The International SEC

Last week’s news carried an SEC press release recounting charges filed against a Florida stock promoter accused of defrauding investors.  The details were unremarkable and, for purposes of this post, unnecessary.  At the end of the release, as is typical, the SEC identifies the regulators behind the investigation.  Normally there are a few names of people and agencies.  In this case, proving that there is nowhere to hide in this world if you think you are too clever to be caught, here are the agencies cited as participating in that enforcement effort: the SEC; US Attorneys in Alabama, New Jersey, New York and Virginia; the US Department of Justice; the FBI; the US Postal Service; Homeland Security; the Alabama Securities Commission; FINRA; the Alberta Securities Commission; the British Columbia Securities Division; the Cayman Islands Monetary Authority; and regulatory commissions or agencies in Cyprus, Dubai, Guernsey, Hong Kong, Mauritius, Newfoundland, Singapore, Switzerland, the UAE and the UK.

This effort is both impressive and reassuring, but if you would like an unsettling counterpoint: why was the SEC unable to bring Bernie Madoff to ground for decades as he sat in the middle of New York doing everything in one place — even after receiving repeated tips and after visiting his office?

Public Director Role in Cyber Risk

SEC guidance to companies has been revised to further emphasize the need for more robust public company disclosure of cyber risks and costs, although many public companies now do have extensive, if predictable, disclosure sections.  And, in fact, directors would need to have been on Mars to miss the clear implications of Equifax and Yahoo.

The National Association of Corporate Directors proposed, in its last Weekend Reader sent to members, some granular specifics which bear emphasis: directors need to make certain that the executive team regularly examines incident response and prompt disclosure policies where shareholder value may be materially impacted; boards should insist on immediate notification of incidents to make sure that directors and management do not trade securities on that information; management must be directed to establish a risk identification regime, including identification of the risks absolutely to be avoided and those to be accepted; and staffing for mitigation needs to be identified and budgeted.  Boards also need to explore which risks should be insured against.

One might think this is all basic board blocking and tackling, but with so many public failures having occurred, perhaps not.  It also suggests that cyber needs to be on the agenda, at least for reiteration, for each board meeting, with an occasional deep dive.

It seems to me that a board committee specific to cyber, or a specific delegation to a separate Enterprise Risk Management Committee, makes sense for many boards as a minimum to avoid a Caremark-style claim against directors for total disregard of the duty to supervise.

The News About Human Nature

The Boston Business Journal recently reported remarks by Alasdair Roberts, Director of the School of Public Policy at UMass Amherst, that a sense of fragility is inherently part of humankind’s experience.  It is interesting that it should be reported in the press as if it were “news.”

Decrying the weakness of political institutions and the ugliness of international politics, the article notes that some people are escapists seeking to make our sense of frailty disappear.  There follows discussion of the themes of Graham Allison’s current book Destined for War (a study of history intended to illuminate the risk of war between the US and China), suggesting that realistic people have always seen the world as a dangerous place (Allison’s book deals only with conflicts between countries during the last five hundred years).

This cynical view of mankind is reinforced by Harari’s brilliant book Sapiens, which contends that humans are an incredibly dangerous and illogical species; for him, turbulence is a constant of the human condition.

Many believe that we live in a unique time bubble, which should be viewed as such.  Americans have avoided wars that have destroyed us, and many have wealth and health beyond historical understanding.  We have existed in a political shell that perhaps allowed us to ignore the truths of history and the defects of the present. Viewed from this vantage point, the idea in the Roberts article, that human existence is turbulent and fearful and should be experienced as such, would appear to be inaccurate.

The real news perhaps is this: if you are reading the Boston Business Journal, and if you have the money and time and focus to read Allison and Harari, you are one lucky Homo sapiens.  In the words of Hunter Thompson, buy a ticket and take the ride.

Online in Business? GDPR!

If you sell over the internet, what if I told you that the European Union’s GDPR may well cost you a fine of up to €20 million or 4% of your worldwide annual turnover, whichever is higher?

Absurd, but the EU’s General Data Protection Regulation is pretty clear.  Anyone, located anywhere, who uses, controls, solicits or possesses personal data of an EU person while offering goods or services to people in the EU can be pursued if they fail to protect that data from unauthorized disclosure or fail to honor the person’s right to have their personal information erased from the underlying data.

Simple example: US company Seller Co posts to the world wide web an offer to sell a widget for $10 plus shipping.  A potential customer emails in response and asks if the widget comes in red.  Or a potential customer emails an order for the widget.  If that customer is located in any EU country, you, the advertiser, must have a conforming data protection system or you can be sued here in the US even if no actual misuse of the data occurs.

