Sarbanes Oxley News, Sarbanes Oxley Compliance ... · strategic objectives.” Prior to joining the PCAOB, Ms. Lee was Senior Vice President, General Counsel, and Corporate Secretary

P a g e | 1

Sarbanes Oxley Compliance Professionals Association (SOXCPA)

Sarbanes Oxley Compliance Professionals Association (SOXCPA) 1200 G Street NW Suite 800 Washington DC 20005-6705 USA Tel: 202-449-9750 Web: www.sarbanes-oxley-association.com

Sarbanes Oxley News, March 2019 Dear members and friends, Today we will start with the PCAOB’s standard-setting process.

The PCAOB seeks to establish and maintain high quality auditing and related professional practice standards for audits of public companies and other issuers, and broker-dealers, in support of the PCAOB mission to protect investors and further the public interest in the preparation of informative, accurate, and independent audit reports. The PCAOB Office of the Chief Auditor — working with other PCAOB offices and divisions — assists the Board in establishing and maintaining PCAOB standards. The PCAOB standard-setting activities include identifying current or emerging audit issues, developing the research agenda, and working on standard-setting projects. These are informed by a range of activities, such as the PCAOB's oversight activities, consultation with the Standing Advisory Group, input from the Investor Advisory Group, discussion with SEC staff, the work of other standard setters (for example, the International Auditing and Assurance Standards Board, the Financial Accounting Standards Board, and the International Accounting Standards Board), and other relevant inputs and developments. The PCAOB takes a priority-based approach to standard-related projects. The timing of each phase may vary from project to project, depending on the nature and scope of audit issues involved.

http://www.sarbanes-oxley-association.com/

http://www.sarbanes-oxley-association.com/

P a g e | 2


Understand Current or Emerging Audit Issues. The process begins with a PCAOB interdivisional team that performs an environmental scan to identify current or emerging audit issues and informs the Board about matters that potentially warrant changes to PCAOB standards or that warrant additional staff guidance. The interdivisional team continues to monitor current or emerging issues, including observations from oversight activities, that may merit further consideration. The evaluation of potential issues may result in a project being added to the PCAOB research agenda. Research Projects. For each research project, a PCAOB interdivisional research team is formed to perform research, outreach, and economic analysis to assess whether there is a need for changes to PCAOB standards; consider alternative regulatory responses; and, if standard setting is needed, evaluate the potential standard-setting scope and approaches. If standard setting is pursued, the project would be added to the standard-setting agenda. If standard setting is not pursued, consideration would be given to whether any other action is needed. For example, the PCAOB staff may prepare guidance regarding the application of existing PCAOB standards. In addition to the projects on the research agenda, the PCAOB also conducts monitoring activities in other areas that could impact audits or PCAOB standards (e.g., financial reporting fraud, auditor independence, and new accounting standards). Standard-Setting Projects. For each standard-setting project, the PCAOB solicits public comment on potential changes to standards before adopting

P a g e | 3


changes. Consideration of changes to standards also involves conducting an economic analysis and analyzing the potential impact of changes on audits of emerging growth companies. Staff Guidance on Economic Analysis in PCAOB Standard Setting (Feb. 14, 2014), was prepared to provide guidance to PCAOB staff involved in rulemaking. After the Board adopts changes to its standards, the changes must be approved by the SEC to become effective. Further information about the PCAOB's projects may be found at Research and Standard-Setting Projects. The descriptions of these projects posted on our website are prepared by the staff of the Office of the Chief Auditor, and are not statements of the PCAOB, nor do they necessarily reflect the views of the Board, individual Board members, or other staff.

P a g e | 4


PCAOB News

The Public Company Accounting Oversight Board announced it has named Eric Hagopian as its first Chief Data Officer. In this role, Mr. Hagopian will advance the PCAOB’s data management strategy and enhance the organizational approach to data management and analytics. "In 2018, the Board began to develop a formal organization-wide strategy related to our own use of data, which included the creation of a Chief Data Officer,” said PCAOB Chairman William D. Duhnke. “The Board is pleased to welcome Eric to the PCAOB, and we look forward to utilizing his deep experience in data governance, management, and analytics to enhance the effectiveness of our oversight activities.” Prior to joining the PCAOB, Mr. Hagopian served as the Director of Data Governance at CareFirst BlueCross BlueShield, where he was responsible for developing a data governance framework. Before joining CareFirst, Mr. Hagopian was a Chief Technologist for the Booze Allen Hamilton Strategic Innovation Group and he also spent several years as the Chief Data Officer for the U.S. Department of Homeland Security Immigration and Customs Enforcement. Throughout his career, Mr. Hagopian has served in a variety of technical and data analytics roles at a number of companies. Mr. Hagopian earned his master’s degree in applied information technology at the Volgenau School of Engineering at George Mason University and also holds a bachelor of science degree in mechanical engineering from Syracuse University’s L.C. Smith College of Engineering.

The Public Company Accounting Oversight Board also announced it has created a new Office of Enterprise Risk Management to implement the Board’s strategic objective of implementing an Enterprise Risk Management (ERM) program for the organization. The Office of Enterprise Risk Management will be led by Sue Lee who has been named the organization’s first Chief Risk Officer. Ms. Lee leads the PCAOB’s work to establish an ERM program and oversees the organization’s risk management, compliance, ethics, and security programs.

P a g e | 5


ERM is a framework used to identify potential events that may affect an organization, manage the associated risks and opportunities, and provide reasonable assurance that an organization’s mission, vision, and strategic objectives will be achieved. "In connection with our strategic planning process last year, the Board undertook an organizational assessment that revealed the need to transform our approach to risk management," said PCAOB Chairman William D. Duhnke. “The Board is fortunate to have Sue’s vast experience, leadership, and expertise as we work toward achieving one of our key strategic objectives.” Prior to joining the PCAOB, Ms. Lee was Senior Vice President, General Counsel, and Corporate Secretary of Entegris, Inc., a publicly traded chemicals and materials company. In this role, she managed the company’s legal, compliance, privacy, corporate governance, enterprise risk, and government affairs functions. Before joining Entegris, Ms. Lee was the Vice President, General Counsel, and Corporate Secretary for CYREN, Ltd., a publicly traded cybersecurity company. Ms. Lee has also served in various legal, compliance, and risk advisory roles at Fortune 500 companies, including Viacom and Genzyme, and was an attorney in New York City at the law firm Cleary Gottlieb Steen & Hamilton. She earned her bachelor’s and law degrees at Harvard University, where she graduated magna cum laude.

P a g e | 6


Recent economic developments and longer-term challenges Jerome H Powell, Chairman of the Board of Governors of the Federal Reserve System, at the Citizens Budget Commission 87th Annual Awards Dinner, New York City.

It is a pleasure to speak here this evening at the 87th Awards Dinner. Tonight I will start with the near-term outlook for the U.S. economy. Then I will turn to a topic that is inspired by the Citizens Budget Commission's mission statement, which focuses on the "well-being of future New Yorkers." I imagine that future New Yorkers attending this dinner in 50 years may not look back on the near-term outlook in February 2018 as very interesting or important. So, tonight, after a brief review of the here and now, I will focus on an issue that is likely to be of more lasting importance: the need for policies that will support and encourage participation in the labor force, promote longer-term growth in our rapidly evolving economy, and spread the benefits of prosperity as widely as possible.

The State of the Economy and Near-Term Prospects Beginning with the here and now, Congress has charged the Federal Reserve with achieving maximum employment and stable prices, two objectives that together are called the dual mandate. I am pleased to say that, judged against these goals, the economy is in a good place. The current economic expansion has been under way for almost 10 years. This long period of growth has pushed the unemployment rate down near historic lows.

P a g e | 7


The employment gains have been broad based across all racial and ethnic groups and all levels of educational attainment as well as among the disabled.

P a g e | 8


And while the unemployment rate for African Americans and Hispanics remains above the rates for whites and Asians, the disparities have narrowed appreciably as the economic expansion has continued. Nearly all job market indicators are better than a few years ago, and many are at their most favorable levels in decades. After lagging earlier in the expansion, wages and overall compensation--pay plus benefits--are now growing faster than a few years ago (figure 3). It is especially encouraging that the labor force participation rate of people in their prime working years, ages 25 to 54, has been rising for the past three years.

More plentiful jobs and rising wages are drawing more people into the workforce and encouraging others who might have left to stay. In addition, business-sector productivity growth, which had been disappointing during the expansion, moved up in the first three quarters of 2018. Rising productivity allows wages to increase without adding to inflation pressures. Sustained productivity growth is a necessary ingredient for longer-run improvements in living standards. The price stability side of our mandate is also in a good place. After remaining below our target for several years, inflation by our preferred measure averaged roughly 2 percent last year (figure 4).

P a g e | 9


Inflation has softened a bit since then, largely reflecting the recent drop in oil prices. Futures markets and other indicators suggest that oil prices are unlikely to fall further, and if this proves correct, oil’s drag on overall inflation will subside. Consistent with that view, core inflation, which excludes volatile food and energy prices and often provides a better signal of where inflation is heading, is currently running just a touch below our 2 percent objective. Signs of upward pressure on inflation appear muted despite the strong labor market. While the data I have discussed so far give a favorable picture of the economy, it is also important to acknowledge that not everyone has shared in the benefits of the expansion to the same extent, and that too many households still struggle to make ends meet. In addition, over the past few months we have seen some crosscurrents and conflicting signals about the near-term outlook. For instance, growth has slowed in some major economies, particularly China and Europe.

