By Jacquelyn Lumb
University of Texas law professor Henry Hu opened the Practising Law Institute’s thirteenth annual directors’ institute on corporate governance with a talk about decoupling, also known as empty voting, and the challenges posed by financial innovation. Hu said the SEC’s disclosure rules were adopted in a simpler time and recommended that the staff consider the implications of decoupling under its disclosure effectiveness project. The transparency challenges posed by financial innovation can undermine stock-based compensation, the monitoring of management performance, the market for corporate control, and other governance mechanisms, he explained.
Hu noted that the primary government response to transparency challenges was the adoption of a parallel disclosure system for major financial institutions with large derivatives holdings. This parallel disclosure system, developed by bank regulators, is not directed at investor protection and market efficiency, so it conflicts with the goals of the SEC’s disclosure mandates, he advised. A resolution will require Congressional action, but in the near term, Hu called on the SEC, the Federal Reserve, and others to harmonize the disclosure system.
Shareholder activism. Theodore Mirvis with Wachtell Lipton talked about activism and its impact on short-term versus long-term planning by companies. Institutional investors are more willing to support activist campaigns in proxy fights, which is a much different world than it was five to 10 years ago, he said. He also talked about accumulation strategies that take advantage of the reporting regulations and loopholes. Wachtell Lipton filed a rulemaking petition with the SEC in 2011 seeking to shorten the reporting deadline for Schedule 13D and to expand the definition of beneficial ownership, a measure that activists oppose.
Proxy access. With respect to the 2016 proxy season, Zach Oleksiuk with BlackRock said he believes proxy access and private ordering will persist as key issues. BlackRock views proxy access as an accountability mechanism for management, he said. He noted that many companies embark on communications programs with their top investors, and those that can effectively explain their approaches to governance will be more successful in warding off shareholder initiatives.
Oleksiuk believes that proxy access is inevitable, with three years of ownership and a three percent threshold as the market standard. He added that the three percent threshold is a high hurdle, even for pension funds. He also would like to see a pause in the adoption of new governance measures to weigh how the many new initiatives are working.
Audit committees. Another panel addressed audit committee overload. The panelists noted that many companies add cybersecurity to the list of issues for which the audit committee is responsible. Nicholas Donofrio, who serves on a number of boards, said it was not a good idea. It may be convenient but cybersecurity requires special expertise. In his view, cybersecurity is an IT issue and it poses a huge risk to place it with the audit committee. He added that if a company does not currently have a risk committee, perhaps it should review the need for one.
The panelists noted that the SEC’s concept release on updating the audit committee report did not have a warm reception in the marketplace, and criticized its list of 74 questions. With respect to the PCAOB, the panelists felt that its presence has improved audit quality, but questioned the need for audit quality indicators, an initiative currently under consideration. A proposal will likely go out in 2016, but with fewer AQIs, in one panelist’s view.
Cyber security. Two special agents from the FBI’s cyber branch provided an update on the types of activities they are investigating. Timothy O’Brien said there has been a blurring of activities by nation states and hackers acting on their own behalf. Spear phishing is the main attack method, in which an email is crafted for someone at a particular organization. It has become harder to discern that an email is not legitimate, he said, and once someone clicks on a link or an attachment, the malware is downloaded. O’Brien said it takes an average of 240 days before a company realizes it has been attacked.
Mike Dvilyanski said weak passwords, default passwords, and unpatched vulnerabilities enable some cyber attacks. Prevention is difficult since everyone will receive emails, but prompt detection will put companies in a better position for recovery, and a strong defense may lead hackers to go elsewhere. When asked whether the authorities are beginning to get cyber attacks under control, Dvilyanski said no—it is too easy to penetrate networks, so the crime is not going away.