Cyber Crooks: More Dangerous than Whitey?

Mid-way through the National Association of Corporate Directors breakfast held in Newton this week, former Boston Police Chief Ed Davis, now a security consultant, held up a picture of someone with a long Russian name. “$3,000,000,” intoned Davis. “The FBI is offering a $3,000,000 reward to catch this man. He is a cyber-thief, stole $100,000,000 using the Zeus malware. $1,000,000 more reward than the FBI paid for Whitey Bulger!”

The number of programs discussing cyber-crime has so proliferated, the number of articles so voluminous, that it is almost possible to get jaded by the onslaught. On the other side, however, the newspapers are constantly filled with stories of ever-escalating breaches of security systems, causing chaos, economic loss, and reputational destruction for the businesses and institutions suffering these incursions.

Some key take-aways from the NACD program, according to Davis and Greg Touhill, the retired Brigadier General who runs the cyber security system for the Department of Homeland Security (our government’s top gun in the war on cyber-crime):

Cyber-crime is not an IT issue, it is an enterprise risk management issue. A robust system has several parts: keep physical security of your space, train your key people and keep them updated, and use the technology by constantly applying the patches and amendments to software.

There are lots of resources available to help you: consulting experts; a framework for a cyber-security infrastructure published in 2014 by NIST; consultative help available from the Department of Homeland Security itself (charged in the 2002 Homeland Security Act with protecting the nation’s infrastructure and operating sixteen “centers” which provide information and on-the-scene consultative services for companies); a handbook for boards published in 2014 by the NACD itself (Cyber-Risk Oversight: Director’s Handbook Series).

Cyber security is taking a major role in merger and acquisition work. Acquirors are carefully reviewing acquisition targets to determine the robustness of data privacy and security. Deals fail based upon a failing grade; no one wants to acquire a major data leak. Warranties and representations concerning the quality of cyber security on the part of acquisition targets are being heavily negotiated. After a merger takes place, failure to properly integrate target computer systems, insulate them, and test them for vulnerabilities has become a major problem.

A measure of the seriousness with which the Federal government takes this risk is the active involvement of: the Federal Bureau of Investigation (which enforces the Homeland Security mandate on protecting our infrastructure); the Secret Service in investigating financial crime; and Immigration and Customs in protecting against intellectual property theft.

How serious is the IP risk? Releasing credit information and other identification is one thing, but when you hack into a movie company and download an as yet unreleased season’s worth of shows of The Walking Dead, we are talking about serious business risk here.

And finally: think about where your computer hardware is being manufactured. Domestic US computer designs often are shipped offshore to be manufactured and then shipped back. What, exactly, is going into that computer being assembled in China?

I am planning a full article on the best current thinking for cyber security for directors and businesses, culling the literature (which is full of scare stories) in order to end up with specific actionable suggestions which will not break the bank. I expect publication in April and will announce by blog post access to that article.

The Pats: anti-geriatric to the last

Now I never post about the Patriots. I do not much like the Pats, though I root for them I confess. I do not much like football either; a brutal game embedded in the American ethos (and financial world) in a most unfortunate way. And I really did not like that coach at our neighborhood fair trying to recruit my solidly built 11-year-old for pee-wee football, or whatever that kid’s league is called.

But the current furor over the Pats “losing” Revis to the Jets is particularly moronic and worthy of a gentle reminder that another bad part of the football racket is that it is mercilessly against aging (although from my vantage point, none of the people I am about to discuss are beyond the equivalent of childhood).

In the past week or two, the Pats have said goodbye to defensive players Revis, Browner and Wilfork. At the start of next season they will be, respectively, 30, 31 and 33. Revis was looking at a shot at a long-term commitment also.

Seemingly we are retaining, for now, defensive players McCourty, Collins, Hightower, Jones, Siliga, Butler and Ryan. At the start of next season they will be, respectively, 28, 25, 24, 25, 24, 25 and 24.

What part of TWENTY vs THIRTY do you not get?

I do hope that Brady does not mess up his first few games next season or he, too, will be gone; almost happened this past year.  He will be meat for the grinder also, in his turn.  And I am so fond of his signed jersey, overlooking my pool table downstairs….

