In our June 4, 2014 article on cyber security and cyber governance, we noted that for many reasons, boards of directors and executives of U.S. companies needed to reexamine how they protect (and respond to the successful hacking of) their most critical intellectual property and customer information. One of the reasons was that all signs out of Washington, D.C. pointed towards increasing federal regulation and oversight of cyber security for public and private companies, and particularly for those in the financial services sector. Further, we foresaw not only heightened scrutiny from regulators, but increasing class action litigation, with plaintiffs accusing boards and management of not taking the appropriate steps to protect company and client data. Our predictions were correct on all fronts.
Posts Tagged ‘Weil Gotshal’
Why the Cybersecurity Framework was created and why it is so important
Despite the fact that companies are continuing to increase spending on cybersecurity initiatives, data breaches continue to occur. According to The Wall Street Journal, “Global cybersecurity spending by critical infrastructure industries was expected to hit $46 billion in 2013, up 10% from a year earlier according to Allied Business Intelligence Inc.” Despite the boost in security spending, vulnerabilities, threats against these vulnerabilities, data breaches and destruction persist. To combat these issues, the President on February 12, 2013 issued Executive Order (EO) 13636, “Improving Critical Infrastructure Cybersecurity.” The EO directed NIST, in cooperation with the private sector, to develop and issue a voluntary, risk-based Cybersecurity Framework that would provide U.S. critical infrastructure organizations with a set of industry standards and best practices to help manage cybersecurity risks.
There are four competing business propositions affecting most American businesses today. Think of them as four freight trains on different tracks headed for a four-way stop signal at fiber optic speed.
First, with a significant potential for cost savings, American business has adopted cloud computing as an efficient and effective way to manage countless bytes of data from remote locations at costs that would be unheard of if they were forced to store their data on hard servers. According to one report, “In September 2013, International Data Corporation predicted that, between 2013 and 2017, spending on public IT cloud computing will experience a compound annual growth of 23.5%.” Another report noted, “By 2014, cloud computing is expected to become a $150 billion industry. And for good reason—whether users are on a desktop computer or mobile device, the cloud provides instant access to data anytime, anywhere there is an Internet connection.”
The Supreme Court issued its decision yesterday [June 16, 2014] in Republic of Argentina v. NML Capital, No. 12-842, holding that the Foreign Sovereign Immunities Act (FSIA) does not limit the scope of discovery available to a judgment creditor in post-judgment execution proceedings against a foreign sovereign.
As part of NML’s efforts to collect on various litigation judgments entered against Argentina following its default on bond obligations, NML sought discovery of Argentina’s assets around the world in an attempt to locate Argentine property that might be subject to attachment and execution. Those efforts included subpoenas served on Bank of America and Banco de la Nacion Argentina, both of which had offices in New York. The subpoenas generally sought information about Argentina’s accounts, balances, transaction histories and funds transfers. Argentina and the banks sought to quash the subpoenas, contending that they violated the FSIA by seeking discovery of Argentina’s extraterritorial assets that were beyond the reach of U.S. courts. The district court denied the motion to quash, and the Second Circuit affirmed. Only Argentina sought review in the Supreme Court.
The announcement of the Credit Suisse guilty plea on May 19, 2014 marks the first time in more than a decade that a large financial institution has been convicted of a financial crime in the United States. For this reason alone, some will herald it a watershed moment in the history of corporate criminal liability. But the government’s well-publicized efforts to mitigate the collateral consequences resulting from the plea will likely limit the plea’s practical significance for companies that find themselves in the unenviable position of negotiating a resolution of criminal allegations with the government. This post will explore the potential implications of the Credit Suisse guilty plea for corporate criminal liability.
The number, severity, and sophistication of cyber attacks—whether on our retail economy, our healthcare sector, our educational sector or, in fact, our government and defense systems—grow worse by the day.
Among the most notable cyber breaches in the public company sphere was that hitting Target Corporation (40 million estimated credit and debit cards allegedly stolen, 70 million or more pieces of personal data also stolen, and a total estimated cost of the attack to date of approximately $300 million). Justified or not, ISS has just issued a voting recommendation against the election of all members of Target’s audit and corporate responsibility committees—seven of its ten directors—at the upcoming annual meeting. ISS’s reasoning is that, in light of the importance to Target of customer credit cards and online retailing, “these committees should have been aware of, and more closely monitoring, the possibility of theft of sensitive information.”
On July 2, 2013, the United States Securities and Exchange Commission (the SEC) announced two new initiatives aimed at preventing and detecting improper or fraudulent financial reporting. We previously noted that one of these initiatives, a computer-based tool called the Accounting Quality Model (AQM, or “Robocop”), is designed to enable real-time analytical review of financial reports filed with the SEC in order to help identify questionable accounting practices.
Public companies that have recently adopted or are considering adopting bylaws that disqualify director nominees who receive compensation from anyone other than the company should be aware of new FAQs released yesterday by Institutional Shareholder Services (ISS) and the potential impact the FAQs may have on forthcoming director elections. Such bylaws typically operate in conjunction with advance notice bylaws that require proponents to disclose compensation arrangements with their nominees. Compensation payable by a third party for director candidacy and/or board service—for example, by an insurgent in a contested director election—may call into question a director’s undivided loyalty to the company and all of its shareholders.
On November 15, 2013, the US Securities and Exchange Commission (“SEC” or “the Commission”) released its Annual Report to Congress on the Dodd-Frank Whistleblower Program (“the Report”). The Report is remarkable for three reasons. First, the Report shows that, despite very significant efforts to publicize the program, the SEC is not seeing a meaningful increase in the number of tips it receives. Indeed, the SEC received essentially the same number of tips in the same categories in 2013 as it did in 2012 (3,283 and 3,001, respectively). Second, consistent with the few awards made under the program, the Report fails to shed any light at all on the SEC’s thought process in making these awards, and provides no insight into how the SEC is applying the highly nuanced factors applicable to award decisions. Finally, the Report does not acknowledge that, for the second year in a row, the largest category of tips was the “other” category, which suggests that many of these tips are probably meritless, nor does the Report illuminate at all the critical question of how many of the tips the SEC receives actually result in meaningful investigations and cases.
On November 21, 2013, Institutional Shareholder Services Inc. (ISS) released updates to its proxy voting policies for the 2014 proxy season, effective for meetings held on or after February 1, 2014. In addition, ISS has requested that companies notify it by December 9, 2013 of any changes to a company’s self-selected peer companies for purposes of benchmarking CEO compensation for the 2013 fiscal year.
This post provides guidance to US companies on how to address ISS policy changes and also highlights recent developments regarding potential regulation or self-regulation of proxy advisory firms.
The amendments to ISS proxy voting policies for the 2014 proxy season relate to: