Anne Dolan

Organizations that use entities from multiple jurisdictions in their corporate structures or transactions need to ensure that they are ably managed and well accounted for. International standards of governance and disclosure have expanded in scope since the global financial crisis, and there is little tolerance for errors in the administration or reporting of internationally domiciled entities. Even a simple clerical miscue such as a late filing can have adverse consequences for a company, both in terms of legal resolution and reputational damage.

Technology and Legal Entity Management
The administrative and regulatory burden associated with managing corporate vehicles is often extremely demanding.  There is a tremendous volume of data that is tracked and reported on during an entity’s lifecycle from formation to dissolution. Often there are tight deadlines for filing information and documents with third party regulators or governing bodies. As a result, more organisations are turning to specialised technologies to help them track statutory information and documents in multiple jurisdictions.

Developing a system internally to track data and store documents is not always the most appropriate or cost-effective option.  Aside from the significant expense associated with developing such a system from scratch, once launched, it would also require ongoing monitoring, maintenance and development.

As clients now desire continuous information on, and access to, their network of international entities, they are more frequently looking to their service providers to establish an infrastructure that makes this possible.

In 2009, Walkers Management Services (WMS) consulted a number of its clients as to where their concerns lay with entity management, noting that organisations engaging in significant cross-border transactional activity were looking for more efficient ways in which to track data and documents. As a result, the firm designed and implemented a web-based system–the Client Portal–that allows clients continuous access from anywhere in the world to view, print and download all of their statutory data and documents for any entity in any jurisdiction that WMS serves.

The Client Portal is extended to WMS’ clients free of charge, with the aim of ensuring that they are statutorily and regulatory compliant at all times, not only in the jurisdictions in which WMS acts for them in, but globally. The fact that the Client Portal is web-based also means that users can choose to give access (on a restricted basis if necessary) to other third party service providers, such as attorneys and auditors. This not only increases efficiencies by putting information and documents at the fingertips of those who need it, but also reduces unnecessary administrative costs associated with information and document requests, which can significantly rack up over time.

As well as tracking statutory data and documents, other features WMS included in its Client Portal are the ability to generate reports to assist with regulatory filings and the mapping of intra-group relationships, directorships, shareholdings, and partnership interests. Users can opt to receive an alert as to upcoming filing deadlines across a variety of jurisdictions.

Web-based systems are also proving to be invaluable for communication with directors prior to board meetings.  From my own experience of providing company secretarial services to numerous Cayman, BVI and Delaware entities, board packs often run to several hundred pages which can prevent circulation by email or fax. Having the option of being able to download documents from a virtual boardroom has vastly improved the efficiency of co-ordinating board meetings. Directors on the move for example, no longer have to cart heavy board packs around the world or log into their email to receive papers for review. Provided they have internet access, they can log onto the virtual boardroom on the Client Portal, download a pack and then review it offline as they are travelling.

As with any online system for storing data, security and confidentiality is key. WMS opted to invest heavily in the security and infrastructure of its Client Portal, including engaging a top consultancy firm to do annual vulnerability testing. Organizations that are considering using an online system to store their data and documents should ensure that they thoroughly review its security features. Being able to control who sees what information is also critical.  For example, access to WMS’ Client Portal is tightly controlled and monitored by a small, highly experienced team of Chartered Secretaries. Permissions can be restricted on an entity or group basis, thereby making sure that the right people have access to the right information. Due to the popularity of WMS’ Client Portal, the in-house development team has been beefed up to accommodate an aggressive schedule of new feature releases and enhancements.

Conclusion
The task of managing an organization’s global entities often falls to a small team of paralegals, junior lawyers or in-house company secretaries. Such individuals need to have a thorough grasp of a wide range of statutory and regulatory obligations in the jurisdictions in which their organisation’s entities are domiciled, as well as be adept at dealing with the burden of regulatory reporting in their home jurisdiction. While there are a number of technological solutions available to assist organizations with their entity management, they vary tremendously in terms of sophistication, breadth and cost. The legal and regulatory environment in which multinational organisations now operate has changed dramatically over the past decade, and no doubt will continue to evolve in the years ahead.  At the centre of this process, technology will need to evolve to keep pace with those changes in an effective and cost-efficient manner.  Entity management and corporate governance have moved firmly into the digital realm, and it is management’s duty to ensure that their organisation does the same.

Anne Dolan is a chartered secretary with Walkers Management Services in the Cayman Islands.  For more information regarding Walkers’ Client Portal, please visit www.walkersglobal.com.

No company is exempt from potential cyberattacks. The United States government is no stranger to cyber threats and Director of National Intelligence Dennis Blair believes the government’s efforts to defend the country against cyberattacks are “not strong enough.”

