One of my favorite comments from an attendee at last year’s Global Board Leaders’ Summit went something like this: “I was expecting to be informed; I wasn’t expecting to be inspired.” For a team that works year-round scouring the globe to discover and deliver to you voices that are shaping the future, that’s about as good as it gets.
This year’s Global Board Leaders’ Summit is on track to be our biggest ever, and one big feature of the Summit remains the same: a diverse array of thought leaders will share paradigm-shifting insights that will challenge the way you think about leadership, give you new tools to approach your directorship practice, and perhaps inspire you in surprising ways.
Here’s a sampling of some of the most exciting sessions at Summit this year:
Michelle Crosby’s start-up Wevorce is not only shaking up Silicon Valley, it’s turning the historic, antagonistic model of divorce on its head. The company’s mission is to “help couples ensure their divorce is less damaging to themselves, their finances, and the people they love.” Crosby was named one of the American Bar Association’s Legal Rebels in 2014, a distinction reserved for “lawyers who are breaking new ground using technology.” “Every institution is subject to change, and the more entrepreneurs who learn to work in the system to create that change, the further we’re going to get,” Crosby said in an interview with USA Today. In an intimate fireside chat, Crosby will discuss innovation, entrepreneurship, disruption, and how the company applies the Wevorce model to talent management inside the company.
Howard Ross, one of the most highly rated thought leaders at last year’s Summit, is back again to share insights from his groundbreaking work on unconscious bias, diversity, leadership, and organizational change. The question directors should ask themselves, says Ross, is not “Is there bias?” Rather, directors should ask one another, “What biases do we have that keep us from making choices counter to the values that we say we believe in?” Ross will open the Diversity Symposium on Saturday and will lead an in-depth workshop on Monday focusing on board dynamics.
The United Nations estimates that by 2025, two-thirds of the world’s population may face fresh water shortages, a critical concern for business and society. Whitewater rafting guide turned CEO Pat Crowley is betting that the solution to that crisis might literally be in our backyards. Crowley’s passion for the outdoors led him to work as a water resource planner, which drew his curiosity to crickets, of all things. “I heard about insects as a more environmentally friendly form of nutrition. From a water perspective, it was clearly a game-changer,” he said. Crowley founded Chapul, a company that makes cricket-based energy bars, in 2012, “to leap over this psychological hurdle of eating insects in the United States.” With explosive growth—500 percent annually for the past two years alone—Crowley is on track to break through those barriers. On the Summit mainstage on Monday, Crowley will discuss what it means to be part of building a new industry that is challenging societal norms, reshaping the competitive landscape, and may just help save the planet.
Phil Gilbert has been working with start-ups for the past 30 years, the most recent of which was acquired by IBM in 2010. Now Gilbert leads IBM’s design team with a focus on an empathy-centered workforce. Bringing a start-up mentality to a 100-year-old company can be a challenge, and almost immediately Gilbert was forced to confront a disconcerting question: “Is the entire way we’re working an anachronism?” Embracing that hard truth has been nothing short of transformational. Gilbert comes to the Summit mainstage to discuss lessons learned in this transformation. “We’re at an interesting crossroads in business. I think the way business is done and businesses work inside themselves has got to fundamentally change in the twenty-first century,” he said.
As managing director of famed Silicon Valley venture capital firm Andreessen Horowitz, Scott Kupor has been part of building brands like Airbnb, Buzzfeed, Facebook, Foursquare, Lyft, Pinterest, and Skype—companies that have become synonymous with disruption. “Things that are fringe today might become mainstream over time,” Kupor explained on Fox News back in June, describing the philosophy that underpins Andreessen Horowitz’s approach to finding the next disruptive trend. In a mainstage fireside chat Tuesday, Kupor will discuss this philosophy in the context of everything from M&A activity and shareholder activism to IPO trends and the next big innovations he sees poised to disrupt the business landscape.
When Chelsea Grayson took on the role of general counsel at American Apparel, she faced a daunting task: to help turn around a company that was operating in an increasingly competitive industry and was coming off of a tumultuous series of events, including high-profile sexual harassment allegations, layoffs, bankruptcy, and protests. In February, Grayson told the legal blog Above the Law, “I have been in-house for over a year now, and I have encountered just about every legal issue a general counsel might experience in an entire career.” Next month, Grayson will share her insights on governing complexity, a subject she has become adept at navigating during her tenure at American Apparel.
These are just a few snapshots of the incredible line-up of thought leaders who will join us in September. Want to learn more? View the full list of speakers and sessions at www.NACDonline.org/summit.
The dust settled recently on another chapter of the Target Corp. data breach litigation. Although the five shareholder derivative lawsuits filed against Target’s officers and directors have been dismissed, they underscore the critical oversight function played by corporate directors when it comes to keeping an organization’s cyber defenses up to par. While the ink isn’t quite dry on the court papers, it’s time to start reflecting on the lessons of the skirmish.
