Philip J Loree Jr and Nancy K Eisner take an in-depth look at how Sarbanes-Oxley is affecting insurers

On 30 July 2002, President Bush signed the Sarbanes-Oxley Act in response to the widely-publicised corporate fraud, waste, abusive accounting practices and self-dealing of the late 1990s that led to the downfall of Enron, WorldCom and other large and well-regarded US publicly-traded companies. The Act is one of the most significant and comprehensive US securities law measures since the 1930s. Among other things it:
(a) imposes strict auditing, quality control, ethics and independence standards on US certified public accountants and establishes a Public Companies Accounting Oversight Board (PCAOB) to administer those standards;
(b) increases financial disclosure requirements for publicly-traded companies and their executive officers and boards of directors;
(c) imposes rigorous internal controls on financial reporting, including CEO and CFO certification of financial reports; and
(d) subjects issuers, executive officers and directors to civil and criminal penalties and increased civil liability in actions brought by private parties.

The Securities and Exchange Commission (SEC) is charged with promulgating rules, and administering and enforcing the Act's provisions.

The Act contains powerful incentives for compliance because of the wide range of individuals and entities subject to its reach. Independent auditors, in-house and outside attorneys, directors, executive officers and internal audit committees are charged with heightened, independent responsibility for reporting fraud and ensuring the accuracy and reliability of publicly-filed financial information. Persons that report abuses are (at least in theory) protected from retaliation by 'whistleblower' provisions. The penalties for violation of the Act may seem draconian to some, and the Act may tend to create an atmosphere of anxiety from the top down on the part of public companies and their professional advisors (in which everyone is motivated to protect his or her proverbial backside). It may also require companies to allocate substantial resources to ensuring that adequate systems are in place to comply with the Act's requirements. On the positive side, however, the result is a system of checks and balances which attempts to do away with the 'hide your head in the sand' approach to corporate governance and financial reporting.

Technically, the Act applies only to US publicly-traded companies, including insurance companies. However, its effect is already more far-reaching.

There are indications that the Act's requirements are likely to influence state insurance laws that apply to all insurance companies doing business in the US regardless of whether they are publicly traded. In addition, non-publicly-traded US insurers are beginning to voluntarily implement reporting and monitoring procedures that comply with the Act, as they see those procedures becoming the industry norm against which any company's conduct may be judged in future.

Key provisions

Sarbanes-Oxley not only requires public companies to disclose financial information, but also prescribes in detail the form the disclosure must take. For example, Section 401(a) of the Act provides that each financial report filed with the SEC that contains financial statements required to be prepared in accordance with generally accepted accounting principles (GAAP) must reflect all material correcting adjustments that have been identified by a public accounting firm. Section 401(a) also directs the SEC to promulgate rules requiring that a public company discloses in its annual and quarterly reports all off-balance sheet transactions, arrangements, obligations (actual and contingent) and other relationships of the company with unconsolidated entities or other persons that may have a material current or future effect on the company's financial condition, results of operations, liquidity, capital expenditures, capital resources or significant components of revenue.(1)

Section 401(b) of the Act directs the SEC to promulgate (and the SEC has promulgated) rules requiring that pro forma financial information included in any report filed with the SEC or in any public disclosure or press release must reconcile the pro forma information with the financial condition and operations of the company under GAAP and contain no material false statements or omissions.(2)

Section 404 of the Act directs the SEC to require issuers to file internal control reports that:
- state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting and
- contain an assessment (as of the end of the most recent fiscal year of the company) of the effectiveness of the internal control structures and procedure for financial reporting.(3)

The registered public accounting firm preparing the audit for the company must attest to, and report on, the internal controls assessment made by the company.(4)

CEOs and CFOs

The Act contains two provisions requiring CEOs and CFOs to certify financial information filed with the SEC.

