
Board Oversight of Cyber Risk in the Wake of the Yahoo Breach


The major cyber breach that Yahoo announced last week has ripple effects not only for the multimedia platform, but for every company. The incident already has caught the attention of a senator who is calling on the U.S. Securities and Exchange Commission (SEC) to investigate how Yahoo disclosed the breach to shareholders and the public.

Background on the Breach

Ashley Marchand Orme


Account data for at least 500 million users was stolen by what Yahoo has called a “state-sponsored actor” in what CNN Money calls one of the largest data breaches ever. Compromised information includes names, email addresses, phone numbers, dates of birth, encrypted passwords, and security questions.

Yahoo has not named a country of origin for the hacker. The company, which Verizon is seeking to acquire, is still one of the busiest online sites, boasting one billion monthly users.

The breach occurred in late 2014, according to Yahoo, but the company just disclosed the incident in a press release dated Sept. 22, 2016. The Financial Times reports that Yahoo CEO Marissa Mayer may have known about the breach as early as July of this year, raising questions as to why it wasn’t disclosed sooner.

Attention From Lawmakers

Sen. Mark R. Warner (D.-VA), a member of the Senate Intelligence and Banking Committees and cofounder of the Senate Cybersecurity Caucus, sent a letter to the SEC yesterday asking the agency to investigate whether Yahoo complied with federal securities law regarding how and when it disclosed the incident.

“Data security increasingly represents an issue of vital importance to management, customers, and shareholders, with major corporate liability, business continuity, and governance implications,” the senator wrote.

Warner—who cofounded the company that became Nextel, a wireless service operator that merged with Verizon—also told the SEC that “since published reports indicate fewer than 100 of approximately 9,000 publicly listed companies have reported a material data breach since 2010, I encourage you to evaluate the adequacy of current SEC thresholds for disclosing events of this nature.”

And Warner isn’t the only lawmaker pushing for increased cyber regulations. Earlier this month, New York Governor Andrew Cuomo (D-NY) announced proposed cybersecurity regulations to increase the responsibility of banks and insurers to protect their information systems and customer information. The regulations, if instated, would apply to companies regulated by the New York Department of Financial Services (NYDFS) and would require them to—among other steps—establish a cybersecurity policy and incident response plan. Companies would also have to notify the NYDFS within 72 hours of any cyber event that is likely to affect operations or nonpublic information.

The Boardroom Response

Any company—whether public, private, or nonprofit—can fall prey to a breach, and even companies with formal cybersecurity plans can find themselves the victims of a breach. Preliminary data from the 2016-2017 NACD Public Company Governance Survey show what corporate directors are already doing to oversee cyber-related risks.

When asked which cybersecurity oversight practices the survey respondents’ boards had performed over the past 12 months—and directors could select multiple answers—the most common responses included:

  • Reviewed the company’s current approach to protecting its most critical data assets (76.6%)
  • Reviewed the technology infrastructure used to protect the company’s most critical data assets (73.6%)
  • Communicated with management about the types of cyber-risk information the board requires (64.4%)
  • Reviewed the company’s response plan in the case of a breach (59.3%).

“Corporate directors should ask management for an accurate and externally validated report on the state of the organization with respect to cyber risk,” said Robert Clyde, a board director for ISACA, which is a global IT and cybersecurity professional association, and White Cloud Security. “They should also ask what framework is being followed for IT governance.”

Aside from high-profile breaches of emails and email providers, Clyde says that breaches related to ransomware are increasing.

“Ransomware encrypts data that can only be decrypted by paying the attacker a fee in Bitcoins. According to the NACD Cyber-Risk Oversight Handbook and many other organizations, the key control to reduce the risk of attack—including ransomware—is restricting user installation of applications, called ‘whitelisting’ or ‘Trusted App Listing,’” Clyde said. “Yet this highly recommended control is rarely implemented. Boards should ask organizations for their plans to implement this specific control.”

