FDA on Future of Med Device Cyber Security

In my immediately prior post discussing a presentation by Suzanne Schwartz of FDA relative to cyber security in medical devices, I noted that the FDA had proposed regulatory actions during the next twelve months.

Hopefully by the end of calendar 2015, but not later than early 2016, FDA intends to formally articulate a policy concerning “post-market expectations.” One of the major issues in cyber security is that there is a large installed base of devices already in the marketplace, so that work done on new devices will not cure the existing marketplace risk. Guidance for what is expected from device manufacturers should be forthcoming.

The FDA also hopes to adopt the NIST framework relating to cyber security, making it understandable and applicable to medical devices. (For those not deep in the alphabet game, “NIST” is the National Institute of Standards and Technology.)

FDA proposes to provide a vulnerabilities scoring system for medical devices, with sensitivity to the context in which end-users come in contact with such devices.

Schwartz also discussed, albeit in general terms, premarket guidance. They want to see products where security is “baked in,” not “bolted on.” They want to see that you have applied a process for software validation. For new devices, in connection with FDA submissions they expect to see risk analysis, provision for response and ongoing monitoring, and a patch program. They are also interested in getting a sense of what they call “cyber hygiene,” which is a combination of good design, control of access to the software, and provision for routine “servicing” of the software.

With respect to medical devices already in the marketplace, “FDA generally will not need to review or approve medical device software changes made solely to strengthen cyber security.” This approach seems to be an effort to facilitate speed in fixing cyber problems identified in the marketplace.

Aside from FDA identification of resistance within the device industry to collaboratively addressing cyber issues, the various speakers in the aggregate made a compelling case for robustly addressing the issues presented. By the end of the decade, it is estimated that there will be twenty-six billion devices connected to the internet, and while most will not be medical devices, many of them will be. One speaker estimated that as much as forty-five percent of all of last year’s data breaches or hacks were in the medical field (hospitals, insurers, devices and the like). Theoretically, aside from fraud risk, hacking into medical devices could erase records, overload systems so as to create a DoS (denial of service) shutdown, subject patients with networked implants (such as pacemakers) to extortion threats, and even (in one reported case) permit a patient to hack into his own medical drip to increase the flow of narcotic painkillers.

And with the explosion of “wearable” devices, including Fitbits, the opportunities for device hacking will do nothing but proliferate in the future.

FDA on Cyber and Med Devices–Part One

The biggest problem in combating medical device cyber-attacks is not technological, it is the secretive reaction of med device companies when confronted with evidence that their devices can be hacked, leading to a refusal to disclose any information about the hacking incidents.

At the Thursday, October 1st conference organized by MassMEDIC (the Massachusetts organization of medical device companies), Suzanne Schwartz of the FDA politely threw down the gauntlet. Schwartz is the Director of Emergency Preparedness of the Center for Devices and Radiological Health at FDA; she expounded at great length on the FDA’s perceptions and expectations with respect to cyber security matters.

Schwartz called upon the industry to act collaboratively to identify cyber risks. She asked: aside from a shared desire to protect and heal the public, what is going to motivate competitors to disclose cyber risk information? Do we need a total disaster? Should the FDA impose a penalty (she asked with apparent innocence)? Or will the industry, unprompted, adopt a more collaborative approach?

She reviewed a series of executive orders from the President, applicable guidance issued by the FDA, and made reference to last October’s FDA public workshop on cyber security of medical devices (presented in conjunction with the Department of Homeland Security and the Department of Health).

Another problem is the sometimes confrontational nature of dialogue between hackers and companies. She called for civility on both sides. “Security researchers are not the enemy here.”

Two established medical device companies of some size and stature, Boston Scientific and Philips Healthcare, presented in a separate panel with respect to their practices. It is not surprising that each described robust attention to cyber security during the entire device design process and a willingness to share disclosures with others in the industry (while protecting trade secrets from competitors); each described a corporate program which no doubt the FDA (whose key representative was also listening to the presentation) will find most comforting. It was almost as if a different industry were being described by these presenters compared to FDA’s scenario, which is not to suggest that their companies do not follow the robust procedures they mentioned. It is also perhaps not surprising that the companies which were willing to disclose their procedures are those with the best procedures; it is not likely that a company with a poor record on cyber hacking of medical devices would step forward and present in this particular setting.

A subsequent post will outline proposed FDA actions during the next twelve calendar months, and provide premarket guidance on FDA review of devices and related software.