Section 302, as implemented by SEC Release No 33-8124, requires public companies filing periodic reports under Section 13(a) and 15(d) of the Securities and Exchange Act of 1934 (the Exchange Act) to include in those annual and quarterly reports a statement certified by the principal executive and financial officer(s) stating, among other things, that he or she has reviewed the report, and that, based on his or her knowledge:
- the report does not contain any untrue statement of a material fact or omit to state a material fact where the omission would cause the report to be misleading; and
- the financial statements and other financial information included in the report fairly present in all material respects the financial condition, results of operations and cash flows of the company as of, and for, the periods presented in the annual or quarterly report.

The certifying officers must also provide detailed certifications on the company's 'disclosure controls and procedures', which are defined by the SEC as controls and other procedures of the company that are designed to ensure that information required to be disclosed in the reports is recorded, processed, summarised and reported within the periods specified in the SEC's rules and forms.(5) These disclosure procedures include controls and procedures designed to ensure that information required to be disclosed by a company in its reports is accumulated and communicated to the company's management, including its principal executive and financial officers, to allow timely decisions regarding required disclosure.

Finally, the Section 302 certification must certify that all significant deficiencies in the design or operation of internal controls and any fraud, whether or not material, that involves management or other employees who have a significant role in the company's internal controls, have been disclosed to the company's outside auditors and to the internal audit committee.

Section 906 of the Act requires an additional CEO/CFO certification that each periodic report containing financial statements fully complies with the requirements of Sections 13(a) and 15(d) of the Exchange Act and that the information in the report fairly presents, in all material respects, the financial conditions and results of the company. While violation of Section 302 subjects CEOs and CFOs to civil penalties, Section 906 violations carry severe criminal penalties. If the CEO or CFO is convicted of making a Section 906 certification 'knowing' it to be false, he or she is subject to a fine of up to $1m or imprisonment for up to ten years, or both. If the CEO or CFO 'wilfully' makes such a certification, the penalties increase to a maximum fine of $5m and 20 years imprisonment.

In addition to the penalties for false certifications, the Act establishes new criminal offences, including destruction, alteration or falsification of records in connection with federal investigations and bankruptcy proceedings(6); conspiracy or attempt to commit securities fraud(7); and retaliation against whistleblowers(8). It also increases criminal penalties for securities, mail and wire fraud, and violations of the Exchange Act and the Employee Retirement Income Security Act.

These provisions, particularly the conspiracy provisions, are broad in scope and are not limited to officers and directors of the company. For example, bankers and lawyers that participate in a potential Sarbanes-Oxley violation (perhaps even giving limited structuring advice) could face criminal charges along with the primary corporate participants on a conspiracy theory.
The interplay of these sections with the Racketeer Influenced Corrupt Organizations Act (RICO) could further increase criminal liability of the company, its officers and directors and third parties, because the provisions increase the number of 'predicate acts' that could constitute a RICO violation, which, in turn, could result in still more criminal penalties.

While criminal penalties are a very strong deterrent, civil liability can also have very serious consequences and the burden of proof is lower.

Sarbanes-Oxley significantly increases civil liability by creating causes of action for whistleblowers(9) and insider trading during pension fund 'black out periods'(10); lengthening the statute of limitations for a civil action for securities fraud (two years after the discovery of the violation or five years after the violation, whichever is shorter)(11); and vesting in the SEC the power to impose civil penalties and seek injunctive relief for violations of the Act(12). One civil penalty of particular interest to CFOs and CEOs is the forfeiture of bonuses earned during a period for which the company subsequently restated its earnings.

Finally, the Act directs the SEC to promulgate - and the SEC has promulgated - rules setting forth minimum standards of conduct for attorneys appearing and practicing before the SEC in connection with the representation of a public company, including rules requiring attorneys to report to the chief legal counsel or the chief executive officer of the company "evidence of a material violation of securities law or breach of fiduciary duty or similar violation by the company or any agent" of the company.(13) If the "officer does not appropriately respond to the evidence (adopting, as necessary, appropriate remedial measures or sanctions with respect to the violation)", then the attorney must report the evidence to the audit committee of the board of directors or to "another committee of the board of directors comprised solely of directors not employed directly or indirectly by the issuer, or to the board of directors."(14)

Sarbanes-Oxley and insurers

While the insurance industry is no stranger to intensive regulation, the internal controls, certification requirements and civil and criminal penalties imposed by the Act increase the time and expense of insurance companies' day-to-day operations. Because the chief executive officers of the companies must certify the financial information submitted annually and quarterly to the SEC, they have a powerful incentive to require increased diligence on the part of those down the reporting chain. That incentive is compounded by the extensive pressure the Act places on outside auditors and internal audit committees in connection with the auditing process.