NACD Resources

NACD recently announced a new online cybersecurity learning program for directors. The multi-module course aims to enhance directors’ understanding of cybersecurity, and the difference between the board’s and management’s responsibilities related to cyber risks. Participants in the program, which is the product of partnership between NACD, Ridge Global, and the CERT Division of Carnegie Mellon University’s Software Engineering Institute, will work through a cyber-crisis simulation and take a comprehensive exam. Successful completion of the program will earn the participant a CERT Certificate in Cybersecurity Oversight.

For board-level tools and templates to fortify your oversight practices, visit NACD’s Cyber-Risk Oversight Resource Center.



Global Volatility Seems Limitless


This is the second of a three-part series looking at the global economy and uncertainty in 2016. In our first post, we addressed the challenges of slow growth in developed and emerging markets. In our next post, we will focus on the outlook for 2017.


DJ Peterson, President, Longview Global Advisors

Businesses need supportive, stable political and legal institutions to prosper, yet the global landscape has become increasingly unstable as many once-implausible events have become realities.

Since the start of 2016, the United Kingdom has voted itself out of the European Union. The U.S. Republican Party is pulling itself apart over policy and personalities. In Europe, fences are replacing open borders and Jihadi terrorists are targeting festivals, shopping centers, churches, and other public gathering places. Investors pay to lend their money to governments even as debt risks mount.

In conversations, business leaders and directors repeatedly express surprise and concern at the turn of events. What’s fueling this instability? Are recent events indicative of a “new normal,” a brief detour, or a transition to a new equilibrium? And, as the end-of-year business strategy season approaches, what should corporate directors and executives focus on?

Each country has unique characteristics, but there are some important interdependencies. Four powerful, converging political forces are at play.

1. Slow growth is fueling political volatility

As noted in a previous post, global growth has been muted and uneven since the global financial crisis, prompting some economists to ask whether the world has entered a period of “secular stagnation.” Energy and commodities exporters such as Australia, Brazil, Russia, and countries in much of Africa have been particularly hard hit.

Economic hardship often leads to political volatility, but there is a larger political force at play today: A lack of policy consensus and latitude. To turn the situation around, global financial institutions have been calling on governments to undertake bold structural reforms and assertive stimulus measures such as investing in infrastructure. But thanks to large debt piles and continuing calls for austerity from fiscal hawks, big spending increases are not politically feasible in the U.S. and Europe. Emerging markets dependent on commodities exports have been forced into belt-tightening mode as well. The inability of governments to reignite growth has forced central bankers to step into the breach with extraordinary measures.

Policymakers struggle to reignite growth, people are disaffected, and the sum of this instability is the political uncertainty and volatility we are experiencing today.

2. Inequality is adding to political frustrations

Free market liberalism is predicated on creating economic opportunity, but the benefits have not been shared. In many countries, inequality has surged since the 1980s. More recently, quantitative easing, a response to slow growth, has lifted a few boats greatly. In the past, governments often played the role of an equalizer; now proximity to political power is seen as conferring huge economic benefits, creating the belief that “the system” is not fair.

Free trade could be a casualty of increasing inequality and diminished opportunity. The perception that the benefits of globalization accrue disproportionately to certain segments of the population while the losers are left to fend for themselves is pervasive. Anti-immigrant sentiment is another by-product of limited opportunity.

Animosity towards politically connected elites in authoritarian markets is kept in check by repression. Open societies may be more at risk of economic and political polarization. As we see with Brexit, the pushback against globalization, and with the rise of anti-immigrant pressures, middle-ground policy pragmatism—a hallmark of stable democracy—is losing credibility in a world of economic resentments.

3. Populists are exploiting the governance gap

The widespread belief that establishment elites are incapable of solving important problems has created a volatile atmosphere where disaffected voters are willing to take risks and throw wrenches.

Private sector entrepreneurs exploit gaps in the market and find new ways to satisfy needs. Political entrepreneurs do the same in the public sphere: They take advantage of volatility, peddle new solutions (often from both left and right), and break rules.

