Cyber Cooperation, Company Liability and Privacy

Yesterday I posted about House of Representatives action encouraging companies to share with the Federal government information bearing on cyber security. Intrigued by substantial negative votes cast against what looked much like a no-brainer, I sought some texture on the issue from Congressman Mike Capuano (D-MA and a thoughtful liberal voice in the Congress). Mike’s Newsletter, received today, is pretty interesting.

It seems there were two separate House bills which were passed, and Mike voted against both. The first (Protecting Cyber Networks Act) requires the Director of National Intelligence to establish a framework for sharing company cyber breach information while including consumer privacy protections. In order to foster company participation, the bill strongly insulates companies against liability for sharing private data with whichever Federal agency, in the company’s view, is best equipped to analyze the issue. However, under the bill, that Federal agency must immediately share the information with the Department of Defense and the National Security Agency. This bill passed 307-116 with overwhelming Republican support and mixed Democratic support (105 yeas, 79 Democratic nays).

A second related bill garnered far more robust support on both sides of the aisle, requiring companies to take “reasonable efforts” to remove personal information. It also establishes the Homeland Security Department’s National Cybersecurity and Communications Integration Center as the lead Federal civilian agency on cyber threats.

Both bills worried Capuano because of inadequate consumer protection. Perhaps part of the concern is the interweaving of the US response to cyber threats with sensitivity to international governmental participation in domestic US hacking. The existing infrastructure already is keyed significantly to this risk, involving the FBI, Homeland Security and Immigration with significant anti-cyber-risk functions. The tension between protecting us against the potential of massive damage from off-shore and creating a hyper-intrusive governmental bureaucracy, already pervading the debate as to free speech issues over the internet and our phone system, now is evident even in the effort to protect our business computer networks. This is not an area where clear guidelines will be generated any time soon.

Congressional Action on Cyber-Threats

The Times today reports that the House has passed a broad measure encouraging companies to open their networks and records to Federal investigators of cyber breaches.  Since the Senate Intelligence Committee has recommended a similar measure and since the Administration seems on board, we may be seeing legislation soon.

In broad outline, companies would be protected from liability for disclosure, but only provided that their data is scrubbed of personal information. Resistance historically has been expressed by Republicans worried about government burdens on business and by fears from all over the spectrum that giving more data to the government is just never a good idea; the liberal Massachusetts House delegation was pretty split in voting on the House Bill (which passed by a three-to-one margin).

Income Inequality: Big Problem, But What to Do?

Income inequality in the United States is recognized as a significant and worsening issue. At a recent meeting of the Columbia University Alumni Association (held in the austere richness of Boston’s Algonquin Club), Economics Professor Sunil Gulati and Jonathan Lavine, the politically liberal chief investment officer of Sankaty Advisors, speculated about how to address it. The bad news is that suggestions were short on specifics and avoided any discussion of economic measures which might promptly mitigate at least the trend if not the status quo. Emphasis on needs-blind university education for talented students and mention of reforming immigration policies to keep US-educated foreign graduates in the United States (rather than forcing them to go home and take their expertise and entrepreneurial drive with them) are both fine ideas, but are long-term structural elements unlikely to have short-term results and unlikely to create public assurance that the basic issue is being addressed directly. Of course a specific discussion of governmental involvement, by regulation or tax policy, would be highly volatile. Congress, in addressing the issue, charged the SEC with forcing disclosure of executive salaries, through more robust discussion of compensation and advisory “say on pay” votes by shareholders, and did not attack income disparity either through tax policy (beyond the modest existing provisions of IRC section 162(m) which limit CEO comp deductibility in certain instances) or through admittedly un-American absolute caps on earnings or through robust national hourly wage minimums.

It is likely too much to ask major investors in business, obligated to their own stake-holders to produce robust returns, to make fostering of income equality a checklist item when deploying capital, and no one raised that issue with the panel (Lavine runs Sankaty, which is an investment affiliate of Bain), but if money talks then one quick way to force the issue is to build the goal of income equality into the criteria for investment. Not a likely development….

