Author Archive

Global Cyber Summit Sends Message to Boardrooms

April 28th, 2015 | By

Corporate directors’ mindsets regarding cybersecurity fundamentally need to change. As one participant at April’s inaugural Global Cyber Summit hosted by the Global Network of Director Institutes (GNDI) noted, “We have to go from ‘is it possible we’ll be attacked?’ to ‘it’s probable;’ from ‘how much does it cost?’ to ‘how much should we invest?’; and from ‘can we control cyber threats?’ to ‘how can we keep pace?’”

In the words of another participant, “Yesterday’s approach to cyber at many companies was compliance. Today, the approach is risk management, and the imperative for the future is resiliency.” With the passage of last week’s Protecting Cyber Networks Act and National Cybersecurity Protection Advancement Act, the nation moved one step closer to greater resiliency. Both bills made clear lawmakers’ expectation that companies should share information regarding cyber breaches not just with the government, but also with each other. By sharing information about cyber hacks with peers—via information sharing and analysis centers (ISACs) or information sharing and analysis organizations (ISAOs)—and the Department of Homeland Security, companies may be able to improve their cyber defense. Experts at the summit discussed information sharing in light of the massive threat cyber-breaches pose. While information sharing is important to an effective cyber defense, corporate directors should not view it as a panacea. Instead, “it is another tool in the company’s toolbox.”

At April’s summit, the GNDI, the National Association of Corporate Directors (NACD), and the Washington Board of Trade convened more than 200 directors and cyber experts from around the world for a three-day conference to explore the board’s role in effectively overseeing their companies’ cyber defenses. Supported by AIG, the Center for Audit Quality (CAQ), and KPMG, the event provided directors the opportunity to gain insight from experts including Shawn A. Bray, director of INTERPOL Washington; Larry Clinton, president and CEO of the Internet Security Alliance; Richard Knowlton, director of the Internet Security Alliance for Europe and group corporate security director at Vodafone; Jan Hamby, rear admiral, U.S. Navy (Ret.) and chancellor of the National Defense University; Tim McKnight, chief information security officer of General Electric; and Arne Schönbohm, president of the Cyber-Security Council Germany.

Five boardroom imperatives emerged from the event:

  1. View cybersecurity as an enterprise-wide risk issue. Without a doubt, cyber-risk poses a significant threat to companies of all shapes and sizes. From the boardroom perspective, however, it should be viewed not as a technological issue, but as an enterprise risk that is addressed like all other risks disclosed in the MD&A. “Security—not merely cybersecurity—is the key.” Directors should ensure that the company is properly structured to respond to an attack and has plans for both breach prevention and cyberattack response. And don’t be complacent. As one participant at the cyber summit advised, “If you ask management how we’re doing on cyber-risk management and they say, ‘great,’ don’t accept that as an answer.”
  2. Identify your critical assets. Throughout the summit, speakers noted the interdependent nature of cyberattacks. No company is an island, so achieving a perimeter-defense strategy that attempts to protect the entire enterprise is virtually impossible. Instead, management must identify what assets, if breached, would bring the company down: the “crown jewels.” Directors should ensure that defense efforts identify and prioritize them. As part of this identification process, the company also can assess its most vulnerable points, making sure to account for third-party contractors’ potential weaknesses. If a vendor in your supply chain is hacked, are your assets still protected?
  3. Ensure adequate resources for your information technology (IT) teams. Cybersecurity should be viewed as an investment in the company’s future, not as a cost center. Panelists noted a growth in the use of a chief information security officer (CISO), separate from a chief information officer (CIO). Regardless of the leadership structure employed, however, directors must remember that cybersecurity is largely a human issue. Does the c-suite have the staff and training needed to effectively defend the company against hacks? If the company is not going to develop an internal security defense program, how will it acquire one from outside? Is the IT team staffed with both technology professionals and security experts? Broadly, the company should run ongoing employee cybersecurity education programs throughout the enterprise.
  4. De-jargon the board dialogue. The technical nature of cybersecurity can create a formidable barrier to effective board oversight. While it is critical for the board to receive reports on the company’s cyber efforts on a continuous basis, CIOs, chief technology officers (CTOs), or CISOs may deliver the reports in jargon. Panelists noted that the solution, however, is not necessarily to invite a cyber expert to sit on the board. Instead, the entire board should comprise directors who are equipped to ask the probing questions necessary for effective oversight. The board can invite experts to speak to the board on cyber issues and ask management to provide “de-jargoned” reports in clear, actionable terms.
  5. Incorporate cyber into your strategy and every business decision. Panelists stressed the need for directors to address cyber issues proactively—starting with prevention—rather than waiting to respond to a breach. To do so, cyber should be an aspect of the front-end of business decisions: strategy, legal, and financial. Does the CIO (or CISO, CTO) play a role in strategy and tactical decisions? Does the CIO have a working relationship with the IT teams at third-party vendors? In an M&A scenario, do you assess the cyber vulnerabilities of the target company? These questions can help bring cyber-consciousness to board decisions.

