increased public and governmental scrutiny of compensation arrangements and their relationship to excessive risk taking and has brought added emphasis to the relationship between executive compensation and effective risk management. For the past few years, we have provided an annual overview of risk management and the board of directors. This overview highlights a number of issues that have remained critical over the years and provides an update to reflect emerging and recent developments.
U.S. banking regulation resembles a cat-and-mouse game of industry change and regulatory response. Often, a crisis or industry innovation will lead to a new regulatory regime. Past regulatory regimes have included geographic restrictions, activity restrictions, disclosure mandates, risk management rules, and capital requirements. But the recently enacted Dodd-Frank Act introduced a new strain of banking-industry supervision: regulation by hypothetical. Regulation by hypothetical refers to rules that require banks to predict future crises and weaknesses. Those predictions—which by definition are speculative—become the basis for regulatory intervention. Two illustrative instances of this regulation were codified in Dodd-Frank: stress tests and living wills. They are two pillars on which Dodd-Frank builds to manage risk in systemically important financial institutions (SIFIs).  As I argue in my forthcoming article, regulation by hypothetical in Dodd-Frank should be abandoned for three reasons: it relies on a faulty premise, tasks an agency with a conflicted mission, and likely exacerbates the moral hazards involved with governmental sponsorship of private institutions. Because of these weaknesses, the regulation-by-hypothetical regime must be either abandoned (my first choice) or strengthened. One way to strengthen these hypothetical scenarios would be to conduct financial war games.
On March 12, the SEC issued a 400-page rule proposal that, if adopted as proposed, would impose a multitude of new compliance requirements on The Options Clearing Corporation (“OCC”), The Depository Trust Company (“DTC”), National Securities Clearing Corporation (“NSCC”), Fixed Income Clearing Corporation (“FICC”) and ICE Clear Europe. Since these clearing agencies play a fundamental role in the options, stock, debt, U.S. Treasuries, mortgage-backed securities and credit default swaps markets, the proposed requirements have important implications for banks, broker-dealers and other U.S. securities market participants, as well as securities exchanges, alternative trading systems and other trading venues.
The Federal Reserve has issued a final rule adopting a tiered approach for applying Dodd-Frank enhanced prudential standards to foreign banking organizations (“FBOs”). Under the tiered approach the most burdensome requirements (e.g., the requirement to establish a top-tier U.S. intermediate holding company) will only apply to FBOs with large U.S. operations, whereas fewer requirements will apply to FBOs with limited U.S. footprints.
We have summarized below the Dodd-Frank enhanced prudential standards that will apply to the following FBOs with limited U.S. footprints:
This post describes the final regulations issued by the Federal Reserve Board (the “FRB”) on February 18, 2014, that radically modify the former requirements applicable to foreign banking organizations (“FBOs”) pursuant to the FRB’s Regulation K. The final rules (the “Final Rules”) impose various requirements on large FBOs that previously have been applied to large U.S. domestic bank holding companies and banks under the Dodd-Frank Act. In addition, however, the Final Rules also alter many of the former approaches to the regulation of FBOs in general, including the necessity for many FBOs to form “U.S. intermediate holding companies” for their U.S. operations.
Regardless of the category an FBO falls into, the Final Rules present significant additional compliance burdens.
On February 18, 2014, the Board of Governors of the Federal Reserve System (the “FRB”) approved a final rule (the “Final Rule”) implementing certain of the “enhanced prudential standards” mandated by Section 165 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act” or “Dodd-Frank”). The Final Rule applies the enhanced prudential standards to (i) U.S. bank holding companies (“U.S. BHCs”) with $50 billion (and in some cases, $10 billion) or more in total consolidated assets and (ii) foreign banking organizations (“FBOs”) with (x) a U.S. banking presence, through branches, agencies or depository institution subsidiaries, and (y) depending on the standard, certain designated amounts of assets worldwide, in the United States or in U.S. non-branch assets. The Final Rule’s provisions are the most significant, detailed and prescriptive for the largest U.S. BHCs and the FBOs with the largest U.S. presence—those with $50 billion or more in total consolidated assets and, in the case of FBOs, particularly (and with increasing stringency) for FBOs with combined U.S. assets of $50 billion or more or U.S. non-branch assets of $50 billion or more.
Our observations on the Federal Reserve’s final rule:
1. Delayed effective date and higher threshold: Foreign Banking Organizations (FBOs) eked out several small victories in the final rule—in particular, the July 2015 compliance date has been pushed to July 2016 and smaller FBOs (i.e., those with under $50 billion in US non-branch assets) are no longer required to form an Intermediate Holding Company (IHC). The changes reflect the Federal Reserve’s attempt to respond to FBOs’ concerns, especially that smaller FBOs did not pose as much risk to US financial stability.