The week in GRC: SEC reveals Edgar hack and guides on pay ratio rule
– The New York Times reported that New York Governor Andrew Cuomo proposed regulations that would subject credit reporting agencies to the same rules as banks and insurances companies in order to protect consumers. The move came in response to the recent security breach at Equifax. The proposal would require companies such as Equifax, Experian and TransUnion to register with the state’s Department of Financial Services, whose superintendent will have broad powers to deny or revoke their authorization to do business in the state, or to sue, if a company fails to comply or engages in prohibited practices deemed unfair, deceptive or predatory.
– According to Reuters, law firm Cadwalader Wickersham & Taft hired former US Federal Trade Commission (FTC) attorney Bilal Sayyed to beef up its antitrust practice. Sayyed, joining Cadwalader in Washington, DC from McDermott Will & Emery, has advised corporate clients being reviewed by the FTC and the US Department of Justice on mergers, civil and criminal antitrust matters. He is also an expert in representing investment funds on Hart-Scott-Rodino Act compliance matters, Cadwalader said. Compliance with that law has received heightened attention from government regulators amid the rise in shareholder activism.
– Auditors are experimenting with specialized drones to use artificial intelligence and image recognition to analyze information about companies’ inventories and send it back to their headquarters, the Financial Times said. The new technology is part of a new range of digital tools the largest accountancy firms are exploring as they seek to automate aspects of the audit process. Technology can improve the quality of audit work by carrying out tasks faster, and potentially more accurately, than a human could.
– As part of President Donald Trump’s drive to target what he and aides call outdated or unnecessary restrictions, a panel of industry and labor representatives delivered a report urging the Federal Aviation Administration to eliminate or roll back more than 50 long-standing air safety rules, The Wall Street Journal reported. The document recommends loosening controls over everything from pilot training to structural testing of new models. Several of the specifics are prompting opposition from some union groups, outside safety advocates and families of crash victims.
– The Washington Post reported that toy store chain Toys ‘R’ Us filed for bankruptcy. The company said its 1,600 Toys ‘R’ Us and Babies ‘R’ Us locations would operate ‘as usual’, and that it would work with its investors to address roughly $5 billion in debt. ‘Today marks the dawn of a new era at Toys ‘R’ Us where we expect that the financial constraints that have held us back will be addressed in a lasting and effective way,’ said Dave Brandon, chair and CEO of Toys ‘R’ Us, in a statement. ‘We are confident these are the right steps to ensure the iconic Toys ‘R’ Us and Babies ‘R’ Us brands live on for many generations.’
– John Chambers will not stand for re-election to the post of executive chair of Cisco Systems in December, the company said, ending more than two decades of leadership at the networking company, according to Bloomberg. He first joined the board in 1993. Chuck Robbins, who has been CEO since 2015, will assume the executive chair role. As CEO of Cisco, Chambers was one of the most prominent spokespeople for the boom that transformed the internet into a network that redefined how people work, communicate and get entertainment. At its annual meeting in December, the board is expected to reduce its size to 11 members, 10 of whom will be independent directors, Cisco said. The company has a mandatory retirement age of 70 for board members.
– The FT said Chinese internet company Sina hit back against a US hedge fund that has launched a proxy fight in a rare test of the power of foreign shareholders in Chinese firms. Aristeia Capital, a Connecticut-based hedge fund firm, is pressing Sina for an array of corporate governance reforms to boost shareholder value. Aristeia has nominated two candidates to Sina’s five-person board of directors.
‘We do not believe Aristeia – which has traded in and out of Sina’s stock to support its gains – is truly interested in governance. Instead, we believe Aristeia is interested only in implementing a short-term and self-serving agenda,’ Sina said. In a statement explaining its candidate nominations, Aristeia said: ‘Sina is in fact not being governed for the benefit of all of its owners, but rather for the personal advancement or desires of a select few insiders.’
– According to the WSJ, more boards are pairing new members with seasoned mentors as they move to improve their oversight of management in the face of intensified investor scrutiny. Board buddies can help newcomers understand the boardroom’s cultural norms, power brokers – and even the right place to sit. Mentors make sure ‘you don’t come in like a bull in a china shop,’ said Steven Walker, managing director of the board services group at the National Association of Corporate Directors.