The accuracy of an insurance company's financial statements depends in large measure on the quality of its underwriting, pricing, claims reserving, money-management, ceded reinsurance and internal reporting controls. To comply with the Act, heightened attention must be paid to each of these core functions.

For example, reserves are, as a general rule, the largest item on the liability side of an insurance company's balance sheet. To comply with the internal control and certification requirements of the Act, chief executives and financial officers should exercise care to ensure reserves are not understated. As an additional complicating factor, the SEC has proposed regulations requiring insurers to explain in detail the reason for material changes in reserves in their publicly-filed financial reports.(15)

Accordingly, actuaries and claims professionals down the reporting chain are under greater pressure than before to justify reserving decisions and practices.

Reserving, particularly in the asbestos liability area, has received a fair degree of attention in the press as of late. In 2003, a large number of insurance companies posted large increases in their reserves.
The Travelers Group posted an increase of $2.45bn net of reinsurance; ACE an increase of $500m net and $2.2bn gross; AIG an increase of $1.8bn net of taxes and reinsurance and $3.5bn gross; and The Hartford Group an increase of $2.6bn gross, which resulted in a $1.7bn after-tax charge to its first quarter earnings. Just recently, the Navigators Group announced a reserve increase of approximately $31.6m net of $46m in reinsurance recoverables, which it expected would result in an after-tax charge of approximately $20.5m or $1.68 per share.

The issue of reserving, of course, is integrally related to ceded reinsurance, another area where Sarbanes-Oxley may affect the day-to-day operations of insurance companies. Under GAAP, insurers report reserves on a gross and net basis. But a net reserve figure is meaningful only to the extent that the reinsurance for which credit is taken is recoverable. Standard & Poor's has questioned whether, despite recent reserve increases, net reserves for asbestos liabilities were adequate because they assume 100% of the reinsurance is collectible.(16)

According to S&P credit analysts Messrs Iten and Partridge: "(a) conflict is brewing between the insurance and reinsurance companies over who will pay for asbestos exposures ... successive rounds of massive reserve increases at primary companies not only fail in aggregate to capture the size of the industry's shortfall, but anticipate an unrealistic level of reinsurance backing." Mr Iten stated: "(a)cross the industry, the difference between net and gross numbers raises all sorts of questions about who's ceding to whom. It's all smoke and mirrors. The liabilities are disappearing into thin air and nobody's capturing them."

Ceded reinsurance raises other issues that could affect the accuracy and reliability of an insurer's financial statements, and require effective internal controls. For example, does the program have sufficient capacity? What is the financial condition of the reinsurers?
How many cents on a dollar are being collected on environmental and other frequently disputed claims? Have reinsurers raised successful (or at least arguable) rescission claims?

Still another ceded reinsurance question involves transfer of underwriting risk. In the 1990s, alternative risk transfer (ART) came into vogue, including finite reinsurance arrangements that transferred minimal underwriting risk. GAAP sought to address these developments with the passage of FAS 113, which sets forth criteria for determining whether a contract transfers sufficient underwriting and timing risk to be considered 'reinsurance' for which balance sheet credit may be taken. But it is not always entirely clear whether a contract has met those criteria. Moreover, ART mechanisms have been abused in the past. Sometimes contracts that appear on their face to transfer meaningful underwriting risk have been effectively nullified by side-agreements or other related transactions. Sometimes fraudulent accounting practices have been employed. Two examples of recent vintage (although not involving companies publicly traded in the US) are the HIH insolvency and Sompo Japan's $1.1bn arbitration award against Fortress Re. Suffice it to say that, under Sarbanes-Oxley, ART mechanisms warrant careful scrutiny.

