New Disclosures of Executive Comp

The Wall Street Journal this morning (April 29th) reports that the SEC is proposing new regulations requiring further substantial disclosure of executive compensation, as mandated by the 2010 Dodd-Frank Act.  (Note: SEC releases now confirm….)

Although the proposals will require disclosure both for the CEO and the five highest paid executives, and will track the disclosure over a five year period, the devil as ever will be in the details. It looks like some new measures of compensation are involved. For example, calculation for the five highest paid executives is set to exclude certain components otherwise reported in existing SEC requirements, such as the value of share grants that have not yet vested.

Disclosure also will attempt to tie actual pay to “total shareholder return,” a measure companies are already required to disclose in proxy statements.

The proposed rules will be subject to public comment and perhaps modification. They do not appear to be responsive to the as-yet-unfulfilled Dodd-Frank requirement of expressing the ratio between CEO compensation and the compensation of all employees; the SEC proposed rules in that regard in 2013 (again, years late as against the statutory requirement), but the SEC is not expected to finalize those highly convoluted (and likely non-edifying)  ratio rules at least until the second half of 2015.

All of this regulation of course begs the question of the efficacy of disclosure tools in the actual control of “excessive” executive compensation. The previously adopted “say-on-pay” regulations, much touted, have done little to control executive comp. Boards of directors are slow to admit psychologically that they are hiring people who are in the lower half of the quality scale (implicitly equating compensation with executive ability). Whether these new public disclosures, if and when finally adopted, will be effective is highly problematical; indeed, calculation of CEO compensation as against shareholder return already is being deeply analyzed by activist investors based upon information now calculable under the current disclosure regime.

It may be that activist shareholders, together with shareholder advisors such as ISS, ultimately will be the drivers for any capping of CEO or executive compensation.

Trends in Managing Cyber Risk

Although cyber risk typically is cited as the biggest board preoccupation in terms of risk, at least among public and larger companies, other data suggests that preoccupation with cyber risk is over-stated.

According to the World Economic Forum (2015 study), the list of the ten top “global risks” in order of likelihood places cyber-attacks tenth, well behind inter-country conflicts, collapses of national governments, extreme weather and the water crisis. And, in terms of impact, cyber-attacks do not even make the list of the top ten (water, infectious diseases and WMDs lead the list).

On the other hand, public boards (2015 NACD survey) indicate that at least one-third of all United States public directors consider the quality of information concerning cyber security, delivered by management, to be unsatisfactory, and a majority consider information quantifying that risk to be unsatisfactory.

Where do public companies place responsibility for risk oversight? During the last couple of years, one suspected a trend in designating specific Risk Committees. However, at the public company level, the audit committee continues by far to be the typical depository of that function. If there is any trend, it is towards placing ERM responsibility on the full board of directors, and not at any committee level.

Cyber Cooperation, Company Liability and Privacy

Yesterday I posted about House of Representatives action encouraging companies to share with the Federal government information bearing on cyber security. Intrigued by substantial negative votes cast against what looked much like a no-brainer, I sought some texture on the issue from Congressman Mike Capuano (D-MA, and a thoughtful liberal voice in the Congress). Mike’s Newsletter, received today, is pretty interesting.

It seems there were two separate House bills which were passed, and Mike voted against both. The first (Protecting Cyber Networks Act) requires the Director of National Intelligence to establish a framework for sharing company cyber breach information while including consumer privacy protections. In order to foster company participation, there are strong insulations against company liability for sharing private data with whichever Federal agency, in the company’s view, is best equipped to analyze the issue. However, under the bill, that Federal agency must immediately share the information with the Department of Defense and the National Security Agency. This bill passed 307-116 with overwhelming Republican support and mixed Democratic support (105 yeas, 79 Democratic nays).

A second related bill garnered far more robust support on both sides of the aisle, requiring companies to take “reasonable efforts” to remove personal information. It also establishes the Homeland Security Department’s National Cybersecurity and Communications Integration Center as the lead Federal civilian agency on cyber threats.

