Overseeing risk is no small task for boards as a company’s footprint is no longer confined to local or even national boundaries. The globalization of business—spurred in large part by the Internet—has simultaneously expanded business opportunities while also introducing new worlds of risk that an organization must contend with.
The National Association of Corporate Directors (NACD) invited Joan Meyer, a partner at Baker McKenzie LLP, and SecureWorks Chief Threat Intelligence Officer Barry Hensley to offer their insights on these issues as part of a larger panel discussion at the Leading Minds of Governance–Southwest event.
Highlights from their conversation with NACD Directorship Publisher Christopher Y. Clark follow.
What is your outlook on the complexities of being an international company?
Joan Meyer: It’s becoming extremely complex because there is increasing enforcement from other jurisdictions. Five or six years ago, the U.S. was the predominant regulator and multinationals only had to deal with certain European countries in addition to the United States. Now, we are seeing emerging markets that are getting extremely aggressive. They are also putting in more restrictive laws and data privacy rules about the transfer of data. It’s a real conundrum for companies because they not only have to comply with U.S. law but the more robust law of various regimes, which create conflicts. Some of that risk may be theoretical because certain jurisdictions have not begun enforcing these laws —but it’s out there.
If you are disclosing information to a U.S. enforcement authority but you can’t get information out of a foreign jurisdiction, a U.S. regulator might not care— they just want the information. In this situation, not only is executive management caught in a bind, but the board will be asked: “What do we do?”
The U.S. Department of Justice is also pursuing individual prosecutions of mid-level managers and the C-suite, and there is increasing pressure on companies dealing with U.S. authorities to get cooperation credit by identifying individuals who are culpable for the misconduct. And it’s not only in the U.S. where that’s happening. Because the government wants real-time cooperation in pursuing individuals, it’s frustrating for companies because they are being pushed to provide investigatory conclusions to the government which they may not have completed. On a global basis—whether it’s Saudi Arabia, China, Russia, or Brazil—individuals are being actively pursued. The problem is compounded if they are expatriates who are working in these foreign countries for a limited period of time, don’t understand the culture, and are suddenly being subjected to detention or prosecution. This puts managers working outside countries with an established legal system at real risk because they may be pursued by authorities simply for a perceived failure to exercise their supervisory responsibilities in the right way.
What questions should a board chair ask the chief information security officer [CISO]?
Barry Hensley: First: What are our top five risks? Only by thinking like the enemy can the CISO begin to itemize and categorize the company’s security risks. Consider the following ways you may be attractive to cyber threats: your brand and how you’re perceived on the world stage; your digital capital, such as intellectual property, electronic currency, and personal data and how it’s secured; and your internet-exposed vulnerabilities.
Second: Does our security program have the visibility to detect an advanced adversary whose work eludes security controls? The threat does not remain static nor does the network. While some tactics and tradecraft are well known, the adversary is innovating, always seeking opportunities to bypass traditional protections. For example, while implementing multi-factor authentication is important, bad actors are finding ways to impersonate users and hijack credentials. Does your risk assessment learn from the headlines and adapt? It’s important to keep risk assessments current and update your mitigation strategies and budgets against these threats.
Third: Does your staff collectively understand the term “breach” and the conditions that trigger a formal response? Are you prepared with a meaningful, rehearsed, cross-disciplinary crisis response plan? While no company wants to dwell on the potential for serious incidents and breaches, preparation is still essential. This requires a real understanding of what constitutes an addressable incident, what triggers it, the steps that must occur to resolve the incident, and the people involved. Key tenets should be established, such as: knowing who’s in charge, how the board contacts the key players, and what the measurable actions we take to address the incident are.
Fourth: Is security training tailored to ensure appropriate audiences are aware of threat actors and their tactics? Different segments of the workforce present different risks, and the CISO must make sure each segment is aware of the tactics being used to exploit all avenues of compromise. Boards need to ask: Do employees understand how phishing works? Do administrators know the value of frequently changed passwords and vulnerability scans? Do web designers understand the importance of secure coding practices? Do executives and financial managers recognize that they are extremely lucrative targets for social engineering? And remember: there is no such thing as one-size-fits-all security training.
Want more? A panel of Fortune 500 company directors and subject matter experts will offer their insights on issues ranging from cyber resilience to the latest regulatory trends at Leading Minds of Governance–Southeast. Join us on March 16 in New Orleans, LA. Space is limited—register today.
Click here to read addition coverage of the Leading Minds of Governance–Southwest event with highlights from a discussion on the board’s role in overseeing talent and tone.
What questions should board members ask the leadership of their companies in the weeks to come? Political experts Terry Baxter, who served in three presidential administrations and is the former CEO of the National Transportation Safety Board (NTSB), and Alex Castellanos, co-founder of public affairs firm Purple Strategies and current member of CNN’s political analysis team, opined on considerations for the business community in this time of political and societal uncertainty.