Underwriting controls are another area that may implicate Sarbanes-Oxley concerns. If the company negligently underwrites a risk, it may not only assume a greater frequency and severity of losses than it intended to, but it might also jeopardise its reinsurance recoveries. If the amount of risk is sufficiently large, and adequate underwriting controls were not in place, then Sarbanes-Oxley might come into play. For example, companies that write surety and financial guarantee base their underwriting decisions on their assessment of the financial condition of the obligor and may assume a great deal of potential exposure based on that assessment.
If that assessment is not carried out correctly, then a substantial loss could occur. Pricing could also come into play. A widespread pattern of underpricing could materially affect the company's financial performance.

Accordingly, internal controls should be designed to ensure adequate underwriting and pricing of risks.

Although reserving, ceded reinsurance, underwriting and pricing are examples of the potential scope of Sarbanes-Oxley in an insurance company's day-to-day operations, there are many others, and a comprehensive discussion of these is outside the scope of this article. One area not involving the company's day-to-day operations but which raises Sarbanes-Oxley concerns is M&A due diligence.

Sarbox and M&A

The scope of a due diligence review of a target's business is usually dictated by the deal environment. As the legal and economic landscape has changed, so has the process of diligence. In the fast-paced deal environment of the late 1990s, buyers rarely had the opportunity to conduct extensive, time-consuming diligence. They were seldom granted exclusivity periods and the typical auction may have allowed a potential buyer a day or two in the 'data room' (which usually had a no-copy rule) and a few hours of management interviews. In contrast, given the environment post-Sarbanes-Oxley, comprehensive diligence is an essential element to virtually all mergers and acquisitions. While best practices for M&A due diligence post-Sarbanes-Oxley have yet to be established in the insurance (or any other) industry, it is certain that senior management will play a more active role in acquisition evaluation and integration, including taking an active role in supervising and documenting the efforts undertaken to evaluate all potential risks.

For diligence to have real value, it must be tailored to the particular facts and circumstances surrounding the potential transaction. While no standard form diligence request list suffices in the current environment, there are certain aspects of Sarbanes-Oxley that are particularly important to buyers in designing their due diligence strategies.

Executive officers must keep in mind that they will be required to file their Section 302 and 906 certifications as of the end of the first quarter after the acquisition. In large transactions, CEOs and CFOs may be unable to comply with certification requirements if extensive due diligence has not been completed in advance of the closing.
Although the CEO and CFO certifications apply only to 'periodic' reports and do not apply to target financial statements filed with a Form 8-K in connection with an acquisition, an officer's confidence in the pre-closing financial reports of an acquired business will be assessed when he or she submits the post-acquisition certifications. This greatly increases the time and administrative costs associated with merger activity. It also places heightened pressure on the company's general counsel's office, and all in-house personnel involved in the due diligence process. In view of the internal control certifications, buyers must evaluate the status and effectiveness of the target's disclosure controls and procedures, and internal (financial) controls to ensure compliance with Sarbanes-Oxley. Are internal controls regarding reserving, underwriting, pricing and ceded reinsurance adequate? Have they been complied with? Has the target's audit committee enacted adequate whistleblowing committees to report questionable accounting or audit practices?

As part of the process, the target's internal controls should be compared with the buyer's internal controls to identify any deficiencies or differences and to enable the buyer, after the closing, to prepare an appropriate integration scheme to harmonise the target's control procedures with the buyer's procedures.

A thorough diligence review of the target's control procedures is required because CEOs and CFOs of buyers will need to rely on the control procedures of the target (before the target's procedures are integrated with those of the buyer post-closing) to meet the certification requirements of the Act. Since accounting firms generally design financial control procedures, the buyer should require its accountants to review the target's procedures in establishing the necessary financial controls.