– Bloomberg reported that Toshiba’s board agreed to sell its flash memory chip unit to a group led by Bain Capital for ¥2 trillion ($18 billion). The Bain consortium includes backing from Japanese and overseas companies, including Toshiba, which will reinvest ¥350.5 billion, the company said. Toshiba expects the deal to close by March 31, 2018 and aims to restore a positive net worth by the end of the fiscal year, according to the company.
– Massachusetts Attorney General Maura Healey filed a lawsuit against credit reporting firm Equifax following a cyber-breach that exposed the personal data of up to 143 million people, including 3 million in the state, Reuters said. ‘Equifax needs to pay for its mistakes, make our residents whole and fix the problem so it never happens again,’ Healey said. An Equifax spokesperson declined to comment on the lawsuit, but said the company wanted to reassure consumers of its focus on helping them to ‘navigate this situation.’
– According to Bloomberg, the European Securities and Markets Authority (Esma) is due to gain sweeping new powers as the EU braces for the impact of Brexit and new Mifid II rules on its capital markets. Esma will directly supervise critical market infrastructure including derivatives clearinghouses, data reporting services providers and financial benchmarks, according to a draft bill from the European Commission. It will also co-ordinate the work of national authorities to sharpen the EU’s supervisory focus.
– The SEC said its Edgar system, which is used by companies to make legally required filings, was hacked last year, giving the attackers private information that could have been exploited for trading, The New York Times reported. The agency said it was still investigating the breach. The SEC said it learned in August that an incident detected last year ‘was exploited and resulted in access to non-public information.’ It said the security vulnerability used in the attack had been patched shortly after it was discovered.
– Reuters reported that the Californian cities of San Francisco and Oakland filed separate lawsuits against five oil companies seeking billions of dollars to protect against rising sea levels they blame on climate change. The lawsuits allege BP, Chevron, ConocoPhillips, ExxonMobil and Royal Dutch Shell created a public nuisance, and ask for funds to finance infrastructure to deal with rising sea levels. According to a news release from San Francisco city officials, the lawsuits mirror 1980s-era lawsuits against tobacco companies.
‘Should this litigation proceed, it will serve only special interests at the expense of broader policy, regulatory and economic priorities,’ a Chevron spokesperson said. Shell said the issue should be addressed by government policy and cultural change, not by courts. Exxon described the lawsuits’ claims as without merit, and said it would defend itself. ConocoPhillips declined to comment. BP did not respond to a request for comment.
– The UK government has told the financial services industry that it will seek to develop a distinct regulatory framework from the EU after Brexit to try to secure a long-term competitive advantage for banks, fund managers and insurance firms, according to the FT. Since the referendum last June, however, many in the City of London have argued that maintaining some form of regulatory equivalence with the EU after Brexit would be one way of retaining some of the UK’s financial services activities that would otherwise be taken by other countries in the region.
– The SEC approved interpretive guidance intended to help companies in their efforts to comply with the CEO pay ratio disclosure requirement that goes into effect in early 2018. For example, the guidance states the commission’s views on the use of reasonable estimates, assumptions and methodologies and statistical sampling permitted by the rule, as well as clarifying that a company may use appropriate existing internal records, such as tax or payroll records, in determinations about the inclusion of non-US employees and in identifying the median employee.
– Bloomberg reported that Uber Technologies’ license to operate in London was revoked. Transport for London said it denied the license because Uber’s ‘approach and conduct demonstrate a lack of corporate responsibility.’ The license will expire on September 30, although the company has 21 days to appeal the ruling, and can carry on operating during the appeal process. ‘We intend to immediately challenge this in the courts,’ said Tom Elvidge, general manager of Uber in London.
– According to the FT, the SEC delayed for at least eight months before notifying the public that hackers had penetrated its network, even as it urged the companies it regulates to promptly disclose cyber-attacks. The commission had by Friday released only a four-sentence description of the 2016 hack into its online Edgar company filings system, which officials belatedly realized last month had permitted criminals to obtain non-public information and trade profitably on it.
Publicly traded companies must disclose to investors any hack that has a material effect on their operations. Government agencies such as the SEC are governed by a different set of rules that generally require notification within seven days to law enforcement authorities, congressional oversight committees and a federal information security incident center, though not the public. Attorneys said the SEC’s tight-lipped approach may have been intended to protect efforts to identify the hackers. On Thursday, an SEC spokesperson confirmed that the incident had not been previously revealed, but said the commission would not comment on its disclosure obligations.