Dramatic, frustration-driven policy stances of political entrepreneurs make compelling platforms—such as Philippine President Rodrigo Duterte’s anti-drug dealer campaign and French presidential candidate Marine Le Pen’s anti-immigrant stance. Donald Trump and Bernie Sanders are political entrepreneurs too.

But that’s only half the story. In this context, calls for pragmatism and staying the course (“Vote Remain!”) from establishment figures sound tired, if not suspect.

4. Social media is catalyzing volatility

Thanks to social media, populists can peddle their ideas with greater ease than previously seen, without having to adhere to the agenda of establishment media and institutions. (The self-described Islamic State is the most extreme example.) Being provocative is essential to gaining visibility in today’s crowded media landscape and this imperative promotes extreme points of view and places pressures on policymakers to react—even though in representative democracies governments are designed to be deliberative and consensual.

Just as individuals may be overwhelmed by the pace and quality of information flows, so too can governing institutions that were built to be slowed by checks and balances. Few would say policymaking in the U.S. has improved over the past couple of decades thanks to better information. Nationalism, ethnocentrism, and religious animosities seem more powerful than ever.

What can corporate directors do?

Western multinationals can no longer take political stability for granted. In these volatile times, directors have an important role to play in asking the right questions and discerning material risks and opportunity in a time of uncertainty.

  • Integrate political and economic risk assessment into corporate strategy setting. The political forces outlined above are unlikely to change in the foreseeable future, which suggests a number of scenarios. Slow growth and low interest rates are likely to persist. The U.S. presidential election is unlikely to fundamentally change the country’s political climate for the better—indeed, it could lead to more disaffection, polarization, and gridlock. Uncertainty will increase in Europe with Brexit negotiations and national elections in France and Germany in 2017. Boards should pressure test macro-assumptions from management about the external environment affecting strategy over the next 12-24 months. What are the most important moving variables and how will they affect growth prospects?
  • Look for pockets of opportunity. Volatility creates opportunities as well as risks. Good governance and sound policies are differentiators between countries poised to sustain relatively stronger economic performance, and those that will continue to face serious challenges in volatile markets. Watch for improving and more agile governance in Brazil, Colombia, Argentina, India, and Myanmar.
  • Evaluate the firm’s societal commitments. Proactive companies are seeking to address today’s societal challenges rather than just defend themselves from risks. There is a business case for promoting more inclusive growth: Work by International Monetary Fund researchers has shown that, around the world, higher levels of income inequality are correlated with slower growth. Higher wages support increased consumer spending and broader prosperity. On the other hand, failing to address inequality and other societal ills risks lowering productivity and leading to more regulation, taxation, and labor radicalization.

NACD’s Global Board Leaders’ Summit, themed around the issue of convergence, will have dedicated sessions on global economic and political disruption, featuring subject-matter experts and seasoned directors. Review the Summit agenda to attend Peterson’s and others’ sessions addressing global disruption.

Experience the Technologies Changing Our Future


At NACD’s Master Class this August, directors from companies like Boingo Wireless Inc., Colgate-Palmolive Co., Kimberly-Clark Corp., GameStop Corp., and the Royal Bank of Canada convened in Laguna Beach, California, for peer-to-peer discussions on strategy, risk, and leading through disruption. One common thread ran throughout the discussions: companies expend enormous resources and efforts to mitigate cyber, geopolitical, and other threats, but they have yet to allocate the same attention to technology disruption. Kelvin Westbrook—president and CEO of KRW Advisors LLC, and a director of Archer Daniels Midland Co., Stifel Financial Corp., and T-Mobile US Inc.—framed the issue this way for Master Class participants: “Companies can survive cyber data breaches, but many don’t survive innovative technology disruption. It’s a bigger deal that we need to address.”


A prosthetic hand created using low-cost 3-D printing technology was demonstrated at the 2015 Global Board Leaders’ Summit. Photo by Denny Henry.