War Games: Activist Shareholders

A panel of activist fund investors assured the breakfast audience at the National Association of Corporate Directors/New England today that all public companies are on their potential radar screen. One panelist stated “the only defense is, don’t be public,” a sardonic remark reminiscent of the conclusion reached by the computer “WOPR” when analyzing global thermonuclear war in the movie War Games: “the only way to win is not to play.”

The panel was, if you will, “stacked” with activist proponents. Although some acknowledgement was given to the view that activist investors may not drive better shareholder returns (disputed), and that certain activists may not have the most productive approaches (not disputed), attending directors were assured that activist funds have huge capital: about 20% of new monies flowing into funds are going to activists.

Unlike just a few years ago, activists now often team up with institutional investors (who in the past were “quiet” money). The panel outlined activist “best behavior”: talk with management rather than launching an immediate proxy fight, let management take credit for improvements, explain that activist funds now are “long term players” not in it for quick profit.

Panelists included principals of Barington Capital (a fifteen year player in the manufacturing and consumer space with a two to five year hold target), Hedge Fund Solutions (consultant to both investors and boards), Trian (successful in adding activist directors to PepsiCo and Mellon and now involved in a rare proxy fight at DuPont) and Ethos Management (which claims to speak three languages: the languages of management, investors and boards; and traces much tension to “miscommunication”).

The underlying theme: directors should engage activists early, listen to what they have to say and create a dialogue. Just because a hedge fund approaches a company, it does not mean that agreement cannot be reached on how to maximize shareholder return. As Matt Peltz of Trian (a multibillion dollar player) noted, Trian is always willing to listen and learn: “I’d rather be rich than right.”

Are you Emotional about your Med Device?

MassMEDIC, the trade association for the Massachusetts medical device industry, hosted a program this morning built around integrating the “human factor” into device design. The FDA’s 2011 draft guidance (promised to be made final this year) includes the usability of medical devices as one criterion in device approval.

The presenters, from the consulting firm Continuum and the drug company Sanofi, noted that successful devices (including those which deliver medication) must not only satisfy the fundamental standards of safety and efficacy, but also must be sufficiently appealing to the user (whether a member of the public or health care professional) in order to gain traction in a competitive consumer marketplace. “The success of a product depends on your users.”

The panel noted anecdotal experiences wherein products which were both safe and efficacious nonetheless failed in the marketplace because they did not address human factors: is the physical design sufficiently appealing to reinforce use, are the cognitive factors so clear that the manner of use is understandable and comfortable, does the device achieve an emotional reaction in the hands of the user.

Techniques for having usability march hand-in-hand with product design include integrating the human factor early in the design process, undertaking biometric and other studies of devices in actual use (even if they are nonfunctional “dummy” devices), and testing, redesigning and testing again.

Certain products, particularly those not analogous to those already in the marketplace, require careful writing of instructions for use. In these cases, the FDA will focus on the instructions both for their own understanding and in order to make sure that the product in the marketplace will perform safely and as the engineers anticipate.

The emphasis on usability and the consideration of human factors in the design of products reflects society’s growing “consumer” emphasis. Products will not be successful unless they are used as intended, notwithstanding their theoretical efficacy; utilization in the hands of the consumer requires consumer buy-in which in turn depends upon both ease of use and a positive human-emotional reaction to the user experience. It is interesting to hear engineers engaged in the “softer side” of product development but, it seems, the blending of human factors into device development is becoming a standard goal, and the only question is: how can you make sure the engineers are sufficiently exposed to that aspect so that the ultimate products are successful in the marketplace?

Boston is Chopped Liver

Lunching at my desk today, and needing a break from thinking, I was flipping through Fortune Magazine (March 15 issue) and came across a list of the 100 best places to work in the US.  Putting aside both the source and the obvious subjective nature of the premise, I began flipping through the list.

Second and then Eighty-second! These are the only Massachusetts companies. (Boston Consulting Group in town, and the Bright Horizons in Watertown; kudos to them, I mean them no harm.) But with all we think we have to offer, how smug we Bostonians are about our culture, our environment, our science, our entrepreneurship – only two winners??

Looking at some of the higher-listed companies is further deflating.  I can sort of understand San Francisco, and people in Florida and California likely can get nice tans; New York City of course is, well, New York City if you like that sort of thing.

