The major cyber breach that Yahoo announced last week has ripple effects not only for Yahoo itself, but for every company. The incident already has caught the attention of a senator who is calling on the U.S. Securities and Exchange Commission (SEC) to investigate how Yahoo disclosed the breach to shareholders and the public.
Background on the Breach
Ashley Marchand Orme
Account data for at least 500 million users was stolen by what Yahoo has called a “state-sponsored actor” in what CNN Money calls one of the largest data breaches ever. Compromised information includes names, email addresses, phone numbers, dates of birth, hashed passwords (most of them with bcrypt, according to Yahoo), and in some cases encrypted or unencrypted security questions and answers.
Yahoo has not named a country of origin for the hacker. The company, which Verizon is seeking to acquire, is still one of the busiest online sites, boasting one billion monthly users.
The breach occurred in late 2014, according to Yahoo, but the company just disclosed the incident in a press release dated Sept. 22, 2016. The Financial Times reports that Yahoo CEO Marissa Mayer may have known about the breach as early as July of this year, raising questions as to why it wasn’t disclosed sooner.
Attention From Lawmakers
Sen. Mark R. Warner (D.-VA), a member of the Senate Intelligence and Banking Committees and cofounder of the Senate Cybersecurity Caucus, sent a letter to the SEC yesterday asking the agency to investigate whether Yahoo complied with federal securities law regarding how and when it disclosed the incident.
“Data security increasingly represents an issue of vital importance to management, customers, and shareholders, with major corporate liability, business continuity, and governance implications,” the senator wrote.
Warner—who cofounded the company that became Nextel, a wireless service operator that merged with Verizon—also told the SEC that “since published reports indicate fewer than 100 of approximately 9,000 publicly listed companies have reported a material data breach since 2010, I encourage you to evaluate the adequacy of current SEC thresholds for disclosing events of this nature.”
And Warner isn’t the only lawmaker pushing for increased cyber regulations. Earlier this month, New York Governor Andrew Cuomo (D-NY) announced proposed cybersecurity regulations that would increase the responsibility of banks and insurers to protect their information systems and customer information. The regulations, if adopted, would apply to companies regulated by the New York Department of Financial Services (NYDFS) and would require them to, among other steps, establish a cybersecurity policy and an incident response plan. Companies would also have to notify the NYDFS within 72 hours of any cyber event that is likely to affect operations or nonpublic information.
The Boardroom Response
Any company—whether public, private, or nonprofit—can fall prey to a breach, and even companies with formal cybersecurity plans can find themselves the victims of a breach. Preliminary data from the 2016-2017 NACD Public Company Governance Survey show what corporate directors are already doing to oversee cyber-related risks.
When asked which cybersecurity oversight practices the survey respondents’ boards had performed over the past 12 months—and directors could select multiple answers—the most common responses included:
Reviewed the company’s current approach to protecting its most critical data assets (76.6%)
Reviewed the technology infrastructure used to protect the company’s most critical data assets (73.6%)
Communicated with management about the types of cyber-risk information the board requires (64.4%)
Reviewed the company’s response plan in the case of a breach (59.3%).
“Corporate directors should ask management for an accurate and externally validated report on the state of the organization with respect to cyber risk,” said Robert Clyde, a board director for ISACA, a global IT and cybersecurity professional association, and for White Cloud Security. “They should also ask what framework is being followed for IT governance.”
Beyond high-profile breaches of email accounts and email providers, Clyde says that breaches involving ransomware are increasing.
“Ransomware encrypts data that can only be decrypted by paying the attacker a fee in Bitcoins. According to the NACD Cyber-Risk Oversight Handbook and many other organizations, the key control to reduce the risk of attack—including ransomware—is restricting user installation of applications, called ‘whitelisting’ or ‘Trusted App Listing,’” Clyde said. “Yet this highly recommended control is rarely implemented. Boards should ask organizations for their plans to implement this specific control.”
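The control Clyde names, restricting which applications may execute, is usually enforced on Windows with AppLocker or Windows Defender Application Control and on Linux with tools such as fapolicyd. The following is an added illustration, not code from the original article, NACD, or ISACA: a minimal deny-by-default allowlist that compares two common rule types, a trusted-directory (path) rule and a file-hash rule, over a set of constructed sample files. The file paths, file contents, and the allowlist itself are all invented for the example; no real binaries are read.

```python
"""Deny-by-default application allowlisting, illustrated two ways.

Added example (not from the NACD article). All paths, contents and
the allowlist below are constructed for illustration only.
"""
import hashlib
from pathlib import PureWindowsPath

# Constructed sample "executables": bytes stand in for file contents.
SAMPLE_FILES = {
    r"C:\Program Files\Acme\acme.exe": b"MZ acme-release-1.0",        # vendor install
    r"C:\Users\alice\Downloads\acme.exe": b"MZ acme-release-1.0",     # same binary, user dir
    r"C:\Users\alice\Downloads\invoice.exe": b"MZ unknown-payload",   # unknown binary
    r"C:\Program Files\Acme\acme.exe.bak": b"MZ modified-build",      # altered file in trusted dir
}


def sha256_hex(data: bytes) -> str:
    """Digest used as the identity of a file's contents."""
    return hashlib.sha256(data).hexdigest()


# Hash rule: only contents an administrator has approved may run.
ALLOWED_HASHES = {sha256_hex(b"MZ acme-release-1.0")}

# Path rule: anything under these directories may run (typical default rule).
TRUSTED_DIRS = (
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Windows"),
)


def path_rule_allows(path: str) -> bool:
    """Allow if the file lives under a trusted directory (case-insensitive)."""
    p = PureWindowsPath(path)
    return any(trusted in p.parents for trusted in TRUSTED_DIRS)


def hash_rule_allows(contents: bytes) -> bool:
    """Allow only if the contents match an approved digest, wherever the file sits."""
    return sha256_hex(contents) in ALLOWED_HASHES


def evaluate_all(mode: str) -> dict:
    """Return {path: "ALLOW" | "DENY"} for every sample file under one rule type.

    Unknown files are denied: allowlisting is deny-by-default, so the
    absence of a matching rule is itself the decision.
    """
    if mode not in ("path", "hash"):
        raise ValueError("mode must be 'path' or 'hash'")
    verdicts = {}
    for path, contents in SAMPLE_FILES.items():
        allowed = path_rule_allows(path) if mode == "path" else hash_rule_allows(contents)
        verdicts[path] = "ALLOW" if allowed else "DENY"
    return verdicts


if __name__ == "__main__":
    for mode in ("path", "hash"):
        print(f"--- {mode} rule ---")
        for path, verdict in evaluate_all(mode).items():
            print(f"{verdict:5} {path}")
```

The two rule types fail in opposite directions: the path rule allows the altered `acme.exe.bak` because it sits in a trusted directory (so write access to that directory defeats it), while the hash rule denies it but also allows the identical binary copied into a user's Downloads folder, and a hash allowlist must be re-issued with every vendor update. Real deployments usually layer publisher (code-signing) rules on top, but the deny-by-default decision in `evaluate_all` is the part that blocks an unapproved dropper regardless of which rule type is used.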
NACD recently announced a new online cybersecurity learning program for directors. The multi-module course aims to enhance directors’ understanding of cybersecurity, and the difference between the board’s and management’s responsibilities related to cyber risks. Participants in the program, which is the product of partnership between NACD, Ridge Global, and the CERT Division of Carnegie Mellon University’s Software Engineering Institute, will work through a cyber-crisis simulation and take a comprehensive exam. Successful completion of the program will earn the participant a CERT Certificate in Cybersecurity Oversight.
Despite this call to action, overcoming short-termism remains a stark challenge for many companies. In fact, as the National Association of Corporate Directors’ (NACD) 2015 Blue Ribbon Commission observed, “factors encouraging a short-term focus are stronger now than ever before.” Additionally, in a 2015 report, the Conference Board contemplated whether short-term biases might jeopardize future business prosperity altogether.
Yet if short-termism is a sizable challenge, so too is the commitment to understanding why short-termism is so entrenched as a business practice and the task of mitigating its harmful effects. In July, the Anti-Fraud Collaboration, a group of organizations focused on fighting financial reporting fraud, hosted a webcast titled “Coming to Terms with Short-Termism.” The discussion, which I was privileged to moderate, featured top experts and generated a wealth of useful takeaways for participants across the financial reporting supply chain.
Let’s look at a few key takeaways from the discussion.
1. Acknowledge and Define the Complexities of the Issue
To address the challenge of short-termism, it helps to understand the complexities of what companies are up against. For one thing, “short-termism” doesn’t equate to short-term activity, which isn’t necessarily bad. NACD Chair Karen Horn, director of Simon Property Group, observed at the outset of the webcast that the “long term is made up of many, many short-term actions.”
Another tricky step to understanding the complexities of short-termism is how to define “short-term” at your company. Is it a month? A quarter? A year? “It depends on the company,” said panelist Bill McCracken, president of Executive Consulting Group LLC. McCracken, who previously served as CEO of CA Technologies, added that even within a company the meaning of “short-term” can change according to different contexts, such as strategy or compensation.
2. Think Strategically
However complex a challenge combating short-termism may seem, there are several simple solutions for directors to consider. One of them is this: think strategically. A strategic mindset helps short-term actions align with long-term goals. “Boards really need to be conversant with the company strategy,” said Horn. McCracken agreed, noting that board members should become “activist directors” who immerse themselves in the details of the company, its strategy, and its industry. This engaged approach, he added, can help directors be prepared to handle situations such as share buybacks or changes to dividend policy where questions of short-termism may arise.
Similarly, strategic thinking can also help directors gauge the validity of the use of non-GAAP measures. “Shouldn’t the use of non-GAAP measures also tie in to the strategy of the entity?” asked Douglas Chia, executive director of the Conference Board’s Governance Center. “Absolutely,” responded fellow panelist and KPMG Partner Jose Rodriguez.
3. Strengthen Tone at the Top…
One danger of short-termism is that it can heighten fraud risk across the enterprise. Companies need to ensure that management is setting the right tone at the top. “I can’t underemphasize tone at the top,” said Rodriguez. “How do [senior executives] talk to employees? Is everything geared around meeting that analyst’s [earnings] expectations?” From his auditor’s viewpoint, he added, “that would be concerning.”
4. …But Don’t Forget the “Mood in the Middle” and “Buzz at the Bottom”
While emphasizing tone at the top, panelists also stressed that short-termism shouldn’t be a point of concern for only senior management. Many instances of fraud, noted Rodriguez, occur outside the C-suite. “It’s middle management and lower management that had to get that sales number to a certain amount of dollars,” he said, and this pressure can lead to channel stuffing or other undesirable activity. Such activity is what audit committees, auditors, and the board ought to be looking for, added Bill McCracken.
5. Dial Down the Emphasis on Quarterly Results
“Our entire [financial reporting] structure is built around quarterly reporting,” said McCracken. While eliminating this quarterly focus might not be possible—or even desirable—panelists agreed that reducing the quarter-to-quarter mindset was an important part of addressing short-termism. “Obviously you can’t get entirely away from that,” said Chia, “but there are ways you can reduce the emphasis and build on the timeline that you think is appropriate—not what you’re being told by the analyst community.”
Fostering robust internal and external communication is a core priority for the Anti-Fraud Collaboration, and communication at all levels was a recurring theme throughout this webcast. When discussing the use of non-GAAP measures, Horn noted that “the chairman of the compensation committee should be talking to the chairman of the audit committee as these measures work their way in to [compensation] programs.”
Likewise, communicating effectively with external investors and other stakeholder parties is critical. “Boards need to really understand investor communications,” said Horn. “The way that we can pursue long-term value creation is in partnership with our investors.”
Times sure have changed. Whether a company’s equity is owned by a few venture capitalists or a league of activist investors, investors today want to have their say about where the company is headed and who is leading it.
Perhaps the time has come for companies, both public and private, to consider better use of an underused and under-appreciated asset that many of them already have and others should acquire: the role of the investor relations (IR) professional. Integral to the board’s oversight of corporate asset allocation (i.e., dividend policy, investment in research and development, external growth through M&A and other measures to return value) is a current understanding of how the securities and capital markets work, characteristics and propensities of investor types, investor attitudes and concerns, and relative values of the enterprise.
Request Reports From Your IR Professional
It is commonplace today for the corporate IR professional to present quarterly market analysis reports to the C-suite and in particular the CEO and CFO, regarding relative market performance, changes in ownership, and current investor perceptions and concerns. In my opinion, such reports should find their way to the board of directors as well, both in formal, written form, and as in-person presentations, inviting questions and discussion—all in an effort to keep the board up to date regarding pertinent market activity and best prepared for contingencies.
In the current market environment, the IR professional requires special and multi-disciplined skill sets that can help a board. As spokesperson for the company and often the proxy for the CEO and CFO with investors, the IR professional must be thoroughly familiar and conversant with the business plan, financial structure and strategy, and the performance of the company. He or she must be aware of and sensitive to Regulation FD (Fair Disclosure), securities laws, and other regulatory imperatives.
Intentionally Include IR Experience and Perspective on the Board
In addition, nominating committees should consider seeking an outside director who has IR experience in addition to other useful boardroom skills. Just as public companies are required to have a financial expert on the audit committee, perhaps boards should be urged to have a skilled investor relations professional among their ranks. While the same might be said of other core disciplines (cybersecurity, finance, human resources, law, marketing, technology, and so forth), the domain of IR knowledge seems worthy of particular consideration at this time of market turmoil and uncertainty. Having IR expertise on the board certainly would make the board smarter and better prepared to deal with myriad corporate and financial decisions within its purview.
The corporate IR professional could be an invaluable asset to the board, as he or she must be cognizant of the pulse of the investment community on specific issues, while bringing this critical perspective to bear on the board’s discussion and decision-making process. The corporate investor relations discipline has evolved significantly over the years out of necessity. No longer simply a stockholder relations functionary, the IR professional is the primary, and sometimes the only daily, interface with owners (as well as prospective owners and market influentials) of the enterprise. The IR professional thus has a keen sense of investor interests and concerns, their perceptions of relative value, and of their voting propensities.
Suggesting the addition of an IR skill set on the board is not to be taken lightly. Recognize that there are numerous skilled and experienced IR professionals available, all of whom, in addition to the aforementioned experiences, know how investors think and know all the hard questions and concerns regarding material corporate events, financial performance, prospects and policies—all in a constantly changing economy.
Robert D. Ferris is an investor relations and crisis counselor and commentator, with more than four decades of experience with both domestic and foreign issuers. A former chairman of National Investor Relations Institute’s Senior Roundtable, his ideas on C-suite communications strategies in challenging corporate situations have been widely published.