P a g e | 10


Uncertainty is elevated around some unresolved government policy issues, including Brexit and ongoing trade negotiations. And financial conditions have tightened since last fall. While most of the incoming domestic economic data have been solid, some surveys of business and consumer sentiment have moved lower. Unexpectedly weak retail sales data for December also give reason for caution. To read more: https://www.bis.org/review/r190301a.pdf

https://www.bis.org/review/r190301a.pdf

https://www.bis.org/review/r190301a.pdf

P a g e | 11


Regulation: A View from Inside the Machine Commissioner Hester M. Peirce, Remarks at Protecting the Public While Fostering Innovation and Entrepreneurship: First Principles for Optimal Regulation, University of Missouri School of Law

Thank you, Thom [Lambert], for that kind introduction. I am delighted to be part of this conference, but am sorry that I cannot be there in person. I had high expectations when I picked up Thom’s book on regulation shortly after it first came out several years ago. Those expectations were exceeded by the clear and compelling way in which the book wrestles with the difficulties faced by regulators as they seek to design regulations that solve problems without creating larger problems in the process. As the book explains, “regulation . . . always involves trade-offs. The $64,000 question is how policymakers should proceed to ensure that they strike those trade-offs in a manner that creates as much social welfare as possible.” I appreciate the book even more now that I am sitting in a regulator’s seat. Incidentally, as a regulator, I must give the standard disclaimer that the views I express today are my own and do not necessarily represent those of the Securities and Exchange Commission or my fellow Commissioners. Entrepreneurship and innovation do not have the happiest of relationships with regulation. Regulators get used to dealing with the existing players in an industry, and those players tend to have teams of people dedicated to dealing with regulators. Entrepreneurs trying to start something new are often much more focused on that new thing than on how it fits into a regulator’s dog-eared rulebook. Regulators, for their part, tend to be skeptical of change because its consequences are difficult to foresee and figuring out how it fits into existing regulatory frameworks is difficult.

P a g e | 12


Society, however, often pushes regulators to accept change. After all, society benefits from entrepreneurs’ imaginative approaches to solving problems and willingness to go out on a limb with a new idea. Society welcomes innovations that make our lives easier, more enjoyable, and more productive. In many sectors, therefore, entrepreneurship and innovation evoke overwhelmingly positive responses. In the financial industry, entrepreneurship and innovation do not always face such a warm reception. Financial innovations, for example, were fingered by some as the cause of the last financial crisis. Former Federal Reserve Chairman, Paul Volcker, in a negative post-crisis appraisal of financial innovation, concluded that: The most important financial innovation that I have seen the past 20 years is the automatic teller machine . . . . How many other innovations can you tell me of that have been as important to the individual as the automatic teller machine, which is more of a mechanical innovation than a financial one? I have found very little evidence that vast amounts of innovation in financial markets in recent years has had a visible effect on the productivity of the economy . . . . Some people might disagree with Chairman Volcker. Take for example the man who got stuck inside an ATM a couple years ago. In the course of repairing the machine, he got locked inside it. Without a cellphone or any other obvious way to contact the outside world, he was stuck. It is good that he thought to slip written pleas for help to undoubtedly baffled customers. Instead of a receipt, customers got a note reading “Please help. I’m stuck in here and I don’t have my phone. Please call my boss at . . . ” A customer heeded the call, and the police rescued the repairman. The moral of the story is that every innovation—even one that almost everyone agrees is good—carries with it some risk. Some people may get hurt by the innovation in ways we would never have imagined. Others may be helped by the innovation in ways we would never have imagined.

P a g e | 13


Some people will use the innovation in ways we wish they would not. We would be better off without some innovations, but we might not know that until after enough time has passed to see the harm they cause. In other instances, the true value of an innovation may not come to light for years. Technological progress in the financial industry offers the same mix of hope, promise, and risk that technological progress in other parts of our society offers. As regulators, therefore, we must allow innovation to proceed, even as we put in reasonable safeguards and watch for unanticipated consequences. The SEC’s attitude toward innovation is important because we regulate an industry that is a key gatekeeper for progress and productivity in the rest of the economy. The United States has benefited greatly from the relative importance of non-bank financing. Without the funds that the capital markets provide, companies in other sectors of the economy would not be able to explore new ideas and develop new products and processes. As a regulator, when I think about protecting the public, I think not only of protecting investors, but also of ensuring that the capital markets are able to serve the rest of the economy without undue barriers. Because of the central role the markets we regulate play in ensuring that the rest of the economy is funded, we need to be open to innovations that will make the capital markets function better and serve parts of the population that were previously not able to access those markets. Can we, for example, look for ways for unaccredited investors to pool their resources to invest in private companies? Can we change rules that mandate the use of outdated technology in, for example, our recordkeeping rules so that financial institutions can incorporate new technology and thus lower the costs of the services they provide? Can we allow more experimentation in the way that funds and investment advisers communicate with investors? Can we reexamine our assumptions about the types and methods of disclosure we require in light of the enormous changes in communication technology that have occurred since the federal securities laws were written in the 1930s?

P a g e | 14


Can we permit more issuer communication with investors, which perhaps could open the door to a back-and-forth style of disclosure facilitated by online chats and message boards? These and other innovations in the capital markets often require regulatory approvals or regulatory forbearance, both of which my agency historically has been slow to provide. The SEC now has a wonderful opportunity to consider its approach to innovation and entrepreneurship. We have just hired our first Advocate for Small Business Capital Formation, Martha Miller. She brings a much needed voice to an agency that has not been particularly open to thinking about the benefits that come from eliminating regulatory barriers to small issuers seeking capital. It is not the SEC’s job to shift capital flows toward small or emerging businesses; capital should flow to the companies—old, new, large, or small—that can best use it. We ought, however, to consider whether the rules we have in place have the effect of putting a thumb on the scale in favor of large and established companies. Having someone at the SEC whose job it is to ensure that the Commission is aware of the types of difficulties small companies face in the capital markets is an important step. Martha’s enthusiasm, knowledge, and experience suit her well for the important job she has taken on. The agency’s opportunity to rethink its approach to innovation also arises out of a decade of technological development related to blockchain and cryptocurrencies. This area has challenged many regulators around the world, and the SEC is certainly no exception. We, along with other regulators, are asking how existing rules apply in this space and whether a new regulatory framework would work better. If we act appropriately, we can enable innovation on this new frontier to proceed without compromising the objectives of our securities laws—protecting investors, facilitating capital formation, and ensuring fair, orderly, and efficient markets.

P a g e | 15


One of the things that makes regulating in this space challenging is that its very essence is decentralization. Decentralization is nothing new; it is at the root of our economic system; free markets draw on the talents and knowledge of people all across society to produce what society needs. No person or group of persons can serve as central coordinator because such a master planner would be inherently less smart and less plugged in than the market, composed as it is of diverse individuals communicating with one another in the brutally blunt language of prices. Yet, there is formal coordination too. Corporations, along with individuals, are key players in our markets. By joining together in a common enterprise, people are able to combine efforts and talents in ways that otherwise would not be possible. Our securities markets have thus grown up around markets composed of individuals and corporations. Corporations issue securities, make the attendant disclosures, and have other responsibilities under the securities laws. Our securities laws are designed with the assumption that every issuer has someone at the helm who can authoritatively disclose the relevant material information about the organization. Blockchain-based networks offer a new way of coordinating human action that does not fit as neatly within our securities framework. Satoshi Nakamoto, in the white paper that introduced bitcoin to the world, envisioned a “network [that] is robust in its unstructured simplicity.” Uncoordinated nodes work together toward a common end “with little coordination.” Other blockchain projects likewise seek to build networks that operate organically, without a central organizer. Some projects seek to facilitate various forms of authentication to replace traditional recordkeeping transactions or to allow individuals to interact without using trusted intermediaries. The objective of many of these blockchain projects is to build networks that run on diffuse contributions, rather than to create centralized entities that run networks. In the end, there may not be anyone steering the ship. Yet many of these projects begin in a centralized manner that looks about the same as any other start-up. A group of people get together to build

P a g e | 16


something and they need to find investors to fund their efforts so they sell securities, sometimes called tokens. The SEC applies existing securities laws to these securities offerings, which means that they must be conducted in accordance with the securities laws or under an exemption. When the tokens are not being sold as investment contracts, however, they are not securities at all. Tokens sold for use in a functioning network, rather than as investment contracts, fall outside the definition of securities. The Supreme Court’s Howey test, which sprang from a dispute about orange groves seven decades ago, is the tool the SEC uses for discerning whether or not something is an investment contract, which is a particular type of security that includes some token offerings. A case once only on the lips of eager law students is thus now the hot topic in crypto conversations. In a now famous speech, the SEC’s Director of Corporation Finance, Bill Hinman, explained how that case, along with Gary Plastics, has informed the SEC’s approach to digital assets. As Director Hinman noted in his speech, it is the nature of the transaction that determines whether an offering of securities has occurred, not the item being sold. The oranges in Howey were not securities standing on their own, nor were the groves in which they grew. By contrast, the overall package sold to investors—the “opportunity to contribute money and to share in the profits of a large citrus fruit enterprise managed and partly owned by [third parties]”—was a securities offering and therefore triggered federal securities law. Purchasers’ “respective shares in this enterprise are evidenced by land sales contracts and warranty deeds, which serve as a convenient method of determining the investors’ allocable shares of the profits. The resulting transfer of rights in land is purely incidental.” The Division of Corporation Finance therefore will look to the nature of a token sale to determine whether a securities offering has occurred, and not just at the qualities of the token itself. Director Hinman went on to explain, however, that because the token “all by itself is not a security, just as the orange groves in Howey were not,” a token sold in a securities offering might later be sold in a transaction that does not constitute a securities offering.

