Promoting Long-Term Value Creation – The Launch of the Investor Stewardship Group (ISG) and ISG’s Framework for U.S. Stewardship and Governance
A long-running, two-year effort by the senior corporate governance heads of major U.S. investors to develop the first stewardship code for the U.S. market culminated today in the launch of the Investor Stewardship Group (ISG) and ISG’s associated Framework for U.S. Stewardship and Governance. Investor co-founders and signatories include U.S. Asset Managers (BlackRock; MFS; State Street Global Advisors; TIAA Investments; T. Rowe Price; Vanguard; ValueAct Capital; Wellington Management); U.S. Asset Owners (CalSTRS; Florida State Board of Administration (SBA); Washington State Investment Board); and non-U.S. Asset Owners/Managers (GIC Private Limited (Singapore’s Sovereign Wealth Fund); Legal and General Investment Management; MN Netherlands; PGGM; Royal Bank of Canada (Asset Management)).
Focused explicitly on combating short-termism, providing a “framework for promoting long-term value creation for U.S. companies and the broader U.S. economy” and promoting “responsible” engagement, the principles are designed to be independent of proxy advisory firm guidelines and may help disintermediate the proxy advisory firms, traditional activist hedge funds and short-term pressures from dictating corporate governance and corporate strategy.
Importantly, the ISG Framework would operate to hold investors, and not just public companies, to a higher standard, rejecting the scorched-earth activist pressure tactics to which public companies have often been subject, and instead requiring investors to “address and attempt to resolve differences with companies in a constructive and pragmatic manner.” In addition, the ISG Framework emphasizes that asset managers and owners are responsible to their ultimate long-term beneficiaries, especially the millions of individual investors whose retirement and long-term savings are held by these funds, and that proxy voting and engagement guidelines of investors should be designed to protect the interests of these long-term clients and beneficiaries. While the ISG Framework is not intended to be prescriptive or comprehensive in nature, with companies and investors being free to apply it in a manner they deem appropriate, it is intended to provide guidance and clarity as to the expectations that an increasingly large number of investors will have not only of public companies, but also of each other.
After deliberations over more than a year’s time, the Standing Committee of the National People’s Congress (“NPC Standing Committee”) finally adopted the Cyber Security Law (“CSL”) on November 7, 2016. The CSL is the first omnibus law in China governing cyber security issues and has incorporated a number of new legal concepts and requirements that may impact companies with business operations in China.
Below we will briefly introduce the CSL in terms of its background, applicable scope and legislative purpose, major requirements, and potential practical impact.
This legislation includes provisions relating to information and technology security. Meanwhile, as China has not enacted a unified data protection law, the CSL also incorporates several provisions related to the protection of personal information, which is also an issue of wide concern.
Application Scope and Purpose
The CSL applies to the construction, operation, maintenance and use of networks as well as the supervision and administration of cyber security within the territory of the PRC. “Networks” include networks and systems that are composed of computers and other information terminals and the relevant facilities and used for purposes of collecting, storing, transmitting, exchanging and processing information in accordance with certain rules and procedures (Article 76). “Network operators”, an important subject of legal obligations under the CSL, is broadly defined as “owners and administrator of networks and network service providers (Article 76)”.
The CSL provides for “safeguarding the national cyberspace sovereignty” as a fundamental principle, and, for that purpose, includes provisions on, inter alia, the strategy, plan and promotion of cyber security, network operation security, network information security, and alarm and emergency response systems.
The national cyberspace administration authority, namely the Cyberspace Administration of China (“CAC”), is responsible for the coordination of cyber security protection activities and the relevant supervision and administration activities on a national level. It further provides that the Ministry of Industry and Information Technology, the Ministry of Public Security and other relevant government departments shall be responsible for the protection and supervision of cyber security within their respective authorities.
The CSL will become effective on June 1, 2017. Therefore, nearly a half year is provided as a transition period before its implementation.
