Posts Tagged ‘Risk’

Changing the Cyber Security Playing Field in 2015

Posted by Paul Ferrillo, Weil, Gotshal & Manges LLP, on Tuesday January 20, 2015 at 8:36 am
  • Print
  • email
  • Twitter
Editor’s Note: Paul A. Ferrillo is counsel at Weil, Gotshal & Manges LLP specializing in complex securities and business litigation. This post is based on a Weil Alert authored by Mr. Ferrillo; the complete publication, including footnotes, is available here.

“If this incident [Sony] isn’t a giant wake-up call for U.S. corporations to get serious about cybersecurity, I don’t know what is. I’ve done more than two dozen speaking engagements around the world this year, and one point I always try to drive home is that far too few organizations recognize how much they have riding on their technology and IT operations until it is too late. The message is that if the security breaks down, the technology stops working—and if that happens the business can quickly grind to a halt. But you would be hard-pressed to witness signs that most organizations have heard and internalized that message, based on their investments in cybersecurity relative to their overall reliance on it.”

— Author Brian Krebs, Dec. 20, 2014.

“For those worried that what happened to Sony could happen to you, I have two pieces of advice. The first is for organizations: take this stuff seriously. Security is a combination of protection, detection and response. You need prevention to defend against low-focus attacks and to make targeted attacks harder. You need detection to spot the attackers who inevitably get through. And you need response to minimize the damage, restore security and manage the fallout.”

— Professor Bruce Schneier, Dec. 19, 2014.

Without a doubt, the last month in the world of cyber security has been tumultuous. It has now been confirmed that two companies in the United States have potentially been the subject of cyber-terrorism. Servers have been taken down or wiped out. Businesses have been significantly disrupted. Personally identifiable employee information has been shoveled by the pound onto Internet credit card “market” sites. The cyber security world has changed. And two of the most respected men in cyber security have both iterated similar messages: it is time for U.S. corporations to take this stuff seriously.

…continue reading: Changing the Cyber Security Playing Field in 2015

Ownership Structure, Voting, and Risk

Posted by R. Christopher Small, Co-editor, HLS Forum on Corporate Governance and Financial Regulation, on Thursday January 8, 2015 at 9:06 am
  • Print
  • email
  • Twitter
Editor’s Note: The following post comes to us from Amrita Dhillon, Professor of Economics at King’s College London, and Silvia Rossetto of the Toulouse School of Economics at the University of Toulouse.

In our paper Ownership Structure, Voting and Risk, forthcoming in the Review of Financial Studies, we investigate the interaction between the ownership structure of publicly traded firms and their risk profiles. In particular, we show how the potential for conflict of interest between shareholders on risk decisions may cause the emergence of activist mid-sized investors. In turn, ownership structure affects the risk decisions that firms make.

It is natural to believe that the choice of shares to hold in a company is a trade off between diversification and control: large size comes with control at the cost of diversification. Many firms, however, have mid-sized shareholders who are neither well diversified nor have control. For example, in the United States (where it is widely agreed that regulation helps dispersed ownership), 67% of public firms have more than one shareholder with a stake larger than 5%, while only 13% are widely held and 20% have only one blockholder (Dlugosz et al., 2006). In Europe (where concentrated ownership is the norm), in eight out of the nine largest stock markets of the European Union, the median size of the second largest voting block in large publicly listed companies exceeds five percent (data from the European Corporate Governance Network). Why do such mid-sized shareholders emerge?

…continue reading: Ownership Structure, Voting, and Risk

The Importance of a Battle-Tested Cyber Incident Response Plan

Posted by Paul Ferrillo, Weil, Gotshal & Manges LLP, on Friday December 19, 2014 at 9:00 am
  • Print
  • email
  • Twitter
Editor’s Note: The following post comes to us from Paul A. Ferrillo, counsel at Weil, Gotshal & Manges LLP specializing in complex securities and business litigation, and is based on a Weil Alert authored by Mr. Ferrillo.