Now you can be inept at 25 and skilled at 35, no doubt depending on who you are. But on fair average, in a sport where if you are not hit by someone weighing 250 pounds that is only because the guy who hits you weighs 325, where would you place your bets?

The defense rests.

Trends in Med-Tech Device Funding

At the March 6th meeting of MassMEDIC, the association of the medical device industry, two expert panels discussed both the key attributes which an early stage company must have to attract financing, and the landscape for obtaining that financing.

Requisite Attributes: A panel including Mass Medical Angels, an institutional investor and a large strategic industry investor shared a fundamental viewpoint: you need an appealing story which is well told and understandable, initially in a brief presentation or slide deck (it need not be a full offering memorandum), describing the problem, the solution and its novelty. Intellectual Property should be identified but need not be dwelled upon. For an emerging company, the core team may be important but it can be reasonably small; successful emerging companies are very parsimonious with money, and many problems (such as regulatory and reimbursement) can be farmed out. Good founders are imaginative and make do with short dollars in early stages.

How important is the team? For the angels and the institutional investor, seemingly quite important. When you get to a strategic acquiror, even one which purports to invest in early stage and no-revenue enterprises, the founders are important but, let’s face it, a strategic is liable to impose its own management team, or integrate a company into its own management structure, pretty quickly.

One interesting side note: there was general consensus that if there is more than one founder, the back-and-forth process generally creates a superior company compared to a single-founder situation.

Where Is The Money? There is hope for financing life science companies, including medical device companies in Massachusetts. One serial entrepreneur on a second panel noted that money was more easily available on the East Coast than in Silicon Valley in the life science space. The venture fund on this panel, Norwich, noted that about half of their investments are in companies run by first time entrepreneurs, so there is hope for that cohort.

Some other interesting take-aways on finance:

No one was big on crowd funding. It is not intelligent money, and a large number of investors will scare away institutional future rounds.

For the new emerging company, angels can often provide sizable amounts of money. There was also advantage in being in an accelerator, and the Boston Medical Accelerator and M2D2 (the accelerator at University of Massachusetts at Lowell) were mentioned.

SBIR grants, while slow and difficult to get, can fund pure startups with no traction. The phase one disbursement of up to $250,000 is often a stepping stone, if progress is made, to phase two funding of up to $1,500,000, although it was suggested that on a strong showing of prior progress some companies might be able to jump directly into phase two.

Other issues in attracting capital (weighted differently as between angels, venture fund and strategic investor): Is the product buildable? Is the idea proven or is there an understandable road to proof through clinical trial? Have the founders thought about a logical exit (the exit may change over time, but are they sensitive to the fact that there has to be a pay day somewhere down the road)?

Partners Hospitals: Your new Venture Capitalist?

Chris Coburn, who runs the Partners Healthcare Innovation Center, delivered what amounted to a sales pitch to emerging life science companies, urging them to work with the vast Partners system. Addressing a meeting of MassMEDIC, the association of the medical device industry, last week, Coburn outlined Partners’ value proposition: come to us with your idea, if we decide to work together we can provide reliable funding, brand recognition, networking, and robust practical information to develop your company with guidance from the Partners staff, and using documented experience of the Partners Hospitals.

Partners has established nine vertical areas, and has assigned a leadership team in each area to foster innovation and identify promising emerging medical technology. He suggests that approaching Partners makes particular sense these days, where funding in the device space has become very difficult and regulatory timelines have continued to lengthen.

(With respect to the latter point, many of the business plans we see here in my firm call for rollouts in Europe and, indeed, I now have one on my desk looking for an initial rollout in India, given the regulatory log jam here in the United States.)

Coburn emphasized fundamental changes taking place in the life science arena: new trends in managing and insuring risk, substantial shifts in the nature of delivery systems. It is no longer clear which companies are performing which functions; he noted that Medtronic is now managing clinical services in European hospitals rather than just being an outside supplier. He also painted two startlingly different futures for the approximately 6,000 hospitals now in the United States: some experts suggest efficiency through substantial consolidation so that in a decade there will be only 600 hospitals; the contrary view is that technology will unbundle delivery of health services and there will be 60,000 hospitals.