Major Legal Requirements
Strengthened Network Operation Security Obligations
The CSL provides various security protection obligations for network operators, including, inter alia:
- the compliance with a series of requirements of tiered cyber protection systems (Article 21);
- the verification of users’ real identity (an obligation for certain network operators) (Article 24);
- the formulation of cyber security emergency response plans (Article 25); and
- the assistance and support necessary to investigative authorities where necessary for protecting national security and investigating crimes (Article 28).
In addition, network products and service providers shall inform users about and report to the relevant authorities any known security defects and bugs, and furthermore shall provide constant security maintenance services for their products and services, not install malware with their products, and clearly inform users and obtain their consent if their products or services collect users’ information (Article 22).
Key network facilities and special products used for protecting network security shall comply with the relevant national standards and compulsory certification requirements, and may only be offered for sale after being certified by the qualified security certification organization or passing the relevant security tests (Article 23).
It is notable that some requirements for network operators, such as retention of user logs for at least six months (Article 21) and regulations on the publication of cyber security information regarding system loopholes, computer viruses, cyber-attacks, cyber invasions, etc. (Article 26), are prescribed for the first time under PRC laws.
Heightened Protection of Critical Information Infrastructure
The CSL, for the first time under PRC law, clearly imposes a series of heightened security obligations on operators of critical information infrastructure (“CII”), including:
- internal organization, training, data backup and emergency response requirements (Article 34);
- storage of personal information and other important data must in principle be secured within the PRC territory (Article 37);
- procurement of network products and services which may affect national security shall pass the security inspection of the relevant authorities (Article 35); and
- conducting annual assessments of cyber security risks and reporting the result of those assessments and improvement measures to the relevant authority (Article 38).
Protection of Personal Information
The CSL reiterates the obligations of network operators regarding the protection of personal information which appear across existing laws and regulations, including the mandate to observe the principle of lawfulness, necessity and appropriateness in the collection and use of personal information and to observe “the notification and consent requirements” (Article 41), to use personal information only for the purpose agreed upon by the relevant individual (Article 41), to adopt security protection measures for personal information (Article 42), and to protect the individual’s right to access and correct personal information (Article 43). In addition, the CSL also incorporates some new rules on personal information protection, including data breach notification requirements (Article 42), and data anonymization as an exception for notification and consent requirements (Article 42), and the individual’s right to request the network operators make corrections to or delete their personal information in case the information is wrong or used beyond the agreed purpose (Article 43).
The CSL is the first law in the PRC specially focused on cyber security matters. When the CSL takes effect on June 1, 2017, internet companies and other industries in China will be subject to stricter and more comprehensive obligations and face more severe punishments for violations. As an omnibus law on cyber security issues, many provisions of the CSL are still very general and abstract, and the detailed requirements for implementation and enforcement depend on subsequent and more specific implementation regulations as well as the opinion of the relevant authorities. We may expect that the relevant regulatory authorities may promulgate a series of implementation regulations to clarify certain requirements under the CSL, such as the regulations on tiered cyber security protection systems, the specific scope and protection measures of CII, the protection of minors on networks, the mandatory security certification and the test requirements for key network devices and special cyber security products, national security review on the network products and services procured by CII operators, etc. For example, as for the protection of minors on the internet, the CAC published a draft of Regulations on Protection of Minors Online for public comment last month.
Nearly half a year remains before the formal implementation of the CSL and companies may use this transition period to improve their understanding of the potential impacts of the CSL on their business. In particular, if companies are deemed operators of CII, the CSL may have a significant impact on their network security framework, procurement of security products, and data storage. Companies may consider whether they need to adjust their business and operation practices in these aforementioned aspects and enhance their cyber security protections so as to ensure full compliance with the CSL. Given that the specific implementation of the requirements in the CSL is not entirely clear, companies will also need to closely follow any subsequently released regulations and opinions of the relevant governmental authorities.