“The scope of [the Sony Pictures Entertainment (SPE)] attack differs from any we have responded to in the past, as its purpose was to both destroy property and release confidential information to the public…. The bottom line is that this was an unparalleled and well planned crime, carried out by an organized group, for which neither SPE nor other companies could have been fully prepared.”

— Remarks by Kevin Mandia, “Sony Investigator Says Cyber Attack ‘Unparalleled’ Crime,” Reuters, December 7, 2014. [1]

“The days of the IT guy sitting alone in a dark corner are long gone. Cybersecurity has become an obvious priority for C-Suites and boardrooms, as reputations, intellectual property and ultimately lots of money are on the line.”

— Priya Ananda, “One Year After Target’s Breach: What Have We Learned?” November 1, 2014. [2]

“Resiliency is the ability to sustain damage but ultimately succeed. Resiliency is all about accepting that I will sustain a certain amount of damage.”

— NSA Director and Commander of U.S. Cyber Command Admiral Mike Rogers, September 16, 2014. [3]

We have definitively learned from the past few months’ worth of catastrophic cyber security breaches that throwing tens of millions of dollars at “preventive” measures is simply not enough. The bad guys are too far ahead of the malware curve for that. [4] We have also learned that there are no such things as quick fixes in the cyber security world. Instead, the best approach is a holistic approach: basic blocking and tackling such as password protection, encryption, employee training, and strong, multi-faceted intrusion detection systems [5] really trump reliance on a “50 foot high firewall” alone. But there are also two more things that are critical to a holistic cyber security approach: a strong, well-practiced Incident Response Plan (IRP), and, as Admiral Rogers noted above, the concept of cyber-resiliency, i.e., the ability to take your lumps, but continue your business operations unabated.

In this post, we tackle two questions: (1) What are the essential elements of a Cyber IRP? and (2) Why are IRPs so important to your organization?

…continue reading: The Importance of a Battle-Tested Cyber Incident Response Plan

Cyber Security, Cyber Governance, and Cyber Insurance

Posted by Paul Ferrillo, Weil, Gotshal & Manges LLP, on Thursday November 13, 2014 at 9:07 am
  • Print
  • email
  • Twitter
Editor’s Note: Paul A. Ferrillo is counsel at Weil, Gotshal & Manges LLP specializing in complex securities and business litigation. This post is based on an article authored by Mr. Ferrillo and Christine Marciano, President of Cyber Data Risk Managers.

JP Morgan Chase. Community Health Systems. The Home Depot. Kmart. There has been no shortage of data breaches in recent weeks—with new developments on an almost daily basis. The age of cyber hactivisim, cyber extortion, and cyber terrorism is here, and it is not going away any time soon.

Data security issues are no longer just an IT Department concern. Indeed, they have become a matter of corporate survival, and therefore companies should incorporate them into enterprise risk management and insurance risk transfer mechanisms, just as they regularly insure other hazards of doing business. As the number of data breaches has increased, the demand for cyber insurance has likewise dramatically increased more than that for any other insurance product in recent years. Every board of directors should be questioning its officers and management as to “whether or not its company should be purchasing cyber insurance to mitigate its cyber risk.” If management answers, “Oh, it costs too much,” or “Oh, it will never pay off,” second opinions should be obtained. Rapidly. Because neither answer is correct.

…continue reading: Cyber Security, Cyber Governance, and Cyber Insurance

Ten Key Points from the Final Risk Retention Rule

Posted by Yaron Nili, Co-editor, HLS Forum on Corporate Governance and Financial Regulation, on Sunday November 2, 2014 at 9:00 am
  • Print
  • email
  • Twitter
Editor’s Note: The following post comes to us from PricewaterhouseCoopers LLP and is based on a PwC publication by Christopher Merchant, Frank Serravalli, and Daniel Sullivan.