P a g e | 17


Once “a network becomes truly decentralized, the ability to identify an issuer or promoter to make the requisite disclosure becomes less meaningful” and offers and sales of tokens are no longer subject to the securities laws. Director Hinman’s speech has provided a useful framework within which people can analyze their token offerings in connection with the securities laws. The staff is working on some supplemental guidance to help people think through whether their crypto-fundraising efforts fall under the securities laws. There is also a standing offer for people to come in for so-called no-action relief in connection with a particular token or project. The applicant for no-action relief lays out the parameters of what it is trying to do, and the SEC staff can respond by saying that it would not recommend an enforcement action to the Commission based on the parameters set forth in the request for relief. Of course, the Commission also has spoken indirectly through a number of enforcement actions, which necessarily involved finding that the token offerings at issue were securities offerings. Enforcement actions are not my preferred method for setting expectations for people trying to figure out how to raise money. For this reason, it is important for the Commission, in conjunction with Congress and its fellow regulators, to offer something more concrete and carefully considered. While the application of the Howey test seems generally to make sense in this space, we need to tread carefully. Token offerings do not always map perfectly onto traditional securities offerings. For example, as a recent report from Coin Center noted, the decentralized nature of token offerings can mean that the capital raised through token sales may not be truly owned or controlled by a company. Functions traditionally completed by people designated as “issuers” or “promoters” under securities laws—which, importantly, bestow those roles with certain responsibilities and potential liabilities—may be performed by a number of unaffiliated people, or by no one at all. Additionally, I am worried that the application of the test will be overly broad. The Supreme Court in Howey embraced a “flexible rather than

P a g e | 18


static principle, one that is capable of adaptation,” an unwelcome phrase for people craving clarity. The subsequent application of the Supreme Court’s decision has further added to the ambiguity by diluting factors, such as the prong that asks whether the investors were anticipating “profits to come solely from the efforts of others.” “Solely” has gotten dropped in the application of this prong. In the years since Howey, many courts have instead focused on whether profits are derived in effect principally from the efforts of others. This approach has been formulated by one appellate court as a question of whether “the efforts made by those other than the investor are the undeniably significant ones, those essential managerial efforts which affect the failure or success of the enterprise.” More to the point, the Commission itself determined in 2017 that tokens issued by the DAO, a decentralized organization based on a distributed ledger, were securities despite the fact that token-holders had certain roles within the organization necessary to its operation. Given the role that individuals play in some token environments, either through mining, providing development services, or other tasks, the SEC must take care not to cast the Howey net so wide that it swallows the “efforts of others” prong entirely. In the realm of securities regulation, we often talk of the need for disclosure as a means of addressing information asymmetries between the issuers and the investors. The “efforts of others” prong of Howey aims at the heart of this problem. If the investors are not in control of the enterprise, that is, if they lack material information about the operation of the organization, they will need to obtain that information from those who are in control in order to make an informed investment decision. It is possible that some projects may simply not be able to work under the existing Howey framework and the applicable securities laws. One cryptocurrency project, Basis, has announced that it will shut down operations and return $133 million in capital to investors due to the difficulty—if not impossibility—of complying with securities regulations given the team’s vision for the project. I am not going to comment on what I think about the merits of any particular project or how the securities laws apply to it, but my antennae

P a g e | 19


will go up when apparently legitimate projects cannot proceed because our securities laws make them unworkable. Ambiguity is not all bad, of course. We might be able to draw clearer lines once we see more blockchain projects mature. Delay in drawing clear lines may actually allow more freedom for the technology to come into its own. Congress may resolve the ambiguities engendered by Howey by simply requiring that at least some digital assets be treated as a separate asset class. Congressmen Warren Davidson and Darren Soto recently introduced a bill in the House intended to amend the federal securities laws to do just that, provided that the token truly operated in a decentralized network. Such an approach would facilitate more tailored disclosure. Indeed there are others who have argued that, whether ICOs can fit within the definition of a securities offering does not answer the question of whether that is how we should regulate them. In a forthcoming paper, Georgetown Law professor Chris Brummer and his co-authors argue that ICOs have certain features that make the regulatory framework applicable to IPOs inappropriate. For example, changes to the blockchain may have outsized effects on certain tokens that depend on it. An investor may need to understand, for example, how the blockchain can be changed, and how those changes would affect the relevant token before she could fully appreciate the risks of investing in that crypto asset. There is also the fact that much of the relevant—in the terms of securities law, arguably “material”—information about a token is often found in a white paper. The terms of this paper may be highly technical and difficult for most investors to understand. In some cases, these white papers have not matched the tokens’ actual code. Whether this is due to honest error, as may be the fact in some cases, or outright fraud, as it has been in others, it raises a unique issue for regulators to address. Much as we regulators hate to admit it, we ought not to assume that absent the application of the securities laws to the world of tokens, there would never be any order. As Professor Lambert notes in his book, the disclosure approach built into the securities laws is designed to “prevent adverse selection by requiring informationally advantaged parties to share specified information with their counterparties.”

P a g e | 20


As he explains, however, even in the absence of government directives, the informationally advantaged party may not need the government to tell it to make disclosures. The market itself sends this message; disclosure is a way to signal quality, something you want to do when you are trying to convince someone to buy your product. After an initial period of unbridled enthusiasm over ICOs, cooler heads seem to be thinking about ways to assess ICOs—to separate the wheat from the chaff. Sponsors of ICOs that want to succeed will make voluntary disclosures to signal their quality. Disclosure will happen regardless of whether the securities disclosure regime applies to ICOs. Moreover, the platforms that trade cryptocurrencies can play a role in forcing such disclosures, much as the stock exchanges did before the securities laws took effect. Our interactions with cryptocurrencies are not limited to questions about the regulation of token sales and disclosures. Closely linked to the question of whether tokens are securities is the question of how the platforms on which tokens trade should be regulated. Some of these platforms want to register with us, and I am eager to make progress on this front. There are features of crypto trading platforms that may differ from exchanges or alternative trading systems designed for traditional securities. To identify how regulation may need to change to accommodate these differences we will need to improve our understanding of how the platforms operate. There is also great interest in exchange-traded products based on bitcoin or other cryptocurrencies. As I have mentioned in the past, I am concerned that our approach with respect to such products borders on merit-based regulation, which means that we are substituting our own judgment for that of potential investors in these products.

P a g e | 21


We rightfully fault investors for jumping blindly at anything labeled crypto, but at times we seem to be equally impulsive in running away from anything labeled crypto. We owe it to investors to be careful, but we also owe it to them not to define their investment universe with our preferences. I would like to conclude by drawing again from Professor Lambert’s book. His definition of “regulation” as “any threat-backed governmental directive aimed at fixing a defect in ‘private ordering’ . . .” reminds us of the gravity of the regulator’s task. Private ordering is the baseline because, as the book explains, “when property rights are well defined and transferable, and individuals are able to strike trustworthy exchange agreements, markets will emerge and channel productive resources to … [the] production of the goods and services individuals value most.” Regulation involves overruling private arrangements, substituting a government mandate, and imposing a penalty of some sort on people who fail to comply with that mandate. Given the potential consequences of doing these things, the regulator and the people on whose behalf it regulates must think carefully about whether and how regulation should be employed. That careful thinking, however, may mean frustration for the innovators hoping for quick answers about what the relevant regulations are. Channel that frustration by coming and talking to us about how you think we should approach these regulatory questions. Sometimes I feel like the repairman in the ATM sending slips of paper to the outside world asking for help. In my case, I am asking for help on getting the regulations right so that innovators and entrepreneurs can spend their time and attention on making better products, providing better services, and revolutionizing the way we interact with one another.

P a g e | 22


CCP resilience, recovery and resolution: completing the journey towards resilient derivatives markets Deutsche Bundesbank, European Central Bank and the Federal Reserve Bank of Chicago Conference on CCP Risk Management, Frankfurt Remarks by Dietrich Domanski, Secretary General, Financial Stability Board

Ladies and gentlemen, it is good to be here today. The Deutsche Bundesbank, European Central Bank and the Federal Reserve Bank of Chicago have shown real leadership in convening this conference. Today’s agenda shows that we have come a long way in reforming derivatives markets. Almost ten years ago, at the Pittsburgh Summit in September 2009, G20 Leaders declared that all standardised over-the-counter (OTC) derivative contracts should be traded on exchanges or electronic trading platforms, where appropriate, and cleared through central counterparties. The declaration made central clearing an essential element of the reforms to reduce the complex and opaque web of exposures that existed between derivatives counterparties. Since then, we have put in place a framework to fundamentally reform derivatives markets. This includes measures related to central clearing, but also policies to enhance the transparency and resilience of markets for non-centrally cleared derivatives, through trade reporting and margin requirements. Yet derivatives markets reform is only one key area of post-crisis regulatory efforts. There is also significant progress in making the banking system more resilient; implementation of too-big-to-fail reforms is advancing, including via the establishment of effective resolution regimes for banks; and those aspects of non-bank financial intermediation that contributed to the financial crisis have declined significantly and generally no longer pose financial stability risks.

P a g e | 23


But, as today’s conference shows, important issues still lie ahead. What I would like to do in my remarks is to put CCP-related reforms into perspective – by looking back at what we have accomplished, and discuss what remains to be done from the perspective of the FSB; and by relating CCP-related policy measures to progress in other areas.

What we have accomplished? CCPs have become central to the global financial system Let me begin with a few simple numbers that illustrate how central CCPs have become for the financial system. In 2009, the clearing level was around 24% for interest rate derivatives and just 5% for credit derivatives. By June 2018 these levels had risen to approximately 62% for interest rate derivatives and 37% for credit derivatives. Today, 90% of new OTC single currency interest rate derivatives are now centrally cleared in the US. This impressive shift has been accompanied by the enhancement of legislative or regulatory frameworks to promote central clearing. Such frameworks, including comprehensive standards for determining when OTC derivatives should be required to be centrally cleared, are now in place in 18 FSB jurisdictions. Our latest annual report shows a continued broadening of the range of asset classes that are centrally cleared. Policy measures to promote central clearing are working. Last year, the FSB, Basel Committee on Banking Supervision (BCBS), Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO) published the results of its evaluation of the incentives to centrally clear OTC derivatives. The report found that the reforms – particularly capital requirements, clearing mandates and margin requirements for non-centrally cleared derivatives – are achieving the goal of promoting central clearing, especially for the most systemic market participants. However, the report also found that beyond the systemic core of the derivatives network of CCPs, dealers/clearing service providers and larger, more active clients, the incentives are less strong.

