China’s legislature approved its Cybersecurity Law this past November, solidifying China’s regulatory regime for cyberspace and potentially disrupting foreign companies that use or provide telecommunications networks in China. The law takes effect June 1, 2017, and reflects China’s desire for “cyber-sovereignty” (regulating the Internet in China according to national laws, despite the global nature of the World Wide Web). As the Chinese Communist Party (CCP) faces pressure from slowing economic growth and foreign influence, the Cybersecurity Law is one in a series of laws the Chinese government has implemented recently to uphold state security.
Significant Provisions of the Law
Though the wording of the law is vague, it formalizes many current practices and aims to consolidate cybersecurity authority under the Cybersecurity Administration of China. While the government is expected to offer more clarification on the law through implementation rules, how the law is played out in practice will be the ultimate indicator of the law’s severity. These three aspects of the law have the greatest potential to affect multinational companies (MNCs) doing business in China, according to an NACD analysis:
1. Data localization: Article 37 of the law is one of the most contentious and requires that “critical information infrastructure” (CII) operators store personal information and other important data they gather or generate in mainland China to be storedin mainland China. CII operators must have government approval to transfer this data outside the mainland if it’s “truly necessary.” The definition of CII is a catch-all, including public communication and information services, power, traffic, water, finance, public service, electronic governance, in addition to any CII that would impact national security if data were compromised.
Impact: The broad applicability of the CII definition raises the concern that any company using a telecommunications network to operate or provide services in China would be required to store data in mainland China, possibly even affecting those that store data to clouds with servers located outside mainland China.
2. Support for Chinese security authorities: Article 28 requires “network operators” to provide technical support to security authorities for the purposes of upholding national security and conducting criminal investigations. Network operators are broadly defined as those that own or administer computer information networks or are network service providers, which may include anyone operating a business over the Internet or networks.
Impact: The loose definition of “technical support” creates the concern that MNCs will be required to grant Chinese authorities access to confidential information, compromising private information and intellectual property that may be shared with state-owned competitors. Although not stated in the final version of the law, there is also the possibility that companies may be required to provide decryption assistance and backdoor access to authorities upon request.
3. Certified network equipment and products: For network operators, Article 23 indicates that “critical network equipment” and “specialized network security products” must meet national standards and pass inspection before they can be sold or supplied in China. A catalogue providing more specification on these types of products will be released by the government administrations handling cybersecurity. Under Article 35, CII operators are also required to undergo a “national security review” when purchasing network equipment or services that may affect national security.
Impact: Chinese companies and government agencies have historically relied on computer hardware and software manufactured by foreign companies, although this is now shifting in favor of domestic IT products. Opportunities for hacking and espionage put China at risk of losing sensitive information to foreign governments or companies, and China has already started conducting reviews of the IT security products used by the central levels of government. This provision of the Cybersecurity Law demonstrates China’s resolve to mitigate this risk and may pose a significant barrier to foreign IT equipment manufacturers selling products in China.
How Directors Can Prepare
China’s Cybersecurity Law has been criticized by the foreign business community, and, depending on the law’s implementation, it may make doing business in China for MNCs not only more complex but also riskier. Tom Manning, a China specialist at the University of Chicago Law School and director of Dun & Bradstreet, CommScope, and Clear Media Limited, advises boards to consider the effect of the Cybersecurity Law in the greater context of China’s rise: “The Chinese economy is increasingly more self-sufficient. Domestic companies are growing stronger and are more capable, while multinational companies are finding it more difficult to compete.”
Manning suggests boards conduct an overall China risk assessment, with the Cybersecurity Law as the focal point. While some companies may determine the risk of doing business in China is too high, Manning says, others might decide they need to invest more in China to be profitable. Ultimately, creating alliances with domestic firms, who have a greater influence over the government’s implementation of the law, may be key. “Leading domestic companies have a stake in seeing a better definition of the law, and their interests aren’t unaligned with multinational companies,” Manning says. “Chinese Internet companies can explain to the government how the law will affect their business models and be more effective in doing so than Western companies.”
Although how the law will be enforced remains to be seen, boards can consider the following questions when evaluating the impact of China’s Cybersecurity Law:
Are we storing information generated or gathered in mainland China on servers in mainland China? Do we need to create separate IT systems for China-specific data? Are we reliant on cross-border data transfers, and how would we approach this need with the Chinese government?
What is our risk exposure stemming from the potential loss of intellectual property or encryption information as a result of this law? How would our business be affected should our Chinese competitors gain access to this information?
For computer hardware or software manufactures, are we willing to share our source code with the Chinese government?
For technology firms, how does the law alter the playing field for our company to compete in China against domestic firms?
What additional investments do we need to make in order to comply with this law?
