Cyber-Risk Management for Directors Should Start at Home

Published by

Frederick Scholl

There are many posts on the NACD Board Leaders’ Blog discussing cybersecurity, but all of them deal with directors’ responsibilities toward the organizations where they are board members. In fact, corporate directors themselves may be targets for hacktivists or cybercriminals and need to make sure they have adequate protection. This protection should include both home and professional office.

Directors obviously will have access to sensitive insider information that many unauthorized parties would like to get access to. Many directors will also be targets as high net worth individuals. Cyber criminals always target the weakest link, and as corporate information security improves, they increasingly will target the home networks of key executives and directors.

Breaches such as the one that occurred in the summer of 2017 at Equifax have put so much personal information into the hands of criminals that individuals increasingly will become targets. Directors represent a perfect demographic cross section to be attacked. Attack vectors may include phishing, ransomware, and social media.

Earlier this year, an employee of the National Security Agency was in the news as the hacker apparently stole government secrets from the comfort of his own home network. Directors with access to confidential strategic or financial information should make sure their home networks are protected above and beyond the usual consumer-grade defenses. Another attack path may be through tools and services used by directors. In 2010 attacks were reported against a prominent meeting portal for corporate boards. It is not clear if any sensitive information was stolen at that time.

What more should directors do?

First, make sure your home network is built to corporate standards. You need a commercial firewall, not just a consumer router. Most critically, any devices—especially firewalls and routers—should be set to auto-update their security firmware. Auto-update is now included in the Windows 10 operating system, in most smart phones, and in many home network devices, but not in devices more than a few years old. Anything you put on your network will be found to have vulnerabilities, so this software and firmware update feature is critical to keep hackers out.

Password strength and protection represent a second critical area. Many breaches result from theft of user credentials such as username and password. You should use two-factor authentication to log in to sites with your financial or personal information. Two-factor verification utilizes a second security barrier to verify with the application or website that the person logging in is, in fact, you. For instance, applications for your smart phone such as Google Authenticator and Duo Security generate one-time tokens that serve as a second factor. More familiar is the text messaging that many sites still use to send one-time codes to users. This process has been deprecated by the Federal government because of potential eavesdropping attacks, so use the dedicated security apps, if possible. Still other financial sites do not yet have any two-factor authentication available. For these, make sure to use strong passwords that contain at least 12 characters, and that preferably can be pronounced. Such complex passwords should be managed using password vaults like LastPass or KeePass.

The last factor to consider is encryption. Never store any sensitive data online without encrypting it and protecting it using a password known only to you. It is true that collaboration sites like Dropbox do encrypt the data saved there, but the companies still have the encryption keys and can view the data. These keys can be hacked or stolen by a disgruntled employee. That level of encryption is fine for 99 percent of the information you store online. But for the other, essential 1 percent of information—especially personal or corporate sensitive material—only you should have the encryption key. Applications like Boxcryptor integrate with Dropbox and enable you to further protect your information.

These three security precautions will help you keep your personal and professional information secure. Since threats and vulnerabilities are constantly changing, you should keep up to date using the NACD Cyber-Risk Resource Center and other sources of information on this topic. Also consider attending the NACD Global Cyber Forum in Geneva, Switzerland, April 17–18, 2018. You’ll hear from leading international directors, executives, and security professionals on how to protect sensitive corporate information.

Frederick Scholl is president of Monarch Information Networks, and is adjunct professor of computer science at Lipscomb University in Nashville, TN. All thoughts expressed here are his own.

Culture: The Board’s Expanding Frontier

Published by

Peter Gleason

With headlines trumpeting high-level firings for “inappropriate behavior” in a variety of domains, it’s become more obvious than ever that corporate culture matters, and that boards should oversee it. So what exactly is corporate culture, and how can it be overseen? These questions might sound new, but they are as old as the corporate governance movement that began some 40 years ago when NACD was founded. Indeed, for the past four decades, the role of the board in overseeing corporate culture has been growing in breadth and depth, and much can be learned from history.

  • The Foreign Corrupt Practices Act of 1977 made the board a vigilante against foreign bribes. The original law made it illegal to do business abroad “corruptly” and required “internal controls” through oversight of books and records.
  • In 1987, the Committee of Sponsoring Organizations of the Treadway Commission put the board on alert against misdeeds not just in faraway lands but down the hall: its Treadway report required independent audit committees to prevent fraud in general.
  • Another decade later, in 1996, the Delaware Chancery Court’s decision In re Caremark International Inc. said that directors have an affirmative duty to seek reasonable assurance that a corporation has a system for legal compliance. Soon thereafter, NACD published its first handbook on ethics and compliance, authored by NACD pioneer Ronald “Ronnie” Zall, an attorney and educator then active in the NACD Colorado Chapter, which later established the Ronald I. Zall Scholarship in his honor.
  • In late 2007, as global equity markets went into panic mode, NACD forged Key Agreed Principles of Corporate Governance for U.S. Public Companies, highlighting all areas of agreement among management (the BRT), directors (NACD), and shareholders. Our report, published in 2008, stated that boards must ensure corporate “Integrity, Ethics & Responsibility.” NACD Southern California Chapter leader Dr. Larry Taylor began writing on “tone at the bottom,” publishing a series of articles and books on the topic over the next several years.
  • And now, in 2017, board oversight of culture has become more important than ever. Our NACD 2017 Blue Ribbon Commission Report on Culture as a Corporate Asset provides useful guidance.