P a g e | 24


Significant work has been devoted to CCP resilience, recovery and resolvability The shift to central clearing has made CCPs both larger and more systemic. Cognizant of their even more central role in the financial system, authorities have made significant efforts to ensure that CCPs are safe and sound. The CPMI-IOSCO Principles for Financial Market Infrastructures (PFMI) are a milestone in this regard. In July 2017, the FSB working with CPMI, IOSCO and the BCBS completed a workplan on CCP resilience, recovery and resolvability. The three reports coming out of the workplan provide guidance on a broad range of issues: • CPMI and IOSCO set out further guidance on the PFMI regarding resilience of CCPs, in particular on governance, credit and liquidity stress testing, coverage, margin, and a CCP’s contributions of its financial resources to losses. • CPMI and IOSCO also updated their 2014 guidance on recovery for financial market infrastructures to provide clarifications in a number of areas including the operationalisation of recovery plans and non-default related losses. • And the FSB published guidance on how to implement its Key Attributes in resolution arrangements for CCPs. To read more: http://www.fsb.org/wp-content/uploads/S270219.pdf

http://www.fsb.org/wp-content/uploads/S270219.pdf

http://www.fsb.org/wp-content/uploads/S270219.pdf

P a g e | 25


RAND Releases Report Commissioned by DHS on Building an Effective and Practical National Approach to Terrorism Prevention

The Homeland Security Operational Analysis Center (HSOAC), operated for the Department of Homeland Security by the RAND Corporation, has released a new report on how to build an effective and practical national approach to terrorism prevention. The report, commissioned by the Department of Homeland Security, examines past terrorism prevention efforts and makes recommendations for future programs. “As threats from terrorism evolve, our understanding of prevention also has to evolve,” said Assistant Secretary for Threat Prevention and Security Elizabeth Neumann. “In addition to the DHS internal review of prevention efforts, the Department asked the RAND Corporation for a third party assessment. I am pleased to share with the American people the highlights of their findings and to discuss steps we are taking as a Department to further enhance the security of our homeland.” The report highlights various areas of terrorism prevention, including: - Successful community education efforts by DHS; - Countering terrorist narratives through public-private partnerships; - Robust systems inside government for suspicious-activity reporting,

and the need for a uniform mechanism for making interventions for referral by the public;

- How spending on terrorism prevention in the U.S. compares with some

of our partners; - The role of state, local, nongovernmental and private organizations in

leading prevention efforts, with support from the federal government; and,

- The importance of addressing domestic as well as international

terrorism in prevention programs.

P a g e | 26


Assistant Secretary Neumann has announced the release of the report at an event hosted by The Heritage Foundation. To watch her remarks: https://www.heritage.org/terrorism/event/building-effective-approach-terrorism-prevention The full report: https://www.rand.org/pubs/research_reports/RR2647.html

https://www.heritage.org/terrorism/event/building-effective-approach-terrorism-prevention




https://www.rand.org/pubs/research_reports/RR2647.html

https://www.rand.org/pubs/research_reports/RR2647.html

P a g e | 27


Written testimony of CISA Director Christopher Krebs for a House Committee on Homeland Security hearing titled “Defending Our Democracy: Building Partnerships to Protect America’s Elections”

Chairman Thompson, Ranking Member Rogers, and members of the Committee, thank you for the opportunity to testify regarding the U.S. Department of Homeland Security’s (DHS) progress in reducing and mitigating risks to our Nation’s election infrastructure. DHS has worked to establish trust-based partnerships with state and local officials who administer our elections, and I look forward to sharing with you an update on our work during the 2018 midterm election cycle. Leading up to the 2018 midterms, DHS worked hand in hand with federal partners, state and local election officials, and private sector vendors to provide them with information and capabilities to enable them to better defend their infrastructure. This partnership led to a successful model that we aim to continue and improve upon in the 2020 election cycle. Since 2016, DHS’s Cybersecurity and Infrastructure Security Agency (CISA) has led a voluntary partnership of Federal Government and election officials who regularly share cybersecurity risk information. CISA has engaged directly with election officials—coordinating requests for assistance, risk mitigation, information sharing, and incident response. To ensure a coordinated approach, CISA convened stakeholders from across the Federal Government through the Election Task Force. The Department and the Election Assistance Commission (EAC) have convened federal government and election officials regularly to share cybersecurity risk information and to determine an effective means of assistance. Since 2016, the Election Infrastructure Subsector (EIS) Government Coordinating Council (GCC) has worked to establish goals and objectives,

P a g e | 28


to develop plans for the EIS partnership, and to lay the groundwork for developing an EIS Sector-Specific Plan. Participation in the council is entirely voluntary and does not change the fundamental role of state and local jurisdictions in overseeing elections. DHS and the EAC have also worked with election vendors to launch an industry-led Sector Coordinating Council (SCC), a self-organized, self-run, and self-governed council with leadership designated by sector membership. The SCC serves as the industry’s principal entity for coordinating with the Federal Government on critical infrastructure security activities related to sector-specific strategies. This collaboration is conducted under DHS’s authority to provide a forum in which federal and private sector entities can jointly engage in a broad spectrum of activities to coordinate critical infrastructure security and resilience efforts which is used in each of the critical infrastructure sectors established under Presidential Policy Directive 21, Critical Infrastructure Security and Resilience. The SCC has helped DHS further its understanding of the systems, processes, and relationships particular to operation of the EIS. Within the context of today’s hearing, I will address our efforts in 2018 to help enhance the security of elections that are administered by jurisdictions around the country, along with our election related priorities through 2020. While there was activity targeting our election infrastructure leading up to the midterms, this activity is similar to what we have seen previously and occurs on the Internet every day. This activity has not been attributed to nation-state actors and along with the Department of Justice (DOJ), we concluded that there is no evidence to date that any identified activities of a foreign government or foreign agent had a material impact on the integrity or security of election infrastructure or political or campaign infrastructure used in the 2018 midterm elections

Assessing the Threat The Department regularly coordinates with the Intelligence Community and law enforcement partners on potential threats to the Homeland. Among non-federal partners, DHS has engaged with state and local officials, as well as relevant private sector entities, to assess the scale and

P a g e | 29


scope of malicious cyber activity potentially targeting the U.S. election infrastructure. Election infrastructure includes the information and communications technology, capabilities, physical assets, and technologies that enable the registration and validation of voters; the casting, transmission, tabulation, and reporting of votes; and the certification, auditing, and verification of elections. In addition to working directly with state and local officials over the past two years, we have partnered with trusted third parties to analyze relevant cyber data, including the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), the National Association of Secretaries of State, and the National Association of State Election Directors. DHS field personnel deployed around the country furthered information sharing and enhanced outreach.

Enhancing Security During the 2018 midterms, CISA provided a coordinated response from DHS and its federal partners to plan for, prepare for, and mitigate risk to election infrastructure. Working with election infrastructure stakeholders was essential to ensuring a more secure election. CISA and our stakeholders increased awareness of potential vulnerabilities and provided capabilities to enhance the security of U.S. election infrastructure as well as that of our democratic allies. Election officials across the country have a long-standing history of working both individually and collectively to reduce risks and ensure the integrity of their elections. In partnering with these officials through both new and ongoing engagements, CISA will continue to work to provide value-added—yet voluntary—services to support their efforts to secure elections in the 2020 election cycle.

Improving Coordination with State, Local, Tribal, Territorial and Private Sector Partners Increasingly, the nation’s election infrastructure leverages information technology for efficiency and convenience, but also exposes systems to cybersecurity risks, just like in any other enterprise environment.

P a g e | 30


Just like with other sectors, CISA helps stakeholders in federal departments and agencies, state, local, tribal, and territorial (SLTT) governments, and the private sector to manage these cybersecurity risks. Consistent with our long-standing partnerships with state and local governments, we have been working with election officials to share information about cybersecurity risks, and to provide voluntary resources and technical assistance. CISA works with the EI-ISAC to provide threat and vulnerability information to state and local officials. Through funding by CISA, the Center for Internet Security created and continues to operate the EI-ISAC. The EI-ISAC has representatives co-located with CISA’s National Cybersecurity and Communications Integration Center (NCCIC) to enable regular collaboration and access to information and services for election officials.

Providing Technical Assistance and Sharing Information Knowing what to do when a security incident happens—whether physical or cyber—before it happens, is critical. CISA supports election officials with incident response planning including participating in exercises and reviewing incident response playbooks. Crisis communications is a core component of these efforts, ensuring officials are able to communicate transparently and authoritatively when an incident unfolds. In some cases, we do this directly with state and local jurisdictions. In others, we partner with outside organizations. We recognize that securing our nation’s systems is a shared responsibility, and we are leveraging partnerships to advance that mission. CISA actively promotes a range of services including: Cyber hygiene service for Internet-facing systems: Through this automated, remote scan, CISA provides a report identifying vulnerabilities and mitigation recommendations to improve the cybersecurity of systems connected to the Internet, such as online voter registration systems, election night reporting systems, and other Internet-connected election management systems. Risk and vulnerability assessments: We have prioritized state and local election systems upon request, and increased the availability of risk and vulnerability assessments. These in-depth, on-site evaluations include a system-wide understanding of vulnerabilities, focused on both internal and