But all those places in Minnesota?  Where IS Minnesota, anyway?  West of Trenton, New Jersey, I am told. (Speaking of New Jersey, that state had FOUR; twice as many as Massachusetts.)

Freeport, Maine?  They get even more snow than Boston (well, usually).  Newark, Delaware?? Give me a break.  I sit on my brother-in-law’s porch in Newark Delaware, in the BUILT-UP part of town, and can see waving fields of grain and numerous cotton tails hopping past, dodging the swooping hawks.  What cosmopolitan person wants to live with bunnies and hawks?

I guess when it comes down to good places to work, Boston is just chopped liver….

SEC on Reg A Offerings

Last week the SEC finally released definitive rules, under the 2010 Jobs Act, to permit Regulation A offerings of up to $50M by unregistered issuers, significantly advancing the scope of permitted offerings (now capped at $5M). The lesser disclosure requirements and greater speed of Reg A offerings have been attractive, in theory, to issuers; but in practice, the low cap and the lack of relief from concurrent State regulation have made Reg A the orphan child of large placement practice. These two impediments seemingly have been removed. Commentary from SEC Commissioners suggests that not all problems have been solved, including how Reg A integrates with the ’34 Act and how disclosure does, or rather does not, qualify for permitting resale of securities under Rule 144. Over the next few days, as final copies circulate, the details can be filled in. But Reg A, in the right circumstance, looks like a viable additional tool in capital formation for emerging companies where other exemptions (notably Reg D) today dominate the market. And finally, it looks like smaller Reg A offerings (under $5M) remain subject to state review, a curious result throwing these smaller offerings back into prior law.

Cyber Crooks: More Dangerous than Whitey?

Mid-way through the National Association of Corporate Directors breakfast held in Newton this week, former Boston Police Chief Ed Davis, now a security consultant, held up a picture of someone with a long Russian name. “$3,000,000,” intoned Davis. “The FBI is offering a $3,000,000 reward to catch this man. He is a cyber-thief, stole $100,000,000 using the Zeus malware. $1,000,000 more reward than the FBI paid for Whitey Bulger!”

The number of programs discussing cyber-crime has so proliferated, the number of articles so voluminous, that it is almost possible to get jaded by the onslaught. On the other side, however, the newspapers are constantly filled with stories of ever-escalating breaches of security systems, causing chaos, economic loss, and reputational destruction for the businesses and institutions suffering these incursions.

Some key take-aways from the NACD program, according to Davis and Greg Touhill, the retired Brigadier General who runs the cyber security system for the Department of Homeland Security (our government’s top gun in the war on cyber-crime):

Cyber-crime is not an IT issue, it is an enterprise risk management issue. The key to a robust system is several fold: keep physical security of your space, train your key people and update them, and use the technology by constantly applying the patches and amendments to software.

There are lots of resources available to help you: consulting experts; a framework for a cyber-security infrastructure published in 2014 by NIST; consultative help available from the Department of Homeland Security itself (charged in the 2002 Homeland Security Act with protecting the nation’s infrastructure and operating sixteen “centers” which provide information and on the scene consultative services for companies); a handbook for boards published in 2014 by the NACD itself (Cyber-Risk Oversight: Director’s Handbook Series).

Cyber security is taking a major role in merger and acquisition work. Acquirors are carefully reviewing acquisition targets to determine the robustness of data privacy and security. Deals fail based upon a failing grade; no one wants to acquire a major data leak. Warranties and representations concerning the quality of cyber security on the part of acquisition targets are being heavily negotiated. After a merger takes place, failure properly to integrate target computer systems, insulate them and test them for vulnerability has become a major problem.

A measure of the seriousness with which the Federal government takes this risk is the active involvement of: the Federal Bureau of Investigation (which enforces the Homeland Security mandate on protecting our infrastructure); the Secret Service in investigating financial crime; and Immigration and Customs in protecting against intellectual property theft.

How serious is the IP risk? Releasing credit information and other identification is one thing, but when you hack into a movie company and download an as yet unreleased season’s worth of shows of The Walking Dead, we are talking about serious business risk here.

And finally: think about where your computer hardware is being manufactured. Domestic US computer designs often are shipped offshore to be manufactured and then shipped back. What, exactly, is going into that computer being assembled in China?

