Cybersecurity is more than a technological issue—it’s a business issue. In a BoardVision video moderated by Judy Warner—editor-in-chief of NACD Directorship magazine—Mary Ann Cloyd, former leader of PwC’s Center for Board Governance, and Zan M. Vautrinot, former commander of the Air Forces Cyber Command and current director of Symantec, Ecolab, and Parsons Corp., discuss effective cyber-risk oversight, addressing the following questions:
How can boards communicate with management about cyber risk?
How does cyber risk fit into discussions about risk appetite?
Here are some highlights from that conversation.
Judy Warner: For directors, I think one of the greatest challenges around the issue of cyber is how to engage in an informed conversation with management. And how do they become informed about their oversight roles as they relate to cyber?
Zan Vautrinot: One of the things that was absolutely clear about the private sector and corporate leadership is that they understood how to have a discussion about risks and strategy. The only thing different with cyber is that some of the technology and some of the solution sets are slightly different, but the conversation is the same. It is a discussion about a particular kind of risk and how it relates to the kind of business you are [in].
Warner: Mary Ann, from your perspective, how does that conversation take place, or start to take place, at the board level? And is it a conversation for the full board or a specific committee?
Mary Ann Cloyd: I guess I always say it depends. I never want to be so prescriptive as to tell somebody what they need to do because every board and every committee is different. However, I do think that, given the magnitude of how this affects so many businesses, it’s not a technology issue. It’s a business issue. So, with that, where would you oversee any other business issue at your board? And I’m guessing that a lot of it would belong at the full board, with parts of it delegated down to a committee.
Warner: The NACD recently published a handbook on cyber-risk oversight, and one of the discussions is around risk appetite and where does cyber fit into that equation today. And I know, Mary Ann, you have said we need to think of cyber as any other risk.
Cloyd: I think you bring up two interesting things. [I]n fact, we did a small publication [at PwC’s Board Leadership Center] earlier this year, and we called it “Defining Risk Appetite in Plain English.” What prompted it was I had a director come to me and he said, “Mary, we’re doing our off-site strategy session and we always talk about risk appetite. Do you have a good pre-read that I could give to the board so that they can understand what risk appetite means?” So we did this to really put in plain English, in four pages or less, what the dialog is between management and the board, and how you develop and define your risk appetite. And, to me now—as you have so beautifully put this, Suzanne—cyber is just another part of that risk discussion and how it fits into your overall strategy.
Vautrinot: Right. And if you have already had a discussion about your strategy and those things that are most important to you as a corporate entity, is it the data that is unique that you’ve collected—the information and the access to that information—that makes your corporation unique? Is it the technology or your research and development? Is it your insight into financial transactions or mergers and acquisitions? Is it [about] manufacturing processes or distribution processes?
Every board and every management team knows what is most important to them being successful as a corporation. It is likely that those things are the areas that [the board] would want to focus on with assessing cyber risk. If you look at that area and say this is what is most important to us as a corporation, and this is the technology that we depend on to do that activity, now I can say that is sufficient or it is insufficient relative to the amount of risk I am willing to accept in that area. There may be other areas that aren’t core to the business, and so you are willing to accept a different amount of risk or put different systems in place that kind of sandbox it—[systems] that put a fence around, or that separate or provide different controls to allow [the lower-risk] activity to run more openly, whereas [higher-risk areas are] much more controlled and much more precious.
Every company will face a crisis at some point. It could be a government investigation, data breach, product recall, or other significant event. An effective communications strategy can minimize the impact of the crisis and demonstrate leadership’s ability to effectively steer the company. In contrast, an ineffective strategy may worsen a crisis or raise doubts about company leadership.
Directors should confirm that management has an effective communications strategy before a crisis occurs. Although no two crises are the same, thorough preparation can prevent the pressures of a crisis from interfering with the company’s message. When developing a strategy, directors should consider the following guidelines.
1. Establish Clear Lines of Authority and Communication
A crisis will generate media and government interest. To maximize control of the narrative and to ensure that accurate information is conveyed to the public, the company should have a concrete decision-making structure to quickly resolve key questions and prepare meaningful, clear, and truthful responses to media and investor inquiries. Once those questions are resolved with the input of company counsel, a media-savvy spokesperson (which could be an officer) should be designated to deliver the company’s narrative. An individual director, unless designated as the official spokesperson, should respect the company’s established communication channels and resist the urge to respond to inquiries, including those of investors, analysts, friends, professional acquaintances, and reporters.
2. Seek the Advice of Counsel
A crisis can cloud normal decision-making processes. Experienced legal and communications counsel will keep the company focused and help to minimize legal exposure. In consultation with counsel, the company should identify its objectives, create a specific strategy, and ensure that the company is disciplined in working toward its objectives.
3. Set the Narrative But Avoid Premature Disclosures
When a crisis leads to an internal investigation, the company has the advantage of knowing the facts before anyone else. This allows the company to set the narrative. Outside legal and communications counsel are critical resources for advising the company on what information to include in the company’s narrative, as well as when and how to convey it. Once the company decides to disclose information, the company and counsel should carefully script talking points (including answers to possible questions) to avoid miscommunications. The company should deliver all relevant information as soon as possible, thereby avoiding subsequent disclosures that unnecessarily prolong the crisis. Conversely, the company should avoid prematurely disclosing incomplete information or setting unachievable timelines, which may cause investors to lose confidence in company leadership and expose the company to legal liability. Care should be taken to avoid selective disclosure in violation of Regulation FD.