P a g e | 31


external systems. We provide a full report of vulnerabilities and recommended mitigations following the testing. Incident response assistance: We encourage election officials to report suspected malicious cyber activity to NCCIC. Upon request, the NCCIC can provide assistance in identifying and remediating a cyber incident. Information reported to the NCCIC is also critical to the Federal Government’s ability to broadly assess malicious attempts to infiltrate election systems. This technical information will also be shared with other state officials so they have the ability to defend their own systems from similar malicious activity. Information sharing: CISA maintains numerous platforms and services to share relevant information on cyber incidents. Election officials may also receive information directly from the NCCIC. The NCCIC also works with the EI-ISAC, allowing election officials to connect with the EI-ISAC or their State Chief Information Officer to rapidly receive information they can use to protect their systems. Best practices, cyber threat information, and technical indicators, some of which had been previously classified, have been shared with election officials in thousands of state and local jurisdictions. In all cases, the information sharing and use of such cybersecurity threat indicators, or information related to cybersecurity risks and incidents complies with applicable lawful restrictions on its collection and use and with DHS policies protective of privacy and civil liberties. Classified information sharing: To most effectively share information with all of our partners—not just those with security clearances—DHS works with the intelligence community to rapidly declassify relevant intelligence or provide as much intelligence as possible at the lowest classification level possible. While DHS prioritizes declassifying information to the extent possible, DHS also provides classified information to cleared stakeholders, as appropriate. DHS has been working with state chief election officials and additional election staff in each state to provide them with security clearances. Field-based cybersecurity advisors and protective security advisors: CISA has more than 130 cybersecurity and protective security personnel available to provide actionable information and connect election officials to a range of tools and resources to improve the cybersecurity preparedness of election systems; and to secure the physical site security of voting machine storage and polling places. These advisors are also available to assist with planning and incident management for both cyber and physical incidents. Physical and protective security tools, training, and resources: CISA provides guidance and tools to improve the security of polling sites and

P a g e | 32


other physical election infrastructure. This guidance can be found at www.dhs.gov/hometown-security. This guidance helps to train administrative and volunteer staff on identifying and reporting suspicious activities, active shooter scenarios, and what to do if they suspect an improvised explosive device.

Election Security Efforts Leading up to the 2018 Midterms In the weeks leading up to the 2018 midterm elections, DHS officials supported a high degree of preparedness nationwide. DHS provided free technical cybersecurity assistance, continuous information sharing, and expertise to election offices and campaigns. EI-ISAC threat alerts were shared with all 50 states, over 1,400 local and territorial election offices, 6 election associations, and 12 election venders. In August 2018, DHS hosted a “Tabletop the Vote” exercise, a three-day, first-of-its-kind exercise to assist our federal partners, state and local election officials, and private sector vendors in identifying best practices and areas for improvement in cyber incident planning, preparedness, identification, response, and recovery. Through tabletop simulation of a realistic incident scenario, exercise participants discussed and explored potential impacts to voter confidence, voting operations, and the integrity of elections. Partners for this exercise included 44 states and the District of Columbia; EAC; Department of Defense, including the Office of the Secretary of Defense, U.S. Cyber Command, and the National Security Agency; DOJ; Federal Bureau of Investigation; Office of the Director of National Intelligence; and National Institute of Standards and Technology (NIST). Through the “Last Mile Initiative,” DHS worked closely with state and local governments to outline critical cybersecurity actions that should be implemented at the county level. For political campaigns, DHS disseminated a cybersecurity best practices checklist to help candidates and their teams better secure their devices and systems. On Election Day, DHS deployed field staff across the country to maintain situational awareness and connect election officials to appropriate incident response professionals, if needed. In many cases, these field staff were co-located with election officials in their own security operations centers. DHS also hosted the National Cybersecurity Situational Awareness Room, an online portal for state and local election officials and vendors that facilitates rapid sharing of information. It gives election officials virtual access to the 24/7 operational watch floor of the CISA NCCIC. This setup

P a g e | 33


allowed DHS to monitor potential threats across multiple states at once and respond in a rapid fashion. Our goal has been for the American people to enter the voting booth with the confidence that their vote counts and is counted correctly. I am proud to say that our efforts over the past two years have resulted in the most secure election in modern history.

No Evidence of Election Interference The Secretary of Homeland Security and the Acting Attorney General have concluded that there is no evidence to date that any identified activities of a foreign government or foreign agent had a material impact on the integrity or security of election infrastructure or political or campaign infrastructure used in the 2018 midterm elections for the United States Congress. The activity we did see was consistent with what we shared in the weeks leading up to the election. Russia, and other foreign countries, including China and Iran, conducted influence activities and messaging campaigns targeted at the United States to promote their strategic interests.

Election Security Efforts Moving Forward Ensuring the security of our electoral process remains a vital national interest and one of our highest priorities at DHS. In the run up to the 2020 election season, DHS will continue to prioritize elections by broadening the reach and depth of information sharing and assistance that we are providing to state and local election officials, and continuing to share information on threats and mitigation tactics. DHS goals for the 2020 election cycle include improving the efficiency and effectiveness of election audits, continued incentivizing the patching of election systems, and working with the National Institute of Standards and Technology (NIST) and the states to develop cybersecurity profiles utilizing the NIST Cybersecurity Framework for Improving Critical Infrastructure. We will also continue to engage any political entity that wants our help. DHS offers these entities the same tools and resources that we offer to state and local election officials, including trainings, cyber hygiene support, information sharing, and other resources. DHS has made tremendous strides and has been committed to working collaboratively with those on the front lines of administering our elections to secure election infrastructure from risks.

P a g e | 34


Just last week, DHS officials provided updates to the secretaries of state, state election directors, and members of the GCC and SCC on the full package of election security resources that are available from the Federal government, along with a roadmap on how to improve coordination across these entities. DHS also worked with our Intelligence Community partners to provide a classified one day read-in for these individuals regarding the current threats facing our election infrastructure. We will remain transparent as well as agile in combating and securing our physical and cyber infrastructure. However, we recognize that there is a significant technology deficit across SLTT governments, and state and local election systems, in particular. It will take significant and continual investment to ensure that election systems across the nation are upgraded and secure, with vulnerable systems retired. These efforts require a whole of government approach. The President and this Administration are committed to addressing these risks. Our voting infrastructure is diverse, subject to local control, and has many checks and balances. As the threat environment evolves, DHS will continue to work with federal agencies, state and local partners, and private sector entities to enhance our understanding of the threat; and to make essential physical and cybersecurity tools and resources available to the public and private sectors to increase security and resiliency. Thank you for the opportunity to appear before the Committee today, and I look forward to your questions.

Note

Christopher Krebs serves as the first director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). Mr. Krebs was originally sworn in on June 15, 2018 as the Under Secretary for the predecessor of CISA, the National Protection and Programs Directorate (NPPD). Mr. Krebs was nominated for that position by President Trump in February 2018. Before serving as CISA Director, Mr. Krebs was appointed in August 2017 as the Assistant Secretary for Infrastructure Protection. In the absence of a permanent NPPD Under Secretary at the time, Mr. Krebs took on the role of serving as the Senior Official Performing the Duties of the Under

P a g e | 35


Secretary for NPPD until he was subsequently nominated as the Under Secretary and confirmed by the Senate the following year. Mr. Krebs joined DHS in March 2017, first serving as Senior Counselor to the Secretary, where he advised DHS leadership on a range of cybersecurity, critical infrastructure, and national resilience issues. Prior to coming to DHS, he was a member of Microsoft’s U.S. Government Affairs team as the Director for Cybersecurity Policy, where he led Microsoft’s U.S. policy work on cybersecurity and technology issues. Before Microsoft, Mr. Krebs advised industry and Federal, State, and local government customers on a range of cybersecurity and risk management issues. This is his second tour working at DHS, previously serving as the Senior Advisor to the Assistant Secretary for Infrastructure Protection and playing a formative role in a number of national and international risk management programs. As Director, Mr. Krebs oversees CISA’s efforts to defend civilian networks, secure federal facilities, manage systemic risk to National critical functions, and work with stakeholders to raise the security baseline of the Nation’s cyber and physical infrastructure. Mr. Krebs holds a bachelor’s degree in environmental sciences from the University of Virginia and a J.D. from the Antonin Scalia Law School at George Mason University.

P a g e | 36


Festivus, Fortnite, and Focus: Remarks before the Council of Institutional Investors Spring Conference Commissioner Hester M. Peirce, Securities and Exchange Commission (SEC)

Thank you, Mary [Francis], for that kind introduction and for the opportunity to be here today. Before I begin, I will give my standard disclaimer. The comments I make today represent my own views and not necessarily those of the Commission or my fellow Commissioners. I consider it a great honor to have some time with you here this morning. You represent such an important group of participants in our markets with an aggregate of approximately $4 trillion dollars in member assets under management invested in the markets. You bring remarkable sophistication and great wisdom to the job of investing and you do so on behalf of many Americans. Your views, therefore, on how we can make our capital markets function even better than they already do are of real interest to me. Institutional investors are the market’s repeat, long-term, and bulk players. Costs that are not important to the occasional investor add up to amounts that matter greatly to investors that trade frequently or in large size. It is helpful for me to know, for example, the types of information you find to be material in making decisions about where to trade. More generally, your voices are very important in discussions about whether and how to change market structure in both the equity and the fixed income markets. In particular, you have emphasized the importance of market transparency in our thinking about effective market structure. Institutional investors have a deep interest in the functioning of our proxy system, a matter of great interest to the present Commission. We appreciate your participation in our recent roundtable on the proxy process. As long-term investors, CII members have a particular interest in building effective mechanisms for shareholders to vote and communicate with the boards of companies in which they invest.