Finally, Coburn noted that Partners has both a venture capacity and a substantial portfolio of licenses and additional licensing opportunities, with 190 licenses in place and approximately $1,400,000,000 of sponsored research now in process. It seems that Partners is big and intends to get bigger, whether or not expansion of its physical hospital network (which has become quite contentious) moves forward.

I’ve Been Thinking….

What is the pedestrian supposed to do when the entrance to that pedestrian’s office building is festooned with signs that say “Beware of Falling Ice”?

Speaking of our snow here in Boston: if you save the parking space you dug out of the snow bank on your street, and upon your return you find another car nonetheless in occupancy, where is the dining room chair that you set out to hold your location?

Why did the Red Sox just pay $31.5M to sign a 19 year old Cuban player, and commit to a 100% luxury tax, when the kid hit no higher than .282 in Cuba?

Perhaps the kid will at least use some of that swag to finish high school and get an associate degree in airplane repair.

If you took that money, call it $60M to round it out, how many tutors could you hire to work in Roxbury and environs to assist our City youth to achieve?  (Spoiler alert: at $15 an hour, one thousand tutors every single week, including summers, for 100 years.)  Go Sox??

Since we are talking sports: Boston is bidding for the 2024 Olympics, based in part on our transportation system being fully built out to handle the crowds. Last week it took my average support staff person traveling by public transportation on 40-year-old trains on average over two hours to come to the office. I can readily see how the transportation system component is a real plus, while meeting the pledge that no public funds need be spent to put on the Olympics; can’t you?

Major anomaly in DC, the home of major anomalies:  did I hear the Democrats excoriating the Republicans for failure to support Homeland Security funding?  Yes I did…..

And since we are talking politics: how will Obama parse his pledge to erase ISIS with no US boots on the ground?  Will he blame his new Defense Secretary, who clearly believes we will need lots of said boots?  (“He made me do it, he’s so sure of himself….”).

What happens when the next country Putin invades is a NATO member? Refresher: think Croatia, Czech Republic, Hungary, Poland, Bulgaria, Estonia, Latvia, Lithuania, Romania, Slovakia, Slovenia, Albania. (Extra credit question: which ones of these were part of the USSR?)

If the globe is warming, why is there 99.6 inches of snow on my back porch?

Why did the Academy of Motion Picture Arts and Sciences select as best picture a boring two hour rant by a deranged has-been actor who kills himself, a welcome denouement granted?  And why did said deranged has-been actor run through Times Square in his gleaming white Jockeys; was not the Naked Cowboy enough eye candy for even the most jaded New Yorker?

I’m outta here.   Gotta get home; they are predicting a few inches of snow tonight….

Corporate Governance: Business Judgment Rule Revisited


Corporate directors generally are aware of the fact that they are protected by the so-called “business judgment rule”: if a director of reasonable intelligence applies reasonable diligence and doesn’t make a personal profit out of any decisions, then courts will not hold the director liable because he made a mistake.

Corporate statutes, including Delaware and Massachusetts, have long codified this rule, although they do it in a particular way: they set forth an affirmative standard of conduct for directors and then say there will be no liability if this standard is met.

What about corporate officers? They have fiduciary duties to their corporations also. Do they have the benefit of the business judgment rule? Spoiler alert: sometimes.

There is Delaware judicial authority for the proposition that the business judgment rule also applies to officers. In Massachusetts there is a specific statute in the (fairly) new General Business Corporation Act which sets forth a standard of conduct for officers which is similar to (though not quite as broad as) the protection from liability afforded by that statute to directors. The supposition that officers are covered in a manner similar to directors is contrary to traditional analysis, but seems to be the judicial trend in Delaware, and in Federal courts in Florida, New York, Illinois and Georgia.

However, recent litigation in various courts has perhaps set in motion a retreat back to the limitation of the business judgment rule as protecting only directors and not officers. Cases in California decided by state (as opposed to Federal) courts seemingly now have restricted the business judgment rule to directors only. And now director protection itself is under assault.

