Luis A. Aguilar served as a Commissioner at the U.S. Securities and Exchange Commission from July 31, 2008 to December 31, 2015. Currently he serves on the Boards of Directors of Envestnet, Inc. (NYSE: ENV), Donnelley Financial Solutions, Inc. (NYSE: DFIN) and MiMedx Group, Inc. (NASDAQ: MDXG). Envestnet is a leading provider of unified wealth management technology and services to investment advisors. Donnelley Financial is a financial communications and data services company serving both the investment and capital markets worldwide. MiMedx is a leading regenerative medicine and biopharmaceutical company.
Commissioner Aguilar is also a partner in Falcon Cyber Investments, a private equity investment firm focused on cybersecurity investments. Commissioner Aguilar’s previous experience includes serving as the general counsel, head of compliance, executive vice president and corporate secretary of Invesco, with responsibility for all legal and compliance matters regarding Invesco Institutional. In addition, he was also Invesco’s Managing Director for Latin America in the 1990s, and president of one of Invesco’s broker-dealers.
Every public company board of directors has to operate within an environment where both expected and unexpected government regulations can have a meaningful impact on their strategic objectives. Being able to anticipate risk and identify how legislation may influence decision-making processes is a noteworthy skill—in fact, of the directors included in board skills matrices disclosed in annual proxy statements, 58.3% had government affairs or public policy experience. To gain insights on how this dual viewpoint can be an asset in the boardroom, C-Suite spoke with Luis A. Aguilar, an SEC Commissioner from 2008 until 2015 who now serves on three public boards. He shared his experiences from the SEC, as well as how those perspectives have shaped his approach to board service.
Luis A. Aguilar: You can call it “interesting,” “scary” or “a period of turmoil,” and each would be an apt description. I was sworn in as a Commissioner only a few weeks before the collapse of Lehman Brothers and the financial turmoil that followed. This period included the “breaking of the buck” by a well-known money market fund that stressed the market, the short-sellers’ onslaught of publicly traded financial institutions, the tightening of the credit markets, and was only a few months before one of the largest financial frauds in U.S. history—the Bernard Madoff Ponzi scheme—was exposed. And, while that was the largest, it was only one of many fraudulent schemes that came to light.
Beyond their obviously substantial impact on American families and the economy, these events demonstrated many regulatory failings that the SEC needed to address.
As a result, the Commission entered one of the most active periods in its history—from internal restructurings to a transformative number of new rules. In addition, as you mention, in 2010 Congress passed the Dodd-Frank Act, which mandated that the SEC promulgate close to 100 separate rulemakings. In combination with Congress’ subsequent passage of the Jumpstart Our Business Startups Act (the “JOBS Act”), and the Commission’s own initiatives, my tenure coincided with one of the most active periods in SEC rulemaking history. Obviously, the continuing rapid changes in the capital markets require that the SEC continue to be vigilant, and I would urge the SEC not to be complacent and think that the work is done.
Even before passage of the Dodd-Frank Act, the Commission had already entered what has become one of the most active periods in its history.
Aguilar: My years at the SEC were both challenging and rewarding. Clearly, the challenges the SEC faced were numerous, and almost all aspects of the capital markets were under scrutiny—from the stress experienced by money market funds, the failings revealed by Madoff, the problems resulting from the faulty ratings issued by credit rating companies that, as one of their employees said, “would rate a cow,” and the lack of transparency in asset-backed securities, just to name a few areas. We worked hard to address many of the failings and I believe that I left the SEC and investors in a better place, but the agency must remain on guard to make sure it’s providing appropriate oversight and fulfilling its mission of protecting investors, maintaining fair, orderly and efficient markets and facilitating capital formation.
I learned too many lessons during my tenure and there isn’t time to talk about them all, but one takeaway is that regulations are tools, and like all tools they are only as good as the people who build them and use them. The way the regulators craft rules is important. Rules need to be crafted with a solid foundation of information that underlies the need for the rule and a clear understanding of what the rule is intended to achieve. This process requires a focus on protecting shareholders but with appropriate flexibility that allows for the affected companies to adapt to rapidly changing markets, both domestically and globally. On the other hand, even the best written rules may fail in their goals if those covered by the rules ignore them. To be effective, rules need to be adhered to with integrity, and not with an eye to doing end-runs that cause the rules to fail to have the intended benefits.
Regulators simply cannot do it alone. Those working for the companies that make up the capital markets have crucial functions to perform. That’s always been true but even more so in today’s more complex markets. To that end, companies need to have robust corporate governance regimes to be able to effectively police themselves.
Aguilar: I’ve always appreciated the important responsibilities that boards of directors have with respect to overseeing company management and setting forth the overall direction of the company. Directors play a critical role in setting the appropriate tone at the top, and are relied upon by both shareholders and the capital markets in general.
It can be a daunting responsibility to faithfully fulfill those responsibilities. Directors are expected to carry out their duties and responsibilities with a keen focus and attention to detail. This can be particularly challenging for independent directors that devote only part of their time to any particular company. Nonetheless, under our legal corporate structure, it’s an invaluable service. Directors are expected to act as fiduciaries and protect and enhance the interests of others. When companies asked me to consider serving on their boards, I understood that responsibility.