This week six federal agencies (Fed, OCC, FDIC, SEC, FHFA, and HUD) finalized their joint asset-backed securities (ABS) risk retention rule. As expected, the final rule requires sponsors of ABS to retain an interest equal to at least 5% of the credit risk in a securitization vehicle.

1. A win for the mortgage industry: The final rule effectively broadens the original proposal’s exemption from risk retention requirements for Qualified Residential Mortgages (QRM) by tying the definition of QRM to the Consumer Finance Protection Bureau’s definition of Qualified Mortgage (QM). This alignment abandons the proposal’s most stringent requirements to obtain the QRM exemption, including that a residential mortgage have at least a 20% down payment. The final rule also provides an additional exemption for certain mortgages that would not meet the QRM standards, e.g., community-focused residential mortgages. The immediate impact of the rule on the industry is further muted, given the significant amount of mortgages issued by government sponsored entities (i.e., Fannie Mae, Freddie Mac, and Ginnie Mae) that are currently exempt from the rule’s requirements. It may however be too soon for the industry to celebrate, as the final rule states that the agencies will reassess the effectiveness of the QRM definition at reducing securitization risk at most four years from now, and every five years thereafter.

…continue reading: Ten Key Points from the Final Risk Retention Rule

Risk Governance: Banks Back to School

Posted by Kobi Kastiel, Co-editor, HLS Forum on Corporate Governance and Financial Regulation, on Sunday September 14, 2014 at 9:00 am
  • Print
  • email
  • Twitter
Editor’s Note: The following post comes to us from Dan Ryan, Leader of the Financial Services Advisory Practice at PricewaterhouseCoopers LLP, and is based on a PwC publication.

On September 2, 2014, the Office of the Comptroller of the Currency (“OCC”) finalized its risk governance framework for large banks and thrifts (“Guidelines”) that was proposed in January 2014. [1] The Guidelines formalize the heightened risk management standards that the OCC has been communicating through the supervisory process for several years, but do so somewhat more flexibly than the January proposal (“proposal”) did. Although many firms have been working to enhance their risk management programs to meet the proposal and supervisory communications, most still have work to do in order to meet the Guidelines’ requirements.

The Guidelines maintain the proposal’s emphasis on risk governance at the bank level to ensure safety and soundness, and affords the OCC greater flexibility (prescribed under regulations) to take enforcement actions in response to a bank’s compliance failure. The responsibility to oversee risk management remains with the Board of Directors which retains its ultimate risk governance oversight role; however, the Guidelines clarify that the Board need not take on responsibility for day-to-day managerial duties as the proposal had suggested.

…continue reading: Risk Governance: Banks Back to School

Cyber Security and Cyber Governance: Federal Regulation and Oversight—Today and Tomorrow

Posted by Paul Ferrillo, Weil, Gotshal & Manges LLP, on Wednesday September 10, 2014 at 9:00 am
  • Print
  • email
  • Twitter
Editor’s Note: Paul A. Ferrillo is counsel at Weil, Gotshal & Manges LLP specializing in complex securities and business litigation. This post is based on an article authored by Mr. Ferrillo and David J. Schwartz.

In our June 4, 2014 article on cyber security and cyber governance [1] we noted that for many reasons, boards of directors and executives of U.S. companies needed to reexamine how they protect (and respond to the successful hacking of) their most critical intellectual property and customer information. One of the reasons was that all signs out of Washington, D.C. pointed towards increasing federal regulation and oversight of cyber security for public and private companies, and particularly for those in the financial services sector. Further, we foresaw not only heightened scrutiny from regulators, but increasing class action litigation, with plaintiffs accusing boards and management of not taking the appropriate steps to protect company and client data. Our predictions were correct on all fronts.