Additionally, there is more than one way to skin the cat; persons who might otherwise be protected by the business judgment rule may lose that protection for several reasons: the nature of the company (bank directors should be held to a different standard given the impact of a bank failure on the economy); directors must be wholly disinterested (often not true in private corporations); directors may have close family ties or business relationships which taint their judgment and deny them use of the Rule; and directors may become “interested” if they are intimidated by an interested director (this from Delaware). Further, directors have been held liable if they fail to inform themselves sufficiently of the facts of the case, and directors also are now being attacked by claims made under Federal Securities Laws (the business judgment rule relates to breach of fiduciary duty at common law and not statutory transgressions).

Given the current pressure to “make individuals liable” for corporate failures, particularly in derivative law suits, you rapidly reach the conclusion that the business judgment rule is under great pressure even in protecting directors, let alone applying it to the protection of corporate officers. (Indeed, there are strong arguments that the business judgment rule should not apply to officers, who generally are more involved in company affairs and thus might be chargeable with actually reaching the correct decision, not just trying hard.)

It may be that the Massachusetts statute, codifying a statement of officer conduct similar to the standard that satisfied the parameters of the court-invented business judgment rule, ultimately will prove among the more robust judicial protections afforded to corporate executives anywhere in the country.

SDX: Not a Railroad; an Investor Relations Proposal

The so-called SDX Protocol, a roadmap prepared by directors, advisors and institutional investors to establish a play book for interaction between the investment community and independent corporate directors, was analyzed at the January 13 meeting of the National Association of Corporate Directors/New England.

Historically, such communication has been anathema. Directors direct; a member of management, the CEO or the director of investor relations, has the laboring oar in communicating with the investment community.

There is a sense that this current practice has not worked well. It may create barriers between investors and directors, leading to misunderstandings which in turn lead to a poor and destructive level of shareholder-company relations.

The SDX Protocol may not be appropriate for all companies, but larger companies with institutional investors might consider adopting some or all of that proposal. In broad outline:

The company designates one or more independent directors, not management, to speak with institutional investors.

Institutional investors designate high level representatives (not just analysts) to engage with the independent directors.

Ground rules are established to set forth topics which cannot be discussed (the kinds of things that relate to earnings or operations, matters typically raised in an “earnings call,” should be avoided).

A list of appropriate areas of discussion should be generated (risk management, corporate philosophy on compensation, high level strategy).

Companies must be careful in selecting the board members to speak; not all board members are going to be adept. The Protocol also contemplates the director speaking without presence of either management or third party advisors, something which makes counsel nervous and raises the risk of violation of Regulation FD (impermissible selective disclosure of material inside information).

The SDX approach is radical, and contrary to historical corporate governance. It should be undertaken only very carefully and with consultation with outside advisors. It is unclear whether SDX represents an opportunity to cut into miscommunication, or a probing invasion by institutional investors into areas which should not be generally disclosed, nor indeed selectively disclosed, to anyone.

Drinking with Drizly: an Entrepreneur’s Story

Did you ever get a thirst for an adult beverage during a snow storm, only to find your larder bare? Along comes Drizly, an application that can get your alcohol delivered to you, at least if you are in a city, in twenty to forty minutes.

Nick Rellas, CEO and co-founder of four-year-old Drizly, explained how he applied technology to the historically staid liquor business. Drizly gives you an app for your phone or device. You use this app to order what you need. Drizly takes that order and sends it to a nearby liquor store under contract with Drizly. The liquor store delivers the product, and receives and keeps the entire payment.

How does Drizly make money? A monthly license fee from the liquor store. Drizly never touches the beverage, and never touches the money within the transaction. Now in fourteen markets including Boston and New York, Drizly is again raising capital and anticipates substantial expansion in the United States and Canada in the next twelve months.

An additional possible future revenue source could also be from manufacturers or importers, where advertisements could have a click-through button so that, if the consumer wants to buy the product, that information comes to Drizly and Drizly passes it to a retailer, thereby giving manufacturers or importers an immediate ability to themselves drive sales to consumers.

Drizly also has a compliance function wherein identification of persons authorized to place orders has been preprocessed, so as to avoid facilitating distribution to, for example, underage consumers.