P a g e | 37


I am especially interested in how innovation, including innovation in technology, can solve problems. I therefore appreciate CII’s suggestions regarding the use of blockchain technology to track proxy voting and address other concerns in that process. In addition to advocating systemic changes, you have made some suggestions for “near term improvements,” including recommending changes to assure vote confirmation. I especially welcome your thoughts when they are different from my own. For example, while I remain skeptical of the value of the mandatory use of a universal proxy card, I realize that you, among others, disagree with me and I find your thoughtful advocacy in favor of universal proxy cards to be helpful as I seek to fully think through the issue. With the engagement of investors of all sizes and types, the Commission is thinking about ways that we can refine our offering and disclosure regime. Just last month, for example, we proposed extending the popular “testing the waters” provision to all issuers, a change we hope will facilitate a more efficient and easily navigable public offering process. Other recent initiatives include extending the Regulation A exemption to all issuers, including reporting companies; expanding the definition of smaller reporting company; and conducting a broad sweep of existing disclosure requirements to weed out those that have become redundant or outdated. While these regulatory efforts, we hope, will help smooth the path for registrants, we expect investors also to reap considerable benefits from reductions in the regulatory costs that issuers pass on to investors and from expanded investment opportunities. CII is an active participant in our disclosure reform efforts, and your comments on our proposals are consistently well-thought out and therefore valuable in helping to crystalize the issues we are trying to address. In your letter last year, for example, commenting on the SEC’s latest strategic plan, you provided helpful feedback on the value of modernizing EDGAR and improving data tagging. Because I have concerns about the costs and drawbacks of embedding specific technology in rules, your positive response to our use of XBRL is especially valuable to me.

P a g e | 38


Does the use of such tagging create efficiencies we should embrace? Does it, for example, make it possible to reduce the duplication of certain types of disclosure? As you know, our Division of Corporation Finance has been looking hard at ways to streamline the disclosure process, and we have also found useful your input regarding our specific disclosure reform initiatives. Hearing your thoughts about whether a particular disclosure requirement is important to your members in their investment decision-making is helpful as we work through this process. For example, we have proposed rule changes to the disclosures required for guarantors and issuers of guaranteed securities, and you have laid out in a comment letter some of your concerns about the breadth of that rule proposal. We also have proposed changes to the auditor independence rules that we hope will train our regulatory attention on those relationships that actually impair independence while filtering out immaterial transactions. Again, I appreciate your comment letter, which recommends, among other things, that we take an alternative approach to addressing the problem the proposal identifies. Another disclosure initiative, under the FAST Act, has us rethinking certain disclosure requirements under Regulation S-K, and you have provided some specific feedback on our proposal. Your voice in other areas of debate is similarly valuable. For example, I have been interested to hear your thoughts in the ongoing debate over the use of dual-class shares. I am typically reluctant to interfere in the relationship between shareholders and issuers unless necessary. Your objections to the use of dual-class shares will undoubtedly echo loudly in the ears of issuers contemplating such an offering; given your position, you wield considerable influence and therefore will be essential in shaping the ongoing debate. Your joint op-ed with the Business Roundtable yesterday in the New York Times on stock buybacks was similarly welcome. I agree with what you have said elsewhere on the subject: “Tying companies’ hands on capital allocation could lead executives to pour money into wasteful businesses that falter or fail to create additional jobs.”

P a g e | 39


Of course, as the op-ed points out, the money spent on buybacks does not evaporate; it is often invested by shareholders in other companies that need capital more than the company executing the buyback. That reinvestment in a higher use creates a benefit that inures to investors and to society more broadly. Whether there may be instances in which a buyback is not in the interests of the company as a whole is a different question, and one that I am happy that shareholders like you are taking on. I tend to trust market forces, and shareholders’ responses to board decisions are key drivers of capital market efficiency. Speeches are not very interesting if they only focus on points of agreement and appreciation. I am therefore going to borrow a line from the famous Airing of Grievances scene in Seinfeld’s Festivus episode: “I got a lot of problems with you people, and now you’re gonna hear about it.” When George Costanza’s father made that statement, it was clear that he valued the recipients of the critiques he proceeded to mete out. Before delineating my grievances, therefore, I will reiterate my gratitude to you for the role you play in thinking through some of the most difficult issues in financial regulation and corporate governance. I will continue to look to you for advice. What then do I have to complain about? My concerns are mainly ones of focus. I recently had a conversation with a boy who shares an obsession with many other children his age—the video game Fortnite. He described to me how much he enjoyed long stretches of playing the game, which I found surprising given that he is a great athlete and generally one of the most active boys I have ever met. Indeed, if I had just a tenth of his energy, I would be champing at the bit to reverse every last delegation of authority to the SEC staff just so I would have enough to do. How is it, then, that a boy who has so much energy can sit still in the virtual world of Fortnite? How is it that this simulated environment can drown out the real distractions around him? Clearly, the designers of that game and others like it have figured out how to concentrate the mind on objects of their own making. Indeed, as a child, I whiled away many hours playing the flat, unsophisticated videogames of that era, so I can certainly see how inviting today’s games, with their

P a g e | 40


fascinating, multidimensional worlds—and, incidentally, expenditure of real dollars to get a leg-up on competitors—must be. I see a parallel in today’s investment world. Many investors these days seem focused on non-investment matters at the expense of concentration on a sound allocation of resources to their highest and best use. Real dollars are being poured into adhering to an amorphous and shifting set of virtue markers. I do not want the SEC to become an enabler of this shift in focus. The pressure, however, to get on the bandwagon and drag others with us is pretty intense. We are being asked more and more to shift securities disclosure to focus more on matters that do not go to an assessment of how effectively companies are putting investor money to work. Indeed, in some instances, we are being asked to make it harder for companies to use their resources effectively. I will talk about several examples, but my list is only illustrative of a broader trend that concerns me because I do not think it is consistent with investor protection. To start with a very recent example, I have concerns about CII’s position with respect to the Johnson & Johnson shareholder proposal. As you know, a Johnson & Johnson shareholder submitted a proposal that, if approved, would have started the process to shift shareholder disputes with the company to mandatory arbitration. Johnson & Johnson sought the SEC staff’s concurrence under Rule 14a-8 with the company’s decision not to include the proposal in its proxy. While that request was pending, the New Jersey Attorney General submitted a letter stating that adoption of the proposal would violate New Jersey state law. CII also submitted a letter stating that “shareholder arbitration clauses in public company governing documents reflect a potential threat to principles of sound governance.” Deferring to the Attorney General’s interpretation of his own State’s law, the SEC staff granted the company permission to reject the proposal. The staff did note that the “parties could seek a more definitive determination from a court of competent jurisdiction.”

P a g e | 41


Without engaging on the issue of any particular state’s law, I will say that the New Jersey A.G.’s letter does not help us to confront how federal law would interact with a bylaw provision like the one proposed. Since 1925, arbitration in the U.S. has been subject to the Federal Arbitration Act. This law, according to the U.S. Supreme Court, “declared a national policy favoring arbitration and withdrew the power of the states to require a judicial forum for the resolution of claims which the contracting parties agree to resolve by arbitration.” Although states have periodically challenged the Act’s preemption when applied to mandatory arbitration clauses in other contexts, in the dozen or so such cases that have come before the Supreme Court, the Court has consistently held that the Act forbids states from holding arbitration clauses unenforceable. Were the matter at hand to make its way through the courts, given the Supreme Court precedent, the Federal Arbitration Act might be held to preempt any state law prohibiting mandatory arbitration provisions. I will leave the judges to decide that question, but what of the policy of mandatory arbitration? CII argues that “shareowner arbitration clauses in public company governing documents represent a potential threat to principles of sound corporate governance that balance the rights of shareowners against the responsibility of corporate managers to run the business.” Among your worries is the non-public nature of arbitration and thus the absence of a “deterrent effect.” Other observers likewise have argued that arbitration deprives shareholders of the full panoply of options available in a judicial forum and, depending on how such clauses are crafted, can deprive them of the ability to join together in a class action. Arbitration is also conducted privately with no publication of how the case was decided and on what grounds. The problem is that these class actions are rarely decided on the merits. Instead, the cost of litigating is so great that companies often settle to be free of the cost and hassle of the lawsuit. Settlements are rarely public and certainly involve no publication of broadly applicable legal findings. Additionally, such suits can depress shareholder value since they often result in costly payouts to make the suit go away that do not inure to the benefit of shareholders.

P a g e | 42


Indeed, the cost of defending and settling these suits is a substantial cost of being a public company. The result is that the company’s shareholders are ultimately harmed by the very option intended to protect them: first by the company’s diversion of resources to defend often meritless litigation, and second by the resulting decline in the value of their shares. Case law remains untouched, and the shareholders not involved in the process have no idea what happened. A big chunk of shareholder money typically goes to nice payouts for the lawyers involved. All that is not to say that I would insist on mandatory arbitration provisions for all companies. That would not be an appropriate exercise of our investor protection mandate. If shareholders value the ability to bring class actions, they can divert their investments to companies that offer such options. I am sure that CII’s preferences will be well-attended by issuers seeking your investment money. I trust that shareholders like you are more than capable of handling the matter without our intervention. Let us turn now to the broader question of shareholder proposals. CII has recently argued against changing our current Rule 14a-8. By contrast, I see a clear need for reform in this area. The current thresholds permit, indeed encourage, a handful of shareholders to put forward proposals that incur considerable costs borne by all shareholders. Shareholders are able to submit losing proposals over and over again. In recent years, many of these proposals are not even related to core corporate governance issues, but instead promote a tiny group of shareholders’ personal political and social preferences. Ultimately, many companies faced with a proposal, even one that reflects the idiosyncratic preferences of a small number of shareholders, may resort to negotiating backroom deals with the proponents. These deals may not be in the best interest of the company and thus of the other shareholders who have not been part of the process. In other instances, companies come to us, as Johnson & Johnson did, for our staff’s assent to the company’s exclusion of a shareholder proposal from their proxy.