The National Association of Corporate Directors (NACD) released the 2016–2017 NACD Public Company Governance Surveylate in 2016. The survey, which NACD has administered for two decades, helps directors affirm that their governance practices are effective, fit for purpose, and clearly communicated to shareholders. Our members find value in benchmarking their companies’ approach in areas such as board structure, composition, education, recruitment, and evaluation year over year, and they use the results to identify opportunities for improvement and validate board priorities for the coming year.
What did we learn about changes to public company governance in the previous year?
Although we did not see any seismic shifts in how public companies govern themselves, the data indicate that corporate boards are slowly adapting to heightened expectations about their contributions and performance.
Let me share 10 key takeaways from this report and illustrate some of the changes we have observed in our analysis.
1. Overseeing Uncertainty Economic uncertainty and business-model disruption are among the top concerns for corporate boards in 2017. Respondents also report that major industry changes, growing regulatory demands, and cyberattacks will significantly affect their companies over the next 12 months. Global economic uncertainty was selected by 60 percent of respondents as one of the five trends that will have the greatest impact on their companies over the next 12 months, most likely in light of ongoing economic turbulence that includes the fallout from Brexit, emerging markets volatility, and the protectionist trade stance of the new US administration.
2. Deeper Board Engagement with Strategy Setting Growing external uncertainty seems to accelerate the momentum for increased board leadership in strategy. For more than half of boards, active involvement in the development of strategy is a goal for major improvement over the next 12 months. Recognizing that successful strategy setting and execution in this volatile environment are challenges, boards are eager to move from the traditional review-and-approve process to more active strategy engagement earlier and on an ongoing basis, allowing directors to examine underlying assumptions, competitive dynamics, and alternatives.
3. The Tyranny of Short-Termism Maybe the most important structural barrier to board engagement in strategy setting is the intense short-term performance pressure placed on both boards and management. Seventy-five percent of respondents report that management’s focus on long-term value creation has been compromised by pressure to deliver short-term results, while 29 percent report that pressure on boards to focus on short-term performance inhibits their ability to effectively oversee long-term strategy development.
4. Risk Oversight Moves to a Higher Standard Board risk oversight is becoming a robust practice, with a large number of boards looking beyond a review of the top risks to consider the linkage between risk and strategy, the impact of incentives, and the strength of their company’s risk culture. Many boards now receive frequent reports on key components of risk management, including summaries of top risks, emerging risks, and their mitigation. According to our survey, 63 percent of them perform in-depth reviews of specific top risks. Perhaps in response to the recent corporate debacles in the auto industry and banking sector, more than 57 percent of boards now assess whether incentives used in the company’s compensation structure could inadvertently create or exacerbate risks.
5. Struggling to Meet the Cybersecurity Challenge Directors continue to wrestle with effective oversight of cyber risk. Many of them lack confidence that their companies are properly secured and acknowledge that their boards do not possess sufficient knowledge of this growing risk. Fifty-nine percent report that they find it challenging to oversee cyber risk, and only 19 percent of respondents report that their boards possess a high level of knowledge about cybersecurity. While 37 percent of respondents feel confident and 5percent feel very confident that their company is properly secured against a cyberattack, many of their boards may lack sufficient expertise or adequate information to confidently assure that cybersecurity defenses are indeed effective.
6. Managing a Growing Board Agenda The average director time commitment has stayed relatively flat at 245 hours per year, with more time spent on preparations and less time on travel compared to last year. The average number of meetings has also remained flat. Facing ever-expanding agendas, boards struggle to effectively prioritize their scarce meeting time. When asked about time allocation over the last 12 months, more than a third of respondents indicate that their boards spent too little time on director education, executive leadership development, cyber-risk oversight, board succession planning, sustainability, CEO succession, and information technology oversight.
7. Information Rich, Insight Poor Boards receive much information from management but express concerns about the quality of that information. While directors noted an average increase of 12 hours for document review in preparation for meetings, roughly 50 percent of respondents noted a glaring need for improvement in the quality of information provided by management.
8. Increased Shareholder Engagement Boards are increasing their shareholder engagement, but their level of preparedness to address activist challenges is uneven. This year, 48 percent of respondents indicate that a representative of their board held a meeting with institutional investors over the past 12 months, compared to 41 percent in 2015. Only 25 percent of respondents have developed a written activist response plan, which may be a critical tool to effectively address a forceful challenge from an activist.
9. The Increasing Reliance On Search Firms for Director Recruitment Boards no longer primarily rely on personal networks to recruit new directors, signaling increased professionalism and a desire to tap into a wider network of candidates. For the first time since NACD began to survey its members on this issue, search firms were the leading source boards used to identify their most recently recruited director.
10. Only a Minority of Boards Conduct Individual Director Evaluations Only 31 percent of respondents report that improving the board evaluation process is an important or very important priority for their boards in the next 12 months. In fact, just 41 percent of boards now use individual board evaluations, and an even smaller number use the results of these evaluations to make decisions about replacing directors.