…continue reading: Cyber Security and Cyber Governance: Federal Regulation and Oversight—Today and Tomorrow

Shift from Voluntary to Mandatory Disclosure of Risk Factors

Posted by June Rhee, Co-editor, HLS Forum on Corporate Governance and Financial Regulation, on Thursday July 17, 2014 at 9:23 am
  • Print
  • email
  • Twitter
Editor’s Note: The following post comes to us from Karen K. Nelson, the Harmon Whittington Professor at Accounting at Rice University, Jones Graduate School of Business, and Adam C. Pritchard, the Frances and George Skestos Professor of Law at University of Michigan Law School.

In our paper, Carrot or Stick? The Shift from Voluntary to Mandatory Disclosure of Risk Factors, we investigate public companies’ disclosure of risk factors that are meant to inform investors about risks and uncertainties. We compare risk factor disclosures under the voluntary, incentive-based disclosure regime provided by the safe harbor provision of the Private Securities Litigation Reform Act, adopted in 1995, and the SEC’s subsequent disclosure mandate, adopted in 2005.

…continue reading: Shift from Voluntary to Mandatory Disclosure of Risk Factors

The Fed’s Wake-Up Call to Bank Directors

Posted by Edward D. Herlihy and Lawrence S. Makow, Wachtell, Lipton, Rosen & Katz, on Wednesday June 18, 2014 at 4:00 pm
  • Print
  • email
  • Twitter
Editor’s Note: Edward D. Herlihy and Lawrence S. Makow are partners in the Corporate Department at Wachtell, Lipton, Rosen & Katz. The following post is based on a Wachtell Lipton memorandum by Mr. Herlihy and Mr. Makow; the complete publication, including footnotes, is available here.

The Dodd-Frank Act was undoubtedly a thorough re-working of the regulatory paradigm for banks and other financial institutions. But no less resolute are the intentions of U.S. banking regulators to carry regulatory reform further, based in significant part on perceived “macroprudential” authority after Dodd-Frank. The new regulatory paradigm will increasingly leave behind bank regulation’s traditional moorings in the protection of federally insured deposits and safe and sound operation of banking organizations. Instead, “macroprudential” regulation will rest on the goals of protecting U.S. financial stability and reducing systemic risk—broad, malleable concepts that elude precise definition. It will seek to influence activities not just of banking organizations but also activities conducted by non-bank entities not traditionally subject to prudential regulation. And, according to an important speech given last week by Federal Reserve Governor Daniel K. Tarullo, the new regulatory paradigm embraces consideration of a potentially unprecedented expansion of the fiduciary duties of directors of banking institutions. This would give such directors very potent incentives to prioritize supervisory goals—including macroprudential objectives.

…continue reading: The Fed’s Wake-Up Call to Bank Directors

Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus

Posted by Luis A. Aguilar, Commissioner, U.S. Securities and Exchange Commission, on Tuesday June 17, 2014 at 9:06 am
  • Print
  • email
  • Twitter
Editor’s Note: Luis A. Aguilar is a Commissioner at the U.S. Securities and Exchange Commission. This post is based on Commissioner Aguilar’s remarks at the recent “Cyber Risks and the Boardroom” Conference; the full text, including footnotes, is available here. The views expressed in the post are those of Commissioner Aguilar and do not necessarily reflect those of the Securities and Exchange Commission, the other Commissioners, or the Staff.

I am pleased to be here and to have the opportunity to speak about cyber-risks and the boardroom, a topic that is both timely and extremely important. Over just a relatively short period of time, cybersecurity has become a top concern of American companies, financial institutions, law enforcement, and many regulators. I suspect that not too long ago, we would have been hard-pressed to find many individuals who had even heard of cybersecurity, let alone known what it meant. Yet, in the past few years, there can be no doubt that the focus on this issue has dramatically increased.

…continue reading: Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus

Next Page »
 
  •  » A "Web Winner" by The Philadelphia Inquirer
  •  » A "Top Blog" by LexisNexis
  •  » A "10 out of 10" by the American Association of Law Librarians Blog
  •  » A source for "insight into the latest developments" by Directorship Magazine