Castellanos shared that President-Elect Donald J. Trump is highly aware that his administration will be under pressure to enact policies that produce economic growth. Both panelists agreed that the success of the new administration will also hinge on delivering on regulatory and tax reform, as well as changes to healthcare policy. Ever present in the incoming administration’s actions will be the populist sentiment that propelled the success of the Trump campaign. Castellanos suggested that companies that expect to succeed in this environment should be prepared to tell their story about how they are contributing to American renewal, including domestic job growth.
Attendees took away from the program several key questions that directors should be asking of management—and of each other—in post-election America:
Questions for Management
Information gathering: How are we informing ourselves about the new administration’s proposed policies, the implementation of those policies, and what those changes might mean for our company?
Outreach: What is our outreach and engagement plan for advancing our positions on important issues with the new administration?
New trends: How is our company identifying current trends, disruptors, and business impact issues? How are we identifying key actions that have longer-term or permanent implications?
Tax policy: What are we doing to prepare for shifts in the tax policy?
Spending: How are we positioning the company to benefit from proposed spending on infrastructure?
Growth: What core assumptions about our business’s growth should be reconsidered in light of the changes in government? What possible, emerging growth opportunities are on the horizon that we should be anticipating? Do we have a capture plan in place for these growth opportunities?
Exposure: What is our exposure to trade policy changes and the fluctuation of the U.S. dollar?
Supply chain: Do we know which of our critical suppliers could be impacted by a shift to a nationalist trade policy?
Strategic planning: How are we integrating political risk analysis and assessments into our strategy and risks processes?
Scenario planning: How robust and effective are our current scenario-planning processes, and how prepared are we to act quickly if needed?
Technology: What impacts will the new administration have on the growth of technology?
Questions for Fellow Directors
Compensation: What objectives are our compensation plans setting out for key executives and business units? Are we rewarding the right activities and the right behaviors?
Board composition: Does our board have the right combination of skills, diversity, and experience to provide effective guidance and oversight to management?
The audience also left with an important piece of advice. Castellanos cautioned that, in a world where we get our news from each other and the President-Elect has an affinity for social media, it is more critical than ever for companies to have a well thought-out corporate social media strategy.
Note: The views and opinions expressed in this blog are those of the speakers at this event and do not necessarily reflect the views or opinions of the National Association of Corporate Directors (NACD) or the NACD Capital Area Chapter.
Kimberly Simpson is NACD regional director for the Southeast, providing strategic support to NACD chapters in the Capital Area, Atlanta, Florida, the Carolinas, and the Research Triangle. Simpson, a former general counsel, was a U.S. Marshall Memorial Fellow to Europe in 2005.
What would you recommend if you were on the board of Ford Motor Co., Boeing Co., or Lockheed Martin Corp., all of which have had tête-à-têtes with the incoming leader of the free world? Welcome to the age of the suddenly very bully pulpit. The most powerful thumbs in the world belong to Donald J. Trump, who will soon become the 45th President of the United States.
In mid-December, when Trump despaired that Lockheed Martin’s cost overruns on the F-35 joint strike fighter “were tremendous,” the company’s stock lost $4 billion in market capitalization in a matter of hours. Even though the company quickly recovered those losses when its stock price stabilized, Trump’s tweet triggered some discomfiting moments.
No one understands better how to wield the powers of Twitter, the 24/7 news cycle, and a cult of personality than Donald J. Trump quite like the man himself. To one extent or another, Lockheed Martin Corp., Toyota Motor Corp., Carrier, Mondelez International (parent of Nabisco), Ford Motor Co. , and Boeing Co., have all been caught in Trump’s Twitter maelstrom. Fiat Chrysler Automobiles, in a proactive move to get the target off its back before the opening salvo, wisely announced that it would invest $1 billion and create 2,000 U.S. jobs. A smart play, but as all newlyweds ask, “Will it last?”
We’re in unchartered waters here—and by “we,” I include C-suite executives, corporate directors, and communications counselors like me who advise corporations on how to enhance their brand equity, engage with decision makers, and weather inevitable storms that come with doing business. Social media, fake news, and a new president have changed the rules of engagement.
So what is the new rubric? For most publicly traded companies over the near term, the right response is the easy one: for your shareholders’ sake, meet Trump more than halfway if his demand isn’t too outrageous, and give him the early victory lap. But at some point, after Trump’s modus operandi on these matters inevitably hits some turbulence, that dynamic is likely to change. Watch this space closely, particularly the business-to-consumer tech companies who have millions of customers conditioned to social engagement.
In the meantime, how can a company prepare for presidential squalls or getting caught in the crosswinds of a Twitter-induced tsunami?
There are scores of precautions a publicly traded company should consider, but they can be boiled down to four imperatives.
Engage employees. Trump’s “Make America Great Again” mantra proved enormously popular in America’s industrial heartland. His administration’s public positioning will be devoted to job preservation, reinvigorating the manufacturing base, and sticking up for the little guy. In such a climate, relations with national and local union leaders and heads of employee groups will be doubly important. If a company is suddenly the subject of public scrutiny, its labor and management will want to present a united front. