Late last month, the US Securities and Exchange Commission (SEC) approved nonbinding guidance urging public companies to “inform investors about material cybersecurity risks and incidents in a timely fashion.” The guidance, which gives greater urgency to current cybersecurity risks, builds on an earlier document issued in 2011. In the SEC’s words, “Cybersecurity risks pose grave threats to investors, our capital markets, and our country.” A recent report from the Office of the Director of National Intelligence predicts that the world faces “imminent disruption” from cyber threats—potentially on a massive scale with “lethal” consequences.
Meanwhile, not surprisingly, Congress continues to take action on cyber risk, proposing 191 bills so far on the topic.
The imperative for boardrooms to conduct sound cyber-risk oversight is here to stay—in the boardroom and in the halls of legislation. Luckily, resources abound for corporate directors to get up to speed on what their companies need to know and disclose while awaiting regulations and rulemaking about cyber-risk oversight.
Ubiquity of Cyber Risk
The ubiquity of cyber risk poses a fundamental operating problem for all enterprises. Most businesses today depend on digital technologies to operate, which leaves sensitive data and other assets exposed to cyber risk. The new Berkshire Hathaway 2017 annual report puts it well. After listing cyber threats in great detail, the report notes that “These are risks we share with all businesses.” Hacking, phishing, malware, viruses—you name it, it is happening to all of us. Such events can present a material, even existential, threat to corporations, and could physically harm the people who work for them or whom they serve. That is why Berkshire’s chairman and CEO Warren E. Buffett has famously called cyberattacks the “number one problem with mankind.”
Directors on Alert
Corporate directors by and large are keenly aware of their companies’ responsibilities around cyber-risk oversight. NACD’s 2017 survey of 660 directors of US public companies indicated that only 37 percent of directors feel “confident” or “very confident” that their company is properly secured against a cyberattack. This result, which showed lower confidence in preparation for a cybersecurity incident than in any of 15 other risk areas surveyed, is down from 49 percent the previous year.
Does this mean that companies are less prepared? I read things differently. It means that directors are less complacent.
More directors may be realizing that cybersecurity incidents are inevitable. Directors also are learning more about the topic, with 85 percent of boards reporting at least some knowledge of the topic, up from 78 percent two years before. (In 2015, 22 percent of directors reported that their boards had no or very little knowledge of cyber risk. That dropped in 2017 to 15 percent.)
If you’re feeling either behind or a little foggy on your understanding of these risks, you might consider brushing up with these resources:
Hundreds of directors have enhanced their cybersecurity literacy through the NACD Cyber-Risk Oversight Program, offered in partnership with Ridge Global and Carnegie Mellon University’s CERT Division of the Software Engineering Institute. More than 175 corporate directors and senior executives have completed the course, the world’s first and only program of its type, while an additional 135 now enrolled in the program are progressing to complete the CERT Certificate in Cybersecurity Oversight.
NACD offers the Director’s Handbook on Cyber-Risk Oversight, published jointly with the Internet Security Alliance (ISA) and available to all regardless of NACD membership status. The handbook is the most downloaded publication in NACD history, and the only private-sector publication that has been endorsed by the Department of Homeland Security and the Department of Justice, as well as a wide variety of private-sector organizations such as the US Chamber of Commerce and the International Auditors Association.
ISA and NACD also jointly produce summits on cybersecurity exclusively for corporate boards, where recognized experts and seasoned directors share best practices. As an outgrowth of this initiative, NACD and ISA will cohost our first international dialogue, the Global Cyber Forum, in Geneva, Switzerland, in April 2018.
In all these venues, NACD’s resources on cyber-risk oversight keep driving home several key challenges:
Cyber risk is a global challenge that now threatens to undermine governments, markets, and businesses around the world. Most cyberattacks are cross-border.
Cyber risk is also systemic, given our reliance on digital networks and devices for commercial, government, and personal use.
For corporations, cyber risk is a strategic, enterprise-wide matter demanding active board engagement. Continuous learning is a must, even for specialists, given how quickly technology and threats are evolving.