Both bills worried Capuano relative to inadequate consumer protection.  Perhaps part of the concern is the interweaving of the US response to cyber threats with sensitivity to international governmental participation in domestic US hacking.  The existing infrastructure already is keyed significantly to this risk, involving the FBI, Homeland Security and Immigration with significant anti-cyber-risk functions.  The tension between protecting us against the potential of massive damage from off-shore and creating a hyper-intrusive governmental bureaucracy, already pervading the debate as to free speech issues over the internet and our phone system, now is evident even in the effort to protect our business computer networks.  This is not an area where clear guidelines will be generated any time soon.

Congressional Action on Cyber-Threats

The Times today reports that the House has passed a broad measure encouraging companies to open their networks and records to Federal investigators of cyber breaches.  Since the Senate Intelligence Committee has recommended a similar measure and since the Administration seems on board, we may be seeing legislation soon.

In broad outline, companies would be protected from liability for disclosure, but only provided that their data is scrubbed of personal information. Resistance historically has been expressed by Republicans worried about government burdens on business and by fears from all over the spectrum that giving more data to the government is just never a good idea; the liberal Massachusetts House delegation was pretty split in voting on the House Bill (which passed by a three-to-one margin).

Income Inequality: Big Problem, But What to Do?

Income inequality in the United States is recognized as a worsening significant issue. At a recent meeting of the Columbia University Alumni Association (held in the austere richness of Boston’s Algonquin Club), Economics Professor Sunil Gulati, and politically liberal chief investment officer of Sankaty Advisors Jonathan Lavine, speculated about how to address it. The bad news is that suggestions were short on specifics and avoided any discussion of economic measures which might promptly mitigate at least the trend if not the status quo. Emphasis on needs-blind university education for talented students and mention of reforming immigration policies to keep US-educated foreign graduates in the United States (rather than forcing them to go home and take their expertise and entrepreneurial drive with them) are both fine ideas, but are long-term structural elements unlikely to have short-term results and unlikely to create public assurance that the basic issue is being addressed directly. Of course a specific discussion of governmental involvement, by regulation or tax policy, would be highly volatile. Congress, in addressing the issue, charged the SEC with forcing disclosure of executive salaries, through more robust discussion of compensation and advisory “say on pay” votes by shareholders, and did not either attack income disparity through tax policy (beyond the modest existing provisions of IRC section 162[m] which limit CEO comp deductibility in certain instances) or through admittedly un-American absolute caps on earnings or through robust national hourly wage minimums.

It is likely too much to ask major investors in business, obligated to their own stake-holders to produce robust returns, to make fostering of income equality a checklist item when deploying capital, and no one raised that issue with the panel (Lavine runs Sankaty, which is an investment affiliate of Bain), but if money talks then one quick way to force the issue is to build the goal of income equality into the criteria for investment. Not a likely development….

War Games: Activist Shareholders

A panel of activist fund investors assured the breakfast audience at the National Association of Corporate Directors/New England today that all public companies are on their potential radar screen. One panelist stated “the only defense is, don’t be public,” a sardonic remark reminiscent of the conclusion reached by the computer “WOPR” when analyzing global thermonuclear war in the movie War Games: “the only way to win is not to play.”

The panel was, if you will, “stacked” with activist proponents. Although some acknowledgement was given to the view that activist investors may not drive better shareholder returns (disputed), and that certain activists may not have the most productive approaches (not disputed), attending directors were assured that activist funds have huge capital: about 20% of new monies flowing into funds are going to activists.

Unlike just a few years ago, activists now often team up with institutional investors (who in the past were “quiet” money). The panel outlined activist “best behavior:” talk with management rather than launching an immediate proxy fight, let management take credit for improvements, explain that activist funds now are “long term players” not in it for quick profit.