This year’s Global Board Leaders’ Summit puts technology and disruption front and center, with a variety of leading-edge speakers and sessions that focus on these themes. But more than just convening discussions, the director community gets hands-on experience with emerging trends via Innovation Nation. This popular feature, launched at last year’s Summit, is back once again, featuring an even more robust cross-section of the trends, technologies, and innovations that are disrupting your businesses and shaping your world. This year’s exhibits include opportunities to immerse yourself in virtual reality, experience the sharing economy at work, and see the latest in drone technology up close. Here is a sampling of who will be on hand:

  • Dancing With the Start-Ups, a new feature modeled after the popular show Shark Tank, builds on popular sessions from past Summits that gave directors a chance to “Meet the Disruptors.” This fast-paced competition will feature 12 companies across three key industries—healthcare, financial services, and energy—to showcase the latest and greatest in emerging business. Both the competition and a booth showcasing the startup talent in Innovation Nation will offer Summit attendees the chance to meet the entrepreneurs who are hoping to be your next competitors in the marketplace. For those who can’t make the Sunday session, or who just want to get to know the companies a little better, swing by Innovation Nation to learn more about innovative new ways to diagnose malaria, the latest in solar energy technology, the intersection of market data with sustainability, and much more.
  • Dave Meadows is a self-described “lifelong ‘tinkerer’ and inventor”—inclinations that served him well in his former role as a senior research and development executive with Novartis International AG. Several years ago, Meadows set out to solve a problem that has plagued wine drinkers for nearly 9,000 years—adverse physical reactions, especially when drinking reds. Five years later, The Wand was born. This invention removes 95 percent of the histamines and sulfite preservatives from wine. The result—a whole legion of wine enthusiasts who had previously learned to avoid wine can once again partake without the fear of headaches and other adverse reactions. You can experience the power of The Wand firsthand and talk to Meadows about his work in the areas of medical diagnostics, sports medicine, and consumer packaged goods.
  • Big data and analytics are driving the growth of nearly every business, from heavy hitters like General Electric and Alibaba to early stage start-ups and family farms. This new trend is poised to transform industries, power new business models, enable innovation, and create greater value. According to research from International Data Corporation, worldwide revenues for big data and analytics will grow to $187 billion by 2019—a 50 percent increase from revenues in 2014. But Powerlytics Inc. cofounder Kevin Sheetz cautions that, when it comes to data, big doesn’t mean better, and behind the hype are a number of critical questions boards should be asking to ensure their companies are taking full and smart advantage of this trend. Sheetz will be at the Summit to give directors real-time interaction with the company’s platform, which aggregates publicly available consumer and business financial data from sources like IRS tax returns, the U.S. Census Bureau, and the U.S. Department of Labor.
  • February 15, 2011 became a milestone in both game show and artificial intelligence (AI) history, as the IBM-designed supercomputer, Watson, bested previously undefeated players Ken Jennings and Brad Rutter to win Jeopardy! The Watson team has been hard at work in the intervening five years to use natural language processing and machine learning to make sense of large amounts of unstructured data. IBM developers will be available to demo this technology and answer questions about the intersection of AI and analytics.
  • The Internet of Things (IoT) is reshaping the business landscape in ways that aren’t yet fully understood. The U.S. Department of Transportation (USDOT) is one of many organizations harnessing the IoT to save lives. According to data from the National Highway Traffic Safety Administration (NHTSA), there were more than six million police-reported crashes on U.S. roads in 2015. While the number of people surviving car accidents has increased significantly thanks to airbags, antilock brakes, and other technology, USDOT’s Connected Vehicles program aims to stop many of those crashes from happening in the first place. This unique partnership between state and local transportation agencies, vehicle and device makers, and the public, aims to test and evaluate technology that will enable motor vehicles, roads and other infrastructure, and devices to “talk” to one another so every vehicle on the road is aware of the position of other nearby vehicles. Chris Gerdes, USDOT’s chief innovation officer, will discuss the program Monday on the main stage. Swing by the Innovation Nation to check out this technology, learn more about how you can bring the program to your home city, and get inspiration for how the IoT might just help your own business survive and thrive.

These are just a few snapshots of the incredible line-up of thought leaders and emerging technology at next month’s Summit. Want to learn more? View the full list of speakers and sessions at