NACD’s 2017 Commission made 10 recommendations, starting with this one:

The board, the CEO, and senior management need to establish clarity on the foundational elements of values and culture—where consistent behavior is expected across the entire organization regardless of geography or operating unit—and develop concrete incentives, policies, and controls to support the desired outcome. The Commission report explains that these foundational elements involve two sets of standards: first, the values and behaviors that help the company excel and that are to be encouraged, and second, the behaviors for which there is zero tolerance.

As I write this blog in December 2017, the business media are continuing to report firings or sabbaticals for executives—some 20 in the past eight weeks alone—over reportedly inappropriate conduct or speech. Many of these pertain to sexual harassment, but the corporate desire to clean house seems to be spreading like wildfire to other domains. One executive was recently fired for making a disparaging remark about regulators in private conversation to a former employee. Could a policy have prevented this? I think so.

The NACD Commission urges a proactive approach backed by policies and training. The good news is that many companies are taking preventive action. A Wall Street Journal article titled “Harassment Scandals Prompt Rapid Workplace Changes” cites numerous companies that are instituting training to avoid bad behavior in the workplace. Some like Vox Media and Uber Technologies are responding to scandals. Others like Dell, Facebook, Interpublic Group of Cos., and Rockwell Automation are acting more proactively.

Boards in these companies and others are starting to oversee culture in proactive ways, but they still have a long way to go. Our most recent 2017–2018 NACD Public Company Governance Survey found that oversight of culture is stronger at the top than at lower levels, but that boards are taking steps to correct the imbalance.

The best cultures don’t happen by accident. They are intentional. They happen when a company makes a concerted effort to foster a good culture.

Understanding Climate Resilience Is Requisite for Climate Competence

Published by

Underlying the growing pressures for climate-competent boards is this fundamental question: how resilient is the organization to the impacts of climate change?

Few organizations or boards are capable of answering this question with any degree of certainty. Yet, the question is being raised with greater frequency and urgency due to actions by investors, regulators, customers, supply-chain partners, and competitors.

Across every industry the increased focus on climate change is accelerating other megatrends such as disruptive technologies, digitization, urbanization, and evolving demographics. Underpinning these megatrends are a combination of technological leaps and upheavals in global society and the environment that will reshape economies, businesses, and lifestyles. For example, over $1 trillion worth of new markets for manufacturers are expected to develop over the next decade as industries transform. This shifting landscape creates many uncertainties, risks, and opportunities for new products, services, supply-chain structures, and improvements in resource management, among many others.

Taken as a whole, these pressures are driving companies to better assess, define, and enact strategies to increase their climate resilience. In their strategic oversight role, boards need better insights on the direct impacts of climate change on the organization as well as the indirect risks and opportunities associated with transitioning to a lower-carbon economy.

Yet, recent NACD corporate governance survey data suggests that many boards need a rethink on this issue. Six percent of respondents indicated that climate change would have the greatest impact on their businesses over the next year. The previous year’s report found that over 90 percent of public company directors believe that climate change would have negligible impact over the next five years.

Companies that focus primarily on climate change’s projected physical impacts expected to play out over the coming decades will have “blind spots” to the indirect risks associated with the transition to a lower-carbon economy. Companies must go on the offensive to build climate resilience in order to gain competitive advantage.

Climate resilience is the capacity to adapt and succeed in the face of direct and indirect impacts of climate change. In addition to addressing and managing risks, it encompasses the ability to capitalize on the strategic opportunities presented by the shift to a lower-carbon and resource-constrained economy.

To provide boards with a line of sight into their organization’s climate resiliency, management teams can undertake one or more of the following actions:

  • assess climate vulnerability of operations and facilities;
  • embed climate impacts into enterprise risk management programs; or
  • undertake scenario analysis to enhance decision making around risks and opportunities.

As a start, companies can model the risk of physical assets to identify location-level risk exposure and the vulnerability of properties and assets to evolving weather events and climate change. A geographic portfolio review can also help map demographic and infrastructure vulnerabilities to natural hazards to better understand how supply chains may be impacted by weather events.

Existing enterprise risk management (ERM) and risk assessment processes can be used to increase awareness of climate risks and better assess resilience across the organization. Leading organizations are using their ERM processes to identify how direct and indirect climate impacts—including regulatory and technology developments—serve to accelerate or otherwise change the velocity of other trends and risk events. Framing climate as a risk driver helps to align the timeframe of the risk and opportunity assessment to that of most corporate planning cycles.

Scenario analysis is recommended by the Financial Stability Board’s Task Force on Climate-related Financial Disclosures as a technique to assess climate impacts. Modeling different environmental scenarios (such as warming by a margin of 2 degrees Celsius and associated changes) gives form to the amorphous problem of climate change and provides mechanisms to discuss potential future states of operation. In selecting and devising scenarios, companies should consider the appropriate trade-offs in quantification, but also avoid excess complexity and optionality. When assessing for operational climate-risk resilience, it is critical to include at least one favorable and one unfavorable scenario. This empowers organizations to make informed decisions regarding their longer-term strategies.

Overall, it is clear that the dialogue on climate change within boardrooms and among C-suites of companies across all sectors must evolve to a focus on how climate change will impact their businesses. The real measure of a climate-competent board is one that can address this critical question: how climate-resilient is the organization?

Lucy Nottingham is a director in Marsh & McLennan Companies’ Global Risk Center and leads research programs on governance and climate resilience. All thoughts expressed here are her own.