Panelists included principals of Barington Capital (a fifteen year player in the manufacturing and consumer space with a two to five year hold target), Hedge Fund Solutions (consultant to both investors and boards), Trian (successful in adding activist directors to PepsiCo and Mellon and now involved in a rare proxy fight at DuPont) and Ethos Management (which claims to speak three languages: the languages of management, investors and boards; and traces much tension to “miscommunication”).

The underlying theme: directors should engage activists early,  listen to what they have to say and create a dialogue. Just because a hedge fund approaches a company, it does not mean that agreement cannot be reached on how to maximize shareholder return. As Matt Peltz of Trian (a multibillion dollar player) noted, Trian is always willing to listen and learn: “I’d rather be rich than right.”

Are you Emotional about your Med Device?

MassMEDIC, the trade association for the Massachusetts medical device industry, hosted a program this morning built around integrating the “human factor” into device design. The FDA’s 2011 draft guidance (promised to be made final this year) includes the usability of medical devices as one criterion in device approval.

The presenters, from the consulting firm Continuum and the drug company Sanofi, noted that successful devices (including those which deliver medication) must not only satisfy the fundamental standards of safety and efficacy, but also must be sufficiently appealing to the user (whether a member of the public or health care professional) in order to gain traction in a competitive consumer marketplace. “The success of a product depends on your users.”

The panel noted anecdotal experiences wherein products which were both safe and efficacious nonetheless failed in the marketplace because they did not address human factors: is the physical design sufficiently appealing to reinforce use, are the cognitive factors so clear that the manner of use is understandable and comfortable, does the device achieve an emotional reaction in the hands of the user.

Techniques for having usability march hand-in-hand with product design include integrating the human factor early in the design process, undertaking biometric and other studies of devices in actual use (even if they are nonfunctional “dummy” devices), and testing, redesigning and testing again.

Certain products, particularly those not analogous to those already in the marketplace, require careful writing of instructions for use. In these cases, the FDA will focus on the instructions both for their own understanding and in order to make sure that the product in the marketplace will perform safely and as the engineers anticipate.

The emphasis on usability and the consideration of human factors in the design of products reflects society’s growing “consumer” emphasis. Products will not be successful unless they are used as intended, notwithstanding their theoretical efficacy; utilization in the hands of the consumer requires consumer buy-in which in turn depends upon both ease of use and a positive human-emotional reaction to the user experience. It is interesting to hear engineers engaged in the “softer side” of product development but, it seems, the blending of human factors into device development is becoming a standard goal, and the only question is: how can you make sure the engineers are sufficiently exposed to that aspect so that the ultimate products are successful in the marketplace.

Boston is Chopped Liver

Lunching at my desk today, and needing a break from thinking, I was flipping through Fortune Magazine (March 15 issue) and came across a list of the 100 best places to work in the US.  Putting aside both the source and the obvious subjective nature of the premise, I began flipping through the list.

Second and then Eighty-second! These are the only Massachusetts companies. (Boston Consulting Group in town, and the Bright Horizons in Watertown; kudos to them, I mean them no harm.) But with all we think we have to offer, how smug we Bostonians are about our culture, our environment, our science, our entrepreneurship – only two winners??

Looking at some of the higher-listed companies is further deflating.  I can sort of understand San Francisco, and people in Florida and California likely can get nice tans; New York City of course is, well, New York City if you like that sort of thing.

But all those places in Minnesota?  Where IS Minnesota, anyway?  West of Trenton, New Jersey, I am told. (Speaking of New Jersey, that state had FOUR; twice as many as Massachusetts.)

Freeport, Maine? They get even more snow than Boston (well, usually). Newark, Delaware?? Give me a break. I sit on my brother-in-law’s porch in Newark, Delaware, in the BUILT-UP part of town, and can see waving fields of grain and numerous cottontails hopping past, dodging the swooping hawks. What cosmopolitan person wants to live with bunnies and hawks?