P a g e | 43


The opportunity cost of our staff’s having to deal with these proposals is enormous. The staff must review and respond to company requests to reject numerous proposals that have no chance of succeeding were they put to a vote. The time staff spend on such activities must necessarily detract from time they could otherwise spend on more useful endeavors, such as rulemaking and reviewing disclosures, both of which provide more benefit to a greater number of investors. Moreover, the 14a-8 process foists staff into an inappropriate policymaking role. For these reasons, I believe fundamental reform in this area is important. Now let us turn to another area where we may not see eye to eye—the push for new types of disclosure. While I much prefer our disclosure-based regime for capital markets regulation over other potential models, such as a regime based on merit-review, the opportunity to, in the words of former SEC Commissioner Dan Gallagher, “hijack” our disclosure apparatus for unintended purposes, can cause considerable mischief. CII, for example, has supported efforts to require companies to disclose information about board members’ personal characteristics. The SEC staff did just that a couple weeks ago. The Division of Corporation Finance put out new compliance and disclosure guidance related to disclosures of board qualifications. In its Compliance and Disclosure Interpretations, the staff states that: To the extent a board or nominating committee in determining the specific experience, qualifications, attributes, or skills of an individual for board membership has considered the self-identified diversity characteristics referred to above (e.g., race, gender, ethnicity, religion, nationality, disability, sexual orientation, or cultural background) of an individual who has consented to the company's disclosure of those characteristics, we would expect that the company's discussion required by Item 401 would include, but not necessarily be limited to, identifying those characteristics and how they were considered. Similarly, in these circumstances, we would expect any description of diversity policies followed by the company under Item 407 would include a discussion of how the company considers the self-identified diversity attributes of nominees as well as any other qualifications its diversity

P a g e | 44


policy takes into account, such as diverse work experiences, military service, or socio-economic or demographic characteristics. Despite the emphasis on self-identification, I worry that this staff “expectation” will work with other pressures to force reticent board members and nominees to divulge personal details they would prefer to keep private. I hope that I am wrong. A person who does not want to share his sexual orientation, religion, or ethnic background with the world may face pressure to do just that in order to allow the company to get “credit” for having a diverse board. What happens when a person decides to convert to a different religion or discovers that she has a different ethnic or cultural heritage than she previously understood? Would these changes require her to notify the board for potential reconsideration of her board membership? Will decisions that are, for some people, of an intensely personal nature suddenly become the stuff of 8-Ks? I hope that I do not have to say that I believe that there are immensely qualified people of all backgrounds who make excellent corporate directors. Our corporations, along with the rest of our institutions, benefit from being able to draw from a population that is rich in its diversity. I am simply worried that making directors’ personal characteristics an item of expected disclosure may have unintended consequences, among them invasion of board members’ privacy and an undue focus on personal features that may have little relation to talent as a director. Institutional investors also have been a strong voice in favor of regulation that supports the incorporation of environmental, social, and governance (“ESG”) in investing. The International Organization of Securities Commissions, or “IOSCO,” issued a statement on ESG investing in January. The statement directed issuers to consider whether ESG factors—which are not defined—should be included in their disclosures, endorsed the use of private disclosure frameworks purportedly designed to get at these factors, and suggested that some disclosures now being made voluntarily under these frameworks should be incorporated into these disclosures. You may have noticed that the SEC did not vote on the statement and so did not sign on. As I said at the beginning of my remarks, I do not speak for the Commission or for my fellow commissioners, but I found the statement to

P a g e | 45


be an objectionable attempt to focus issuers’ on a favored subset of matters, as defined by private creators of ESG metrics, rather than more generally on material matters. The U.S. securities laws already provide for material disclosures. Explicit consideration of ESG factors must therefore require something more than what is already contemplated by our laws and by our long-standing definition of “materiality.” Issuers already spend considerable amounts of money complying with existing disclosure requirements. Requiring disclosures aimed at items identified by organizations that are not accountable to investors unproductively distracts issuers. When the SEC is asked to concentrate on issues other than protecting investors, facilitating capital formation, and fostering fair, orderly, and efficient markets, our focus shifts away from our mission. We have important work to do. We still have rulemaking to complete under Title VII of Dodd-Frank related to the securities-based swaps markets. As I mentioned earlier, we have proxy reform on our agenda. We have proposed Regulation Best Interest to finalize. We are working on updating our regulation of transfer agents. We have more work to do in the public offering and IPO markets and on market structure reforms. These are all hefty rulemakings and require considerable effort on the part of our talented and dedicated staff and those of you outside the agency who share your thoughts and experiences with us. We are fully engaged focusing on our existing mission. I do not believe that investors are best-served when our staff is distracted by matters unrelated to our core mission. Thank for your patience in listening to me today. I suspect that I have not convinced at least some of you, but I want to reiterate how grateful I am that you are willing to have these kinds of conversations with me and my fellow regulators. I enjoy hearing from people with interesting ideas that do not always match squarely with my own. Even when we do not agree, I learn from you.

P a g e | 46


To that end, I now would like to hear what you have to say. I am happy to take questions, comments, and critiques. In other words, it is now time for the Feats of Strength portion of the holiday—until you pin me, metaphorically of course, Festivus is not over.

P a g e | 47


A Privacy-Focused Vision for Social Networking

My focus for the last couple of years has been understanding and addressing the biggest challenges facing Facebook. This means taking positions on important issues concerning the future of the internet. In this note, I'll outline our vision and principles around building a privacy-focused messaging and social networking platform. There's a lot to do here, and we're committed to working openly and consulting with experts across society as we develop this.

•••

Over the last 15 years, Facebook and Instagram have helped people connect with friends, communities, and interests in the digital equivalent of a town square. But people increasingly also want to connect privately in the digital equivalent of the living room. As I think about the future of the internet, I believe a privacy-focused communications platform will become even more important than today's open platforms. Privacy gives people the freedom to be themselves and connect more naturally, which is why we build social networks. Today we already see that private messaging, ephemeral stories, and small groups are by far the fastest growing areas of online communication. There are a number of reasons for this. Many people prefer the intimacy of communicating one-on-one or with just a few friends. People are more cautious of having a permanent record of what they've shared. And we all expect to be able to do things like payments privately and securely. Public social networks will continue to be very important in people's lives -- for connecting with everyone you know, discovering new people, ideas and content, and giving people a voice more broadly. People find these valuable every day, and there are still a lot of useful services to build on top of them. But now, with all the ways people also want to interact privately, there's also an opportunity to build a simpler platform that's focused on privacy first.

P a g e | 48


I understand that many people don't think Facebook can or would even want to build this kind of privacy-focused platform -- because frankly we don't currently have a strong reputation for building privacy protective services, and we've historically focused on tools for more open sharing. But we've repeatedly shown that we can evolve to build the services that people really want, including in private messaging and stories. I believe the future of communication will increasingly shift to private, encrypted services where people can be confident what they say to each other stays secure and their messages and content won't stick around forever. This is the future I hope we will help bring about. We plan to build this the way we've developed WhatsApp: focus on the most fundamental and private use case -- messaging -- make it as secure as possible, and then build more ways for people to interact on top of that, including calls, video chats, groups, stories, businesses, payments, commerce, and ultimately a platform for many other kinds of private services. This privacy-focused platform will be built around several principles: Private interactions. People should have simple, intimate places where they have clear control over who can communicate with them and confidence that no one else can access what they share. Encryption. People's private communications should be secure. End-to-end encryption prevents anyone -- including us -- from seeing what people share on our services. Reducing Permanence. People should be comfortable being themselves, and should not have to worry about what they share coming back to hurt them later. So we won't keep messages or stories around for longer than necessary to deliver the service or longer than people want them. Safety. People should expect that we will do everything we can to keep them safe on our services within the limits of what's possible in an encrypted service. Interoperability. People should be able to use any of our apps to reach their friends, and they should be able to communicate across networks easily and securely. Secure data storage. People should expect that we won't store sensitive data in countries with weak records on human rights like privacy and freedom of expression in order to protect data from being improperly accessed.

P a g e | 49


Over the next few years, we plan to rebuild more of our services around these ideas. The decisions we'll face along the way will mean taking positions on important issues concerning the future of the internet. We understand there are a lot of tradeoffs to get right, and we're committed to consulting with experts and discussing the best way forward. This will take some time, but we're not going to develop this major change in our direction behind closed doors. We're going to do this as openly and collaboratively as we can because many of these issues affect different parts of society. To read more: https://www.facebook.com/notes/mark-zuckerberg/a-privacy-focused-vision-for-social-networking/10156700570096634/

https://www.facebook.com/notes/mark-zuckerberg/a-privacy-focused-vision-for-social-networking/10156700570096634/




P a g e | 50


How Equifax neglected cybersecurity and suffered a devastating data breach United States Senate, PERMANENT SUBCOMMITTEE ON INVESTIGATIONS, Committee on Homeland Security and Governmental Affairs

The effects of data breaches are often long-lasting and challenging to reverse. Victims who have had their sensitive personal or financial information stolen by hackers can be left with years of expense and hassle. No type of entity or sector of the economy has been immune to data breaches. In 2018 alone, Google+, Facebook, Ticketfly, T-Mobile, Orbitz, Saks, Lord & Taylor, and Marriott all announced significant breaches. The importance of protecting personally identifiable information (“PII”) grows with every successive data breach. Consumers and businesses are well aware of the need to safeguard items like driver’s licenses, credit cards, and financial records that criminals can use to their advantage. Consumers also understand the need to protect information like online passwords, pin numbers, and Social Security numbers. But a consumer taking appropriate care of this information may not be enough to keep PII out of the hands of criminal hackers. In the modern world, businesses collect and compile data about their customers and potential customers.