CHINESE UPDATE – Limitations on Overseas Direct Investment, A First Step of Temporary Capital Controls?
During this sensitive time when capital control measures are about to come out, the Xinhua News Agency on December 8, through an interview with officials of the State Administration of Foreign Exchange (“SAFE”), revealed the details and direction of policy on the recent tightening of overseas direct investment (“ODI”). The effects on ODI of the tightening of policy restrictions, which began several months ago and continues to the present, are rapidly magnifying.
At the opening of the news interview, it was stated that cross-border capital flows were generally stable and that monitoring had found no indication that the desire of enterprises or individuals to purchase foreign exchange would surge sharply; however, it was pointed out that a large number of ODI projects have already been placed under the scrutiny of various departments (i.e., NDRC, MOFCOM, PBOC, and SAFE). During the interview, SAFE officials pointed out that four categories are considered abnormal circumstances of ODI behavior: (1) newly established enterprises without business substance carry out overseas investment; (2) the scale of overseas investment is far greater than the registered capital of the domestic parent company, and the operational status reflected in the parent company’s financial statements is not sufficient to support the scale of overseas investment; (3) no correlation exists between the main business of the domestic parent company and the overseas investment project; (4) the RMB used for investment comes from an abnormal source and is suspected of involving the illegal transfer of assets for Chinese individuals and the illegal operation of underground money exchange. Such a wide definitional scope for abnormal behavior is really rare. From the perspective of SAFE, only enterprises with the capability and qualification can make overseas direct investment, while pooling of funds by individual investors for conducting overseas direct investment does not conform to the so-called “authenticity and compliance” principle.
In addition, this interview once again mentioned the ways in which individuals violate foreign exchange payment rules, namely by splitting remittances so that the annual remittance quotas of other individuals are used to remit funds, as well as the possible consequences of such violations: these individuals might be put on an “Attention Name List,” have their annual remittance quotas for the next two years canceled, and, where circumstances are serious, be put on file for punishment.
Our Interpretation: Except for ODIs conducted by enterprises possessing ample financial strength and where the ODI is closely related with the main business of such enterprises, other types of ODI would basically be stopped. In addition, there is a large possibility that the next step of SAFE will be to take further steps in regulatory and enforcement measures regarding overseas investment by individuals.
The new Dutch Corporate Governance Code, issued December 8, 2016, provides an interesting analog to The New Paradigm, A Roadmap for an Implicit Corporate Governance Partnership Between Corporations and Investors to Achieve Sustainable Long-Term Investment and Growth, issued September 2, 2016, by the International Business Council of the World Economic Forum. The new Dutch Code is applicable to the typical two-tier Dutch company with a management board and a supervisory board. The similarities between the Dutch Code and the New Paradigm demonstrate that the principles of The New Paradigm, which are to a large extent based on the U.S. and U.K. corporate governance structure with single-tier boards, are relevant and readily adaptable to the European two-tier board structure.
Both the New Paradigm and the Dutch Code fundamentally envision a company as a long-term alliance between its shareholders and other stakeholders. They are both based on the notions that a company should and will be effectively managed for long-term growth and increased value, pursue thoughtful ESG and CSR policies, be transparent, be appropriately responsive to shareholder interests and engage with shareholders and other stakeholders.
Like The New Paradigm, the Dutch Code is fundamentally designed to promote long-term growth and value creation. The management board is tasked with achieving this goal and the supervisory board is tasked with monitoring the management board’s efforts to achieve it.
On September 28, 2016, the Canadian federal government introduced Bill C-25: An Act to amend the Canada Business Corporations Act et al. The proposed amendments are the culmination of the first substantive review of the Canada Business Corporations Act (the CBCA) in 15 years and are the result of a consultation process initiated in 2013. The stated objectives of the proposed amendments are to, among other things:
- reform the process for electing directors of certain corporations;
- modernize communications between corporations and their shareholders; and
- require disclosure of information respecting diversity among directors and senior management.