A breach in security can result in operational and reputational risks, as well as government regulatory sanctions if proper procedures to safeguard and protect sensitive information are not created and filed properly. Companies such as Victoria’s Secret in 2003, TJX, parent company of discount retailers TJ Maxx and Marshall’s in 2007; and in 2010, a hijack of more than 75,000 computer systems at nearly 2,500 companies in the U.S., including Google, showcased some of the most sophisticated attacks by cyber criminals to date. TJX suffered immense reputational blows after the company failed to acknowledge the severity of the problem and did not quickly communicate with customers whose personal information was stolen. The fallout from the TJX incident is a prime example of why companies need to carefully compile a plan-of-action and prevention. As the government continues to struggle, directors must take care to ensure their company has proper privacy and data security precautions in place to both protect and provide a plan of action should a cyberattack occur.

According to the Federal Cyber Security Outlook for 2010 by Lumension Security and Clarus Research Group, 69 percent of approximately 200 respondents indicated that while the overall state of their IT security improved in the past year, nearly 21 percent indicated that their companies made no changes to their level of compliance. Fifty-seven percent of respondents reported that the biggest obstacle in meeting federal compliance regulations was having the resources available (skilled personnel, bandwidth, budget). Overall, respondents were less confident in their IT security situation, with the majority voicing that that preventative measures, such as firewalls, anti-virus and anti-malware, vulnerability assessments and IT governance and risk compliance measures, should increase in the coming year.

Taking the First Step
Boards must insist that they are informed about and understand the company’s legal compliance policies and vulnerabilities, says Alan Charles Raul, a partner at international law firm Sidley Austin LLP, where he specializes in privacy and data security practices. “The board should understand the company’s important information access and exposures—whether that be consumer names in its database, employee personal information or intellectual property protection,” Raul says.

To know what precautions are necessary to safeguard valuable information, boards can recruit members with an IT background. “Boards need to have IT experts—they’re still looking at the same skill sets they did 75 years ago,” says Jody R. Westby, CEO and founder of Global Cyber Risk LLC in Washington D.C. Westby believes boards need to first reevaluate the skills they are seeking in potential board candidates, as well as receive regular reports from their IT and security departments.

Westby says only a small percentage of boards have risk committees—and often times the audit committee takes responsibility for privacy and data security issues.  Westby argues that the board should have a specific person or risk committee dedicated to ensuring that the CIO budget is adequately funded and reflected on a situation where a $15 billion company instructed their CIO to “go buy some insurance” in lieu of conducting a privacy and data security plan of action. “Boards provide oversight—but they need to have top-level people in place to make sure policies are properly vetted and reviewed,” Westby adds.

Know the Rules
There are two types of privacy statutes, according to Keith Hochheiser, an attorney at Ettelman & Hochheiser, P.C. A breach notification statute applies if a company is maintaining personally identifiable information. If it’s breached—something as simple as a stolen computer can make a company vulnerable—employees must be notified immediately. The second statute is more comprehensive; it indicates that a privacy policy must be located on your website. A firm must internally write a procedure and comply with the statute and audit it manually. “If your company is not complying, one could argue that the board has a legal obligation because they should have been aware,” says Hochheiser. “Directors could be considered liable and sued as a result.”

Directors must guide management to instill a program that will protect investors as well as themselves, adds John Fodera, a partner at Eisner LLC. “Management is responsible for compliance programs, but directors should make sure they are meeting objectives,” Fodera says. Oftentimes, a firm has operations spanning multiple of states and countries. “Boards must have an understanding of not only the state requirements, but potentially those related to operations abroad,” says Fodera. “Depending on where you are doing business, you need to comply with state or country requirements—it’s not a level playing field.”

Operational and Reputational Risks
Cyber security efforts are integral to both private corporations as well as the economy as a whole. “Cyber criminals are trying to exploit weaknesses in corporate databases—the magnitude and grave risks associated with these attacks should have boards on alert,” Raul says. “No one company can take responsibility for the overall computer networks of a country. But the government has alerted the private sector that each company has a responsibility to help protect the cyber networks on which the entire economy is built.”

The theft of intellectual property and personal information can cause irreparable damage to a company’s reputation. Hochheiser reflected on an instance where an employee left a firm, but still had access to customer information. The company discovered that the former employee was contacting customers using this personally identifiable information and the New York Attorney General came in and discovered there were no policies in place. The firm then had to reassure customers that procedures would be put in place to prevent future incidents.

“But having policies in place isn’t enough,” Hochheiser warns. He noted that another firm had a privacy policy in place, but no procedure. As a result, when a computer was stolen, the business had no way to back up its privacy policy—which resulted in fines because the attorney general viewed the firm’s policy as deceptive. “A big mistake is that companies use really aggressive policies, implying that they are nearly invincible—and aren’t able to live up to it,” Hochheiser says. “That’s a deceptive business practice and you will be fined for it.”

As long as companies have a realistic policy in place and annual audits of those policies and procedures—taking care to bring in an independent third-party consultant—courts have shown that such actions will demonstrate that your firm has made reasonable efforts to prevent and deal with a breach in security. Boards must recognize that threats to cyber security are just as detrimental, if not more so, as someone breaking into company headquarters. Competitive and sensitive information could be stolen for months or years before being discovered if the proper safeguards are not in place.