In the midst of the 2013 holiday shopping season, news leaked that hackers had installed malware on Target’s credit card payment system and lifted the credit card information of more than 70 million shoppers. That’s almost 30 percent of the adult population in the U.S.
Predictably, litigation was filed, regulatory and congressional investigations commenced, and heads rolled. Banks, shareholders, and customers all filed lawsuits against the company. Target’s CEO was shown the door.
And Target’s directors and officers were caught in the crossfire. In a series of derivative lawsuits, shareholders claimed that the retailer’s board and C-suite violated their fiduciary duties by not providing proper oversight for the company’s information security program, not making prompt and accurate public disclosures about the breach, and ignoring red flags that Target’s IT systems were vulnerable to attack.
The four derivative cases filed in federal court were consolidated (one derivative lawsuit remained in state court) and Target’s board formed a Special Litigation Committee (SLC) to investigate the shareholders’ accusations. The SLC was vested with “complete power and authority” to investigate and make all decisions concerning the derivative lawsuits, including what action, if any, would be “in Target’s best interests.” Target did not appoint sitting independent directors but retained two independent experts with no ties to the company—a retired judge and a law professor. The SLC conducted a 21-month investigation with the help of independent counsel, interviewing 68 witnesses, reviewing several hundred thousand documents, and retaining the assistance of independent forensics and governance experts.
On March 30, 2016, the SLC issued a 91-page report, concluding that it would not be in Target’s best interest to pursue claims against the officers and directors and that it would seek the dismissal of all derivative suits.
Minnesota law, where Target is headquartered, provides broad deference to an SLC. Neither judges nor plaintiffs are permitted to second-guess the SLC members’ conclusions so long as the committee’s members are independent and the SLC’s investigative process is “adequate, appropriate and pursued in good faith.” By these standards, U.S. District Judge Paul A. Magnuson recently dismissed the derivative cases with the “non-objection” of the shareholders, subject to their lawyers’ right to petition the court for legal fees.
Target isn’t the only data-breach-related derivative case filed by shareholders against corporate officers and directors. Wyndham Worldwide Corp.’s leadership faced derivative claims relating to three separate data breaches at the company’s resort properties. After protracted litigation, the derivative claims were dismissed in October 2014, in large measure because Wyndham’s board was fully engaged on data security issues and was already at work bolstering the company’s cybersecurity defenses when the derivative suit was filed. A data-breach-related derivative action was also filed against the directors and officers of Home Depot, which remains pending.
Despite the differences between the Target and Wyndham derivative suits, both cases contain important lessons for corporate executives and sitting board members.
Treat data security as more than “just an IT issue.” Boards must be engaged on data security issues and have the ability to ask the right questions and assess the answers. Board members don’t know what they can’t see. Developing expertise in data security isn’t the objective; rather, it’s for directors to exercise their oversight function. Board members can get cybersecurity training and engage outside technical and legal advisors to assist them in protecting their organizations from data breaches.
Evaluate board information flow on cybersecurity issues. How are board members kept up-to-date on data security issues? Are regular briefings held with the chief information officer (CIO) to discuss cybersecurity safeguards, internal controls, and budgets? Boards might also consider appointing special committees and special legal counsel charged with data security oversight.
Prepare for cyberattacks in advance. Boards should ask tough questions about their organization’s state of preparedness to respond to all aspects of a cyberattack, from reputational risk to regulatory implications. Get your house in order now, not during or after an attack. Not surprisingly, multiple studies—including the Ponemon Institute’s 2016 Cost of Data Breach Study—suggest that there is a correlation between an organization’s up-front spending on cybersecurity preparation and the ultimate downstream costs of responding to a breach.
Decide whether and when to investigate data breaches. Before hackers strike, boards must decide whether and when to proactively investigate the breach, wait to see if lawsuits are filed, or wait to see if regulators take notice. Regardless, boards should be prepared to make this difficult decision, which will establish the tone of the company’s relationship with customers, shareholders, law enforcement, regulators, and the press.
Develop a flexible cyber-risk management framework. Cyber-risk oversight isn’t a one-time endeavor, nor is there a one-size-fits-all solution. The threat environment is constantly changing and depends, in part, on a company’s sector, profile, and type of information collected and stored. While cyber-criminals swiped credit card data in the Target and Wyndham cases, the threat environment has escalated to holding organizations hostage for ransomware payments and stealing industrial secrets.
Cybercrime is scary and unpredictable. It poses risks to a company’s brand, reputation, and bottom line. Board members are on the hot seat, vested with the opportunity and responsibility to oversee cybersecurity and protect the company they serve.