P a g e | 51


Without proper precautions, this information can be stored or transmitted in ways that leave it vulnerable to theft. The information collected by consumer reporting agencies (“CRAs”) to compile credit reports is one example of PII that must be protected. This information includes a consumer’s name, nicknames, date of birth, Social Security number, telephone numbers, and current and former addresses. Credit reports also typically include a list of all open and closed credit accounts, account balances, account payment histories, and the names of creditors. The information tells the story of a consumer’s financial life and can determine whether they can rent an apartment, buy a car, or qualify for a home loan. If stolen, criminals can use it to do significant financial harm. The steps CRAs take to safeguard consumers’ credit histories are extremely important. If that information is compromised, consumers should know to be on heightened alert to monitor their finances and mitigate any potential damage. In 2017, one of the largest CRAs, Equifax Inc. (“Equifax”) announced that it had suffered a data breach that involved the PII of over 145 million Americans. The Subcommittee investigated the causes of this breach to identify ways to prevent future incidents of this scope. The Subcommittee also reviewed the efforts of Equifax’s two largest competitors, Experian plc (“Experian”) and TransUnion LLC (“TransUnion”), in responding to the vulnerability that ultimately led to the Equifax data breach. Highlights of the Subcommittee’s investigative results, including findings and recommendations, are provided below. Equifax Failed to Prioritize Cybersecurity. Equifax had no standalone written corporate policy governing the patching of known cyber vulnerabilities until 2015. After implementing this policy, Equifax conducted an audit of its patch management efforts, which identified a backlog of over 8,500 known vulnerabilities that had not been patched. This included more than 1,000 vulnerabilities the auditors deemed critical, high, or medium risks that were found on systems that could be accessed

P a g e | 52


by individuals from outside of Equifax’s information technology (“IT”) networks. The audit report concluded, among other things, that Equifax did not abide by the schedule for addressing vulnerabilities mandated by its own patching policy. It also found that the company had a reactive approach to installing patches and used what the auditors called an “honor system” for patching that failed to ensure that patches were installed. The audit report also noted that Equifax lacked a comprehensive IT asset inventory, meaning it lacked a complete understanding of the assets it owned. This made it difficult, if not impossible, for Equifax to know if vulnerabilities existed on its networks. If a vulnerability cannot be found, it cannot be patched. Equifax never conducted another audit after the 2015 audit and left several of the issues identified in the 2015 audit report unaddressed in the months leading up to the 2017 data breach. Equifax Could Not Follow Its Own Policies in Patching the Vulnerability That Ultimately Caused the Breach. Equifax’s patching policy required the company’s IT department to patch critical vulnerabilities within 48 hours. The company’s security staff learned of a critical vulnerability in certain versions of Apache Struts – a widely-used piece of web application software – on March 8, 2017, from the U.S. Computer Emergency Readiness Team at the U.S. Department of Homeland Security. The National Institute of Standards and Technology gave the vulnerability the highest criticality score possible; it was widely known that the vulnerability was easy to exploit. Equifax employees circulated news of the vulnerability through an internal alert the next day that went to a list of more than 400 company employees. Equifax held monthly meetings to discuss cyber threats and vulnerabilities, but senior managers did not routinely attend these meetings and follow-up was limited. The Apache Struts vulnerability was discussed during the March 2017 and April 2017 meetings, but not discussed at any subsequent monthly meetings.

P a g e | 53


The Subcommittee interviewed the leadership of the Equifax IT and security staffs and learned that none of them regularly attended these monthly meetings or specifically recalled attending the March 2017 meeting. In addition, the Chief Information Officer (“CIO”), who oversaw the IT department during 2017, referred to patching as a “lower level responsibility that was six levels down” from him. Equifax Failed to Locate and Patch Apache Struts. The Equifax developer who was aware of Equifax’s use of Apache Struts software was not included in the 400-person email distribution list used to circulate information on the vulnerability. The developer’s manager, however, was on the distribution list and received the alert, but failed to forward it to the developer or anyone on the developer’s team. As a result, the key developer never received the alert. Equifax added application owners to the list after the breach. The Subcommittee also learned that Equifax developers were individually responsible for subscribing to push notifications from software vendors about security vulnerabilities. The developer who knew of the company’s use of Apache Struts software was not subscribed to notifications from Apache and did not receive any alerts about the vulnerability. On March 14, 2017 – nearly a week after the Apache Struts vulnerability was disclosed – Equifax added new rules to the company’s intrusion prevention system intended to help it thwart efforts to exploit the vulnerability. With these new protections in place, Equifax believed it had the ability to identify and block exploit attempts and did block several attempts the same day the rules were installed. None of Equifax’s subsequent scans identified the vulnerable version of Apache Struts running on Equifax’s network. And since Equifax lacked a comprehensive inventory of its IT assets, it did not know that the vulnerable version of Apache Struts remained on its system. The Damage Done by the Hackers Could Have Been Minimized. Equifax was unable to detect attackers entering its networks because it failed to take the steps necessary to see incoming malicious traffic online.

P a g e | 54


Website owners install Secure Sockets Layer (“SSL”) certificates to protect and encrypt online interactions with their servers. If an SSL certificate expires, transactions are no longer protected. As part of an IT management effort unrelated to the Apache Struts vulnerability, Equifax installed dozens of new SSL certificates on the night of July 29, 2017, to replace certificates that had expired. This included a new certificate for the expired SSL certificate for its online dispute portal. The SSL certificate needed to be up-to-date to properly monitor the online dispute portal, but had expired eight months earlier in November 2016. Almost immediately after updating the SSL certificate, company employees observed suspicious internet traffic from its online dispute portal that they were able to trace to an IP address in China, a country where Equifax does not operate. After blocking the IP address, Equifax observed similar traffic the following day to another IP address that appeared to be connected to a Chinese entity and decided to take the online dispute portal offline. Equifax later determined that the hackers first gained access to Equifax’s system through the online dispute portal on May 13, 2017, meaning the hackers had 78 days to maneuver undetected. Equifax confirmed to the Subcommittee that the Apache Struts vulnerability facilitated the data breach that began in May 2017. Equifax Waited Six Weeks Before Notifying. Once inside Equifax’s online dispute portal, the hackers also accessed other Equifax databases as they searched for other systems containing PII. They eventually found a data repository that also contained unencrypted usernames and passwords that allowed the hackers to access additional Equifax databases. The information accessed primarily included names, Social Security numbers, birth dates, addresses, and, in some instances, driver’s license and credit card numbers. The usernames and passwords the hackers found were saved on a file share by Equifax employees. Equifax told the Subcommittee that it decided to structure its networks this way due to its effort to support efficient business operations rather than security protocols.

P a g e | 55


In addition, Equifax did not have basic tools in place to detect and identify changes to files, a protection which would have generated real-time alerts and detected the unauthorized changes the hackers were making. Equifax Waited Six Weeks Before Notifying the Public It Was Breached. Equifax employees discovered the suspicious activity that was later determined to be a data breach on July 29, 2017. Equifax’s then-Chief Executive Officer, Richard Smith, learned of the breach on July 31 and that consumer PII maintained by Equifax had likely been stolen on August 15, 2017. Mr. Smith waited until August 22 to begin notifying members of Equifax’s Board of Directors. Equifax publicly announced the data breach on September 7, six weeks after learning of it and nearly four months after the hackers entered Equifax’s networks. Because Equifax was unaware of all the assets it owned, unable to patch the Apache Struts vulnerability, and unable to detect attacks on key portions of its network, for months consumers were unaware that criminals had obtained their most sensitive personal and financial information and that they should take steps to protect themselves from fraud. Equifax officials say the company chose to notify the public only after determining every single individual impacted by the breach. To read the paper: https://www.hsgac.senate.gov/imo/media/doc/FINAL%20Equifax%20Report.pdf

https://www.hsgac.senate.gov/imo/media/doc/FINAL%20Equifax%20Report.pdf




P a g e | 56


Disclaimer The Association tries to enhance public access to information about risk and compliance management. Our goal is to keep this information timely and accurate. If errors are brought to our attention, we will try to correct them. This information: - is of a general nature only and is not intended to address the specific circumstances of any particular individual or entity; - should not be relied on in the particular context of enforcement or similar regulatory action; - is not necessarily comprehensive, complete, or up to date; - is sometimes linked to external sites over which the Association has no control and for which the Association assumes no responsibility; - is not professional or legal advice (if you need specific advice, you should always consult a suitably qualified professional); - is in no way constitutive of an interpretative document; - does not prejudge the position that the relevant authorities might decide to take on the same matters if developments, including Court rulings, were to lead it to revise some of the views expressed here; - does not prejudge the interpretation that the Courts might place on the matters at issue. Please note that it cannot be guaranteed that these information and documents exactly reproduce officially adopted texts. It is our goal to minimize disruption caused by technical errors. However some data or information may have been created or structured in files or formats that are not error-free and we cannot guarantee that our service will not be interrupted or otherwise affected by such problems. The Association accepts no responsibility with regard to such problems incurred as a result of using this site or any linked external sites.

P a g e | 57


Sarbanes Oxley Compliance Professionals Association (SOXCPA) 1. Membership - Become a standard, premium or lifetime member. You may visit: www.sarbanes-oxley-association.com/How_to_become_member.htm 2. Monthly Updates - Subscribe to receive (at no cost) Sarbanes-Oxley related alerts, opportunities, updates and our monthly newsletter:

http://forms.aweber.com/form/30/1922348130.htm 3. Training and Certification - Become a Certified Sarbanes Oxley Expert (CSOE). You must follow the steps described at: www.sarbanes-oxley-association.com/Distance_Learning_and_Certification.htm For instructor-led training, you may contact us. We can tailor all programs to your needs. 4. Authorized Certified Trainer, Certified Sarbanes Oxley Expert Trainer Program (SOXCPA-ACT / CSOET) - Become an ACT. This is an additional advantage on your resume, serving as a third-party endorsement to your knowledge and experience. Certificates are important when being considered for a promotion or other career opportunities. You give the necessary assurance that you have the knowledge and skills to accept more responsibility. To learn more: www.sarbanes-oxley-association.com/SOXCPA_Authorized_Certified_Trainer.html

http://www.sarbanes-oxley-association.com/SOXCPA_Authorized_Certified_Trainer.html

http://www.sarbanes-oxley-association.com/How_to_become_member.htm

http://www.sarbanes-oxley-association.com/How_to_become_member.htm

http://forms.aweber.com/form/30/1922348130.htm

http://forms.aweber.com/form/30/1922348130.htm

http://www.sarbanes-oxley-association.com/Distance_Learning_and_Certification.htm








Documents

Sarbanes Oxley News, Sarbanes Oxley Compliance ... · strategic objectives.” Prior to joining the PCAOB, Ms. Lee was Senior Vice President, General Counsel, and Corporate Secretary