The details of how this works are beyond the scope of this blog post, but note the general view that e-commerce companies and travel sites are covered, as they solicit personal data such as names, email addresses, or charge card information.  How can you prevent liability under the Regulation?

Hire a firm that will make sure that your e-commerce systems comply with EU Regulations.

If you do not provide a compliant system, your e-commerce site might state that no orders will be filled from EU countries.  Some websites are blocking IP addresses originating from the EU.  It seems that even if you state on your website that you will not accept EU business, if someone in the EU sends a reply containing personal information in spite of your warning and you actually look at that information (as you will, just by looking at the email address to see if it comes from the EU), then I am told that you have processed that information and are subject to the Regulation.  Erasing the data and not entering into a transaction seems not to protect you.

Now this seems illogical; we have no US cases yet; the Regulation does not even take effect for another couple of months.  Although the EU can declare, and has declared, unilaterally that it has authority over e-commerce companies located anywhere which simply post on the web, what a US court would do with an EU suit absent an express treaty promising enforcement is something for future lawyers to fight about.  Larger online companies are all over this issue, but for the small e-commerce business this is a “gotcha.”

Europeans have always been more concerned about data breaches by businesses; Americans are more sensitive to data incursions by governments.  But regardless of your sensitivity, the Regulation seems a massive over-reach.

George Washington and Tom Yawkey

Press reports advise us that the Red Sox are seeking to rename Yawkey Way, the street leading into the main entrance of Fenway Park, because of Tom Yawkey’s record of racial prejudice during his four-plus decades of team ownership.  (There is a subtext that the team is not seeking to erase the Morse code on the scoreboard spelling out the Yawkey initials, perhaps because the Park itself is on the National Register of Historic Places.)

Common knowledge has it that Yawkey was in fact guilty as charged.  As to that I cannot say, although the absence of patrons of color at Red Sox games is strongly suggestive as current residual evidence.  The entire issue of expunging evidence of history based on contemporary moral judgment is surely an interesting subject.  We have statues removed from Southern cities, team names being changed to delete demeaning references to Native Americans, awards and degrees being withdrawn by reason of past actions not being in conformance with current mores.

At the risk of being understood reflexively as defending the actions of those being expunged, I note that we are the people of our own history.  Perhaps some memories are more valuable if left on public display as a reminder.  Tom Yawkey is dead, he was an historical fixture in the City, he achieved what he achieved and failed where he failed, and he left a small fortune now being applied to public use through his family foundation.

What should we be thinking about George Washington, whose slave quarters have been startlingly restored at Mount Vernon?  Will our government soon be seated in a city renamed North Baltimore?  Francis Scott Key was a racist and not a good person; do we stop singing the Star Spangled Banner?  Let’s get Washington and Jefferson off those bills and coins while we’re at it.

How different is our selective approach to expunging evidence of our past from the universally disparaged new law in Poland banning verbal descriptions of “Polish” death camps?

Now there are arguments that certain historical indicia of past evil cause current pain, and I lack the ability or will to reject those arguments.  But there is something to be said for confronting our history, learning from it, being reminded by it.  Although the impetus for the naming of Yawkey Way, or of Washington DC, and the impetus for erecting the Holocaust Memorial near Boston City Hall were very different, why cannot all these named sites serve the same purpose?  A marker of the history of who we were is not the same as current advocacy for something evil.  Perhaps we are too concerned with creating what looks like a “safe space” and not enough concerned with understanding our nature as a species and as a nation….

California Bubbling?

“Hates California, it’s cold and it’s damp….”

Just back from a week in the San Francisco area, and while it was indeed cold (record-setting lows in the 30s) and while it was definitely not damp (the Rodgers and Hart lyric Sinatra sang was written before the current dry spell), the main thing is that the tech start-up economy is frothy in the extreme.  Below are some observations, with apologies for their anecdotal nature.

I am not talking about “the Valley” per se, although much of the free-floating capital is sourced there.  I am talking about the City of San Francisco and its exploding environs of Berkeley and Oakland.  Start-ups in many verticals are gaining significant equity and even debt financing.  I visited one start-up cloistered in a single large room in Oakland with nine-figure financing, even though their loft-like space was accessed through an alley and was wracked by periodic construction noise from the vast hole being dug next door.

In fact, Oakland is experiencing the same kind of frenzied build-out (of what was a second-class location) as is occurring on the Boston waterfront.  If you have not seen the Boston waterfront lately, come on down; I am referring to the high rise offices and condos, not just the glitzy restaurant and bar scene, as tech growth demands more space, more close-in housing, and some relief from the inflated real estate costs of Boston and Cambridge.  The same dynamic obtains in Oakland, where the primary geographic characteristic is the construction crane.