What Do CEOs Worry About?

CEOs of major New England-based companies are worried this year about a reasonably predictable list of immediate problems which impact the local and world economies: Chinese slowdown, the European refugee crisis, lack of domestic liquidity driven by requiring concentration of big bank capital, the problematical Middle East, increased volatility in the capital markets.

But the Tuesday panel convened by the National Association of Corporate Directors-New England, consisting of Putnam Funds President Bob Reynolds, Mass Mutual Life’s CEO Roger Crandall and Bain Capital’s Managing Director Steve Pagliuca, also hit upon several systemic issues which theoretically may be within our own reasonable control if we could only find common political ground.

The Retirement Gap. People are living longer. Individuals with a work-place savings plan (such as a 401k) are far more successful in saving for long retirement. Increasing medical costs, likely to fall in larger measure on individuals, further drive the need for robust retirement funding. In the new economy, many workers are now without direct access to a work place savings plan. State or national programs are needed to drive robust retirement investment.

Making Greater Boston Competitive. The three fastest growing cities are all in Texas. Texas, Florida, Arizona and other jurisdictions are growing much faster than Massachusetts. Many high-growth jurisdictions are without local tax. Excessive and overlapping government (including town and city) regulation makes greater Boston unaffordable both for business and for home buyers. We need new approaches to taxation and infrastructure, lest in the long run greater Boston/Cambridge prove non-competitive for our increasingly mobile technology economy.

United States Policies Don’t Help. Our visa policy drives the very best students from overseas, educated here, to export their expertise and energy offshore. Giving every offshore graduate a visa would be better for the United States economy. Further, domestically based businesses which repatriate to the United States the profits they accumulated offshore incur a 35% federal corporate income tax; this drives United States-based companies to open new facilities overseas rather than repatriating the money and creating jobs here in the United States. With the 35% savings, one panelist noted, “I can build an entire factory in India. That factory is free.”

Education Education Education. We need better education at every level. Outside of Eastern Massachusetts, secondary and high school education is grossly deficient. Below the very highest levels, we are also not training people to support industry here; a greater role for community colleges was urged. Non-elite private colleges are overpriced and will be shaken out. Companies themselves should be incentivized, perhaps tax-wise, to pick up some of the training effort. There was very robust panel support for a comprehensive societal focus on improving education at every level.

Emerging Markets. They are volatile. Today China is best positioned, with banks and infrastructure, to ride out the volatility. However, India and other emerging markets have huge potential. “Demographics don’t lie.” “Our biggest trend in our lifetimes is globalization.” One needs a long-term strategy: any business planning for the next fifty years absolutely requires an Asian and an African strategy to be successful and competitive.

Delaware Director Liability in Related Party Transactions

You might want to take a look at recent developments in the Delaware law relating to the liability of corporate directors in case of a freeze-out merger or other self-interested transaction. You can start by taking a look at my recently published article on this subject in New England In-House, which can be accessed at http://newenglandinhouse.com/reprints/2015/08/24/the-care-and-protection-of-the-independent-director/.

Three days after publication, the Delaware Chancery Court issued another opinion which extends the learning set forth in the article. The article correctly stated the Delaware case law that the “entire fairness test” is indeed met if the deal is expressly conditioned on both independent committee approval and the affirmative vote of a majority of independent shareholders. In the August 27th Delaware Chancery decision In re Dole Food Co. Inc., interested directors nonetheless were held personally liable for the inadequate price paid in a freeze-out merger even though these two conditions were present. The reason: in spite of following the formalities of the Delaware law, the controlling Dole shareholders defrauded the independent committee in various ways, including knowingly misrepresenting financial projections and purposely depressing the stock price.

I’ve Been Thinking: SEC, Trump and Gifford

Why do Republican SEC commissioners continue to criticize last week’s formal regulation requiring disclosure of ratio of CEO comp to median employee comp? The regulation, long overdue, is mandatory under a Federal statute (Dodd-Frank) and is no doubt watered down in final form from the spirit of the statute itself. With majorities in both houses, why don’t they try legislation to upend the law? Even Democrats ought to understand the regulation is useless and wasteful.

When will the SEC promulgate another long-overdue regulation which permits crowd funding by non-accredited investors in exchange for stock? Many States have already enacted such legislation, although the Federal exemption for such State initiatives is so narrow as to make State schemes difficult to follow and typically inappropriate for many new-economy ventures. “Dumb money” (as characterized by critics) may not be a great investor base, but here again there is that pesky little thing called a Federal statute….