I guess when it comes down to good places to work, Boston is just chopped liver….

SEC on Reg A Offerings

Last week the SEC finally released definitive rules, under the 2010 Jobs Act, to permit Regulation A offerings of up to $50M by unregistered issuers, significantly advancing the scope of permitted offerings (now capped at $5M). The lesser disclosure requirements and greater speed of Reg A offerings have been attractive, in theory, to issuers; but in practice, the low cap and the lack of relief from concurrent State regulation have made Reg A the orphan child of large placement practice. These two impediments seemingly have been removed. Commentary from SEC Commissioners suggests that not all problems have been solved, including how Reg A integrates with the ’34 Act and how disclosure does, or rather does not, qualify for permitting resale of securities under Rule 144. Over the next few days, as final copies circulate, the details can be filled in. But Reg A, in the right circumstance, looks like a viable additional tool in capital formation for emerging companies where other exemptions (notably Reg D) today dominate the market. And finally, it looks like smaller Reg A offerings (under $5M) remain subject to state review, a curious result throwing these smaller offerings back into prior law.

Cyber Crooks: More Dangerous than Whitey?

Mid-way through the National Association of Corporate Directors breakfast held in Newton this week, former Boston Police Chief Ed Davis, now a security consultant, held up a picture of someone with a long Russian name. “$3,000,000,” intoned Davis. “The FBI is offering a $3,000,000 reward to catch this man. He is a cyber-thief, stole $100,000,000 using the Zeus malware. $1,000,000 more reward than the FBI paid for Whitey Bulger!”

The number of programs discussing cyber-crime has so proliferated, the number of articles so voluminous, that it is almost possible to get jaded by the onslaught. On the other side, however, the newspapers are constantly filled with stories of ever-escalating breaches of security systems, causing chaos, economic loss, and reputational destruction for the businesses and institutions suffering these incursions.

Some key take-aways from the NACD program, according to Davis and Greg Touhill, the retired Brigadier General who runs the cyber security system for the Department of Homeland Security (our government’s top gun in the war on cyber-crime):

Cyber-crime is not an IT issue, it is an enterprise risk management issue. The key to a robust system is several fold: keep physical security of your space, train your key people and update them, and use the technology by constantly applying the patches and amendments to software.

There are lots of resources available to help you: consulting experts; a framework for a cyber-security infrastructure published in 2014 by NIST; consultative help available from the Department of Homeland Security itself (charged in the 2002 Homeland Security Act with protecting the nation’s infrastructure and operating sixteen “centers” which provide information and on the scene consultative services for companies); a handbook for boards published in 2014 by the NACD itself (Cyber-Risk Oversight: Director’s Handbook Series).

Cyber security is taking a major role in merger and acquisition work. Acquirors are carefully reviewing acquisition targets to determine the robustness of data privacy and security. Deals fail based upon a failing grade; no one wants to acquire a major data leak. Warranties and representations concerning the quality of cyber security on the part of acquisition targets are being heavily negotiated. After a merger takes place, failure properly to both integrate target computer systems and insulate them and test them for vulnerability, has become a major problem.

A measure of the seriousness with which the Federal government takes this risk is the active involvement of: the Federal Bureau of Investigation (which enforces the Homeland Security mandate on protecting our infrastructure); the Secret Service in investigating financial crime; and Immigration and Customs in protecting against intellectual property theft.

How serious is the IP risk? Releasing credit information and other identification is one thing, but when you hack into a movie company and download an as yet unreleased season’s worth of shows of The Walking Dead, we are talking about serious business risk here.

And finally: think about where your computer hardware is being manufactured. Domestic US computer designs often are shipped offshore to be manufactured and then shipped back. What, exactly, is going into that computer being assembled in China?

I am planning a full article on the best current thinking for cyber security for directors and businesses, culling the literature (which is full of scare stories) in order to end up with specific actionable suggestions which will not break the bank. I expect publication in April and will announce by blog post access to that article.