
Regulation part of NVCA plan to restore liquidity

March 6, 2010


Regulatory review is one of four key recommendations made Wednesday by the National Venture Capital Association at its annual meeting in Boston. In Part 2 of The Deal’s Behind the Money video conversation with NVCA president Mark Heesen, we talk about the regulatory climate for VC.

“The last decade has been characterized by a series of broad sweeping regulations aimed at curbing serious abuses within the financial system but fraught with unintended consequences for small pre-public and public companies,” says Heesen, pointing to the Sarbanes-Oxley Act of 2002, the Global Settlement and Regulation Fair Disclosure of 2000 as the chief culprits. “The NVCA strongly supports regulation and protecting investors where necessary but does not support a ‘one-size-fits-all’ regulatory approach,” Heesen says.

After months of soliciting input from leaders in all aspects of technology dealmaking, the NVCA outlined remedies for addressing the capital markets crisis for US venture-backed companies. The proposals ask venture capitalists, investment banks, accounting firms, law firms, stock exchanges and the federal government to consider a variety of steps, including new ways to link buyers and sellers of private company stock, using a wider variety of service providers including investment banks and accounting firms, and pushing for tax policies that could boost VC investment. (Pipeline subscribers can learn more about the NVCA’s recommendations here.)

Watch the video below or download it from iTunes. Click here for Part 1 of our video conversation with NVCA president Mark Heesen, in which he talks about the lack of exits for venture-backed companies.


Audit Committees: Regulation and Practice

March 2, 2010

Product Description

To help companies comply with the recently enacted requirements, the authors have compiled this edition as a working volume on audit committees for everyday use by corporate audit committee members, directors, general counsel, outside counsel and legal scholars specializing in this area of corporate governance, among others.

This thoroughly new edition includes all the materials one might need to consult in order to create, maintain, advise and/or serve on a well-functioning audit committee, including:
  • the relevant provisions of the Sarbanes-Oxley Act
  • the newly adopted SEC rules and regulations impacting audit committee independence, duties, powers and disclosures
  • the revised listing standards of the New York Stock Exchange, NASDAQ and the American Stock Exchange relating to audit committee composition, responsibilities and functions

It also contains an illustrative selection of “best practices” for audit committee chairs and members. For the convenience of the reader, the authors have included an index that is designed to identify the location of information by subject matter that may not be readily apparent from the Table of Contents.



Sarbanes-Oxley regulation effective without harming investor value

February 26, 2010


Sarbanes-Oxley, the law passed after the Enron scandal, proved effective without harming investors, according to new research by Stephan Siegel, assistant professor of finance at the Foster School of Business; Lance Young, assistant professor of finance and Neal and Jan Dempsey Faculty Fellow at the Foster School; Jefferson Duarte, associate professor of real estate finance at Rice University; and Katie Kong, a doctoral student at the Foster School.


Online Compliance and Government Regulation

February 24, 2010

With business being conducted more and more online, and the Internet having primary relevance in today’s society, comes a need for regulation and protection in a way never needed before. As new ways of doing business online grow, so do the dangers and attacks on vulnerable users. We are seeing not only encryption technology and certificate authorities but also government rules and regulations imposed upon businesses to protect their customers and information.

With all the regulations set either by government or by credit card companies to help protect the consumer, the business or the government, it’s easy to get confused as to who is doing what. So here are just some of the protections put into place:

1. Payment Card Industry Data Security Standard (PCI DSS)
Identity theft has been on the rise with the ease of stealing credit card information. Of the approximately 650,000 complaints about fraud that the U.S. Federal Trade Commission received each year in the period 2004 to 2006, identity theft accounted for a consistent 35% to 36%.

In 2005, the world’s biggest credit card issuers, including MasterCard, Visa, American Express, Discover, and the JCB International Credit Card Company, formed a consortium for the purpose of establishing adequate and consistent data security measures that must be used by all merchants, banks, and service providers that store, process, or transmit cardholder data.

These requirements apply not only to data in motion but also data at rest in databases, Web servers, and applications that store and/or process credit card data. PCI DSS also requires that crypto keys and their transmissions and storage be effectively managed. While not mandated by the standard, it is also recommended that organizations provide visibility into the SSL traffic to detect threats and employ Web gateway solutions that offer SSL scanning and policy enforcement for encrypted traffic.

All merchants and service providers must perform a quarterly network scan. The penalties for violators are severe. They may face higher processing fees or, in more severe cases, can even be barred from using or processing PCI member credit cards at all. In extreme cases, credit card companies issue substantial fines. Visa, for example, levies penalties of up to $500,000 for each instance of non-compliance while American Express fines merchants up to $15,000 per day.

2. HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) of 1996, which affects all health-related organizations in the United States, was originally intended to protect health insurance coverage when workers changed or lost their jobs. In 2005 the HIPAA Security Rule took effect, adding a new set of standards for the electronic maintenance and transmission of protected health information (PHI), meaning information about the health status, provision of health care, or payment for health care that can be linked to a specific individual. To assure the security of patient-related data, HIPAA regulations require health plans, healthcare clearinghouses, and healthcare providers to protect and secure any individually identifiable health-related information, including that which is stored or transmitted electronically. To ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI), HIPAA provides a uniform level of protection for all health information that is housed or transmitted electronically and that pertains to an individual. Specifically, health care organizations are required to ensure the confidentiality, integrity, and availability of all electronic protected health information; to protect against threats to the security or integrity of such information and against unauthorized disclosure or use of protected health information; and to educate the entire workforce on achieving compliance.

The penalties for violating HIPAA requirements can be quite severe, for example:
  • Each instance of unauthorized disclosure by a health care provider is punishable by fines ranging from $10,000 to $25,000
  • Each instance of intentional unauthorized disclosure is punishable by fines ranging from $100,000 to $250,000 and possible jail time
  • Although certainly not part of HIPAA itself, the most severe penalty of all might be exposure to lawsuits from the individual whose private medical information is revealed in violation of HIPAA requirements

3. Sarbanes-Oxley
The Public Company Accounting Reform and Investor Protection Act of 2002, commonly known as “Sarbanes-Oxley” or “SOX”, was enacted in response to the flood of headline-dominating financial transgressions at companies such as Enron, Arthur Andersen, and WorldCom that led not only to their downfall but to a serious decline in stock markets and the economic health of the United States. In a nutshell, it was too easy for a company to “cook the books” and for executives to line their pockets at the expense of shareholders while claiming ignorance. SOX greatly tightened restrictions on the methods companies can use for maintaining and reporting financial data, and on their financial processes generally. SOX is enforced by the U.S. Securities and Exchange Commission (SEC). While SOX does not specifically mandate the use of encryption in maintaining or transmitting information, it does require that institutions maintain tight control over access to their sensitive financial data.

The Information Technology Governance Institute (ITGI), a group created to assist companies with IT governance, has created a set of security-related recommendations for helping with SOX compliance. One of them is to employ SSL or similar encryption to secure IP connections whenever passwords or other sensitive data may traverse the link.

Another is to use digital certificates whenever financial information is moved between systems.

One control that follows from SOX’s internal-control requirements, as an embezzlement preventative, is that no single individual in a company should be in a position to both initiate and approve any given payment, a so-called segregation of duties requirement. It is therefore very important for companies to be able to prove the identity of the author of key communications such as emails that have to do with making or receiving payments, and to be able to state with certainty that they have not been tampered with. Digital signatures are ideal for this purpose: a signature made with a key that only the approver holds both binds the message to that person and fails to verify if any byte of the message is changed afterward.
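The following is an added illustration of the two properties just described, not code from the original article, from Neon Enterprise Software or from the ITGI guidance it cites. It uses Ed25519 from Go’s standard library as the signature scheme (the article’s “digital certificates” in practice usually means S/MIME over X.509, but the check is the same); the PaymentOrder fields, the names alice and bob, the in-memory key directory and the sample order are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// PaymentOrder is a constructed stand-in for the "make or receive a payment"
// communication the article describes. Field names are assumptions.
type PaymentOrder struct {
	Requester string // person who initiated the payment
	Approver  string // person whose signature authorises it (must differ)
	Payee     string
	AmountUSD int64
	Memo      string
}

// canonical returns the exact bytes that get signed. A fixed field order and a
// version prefix mean signer and verifier hash the same message; the verifier
// rebuilds it from the order it received, so any edited field breaks the
// signature. (Fields are assumed not to contain the '|' separator.)
func (p PaymentOrder) canonical() []byte {
	return []byte(fmt.Sprintf("v1|%s|%s|%s|%d|%s",
		p.Requester, p.Approver, p.Payee, p.AmountUSD, p.Memo))
}

// NewKeyPair generates an Ed25519 key pair. In practice the private key would
// live on the approver's smart card or HSM, never on the mail server.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS entropy source is unavailable
	}
	return pub, priv
}

// Sign produces the approver's signature over the canonical order.
func Sign(priv ed25519.PrivateKey, p PaymentOrder) []byte {
	return ed25519.Sign(priv, p.canonical())
}

// Verify reports whether sig was made with the private half of pub over
// exactly this order (same amount, same payee, same approver name).
func Verify(pub ed25519.PublicKey, p PaymentOrder, sig []byte) bool {
	return ed25519.Verify(pub, p.canonical(), sig)
}

// Directory maps a person to their registered public key; a deployment would
// back this with an internal CA or key server, here it is an in-memory map.
type Directory map[string]ed25519.PublicKey

var (
	ErrSameIndividual = errors.New("requester and approver are the same person (segregation of duties)")
	ErrBadSignature   = errors.New("signature invalid, message altered, or not signed with the approver's key")
)

// CheckApproval enforces both properties before a payment is released: two
// different people were involved, and the approval provably came from the
// named approver over an unaltered order.
func CheckApproval(dir Directory, p PaymentOrder, approvalSig []byte) error {
	if p.Requester == p.Approver {
		return ErrSameIndividual
	}
	pub, ok := dir[p.Approver]
	if !ok {
		return fmt.Errorf("no registered key for approver %q", p.Approver)
	}
	if !Verify(pub, p, approvalSig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	alicePub, alicePriv := NewKeyPair()
	bobPub, bobPriv := NewKeyPair()
	dir := Directory{"alice": alicePub, "bob": bobPub}

	order := PaymentOrder{Requester: "bob", Approver: "alice",
		Payee: "Example Vendor Ltd", AmountUSD: 12000, Memo: "invoice 4711"}
	sig := Sign(alicePriv, order)
	fmt.Println("genuine approval:", CheckApproval(dir, order, sig))

	// Someone edits the amount after alice signed: the signature no longer verifies.
	tampered := order
	tampered.AmountUSD = 120000
	fmt.Println("amount altered:  ", CheckApproval(dir, tampered, sig))

	// bob approves his own request with his own key: rejected before any crypto runs.
	self := order
	self.Approver = "bob"
	fmt.Println("self-approval:   ", CheckApproval(dir, self, Sign(bobPriv, self)))

	// bob leaves alice named as approver but can only sign with his own key.
	fmt.Println("forged approver: ", CheckApproval(dir, order, Sign(bobPriv, order)))
}
```

The design point is that the verifier never trusts the approver name in the message by itself: it looks the name up in its own directory and checks the signature against that key, so naming someone else as approver buys an attacker nothing unless they also hold that person’s private key.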

SOX compliance is a major issue for virtually any publicly traded firm and is the subject of untold numbers of hours spent in company meetings. Its provisions are still not completely understood by many firms, but everyone involved does understand one thing: SOX is very serious business and a breach can lead to detrimental consequences. Penalties include large fines and jail terms, in addition to damaged public images for the executives involved, their employers, and the brand. With consequences this severe and so much ill-defined, many companies are going beyond the letter of the law and incorporating technologies such as strong encryption (for example Server Gated Cryptography, SGC) that can clearly help demonstrate compliance with the spirit of the law.

4. FISMA
The Federal Information Security Management Act of 2002 (FISMA) is a U.S. federal government law intended to bolster computer and network security within the government and affiliated parties such as government contractors by mandating yearly audits. It requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information management systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. The information contained on RFID tags, which sometimes contains sensitive data, is one major application area.

The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) have issued a series of standards collectively known as “ISO27K” that provide best-practice guidance on Information Security Management Systems (ISMS) for protection of confidential information, including the use of encryption. As voluntary international standards, the ISO27K recommendations are not enforceable in themselves, so compliance with the standards is not legally required. However, they make a number of recommendations on achieving compliance with laws, regulations, contractual obligations, and internal or external security requirements.

5. Gramm-Leach-Bliley Act
The Financial Modernization Act of 1999, also known as the “Gramm-Leach-Bliley (GLB) Act,” is intended to protect consumers’ personal financial information held by financial institutions including banks, securities firms, insurance companies, credit card agencies and other companies that provide services such as lending, brokering, or servicing any type of consumer loan; transferring or safeguarding money; preparing individual tax returns; providing financial advice or credit counseling; providing residential real estate settlement services; and collecting consumer debts. It covers organizations issuing such personal information as well as those receiving it.

The member agencies of the Federal Financial Institutions Examination Council (FFIEC) also have power to investigate institutions and enforce compliance with GLB Act rules, and they expect the FFIEC’s guidance to be followed. If an institution employs weak or no encryption, it carries the burden of demonstrating to its examiners that it is nonetheless fulfilling its information safeguarding obligations.

6. Department of Defense Directive 8100.2
The Department of Defense Directive 8100.2, in effect since 2004, defines mandatory security policies for the use of wireless technologies within the DoD Global Information Grid. Its main purpose is to protect DoD computer networks from the security vulnerabilities introduced via wireless networks. The directive applies to all DoD employees as well as visitors to DoD facilities. It also applies to contractors and others who have access to DoD information.

The directive requires that all data sent to or from wireless devices, as well as all VoIP packets, be encrypted. It also requires that the encryption technology comply with FIPS 140-2 Level 1 or Level 2, which validate the cryptographic module rather than mandating a particular encryption strength. In addition it specifies that all DoD components ensure that robust, standards-based, FIPS 140-validated authentication and encryption are used in their wireless infrastructure and security technology, including new technologies that emerge in the future.

Stephen J. Richards has 25 years experience in Data Management and Information Technology. This information is provided as a public service by Neon Enterprise Software, a leading provider of IMS outsourcing. For more information, please visit http://www.neonesoft.com.


Securities Regulation: Accounting for the Cost of SOX

February 23, 2010

Regulation in the U.S. financial markets is objectively a rigid and mechanical process: statutes and codes define and prescribe regulatory procedures, businesses comply with these directives, and lawyers and compliance officers enforce them. However, the evolutionary process of regulation in this sector has followed anything but a scientific formula. Driven by psychology and sociology as much as by mathematics and economics, the financial sector appears to possess the impulses and motivations of a complex individual rather than the makings of a clear-cut chemical equation.

The accounting profession, which is characterized by its members’ independence, serves an integral role in the financial regulatory machine, and unfortunately, is also not immune to such human impulses. As seen in the events surrounding Enron, when the gatekeepers, particularly accountants, are producing counterfeit keys, and allowing fraud to penetrate the inner workings of a company, the results are catastrophic.

Following this disaster, lawmakers were catapulted back into their seats, charged with the task of devising a new system to combat and deter fraudulent escapades by companies, as well as taking a closer look at the professions that by definition support these actors, law and accounting. The result was the Sarbanes-Oxley Act of 2002 (SOX), which amended the Securities Exchange Act of 1934. In hindsight, scholars such as Professor Jennings of Wyoming Law School wrestle with the psychology behind the Enron disaster. Termed a “Yeehaw Culture,” the atmosphere at Enron was characterized by pressure to maintain those numbers and that performance, fear and silence, a weak board, and other factors that paralyzed the ability of moral integrity to prevail. The U.S. Senate Permanent Subcommittee on Investigations’ findings showed fiduciary failure, high-risk accounting, extensive undisclosed off-the-books activity, excessive compensation, and lack of independence.

Legislative history demonstrates that Sarbanes-Oxley was passed very quickly and without significant debate. Criticism of this piece of legislation centers not on the legitimacy of fighting fraud, but rather on the legitimacy of any sweeping regulation that is not forced to survive significant debate. The report from the Committee on Capital Markets Regulation (the “Paulson Report,” 2006) does not call for repeal, but questions its implementation and the effect the regulatory system in the U.S. has had on the competitiveness of the U.S. markets. It also makes specific recommendations about safeguarding certain accounting firms in order to allocate risk and cost, thus protecting investors in a more efficient and effective way.

There are many regulations under this piece of legislation, and its benefits are many: the FEI 2007 study and research by the Institute of Internal Auditors (IIA) found that “SOX has improved investor confidence in financial reporting, a primary objective of the legislation,” and “indicated improvements in board, audit committee, and senior management engagement in financial reporting and improvements in financial controls.”

Some specific mandates of this Act:

Title I creates the Public Company Accounting Oversight Board (PCAOB): a five-member board, five-year terms, two-term limit.
Section 302, addressing internal controls, requires the CEO and CFO to certify, and be held accountable for, their company’s financial statements.
Section 201 prohibits auditors from providing specified non-audit services to the firms they audit.
Section 404, addressing assessment of internal controls, requires management and the external auditor to report on the adequacy of the company’s internal control over financial reporting (ICFR); management must submit an “internal control report” as part of each annual Exchange Act report.

Analyzing the effects of this piece of legislation requires a brief discussion of the fundamentals of securities regulation. These laws determine the parameters for gaining access to the capital needed to sustain and grow businesses. Congress had two purposes for originally passing the federal securities laws: first, to protect investors, and second, to help honest businesses get access to capital following the Wall Street Crash of 1929. The result was the Securities Act of 1933 and the Securities Exchange Act of 1934. These statutes are premised on disclosure, not merit, where “full and fair disclosure of all material facts” is the main objective. If disclosure is made, issuers are permitted to sell securities to the public, regardless of the prospects for success in any particular investment. Financial cost is inherent in the implementation of all regulation, and the result inevitably excludes from the market those businesses that are not able to comply. So, again, the question is: what is the benefit relative to the costs?

Other consequences include more companies going private, a significant decline in the U.S. share of the global market, and U.S. IPOs dropping from 30% to 10% of the global total. The reality is that the markets need a more efficient way to achieve these goals. This objective is difficult to measure, since benefits are much more intangible and speculative, while the overwhelming costs are seen on companies’ balance sheets as well as in participation in the U.S. markets as a whole. The numbers are telling. Upon implementation, companies’ costs went up on average 130%, an average of $5.1 million per year; insurance premiums tripled to cover officers, and accounting and lawyers’ fees account for much of the additional cost.

With respect to the accounting profession, the Paulson Report also notes that, “Audit firms play a key role in ensuring the integrity of financial statements and the effectiveness of internal controls of public companies. The demise of another U.S. audit firm would impose huge costs on U.S. shareholders.” To guard against such potentially crippling consequences, the Report suggests safe harbors for certain defined auditing practices, as well as a cap on liability. Advocating such defensive measures for an industry that played a critical role in perpetuating the practices that left the markets in such a precarious state begs the question: is limiting the cost of implementing this legislation more important than punishing malfeasance? Of course it is necessary to mention that this question presents a false dilemma, as alternatives are possible but were arguably not given adequate consideration. Also, is avoiding criminal prosecution of corporations for the good of the industry ethically sound? To those subscribing to utilitarian thinking, this path checks out; but what about the other philosophies that charge all actors with the responsibility of acting with the good in mind at all times, and not just when it benefits the most people? Finding a path that would satisfy philosophical thinkers as well as the business world is difficult, if not impossible. Or have lawmakers and those in the business world simply been operating according to a false assumption that success in business and morality are always separate and adverse? The answer to this question directly relates to how one measures and justifies the costs of legislation and business operation.

Regulators being faced with the daunting task of creating reactionary measures following a financial disaster is the unfortunate trend this country has come to know well. A more proactive approach to regulation and greater attention to the intangible costs of regulation may help to undo some of the damage to US markets as well as improve the operation of SOX. Recognition of the complicated relationship between the regulations and those who enforce and carry them out, as well as a heightened awareness of the consequences of regulation prior to future financial regulatory meltdowns may also result in avoiding the criticism and incurring the overwhelming costs that the most recent examples of this type of legislation have demonstrated.