Why is the SEC facing such headwinds on a couple of initiatives designed to in fact deliver the kind of individual accountability (people not companies liable for violations of law) that so many commentators deem necessary? Pressure against the Commission seeking to salvage its internal adjudicatory process, pressure against the Commission for pushing its historical definition of insider trading. Attorneys rightly point out significant issues with both internal adjudication and demanding tippers profit before tippees can be liable for tipped trades, but: there is appeal out of the Commission adjudications; and, the new judicial standard of tippee liability is not logical if the wrong to be remedied is the misuse of information that the tippee knew or should know to be confidential.

Does anyone agree with me that Donald Trump (who, disclosure here, is very far from my favorite person or politician) is getting excoriated for the wrong sins? Does his comment that you need to be a bit askew to take existential offense at his clearly ill-articulated remark strike at least some chord of credibility? Or: they desperately need to take him out, and if the McCain remark did not do it (wonder of wonders), then they have to jump on the next palpable gaffe real quick….

Finally: Frank Gifford passed away this weekend. Growing up in New York, he was my hero, the all-American two-way football player who was clean-cut, articulate, durable and relatable. As Tittle’s key target he was unstoppable for several years. In the halcyon days of the Giants, he was the nuts. Dead at 84, likely unknown to many, or remembered only for his broadcasts with Howard Cosell who (unkind final cut by the media) is reported to have disliked Frank, the first negative mark in my memory on the poor departed (is it really twenty years?) Howard (a recovering lawyer for most of his life and thus entitled to special dispensation).

SEC Pay Gap Rule Coming Today

All over the morning press, and the buzz in morning email traffic: the SEC is slated to adopt today a disclosure rule requiring larger domestic public companies to disclose the ratio of the compensation of their CEO to the median earnings of all employees.

It has been so long under discussion that I had to go back to the books to recall the exact statutory mandate for this new rule. It is the Dodd-Frank Act of 2010. It took the SEC five years to swallow hard and adopt this meaningless rule. The SEC tried to address added disclosure cost by allowing estimates and statistical samplings, which no doubt will help, although one can imagine the boring written disclosure explaining the statistical methodology.

The statutory requirement for this rule goes back to the fall-out from the 2008-9 crash. But since public shareholders get to vote (albeit in nonbinding fashion) on CEO comp under the “say on pay” rule, and since proxy advisers have gotten much more granular with recommendations based on specific analysis, it is hard to understand the functionality of the new rule.

And more importantly, the rule is useless. CEO comp is market driven and the comparables are other C-suite executives. That has nothing to do with the median pay of, say, a company with employees around the world, who may be paid $10 as a robust daily wage in a place where bread is a dime a loaf. And more importantly, to the extent the rule is designed to control through shame, higher comp is rather a CEO badge of pride. The psychology is simplistic and wrong.

The real solutions to growth of income disparity, to the extent one views the current situation with disfavor, are more fundamental and politically charged: change the minimum wage; change the tax rate; ultimately take the wholly un-American, anti-free-enterprise step of an absolute C-suite pay cap. At least today, these solutions range from unlikely to, well, unimaginable.

In the Stone Age when I got to college, the Federal marginal tax rate (under a Republican administration) was 91%. All those in favor of the good old days, raise your hands….

Death of Delaware??

Rumors of the impending death of Delaware as the State of choice for forming business entities are, as they say, greatly exaggerated. This notwithstanding the petulant piece on the front page of WSJ yesterday where some larger corporations, incorporated in Delaware and faced with expensive shareholder litigation based on alleged inadequacy of acquisition price, sounded off about how Delaware law and courts do not protect their companies from such baseless litigation.

While it is true that almost all acquisitions of size are met with litigation which often recovers cash only for lawyers (as if that were a bad thing!), the alternative is equally untenable: if you give no recourse to minority shareholders, there is no cop on the beat to police pricing. Some of the complaints revolve around Delaware’s legislative failure this year to enact a law fixing the costs of litigation on shareholders bringing suit if those shareholders lose. But that result would be violative of the American rule that parties bear their own litigation costs.

Delaware is not likely to lose its place as primary business domicile for a variety of reasons, including: current incorporation there of so many major corporations; clarity of corporate law and practice in so many other areas; comfort of investors with putting their money into Delaware entities.