I am planning a full article on the best current thinking for cyber security for directors and businesses, culling the literature (which is full of scare stories) in order to end up with specific actionable suggestions which will not break the bank. I expect publication in April and will announce by blog post access to that article.

The Pats: anti-geriatric to the last

Now I never post about the Patriots. I do not much like the Pats, though I root for them I confess. I do not much like football either; a brutal game embedded in the American ethos (and financial world) in a most unfortunate way. And I really did not like that coach at our neighborhood fair trying to recruit my solidly built 11-year-old for pee-wee football, or whatever that kids’ league is called.

But the current furor over the Pats “losing” Revis to the Jets is particularly moronic and worthy of a gentle reminder that another bad part of the football racket is that it is mercilessly against aging (although from my vantage point, none of the people I am about to discuss are beyond the equivalent of childhood).

In the past week or two, the Pats have said goodbye to defensive players Revis, Browner and Wilfork. At the start of next season they will be, respectively, 30, 31 and 33. Revis was looking at a shot at a long-term commitment also.

Seemingly we are retaining, for now, defensive players McCourty, Collins, Hightower, Jones, Siliga, Butler and Ryan. At the start of next season they will be, respectively, 28, 25, 24, 25, 24, 25 and 24.

What part of TWENTY vs THIRTY do you not get?

I do hope that Brady does not mess up his first few games next season or he, too, will be gone; almost happened this past year.  He will be meat for the grinder also, in his turn.  And I am so fond of his signed jersey, overlooking my pool table downstairs….

Now you can be inept at 25 and skilled at 35, no doubt depending on who you are. But on fair average, in a sport where if you are not hit by someone weighing 250 pounds that is only because the guy who hits you weighs 325, where would you place your bets?

The defense rests.

Trends in Med-Tech Device Funding

At the March 6th meeting of MassMEDIC, the association of the medical device industry, two expert panels discussed both the key attributes which an early stage company must have to attract financing, and the landscape for obtaining that financing.

Requisite Attributes: A panel including Mass Medical Angels, an institutional investor and a large strategic industry investor shared a fundamental viewpoint: you need an appealing story which is well told and understandable, initially in a brief presentation or slide deck (it need not be a full offering memorandum), describing the problem, the solution and its novelty. Intellectual Property should be identified but need not be dwelled upon. For an emerging company, the core team may be important but it can be reasonably small; successful emerging companies are very parsimonious with money, and many problems (such as regulatory and reimbursement) can be farmed out. Good founders are imaginative and make do with short dollars in early stages.

How important is the team? For the angels and the institutional investor, seemingly quite important. When you get to a strategic acquiror, even one which purports to invest in early stage and no-revenue enterprises, the founders are important but, let’s face it, a strategic is liable to impose its own management team, or integrate a company into its own management structure, pretty quickly.

One interesting side note: the general consensus was that if there is more than one founder, the back and forth process generally creates a better company than in a single-founder situation.

Where Is The Money? There is hope for financing life science companies, including medical device companies in Massachusetts. One serial entrepreneur on a second panel noted that money was more easily available on the East Coast than in Silicon Valley in the life science space. The venture fund on this panel, Norwich, noted that about half of their investments are in companies run by first time entrepreneurs, so there is hope for that cohort.

Some other interesting take-aways on finance:

No one was big on crowd funding. It is not intelligent money, and a large number of investors will scare away institutional future rounds.

For the new emerging company, angels can often provide sizable amounts of money. There was also advantage in being in an accelerator, and the Boston Medical Accelerator and M2D2 (the accelerator at University of Massachusetts at Lowell) were mentioned.

SBIR grants, while slow and difficult to get, can fund pure startups with no traction. The phase one disbursement of up to $250,000 is often a stepping stone, if progress is made, to phase two funding of up to $1,500,000, although it was suggested that on a strong showing of prior progress some companies might be able to jump directly into phase two.

Other issues in attracting capital (weighted differently as between angels, venture fund and strategic investor): Is the product buildable? Is the idea proven or is there an understandable road to proof through clinical trial? Have the founders thought about a logical exit (the exit may change over time, but are they sensitive to the fact that there has to be a pay day somewhere down the road)?