4. Guard Against Leaks
During an internal investigation, there is a risk that information will leak before the investigation is complete. Sensitive information should be shared on a strict need-to-know basis to prevent leaks, and the results of an investigation should not be shared with the public until the investigation is completed. If there are information leaks, the company should resist the temptation to disclose investigative results or information prematurely, which can make the situation worse.
5. Be Accessible
The nature of the crisis may require the company to speak publicly on multiple occasions. In such circumstances, the company should adhere to consistent and truthful talking points aimed at achieving the company’s strategic objectives. Where possible, a willingness to address press reports and allegations–even if merely acknowledging they are being investigated–demonstrates confidence, transparency, and a commitment to effectively resolving the crisis. There are potential pitfalls to addressing the public, however, and the company should consult with experienced legal and communications counsel before each public statement.
6. Be Mindful of Multiple Audiences
Publicly traded companies have multiple audiences, including regulators, shareholders, and possibly plaintiffs’ lawyers. To achieve its objectives and comply with the law, the company should work with its counsel to develop a coordinated approach that considers how each audience will interpret the company’s statements. If there are parallel government investigations, counsel should make courtesy calls to the government agencies prior to any public disclosures. Additionally, the company should guard against possible Regulation FD violations by avoiding selective disclosures to certain parties such as institutional investors and investment professionals.
7. Be Prepared To Communicate Change
Often a crisis will result in changes to corporate priorities, enhancements of procedures and controls, or removal of key management personnel. Directors may be called upon to communicate significant decisions that could attract the attention of regulators, activist investors, and private plaintiffs. In these situations, outside legal and communications counsel can be effective in crafting communications for the public and for outgoing management that minimize legal exposure and government threats.
Bradley J. Bondi and Bart Friedman are partners with Cahill Gordon & Reindel LLP. They advise financial institutions and global corporations, boards of directors, audit committees, and officers and directors of publicly-held companies in significant corporate and securities matters, with particular emphasis on crisis management, internal investigations, and enforcement challenges. Michael D. Wheatley, a litigation associate at Cahill, assisted with this article.
The most compelling obligation of a board is to create shareholder value. The most enduring way to create shareholder value is to create customer value. Creating great customer value is an ongoing process of continuous renewal. In today’s marketplace, most competitive advantages (even seeming monopolies) are fleeting. Great intellectual property (IP) is vulnerable to alternatives and to advances in the state of the art. Human talent has never been more mobile. Advances in communication, universal access to information, and the lowering of trade barriers have opened many markets to global competition. Supply chains can be anywhere. What’s a director to do?
I am convinced that the only sustainable competitive advantage is to create an innovative enterprise. To be truly sustainable, innovation cannot be a eureka moment, where a liquid accidentally falls on a hot stove and we have rubber. Further, it cannot be built just on individuals who are innovative. Great individual contributors are necessary but not sufficient. To be truly sustainable, innovation must be deeply embedded in the culture of the organization and in the collective behavior of its leaders. Sustainable innovation must also be baked into processes that are documented, taught, and repeatable.
Boards must have a broad-based expectation of innovation from management. That expectation must be embedded in CEO recruiting, in establishing visions and goals, in measurement and reward. This innovation must be pervasive; a critical quality dimension to everything that management does. Innovation can occur in a firm’s products and services, in their business model, in their approach to markets (advertising and sales efforts), in their staff recruiting and retention practices.
How does a board operate, staff, and structure itself to drive innovation?
Circumstances vary so widely. I doubt there is a rigid answer to that question. However, I do believe there are universal success contributors:
Full board engagement. When the very broad functional potential for deploying innovation is laid over the breadth of skills of a well-diversified board (legal, operational, financial, business development, etc.), it could be limiting to assign the responsibility for innovation oversight to a subset of the board. An alternative is to require that innovation be deeply embedded in all of management’s plans, strategies, and goals and reviewed by the full board.
External market awareness. Directors who stay aware of best innovation practices across the economy are best able to contribute to continuous innovation on the boards on which they serve. Directors must become students of the discipline of innovation.
External perspective. There are innovation experts. Just as a board equips itself with experts in compensation, taxes, and organizational development, we need to find competent advisors who can help us to stay current and focused on our innovation progress.
Fundamental alignment between the board and the CEO on innovation. CEO position descriptions are usually written to reflect the board’s definition of success within a certain time frame. The capacity to passionately lead innovation must be fundamental to the CEO position description.
Patience. Creating an innovative culture is a longer-term project than is introducing an innovation to an individual product. The history of business is littered with stories of spectacularly successful short-term product/market innovations that were not sustained in subsequent products. One primary reason that the life of an S&P 500 company is now down to 20 years (from over 50 years a generation earlier) is that some firms are innovating in a more effective and sustained way than others.
Final thoughts on innovation and risk: Innovation is a form of change. Some innovations represent disruptive change that can impact the innovator as well as the markets they disrupt. For example, a new-product innovation can disrupt an existing successful product, or even an existing monopoly. Risks of this type can be effectively managed through thoughtful planning, integrated communication, and solid enterprise-wide controls.
The biggest risk in today’s economy lies in not innovating.
Thomas J. Furst served as senior vice president and chief financial officer of SRI International for 18 years until 2014. He was a director of the Sarnoff Corp. until its absorption into SRI. Tom currently speaks, and advises management and boards, on innovation and related topics. He can be reached at email@example.com.