Reference Library - Advanced Search
1-50 of 56 Search Results for: Libraries: Governance Clearinghouse; Filters: All Years; Issues and Trends
Page 1 of 2

Ransomware Defense for Boards by Betsy Atkins with input from Bill Lenehan
Identification Number: 1427
Publication Date: September 20, 2017

For all the clever coding involved, most ransomware delivers a very crude but deadly message when it strikes your company. Important company files are locked, and may be destroyed, unless you pay a specific ransom amount, anonymously, with a short deadline. At that point, panic sets in. But if your top management, IT team and board of directors have devoted some time, thought and resources in advance, you'll know how to respond (and might dodge the bullet altogether).

In my own recent boardroom experience, how boards should deal with cybersecurity is one of the hottest topics. I've been an evangelist for getting boards active in setting and assuring effective corporate digital policies. Much of this should be basic good governance for the twenty-first century. Realize that a cyber-attack is now a matter of when, not if. Make your board digitally savvy so it can ask smart questions on technology, threats, and liabilities. Assure basics like up-to-date platforms and software and regular third-party testing.

I should note that the majority of attacks on companies are still conventional intrusions to steal money or data -- the cyber equivalent of smash-and-grab theft. The special dangers posed by digital hostage-taking, however, demand a distinct corporate governance role. If ordinary hackers penetrate your systems to steal money or data, there are few shades of grey. There may be debates between IT and the rest of management about budgeting for safeguards (the board should be IT's advocate and "nudger" on this, by the way), but the priorities after a conventional breach are never in doubt: assess and limit the damage and learn from the attack.

Ransomware is existentially different and goes to the heart of a board's governance and fiduciary role. Do we as a company pay a ransom demand or do we take the moral high ground and say no? Your board needs to tackle this question, with its uncomfortable blend of technology and ethics, now, before an attack. The major ransomware strains, such as Petya and WannaCry, offer a short time frame (sometimes as little as 24 hours) to pay up or face the consequences. Convening a board meeting that quickly to deal with a flash crisis would be both impractical and unwise. Further, the actual ransom itself can be oddly small. Would you really convene an emergency board session to discuss expending $1,000?

Real-world board experiences with ransomware suggest there is a better way. I've seen ransom demands first-hand at one of my boards, and have spoken with Bill Lenehan, CEO at Four Corners Property Trust, who has also faced these traumas. We have observed a number of effective strategies specifically targeted at dealing with the unique threat of a ransomware attack:

Have the ethical discussion before a ransomware attack occurs. Your top executives and IT staff need guidance from the boardroom on the big question of whether or not the company should submit to a demand for ransom. The decision is not an easy one; losing business (and perhaps the business itself) by taking the moral high ground is not your call as a shareholder fiduciary. Your number one mission is to protect the business for investors. That may involve the tough decision to pay up if it will save data or needed access.

"Boards need to provide guidance and support on how this is handled," recalls Bill Lenehan. He finds laying out the issues directly to the board helps clarify their thinking. "I was talking with a 70-year-old board chair, and said 'Let me throw you a curve. You're trying to close a $200 million acquisition, when suddenly, your employees get a ransomware demand for a total of $3000. If you don't pay, you jeopardize the deal, your relationship with numerous counterparties, and maybe the company itself.' The response: 'My God, I never thought of this!'"

Hold this debate now at the board level, because when a hacker's WARNING screen pops up, it's too late for philosophy.

Shape a corporate ransomware response policy based on the ethics discussion. Take the strategic principles the board has developed for responding to ransomware attacks and turn them into a working tactical policy. Include functional steps, like who is to be notified, who makes the final payment decision, damage/cost tradeoffs to weigh, etc. Also, will you even be able to pay the crooks? It sounds distasteful, but assure that you have the mechanisms in place to quickly meet the ransom demands if you choose to.

"You don't want to be scrambling to pay, figuring out how to practically make this work," Bill Lenehan recalls from his own experience as CEO of Four Corners Property Trust. At 5:30 one morning, he received a text message from the company controller telling him there was a problem -- a short-term ransomware attack was spreading globally. "Our board chairman was out of the country, hours behind us, so what do I do as CEO? Would I pay, or not pay, do I need to inform my board, or just hurry to set up a Bitcoin account?"

The CEO and other staff should not have to make these decisions on the fly -- and if they do, it's the fault of the board, which didn't prepare in time. "Ransomware is not the fault of the CEO," notes Lenehan. "It's like a school snow day -- you have to set your decision policies in advance." (Lenehan also notes that his small company has a staff of 12, and is as far off the business news radar as can be -- yet hackers still found them).

Having no policy can mean being unable to respond at all. At a major company whose board I had served on, we faced a short-term ransomware demand, and decided we had to pay. But the hackers demanded payment in Bitcoin, and the company didn't have a Bitcoin account. This took two days to set up -- by which time the deadline had passed. In that missed-deadline case, we were able to negotiate a compromise. We were ultimately able to decrypt our files.

Also, ask what you'll do if other problems crop up. In the recent Petya attack in Europe, victims were told to pay in Bitcoin and then email proof of payment to an address at the German provider Posteo in order to receive a decryption key. Posteo blocked the mailbox within hours, so even victims who paid had no way to reach the attackers or recover their files.

Beware risks related to ransomware attacks on third-party affiliates. Ransomware is not just an internal danger. Even after you shape a sound emergency policy for your corporate response, what about the suppliers, customers and advisors you depend on? Lenehan tells of a ransomware strike, not at his company, but at a major law firm they were depending on to close a $20 million acquisition. "The lawyers got an email from IT early in the morning telling everyone not to turn on their laptops and check them in immediately." A pending deal was suddenly frozen solid.

What would happen at this very moment if the IT systems of one of your top vendors or clients went dark for an uncertain period? Do they keep backups on systems completely walled off from the affected ones, and have they tested that they can restore from them?

Fight hackers with unconventional warfare. Above, I noted the generic things a board can do to improve the technical odds of avoiding and fighting cyber mischief. Push IT to innovate outside its normal comfort zone. Third-party vendors like Optiv, SecureWorks, and Stroz specialize in penetration testing, 24/7 threat monitoring and ethical hacking. Your IT staff says they have the latest software updates and threat assessments? Good -- let's contract with outside experts who can make sure. The expenses involved should be modest and today are a basic cost of doing business. Want to drive a car? You need to buy insurance. Want to operate in today's digital world? Invest in outside cyber-expertise.

Check that cyber insurance coverage is adequate. Speaking of insurance, check your liability and other business policies when it comes to hacking damages and, specifically, ransomware costs. What sort of losses are covered, which aren't, how much could ransomware losses total, what compliance measures must you have in place, and what are disqualifiers? Also, how should your company decide on making a claim? (If you file a claim for a ransomware payment of $5,000, will your premiums shoot up by ten times that amount?) "If someone demands $350 in Bitcoin, it may be like when someone keys your car in a parking lot," notes Lenehan. "Rather than making a claim, you just get it detailed out on your own dime."

Ultimately, boards and management need to respond to a ransomware crisis the same way they respond to any company crisis. They must assure good response tools and plans are in place and functioning, that tough questions are asked, and that everyone knows their role. But for the board, ransomware prep demands an added step -- asking if they're ready to make a deal with the devil.

***

Betsy Atkins serves as President and Chief Executive Officer at Baja Corp, a venture capital firm, and is currently the Lead Director and Governance Chair at HD Supply. She is also on the board of directors of Schneider Electric, Cognizant, and a private company, Volvo Car Corporation, and served on the board of directors at Nasdaq LLC and as CEO and Board Chairman at Clear Standards.

Bill Lenehan is the Chief Executive Officer of Four Corners Property Trust, a real estate investment trust that owns over 500 restaurant properties. He is also on the board of directors of Macy's, the department store company. Prior experience includes board service at Darden Restaurants and Gramercy Property Trust, among others. He spent ten years as an investor at Farallon Capital Management.

 

The views and opinions expressed herein are the views and opinions of the author at the time of publication and may not be updated. They do not necessarily reflect those of Nasdaq, Inc. The content does not attempt to examine all the facts and circumstances which may be relevant to any particular company, industry or security mentioned herein and nothing contained herein should be construed as legal or investment advice.


Ransomware Payment: Legality, Logistics, and Proof of Life
Part One: Background and Reality
Identification Number: 1424
Publication Date: September 12, 2017

Cybersecurity expert John Reed Stark has authored a three-part series of white papers offering guidance for boards of directors on the legal issues, logistical considerations and financial implications of responding to ransomware threats.

In the 2000 American thriller film Proof of Life, the title refers to a phrase commonly used to indicate proof that a kidnap victim is still alive. As an expert negotiator in kidnapping cases, Terry Thorne, played by Russell Crowe, is engaged to bargain for a corporate kidnap victim's safe return. Proof of Life's screenplay was partly inspired by Thomas Hargrove's book The Long March to Freedom, which recounts how the release of the once-kidnapped Hargrove was negotiated by Thomas Clayton, the founder of kidnap-for-ransom consultancy Clayton Consultants, Inc.

The film Proof of Life is not just a compelling narrative – its premise and main character also provide some useful insights into managing the emerging threat of ransomware. Ransomware, a newer class of malware, prevents or limits users from accessing their data by locking system screens or encrypting user files unless and until a ransom is paid.

Just like Clayton Consultants, the team advising a ransomware victim company (whether the victim is a hospital or global corporate conglomerate) must employ a thoughtful, careful and methodical protocol to survive the ransomware crisis. Like any hostage situation, when a cyber-attacker locks up critical data files the logistics and legalities of ransomware refusal, acquiescence or capitulation can be both elaborate and complicated.

To make matters worse, seeking law enforcement help for a ransomware attack unfortunately remains a very limited option. First, law enforcement has become inundated with ransomware reports and lacks the resources and wherewithal to assist victims. Second, most ransomware attackers are overseas, where merely obtaining electronic evidence or interviewing a witness—let alone successful extradition and prosecution—is rarely possible. Finally, ransomware demands are often at monetary levels in the hundreds or thousands of dollars – too small to warrant federal law enforcement consideration and beyond the practical reach of local law enforcement.

Thus, it should come as no surprise that a significant number of ransomware victims opt to pay the ransom. When padlocked files are business-critical (e.g., an important intellectual property formula); when the encryption cannot be defeated (no matter how good the code-breaker); or when time is of the essence (e.g., when patient data is needed for life-saving surgery), paying the ransom can become the proverbial best worst option. Moreover, the typically de minimis ransomware payment demands (on average, about $679) are more akin to a financial nuisance than a material fiscal line-item, so from a cost-benefit perspective, payment can make the most sense.

This three-part series of articles provides guidance on the legal issues, logistical considerations and financial implications when managing ransomware threats, including an exposition of the unique issues which can arise when seeking proof of life and opting to meet the monetary demands of ransomware attackers.

Part One provides the keys to understanding the impact of recent ransomware strains, including a discussion of the nature and growth of ransomware; the dangerous aspects of some recent ransomware attacks; and the role (or lack thereof) of law enforcement when managing a ransomware attack.

Part Two will examine the intricacies involved in ransomware response including ransomware investigative tactics, ransomware payment logistics, and the legalities of ransomware response.

Part Three will cover the remaining range of key ransomware essentials including: notification requirements, ransomware remediation, and ransomware cyber insurance.

Read Part One of Ransomware Payment: Legality, Logistics, and Proof of Life >>

***

John Reed Stark is President of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of a global data breach response firm, including three years heading its Washington, D.C. office. Mr. Stark is the author of, "The Cybersecurity Due Diligence Handbook," available as an eBook on Amazon, iBooks and other booksellers.


You Can Gain Access to the Society for Corporate Governance's Directors' Cut Newsletter
Identification Number: 1404
Publication Date: July 24, 2017

The Society for Corporate Governance is now offering non-members complimentary access to its Society Alert - Directors' Cut newsletter. This quarterly online newsletter is a select compilation of governance-related news from the preceding quarter's weekly Society Alerts, geared and edited with a view toward a director and C-suite audience. Each issue covers a wide range of topics including audit/financial reporting developments, board practices, board and key committee oversight, proxy/annual meeting developments and trends, and board and C-suite-relevant institutional investor updates.

Read the Directors' Cut for Q2 >>

Subscribe to Directors' Cut >>

What's New in Shareholder Engagement: Telling Your Own Story
Identification Number: 1392
Publication Date: June 22, 2017

Tactical communication with shareholders is critical, as shareholder activism increases and institutions begin to rely more on their own independent research and less on the opinions of proxy advisory firms. By aligning corporate messaging with investor interests and concerns, companies build better relationships with their investment communities—and in the process, eliminate information vacuums that can be exploited by activists.

Proxy statements are an often-overlooked opportunity for companies to share compelling corporate governance stories and improve stockholder engagement. Investors are keenly interested in succinct and articulate explanations of the following:

  • the company's strategic and risk management plans;
  • the company's corporate governance values;
  • why executive officers are compensated appropriately; and
  • why the company believes it has the right people sitting on the board.

By transforming proxy statements from compliance tools into highly effective communication tools, companies can improve shareholder engagement and nurture investor support for annual meeting ballots. Following are best practices we have observed (and also applied here at Nasdaq) for utilizing proxies to tell a compelling corporate story.

Engage with shareholders proactively.
In addition to building relationships and ensuring shareholders support the company's strategy, a key goal of engagement is discovering investor perspectives on their areas of focus (such as board composition, pay-for-performance metrics, and engagement). Effective shareholder engagement is a two-way dialogue, some of which ought to take place with the company's largest investors outside of proxy season. If institutional investors aren't available to meet during the off-season, take advantage of quarterly earnings calls, industry conferences, and investor presentations to engage.

Bring the proxy process in-house.
Once the company has identified investor concerns and refined its corporate story, it should consider bringing the process for writing and editing the proxy in-house. An outside consultant or vendor cannot do a better job aligning corporate messaging with investor concerns than the company itself. Complex topics such as board composition, executive compensation policies, corporate strategies, and enterprise risk management should be explained succinctly and clearly, a task best left to corporate insiders.

When bringing the proxy development process in-house, it is helpful to create a benchmark of best-in-class proxies that stand out in terms of innovation and formatting. At Nasdaq, we spent months researching and creating a "look book" of noteworthy proxies that our development team used as a reference tool to guide improvements in the messaging, readability, disclosure, and formatting of the proxy.

Enhance disclosure and transparency.
When developing the elements of the company's story that address investor hot buttons, don't settle for the bare minimum in disclosure. Transparency around board composition, executive compensation, and corporate governance builds trust and assists investors in evaluating the board's effectiveness and independence. For example, shareholders like to map the skill sets on the board to the company's corporate strategies and enterprise risks. A holistic overview of board composition—including committee assignments, tenure, experience, and diversity—can be helpful for this, as is a board skills matrix. The structure and philosophy of executive compensation should also be outlined in a thorough and very readable analysis.

Enhanced disclosure is especially important when a company has a great governance story it hasn't been sharing effectively. Through our own research at Nasdaq, we have unearthed many Nasdaq-listed companies that have quietly achieved exemplary track records with regards to board composition and diversity. However, these efforts often go unnoticed because only a handful of companies highlight board composition metrics in their proxies using charts and graphs.

Transform the proxy into a communication tool.
Different types of investors read and use proxies differently: for retail investors, it's a reading document; for institutional investors, it's a reference document. To motivate institutional investors to support the company's annual meeting ballot, proxy messaging needs to be clear and compelling (and navigation intuitive) so investors can locate topics of interest quickly and understand them easily.

Readability is key—writing content in plain English, eliminating redundancies to condense the document, and hyperlinking a detailed table of contents are all ways to enhance the readability of a proxy. Key messages should be highlighted in such a way that shareholders can't miss them: In addition to enhancing the summary to include critical information, companies can draw attention to (and summarize) main ideas by incorporating charts, matrices, graphics, and bulleted lists.

Launch an interactive digital proxy.
A growing number of investors prefer to access proxies and vote online, and interactive proxies are transforming online stockholder engagement. The intuitive framework and visually appealing layouts of interactive proxy documents make it easy for shareholders to navigate and digest proxy content on their own terms, and on any device. These interactive versions include multiple features allowing for easy search and maneuverability, such as section and sub-section headers, expanded table of contents, and linked page references throughout the document.

Interactive proxy platforms also provide companies with useful analytics regarding which sections of proxy statements, and which search terms, are most popular with shareholders. User analytic data will be valuable to companies seeking to identify proxy content elements that most resonate with investors, as well as fine-tuning digital layouts and navigation.

During the past few weeks, a number of Nasdaq-listed companies published their 2017 proxy statements using an interactive format including eBay, Inc., Intel Corporation, Nasdaq, Inc., Northern Trust Corporation, and Otter Tail Corporation.

Perhaps the most compelling piece of PR advice dispensed by Don Draper, ad man extraordinaire of the series Mad Men, was this: "If you don't like what they are saying about you, change the conversation." By taking control of their own story, corporations can do just that.

Read More about Interactive Proxy Statements Here >>

Read More about Reasons to Bring the Proxy Process In-House Here >>


Top Cybersecurity Concerns for Every Board of Directors: Data Mapping and Encryption
Identification Number: 1375
Publication Date: May 17, 2017

This is the fourth of a four-part series of white papers authored by cybersecurity expert John Reed Stark. This series, published for the first time on Nasdaq's Governance Clearinghouse, outlines a strategic framework for boards of directors to effectively analyze and supervise corporate cybersecurity risks.

This final part of the series Top Cybersecurity Concerns for Every Board of Directors discusses the board's oversight responsibilities with respect to two of the largest enterprise undertakings in the field of cybersecurity: data mapping and encryption.

  • Data Mapping: Every cyber-attack response begins with the forensic process of preserving any electronically stored information (ESI) that may be relevant to the cyber-attack. The most well-run companies establish sophisticated and intelligent data classification schemes to mitigate the costs and challenges of preserving ESI after an attack. Creating an accurate data map for a company is imperative: before a company can figure out how to protect its data, the company needs to know where that data is.

  • Encryption: While encryption systems require constant maintenance and can complicate communications, encryption is typically a company's last line of defense against cyber-attacks. Target's attackers had access to everything, from the deli meat scales to the cash registers, because no controls, such as network segmentation or encryption of sensitive data, limited what a compromised foothold could reach. Merely encrypting sensitive data is not enough; how it is encrypted (the algorithm, the key management, and whether data is protected both at rest and in transit) matters just as much.

This four-part series of white papers covers the following cybersecurity topics:

Part 1, Cybersecurity Governance: critical components related to the governance practices, policies and procedures of a strong cybersecurity program.

Part II, People: cybersecurity recruitment, training and retention as well as hiring outside firms for digital forensics and data breach response.

Part III, Technology: the technical systems that provide the foundation for cybersecurity infrastructure. 

Part IV, Data Mapping and Encryption: an overview of the board's oversight responsibilities with respect to encryption and data mapping.

By using these white papers as a guide, boards of directors can become not only more preemptive in evaluating cybersecurity risk exposure but they can also successfully elevate cybersecurity from an ancillary IT concern to a core enterprise-wide risk management item. 

Read John Reed Stark's Latest White Paper on Data Mapping and Encryption >>

***
John Reed Stark is President of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of a global data breach response firm, including three years heading its Washington, D.C. office. Mr. Stark is the author of, "The Cybersecurity Due Diligence Handbook," available as an eBook on Amazon, iBooks and other booksellers.

Learn More About the Shareholder Services Association
Identification Number: 1376
Publication Date: May 16, 2017

Nasdaq recently talked to the SSA to learn more about its mission, the benefits of membership, and its advocacy efforts on behalf of the shareholder services industry. They also shared the agenda for their 2017 Annual Conference that will take place in Florida on July 18-20.

Read our interview with the SSA >>

WEBINAR RE-PLAY: A Conversation with PCAOB, BDO and Grant Thornton
Identification Number: 1374
Publication Date: June 8, 2017 (listing date: 5/16/2017)

Nasdaq hosted a web seminar on June 7 with representatives from the PCAOB, BDO USA and Grant Thornton to discuss the PCAOB resources available to public companies.

Listen to the Re-Play Here >>

Nasdaq Talks to . . . PCAOB's Office of Outreach and Small Business Liaison about Its Mission and How It Can Help Public Companies
Identification Number: 1371
Publication Date: May 9, 2017

Nasdaq often hears questions from listed companies about their annual financial statement audit or a specific accounting directive. To help answer these questions, Nasdaq investigated and found that, although the Public Company Accounting Oversight Board (PCAOB or the Board) does not have an official "ombudsman," it does have an Office of Outreach and Small Business Liaison. Read our interview below to find out how this office can help answer these questions.

Want to know more?  You can listen to a re-play of a recent webinar Nasdaq hosted with PCAOB, BDO, and Grant Thornton here >>

Q: What is the Office of Outreach and Small Business Liaison?

A: The Office of Outreach and Small Business Liaison was established in 2010 after the passage of the Dodd-Frank Act. The Office plans and conducts forums for auditors of smaller public companies and for auditors of smaller broker-dealers. The Office also acts as a liaison between the Board and accounting firms and others affected by the Board's work; assists with arranging Board member and PCAOB staff speaking engagements; and serves as a contact for anyone who may have questions about the Board's regulatory activities or needs assistance in locating publicly available information issued by the Board.

Q: How can you help public companies?

A: The PCAOB website contains a number of resources which inform companies about the work of the PCAOB including inspection reports of registered accounting firms and summaries of inspection findings. More information on these pages is provided below.

In addition to our website, PCAOB Board Members and Senior Staff speak to representatives from public companies at events across the country. This includes groups of CFOs as well as Audit Committee members.

In addition to the website, public companies may contact our office if they have questions related to anything on the website.

Q: What's the best way to reach you?

A: The office can be reached by telephone at (202) 591-4135 or by email at either outreach@pcaobus.org or info@pcaobus.org.

Q: What are the most common questions you get? How do you respond?

A: The Office of Outreach receives questions on many topics. The most common requests typically involve assistance with locating information on registered firms. Generally, staff from the office will respond directly to the person who contacts us. In some instances, due to the technical nature of the question(s) posed, messages are sent to the appropriate division within the PCAOB for a response. Additionally, if the question or request relates to an issue outside of the PCAOB's jurisdiction, we will direct people to the organization or agency best suited to respond.

We encourage people who contact us to provide enough detail in their message so that the request can be handled promptly.

Q: How can a company participate in PCAOB's standard-setting process? Are there ways for PCAOB to accept input from public companies? What is it?

A: The PCAOB collects comments from all interested parties, including public companies, as part of the standard-setting process. If a proposal is open for comment, it will be listed on the PCAOB home page. The PCAOB has also made available a rulemaking docket which lists the status of all rulemaking projects, including standards. More information on the comment process is available here. All comment letters that are received are posted on the PCAOB website.

Additionally, all PCAOB standards are subject to SEC approval. Once a proposed standard is submitted to the SEC, there is an additional period in which comments are accepted.

The PCAOB also has a Standing Advisory Group which advises on the development of auditing and related professional practice standards. Public company executives and audit committee representatives are among the members of the group.

Broad-based organizations whose members are public companies such as Financial Executives International, the Society for Corporate Governance, the American Bankers Association, and others may seek to meet with Board members and senior staff to discuss issues of mutual interest. Public companies could also reach out to the Board through Nasdaq.

Q: What other resources are available at PCAOB for public companies with auditor-related questions or concerns?

A: As noted above, the PCAOB website has a number of documents and pages that may be of interest to public companies. The Board frequently issues general reports along with staff inspection briefs. In addition, the Board has created a page with information specifically for audit committee members. Information on firms registered with the PCAOB is available through the registration and reporting system. Users of the system can search for any firm and see inspection reports and enforcement actions for each firm as well as view filings required by the PCAOB. Questions not specifically answered on our web site should be directed to the email address and phone numbers listed above.

We encourage anyone interested in the work of the PCAOB to sign up for email updates or to follow us on Facebook, Twitter and LinkedIn.
Publication Date*: 5/9/2017 Identification Number: 1371
Frequently Asked Questions
Fredrik Voss, Nasdaq Vice President, Talks About What Blockchain Could Mean to Your Company, Part 2
Identification Number: 1360
Clearinghouse
Publication Date: April 28, 2017

Following up on our interview last year, we had the chance to speak again with Fredrik Voss, who is spearheading Nasdaq's blockchain innovation initiative. Fredrik described the advances and accomplishments over the past year, and gave us some idea of what to expect in the future. Excerpts from our conversation follow.

Q: Last year, Nasdaq announced a blockchain-based solution for voting in Annual General Meetings in Estonia, an application of the technology that went beyond settlement and clearing, an area that seems to be garnering a lot of attention. What made you choose this project?

A: We chose that project for a couple of reasons. One, we deliberately wanted a project that wasn't related to the issuance and settlement of assets on blockchain. We wanted to do something else. We also wanted a project where we really had to explore issues around identity on the blockchain: the identity of a person, identity of a person representing a firm and then firms and people representing other firms in a proxy arrangement.

So those were two things we wanted to explore, and then we wanted to find a space where we could do that with internal knowledge and by leveraging the blockchain technology and know-how from our partner Chain. It so happens that in Estonia, we actually do run annual general meetings for a number of companies, as a service. So we had a good understanding of the current business process, so to speak. Also, we would have to rely on a central securities depository (CSD) for share ownership data, and we actually own and operate the CSD in Estonia.

As we explored leveraging that environment, we also identified that the Estonian government has put in place a system called e-Residency, which is an advanced way of handling digitized identity for Estonian citizens, but anyone can become an electronic resident of Estonia through that mechanism. So a lot of planets aligned while we picked that particular use case and that particular market as the pilot.

Q: With respect to annual meetings, what are the advantages of a blockchain-based system versus the traditional model?

A: You can obviously do electronic remote voting using traditional technology, but blockchains (or distributed ledgers) have some inherent capabilities that make them quite attractive for a use case like annual meetings, in that it's very easy to track the provenance of a digitized asset. A digitized asset can be anything, but in this case, it's a vote, and it is easy to track its whereabouts in a blockchain user base.

One of the problems with the proxy process today is actually demonstrating to the shareholder that their vote was cast in accordance with the instructions of the shareholder. It is actually difficult to do that. But with blockchain technology, you can easily track the whereabouts of that vote. Also, with this system, the ledger is immutable; you cannot change the records, so you can indisputably prove that votes were cast in accordance with the instructions.

Basically, the way it works is that when a vote is coming up, you poll the CSD, and you issue the right number of voting tokens to the shareholders. An individual shareholder can then transfer that voting token to a delegate, or of course they can vote on their own as well. Then you can actually track the whereabouts of that voting token in the network. You can also see in which ballot it was cast, whether the yes one or the no one. There are some inherent functions in blockchain that make it an easy technology to use for that particular use case.

Q: So a company is no longer just sitting back and waiting for the votes to come in? They actually have total visibility into the whole process from beginning to end?

A: Exactly. They have total visibility from the issuance of those voting tokens. You can allow various parties to see where the votes are in the network, and if you are the shareholder, for example, and if you delegated your vote to someone, you can actually see where it is, you can see when it's cast, you can see in what ballot it was cast, depending upon the rules of the voting process. You can allow the issuing company to see the complete picture of where the votes are for everyone in the network.

The technology provides transparency and certainty to these processes. You cannot quite emulate that using the existing technology of trusted third parties and traditional databases. That would be a more complex and cumbersome solution to build than leveraging the inherent capabilities of blockchain ledgers.

Q: In a report issued in January 2017, the Estonia AGM project was described as "successful" and well received by the user community. What were the highlights from this effort?

A: As highlighted in the report, we tested our solution in cooperation with a recently listed Nasdaq Tallinn company, LHV Group, an Estonian financial group. Some reactions from LHV's management team were:
  • Mr. Erki Kilu, CEO of LHV Pank: Testing the prototype was simple and user friendly. The options were intuitive and required minimal amount of clicks. It is a joy to use a blockchain-based system that actually works and which is awaited by the market and can be used by thousands of people at the same time.
  • Mr. Madis Toomsalu, CEO of LHV Group: It is a good initiative (i.e. start-up) and has a lot of potential. Testing of the prototype was convenient and simple. If the future solution enables mobile ID authentication as well and the security is granted, then we would definitely consider using the product in the future.
Some feedback we received from various investors included:
  • "The GUI was very clean and intuitive, design is nice."
  • "Everything was logical, simple and understandable. The only disappointment is that I did not find any bugs to report."
  • "Quick and simple way to vote. The future seems bright!"
They appreciated the transparency in the process. We had proxy companies and custodians involved in the process, and for them, the fact that they now could validate and have evidence that they have fulfilled their obligations was helpful. We also learned a couple of things about what needs to be done to make it a complete product, so that was helpful as well.

Q: Looking back on the Estonia project, in what areas do we still need to make improvements?

A: I think the core piece of the solution is very solid. To make this a complete and attractive solution for the users there are some areas we can improve upon. Currently, for example, you have to use a laptop to participate remotely. Obviously you want to be able to provide handheld capabilities. What we delivered was sort of a first minimum viable product or a pilot, and there are some analytics and additional features we'd like to add to it when we turn it into a full blown product.

Q: Do you think that blockchain technology will facilitate shareholder engagement?

A: Totally. That's one of the key promises of the technology. We explore, broadly speaking, three uses of the technology. The first would be post-trade issuance and settlement, as you mentioned earlier. We're also looking at regulatory transparency. But we also are looking at whether this technology can be used to bring issuers and investors closer to each other. And I think this project proves that is the case.

We think that a solution like this could promote a more active investor base. It will be a cheaper, more intuitive, more effective way of participating. For example, in a shareholder meeting, it doesn't mean that everyone wants to participate on their own, but the delegation methodology is a more attractive solution for the issuer, the investor and the proxy custodian. So this project is actually evidence that the technology potentially has that capability.

Of course, to continue on that theme, that voting token we talked about earlier could basically be any digitized asset. If you're a coffee company, the token could be a beverage coupon that you can easily send to your shareholders using the electronic ledger network, as an example of something you could do in the future. So we definitely think the technology will facilitate shareholder engagement.

Q: Nasdaq is utilizing blockchain technology with private companies through the Nasdaq Private Market. How are private companies utilizing the blockchain technology?

A: That is the first project we embarked upon, what we call the Linq project, which combines Nasdaq solutions with technology developed by our partners at Chain. That falls into the first bucket of the areas we've explored: the issuance, settlement and transfer (in the case of secondary market transactions) of ownership of securities. So that is mainly how we've used the technology in the private company space.

So basically, a private company using this solution issues shares, and it can transfer those shares to its investors. When investors trade in the secondary market, they can transfer ownership of those shares using this technology. This is all electronic, secure, and done in real time. But there is no trusted third party in the middle. There is no central depository involved so this is a true peer-to-peer network that's leveraging the technology. It is actually the technology that keeps track of who owns what, instead of a trusted third party in the middle, like a depository.

Q: With private companies, what advantages does the distributed ledger provide over traditional systems?

A: In the U.S. for example, you've traditionally had paper certificates. You've had capitalization tables being managed in Excel spreadsheets. You have had these certificates being shipped by common carrier, and stored in vaults. You're talking about a labor intensive, error prone infrastructure…but the key feature has been a peer-to-peer network between these parties. Now you can actually keep this peer-to-peer network if this industry does not want to have a depository function in the middle. This technology secures the processes, provides capitalization information in real time, and is cheaper than the way it happens right now.

Q: How do you see the landscape changing in 2017? What roadblocks are limiting the mass adoption of the blockchain technology?

A: In terms of blockchain in capital markets, we are sort of moving out of the proof of concept (POC) era. Not only at Nasdaq, but among the blockchain industry as a collective, there are fewer POCs, and we are seeing more and more solutions, products being deployed for real assets with real customers. So we are leaving the POC era and entering into more of a pilot era with real products. It's going to be interesting to follow how those products perform over the next, let's say, two years. We are seeing increased certainty in the technology. That said, blockchain is not yet, of course, a mature technology.

We will see a lot of evolution in blockchain protocols over the coming years, and there are still certain issues around functionality that need to be developed. But we and others increasingly believe that these types of enhancements will be achievable, and companies like our partner Chain are at the forefront. So the technology seems to be increasingly validated as a good candidate for use in capital markets. Now the focus is on the obstacles or challenges limiting wide-scale adoption, and they are mainly non-technology related and non-technical in nature.

One challenge is actually going from vision to concrete designs of how these solutions, these networks, are going to work. The blockchain has wonderful potential as an enabler of faster transaction processing, lower need for capital, better operations, lower cost for IT, among other things. That is the vision – but actually bringing that down into a concrete design that a community of users can agree upon? That's not a show stopper but it takes a bit of time to achieve. So that's one area.

A second area is legislation and regulation. Some of these new business models and market structures that are being thought about are so innovative that they are simply not contemplated by existing laws and regulations. The issue is not that they are prohibited, the issue is that there's a legal uncertainty around them in the current regulatory context. You cannot expect capital market participants to allocate billions worth of assets into solutions where there is legal uncertainty. So there needs to be some legal and regulatory innovation in parallel with the technical innovation. Again, that is not a show stopper – we change laws and regulations all the time, but it takes a bit of time and effort to do it.

Third is something Nasdaq has been thinking about from the beginning: the integration and transition processes. Whatever you want, the fact of the matter is that this technology is being implemented in a pre-existing context – a rather complex technology infrastructure. It needs to be integrated in an efficient way. And then, of course, if your business idea or your business model relies upon replacing a pre-existing piece of infrastructure, you also need to have a credible transition plan to put in the new and get rid of the old technology. You don't want to be stuck halfway through a transition process because then you end up having to support both the old infrastructure and the new infrastructure. We don't want that to happen.

So while technology evolution is still very important, that is less of a concern. Now, more and more focus in terms of challenges is being directed to these three things I just spoke about.

Q: What effect do you think the proposed changes to the Delaware General Corporation Law (DGCL) will have on the adoption of blockchain technology for corporate purposes?

A: That is an example of an initiative that addresses the challenge of legislative and regulatory uncertainty. If you can create legal certainty that, for example, shares issued in the blockchain format actually represent ownership in the company that would be tremendously helpful. So I think these proposed changes are a sign that these challenges are starting to be addressed, and that is positive for the landscape.

Q: Besides annual meetings and settlement and clearing, what other uses of blockchain do you foresee for publicly-held and private companies?

A: In terms of the corporate nature of things, those are definitely the key areas. Particularly, issuance, settlement, and transfer of ownership combined with services like voting. That is core. There are a lot of use cases that could be relevant for companies in certain industries.

We know, although we are not active in some of those industries ourselves, that there are a lot of use cases being explored in the insurance industry, in supply chain management, and a number of initiatives in the healthcare industry. So there could be broad implications – some in specific industries, but also general features that address needs for all companies, regardless if they are private or public.

Q: Basically new infrastructure for them to utilize at that point?

A: New and better infrastructure. Of course, if the technology delivers on its promises in terms of creating better transparency into who owns a company's shares, you can think of all kinds of interesting things that a company can do with that information to become a more valuable company to its shareholders.

Q: Last question: do you have any other projects planned for 2017?

A: Yes, there are a number of exciting projects going on. Some are public; some are yet to be publicized. One that has been publicized is that we are working together with a company called The New York Interactive Advertising Exchange (NYIAX) to create a blockchain-based marketplace for advertising instruments.

We are continuing to work on the Linq concept with our partners at Chain and expanding the feature sets. We're expanding the markets for which it is used. We already use it for company shares and we've announced that we're going to use it for alternative investments as well. And as I said, we are working on the features included in the Linq solution as well.

We have also added blockchain capabilities to the Nasdaq Financial Framework, which is basically a platform for capital market applications, where a user of that platform can use any data store they want. You can use the blockchain or you can use a traditional database, or you can use them in combination.

And then we have a couple of other projects that we actually cannot talk about publicly yet, but when we can, we can add them to the list.

Q: Sounds good. Let's catch up again next year and you can tell us more about this.

A: Yes, we should.

***
Fredrik Voss is a Vice President at Nasdaq responsible for Nasdaq's blockchain innovation initiative.
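The voting-token flow described in the interview (poll the CSD, issue one token per share, let the holder delegate it, cast it in a ballot, and later trace where the token went) can be made concrete with a small append-only ledger. The following is an added illustration written for this page; it is not Nasdaq's or Chain's code and makes no claim about how their platform is built. It assumes one token per share, a hash chain as the "immutability" mechanism, and a constructed CSD snapshot with made-up shareholder names; the identity layer (e-Residency, mobile ID) is out of scope.

```python
"""Toy append-only voting-token ledger (added illustration, not Nasdaq/Chain code)."""
import copy
import hashlib
import json

GENESIS = "0" * 64
BALLOTS = ("yes", "no", "abstain")


class VotingLedger:
    """Hash-chained log of ISSUE / DELEGATE / CAST events plus derived state."""

    def __init__(self):
        self.entries = []   # each: {"prev": <hash>, "event": {...}, "hash": <hash>}
        self.holder = {}    # token id -> current holder (derived from the log)
        self.cast = {}      # token id -> ballot it was cast in

    @staticmethod
    def _digest(prev, event):
        # Canonical JSON so an identical event always hashes identically.
        body = json.dumps({"prev": prev, "event": event}, sort_keys=True).encode()
        return hashlib.sha256(body).hexdigest()

    def _append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"prev": prev, "event": event, "hash": self._digest(prev, event)})

    def issue(self, registry):
        """Issue one voting token per share from a CSD snapshot {shareholder: shares}."""
        for holder, shares in sorted(registry.items()):
            for i in range(shares):
                token = f"{holder}-{i}"
                self.holder[token] = holder
                self._append({"type": "ISSUE", "token": token, "to": holder})

    def _check_holder(self, token, actor):
        # Only the current holder may move or cast a token, and only once.
        if self.holder.get(token) != actor:
            raise PermissionError(f"{actor} does not hold {token}")
        if token in self.cast:
            raise ValueError(f"{token} was already cast and cannot be reused")

    def delegate(self, token, sender, delegate):
        self._check_holder(token, sender)
        self.holder[token] = delegate
        self._append({"type": "DELEGATE", "token": token, "from": sender, "to": delegate})

    def cast_vote(self, token, voter, ballot):
        self._check_holder(token, voter)
        if ballot not in BALLOTS:
            raise ValueError(f"unknown ballot {ballot!r}")
        self.cast[token] = ballot
        self._append({"type": "CAST", "token": token, "by": voter, "ballot": ballot})

    def provenance(self, token):
        """Every event touching a token, in order: the token's 'whereabouts' trail."""
        return [e["event"] for e in self.entries if e["event"]["token"] == token]

    def tally(self):
        counts = {}
        for ballot in self.cast.values():
            counts[ballot] = counts.get(ballot, 0) + 1
        return counts

    def verify(self):
        """Recompute the chain; an edited, dropped or reordered entry breaks a link."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["event"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def build_demo_ledger():
    """Constructed CSD snapshot and meeting; names and share counts are made up."""
    ledger = VotingLedger()
    ledger.issue({"alice": 2, "bob": 1, "carol": 2})
    ledger.delegate("bob-0", "bob", "proxyco")      # bob hands his token to a proxy
    ledger.cast_vote("alice-0", "alice", "yes")
    ledger.cast_vote("alice-1", "alice", "yes")
    ledger.cast_vote("bob-0", "proxyco", "yes")      # proxy casts bob's token
    ledger.cast_vote("carol-0", "carol", "no")
    ledger.cast_vote("carol-1", "carol", "no")
    return ledger


def tamper_is_detected(ledger):
    """Flip one stored ballot on a copy of the log and confirm verify() catches it."""
    forged = copy.deepcopy(ledger)
    forged.entries[-1]["event"]["ballot"] = "yes"
    return ledger.verify() and not forged.verify()


if __name__ == "__main__":
    demo = build_demo_ledger()
    print(demo.tally())               # {'yes': 3, 'no': 2}
    print(demo.provenance("bob-0"))   # ISSUE -> DELEGATE to proxyco -> CAST by proxyco
    print(tamper_is_detected(demo))   # True
```

Two practitioner caveats the interview's "immutable" wording glosses over. First, a hash chain only detects tampering against a copy someone else holds: an operator who controls the only copy can regenerate the whole chain after editing an entry, so the guarantee comes from the issuer, CSD, custodians and proxies each keeping their own replica and comparing head hashes, not from the hashing itself. Second, the double-vote and wrong-holder checks live in `_check_holder`; if that rule is enforced only at the application layer and not by every replica that accepts entries, a malicious node can append a second CAST for the same token.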
Frequently Asked Questions
Equilar Study Finds Over-Boarding Directors More Common, Better Paid
Identification Number: 1357
Publication Date: April 21, 2017

The idea of multi-boarding, also known as "overboarding", has become a topic of debate for investors, board members, and advisors. Although some argue that public directorships on multiple boards can positively promote shareholder engagement and corporate governance experience, others question whether directors with multiple board commitments are putting sufficient time and energy into each of those commitments. A recent Equilar study found that multi-boarding is more prevalent at larger companies, has increased from 48.6% to 53.6% in the past five years, and has led to greater director pay-outs. The study also revealed that the increase of women on boards, and a desire for directors familiar with issues scrutinized by shareholders and with stricter regulatory requirements, may lead to candidates who are well-versed in these issues serving on more boards.

Read more from Equilar >>
Frequently Asked Questions
Five Key Components for Building and Maintaining an Ethical Workplace Culture
Identification Number: 1349
Clearinghouse
Publication Date: April 11, 2017

A strong ethical culture is essential to effective compliance risk management. There is no shortage of compliance failures to illustrate how a weak ethical culture can sabotage even the best corporate compliance programs. Almost universally, misconduct took hold in these cases because employees felt pressure to prioritize performance over compliance and, in response to such pressure, figured out how to evade controls meant to ensure compliance.

Given the importance of ethical culture in producing positive outcomes and enabling business goals, as well as its profound impact in preventing significant compliance failures, boards and executive management teams should make sure the company's approach to building and maintaining an ethical culture incorporates these key best practices:

1. Establish clear accountability for ethical culture as a management function

Ethics and compliance functions rely on similar skillsets, leverage similar tools and operationally need to be well-coordinated. While program management for ethics and compliance program elements can be combined, ultimately, an ethical workplace culture is determined primarily by senior executive management, not by an Ethics and Compliance Department.

To ensure that managers understand their accountability for setting the company’s ethical culture:
  • Establish an Ethics Steering Committee comprised of senior business and operations executives along with senior representatives from compliance, Human Resources (HR) and Communications to ensure the ethics program is fully integrated in the business’ operations;

  • Appoint a senior executive as the Ethics Officer (as a part time role) for each geography or business unit to evaluate and reinforce the ethical culture; and

  • Connect ethical conduct to compensation and make it part of each executive’s performance objectives.
2. Evaluate your employee-facing compliance policies so they enable rather than inhibit ethical culture

Overly detailed and technical policies can undercut an ethical culture. This is especially true when responsibility for compliance falls on individual “line” employees and managers. Think of the core messages that are commonly associated with ethical business – “we are a values-based organization” or “we trust our employees to exercise good judgment.” – Now consider a lengthy compliance policy that reads like an excerpt from a federal regulation. The implied message this type of policy can convey may inhibit an ethical culture, and instead, imply counterproductive messages such as – “we are only concerned with bare legal or technical compliance” or “you could try your best but still get something wrong.”

To demonstrate that compliance policies are ethical culture enablers:
  • Create a policy committee comprised of average level employees and managers to review new company policies to make sure they address employee needs with appropriate but not hyper-technical detail;

  • Post employee compliance policies on their own intranet site supported by strong search functions; and

  • Use reading level software on all policies – targeting readability at below the average education level of your employees as many are likely not familiar with the topic.
3. Include ethical behaviors in promotion criteria

When employees perceive that ethical behavior helps them climb the corporate ladder, it reinforces the emphasis that the organization places on building and maintaining an ethical culture. Many companies require some form of risk screening for employees under consideration for promotion to senior level positions. In some instances, this involves reviewing HR files to make sure there have not been any disciplinary actions or significant policy violations; in others, it can involve credit, litigation or public records review to make sure that the individual does not pose risks to the organization before ascending into a position of greater trust and influence. Keep in mind, however, that a lack of unethical conduct is not the same as affirmatively demonstrating ethical behavior.

To help ensure that your promotion process reinforces the importance of an ethical workplace culture:
  • Incorporate specific ethical behaviors into performance and promotion expectations, such as keeping promises and commitments, upholding values while under pressure and demonstrating honesty and transparency;

  • Require a manager to document instances of employee integrity before a promotion to a senior level position; and

  • Conduct 360 degree reviews of high potential staff prior to promotion.
4. Ensure executives and managers have the skills to build and maintain an ethical culture

It can be tempting to confuse personal ethics with ethical leadership – to believe that because someone is an ethical individual with personal integrity that he/she will naturally become an ethical leader. To be sure, ethical leadership starts with personal integrity. But it also means understanding team dynamics, motivations and pressures and how those may influence employee perceptions and behaviors. Lastly, and perhaps the most intimidating to many managers, ethical leadership involves speaking confidently and effectively about the company’s values and “ethical narrative.”

To help ensure that your managers are ready to be ethical leaders:
  • Explicitly incorporate ethical leadership into general leadership development courses, helping new managers understand that ethical leadership is a key dimension of good leadership;

  • Require managers to share a personal message about their values or a story about an ethical dilemma they have faced; and

  • Provide managers with prepared discussion frameworks to help with discussions about ethical issues with their staff.
5. Prepare managers to identify and respond to employee ethics and compliance concerns

As with most workplace concerns, employees are most likely to raise ethics and compliance concerns with their managers – in most studies, reporting to management is favored by large margins over going to HR, the law department or the hotline. It is therefore all the more important to train managers to recognize signals from their employees. An employee’s offhand “comments” at the end of a meeting might be viewed by an untrained manager as just office banter, but for the employee, who was likely mulling over this issue for days and the potential risks and rewards of coming forward, he or she just raised the issue to management and expects some sort of response. In addition to missing the opportunity to address an issue early-on, if the manager misses these signals repeatedly over time, the team’s ethical climate can begin to erode as issues are not addressed and bad behavior becomes enculturated.

To help ensure that your managers can identify and respond to issues effectively:
  • Make identifying and responding to employee ethics and compliance reports part of your annual training program for managers;

  • Provide managers toolkits on how to respond to employee concerns, including what to say and who to contact based on the issue involved; and

  • Reinforce the importance of engaging company resources quickly rather than trying to solve the problem themselves.
***
The author, Michael Kallens, is an Associate General Counsel in Nasdaq’s Office of General Counsel and is a senior member of Nasdaq’s Global Ethics and Compliance Team. Michael has led industry working groups on developing best practices for corporate ethics programs and is a frequent speaker on ethics and compliance topics. In 2014, he received the Outstanding In-House Counsel Award from the Association of Corporate Counsel-National Capital Region for his work in the area of corporate ethics and compliance.
Frequently Asked Questions
Seven Critical Elements of a Board Refreshment Plan
Identification Number: 1347
Clearinghouse
Publication Date: April 3, 2017

We asked Betsy Atkins, veteran of 23 boards and 13 IPOs, to share her perspective on the art and science of board refreshment. In addition to her board service, Ms. Atkins is also well known for making very early stage investments in Yahoo and eBay through her venture capital firm Baja Corp. Following is her sage advice on structuring an effective board refreshment cycle.

1) View the corporate board as a strategic asset, not just a fiduciary.

The first step to an effective board refreshment plan is understanding why refreshment is so important. Historically, the function of boards was to act as a financial fiduciary and steward for shareholders. However, for the past decade or so, the role of boards has been evolving, as boards are now being held accountable for "futureproofing" against threats and ensuring the competitive relevance of the company.

Just as a company’s leadership team is forward-hired based on long-term strategy, the board is now equivalently an asset to be reviewed for critical expertise and experience, and refreshed as needed. Unfortunately, it’s still not common for a board to have a holistic view of board composition as a strategic asset, and many corporate boards still view themselves as fiduciaries.

2) Take a proactive versus reactive approach.

It’s never been more important to address the topic of refreshment internally; if the board doesn’t proactively think about it, somebody outside the organization is going to raise it. Index funds that were traditionally passive are now beginning to push for diversity, governance refreshment and renewal, and are raising questions on term limits and age limits.

A board should have an annual governance committee calendar with explicit agenda items, just as it does for compensation committees and audit committees. A typical governance committee refreshment calendar might run as follows:
  • Q1: Review board composition, long-term succession planning and rotation schedules.

  • Q2: Map board skill sets to the corporation’s long-term strategic plan.

  • Q3: Review the board skills matrix to identify gaps.

  • Q4: Outline a plan for executing graceful rotations and engaging search firms to assist in filling gaps.
A standardized annual process for board refreshment establishes expectations on term limits from the beginning, ensures recruitment of new members is not a shotgun affair, and takes the personal element out of rotating members off the board. Board refreshment becomes a pure, professional process for identifying and filling needed skill sets.

3) Annually map board skill sets against the company’s long-term strategic plan.

In the absence of a detailed vision of board composition, it’s human nature to place a premium on good working relationships. Therefore, it’s very important when taking a strategic approach to board refreshment to identify whether the board’s skill sets align with the company’s long-term strategic needs.

A board needs to look closely at its company’s long-term strategy, map that against the skills around the table, identify potential gaps, and create a matrix. The skills matrix is not a one-and-done task; it’s a living document, updated every year against the company’s strategy. For example, the board of a bricks-and-mortar retailer planning to establish an ecommerce channel might determine it needs a board member with ecommerce, web advertising and data analytics expertise.

4) Do not let search firms drive the recruitment process.

Too often a board’s decision to replace a member is triggered by a retirement, an activist, or an institutional shareholder. The result of a passive refreshment process is that search firms wind up driving recruitment by default. A far better practice is for the governance committee to lead the board through it as part of the natural refreshment cycle. That way, the board gets the critical skills it needs and new members understand from the beginning that it’s not a lifetime appointment.

When refreshment is driven by a standardized process based on maintaining competitive skill sets, the board isn’t caught back on its heels if a board member is suddenly incapacitated or an activist rattles the doors. It’s also easier to tell a colleague that it’s time to surrender their board seat to somebody who has more critically relevant experience.

5) Set guidelines for retirement or term limits.

Retirement ages are extending, because people are staying active longer and working longer. Age limit guidelines are an effective way to trigger graceful rotations and maintain director independence. The term is guideline—not mandate—because it’s important to retain the ability to waive the age limit as part of governance. For example, at Berkshire Hathaway they’ll likely waive any age limit as long as Warren Buffett is sharp.

Europe is leading the way in board term limits; some European countries have already mandated 10-year terms. Institutional shareholders in the U.S. are taking note and beginning to discuss term limits as a method of maintaining director independence. Term limits also keep a board’s skill set fresh—but again, the governance committee has to retain the ability, by exception, to waive it. Microsoft isn’t going to ask Bill Gates to step down anytime soon.

6) Don’t get too comfortable with board colleagues.

It’s only human that people who serve together on a board will over time become friends, just as coworkers often do. So it becomes awkward to tell a long-time board colleague that they aren’t the right person going forward. To make it more difficult, boards lack the hierarchy of a private corporation. Instead they are led by a group of peers, with a lead director or a chairman who should together with the governance/nominating chair own the board makeup and refreshment topic.

Executing a proactive approach to refreshment eliminates the awkwardness of asking long-time colleagues to leave a board, because transitioning board members off becomes part of a natural, smooth cycle. The expectation is set from the beginning that board appointments are not for life.

7) Measure boardroom diversity using a holistic set of benchmarks.

Diversity shouldn’t be measured strictly by gender. What boardrooms need is diversity of perspective: gender diversity, ethnic diversity, international diversity, entrepreneurial diversity, and don’t forget technical diversity as technology is the biggest disrupter of virtually every business.

***
Betsy Atkins serves as President and Chief Executive Officer at Baja Corp, a venture capital firm. She is currently Lead Director and Governance Chair at HD Supply. She is also on the board of directors of Schneider Electric, Cognizant and Volvo Car Corporation. She also served on the board of directors at Nasdaq LLC and as Clear Standards CEO and Chairman. She is also on the SAP Advisory Board, among many others.

A self-proclaimed “veteran of board battle scars,” Ms. Atkins will be collaborating with Nasdaq to produce a series of corporate governance “nuts and bolts” articles. Stay tuned for an upcoming interview with her about the importance of executive sessions as a risk mitigation strategy.

Do you have a question about corporate governance for Betsy Atkins? If so, please send your question to comments@nasdaq.com and we may address it in a future post.
Publication Date: 4/3/2017 Identification Number: 1347

Top Cybersecurity Concerns for Every Board of Directors: Technology
Identification Number: 1345
Publication Date: March 29, 2017

This is the third of a four-part series of white papers authored by cybersecurity expert John Reed Stark. This series -- published for the first time on Nasdaq’s Governance Clearinghouse -- outlines a strategic framework for boards of directors to effectively analyze and supervise corporate cybersecurity risks.

The technical systems in place at any company provide the foundation for cybersecurity infrastructure and should be one of the primary focuses of any board of directors. Top Cybersecurity Concerns for Every Board of Directors: Technology outlines the various technological system classifications involved in an effective cybersecurity program.

The data points covered in the attached white paper are organized into broad categories helpful for shaping analysis and scrutiny and include:
  • Evaluating logging capabilities
  • Vetting penetration tests and testing consultants
  • Adopting data loss protection (DLP) systems
  • Patching and updating software
  • Installing endpoint detection and response (EDR) tools
  • Assessing physical security of facilities

This four-part series of white papers covers the following cybersecurity topics:

Part I, Cybersecurity Governance: critical components related to the governance practices, policies and procedures of a strong cybersecurity program.

Part II, People: cybersecurity recruitment, training and retention as well as hiring outside firms for digital forensics and data breach response.

Part III, Technology: the technical systems that provide the foundation for cybersecurity infrastructure.

Part IV, Data Mapping and Encryption (Coming in May): the board’s oversight responsibilities with respect to two of the largest enterprise undertakings in the field of cybersecurity: encryption and data mapping.

By using these white papers as a guide, boards of directors can become not only more preemptive in evaluating cybersecurity risk exposure but they can also successfully elevate cybersecurity from an ancillary IT concern to a core enterprise-wide risk management item.

Read John Reed Stark's Latest White Paper on Cybersecurity Technology >>

***
John Reed Stark is President of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of a global data breach response firm, including three years heading its Washington, D.C. office. Mr. Stark is the author of, "The Cybersecurity Due Diligence Handbook," available as an eBook on Amazon, iBooks and other booksellers.

Nasdaq Talks to . . . Martin Lipton of Wachtell, Lipton, Rosen and Katz about the New Paradigm in Corporate Governance
Identification Number: 1328
Publication Date: February 27, 2017

Martin Lipton, a founding partner of Wachtell, Lipton, Rosen & Katz, specializes in advising major corporations on mergers and acquisitions and matters affecting corporate policy and strategy. We spoke with Mr. Lipton about his most recent publication, “The New Paradigm – A Roadmap for an Implicit Corporate Governance Partnership between Corporations and Investors to Achieve Sustainable Long-Term Investment and Growth,” a blueprint for eradicating the short-termism that, he believes, is crippling long-term corporate growth and investment.

Q: Do you see any parallels between the corporate takeover atmosphere of the early 1980’s and modern activism, which has been accused of shifting corporate focus to the short-term?

A: There is a strong similarity between the corporate raiding of the ‘70s and ‘80s and activism. Modern activism is a reflection of the overwhelming control of public companies by the major institutional shareholders, which own somewhere between 65-85% of the stock of most listed companies. The real pressure on companies is meeting the expectations of the institutions that have the ability to control them, versus any other kind of defense to deal with in an activist attack.

I believe the best free market approach to protect shareholders from attacks by activist hedge funds is my New Paradigm for corporate governance, which places the deciding power in the hands of a majority of shareholders who are acting with knowledge of corporate strategies and in accordance with their fiduciary duties.

Q: If you had to boil down your “New Paradigm” paper to one takeaway, what would it be?

A: The New Paradigm is a corporate governance framework that derives from the recognition by corporate CEOs and boards of directors, and by leading institutional investors and asset managers, that short-termism and attacks by short-term financial activists significantly impede long-term investment by corporations. The New Paradigm recalibrates the relationship between public corporations and their investors, conceiving of corporate governance as a collaboration among corporations, shareholders and other stakeholders to achieve long-term value and resist short-termism.

In this framework, if a corporation is diligently pursuing well-conceived strategies developed with the participation of independent, competent and engaged directors, and its operations are in the hands of competent executives, investors will refuse to support activists seeking to force short-term value enhancements without regard to long-term value implications. As part of their stewardship role, investors will work to understand corporate strategies and operations. Investors also will engage with corporations to ensure they understand investors’ opinions so corporations can adjust strategies and operations in order to receive investors’ support.

Q: In practical terms, who at the company should collaborate with investors and how do you recommend they do so?

A: The key is a double use of engagement: appropriate corporate governance involves real engagement between management and the board of directors, as well as between corporate management and investors. Institutions want to know that there is an independent, competent and experienced board of directors overseeing and engaged in what management is doing. Corporations need to know what governance their institutional investors expect of them.

As a practical matter, the relationship between a corporation and its investors should be overseen and participated in by the CEO and carried out on a day-to-day basis by the investor relations and corporate governance staff. There should be periodic participation by the lead independent director, independent chair (if any) and members of the board. Director participation is a case-by-case decision depending on circumstances, including whether the investors have interest in meeting with directors.

When engaging with institutional investors, it’s important for corporations to understand what investors want, to communicate effectively what management does not think appropriate and therefore will not do, and ensure investors have confidence in that. It’s also critical to be fully transparent with investors with respect to operations, and earnings, and other material information. Corporations should ensure that investor relations are first rate and that institutional investors are satisfied with the access they have to the board of directors if they desire to communicate directly with the directors.

Q: Your paper states that engagement is a two-way street, with investors holding up their end of the bargain. Do you think the investors are ready for it?

A: Most major investors—especially BlackRock, State Street and Vanguard—have equipped themselves for engagement, and most are committed to strengthening their engagement capability. Engagement is strongly supported by FCLT Global (a not-for-profit organization dedicated to developing practical tools and approaches that encourage long-term behaviors in business and investment decision-making) and all of the major investor associations.

Q: While the paper calls for changes through market forces without new regulation, do you think there is anything that exchanges can contribute through the regulation of listed companies?

A: I’m very hopeful that a large number of major institutions, investors, and corporations will endorse the New Paradigm, and that we will see a significant decrease in the pressure for short-term performance as a result. Corporations need encouragement and support from their investors to make the long-term investments that lead to sustainable growth.

The exchanges could make a major contribution to the universal adoption of, and adherence to, the New Paradigm by endorsing it and stating that they believe it is an effective means of achieving long-term investment and growth. If both corporations and investors adhere to the New Paradigm, no new regulation would be needed.

Q: Another publication attracting attention in the corporate governance community is “Principal Costs: A New Theory for Corporate Law and Governance.” Why do you think principal-cost theory has taken so long to emerge, allowing instead for the agency-cost theory to dominate?

A: From the very outset of shareholder activism—say Milton Friedman in 1970—it was recognized that the cost of shareholders forcing changes in business strategy and operations could have an adverse impact on investment in research and development, on capital expenditures, on employment, employee training and attracting top executive talent. It just didn’t have a catchy name like “shareholder democracy” or “agency cost.”

What Professor Goshen has made clear is that it’s the function of the board of directors, and of investors dealing with the corporation, to find the optimal governance structure through exercising balanced stewardship. If you pressure for short-term performance, higher dividends or share buybacks, you are causing the corporation to reduce R&D and capital expenditures and increase leverage to the point that companies run into financial difficulties. There’s no better example than what happened in the fiscal crisis in 2008.

As Jack Welch has said, “maximizing shareholder value is the dumbest idea in the world. Shareholder value is a result, not a strategy…your main constituencies are your employees, your customers and your products.”

Q: Do you think the New Paradigm will affect the balance in the capital markets between short- and long-term investors?

A: I believe the New Paradigm will have a significant impact on promoting long-term investment. CEOs, management teams and boards of directors are highly responsive to the views and requirements of their investors. If a majority of shareholders are acting with knowledge and in accordance with their fiduciary duties, it will promote a reasonable balance between short-term and long-term goals.

The International Business Council sought signatures from all participants in its January 2017 meeting to The Compact for Responsive and Responsible Leadership: A Roadmap for Sustainable Long-Term Growth and Opportunity. The Compact includes key features of The New Paradigm and I recommend adherence to The Compact and The New Paradigm by all corporations, institutional investors and asset managers.

Read The New Paradigm – A Roadmap for an Implicit Corporate Governance Partnership between Corporations and Investors to Achieve Sustainable Long-Term Investment and Growth >>

Read The Compact for Responsive and Responsible Leadership: A Roadmap for Sustainable Long-Term Growth and Opportunity >>

Read Principal Costs: A New Theory for Corporate Law and Governance >>

***
Martin Lipton has worked as a partner of Wachtell Lipton since 1965, representing corporations involved in many of the largest mergers, change-of-control contests and boardroom crises of the past 60 years. In 1992, Lipton co-authored “A Modest Proposal for Improved Corporate Governance” which became the template for the basic corporate governance principles adopted in the 1990s.

Nasdaq Talks to…Don Kalfen of Meridian about Preparing for CEO Pay Ratio Disclosure
Identification Number: 1303
Publication Date: January 11, 2017

Should public companies still plan on implementing the CEO Pay Ratio rule given that President-elect Trump has promised to repeal or reform Dodd-Frank? Nasdaq sat down with Don Kalfen of Meridian Compensation Partners to find out. Don leads Meridian’s Technical Team and has more than 20 years of consulting experience in executive and director compensation and related issues.

The Pay Ratio disclosure rules—drafted by the SEC and mandated under Dodd-Frank—become effective in 2017 and, for calendar year companies, apply to their first annual report, annual proxy or information statement filed in 2018. Don’s interview with Nasdaq resulted in a robust nuts-and-bolts guide to the CEO Pay Ratio rule, including an overview of the rule, who must follow it, and how to calculate the required pay ratios, as well as his views on its (lack of) merit.

During our conversation, we asked Don to share his thoughts on whether the incoming Trump administration will repeal the CEO pay ratio rule:

President-elect Trump’s specific views on the CEO pay ratio are not known. However, Mr. Trump’s views on Dodd-Frank are clear: The President-elect will seek the repeal or sweeping reformation of Dodd-Frank. This could result in the repeal of the CEO pay ratio along with the other Dodd-Frank disclosure mandates. Further, over the past several years, Congressional Republicans have routinely introduced bills to repeal the CEO pay ratio. Despite these hopeful signs, at this point it would be premature to write off the Pay Ratio rule. It may be well into the summer of 2017 before the fate of Dodd-Frank and its various disclosure mandates starts to become clear. Until then, we are advising companies to operate under the assumption that the Pay Ratio will go into effect in 2017, with initial public disclosure in 2018.

Don also shared his advice and planning steps for companies to begin preparing for the rule in advance of the 2018 proxy season:

Until the fourth quarter of 2017, for a calendar year company it is too early to determine a CEO pay ratio that complies with the Dodd-Frank requirements and the SEC rule on the pay ratio disclosure. A calendar year company is required to determine the covered employee population from which to derive the pay ratio as of a company-selected date occurring in its fourth quarter. Only after this determination has been made may a company calculate a compliant CEO pay ratio.

However, we suggest companies undertake the following planning steps during the current calendar year, and into the start of 2017 to get ahead of the curve:

Identify covered entities (and covered jurisdictions) and means of data collection. A company should identify each covered entity (i.e., every consolidated entity for financial statement purposes), the jurisdiction(s) of the entity and the means of collecting applicable employee pay data from each entity. This, importantly, includes how the company will collect data (e.g., via the company’s country-specific HRIS system, by hand input on paper documents, etc.), and determine currency conversions.

Determine employee exclusions. Once covered entities are identified and how pay data will be collected, a company should determine if any employees from covered entities may be excluded from the covered employee population (e.g., 5% exclusion of non-U.S. employees, countries where data privacy laws raise issues, independent contractors, etc.). In this regard, a company should consider retention of legal counsel to determine the extent to which non-U.S. employees may be excluded by reason of data privacy laws.

Determine covered employee population. Next a company should determine whether the median employee should be identified from the entire covered employee population or a subset of the employee population based on statistical sampling techniques. A company may need to retain a statistician to determine the appropriate sampling techniques.

Agree upon pay definition for determining median employee. A company should then determine how pay will be defined for purposes of identifying the median employee and to what extent pay may be annualized for certain categories of covered employees. Note that the pay definition for this purpose could be W-2 reported pay, base salary, or another consistently applied measure.

Conduct a simplified calculation based on U.S. employees only. A company should determine a sample CEO pay ratio based solely on its U.S. employee population or a subset of this population. This will help a company further refine its processes for developing its CEO pay ratio disclosure and help to surface issues for resolution. Finally, this may provide some indication as to what the disclosed CEO pay ratio will be, and create a more informed expectation on how a company may need to develop disclosures regarding the pay ratio.

To read our full interview with Don Kalfen, click here.

***
With over sixty associates in ten offices in the U.S. and Canada, Meridian Compensation Partners provides executive compensation consulting and corporate governance services to over 500 major publicly traded and privately held corporations. Their core services include board level advisory services, compensation program design, research and competitive market intelligence on executive pay, and corporate governance matters.

Top Cybersecurity Concerns for Every Board of Directors: People
Identification Number: 1301
Publication Date: January 4, 2017

This is the second of a four-part series of white papers authored by cybersecurity expert John Reed Stark. This series -- published for the first time on Nasdaq’s Governance Clearinghouse -- outlines a strategic framework for boards of directors to effectively analyze and supervise corporate cybersecurity risks.

Companies can invest heavily in top-of-the-line security software and state-of-the-art systems, but without the proper approach toward their IT employees, those efforts will be for naught. This article focuses on a board’s cybersecurity oversight pertaining to a company’s most important cybersecurity resource (and threat): its employees.

Given the tumultuous risk associated with cyber-attacks, boards of directors and C-suite executives must address cybersecurity not as an IT issue, but rather as an issue of governance. Boards and C-suite executives should establish a cross-organizational team that regularly convenes to discuss, coordinate and communicate cybersecurity issues and is supported by outside cybersecurity response firms and law enforcement agencies.

This paper provides an overview of cybersecurity governance areas that involve people, including:
  • Cybersecurity recruitment and retention
  • Top-down commitment to cybersecurity
  • Employee cybersecurity training programs
  • Digital forensics/data breach response firms
  • Law firms specializing in data breach response
  • Pre-breach law enforcement liaisons
The first paper in this series provided an overview of the critical components related to the governance practices, policies and procedures of a strong cybersecurity program. The remaining papers in this series will broadly cover the following topics:
  • Technology: the technical systems that provide the foundation for cybersecurity infrastructure.
  • Data Mapping and Encryption: the board’s oversight responsibilities with respect to two of the largest enterprise undertakings in the field of cybersecurity: encryption and data mapping.
By using these white papers as a guide, boards of directors can become not only more preemptive in evaluating cybersecurity risk exposure but they can also successfully elevate cybersecurity from an ancillary IT concern to a core enterprise-wide risk management item. 

Read John Reed Stark’s White Paper on Top Cyber Security Concerns for Every Board of Directors: People >>

Read John Reed Stark’s White Paper on Cybersecurity Governance >>

***
John Reed Stark is President of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of a global data breach response firm, including three years heading its Washington, D.C. office. Mr. Stark is the author of, "The Cybersecurity Due Diligence Handbook," available as an eBook on Amazon, iBooks and other booksellers.

Governance Clearinghouse: 2016's 10 Most Popular Articles
Identification Number: 1299
Publication Date: December 27, 2016

Here are 2016's most popular articles. They covered a range of topics such as board diversity, excellence in governance, cybersecurity, proxy statement innovations, and more, and remain as relevant now as when we published them.

1. Looking Beyond the Numbers: Women on Public Company Boards.  Nasdaq took a close-up look at the women who are changing both the gender parity equation and the boardroom dynamics of publicly listed companies.

2. U.S. Chamber of Commerce Releases Plan for Next Administration. Learn more about the U.S. Chamber’s recommendations to remediate regulations and market inefficiencies that it believes are stifling economic growth and job creation.

3. Nasdaq Listed Companies Recognized for Excellence in Governance.  See which Nasdaq issuers were recognized at the 2016 Corporate Secretary's Corporate Governance Awards for exhibiting best practices in governance, risk, and compliance.

4. Eliminating the Diversity See-Say Problem: Lessons from the Clinton Campaign.  Nasdaq spoke with the Clinton campaign’s Chief Diversity Officer to see what public companies could learn about advancing diversity in the workplace and the workforce.

5. Nasdaq Talks to . . . Andrea Hoffman about Competing for the Talent Companies Need to Grow and Innovate.  Nasdaq spoke with Andrea about tapping the diverse elite talent pool, truly diversifying corporate boards, and digitizing the diversity innovation business model.

6. Nasdaq Talks to . . . Eric Thornburg, CEO of Connecticut Water Service, about the Role Board Diversity Plays in Strengthening Corporate Governance and Improving Company Performance. Eric shared his thoughts on how a diverse culture contributes to the overall success of the organization and how gender parity has strengthened corporate governance and improved company performance.

7. What Makes a Great Board? Find Out from Veteran Director Betsy Atkins.  Betsy Atkins, a scholar of board behavior, veteran of 23 boards and 13 IPOs, shared her views on best practices for building an effective board.

8. Top Cybersecurity Concerns for Every Board of Directors: Cybersecurity Governance.  Cybersecurity expert John Reed Stark outlined a strategic framework for boards to effectively analyze and supervise corporate cybersecurity risks.

9. Taking Stock of Diversity.  Nasdaq EVP and General Counsel, Ed Knight, delivered this speech talking about why he believes the boards of public companies should be as diverse as their investors and customers.

10. Taking Your Proxy Statement from Good to Great.  Read this Outside Insight post to learn about all the latest trends and innovations that will inspire you as you prepare for the upcoming proxy season.

EY Center for Board Matters: Top Board Priorities for 2017
Identification Number: 1298
Publication Date: December 21, 2016

The EY Center for Board Matters expects boards to increase focus on six priorities in 2017. These priorities include, among others: overseeing competitive strategy in a world of disruption and convergence; navigating the dynamic geopolitical and regulatory environment; optimizing long-term capital allocation strategies; and strengthening board composition through strategic alignment.

Read more from EY >>

PwC Report Considers Investor and Company Perspectives on ESG Disclosures
Identification Number: 1293
Publication Date: December 9, 2016

A new PwC report found that investors are increasingly demanding more environmental, social, and governance (ESG) information disclosures by companies as an important factor in their decision-making processes, but companies are still divided on how and what to include. The study analyzed the relationship between investors and corporations, and found that while companies prioritize growth, investors are more focused on risk. Interestingly, while 65% of companies say that ESG considerations are very important to business strategy, only 31% of institutional investors indicated they were important to equity investment decisions. The report also noted that while over 80% of S&P 500 companies disclosed their ESG programs in 2015, investors do not believe the companies present the information in a way that allows easy comparison by investors. Most of those polled agreed that implementing a common standard for companies to use when disclosing ESG information, as well as increased dialogue and feedback, could help bridge the gap between investors and companies.

Read More from PwC >>

Non-GAAP Financial Measures: Continuing the Conversation
Identification Number: 1291
Publication Date: December 6, 2016

The Center for Audit Quality released a white paper, which explores the issue of non-GAAP information, providing context on its definition and use, pertinent regulatory developments, and the current level of auditor involvement. Additionally, the paper compiles sets of suggested questions for key stakeholder groups (management, investors, investment analysts, securities counselors, audit committee members, internal auditors, independent auditors, regulators, accounting standard setters, and academics) to consider regarding their preparation or use of non-GAAP financial measures.

Read the white paper >>

EGCs Account for Majority of IPOs Since JOBS Act, EY Study Finds
Identification Number: 1287
Publication Date: November 28, 2016

In its recent report “Update on Emerging Growth Companies and the Jobs Act,” EY notes that since enactment of the Jumpstart Our Business Startups (JOBS) Act in April 2012, Emerging Growth Companies (EGCs) have come to dominate the IPO market, citing its findings that 83% of all publicly filed IPO registration statements and 87% of all IPOs that have gone effective during that time were EGCs. The report also notes that a large majority of EGCs have relied on some of the accommodations afforded by the JOBS Act, including confidential submission of registration statements to the Securities and Exchange Commission (SEC), reduced executive compensation disclosures and including two rather than three years of audited financial statements.

Read more from EY >>
Willis Towers Watson Looks at “Say on Frequency” Votes
Identification Number: 1283
Publication Date: November 18, 2016

In a recent report, Willis Towers Watson looks at the Dodd-Frank-required shareholder vote on how often companies must hold a “say on pay” vote, either every one, two or three years: the so-called “say on frequency” vote. The report reviewed the “say on pay” frequency at Russell 3000 companies, finding that 82% of companies opted for annual, one percent for biennial and 17% for triennial shareholder votes. The report also identifies various institutional investors who appear to prefer biennial or triennial frequencies as opposed to an annual vote.

Read more from Willis Towers Watson >>
Top Cybersecurity Concerns for Every Board of Directors: Cybersecurity Governance
Identification Number: 1284
Publication Date: November 18, 2016

Cybersecurity expert John Reed Stark has authored a four-part series of white papers outlining a strategic framework for boards of directors to effectively analyze and supervise corporate cybersecurity risks.

In the aftermath of a corporate cyber-attack, boards and the companies they govern are subjected to immediate public scrutiny and, in many cases, unwarranted criticism. This new cyber-reality has essentially removed the distinction between board member and IT executive, with cybersecurity emerging as a key corporate risk area.

For corporations, this is the dawning of a new era of data breach and incident response, where trying to avert a cyber-attack is like trying to prevent a kindergartener from catching a cold during the school year.

But cybersecurity engagement for members of the board of directors does not mean that members should obtain computer science degrees or personally supervise firewall implementation and intrusion detection system rollouts. Instead, a board’s oversight responsibilities should focus on the critical components relating to the governance practices, policies and procedures of a strong cybersecurity program, which are detailed in the attached white paper and include:
  • Elements of a cybersecurity incident response plan
  • Evaluating the business continuity plan in the context of cyber attacks
  • IT security budgeting
  • Cybersecurity tabletop drills
  • Data security measures for cloud-based services.
The remaining papers in this series will broadly cover the following topics:
  • People: cybersecurity recruitment, training and retention as well as hiring outside firms for digital forensics and data breach response.
  • Technology: the technical systems that provide the foundation for cybersecurity infrastructure.
  • Data Mapping and Encryption: the board’s oversight responsibilities with respect to two of the largest enterprise undertakings in the field of cybersecurity: encryption and data mapping.
By using these white papers as a guide, boards of directors can become not only more preemptive in evaluating cybersecurity risk exposure but also successfully elevate cybersecurity from an ancillary IT concern to a core enterprise-wide risk management item.

Read John Reed Stark’s White Paper on Cybersecurity Governance >>

***
John Reed Stark is President of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of a global data breach response firm, including three years heading its Washington, D.C. office. Mr. Stark is the author of "The Cybersecurity Due Diligence Handbook," available as an eBook on Amazon, iBooks and other booksellers.
Harvard Law School Professor Offers Empirical Analysis of Universal Proxies
Identification Number: 1280
Publication Date: November 11, 2016

A recent paper by Scott Hirst, Associate Director of the Harvard Law School Program on Corporate Governance, looked at the potential impact of allowing universal proxies that list all director nominees, as recently proposed by the SEC, instead of voting based on separate proxies for management and dissident nominees, as is the case now. The study found evidence that universal proxies may eliminate “distorted” proxy contests and by doing so enfranchise shareholders. These benefits, the paper argued, would outweigh concerns that universal proxies could lead to more proxy contests and empower special interests. In support of its conclusions, the study found that 22% of proxy contests at large U.S. corporations between 2008 and 2015 may have been distorted, meaning that another candidate may have been elected if a universal proxy had been used.

Learn more about Scott Hirst's paper >>
ISS Proposes Draft Policy Changes for 2017
Identification Number: 1277
Publication Date: November 2, 2016

ISS is requesting public comment from interested parties regarding proposed draft policy changes. If accepted, these policies would take effect for meetings on or before February 1, 2017. Significant proposal updates involving U.S. companies include updates to director election voting policies in the case of certain companies with multi-class structures and companies that restrict the ability of shareholders to amend the bylaws. Comments are due by November 10th, and ISS expects its final policy announcements to be released in the second half of November.

Click to see ISS’s Policy Drafts >>
Counteracting the Fraud Triangle
Identification Number: 1272
Publication Date: October 25, 2016

Cindy Fornelli—Executive Director at the Center for Audit Quality—shares with Nasdaq the elements of a fraud-resistant organization, tools for improving disclosure and audit reports, and recommendations for assessing the performance of outside auditors.

Q: The Center for Audit Quality (CAQ) partnered with a number of organizations to research and prepare a report on detecting and deterring financial reporting fraud. Can you summarize your findings?

A: The Anti-Fraud Collaboration’s report, The Fraud Resistant Organization, provides information about the conditions that might make an organization more susceptible to financial reporting fraud and describes how to mitigate those conditions. The report identifies three central themes that are critical to fraud deterrence and detection: (1) strong “tone at the top,” (2) skepticism, and (3) robust communications. These three elements help counteract each condition of the so-called "fraud triangle"—pressure, opportunity, and rationalization—that can lead someone to commit fraud.

A key theme of the report is that fighting fraud is truly an all-hands effort. Management, boards of directors, internal audit, and external audit all play a part in deterring and detecting fraud, and all need to have a solid understanding of their respective roles.

Additionally, these entities need to work hard to establish and maintain an environment of open and ongoing communication. Good communication enhances the knowledge of all parties and is vital for identifying any gaps in efforts to mitigate the risk of financial reporting fraud.

Q: Since the reforms of the Sarbanes-Oxley Act of 2002 were put into place, accounting restatements have decreased. Other than the change in the law, what other factors have contributed to this reduction?

A: One factor is enhanced communication and collaboration across the financial reporting supply chain. Since the passage of SOX, key stakeholders have worked together as never before to improve financial reporting. The Anti-Fraud Collaboration—formed in 2010 by the CAQ, Financial Executives International, The Institute of Internal Auditors, and the National Association of Corporate Directors (NACD)—is one example of this kind of collaboration. Another example would be the robust dialogue we've seen among market participants around internal control over financial reporting.

A second factor is the ever-strengthening role of audit committees in our system of investor protection. The audit committee community is as energized and engaged as ever. Audit committees are also benefitting from new tools and resources from organizations like the NACD and the CAQ, as well as governance centers at auditing firms.

Last, but certainly not least, credit should be given to the public company profession's strong commitment to enhancing audit quality through the cycle of continuous improvement. Each year, the profession invests substantially in training and continuing education to enable its workforce to execute high quality audits in a constantly changing business and regulatory landscape.

Q: You’ve stated that more disclosure by companies is not necessarily better, but rather, we should be focusing on “effective disclosure.” How can disclosure by public companies be improved, and how can its effectiveness be measured?

A: One way to improve disclosure is to highlight best practices from leading companies. As an example, consider the Audit Committee Transparency Barometer, a joint project from Audit Analytics and the Center for Audit Quality. Each year, The Audit Committee Transparency Barometer measures the robustness of audit-related proxy disclosures among companies in the S&P Composite 1500. The publication not only provides robust data on year-over-year trends, it also features specific examples from companies that have provided meaningful information. Thus, the Barometer can serve as a resource to other companies looking to enhance their disclosure practices.

As the Barometer emphasizes, it is important for disclosure to be tailored to specific companies and industries. That way the disclosure is meaningful—not just more information or boilerplate text.

Q: In what ways can diversity – gender, viewpoint, and ethnicity – benefit public company boards of directors and audit committees?

A: There are substantial benefits to achieving diversity in the boardroom. Boards with diverse points of views—and members with different backgrounds—often make better decisions. And, in the words of Robert E. Moritz, Chairman of PricewaterhouseCoopers International, "diversity yields innovation."

The benefits of diversity are supported by empirical research. On gender diversity, for example, a 2012 study by researchers at the University of Wisconsin-Milwaukee, Santa Clara University, and Kansas State University found that female presence on a company board reduced the chance of financial restatements by close to 40 percent.

I would also posit that diversity of all types is important to every organization and group, not just boards.

Q: There has been some criticism of the current “pass/fail” model of audit opinion. Do you think this paradigm still works? Where should the burden of disclosure fall for that which is beyond what’s included in an audit report?

A: Across the globe, investors, audit committees, and other key market participants have expressed their need and desire for more information regarding the work and views of public company auditors. This isn't surprising, given evidence of the robust confidence that investors place in independent auditors.

The auditing profession is responding actively to this need on a number of fronts, including rethinking the traditional "pass-fail" auditor's report. In the United Kingdom, audit reports now provide more information, including a discussion of the application of materiality, the scope of the audit, and an assessment of risks of material misstatement. In the United States, public company auditors have been deeply engaged on the issue of the auditor's report, providing extensive and constructive input on regulatory proposals.

A significant principle with respect to the auditor’s reporting model is that the auditor should not be the original source of information. It is the responsibility of the company’s management to consider such information for disclosure.

Q: What recommendations do you have for audit committees in assessing the performance of their auditor, and in considering whether an auditor should be replaced?

A: Audit committees can avail themselves of valuable resources that can help in the area of auditor assessment. One of those resources is the External Auditor Assessment Tool, a publication of the Audit Committee Collaboration. This tool can help inform the audit committee’s evaluation of the auditor, meaning the audit firm, as well as the lead audit partner, audit team, and engagement quality reviewer.

To that end, the External Auditor Assessment Tool contains sets of sample questions that highlight some of the more important areas for consideration in the assessment of the auditor. It also provides a sample form for obtaining input from company personnel.

Q: How should audit quality be measured?

A: The Center for Audit Quality believes that metrics regarding the audit—commonly referred to as audit quality indicators (AQIs)—could be used to better inform audit committees about key matters that may contribute to the quality of an audit.

In recent years, the public company auditing profession, audit committee members, and policymakers all have extensively explored AQIs. There has been progress on the issue, but challenges remain. One challenge is that views on audit quality vary quite widely among stakeholders. Much depends on the degree to which stakeholders have direct involvement in audits—and the lens through which they assess auditor responsibility and performance.

Another challenge revolves around striking the right balance between quantitative and qualitative information. In its engagement on AQIs, the CAQ has observed a strong desire among audit committee members for new ways to assess the more qualitative aspects of the audit, such as the engagement team having strong communications skills, as well as the right mindset to bring forth professional skepticism and auditor judgment.

To address these and other AQI challenges, further dialogue and continued collaboration among all stakeholders are needed.

Q: Let’s take the example of an audit committee that has historically only included the required elements in its audit committee reports. How could such an audit committee improve the transparency and usability of this report to keep up with the needs of investors and other proxy statement users?

A: As I’ve noted earlier, one of the things we like to suggest audit committees do, as they contemplate ways to improve the transparency and usability of their reports, is to look at some examples from companies that are doing it well. Prudential Financial and General Electric have long been recognized for exemplary proxy statements. We’ve also seen recently notable improvements from Goldman Sachs and—and we’re not just saying this because we’re talking to you—Nasdaq.

***
Cindy Fornelli is Executive Director of the Center for Audit Quality (CAQ), a position she has held since the CAQ was established in 2007. In 2016, Fornelli was honored for the eighth time by Directorship magazine as one of the 100 most influential people on corporate governance and in the boardroom. Accounting Today has named her one of the 100 most influential people in accounting for 10 consecutive years.

Fornelli serves on the Advisory Board of the Ira M. Millstein Center for Global Markets and Corporate Ownership, the Securities and Exchange Commission Historical Society’s Board of Trustees, the Audit & Risk Oversight Committee Advisory Council of the National Association of Corporate Directors, and the Accounting and Auditing Committee of the International Corporate Governance Network. She previously served on the National Association of Corporate Directors’ 2010 Blue Ribbon Commission on the Audit Committee and 2009 Blue Ribbon Commission on Risk Governance. Prior to joining the CAQ, Fornelli was the Regulatory and Conflicts Management Executive at Bank of America and the Deputy Director of the U.S. Securities and Exchange Commission's Division of Investment Management. Fornelli is a graduate of Purdue University and received her JD at The George Washington University.

The views and opinions expressed herein are the views and opinions of the author at the time of publication and may not be updated. They do not necessarily reflect those of Nasdaq, Inc. The content does not attempt to examine all the facts and circumstances which may be relevant to any particular situation and nothing contained herein should be construed as legal advice.
Comparing Russell 2000 and S&P 500 Corporate Governance Trends
Identification Number: 1271
Publication Date: October 21, 2016

In a study conducted by the EY Center for Board Matters, corporate governance trends at companies listed on the S&P 500 and Russell 2000 indexes were analyzed over the four-year period from 2012 to 2015. The study was conducted to identify lesser-known governance trends at Russell 2000 companies, as well as differences between those companies and S&P 500 firms. Key findings at Russell 2000 companies include: smaller, younger, and less diverse boards; increasingly independent board leadership structures and diminished use of presiding directors; transformative changes to director elections through annual elections and majority voting requirements for directors; increased board and executive compensation; and increased investor support.

Read more from EY >>
Six Rules for Creating Efficient Board Meetings
Identification Number: 1266
Publication Date: October 14, 2016

Effective, time-efficient board meetings are essential to company success, yet board meetings are often inefficient and become missed opportunities for company executives to review key issues. Boardvantage has provided six simple rules to help improve the quality of board meetings:
  • Increase communication by providing regular updates between meetings.
  • Report on success metrics regularly and predictably.
  • Embrace technology and lose the fear of modernization.
  • Eliminate time-consuming and outdated paper materials and implement tools for communication inside and outside of the boardroom.
  • Increase corporate and technology security vigilance.
  • Properly equip support staff to facilitate communications to the board.

Read more from Boardvantage >>
Shareholder Proposals with Social Agendas Hit Record High
Identification Number: 1267
Publication Date: October 14, 2016

Who are the shareholders submitting proposals? What are their motives? What impacts are they having on corporate governance? Answers to these questions can be found in the Proxy Monitor’s 2016 Annual Report on Corporate Governance and Shareholder Activism, a survey of the experiences of the 250 largest publicly traded American companies. A summary of the findings follows:
  • The shareholder-proposal process continues to be dominated by a small group of shareholders. Six “corporate gadfly” investors (individuals who repeatedly file multiple common shareholder proposals at a large number of companies) sponsored 33% of all proposals, while institutional investors and labor-affiliated institutional investors (such as Teamsters’ Union and public-employee pension funds) sponsored the remaining 67%.
  • Shareholder proposals are increasingly aimed toward making social and political changes. In fact, 50% of all shareholder proposals involved social or policy concerns. Corporate governance proposals made up another 39%, and executive compensation related proposals accounted for the remaining 11%.
  • With the exception of proposals related to proxy access and shareholder majority voting rules, shareholder proposals rarely win majority support. Only 3% of shareholder proposals received majority support, while shareholders continue to reject overwhelmingly proposals relating to social or policy concerns.
The authors of the report stress that “increasing activity on the part of certain shareholders pursuing social and policy agendas should not be confused with broad shareholder support for these activists’ pet issues.” However, they go on to note that “[d]espite this broad shareholder opposition, shareholder activists with social or policy concerns have continued to introduce shareholder proposals with little to no chance of passage, year after year. The costs of such activity fall on the corporation—and hence other shareholders.”

The report also includes a number of recommendations designed to mitigate the expenses associated with processing shareholder proposals, including these:
  • The SEC should revisit its 1976 rule forcing companies to include most issues on their proxy ballots.
  • Force shareholder-proposal sponsors to reimburse the corporation at least some portion of the direct costs of assessing, printing, distributing, and tabulating their proposals, if any proposal fails to receive majority or threshold shareholder support.
  • The SEC should revise its rule permitting companies to exclude resubmitted shareholder proposals, if they fail to garner minimum threshold shareholder support within the preceding five calendar years.
Read the full report here >>

For more information on corporate gadflies, read A Gadfly’s Perspective on Harvard Law School Forum on Corporate Governance and Financial Regulation and Gadflies at the Gate: Why Do Individual Investors Sponsor Shareholder Resolutions?
SASB Requests Feedback on Provisional Standards
Identification Number: 1264
Publication Date: October 7, 2016

The Sustainability Accounting Standards Board (SASB) has completed provisional standards for over 70 industries and is now requesting feedback from companies before the standards are codified in the fourth quarter of 2017. In a recent letter sent to all Fortune 500 CEOs and CFOs from SASB Chair Michael Bloomberg and Vice Chair Mary Schapiro, SASB is asking companies to participate in a 90-day public comment period to gather additional input on the materiality of topics and usefulness of metrics, to ensure the codified standards are cost-effective for companies and include useful information for investors.

Read more from the SASB here >>
Improving Neurodiversity in the Boardroom and Workforce
Identification Number: 1265
Publication Date: October 7, 2016

Today, diversity in the workplace is discussed more than ever. In his recent Ethical Boardroom feature, David Marks focuses on ways companies can improve neurodiversity in the boardroom and raise awareness for employees with Autistic Spectrum Disorder (ASD). According to Marks, a multi-award-winning technology developer, individuals with this condition are often underrepresented for several reasons: the disadvantage faced by those with ASD in advancing in an “extroverted world”; their straightforward, honest, and precise communication styles; social appearance; fear of discrimination; and extreme focus on areas of interest. Marks goes on to describe the numerous positive attributes of this often overlooked pool of talent, suggest how businesses can improve the representation of people with the condition, and encourage those with ASD to step out and help break down negative stereotypes.

Read more from Ethical Boardroom >>
Long-Term Issues Arise From Short-Term Solutions for American Economy
Identification Number: 1270
Publication Date: September 28, 2016

Short-termism, where companies forgo long-term investments to improve stock prices in the near term, has become one of the greatest threats to America’s economic prosperity, according to Vice President Joe Biden’s recent feature in The Wall Street Journal. Biden argues that although private investment may be the greatest driver of economic growth, company executives often choose to improve the share price of today rather than adding long-term value. He also adds that emphasizing productivity and returning profits to shareholders over future investments has led to a decline in business development and company investments, and that companies will not flourish without investing in research, development, and on-site training.

Read more from the Wall Street Journal Here >>
Board Whisperer Webcast: Inside America’s Boardrooms
Identification Number: 1260
Publication Date: September 27, 2016

Nasdaq has teamed up with “board whisperer” and governance expert TK Kerstetter to provide innovative corporate governance solutions and resources to publicly-traded companies. Nasdaq has made its Times Square MarketSite studio available to Inside America’s Boardrooms, the premier informational web show for boards of directors of public companies. Nasdaq is also a sponsor of the show.

Kerstetter interviews seasoned executives and board members in the trenches of corporate leadership, as well as the governance professionals and scholars who advise them. Institutional investors are also frequent guests. Guests on the show share their perspectives on current issues and trends in corporate governance, including risk management, compensation, proxy access, and sustainability.

To enable viewers to watch the interviews live, Nasdaq has partnered with Inside America’s Boardrooms to live stream the show on Facebook’s new video platform, Live on Facebook. Episodes can also be viewed on the show’s website.

Inside America’s Boardrooms recently filmed its 50th episode. Following are quick links to the three most viewed episodes to date:

  1. The Relationship Between the Corporate Secretary & Board of Directors: Janet McGinness, Corporate Secretary at MasterCard, shares her perspective on the value an effective corporate secretary brings to the board.
  2. Key Steps to Building an Effective Board: Richard Leblanc, Associate Professor of Governance, Law & Ethics at York University discusses board leadership, board assessments, board recruitment, and composition.
  3. The Audit Committee’s Role in Investigations: Paula Loop, leader of PwC’s Center for Board Governance & Investor Resource Institute, outlines the factors audit committees should consider when analyzing allegations of fraud, regulatory infractions and whistleblower complaints.

Kerstetter recently launched a special three-part series Investors Board Performance Review, also filmed at Nasdaq’s MarketSite in Times Square. Investors Board Performance Review showcases influential institutional investors and proxy advisors. Guest panels debate how corporate boards are performing, how they can improve, and investment trends that will impact boardrooms in the future.

In Episode 1, several of the world’s most influential institutional investors and proxy advisors share their views on how corporate boards are performing in the boardroom. TK Kerstetter interviews executives at Institutional Shareholder Services, the Council of Institutional Investors, and the New York City Pension Funds.

To subscribe to Inside America’s Boardrooms, visit boardroomresources.com.

***
TK Kerstetter is the founder and Chief Executive Officer of Boardroom Resources, LLC. Prior to launching Boardroom Resources in 2015, Kerstetter served as Chairman of NYSE Governance Services.
SRI & ESG in the Era of Shareholder Engagement
Identification Number: 1261
Publication Date: September 27, 2016

Environmental, Social and Corporate Governance (ESG) investing is a priority for many shareholder groups who want their voices to be heard. Whether the issue is say-on-pay, proxy access or socially and environmentally responsible investing (SRI), shareholders expect access to the board that now goes well beyond the annual meeting. A new research paper from Nasdaq Corporate Solutions, Do Well, Do Good, Do Both: Socially Responsible Investing & Environmental, Social and Corporate Governance in the Era of Shareholder Engagement, argues that the evolution of ESG and SRI has led to a new era of shareholder activism and new practices in board engagement. This whitepaper focuses on providing a board process that can be implemented, replicated, measured and adjusted, in addition to ways for boards to demonstrate to shareholders that they understand ESG issues.

Get your free copy of the whitepaper >>
Nasdaq Submits Comment Letter on Business and Financial Disclosures
Identification Number: 1259
Publication Date: September 20, 2016

In its recent response to the Securities and Exchange Commission (“SEC”) request for comments on the business and financial disclosures required in periodic and current reports, Nasdaq suggested a pilot program to potentially eliminate SEC quarterly reports (Form 10-Qs). The program would instead require companies to put out quarterly earnings releases with financial information and a description of any material changes to the business. Nasdaq also encouraged the SEC to mandate that all public companies disclose any third party payments their directors receive, similar to the rule Nasdaq recently adopted for its listed companies. Nasdaq also emphasized the importance of materiality as the guiding principle for all SEC-mandated disclosures, including sustainability disclosures, and proposed eliminating or modifying the requirement for public companies to disclose the number of shareholders of record.

Read Nasdaq’s Comment Letter >>
Nasdaq Responds to 2017 ISS Policy Survey
Identification Number: 1252
Publication Date: August 30, 2016

In its response to the 2017 Institutional Shareholder Services Inc. (ISS) Policy Survey, Nasdaq urged ISS to keep several general principles in mind, including that “one-size-fits-all” policies and bright-line standards may not be appropriate for all companies. Instead, companies should be allowed flexibility depending on their industry, size, strategy and other factors. In addition, Nasdaq discouraged ISS from applying policies that punish companies for provisions that were implemented before the company went public, understanding that investors are free to choose to invest or not to invest when a company goes public. Nasdaq also reiterated its concerns about the lack of transparency and inflexibility around ISS’ processes, suggesting that ISS give greater weight to comments from companies in policy formulation and allow companies an opportunity to respond to draft reports, among other things.

Read Nasdaq's Response >>

Designing Effective Board Evaluations
Identification Number: 1249
Publication Date: August 26, 2016

A recent white paper entitled Optimizing Board Evaluations, co-authored by Nasdaq’s Blake Stephenson and Simpson Thacher & Bartlett LLP, examines board evaluations, noting they are an integral part of today’s corporate governance procedures, and when carried out properly, can help increase overall board effectiveness. The whitepaper describes several common types of board evaluations and formats and highlights various considerations for companies to keep in mind to help determine the optimal evaluation method for a specific board. The guide also provides insights into several key topics that each board evaluation should address.

Link to Optimizing Board Evaluations Whitepaper >>
Nasdaq Announces Extended Life Order
Identification Number: 1247
Publication Date: August 18, 2016

Nasdaq recently announced plans to adopt an Extended Life Order, which is intended to foster long-term liquidity and benefit investors who are willing to commit liquidity for a minimum time period. Extended Life Orders cannot be amended or cancelled for a minimum fixed resting time. In exchange, these orders will receive priority over other orders entered at the same price, which is expected to appeal to long-term investors. Nasdaq’s proposal is subject to SEC approval.

Hear Nasdaq CEO Bob Greifeld discuss this new order type >>
Business Roundtable Updates “Principles of Corporate Governance”
Identification Number: 1246
Publication Date: August 17, 2016

Business Roundtable recently updated its “Principles of Corporate Governance,” promoting the highest standards of effective and ethical corporate governance for US companies. The Principles are intended to guide companies in developing certain structures, practices, and processes appropriate for various circumstances and needs. The updated Principles focus on shareholder engagement through maintaining effective investor relations and shareholder influence on board and management decision making, boardroom diversity through creating boards with diverse backgrounds and experience to strengthen performance and help drive long-term economic value, in addition to emphasizing cybersecurity in order to build company resiliency to various business and operational risks.

Read more from Business Roundtable here >>
Cyber Insurance: How to Find the Right Policy
Identification Number: 1240
Publication Date: August 2, 2016

In this third in a series of articles, cybersecurity expert John Reed Stark offers tips for navigating the complex cyber insurance marketplace.

A near certainty for public and private corporations is that, at some point, they will be subject to a cyber-attack. And what is indisputable is that cyber-attacks are almost always extraordinarily complicated and will require a host of costly responses. So it seems that for today’s risk-averse companies, the best way to gain insight into the question of cyber insurance is not only by understanding the growing and complicated hazard of cyber-attacks, but also by obtaining a stand-alone cyber insurance policy that contemplates carefully the workflow that typically occurs during their aftermath.

How to Find the Right Policy. Traditionally, purchasing insurance coverage begins with a policy review, a risk breakdown and a range of other risk-related analytics. However, when contemplating a cyber insurance policy, companies should initiate more of a “reverse-gap” approach toward that calculus, analyzing and scrutinizing the typical cyber-incident response workflow that follows most cyber-attacks.

By analyzing and revisiting the realities and economics of this workflow, a company can then collaborate with its insurance sales representatives and originators to allocate risk responsibly and determine, before any cyber-attack occurs, which workflow costs will trigger coverage; which workflow costs will be outside of coverage; and which workflow costs might be uninsurable.

It also is crucial that companies conduct the necessary due diligence to be sure that their cyber insurance carrier has a good claims-paying and claims-handling history and has a proven record of rapid and supportive response. When a cyber-attack occurs, too often there are doubts as to coverage, which can affect incident response.

Cyber insurance policies also can differ dramatically in their goals and objectives. For example, some policies are designed to cover HIPAA and PCI violations, as well as other regulatory noncompliance, while other policies are geared more for direct financial losses due to wire transfer fraud. For instance, if a company manages trust accounts on behalf of customers, the company likely will require insurance coverage for direct cash losses in the event of a network intrusion that results in the unlawful transfer of funds.

Cyber insurance policy premiums are “not one size fits all”, as premiums are factored on a company’s industry, services, data risks and exposures, computer and network security, privacy policies and procedures and annual gross revenue. At present, there are 70 or so insurance carriers writing cyber insurance policies, and nearly all of those policies are issued on a surplus lines basis with potentially significant differences in policy wording from one cyber policy to the next.

Watch Out for Exclusions. Just like traditional insurance policies, cyber insurance policies can contain a broad range of potentially troubling exclusions. Agreement on the wording and scope is a critical aspect of the negotiation process. Given the dearth of case law on cyber insurance exclusions, policyholders unfortunately lack the benefit of precedent when assessing the boundaries of coverage. Some examples of cyber insurance battleground issues concerning exclusions for significant expenses are:

  1. Failure to Follow Minimum Required Practices. The first question after any data breach, posed by many interested constituencies (including customers, partners, employees, regulators and class action attorneys), is whether the cyber-attack occurred because of some sort of cybersecurity failure. However, despite the popularity of the Framework for Improving Critical Infrastructure Cybersecurity, released by the National Institute of Standards and Technology (NIST), no codified or judicially concocted cybersecurity standard exists. Hence, the adequacy of a company’s cybersecurity defenses is always a subjective determination and often involves “looking back” to cybersecurity technology used by a company at the time of the actual breach and assessing its adequacy. This sort of second-guessing and 20-20 hindsight can provide useful fodder for insurance companies seeking to avoid paying a claim. Along these lines, when a policyholder fails to “continuously implement” the security procedures and risk controls that it identified in its insurance application, an insurance company may argue the triggering of a “reps and warranties” exclusion.
  2. Act of War/Terrorism. Many cyber insurance policies contain exclusions for terrorism, “hostilities (whether war is declared or not)” and claims arising from “acts of foreign enemies.” In a car insurance or homeowner policy, an exclusion for acts of terror or foreign enemies may not seem important – or even relevant to any decision. But for cyber risk policies, these exclusions could pose a real problem. After discovery of a cyber-attack, digital forensic specialists and malware reverse engineers often will be asked to theorize as to the identity of a particular perpetrator of a cyber-attack, or even to construct a profile of the intruder. Sometimes, among the fragments, remnants and artifacts found in a laptop or server (including within deleted recoverable files, unallocated and slack space or the boot sector), evidence may point to a particular attacker or “cyber-gang,” and a data security incident may be deemed an act of state-sponsored terrorism. But these conclusions can be speculative and are only as good as the reputation and experience of the incident response team. Nonetheless, if, for example, a digital forensic specialist labels an APT attack as an act of terror, such labeling could trigger an “act of terror” exclusion. This question may be especially germane if the policyholder is in a key infrastructure industry, defense industry or technology sector.
  3. Third-Party Acts or Omissions. The third-party vendor sector has become one of the more prevalent attack vectors in recent cyber-attacks, yet some cyber policies might not cover acts and omissions by third parties or data in the custody of third parties. Nowadays, cyber-attacks also often result in disputes as to the culpability for an attack, with vendors and companies each pointing the finger at one another for their perceived respective cybersecurity failures. When a dispute arises between a company and its vendor with respect to culpability for a cyber-attack, an insurance company may wait until the dispute is resolved, because the outcome could trigger a “third-party act or omission” exclusion.
  4. Unauthorized Collection of Customer Data. Some cyber insurance policies contain exclusions for losses related to data collections, which were not authorized. Policyholders that gather information for consumer transactions, marketing purposes or as part of their core business model must gauge how an insurance company might use an exclusion for unauthorized collection to evade insurance coverage for a data security breach claim, especially if the policyholder is not meticulous about what data it collects; where data is warehoused; and how data is transferred.
  5. Retroactive Dates. Many policies include some sort of “retroactive date,” which disclaims coverage for claims or loss in connection with breaches that occur prior to that date. However, when a company discovers a breach or is notified about a breach (e.g. by the U.S. Air Force or FBI, which is very often the case), the company often then discovers that the breach originally occurred long before (months, sometimes even years). If the retroactive date is relatively recent in time (perhaps even the date of policy inception), there is a risk of losing coverage for earlier-occurring breaches. Policyholders should carefully evaluate retroactive coverage options pertaining to undiscovered breaches occurring earlier in time.

Documentation. Given that cyber insurance is only in its infancy, claims against such policies will have a higher rate of litigation than other more established insurance products. Thus, when a cyber-attack victim company has its first conference call with its insurance company adjuster, the adjuster might also add the insurance company’s litigator to the meeting. The litigator undoubtedly will follow up the call by sending a detailed letter of inquiry to the victim company, which will be more akin to a lengthy and comprehensive litigation discovery demand, rather than a simple request for information.

Whatever the type of cyber insurance held by a victim company, insurance adjusters will scrutinize all invoices pertaining to the data breach response workflow, requiring briefings and documentation regarding all investigative efforts. Along these lines, communication lines also should be established where a professional on the incident response team, preferably counsel, maintains carefully written documentation of all the response efforts. This helps later on when gathering the “documentation package” to present when seeking insurance reimbursement for the costs of the breach.

Digital Forensic “Panels”. When negotiating for cyber insurance, some insurance policies will seek provisions mandating use of a specific “panel of digital forensic experts” (even if the victim company already has a prior existing relationship with a particular digital forensic firm). Companies should check carefully on the existence of that kind of provision; much like choosing one’s own surgeon for a heart procedure, a company will want freedom of choice when it comes to selecting a digital forensics/data breach response firm.

Final Thoughts. To get the most out of cyber coverage, companies should work closely with their brokers, their insurers, their outside counsel and their own internal experts and executives to fully understand their particular cyber risks. For now, the most effective cyber insurance policies are bespoke, and given the rapidly evolving nature of cyber-attacks, will continue to require custom-tailored fitting for quite some time.

Just like other kinds of insurance, cyber coverage by itself will rarely be enough to make a company whole after a cyber-attack, but it can provide critical financial resources. Moreover, when coupled with a thoughtful and diligent incident response, a sound cyber insurance policy can send a powerful message of strong business acumen; fierce customer dedication; and steadfast corporate governance, demonstrating profound expertise to the marketplace, shareholders, regulators and the many other interested corporate stakeholders.

Read the first article in this series: Cyber Defense in the Boardroom: Leveraging the Financial Oversight Paradigm >>

Read the second article in this series: Cyber Insurance: Why Your Company Needs It >>

***
John Reed Stark is President of John Reed Stark Consulting LLC, a data breach response and digital compliance firm.  Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement.  He also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of a global data breach response firm, including three years heading its Washington, D.C. office.  Mr. Stark is the author of, "The Cybersecurity Due Diligence Handbook," available as an eBook on Amazon, iBooks and other booksellers.

Cyber Insurance: Why Your Company Needs It
Identification Number: 1231
Publication Date: July 8, 2016

In this second in a series of articles, cybersecurity expert John Reed Stark explains the necessity for stand-alone cyber policies.

The time is now for stand-alone cyber insurance.  The tensions between traditional insurance policies and data breach coverage have prompted the dawning of a new era of stand-alone “cyber insurance.” And this new era has only just begun. Global insurance broker Marsh LLC recently reported a 27% increase of stand-alone cyber insurance purchases by its U.S.-based clients in 2015, continuing a pattern of strong growth while PricewaterhouseCoopers estimates that annual gross written premiums for cyber insurance will increase from about $2.5 billion in 2015 to about $7.5 billion by the end of the decade.

Clearly, stand-alone cyber insurance will become yet another basic element of a company’s insurance coverage, just as property insurance and health insurance are.  Many companies might even find their customers demanding the carrying of cyber insurance as a matter of good business practice.  Here are three important reasons why:

  1. Professional liability insurance, business interruption insurance, general liability insurance and property insurance might not cover many of the costs associated with cyber-attacks. Unfortunately, companies are finding that their professional liability insurance, general liability insurance and property insurance might not cover many of the costs associated with cyber-attacks. Despite at least one recent victory for the insured, embryonic case law (with very little appellate level authority) concerning insurance and data security incidents remains all over the map and evidences the uncertainty as to exactly what cyber-related incidents are covered by traditional insurance policies. Factors depend on the nature of the breach, the relationship of the parties, the type of the information at issue (such as personal information, intellectual property, trade secrets, and emails), the precise form of the operative policy and, if related to third-party liability claims, the allegations asserted and the type of damages sought.
  2. Companies that maintain cyber insurance may have the best cyber security policies and practices.  Before obtaining cyber insurance coverage, a company typically undergoes a fairly rigorous underwriting process.  Just as the physical exam typically required by insurance companies before issuing life insurance can prompt better personal wellness practices, a cyber insurance exam can prompt better company cybersecurity wellness.  Relatedly, while it has been suggested that having insurance encourages companies to slack off on security, some research suggests the opposite, i.e., that those companies with good cybersecurity practices are more likely to purchase insurance. 
  3. Companies falling victim to a cyber-attack should not expect any assistance or even compassion from the government.  In fact, companies should expect quite the opposite for several reasons:

    • First, the U.S. government is overwhelmed with protecting the nation’s own infrastructure and does not have a SWAT or other rescue team standing by to assist U.S. companies after a cyber-attack;
    • Second, while it may seem counterintuitive, state and federal agencies often pursue cyber-attack victims not with a helping hand, but instead with subpoenas, enforcement actions and an onslaught of lawsuits.  Furthermore, state privacy statutory regimes and a growing range of federal agencies each wield their own unique set of rules, regulations, statutes and enforcement tools; and
    • Third, the public’s (and Congress’) perception of cyber-attack victims has sadly become not one of understanding or empathy, but rather one of suspicion, skepticism and even vilification.

The Increasing Cost of Data Breaches.  Given the rising costs of data breaches, the growth of the cyber insurance market is not surprising.  Two separate recent studies by the Ponemon Institute and Deloitte Advisory found traditional data breach costs are on the rise; at the same time the hidden costs of data breaches also are proving to be far more expensive than anyone has predicted.

The annual Ponemon Cost of Data Breach 2016 report establishes benchmark statistics that show significant cost increases. Specifically, the comprehensive study found that the average cost of breaches at organizations has jumped past $4 million per incident, a 29% increase since 2013 and a 5% increase since 2015.

Meanwhile, Deloitte Advisory services recently found that damages sustained from a cyber-attack could be much higher than those outlined by Ponemon and present themselves many years after the breach.  Deloitte's report, “Beneath the Surface of a Cyber-attack,” showed that in addition to the well-known costs like breach notification, post-breach protection and technical investigations, hidden costs also present themselves (such as insurance premium increases, increased cost to raise debt and devaluation of trade name).

Deloitte estimates that known costs may account for less than 5% of total business impact.  In one composite model, Deloitte found that cyber-attack costs to a health care company amounted to $1.6 billion due to a significant breach of patient records, with only 3.5% of those costs coming in the form of “above the surface” costs.  The costs under the surface can ripple outward, including temporary or even permanent brand reputation and damage; loss of productivity; extended management drag (especially due to class action lawsuits); and a negative impact on employee morale and overall business performance.

The Wild, Wild West. Though Jimmy Durante could insure his nose ($50,000); Julia Roberts can insure her smile ($30 million); and Bruce Springsteen can insure his vocal cords ($6 million), it can be far more challenging for public and private companies hoping to insure themselves against the considerable and far-reaching breadth of a cyber-attack. In short, given the litany of uncertainties and what some insurance professionals have referred to as the “actuarially immeasurable” results of cyber-attacks, the market for insuring against cyber-attacks is the Wild, Wild West, replete with high premiums, low coverage, broad exclusions and scant legal precedent.

For starters, though the market for cyber insurance continues to evolve and grow dramatically, no form of standardized cyber insurance policy language has yet materialized.  The cyber insurance market is flying completely blind.  There is no proven road map for analysis; no archive of empirical statistically significant data; and no quantification algorithm for calculating cyber-attack risk.  Thus, the actuarial challenges of predicting/gauging both the probability and the impact of a cyber-attack make it difficult to match a cyber insurance policy with the unique risk profiles of today’s global and technologically erudite companies.  Not only do insurance analysts face difficulties, but so do the most experienced companies.

Meanwhile, the complexity, sophistication and variety of a new wave of cyber-attacks continue to swell.  So-called “hacking” is dying from the cyber lexicon along with the historically simplistic and naïve image of mischievous teenagers wreaking havoc from a server in their parents’ basement.  What has appropriated these now-antiquated notions are a litany of new-fangled cyber-attack root causes with dramatically expanding attack vectors, including: denial of service assaults; malware intrusions; advanced persistent threat (or “APT”) terrorist acts; rogue employee and “bad leaver” episodes; social media exploits; mobile device attacks; ransomware demands; cloud computing infiltrations; and human error events.

How can an insurance company possibly organize and mitigate such a dynamic and ever-changing array of risks into a cohesive, logical and effective cyber insurance policy? Gauging a company’s security posture has turned out to be a much more manifold endeavor than anything the insurance industry has mastered before, such as assessing human life expectancy or driving records.  Even the U.S. Department of Homeland Security officially has acknowledged that the cyber insurance market remains confusing for most companies and can be overlooked for all of the wrong reasons, stating in a recent report:

“Cybersecurity insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage.  A robust cybersecurity insurance market could help reduce the number of successful cyber-attacks by: (1) promoting the adoption of preventative measures in return for more coverage; and (2) encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection.  Many companies forego available policies, however, citing as rationales the perceived high cost of those policies, confusion about what they cover, and uncertainty that their organizations will suffer a cyber attack.”

Convinced your company needs cyber insurance? In our next article in the series, John will offer tips for navigating the complex cyber insurance marketplace.

Read the first article in this series: Cyber Defense in the Boardroom: Leveraging the Financial Oversight Paradigm >>

***
John Reed Stark is President of John Reed Stark Consulting LLC, a data breach response and digital compliance firm.  Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement.  He also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of a global data breach response firm, including three years heading its Washington, D.C. office.  Mr. Stark is the author of, "The Cybersecurity Due Diligence Handbook," available as an eBook on Amazon, iBooks and other booksellers.

The Latest on Proxy Access
Identification Number: 1213
Publication Date: June 29, 2016

Proxy access continues to be a hot topic, so it was no surprise that the panel discussion on proxy access at this year’s Society of Corporate Secretaries & Governance Professionals’ National Conference was standing room only. The panel was moderated by Ning Chui from Davis Polk, alongside Scott Zdrazil from the New York City Comptroller’s Office, James Theisen of Union Pacific Corporation, and Glenn Booraem of Vanguard. The bottom line, according to the panel, is that while no one expects proxy access to be used very often, they see it as having value to shareholders simply by virtue of its very existence, making boards more responsive to issues important to shareholders.

According to Davis Polk, more than 240 companies adopted proxy access bylaw provisions as of June 1st, many doing so voluntarily to avoid a shareholder vote.

The “Four Pillars” of Proxy Access
  • Ownership Threshold. 95% of companies adopted a 3% threshold.
  • Holding Period. 100% of companies use a three-year minimum holding period.
  • Maximum number of proxy access nominees. 85% of companies provide for 20% of board seats while the remaining 15% of companies provide for 25% of board seats.
  • Group Limit. 90% of companies adopted a group limit of 20 shareholders that can aggregate holdings to meet the ownership threshold.

Other New & Noteworthy Numbers
  • 80% of companies require disclosure only of third-party compensation arrangements and do not impose prohibitions on compensation arrangements.

    In March, Nasdaq filed a proposal with the SEC to require Nasdaq-listed companies to publicly disclose payments by third parties to any nominee for director or sitting director in connection with their candidacy for or service on a board of directors. The Proposal to Require Listed Companies to Publicly Disclose Compensation is posted on the SEC’s website and Nasdaq expects SEC action on this proposal in July.
  • 75% of companies set the deadline for submitting a nomination for a proxy access nominee as 120 to 150 days before the anniversary of the mailing date of the prior year’s proxy statement.
  • 60% of companies limit re-nominations when a proxy access nominee withdraws or fails to receive 25% of the votes.
All data was provided by Davis Polk and is as of June 1, 2016. Also worth checking out: Council of Institutional Investors Best Practice Guidelines.
Hidden Director Conflicts Should Be Disclosed to Investors by Edward Knight
Identification Number: 1214
Publication Date: June 16, 2016

This article was originally published by Institutional Investor on June 16, 2016.
 
Shareholder campaigns aimed at radically reshaping corporate policy and governance — and extracting short-term profits at the expense of long-term value creation — are once again in the news. Many think they are a recent phenomenon. But that’s not the case.

In 1986 vaunted management consultant Peter Drucker lambasted short-termism in an editorial in the Wall Street Journal, declaring, “Everyone who has worked with American managements can testify that the need to satisfy the pension fund manager’s quest for higher earnings next quarter, together with the panicky fear of the raider, constantly pushes top managements toward decisions they know to be costly, if not suicidal, mistakes.”

And the evidence today — the intense focus on quarterly earnings, diminishing capital investment by U.S. corporations, shrinking CEO tenure and, according to Ana Avramovic, director of trading strategy at Credit Suisse in New York, falling average holding period for shareholders to 17 weeks, among other things — continues to demonstrate a push toward decisions that can be costly for shareholders.

This situation is potentially calamitous. Short-termism, often driven by activists, can have grave implications for corporations, for our economy and sometimes for society overall. Innovation, discovery and hiring are curtailed when R&D projects are put on hold or canceled because of short-term pressures. Halted development undermines long-term U.S. competitiveness, to say nothing of potentially postponing lifesaving medicines or cutting-edge technologies from reaching the public. Short-termism also leads to mispricing, misallocation of assets and a lack of reliable information about long-term prospects. But because activists are shareholders, this dynamic puts corporate leadership in a bind. Nobody will disagree that a diverse pool of investors is a goal of any business and that none should be turned away.

Some activist groups today do claim they are in it for the long haul, bringing ideas, questions and concerns to the attention of corporate boards and management, which is an essential part of any healthy relationship between a company and its shareholders. Beyond this engagement by some, however, a movement is afoot in which some board members are paid directly by activist investors, often based on benchmarks such as an increase in share price over a fixed term.

This relation is the case with two directors on Dow Chemical Co.’s board who have a special compensation arrangement with hedge fund firm Third Point, which agreed to pay them stock appreciation rights that increase in value as Dow stock increases in price. At the very least, it is unclear how this director incentive-compensation arrangement does not establish an explicit obligation to Third Point at the expense of other shareholders, lead to conflicts on the board that skew the alignment of interests with shareholders and undercut the fundamental board responsibility to oversee management in the best interests of all shareholders. The question also arises as to whether these payments incentivize risky behavior by the very body that is responsible for ensuring that executive compensation does not do so.

So, in view of such an arrangement, how do we help ensure the healthy functioning of boards without compromising the role of shareholders?

We believe one way is to require transparency around these special compensation arrangements. Full disclosure would shed light on the conflicts of interest generated by these arrangements, steer the focus away from short-term results and benefit investors by providing information useful for their investment and voting decisions.

That’s why, earlier this year, Nasdaq filed a proposal with the Securities and Exchange Commission that calls for Nasdaq-listed companies to disclose “all agreements and arrangements between any director or nominee and any person or entity ... that provide for compensation or other payment in connection with that person’s candidacy or service as a director.” Where disclosure is required, the public company would need to identify the parties and material terms of the agreement or arrangement. This proposal is simple to enact, practical and in the best interests of shareholders and corporations alike.

Activist investors have woven themselves into the fabric of corporate dynamics, with mixed results. They do have a positive and important role to play. Boards and management must be challenged by shareholders so they can continue to develop better companies. Drucker recognized this dynamic when he wrote that the manager’s job is to “keep his nose to the grindstone while lifting his eyes to the hills.”

One way to strengthen the healthy symbiosis of checks and balances between corporate leadership and shareholders is to disclose third-party payments to board members. This openness would have a mutually beneficial long-term focus. If these hidden conflicts of interest are brought into the light, we can keep our eyes on the hills and write a chapter in our capitalist story that takes a positive turn.
Publication Date: June 16, 2016 (Identification Number 1214)
How to Increase Your Press Release's Visibility
Identification Number: 1217
Publication Date: June 3, 2016

A well-optimized press release can increase your company's visibility, help you attract media interest and analyst coverage, and make a positive impact on your search engine rankings. Nasdaq teamed with the SEO experts at Acronym to develop The Ultimate Guide to Press Release SEO: 2016 EDITION, which provides tips on how to increase the visibility of your news releases on Google and other search engines.

This guide teaches how to optimize releases for increased visibility on Google; strategically structure headlines, keywords and links; and write like a journalist for maximum exposure. Dos and Don’ts from the guide include:

DO:

  • Identify your audience to create relevant keyword categories, which should describe what that audience wants to learn from your release.
  • Use short headlines (25-55 characters) that feature your most highly targeted keywords.
  • Use compelling, relevant images in your release that are at least 60 pixels by 90 pixels.
DON'T:

  • Shoehorn as many keywords as possible into your piece at the expense of clarity or brevity.
  • Spend your energy trying to rank for generic, extremely popular keywords (e.g., technology).
  • Use superlatives like “one-of-a-kind” or “groundbreaking.”
Keys to Maximizing Your Shareholder Relations Team
Identification Number: 1203
Publication Date: May 26, 2016

In a recent episode of "Inside America's Boardrooms," Nasdaq’s Corporate Secretary, Joan Conley, and head of Investor Relations, Ed Ditmire, discuss the importance of good relationships with board members and support teams, and provide insight into how shareholders can ensure there is a culture of good governance.

Report Examines the Use of Social Media by S&P 1500 Companies for Investor Communications
Identification Number: 1204
Publication Date: May 23, 2016

As part of its Director Notes series, The Conference Board looked at how S&P 1500 companies use social media to disseminate financial information. The authors state that “while social media is generally viewed as an opportunity to improve investor communications … investor communications via social media could also result in the company not retaining full control over its financial communications.” The report considers trends in social media utilization as well as market responses to this type of dissemination.

Cyber Defense in the Boardroom: Leveraging the Financial Oversight Paradigm
Identification Number: 1220
Publication Date: May 11, 2016

Cyber security expert John Reed Stark recently shared with us guidance on managing corporate cyber risk. In this first in a series of articles on cyber security, John shares his philosophy on structuring effective cyber risk oversight in the board room.

Hardly a day goes by in legal and consultant circles when some expert somewhere is not opining on the need for corporate boards to bring a greater sense of urgency to address the growing business risk of cyber-attacks. Yet, even the most experienced commentators are underestimating the threat of cyber-attacks, and—even more importantly—overlooking a glaring history lesson that sits in plain view of public companies.

What is this conspicuous history lesson? Boards of directors formulating their cybersecurity oversight should look no further than the current board oversight paradigm for financial accounting and reporting. Boards should put in place the same governance procedures to oversee a corporation’s cybersecurity wellness that have proven effective and sufficiently flexible to assess and validate financial statement accuracy and reliability.

As cyber-attacks continue to proliferate, more and more corporate boards will come to realize that cybersecurity risks now actually trump financial accounting risks – and not just because technology and networks touch every aspect of an enterprise. The nature, extent and potential adverse impacts of these risks demand a proportionate response.

Consider the history of board oversight of financial accounting: as it became clear that corporate insiders were capable of misconduct, active oversight and independent supervision of financial controls and governance structures evolved in response, reducing the risk of financial fraud, fiscal misstatements and management malfeasance. Along those lines, the efficacy of independent auditors, audit committees and management certifications in deterring and minimizing such insider misconduct became widely understood and embraced.

Cyber threats, however, can originate from both inside and outside corporate walls, producing a much broader risk profile that requires at least equivalent, if not greater, board attention and focus. Indeed, compared with the risks of internal financial malfeasance, deceit or neglect, a cyber-attack can be far more severe in scope, far broader in reach and far less predictable.

For instance, after suffering a cyber-attack, a corporation must bear more than the substantial regulatory and litigation costs associated with potential privacy violations. Cyber-attacks involving the theft of intellectual property can result in a company’s immediate or even permanent loss of revenue and reputation; cyber-attacks involving denial of service (such as a website being taken down by attackers) can disrupt or permanently diminish consumer or customer confidence; cyber-attacks involving exfiltration of private company emails can have a tumultuous impact on senior management and create an international uproar; cyber-attacks involving destruction of technological infrastructure or damage to the integrity of a company’s data can require massive and costly remediation; cyber-attacks involving the theft of (and subsequent trading on) confidential information can damage the integrity of a company’s stock price and disrupt financial markets…and the list goes on.

Notwithstanding these potentially grave consequences; notwithstanding the fact that most experts now view cyber-attacks to be inevitable; and notwithstanding the pervasive nature of the risk, most corporate boards fail to allocate to cybersecurity the same level of oversight routinely afforded to the area of financial reporting.

This needs to change.

Just as occurred in the financial accounting realm, old and stale governance models must be modified and enhanced to address the very real, difficult to control and ever increasing enterprise threat of cyber-attacks. In practical terms, this means that, just as it does for financial reporting, every corporate board should:
  • Create a cybersecurity committee (just like its audit committee);
  • Engage an independent cybersecurity firm to conduct an annual cybersecurity audit (just like an independent accounting firm conducts and signs off on an annual financial audit); and
  • Add cybersecurity expertise and knowledge to the board (sitting right beside the board’s accounting and financial expert).
Following this recommendation will improve overall enterprise risk identification and management of cyber-related challenges and threats -- and fulfill the most fundamental duty of care that every director owes to the corporation, its shareholders and other stakeholders.

Historically, when it comes to their CFOs and the financial reporting function, the successful board paradigm has been one of vigorous and independent supervision, requiring the participation of independent third parties. The same should go for CTOs, CIOs and CISOs, and the maxim of trust but verify should be equally operative in both contexts.

Board members may soon have little choice but to take these steps, not merely to protect their companies but also to protect themselves. Given the current D&O litigation landscape relating to cybersecurity issues, cybersecurity breaches not only create regulatory and other legal liability for corporations but can also create personal liability for directors. For their failure to oversee cybersecurity with the requisite level of care amid the growing corporate risk of cyber-attacks, boards may be sued or reported by a whistleblower.

Boards should also understand that, as with financial accounting failures, a cyber-attack that is handled correctly and appropriately not only strengthens a corporation’s infrastructure but also reinforces strong business ethics, fierce customer dedication and steadfast corporate governance.

There is a terrific scene in Ron Howard’s 1995 film Apollo 13 that demonstrates this notion of successful failure brilliantly. The film, set in 1970, shows the trials of the Apollo 13 crew, mission control and their families after a near-fatal in-space accident cripples the spacecraft. NASA must devise a strategy to return Apollo 13 to Earth safely, the ultimate crisis management situation. Just before the most intense moment, when it remains unclear whether the astronauts will survive their desperate re-entry, several senior NASA officials and a spokesman are mulling over the impact of the accident. One of them states, “I know what the problems are. This could be the worst disaster NASA's ever experienced.” Ed Harris, playing Gene Kranz, the famed Apollo 13 flight director, overhears the misguided discussion and interrupts them, firmly declaring, “With all due respect, sir, I believe this is gonna be our finest hour.” It is a scene any corporate board member would find particularly compelling.

For boards contemplating their cybersecurity oversight, there is no need to reinvent the wheel. History provides an authoritative guide. By leveraging financial accounting governance lessons acquired over the past 70 years, and elevating cybersecurity oversight to the top of the risk food chain, boards can better protect their corporations from cyber-adversaries, better carry out their fiduciary responsibilities – and establish a leadership position in managing the emerging and dynamic risk of cyber-attacks.

***
John Reed Stark, President of John Reed Stark Consulting LLC, served for 15 years as an SEC enforcement attorney leading cyber-related projects, investigations and enforcement actions. He served for 11 years as Founder and Chief of the SEC Office of Internet Enforcement and for 15 years as an Adjunct Professor at Georgetown University Law School teaching a law and technology course.
Nasdaq Talks to . . . Professor Charles Elson About Making Lemonade from the Pay Ratio Lemon and Other Governance Topics
Identification Number: 1184
Publication Date: May 3, 2016

We recently spoke with Charles Elson, a leading authority on governance, about how companies have adapted to Dodd-Frank executive compensation mandates, his concerns about proxy access, and why third party payments to directors for board service are a bad idea. Excerpts from our conversation follow.

Q: What do you think of pay for performance, pay ratio and other Dodd-Frank measures that pertain to executive compensation?

A: Who can object to pay for performance?

At first, I was against the shareholder vote for compensation issues because I thought that it would unnecessarily inject shareholders into the process. It seemed that if shareholders did not agree with a board’s compensation actions, they could just vote against the compensation committee. However, it turned out a lot better than I thought because it forced boards to engage with shareholders a lot more than they had before.

I do not think they’re delegating to shareholders the decision making, but they’re being a lot more careful as they make their decisions. I think they’re listening. So I think that was a pretty good one.

The pay ratio is an odd one. I did not support it. No institutional investor I know supported it because it was considered an irrelevant number. It came from the labor movement, which was determined to embarrass companies to force rethinking of executives’ pay. In that regard, they succeeded. And it’s going to go through and that’s that. Now, in making lemonade out of lemons, I think it’s not such a bad thing.

Historically, CEO pay was based on the peer group. In other words, when CEOs are paid, you look externally to determine the pay rather than internally. You look at peer CEOs and you typically peg the pay at the 50th percentile or higher. This leads to the potential manipulation of your peers – you want bigger peers or better compensated peers to elevate your own pay. It also basically ratchets pay up every year because no one will pay below median. If you pay below median, you’re signaling that there is something wrong with your CEO; the issue isn’t pay, you need to get rid of the person.

So what we’ve got is a system that escalates pay without regard to CEO performance because companies always want to pay 50th percentile and higher. If another CEO in your peer group has a good year, you will leapfrog forward based on their efforts. It’s a bad system.

Now, what does that have to do with pay ratio? Actually, a lot because what has happened is it has created this huge disconnect: the difference between CEO’s pay and everybody else’s pay. That’s why we have the big numbers.

So what will happen? The embarrassment factor is really not going to affect shareholders because shareholders don’t care, but it’s going to affect the rank and file. Most people that read the proxy statement’s compensation disclosure and analysis section are the employees of a company.

When employees see these numbers, they’re going to be horrified. It’s going to create for the board a real problem of morale in the organization. I think that this will force companies to move away from the peer group comparison and back to internal methods.

Now the counter to that is that we go with the peer group comparison because CEOs can easily move to peers, right? The answer to that is “no.” The academic paper that I did with Craig Ferrere looked empirically at CEO moves.1 We discovered that in 15 years with a pool of 1,500 companies, there were only approximately 27 lateral moves. In other words, nobody moves. CEO skills are more company specific than you think.

If that’s true, the intellectual justification for the peer group comparison disappears. The problems it creates, the leapfrogging and the manipulated peers remain, and there’s no benefit. And with this pay ratio measure, it’s going to be even worse because people are going to get angry. So the solution is moving to an internal model where CEO pay is constructed on the basis of how you pay within the organization, using the same philosophy. If your number is large, then it’s explainable. It’s large because of the steps that were taken to connect the CEO’s pay to the organization’s internal pay philosophy and structure.

Ultimately, from the “lemon” pay equity rule – which is going to be kind of ugly – we can make the “lemonade” of internally based compensation, which ultimately makes for more effective compensation.

Q: So, remove the “arms race” from the equation?

A: Absolutely right. Get rid of the arms race.

Q: How do you think public companies have adapted to these various new executive compensation rules so far?

A: I think they have done a pretty good job. The ideas of the independent compensation committee and separating the compensation consultant are really good ones. I welcome that. I think it’s a good thing.

However, I am not wild that we did it through regulation. But I think they’ve adapted pretty well.

The problem with a lot of these issues is that when you have it inspired through regulation, it creates a lot of boilerplate language since companies are trying to avoid liability.

One of the problems of the CD&A today is that it is supposedly more transparent but it frankly reads much more like a legal document. I think that this is a downside.

Ultimately, the way out of this is going to be independent directors on compensation committees that retain independent compensation consultants. These directors will have real skin in the game, if you will: equity in the company itself. These directors will design pay that is sensitive to the philosophy of the organization. They will use a heavy amount of equity in the compensation of the CEO to link the CEO’s long-term interests with the long-term interests of the company.

Q: What are your thoughts on the increased focus on board diversity?

A: I think it is a good idea; the broader the pool of people companies can pick from, the better the people they’re going to get. If companies are limited to a narrow pool, which was historically the problem, they missed a lot of talent. It is not a good idea to have a focus on diversity just because it is a requirement that you get diversity. You have to do what motivates you.

I believe in diversity in viewpoint, the diversity in geography, diversity in all kinds of ways. The key is for companies to cast the widest possible net because they will get the best possible people.

Again, I think there is a caution there in that if it is done to meet a regulatory requirement, I think companies will miss the point. Companies need to do it to create a better pool and better talent. A board that is diverse, made up of different experiences and different skill sets, does a much better job monitoring the CEO than a board that isn’t.

Q: Any other ideas in promoting long-term shareholders of a public company?

A: The key is long-term ownership on the part of the board and management. However, the stock that directors receive should be restricted; it needs to be held. Further, they should be strongly discouraged from selling while serving on a board.

The idea is that you are there for a while: buy the stock and keep it. Board members and the CEO shouldn’t sell it until they leave. That is the key to long-term value.

I’ve always thought this long-term/short-term thing is a little overplayed, because frankly the only way for someone with a short time horizon to make money is to sell the stock. Now when they sell the stock, someone who thinks there is value there has to buy. So either they’re hoodwinking that person, or maybe that person thinks there is long term value in their short term move. It’s sort of a funny argument, but the way to get out of that argument entirely is to force people to focus on the long term, which is ownership.

Q: What are your thoughts on proxy access?

A: I’m not a fan of it. I believe in open elections and the way to do it is through proxy reimbursement, not through access.

In Delaware, we have two regimes: access and reimbursement. I was the author of the reimbursement regime. I think it’s a better way of doing it.

Access is a good idea in the sense that it creates threats that open the process of director elections. It is a bad thing because it doesn’t ultimately answer the question of who pays for it.

Access reduces the cost a little bit by having the company put shareholder nominees on the company’s ballot. But that’s not entirely what makes up an election.

An election is expensive because companies need to solicit people which costs a lot of money; access does not solve that problem. It puts it off to another day.

Reimbursement says that if you win you get a seat on the board, they pay your expenses, reasonable expenses. If you lose, you don’t get paid. If you lose by a little bit, you get something back; in other words, flexible reimbursement. It allows the shareholders to decide the merit of your actions.

There are two problems with proxy access. First, companies pay whether there is merit to a proposal or not. Second, the filter that we put into place discriminates against small shareholders.

I believe in the small shareholder. Good opinions and good ideas come from all kinds of different places. If we stick with access, a small shareholder can’t participate. That’s depressing.

Reimbursement allows the small shareholder to participate and if they win by shareholder vote, they’re reimbursed. That is the better approach and I think ultimately, we’re going to end with reimbursement, at least in Delaware.

Q: What should public companies be thinking about in terms of sustainability?

A: Companies need to be sensitive to the issues, and sustainability is at the core of the board’s responsibilities. Boards are there to promote long-term value. Sustainability encourages long term success at the organization: sustainable growth and sustainable companies.

It’s interesting; this is the first time where the folks in the social side of the governance house have made a compelling argument linking sustainability with the long term viability of the organization. They’ve done a nice job of it.

We can get too wrapped up in sustainability as a “legal requirement.” You have to think about it as you think of a corporation’s long-term value.

We’re going to have a conference on sustainability at the University of Delaware this October. We’re going to be talking about a disclosure requirement on sustainability, how does it fit into Delaware law, how should it fit into investors’ profiles. That’s going to be this fall. It’s an important issue, otherwise we wouldn’t be dealing with it.

There is an obligation to think about sustainability. To disclose how you think about it, how you do it is a different story.

Q: What are your views on nonfinancial disclosure such as those related to sustainability? And what should boards be thinking about in this area?

A: I’m not very enthusiastic about legal or SEC obligations for these kinds of disclosure, because I think they create boilerplate language. Sustainability is part of the board’s long-term vision for the company. It is material and something the investors need to think about and be made aware of. Again, that’s a board’s determination.

If you make these types of disclosures a legal obligation, ultimately people are going to do it to avoid liability, which results in lousy boilerplate disclosure.

If sustainability is an important part of your consideration of the long term value of a company, you’ll let investors know. And I think good companies do that anyway.

Q: Do you have any general comments on how NASDAQ shareholder approval rules should be improved or updated?

A: I’m a big shareholder voting person. However, I’m also board centric.

I believe in the authority of the board – once they’re in office, it’s their job. But I believe in the viability and the robustness of the election process because a) it improves board accountability dramatically, and b) it’s critical that the owners exercise the ultimate authority over the organization.

It’s like the American people. Once you’re elected to Congress, you can do what you wish. Of course, you’re subject to an election every two years or six years. And if voters don’t like what you’ve done, they can replace you.

The election process is critical; frankly, it’s what the business judgment rule is all about. That’s because we legally defer to the directors because we know they’re ultimately accountable. But that depends on the election process. That being said, that is typically for director elections.

When it comes to fundamental corporate changes, you need to have a robust election process as well. Shareholder approval is important.

The board has the authority on day to day matters. The broader long term issues – capital allocation, raising equity and what not – a company would need to go to the shareholders for approval.

The rules sometimes leave a little wiggle room for companies to figure out ways to opt out of them. And I think clarification and preventing the “too clever by half” makes a lot of sense there. That would be my general comment.

Q: Finally, did we miss anything? Are there any other governance issues today that you think board should be considering?

A: Banker conflicts are very important. The disclosure on banker conflicts can really be stepped up a couple of notches. It’s not an issue that you’re hearing a lot about now. But I suspect it’s going to be an issue you hear about later: putting in place some limitation on the ability of conflicted bankers to inject themselves into a listed company’s operations. I think that’s something just to think about. I’m not proposing a rule. But I have a feeling that in Delaware it’s going to be an issue.

The issue of using peer group comparisons to determine CEO pay is an important one. I don’t know how the listing standards can be changed. But I do believe in moving companies away from use of the peer group. The peer group can be used as a rationality check, as opposed to th