Each board opportunity can be unique. When first approached, I do significant due diligence on a company—among other things, the company’s history, the backgrounds of the existing directors and management, its industry, its corporate culture, its financial condition, who the outside experts are, etc. The list of things to consider is, of course, much longer. If I’m still interested after researching those areas, I then ask myself if I have something positive to contribute to that particular board. Obviously, this takes some self-awareness and soul searching.
Aguilar: Even before becoming a Commissioner, I was a practicing corporate and securities lawyer who interacted with many boards, and I have always appreciated their roles. I’ve always understood that the better boards are those that are informed, proactive and ethical and understand that their fiduciary obligations are not to management. My experience at the SEC helped to cement the fact that those types of boards generally don’t have anything to fear from the SEC. I also think that good boards recognize the need to adapt to new circumstances—such as developments in their company and industries and the emergence of new risks, such as the increasing risks of cyberattacks.
One of the SEC’s failings leading up to the financial crisis is that it failed to keep up with how the markets had grown and changed in the preceding years. Some of the failings, of course, can be attributed to insufficient resources given to the Commission that impaired its ability to keep up with those developments.
Aguilar: My interest in cybersecurity arose from meetings I had with various experts and directors who expressed concern about cyberattacks and the mounting evidence that companies of all shapes and sizes were subject to potentially disastrous cyberattacks. In addition to the threat of significant business disruptions, there can also be substantial response costs, negative publicity, lasting reputational harm, and, perhaps, a derivative lawsuit against the company and/or its officers and directors. Given the potential risks posed by cyberattacks on publicly traded companies and capital market participants like stock exchanges, custodians, transfer agents, broker-dealers and others, I thought that the SEC needed to be more informed. I also hoped that the Roundtable would send a message to corporate boards and senior management that they needed to be proactive in addressing these cyber risks.
Aguilar: For a number of reasons—including the frequent occurrence of cyberattacks—since the Roundtable was held, board oversight of cyber risk management has greatly increased. In addition, over the last few years, providing advice on cybersecurity measures has become a cottage industry for many lawyers, consultants and accounting firms. I don’t think boards will lack for guidance and advice.
But it’s important for boards to not abrogate the responsibility to others. Fortunately, many boards now take seriously their obligation to make sure that their companies are properly prepared. In today’s internet world, this needs to be a critical part of a board of directors’ risk oversight responsibilities. In considering where to begin, I think boards should consider the Framework for Improving Critical Infrastructure Cybersecurity, released by the National Institute of Standards and Technology in February 2014. The NIST Cybersecurity Framework provides a set of industry standards and best practices for managing cybersecurity risks. A good first step would be for boards to work with advisors and/or management to assess how their companies match up to the Framework’s guidelines.
Aguilar: I have a couple of reactions to that. First, I commend companies that provide good and useful disclosure that investors benefit from, and I hope they wouldn’t limit disclosures just because they can.
Second, you’re correct about the importance of investors being active. You can see that in the rule requiring diversity disclosure. At the time it was being considered, there was give and take among the Commissioners, and it looked like the only way it was going to get sufficient votes for it to pass was to allow companies to define diversity themselves. This wasn’t what many investors wanted. It was clear from their comments that they wanted disclosure along a more traditional view of diversity, that is gender, race, ethnicity, etc. Nonetheless, the fact that companies have to discuss whether they have a policy on diversity, and if so, how they define it, allows investors to gauge how companies feel about it. The proxy statement disclosures are allowing investors that care about diversity to laud those with the best practices and to reach out to those that fell short in providing the information shareholders are asking for. Shareholder involvement is a good thing.
If you look at other situations where there is no specific or comprehensive rule requiring disclosure, you can find that same behavior. For example, many investors are pushing companies to enhance their disclosures on matters such as climate change, cybersecurity and other issues. They want disclosures that address matters not specifically required by the SEC or that go beyond any guidance provided by the SEC.
Aguilar: One thing I’ve learned in life, and as a Commissioner, is that risk pops up in the most unexpected places. Things you didn’t think could occur, will occur. The flash crash is one example, and the break in the dollar in 2008 was only the second time in history that occurred. Risk comes from unexpected places, and it’s difficult to plan for those black swan events. Nonetheless, there is still some benefit for directors to sit down with management and engage in some out-of-the-box thinking about the “what ifs.” It’s not a waste of time.
Obviously, it’s also important to consider the risks you do know are out there. Start with cyber—you can no longer take the view that “it won’t happen to me, I have robust systems and no one can penetrate my walls and get into my systems.” Too many companies and government agencies have been hacked, many with robust cybersecurity. And, don’t forget that Target was hacked through a provider.
Risks, whether known or unknown, result in uncertainty, and businesses hate uncertainty. Today, for example, there’s a lot of uncertainty about the regulatory, political and economic outlook. Is tax reform going to happen? Is healthcare going to happen? What’s happening on regulatory reform? What’s the possible impact of blockchain or artificial intelligence to my company or industry? Etc.
For some companies, some are more key than others, but the uncertainty can create gridlock or delay needed decisions. Of course, much of this can’t be controlled. In the meantime, however, it’s advisable to at least try to come up with Plan A and Plan B and make the best judgment calls you can. It’s certainly not a panacea, but I think proactivity helps you be prepared. Companies have to play offense and defense based on the best knowledge they have.