It is no longer sufficient to assume that audited financials accurately represent the target's financial position.
While a degree of comfort can be obtained if the target has audited financial statements from a reputable independent auditing firm, the number of public companies which have recently had to restate their audited financial statements - and the Enron and WorldCom cases - illustrate that a target's financial statements are only the starting point in the due diligence investigation.

Buyers must scrutinise the target's financials from the ground up by first assessing the target's internal audit functions, including the level of independence and involvement of the target's audit committee. As a result of Sarbanes-Oxley, the audit committee's duties have been substantially increased and a thorough review of the committee minutes often uncovers a trail of significant leads that need to be followed. The committee's resolution of these issues can also be used as a measure of the committee's functionality and independence. The process used by the audit committee to select the target's outside auditor, as well as the target's relationship with its outside auditor, should also be examined. Comparing the total amount of money spent on non-audit services to the total amount spent on the audit itself is useful in gauging the relative importance of each type of service to the auditor. If the value of the non-audit services is significant, this should raise a red flag and the buyer should be aware of a potential bias that could compromise the integrity of the audit.

In the course of reviewing a target's accounting practices, particular attention should be paid not only to ensuring such practices are in accordance with generally accepted accounting principles, but also determining whether such practices are consistent with buyer's accounting policies.
US generally accepted accounting principles often involve subjective determinations that allow for much discretion, and to the extent the target's accounting practices differ from the buyer's and will need to be harmonised, the buyer should be fully informed of the potential impact this may have on the combined company's earnings. Buyers should pay particular attention to the target's policies for accounting for contingent liabilities, including its reinsurers' ability to meet their contractual obligations. For example, if the buyer's internal accounting practice with respect to contingent liabilities is more onerous in the sense that a more conservative approach is taken which will result in greater reserves than disclosed on the target's financial statements, the buyer must determine and understand the effect that differing accounting practices may have on the combined company's financials.

In sum, the civil and criminal penalties imposed on CEOs and CFOs for inaccurate certifications raise the stakes and necessitate heightened scrutiny by all involved to confirm the accuracy of the target company's financial information and the sufficiency of the target's disclosure controls and procedures.

Conclusion

The full effect of Sarbanes-Oxley on the insurance industry remains to be seen. The Act's regulatory scheme is in its nascent stages and there are provisions that will be phased in over time. But one thing is for sure; insurance companies and their officers, directors and professional advisors should familiarise themselves with the Act, stay abreast of developments and be attuned to situations to which the Act's provisions potentially apply.

References

(1) The rules are contained in SEC Release No 33-8182, and can be found in the SEC's website: www.sec.gov/rules/final/33-8182.htm.
(2) SEC Release No 33-8176, www.sec.gov/rules/final/33-8176.htm.
(3) SEC Release No 33-8238, www.sec.gov/rules/final/33-8238.htm.
(4) Section 404(b).
(5) SEC Release No 33-8124, www.sec.gov/rules/final/33-8124.html.
(6) Sections 802 and 1102.
(7) Section 901.
(8) Section 1107.
(9) Section 806.
(10) Section 306.
(11) Section 804.
(12) For example, Sections 303-306.
(13) Section 307(1).
(14) These rules are set forth in the SEC's website: www.sec.gov/rules/final/33-8185.htm.
(15) www.sec.gov/rules/proposed/33-8098.htm.
(16) Ian Reed, Asbestos Driving a Wedge Between Insurers and Reinsurers, Standard & Poor's, 30 March 2003.
- The views expressed in this article are solely those of the authors and are not intended to represent the views of Cadwalader, or any of its clients, partners or employees. This article is for informational purposes only and is not intended to provide, or be a substitute for, legal advice.

The authors thank Cadwalader partner Lou Bevilacqua, Chairman of Cadwalader's Corporate/Mergers & Acquisitions Department, and John Nigh of Tillinghast-Tower Perrin for their assistance and guidance. The authors are also grateful for the assistance and research of Tom Wang, an associate in Cadwalader's Litigation Department.