Nominations to the 2017 NACD Directorship 100 are open until March 31. And while we tally this year’s annual list of the most influential people in boardrooms and corporate governance, we’re sharing responses to questions from 2016 honorees about their perspectives on directorship.
Honorees underscored the importance of creating a strategic-asset board, reflected on the joy of their life’s work, and shared why board leadership can be fun. Selected responses from the 2016 D100 class follow, complemented by photos from the D100 gala held at New York City’s Gotham Hall on Nov. 30, 2016.
What do directors need to keep top of mind in the next five years?
Deborah DeHaas Vice chair, chief inclusion officer, and national managing partner, Center for Corporate Governance, Deloitte LLP
“Often the most effective boards draw on a diverse set of individual strengths, skills, and experiences from their directors. When brought together with the right leadership, diverse talent in the boardroom can help the company address almost any governance challenge. Such capability doesn’t just happen. It takes rigorous commitment to the principles of board composition, refreshment, and accountability to reach the level of top-performing boards. It also requires a deep understanding of current issues and challenges, anticipating those in the future, and determining what critical skill gaps need to be addressed among directors.”
Stephen R. Howe, Jr. U.S. chair and managing partner, Americas Leading Partner, Ernst & Young LLP
“Complacency with a company’s current strategy may open companies to long-term vulnerabilities. Boards must constantly assess and anticipate competitive forces and threats and drive enterprise-wide cultures of innovation and agility. They must recognize that digitalization and sector convergence will continue to disrupt business models and markets. They must oversee organizations grappling with increasingly complex and global forces resulting from ever-shifting political and regulatory agendas such as those getting underway in the United States following this year’s elections.”
Daniel Laddin Founding partner, Compensation Advisory Partners
“Do not be afraid to stick out and use a less typical design if you believe it is in the best interests of shareholders. I believe we are going to see that many of the best performing companies have unique compensation designs linked to their strategies that do not necessarily fit neatly into the paradigm into we see today.”
Paula Loop Leader, PwC Governance Insights Center
“Boards will need to stay current, and that alone will be hard work. They will need to be up to date on consumer trends and technological changes, to geopolitical and other risks, to name a few. Even those directors who are immersed in all of this disruption and change are finding it hard to keep up. The board of the future will have to fully understand the landscape the company is operating in and recognize the potential disruptors that could affect the company and its strategy. To do that, directors will have to spend a lot more time educating themselves, and boards may have to consider reaching out and finding their own advisors from time to time.”
Michael McGuire CEO, Grant Thornton
“Directors need to keep the probability of rapid disruption top of mind, and then marshal the right resources and habits of mind to stay ahead of it. What are those resources? Imagination. Curiosity. Agility.”
Deborah D. Rieman Director, Corning and Neustar
“Boards are inherently risk averse and may devote too much of their attention to avoiding mistakes. In a slower world, that may have sufficed, but today, slow and steady can be fatal. Successful boards in the years ahead will be the ones that encourage the disruption of their own businesses, because if you don’t disrupt your own market, somebody else will.”
James K. Wolfe
James K. Wolf Managing partner, Meridian Compensation Partners
“Regulations and statutes should continue to protect a board’s business judgment, but boards should understand that the general public will have increasingly more information from which to reach their own evaluations and verdicts about a board’s governance.”
What’s the most fun you have had while serving as a director?
Mary Ann Deacon Director, Lakeland Bank
“It has been exciting to be a part of Lakeland’s success. Our accomplishments over the years have given me enormous admiration for our wonderful employees, who make it all possible. And by far, the most fun has been interacting with all the members of the Lakeland family. It’s important for directors to step out of the boardroom and connect with people. I think of this as leadership by walking around—letting employees, shareholders, and customers know that the board is interested in and fully engaged with their needs.”
Edward B. Rust, Jr. Director, Caterpillar, Helmerich & Payne, and S&P Global
“Growing up during the initial buildout of the interstate highway system, I became fascinated with big earth-moving equipment. Later in life, I started buying antique Caterpillar tractors to restore. Joining the Caterpillar board was a natural move. I had a connection to my past but also a fascination with the rapidly changing world of manufacturing. The real fun is when we tour the proving grounds and have the opportunity to operate some of the really big equipment. ‘Getting in the dirt’ is a joy for an old farm boy, and even a director.”
What was the greatest challenge you’ve faced in your career?
James W. DeLoach
James W. DeLoach Managing partner, Protiviti
“I never worked harder in my life to build the Protiviti brand. But the most gratifying part of the experience for me personally was working side-by-side, shoulder-to-shoulder with men and women who were as committed to our collective success as I was. Protiviti’s market presence today is one of the treasures of my working life.”