Archive for the ‘Risk Management’ Category

Understanding the Cyber Dialogue

December 18th, 2015

Cybersecurity is more than a technological issue—it’s a business issue. In a BoardVision video moderated by Judy Warner—editor-in-chief of NACD Directorship magazine—Mary Ann Cloyd, former leader of PwC’s Center for Board Governance, and Zan M. Vautrinot, former commander of the Air Forces Cyber Command and current director of Symantec, Ecolab, and Parsons Corp., discuss effective cyber-risk oversight, addressing the following questions:

  • How can boards communicate with management about cyber risk?
  • How does cyber risk fit into discussions about risk appetite?

[Image: Cyber Dialogue]

Here are some highlights from that conversation.

Judy Warner: For directors, I think one of the greatest challenges around the issue of cyber is how to engage in an informed conversation with management. And how do they become informed about their oversight roles as they relate to cyber?

Zan Vautrinot: One of the things that was absolutely clear about the private sector and corporate leadership is that they understood how to have a discussion about risks and strategy. The only thing different with cyber is that some of the technology and some of the solution sets are slightly different, but the conversation is the same. It is a discussion about a particular kind of risk and how it relates to the kind of business you are [in].

Warner: Mary Ann, from your perspective, how does that conversation take place, or start to take place, at the board level? And is it a conversation for the full board or a specific committee?

Mary Ann Cloyd: I guess I always say it depends. I never want to be so prescriptive as to tell somebody what they need to do because every board and every committee is different. However, I do think that, given the magnitude of how this affects so many businesses, it’s not a technology issue. It’s a business issue. So, with that, where would you oversee any other business issue at your board? And I’m guessing that a lot of it would belong at the full board, with parts of it delegated down to a committee.

Warner: The NACD recently published a handbook on cyber-risk oversight, and one of the discussions is around risk appetite and where does cyber fit into that equation today. And I know, Mary Ann, you have said we need to think of cyber as any other risk.

Cloyd: I think you bring up two interesting things. [I]n fact, we did a small publication [at PwC’s Board Leadership Center] earlier this year, and we called it “Defining Risk Appetite in Plain English.” What prompted it was I had a director come to me and he said, “Mary, we’re doing our off-site strategy session and we always talk about risk appetite. Do you have a good pre-read that I could give to the board so that they can understand what risk appetite means?” So we did this to really put in plain English, in four pages or less, what the dialog is between management and the board, and how you develop and define your risk appetite. And, to me now—as you have so beautifully put this, Suzanne—cyber is just another part of that risk discussion and how it fits into your overall strategy.

Vautrinot: Right. And if you have already had a discussion about your strategy and those things that are most important to you as a corporate entity, is it the data that is unique that you’ve collected—the information and the access to that information—that makes your corporation unique? Is it the technology or your research and development? Is it your insight into financial transaction or merger and acquisition? Is it [about] manufacturing processes or distribution processes?

Every board and every management team knows what is most important to them being successful as a corporation. It is likely that those things are the areas that [the board] would want to focus on with assessing cyber risk. If you look at that area and say this is what is most important to us as a corporation, and this is the technology that we depend on to do that activity, now I can say that is sufficient or it is insufficient relative to the amount of risk I am willing to accept in that area. There may be other areas that aren’t core to the business, and so you are willing to accept a different amount of risk or put different systems in place that kind of sandbox it—[systems] that put a fence around, or that separate or provide different controls to allow [the lower-risk] activity to run more openly, whereas [higher-risk areas are] much more controlled and much more precious.

Additional NACD resources

NACD’s Director’s Handbook Series: Cyber-Risk Oversight

NACD—Building a Relationship With the CISO

NACD—Assessing the Board’s Cybersecurity Culture

NACD—Cybersecurity Risk Oversight and Breach Response

Four Things Boards Should Know About Global Markets

October 29th, 2015

Companies continue to face significant global economic uncertainty. Although U.S. economic prospects have improved in recent years, structural weaknesses in other regions pose significant challenges for multinational companies. To ensure their organizations thrive in this volatile environment, boards and senior executive teams must pay close attention to regional trends and international politics and how these affect the growing interdependence of markets worldwide. During a presentation at the 2015 NACD Global Board Leaders’ Summit, Kaushik Basu, chief economist and senior vice president of the World Bank Group, identified four major market conditions that will influence the growth prospects for many businesses.

[Image: Emerging Markets speaker Kaushik Basu]

  1. The shape of the post-crisis recovery continues to change. In recent years economists have been hard-pressed to forecast how global markets will behave. After the 2008 financial crisis in the United States, economists initially anticipated a V-shaped recovery, in which the market hits bottom and then recovers. As it became clear that the recession would continue, they altered their predictions, asserting that the recovery would be U-shaped instead. When the European debt crisis occurred, economists then foretold a W-shaped recovery. The lesson seems to be that economic cycles have become less predictable and no longer adhere to historical patterns. In response to this increased uncertainty, directors and management teams must now expand their strategic planning process to incorporate a range of possible economic scenarios.
  2. The economic fortunes of emerging economies are not uniform. Brazil, India, and China are often touted as emerging centers of economic power; however, in the past year only India and China saw growth in their gross domestic products, while Brazil—which has endured corruption scandals, tax increases, and spending cuts—has experienced virtually no economic growth. When discussing potential investments in these foreign markets, boards should require management to provide forward-looking country assessments in order to responsibly evaluate the potential risks and rewards.
  3. Economies are porous. Directors need to be aware that local economies are inextricably intertwined, and that deteriorating economic conditions in one country can therefore spread quickly to other nations. For example, the ramifications of slowing growth in China are significant because so many countries are increasingly dependent on continued Chinese investments and consumption. Africa, Latin America, and Germany are likely to suffer most as major exporters to China. Conversely, India’s economic growth has recently accelerated, due in part to structural tax reforms that have created a more welcoming investment climate, resulting in a rapid surge of foreign direct investment in 2014.
  4. Increasingly disparate monetary policies among the developed nations will have global economic ramifications. Directors will be expected to understand the consequences of divergent policies—especially those of developed countries—for the world’s biggest economic blocs. For example, the Federal Reserve is debating a possible rise in interest rates after seven consecutive years of record-low borrowing costs. While a rate hike would ostensibly strengthen the U.S. dollar by encouraging investment in this country, it could also raise the prices of U.S. exports and undercut the economic viability of U.S. products in foreign markets. In the Eurozone, the European Central Bank (ECB) has in recent years maintained loose fiscal policies, increasing the supply of money flowing through international markets in hopes of facilitating economic recovery. A U.S. interest-rate hike would result in a weaker euro, which in turn could lead to a boost for Eurozone economies because buying trends would begin to favor domestic products. On the other hand, tighter U.S. fiscal policies could readily be undone by the ECB injecting even more liquidity into the markets to keep euro values low and maintain the viability of Europe’s export market. Emerging markets, too, might experience a negative impact from these proposed policy changes. Because they have been borrowing money in U.S. dollars at near-zero rates, these countries will almost certainly see an increase in debt and decreased economic growth if U.S. interest rates rise.

A Former White House CIO Discusses Data Hygiene and Cybersecurity Strategies

October 15th, 2015

Consumers in the digital marketplace rarely think twice about allowing companies access to their personal information, and the companies that are amassing this data are enjoying the unprecedented business opportunities that such access entails. This exchange of information does, however, come with substantial liability risks: that information can easily fall into the wrong hands. This feature of the e-commerce landscape is causing both consumers and companies to ask: Is privacy dead in the Information Age? To explore this question, NACD Directorship editor-in-chief Judy Warner sat down with Theresa Payton, former White House Chief Information Officer and founder of the consulting company Fortalice, during a Monday evening session at the 2015 NACD Global Board Leaders’ Summit.

[Image: Theresa Payton at the 2015 Global Board Leaders' Summit]

In short, privacy isn’t dead, but our concept of privacy is undergoing a transformation. Payton said that as business leaders and consumers, we need to have serious conversations about what the new—and correct—lines of privacy are. “We own some responsibilities as business leaders and government officials,” she said. “Data is hackable and breaches are inevitable. Don’t aid and abet hackers.”

It turns out that companies are inadvertently aiding and abetting hackers. First, some organizations fall victim to their own outdated view of how to build cyber defenses: set up as big a firewall as you can around the company’s data assets, install anti-malware and antivirus software, done. This is a losing defensive strategy; it fails to take into account the mechanics of how and why major breaches continue to happen.

According to Payton, companies with poor data hygiene are the most susceptible to cyberattacks. When companies kept analog files, they would shred records when storage space was exhausted or when data reached a certain age. In a digital environment, storage space is cheap and seemingly limitless, meaning that data can—and probably will—live on servers for years. As time goes on and a company reorganizes, that data is forgotten, creating prime points of entry for hackers. Adopting a data-“shredding” strategy is imperative.

In addition, the tools needed to hack into a system have become both affordable and readily available. Now anyone can be a hacker—and those who have chosen this path grow more adept at their craft every day. Taken altogether, this is a recipe for potential disaster.

Payton outlined best practices for maintaining optimal data hygiene:

  • Don’t keep all of your data in one place. For data you need to retain, “segment it to save it.” In other words, divide that information among multiple digital locations so that if one location is compromised, a hacker hasn’t gained access to the entirety of the data the company holds.
  • Create rules around when you no longer need data and set a schedule for “shredding” it.
  • “Shred” any data that you don’t need. Keep only data related to the attributes of consumer behaviors and get rid of the specifics (e.g., names and social security numbers). Doing so will reduce your risk of being held accountable when a breach happens.
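The three practices above (segment what you must keep, shred on a schedule, keep behavioral attributes but drop the specifics) can be turned into one auditable routine. The Python script below is an added example, not code from the NACD post, from Payton or from Fortalice; the retention window, the record layout, the field names and the sample records are all assumptions constructed for illustration.

```python
"""Data-hygiene pass: shred on schedule, strip specifics, segment what you keep.

Added example, not code from the NACD post or from Fortalice. The retention
window, field names and sample records are assumptions made for illustration.
"""
import hashlib
import hmac
from datetime import date

# Fields that identify a specific person (the "specifics" to shred or segment).
DIRECT_IDENTIFIERS = ("name", "ssn", "email")

# Assumed policy value: purge a record once it has been inactive this long.
RETENTION_DAYS = 365

# Constructed sample records; every value is fictional.
SAMPLE_RECORDS = [
    {"customer_id": "c-1001", "name": "Alice Example", "ssn": "000-00-0001",
     "email": "alice@example.test", "region": "east",
     "last_activity": "2015-09-01", "purchases": 4, "avg_order": 52.10},
    {"customer_id": "c-1002", "name": "Bob Example", "ssn": "000-00-0002",
     "email": "bob@example.test", "region": "west",
     "last_activity": "2013-02-14", "purchases": 1, "avg_order": 12.00},
    {"customer_id": "c-1003", "name": "Carol Example", "ssn": "000-00-0003",
     "email": "carol@example.test", "region": "east",
     "last_activity": "2014-11-20", "purchases": 9, "avg_order": 88.75},
    {"customer_id": "c-1004", "name": "Dave Example", "ssn": "000-00-0004",
     "email": "dave@example.test", "region": "north",
     "last_activity": "2014-10-01", "purchases": 2, "avg_order": 30.00},
]


def is_expired(record, today, retention_days=RETENTION_DAYS):
    """True when the record's last activity is older than the retention window."""
    last = date.fromisoformat(record["last_activity"])
    return (today - last).days > retention_days


def segment_token(customer_id, key):
    """Opaque link between the two stores: an HMAC over the internal id.

    The key is assumed to live with the identity store only, so the attribute
    store cannot be joined back to a person without it.
    """
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()[:16]


def run_hygiene(records, today_iso, key, retention_days=RETENTION_DAYS):
    """Apply the three practices; return (identity_store, behaviour_store, shredded).

    identity_store: token -> direct identifiers still needed within retention
    behaviour_store: attribute-only records with no names, SSNs or e-mail addresses
    shredded: number of records dropped entirely for exceeding the retention window
    """
    today = date.fromisoformat(today_iso)
    identity_store = {}
    behaviour_store = []
    shredded = 0
    for rec in records:
        if is_expired(rec, today, retention_days):
            shredded += 1  # "shred": nothing from this record is kept anywhere
            continue
        token = segment_token(rec["customer_id"], key)
        # Segment: identifiers go to one store ...
        identity_store[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        # ... and only behavioural attributes go to the other.
        attrs = {f: v for f, v in rec.items()
                 if f not in DIRECT_IDENTIFIERS and f != "customer_id"}
        attrs["token"] = token
        behaviour_store.append(attrs)
    return identity_store, behaviour_store, shredded


def audit_behaviour_store(behaviour_store):
    """Return any identifying fields found in the attribute-only store (expect none)."""
    leaked = set()
    for rec in behaviour_store:
        leaked.update(f for f in DIRECT_IDENTIFIERS + ("customer_id",) if f in rec)
    return sorted(leaked)


if __name__ == "__main__":
    key = b"assumed-secret-held-by-identity-store"
    ids, attrs, gone = run_hygiene(SAMPLE_RECORDS, "2015-10-15", key)
    print(f"shredded={gone} kept={len(attrs)} leaked={audit_behaviour_store(attrs)}")
```

Run as a script it reports two records shredded for age and two kept, with the audit finding no identifying fields in the attribute store. The audit function is the check worth keeping in a real pipeline: it is cheap, and it catches the common failure where a new identifying column is added upstream and silently flows into the analytics copy.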

Furthermore, she stressed that directors should be sure to ask certain questions as they work with management to hone the company’s cybersecurity strategies:

  • Have we identified our top critical assets—those that if held for ransom, lost, or divulged, would destroy us as a company?
  • Who has access to those assets? How do we grant access?
  • Have we drilled for a cyber breach disaster?
  • Do we have a liability plan that will cover the board should critical assets be breached?