Questions to Help You Learn About Your Company’s Security Posture
In closing, I’d like to share some applicable questions shared recently with our members in our Weekend Reader e-newsletter. For your next board meeting, consider asking some of these pointed questions to begin establishing a deeper understanding of cybersecurity across the enterprise.
Which cyber risks are communicated to our company’s shareholders, and in what format?
Has our management team determined what constitutes a material cybersecurity breach?
How effective is our internal escalation process when incidents are discovered?
Have we set clear thresholds for when senior management and the board should be notified?
How is our company’s cyber-risk assessment process integrated into the overall risk-management process?
Can material risks be mitigated by insurance, and does the corporation have sufficient coverage?
Does our company’s cyberbreach response plan include an investor communications strategy?
Under what circumstances is it necessary to inform law enforcement, customers, and other relevant stakeholders?
While corporate directors have some catching up to do, we’re a community of curious, dedicated professionals. Let’s commit to continuous learning and applying that knowledge to sound cyber-risk oversight. We owe it to our shareholders, our customers, and to the security of our economy.
Two NACD panels recently tackled issues surrounding sexual harassment in the corporate setting, and how directors should act and react to issues that could have profoundly negative impacts on company reputation and workforce satisfaction.
Key takeaways for directors ranged from careful CEO hiring to board composition. The following concepts could be readily applied to your own board’s conversation about overseeing this risk.
Aggregate Data to Spot Problems Before They Happen. Given that the board is ultimately responsible for overseeing company culture (including a culture that tolerates sexual harassment), the board should work to mitigate risks rather than taking up sexual harassment issues only once a problem has surfaced, according to Michael Aiello, chair of the corporate department at Weil, Gotshal & Manges LLP. Lucy Fato, executive vice president and general counsel for American International Group (AIG), stated that boards should aggregate information to get the full picture, including:
Internal audit findings related to culture;
Employee relations/human resources reporting, including hiring trends, turnover statistics, and reports from exit interviews;
Hotline reporting, including whether there are too many or too few complaints; and
Company legal settlements and insurance payouts.
Board members should also probe whether the company’s investigative processes are fair and thorough.
Go the Extra Mile in CEO Hiring. In light of the board’s primary role of hiring and firing the CEO, along with the fact that fallout from CEO misconduct can significantly impact shareholder value, a board should take steps to ensure that its candidate of choice does not have a history of sexual misconduct, or even of tolerating a culture in which harassment is an open secret. According to Sabina Menschel, president and chief operating officer at Nardello & Co., to really know who you are hiring into the corner office, conduct an investigation that covers public records and social media, supplemented by standard reference checks. With regard to CEO hiring, Fato stressed, “Ethics, integrity, and how you carry yourself as a public figure should be a factor in whether you can lead the brand.”
Risk Starts at the Top. The CEO and senior management are not alone in the potential spotlight of the #MeToo movement. Board members also must be vetted fully, and once in place, board members should receive code of conduct training, just as employees do, said Fato. In addition, the board should pick one corporate policy per year on which to do a deep dive as part of its oversight duties. Tabletop crisis preparedness exercises also should be conducted.
Superstar? Irrelevant. A board may face a difficult choice if a superstar CEO is found to have violated the company’s code of conduct, fearing that a dismissal could impact short-term shareholder value. According to Brenda Gaines, director, Tenet Healthcare, Southern Co. Gas, and NACD, superstar status is always irrelevant when investigating misconduct. She suggests that the board should take action to remove an offending CEO and then have a separate conversation about revenue and valuation implications. She added that the company must be clear about its culture and key principles, and should have zero tolerance for misconduct, applied to everyone in the company equally. “Board members have to keep each other honest,” she said.
Expand the Company’s Enterprise Risk Management (ERM) Framework. Sexual harassment should be a part of each company’s ERM framework, given that fallout from a misstep can be quite severe, emphasized Fato. Also, when doing employee surveys, ask specifically about harassment issues. To do so demonstrates that the company cares about these issues, said Menschel. Also, in terms of monitoring potential issues with long-tenured employees or even board members, consider updating background checks at regular intervals, stressed Fato.