Housing in San Francisco has always been foolishly expensive, as has been the case in Berkeley, which is fed by the vast campus and the lack of buildable parcels as the city climbs its way precipitously up the hills.  Oakland was always an “iffy” and somewhat more dangerous location, but now it is buzzing with companies, urban renewal and office and multi-family housing construction; downtown looks a lot like the Boston waterfront, with a few restored deco structures blended in for a dash of character.

I have heard debate as to whether VC funding is harder to obtain in Boston than on the West Coast.  That is almost unanswerable, as you cannot be sure you have an apples-to-apples comparison as to companies, available technology and the like.  But some people in California are saying that it feels like a bubble out there.  Putting aside the fact that many folks in the San Francisco tech community are too young to have experienced a bubble in their careers, the comment reflects an underlying nervousness in the face of what is clearly a booming environment.

As of this moment, my personal guess is that the safest good investment available is to buy real estate in Oakland; no need to bet on which technology will be victorious, as the pressure on housing and business space seems insatiable.

The SEC Commissioner Wanders….

It is always interesting to track the unofficial pronouncements of SEC commissioners; it gives you a sense of their fundamental thought drivers.  So a couple of weeks ago Commissioner Kara Stein gave a speech at Stanford billed as “reimagining” the role of the shareholder in today’s corporation.  Her analysis, in summary:

Corporations should have a relationship with shareholders that she describes as “mutualism”: each is benefited, the corporation getting funded and the shareholder getting rewarded.  This mutualism is reflected, by way of example, as follows:

*shareholders have been out front in advocating cybersecurity, although corporations do not recognize that cyber risk is fundamental and not just a technical IT issue;

*diverse boards perform better and there is a need for more gender diversity;

*shareholder activism is sometimes resisted by boards and, when embraced, the outreach generally is to significant institutional investors controlling about 70% of share ownership; further, a trend is growing to disenfranchise shareholders by vesting super-voting rights in insider-founders, which is “inherently undemocratic;”

*we can benefit shareholders and corporations, mutually, through shareholder engagement and communication.

Although one might well agree with some of these separate sentiments, the totality of the commissioner’s remarks falls very far short of reimagining anything.

The battle to define the relationship between shareholder and entity is one of who directs corporate power.  Modern large corporations separated ownership from control.  Some theorists, today notably the Harvard corporate governance program led by Lucian Bebchuk, contend that management must be globally more responsive to shareholders.  Of course, one must figure out which shareholders; Stein is correct that the majority of the action is held by professional investors and funds.  Indeed, today’s news headlines speculate that selling stock to cover margin calls was a major cause of the scope of the recent market sell-off, and it wasn’t the retired retail investor from Kansas City who had to sell millions of shares to get back into formula.

The reimagining of the modern corporation is much more than admonitions to add women to boards and to protect IT assets from hacking.  The reimagining requires first that you figure out who the “shareholder” is, because what is good for the retired retail investor is not decided by the same metric applied by institutions selling by algorithms.  The reimagining requires making sure that the shareholders you care about dominate the board.

The best societal solution may be the maintenance of the current lack of clarity, without drawing battle lines between different kinds of investors, or between capital and management.  But suggesting that shareholders and management need to bond over cybersecurity and electing women to boards is far less than a proposal to reimagine corporate governance.

Are you an IP Licensee?

What happens when your licensor files for bankruptcy?  Companies filing Chapter 11 have always had the right to assume or reject any contract that has yet to be fully performed.  This right becomes volatile in the new economy, where so many businesses rely on software or other IP licenses to sustain their operations.  To protect licensees of intellectual property, Congress enacted an amendment to the Bankruptcy Code (section 365(n)) to compel the bankrupt, in many cases, to continue to provide the license.

But the Bankruptcy Code’s definition of intellectual property does NOT include trademarks, service marks or trade names.  Are they covered?

Federal courts are divided as to whether these statutorily unmentioned categories of license are totally terminated on rejection of the contract, even while other elements of intellectual property licenses (trade secrets, patents, etc.) can be preserved by the customer under section 365(n).

It seems that if you are a SaaS licensee or a licensee of an embedded system you may not care about trade names; you may not even have rights to use those names.  But if you present to your customers using trade or service designations of your IP licensor, you may be at the mercy of the bankrupt or its bankruptcy trustee.  And unless the Supreme Court acts, the answer to the question may depend on the court chosen by the bankrupt to make its filing.

Additionally, it is not clear whether it is possible to continue a license, by licensee election under section 365(n), if the bankruptcy filing is a Chapter 7 liquidation as opposed to a Chapter 11 proceeding (for technical reasons beyond the scope of this post).