Rellas provided his remarks to a breakfast meeting of the Association for Corporate Growth, held in Boston on January 15th. His description of his business model and its application to the consumer marketplace is suggestive of the disruptive impact of web-based services that are reshaping business: Uber and Amazon spring to mind immediately. The founder (who is in his 20s) worked in a liquor store, noted the absence of technology, and applied his generation’s technological skills to the normally conservative liquor business.

Trend in Access to Public Company Proxy Mechanisms

Proxy access, permitting shareholders to nominate directors and have that nomination included in the public company proxy statement itself, remains a volatile issue. You may recall that the SEC’s original regulation to provide shareholder access had two prongs: the first was a set formula by which corporations were required to afford proxy access for director election to shareholders holding 3% or more of the shares of a company, and a second procedure by which companies could themselves “privately order” (custom craft) a proxy access rule just for their own company. The Courts struck down the first part of the SEC regulation, leaving the field open only for private ordering.

Pursuant to private ordering, activist shareholders sometimes have proposed by-law amendments to permit shareholder nominations for directorships. However, a provision of the SEC regulation permits a company to exclude such shareholder proposals if the company itself has proposed a similar rule. As might be expected, company-proposed rules are less generous in affording shareholder access to the proxy mechanism.

In the recently rendered Whole Foods “no-action” letter, the SEC endorsed the company’s rejection of a shareholder proxy access proposal because the company itself had its own pending proposal, even though the company proposal was far more restrictive in allowing shareholder access (it required 9% of the shares held for at least three years, to put forward a proposal, and did not permit aggregation of shareholdings by different shareholders; the SEC required only a cut-back to a 5% threshold).

Although it was suggested that many other companies are flocking to this approach in order to deny the proxy mechanism to shareholders in most instances, discussion continues as to whether suggesting restrictive corporate initiatives, leading to rejection of more liberal shareholder initiatives, should be sustained where (allegedly) companies are pushing the envelope and consequently, de facto, are denying shareholder access to the proxy mechanism.

What your Public Board Should be Doing Now

During the time between year-end and the annual meeting, public boards are planning director elections, effecting audit review to conclude the annual financials, addressing 10K and proxy matters, evaluating shareholder proxy and other proposals from activists, and conducting intensified committee meetings which inevitably follow fiscal year-end. Key board issues for this period were highlighted at the January 13th breakfast meeting of the New England Chapter of the National Association of Corporate Directors, where a panel of financial, legal and shareholder relations experts summarized the current state of play.

From a shareholder communications standpoint, directors should be focusing on an evaluation of board members standing for reelection. Broader disclosures should be considered, beyond simply reciting education and work background. Consider proactive disclosure with respect to the reason that each individual has been elected to your board: diversity, different skill sets, domain experience, etc.

Management should be prepared to engage activist or institutional shareholders which are likely to have questions after year-end. Have you reviewed your corporate strategy against performance last year? How do you answer questions about your plans for capital expenditure and, particularly, use of excess cash which many corporations have been collecting? Is a share repurchase program actually the best use of company money, given recent analyses that suggest that shareholder value is not thereby enhanced, or is it simply a sign of lack of imagination as to how else to apply the capital?

This is also a good time to review your crisis plan, including identification of inside and outside teams, coverage of social media, and review of “hidden website” content which has been prepared to meet various crisis scenarios.

From a financial control standpoint, boards sometimes find themselves on a somewhat different wavelength from internal audit, which may be directing its attention to operational efficiency. The board’s role is to assure robust financial reporting. Has your board reached out to the internal audit function to make clear that internal financial control is to be given high priority? Has the board engaged its audit committee, or its risk committee, for a year-end review and projection of risks in context?

Other currently hot board topics include: should your CEO be your board chair or should the board chair position be independent (does your board want to undertake a renegotiation of the CEO contract, which likely says that the CEO also is to serve as chair?); what is your board’s approach to term limits or “aging out” of directors (might your board be reviewing the European approach, which views “independence” holistically and suggests that ten years of service by definition renders any board member no longer “independent” in a meaningful way?).

There will follow a post on the so-called SDX protocol, an organized effort to improve institutional investor access to independent board members.