Part of the problem lies with the Bar. It cannot be that 93% of all deals (assuming the WSJ statement in that regard is accurate) deserve to give rise to litigation. One possible fix is for Delaware courts to hold that price cannot be questioned either by fiduciary claims or appraisal (judicial re-determination of fair price) if it is negotiated by an independent directors’ committee and ratified by a super-majority of minority shares (independent directors already are protected from fiduciary claims if the committee was truly independent, a majority of disinterested shareholders voted in favor, and the deal was conditioned up front on meeting those standards). But somewhere within the operation of the legal system there has to be a rational adjuster short of moving companies to another State domicile; that kind of movement will simply encourage States to engage in a race to the regulatory bottom.

Insider Trading Redefined?

Long time without a post; summer doldrums and vacations. However, while some of us bask in the sun, the SEC never sleeps. Those who follow the case law about insider trading know that recent court decisions have been confusing about what constitutes illegal insider trading, but at least one major case held that the tippee (the actual trader) had to know that the tipper was receiving something of real value for the tippee to be guilty. Not so, held another recent case. The SEC, sorely vexed by the earlier decision, says it will seek cert before the US Supreme Court to settle the issue.

The Supreme Court does not have to grant cert, of course, but may be well inclined to do so in this case, upon request of a major regulatory agency and with a split among the courts on the proper standard to apply in a volatile legal area. We may not hear from the Supreme Court for some time; in the meanwhile, those trading on information are best advised to be comfortable with its provenance. The SEC has high priority on this area, after absorbing major criticism for its failure to chase individual miscreants in a wide variety of cases including but not limited to insider trading.

SEC Activity

The SEC is active today on the regulatory side, although they still have not delivered some key items on their overdue agenda, notably Federal crowd funding. The States are stealing their thunder on that front, although usually under the intra-state Federal exemption, so mostly we are talking small local deals.

New today on executive claw-backs: proposed rules to direct the exchanges to establish a listing standard requiring claw-back of executive incentive pay erroneously granted. Arises with a financial restatement and applies to current and former executives. NOT related to any fault on the part of the executives. Reaches back three years from restatement. Open for two months’ comment. This under Dodd-Frank, a statute merely what– three weeks shy of five years old?

New today on audit committee disclosures: SEC announces it will issue a “concept release” seeking comment on current audit disclosures, particularly oversight of independent auditors. Would reach criteria used by the committee to evaluate, and also to select, auditors. Also a two-month comment period after publication. Hard to imagine this will help investors; more likely to result in expanded disclosure requirements eliciting platitudes.

Post M&A Integration

Diligence is complete and your acquisition deal has been signed and closed. Your company has acquired its target. What do you do next? This was the second topic discussed by the panel at the NACD/New England M&A program held June 9th in Boston.

Even if your plan is ultimately to fully integrate the target into the acquiror, it may make some sense to take some time, understand what makes the target tick from the inside, and evaluate the depth and quality of the management team. Sometimes an acquisition is designed to bring more energetic technology or operational approaches to a larger and more staid company. Letting the target run by itself may allow it to retain its entrepreneurial culture. You have acquired not only technology, contracts and physical assets; you have acquired the human beings who have built the target enterprise into the company you have identified as providing strategic strength to your own company. Don’t crush those strengths immediately in a rush to obtain financial efficiency.

Part of the post-acquisition integration process is to create a joint vision, between acquiror and target management, of what the consolidated company should look like. Target management, including several levels down depending upon the size of the target, should be made to feel that after the acquisition they have a place to reside, and a better path to achieve their own goals. To fail in this regard drives target management to the placement counsellors. (One anecdotal tidbit: shortly after Procter and Gamble acquired Gillette, 80% of the senior management team of Gillette headed for the hills. Likely not the very best result….)

The panel agreed that no acquisition, no matter the quality of the diligence, will work exactly as anticipated. Often the synergies are interpersonal and indirect, and the acquiror has to focus on team building (even if the acquisition is of a prior competitor where initial instincts are non-collaborative).

Since culture is so hard to identify, one of the panelists said he liked to take the inquiry down one step to look at the “values” which create the culture. Are the two companies agreed that they are structured for the long term to build shareholder value and to help the customer base? Or is the culture of one company that it is a vehicle for individual success? Are decisions typically reached in each organization through a small number or a very large number of decisional tiers? Diligence beforehand had better have gotten these factors correct, or any integration will be a rocky road.