Craig A. Newman is a litigation partner in Patterson Belknap Webb & Tyler LLP and chair of the firm’s Privacy and Data Security practice. He represents public and private companies, professional service firms, nonprofit institutions, and their boards in litigation, governance, and data security matters. Mr. Newman, a former journalist, has served as general counsel of both a media and technology consortium and a private equity firm.
I watched with interest as Senators Jack Reed (D-RI) and Susan Collins (R-ME) advanced bipartisan legislation that would require companies to disclose whether they have a director with cyber expertise on the board, and if not, why. Regardless of whether it passes, The Cybersecurity Disclosure Act of 2015 has apparently widened the door for shareholders and regulators to increase their pressure on boards and hold them more accountable for being proactive about understanding the company’s cybersecurity risk.
As someone who has witnessed the global cybersecurity battlefield at close range for over 14 years, I wholeheartedly agree that boards should increase their knowledge of cyber-related risks and engage more proactively with the company’s strategy for mitigating them. Yet for boards to rise to Sen. Reed’s challenge that companies “have the capacity to protect investors and customers from cyber-related attacks,” it’s important to solve for the problem and not just the perception. Electing a cyber expert to the board could certainly be helpful for companies. However, it may not be practical at this time. Nor does it solve for capacity.
No matter what risks they oversee, from financial to geopolitical, board members have an obligation to avail themselves of the right information to make informed decisions that safeguard shareholder value. This is no less true of cybersecurity risk. In order to empower an effective security program, the board should seek the right information and expertise on which to base its decisions about tolerance, investment, policy, and practice. That information includes, but is not limited to, a solid understanding of the threats, the results of a well-prepared cybersecurity risk assessment, and a roadmap that articulates desired outcomes and metrics for monitoring effectiveness.
Companies are trying to answer the questions: “How do we know if we’re making a reasonable and appropriate effort to mitigate these risks?” and “How do we measure and rationalize our security investment in the context of corporate strategy and risk tolerance?” I believe boards and their committees should oversee cyber risk in much the same way the audit process manages financial risk.
Seek a balanced view of Information Technology (IT) security and IT enablement. Give both sides adequate time on the boardroom agenda at each meeting. You’ll gain insights on how strategic initiatives add risk so they are addressed earlier with less disruption, but you’ll also have the added benefit of exploring how security can enable those initiatives.
Ask whether the cybersecurity program has early warning capabilities that reduce time-to-respond. And if not, ask when to expect them. The goal is resilience, not the elimination of risk. Defense is not the endgame. The goal is to reduce the time it takes to detect and respond to the threats targeting your company’s digital assets. Early response is the cornerstone of mitigating risk and damage. Boards should ask if there is a one to three year roadmap for achieving an early warning system that increases visibility and applies threat intelligence to existing solutions, at a minimum, for a more proactive security posture.
Be sure that specific “point solutions” are not confused with the company’s cybersecurity strategy. New technology solutions may be necessary, but being resilient against the threats will depend on how those solutions are integrated, managed, and governed as a whole. Ask your cybersecurity officer “What are the desired outcomes?” and “What is the roadmap for getting there?” It’s better to crawl-walk-run toward a well-integrated, manageable program than to jump at every new solution. It’s not about how many “boxes” are deployed to stop the adversary. It’s about how well you’re organized for the fight.
Seek the right threat and risk monitoring dashboard. Security officers with a proactive security program in place should be able to answer “Are there threat actors in our systems now?”, “If the answer is no, how can we be sure?” and “How do we know they’re there?” Another important metric to monitor is how well the company is improving its “time to respond” to incidents.
And finally, seek third party input and intelligence to aid informed decision-making. Cybersecurity risk is asymmetric, so any security program that provides early warning is going to need threat insights beyond a company’s own experience to date. The right security expertise can help you identify your most likely threats based on global threat intelligence gathered from outside the company’s own limited experience. A third party can also help your security team assess the effectiveness of its current posture against those real-world threats by simulating the attacks. With capabilities in place to anticipate the real threats and prioritize effort, you can greatly expand the security program’s capacity and effectiveness.
It’s inevitable that more and more board members will come to the table with a working knowledge of IT enablement and IT security over time. But for now, boards can take a more proactive and knowledgeable stance by: seeking equal input from IT security and IT enablement leaders; leveraging third party threat intelligence and expertise; and monitoring the company’s progress toward a stronger security posture with “early warning” capabilities that mitigate risk with faster response. These measures go beyond the appearance of “prioritizing” cybersecurity. They add up to tangible improvements in risk mitigation on behalf of all the company’s stakeholders.
Mike Cote is CEO of SecureWorks, a global cybersecurity services firm that provides an early warning system for evolving cyber threats, enabling organizations to prevent, detect, rapidly respond to and predict cyberattacks. SecureWorks minimizes risk and delivers actionable, intelligence-driven security solutions for more than 4,200 clients in 59 countries.