For more guidance on the board’s role in cyber-risk oversight, download the NACD Cyber-Risk Oversight Handbook here. Kate Iannelli, Alexandra Lajoux, and Ashley M. Marchand contributed to this report.

Proxy Season Toolkit

January 14th, 2015 | By

NACD Proxy Season Toolkit

As the 2015 proxy season gets underway, are you looking for the latest information on the priorities of major institutional investors? Are you interested in benchmarking your board’s approaches to proxy statement disclosures and other critical shareholder communications?

To help you prepare, we’ve bundled five of our most recent and most relevant publications into the NACD Proxy Season Toolkit, a one-stop shop for public company boards.

  1. Investor Perspectives: Critical Issues for Board Focus in 2015
  2. Sample Board Expertise Matrix
  3. Preparing the CD&A: Priority Considerations for Boards
  4. Pay for Performance and Supplemental Pay Definitions 
  5. Enhancing the Audit Committee Report: A Call to Action 

For more insights on the issues currently facing public company boards and key committees, visit NACD’s Board Leaders’ Briefing Center. And be on the lookout for our exclusive proxy season preview, written by ISS’ Patrick McGurn, in the next issue of NACD Directorship magazine.

NACD BLC 2014 Breakout Session – Balancing Shareholders and Capital Markets

December 2nd, 2014 | By

On the morning of Tuesday, October 14, 2014, a group of Board Leadership Conference attendees joined Alan M. Klein, Partner, Simpson Thacher; Jamie S. Moser, Partner, Joele Frank; and moderator Chris Ruggeri, Principal, Deloitte, for a power breakfast session entitled “Balancing Shareholders and Capital Markets.”

The Landscape

It is well known that there has been a rise in shareholder activism over the last few years. There are more than 400 activist funds today with more than $100 billion under management. If viewed as an asset class, activist funds are a top performer. Money flows to where it can generate the largest return, and activist-backed funds have flourished. In turn, panelists observed that this has emboldened shareholders of all stripes. In their quest to have a more prominent voice in how companies are run, these investors have changed the dynamics of company-shareholder interaction.

There are many different kinds of shareholders ranging from professional, established investors to newer, smaller entrants into the market. Moser believes that some larger organizations that tend to maintain long-term positions in companies can be considered activists as well. While they prefer not to run campaigns on their own, they feed ideas to others who will. Klein noted, “In a sense these ‘long only’ funds have outsourced their activism.”

Tactics

Panelists noted that activist shareholders don’t pick targets lightly. They spend a significant amount of time drilling down into companies, and have a surprising depth of knowledge. As such, it would be a mistake to disregard them or view them as superficial. Nevertheless, there is often a mismatch between the way those who run companies view their businesses and the perspective of many activists.

Governance issues can be used as part of a shareholder’s demands. Although they are not typically the crux of an activist fight, these issues can become part of the story and set the tone. For example, panelists cited topics such as related party transactions or sluggish board turnover as “low hanging fruit” for shareholders. Even if these issues have been properly disclosed, a shareholder may use them to put the company on the defensive.

On the other hand, some investors – particularly the more well-established funds – ask for reasonable conversations with the board and management. Panelists observed that if directors can demonstrate to them the validity of the current plan and why their thesis is wrong, some investors may listen or even back off. That being the case, engagement is extremely important.

Outreach

It is critical that directors understand the perspective of the company’s shareholders. The first question Moser asks a company is, “When’s the last time you spoke with your top 10 shareholders?”

Further, the board should engage with shareholders for the first time outside proxy season, when the discussion is often centered around voting. Then, if a proxy contest starts, the company can reply “our board has been speaking directly with shareholders; we’ve been active and engaged.” Meetings between the board and investors should demonstrate transparency and openness. Directors can simply ask investors, “what’s on your mind?” Of course, panelists noted that it is important to remain conscious of Regulation FD; avoid the discussion of material items in a one-on-one setting.

Boards can also go beyond annual “deep dives” to ensure the current strategy is still viable. For example, Klein suggested that boards invite a banker to give a presentation, valuing the strategic plan and showing how it stacks up to strategic alternatives. If the board has conducted this type of analysis, they are more able to speak to the current strategy’s strengths and how it will produce the most value for the company. It is also important that the strategic plan for the company is communicated in the most compelling way possible. “The first three-quarters of any ‘fight letter,’” Moser noted, “should be about strategy – how your strategy provides more value than what the shareholder is proposing.”

Activist Investors on the Board

Finally, the panel discussed how boards can work with new activist directors once elected to the board. Klein noted that most activist situations today end in a negotiated outcome: Either a proxy fight doesn’t start, or the fight may end before it ever gets to a vote. Typically, as the result of a negotiation, the shareholder ends up with one or two seats. If these new directors can make their case in a logical manner, a fresh perspective may prove beneficial for a board.

Ultimately, panelists agreed that there has been a sea change regarding how companies and their shareholders interact. To the question of whether activism is good or bad, the answer is “yes” – it depends on facts and circumstances.