For the Massachusetts folks please note: at this writing a bankruptcy filing in the Massachusetts federal court means the licensee of trade designations cannot salvage use of those designations if the debtor rejects the license agreement.

ERM: Defining Risk

Directors sometimes don’t understand the meaning of risk.  Boards treat ERM (enterprise risk management) as making sure there is regulatory compliance, sound accounting and reasonable cyber protection.  These are important to address but are NOT the key elements of risk that boards must engage, according to an expert panel convened today by the National Association of Corporate Directors of New England.

Risk was defined as the occurrence of events that could deeply harm your organization and which you do not plan for.  Risk is thus mostly another word for how you manage your strategy, how you define and are guided by your risk appetite.  Sixty percent of failures are strategic in nature, thirty percent are operational and only ten percent are based in financial control failures.  As one panelist stated it: risk management is the same thing as running your business.

In for-profit business, one suggested risk definition is the avoidance of unexpected earnings volatility.  That tells us that you need not avoid risk; indeed, the panel emphasized that in a rapidly changing world you must undertake risk to remain competitive.  ERM is not eliminating risk; it is balancing the hoped-for benefits against the negative impact of getting it wrong.

One panelist emphasized the use of metrics: define your risk appetite in terms of what is an acceptable quantum of risk.  Risk measurement must be quantitative (do not drive over 60 mph) and not qualitative (drive carefully).  That raises the issue of the quality of metrics, and whether the board is getting only internal metrics or market metrics as well.  Good checks on whether the board is getting the true picture: reviewing outside data, bringing on new directors, talking to junior employees, talking to customers, exit interviews, anonymous whistle-blower procedures.

Take-aways for directors: ask what is the risk of what you are not doing; approach risk on a portfolio basis, accepting different levels of risk for different products, services or initiatives; hire the right people to drive the strategy; make sure you are not getting a uniform response from everyone, as that is a sign of a lack of healthy awareness; keep the pressure on management to be accountable for a strategy that reflects risk management and mitigation.

Most interesting perspectives (paraphrased): When I interview new board candidates I ask two gating questions: first, are you healthy enough to do this job; second, is your lifestyle dependent on the income from this directorship (if the answer to the latter is “yes,” you will be too compliant with the common wisdom).  When I join a board I ask the following questions: do I want to fire the CEO; is there institutional buy-in on strategy; is that strategy fully funded.

Final key question to ask management: how do you know that your risk management program is working effectively?

Corporate Compliance Programs; What if you are Mid-Market or Privately Held?

So your company has been accused of committing a fraud, or of violating the Foreign Corrupt Practices Act.  You have attracted an investigation by the US Department of Justice.  You are negotiating whether to enter a plea, or trying to head off charges.  What will help you in these negotiations?  Each case is different, but the DOJ’s recent “Evaluation of Corporate Compliance Programs” suggests courses of action in light of the DOJ’s typical inquiries:

Did the company have prior warnings which would have allowed it to detect the misconduct?  Were compliance procedures lacking?  If present, were they misapplied or willfully ignored?

What specific changes did the company make to reduce risk?  Were senior leaders vocal in discouraging misconduct?  Did the board hold private sessions with internal and external gatekeepers?

How important did the compliance program appear within the company as compared with “other strategic functions?”  Did the company fully staff, fund and give autonomy to internal compliance functions?

Were policies communicated downward, and to third-party vendors, and integrated into risk management?  Did employees and customers have a reporting mechanism so that violations could be flagged?

Were people punished for infractions?  Did the company test its own programs by review of controls and by interviewing employees and others?

In acquisitions, did due diligence address risks in this area?

Many of these factors seem applicable to larger companies, but fraud prosecution and FCPA enforcement occur even against smaller companies.  What should such companies do to protect themselves, where the company structure is flat and boards meet infrequently and are not in the habit of holding management accountable?

Every company needs a compliance policy.  Distribute it.  Every company can hold periodic meetings or programs to educate and remind sales people, inside people, all employees of their obligations.  A file can be kept of compliance inquiries made of third parties: outside vendors, contractors, sales channels.  A modicum of attention at the board level may go a long way here: calendar quarterly meetings and put compliance on the agenda a couple of times a year.  Keep summary minutes.  Have zero tolerance for violations; take action to remediate and punish.  Ask your auditors or attorneys, in writing, to look in areas problematic in your industry, where you had problems in the past, or where your scale does not provide layered controls.  No one will hold a small company to the standard applied to a multi-billion dollar company but, when under investigation, even the smaller company needs to show that it paid such attention as its size and financial resources permitted.