Diverse Boards Matter. The #MeToo movement will have an impact on the boardroom, as well as on investor relations, according to Renee Glover, director, Fannie Mae, Enterprise Community Partners, and NACD Atlanta. Indeed, large shareholders are asking about diversity on the board, and they may request sexual harassment policies and pay equity measures. Gaines emphasized the clear-cut nature of the need for more diverse boards. “Diversity is good business,” she said, “and we are nowhere near where we should be. We need more gender diversity and more people of color on boards. Don’t miss this in the search for skill sets.”
Find an Ally. Rochelle Campbell, manager for board recruitment services at NACD, says that she encourages boards to have at least two diverse members, as such boards tend to be more successful. Women and people of color who are new to a board can play an important role in discussions about sexual harassment and equal pay for equal work. When asked for practical advice for new board members, Gaines shared best-practice approaches to oversight of misconduct:
Get the facts right.
Take the emotion away.
Look for an ally on the board.
Glover summed up the issue: “We can do better. And when we do, we can get on with realizing the deeper value that a diverse board can deliver.”
Kimberly Simpson is an NACD regional director, providing strategic support to NACD chapters in the Capital Area, Atlanta, Florida, the Carolinas, North Texas and the Research Triangle. Simpson, a former general counsel, was a U.S. Marshall Memorial Fellow to Europe in 2005.
The entire board relies on the hard work of the audit committee to meet its overall objectives. But audit committees today are faced with the heavy burden of regulatory mandates and growing investor expectations. Workloads are increasing, and they have to oversee more complex areas. Many audit committees are asking whether they have the right approach to meet the demands.
One way to ensure the effectiveness of the audit committee is to have a strong chair. Good leadership and effectiveness go hand in hand, and a strong chair can get the most out of the committee members. By choosing a strong leader for this essential role, your entire board will be able to have greater confidence that the audit committee is on top of the issues.
So what makes a strong audit committee chair? Audit committee chairs need to have experience, healthy skepticism, integrity, and strong communication skills. And to be truly effective, the chair has to take the time to really work on the committee agenda and make sure meetings run well. The chair also needs to coordinate effectively with other board committees, such as the risk and compensation committees.
Here are six other attributes that I have observed in great audit committee chairs:
Highly experienced: Strong audit committee chairs need to have a good understanding of the business, its risks, and controls. They also know what topics to elevate to the full board, and when to do so.
Professionally skeptical: They’re willing to provide an independent point of view and are intellectually curious. They will look for additional information when they aren’t happy with the answers they get from management.
Possesses integrity and confidence: They promote a strong “tone at the top” for the company and for the committee. They also need to ensure that all elements of the charter are being addressed.
Organized and proactive: They’re able to prioritize the most important items on the agenda. They’re good discussion facilitators and know when to cut off low-value discussions.
Strong communication and interpersonal skills: They provide clear updates of issues to the full board. They’re not afraid to ask difficult questions and have uncomfortable conversations with members of management, service providers, and even other committee members.
Willing to devote the time and energy: Chairing the audit committee requires a big time commitment—agendas are denser, filings are more voluminous, and compliance is more time-consuming. So the chair has to be ready, willing, and able to dedicate the time to the job. Strong chairs take the time to develop the agenda and effectively execute meetings. They also make themselves available to management and other board members. The time commitment of the audit committee chair goes well beyond just the meeting time dedicated to that committee, not to mention meetings of the full board.
Strong audit committee chairs understand that an effective audit committee means more than simply meeting stock exchange composition requirements. They recognize the importance of having a diverse committee made up of members with the right experience, expertise, and both hard and soft skills. They keep the committee refreshed and use the assessment process to ensure that all committee members are functioning effectively.
Having a strong audit committee chair at the helm can help ensure that the audit committee not only keeps up but excels.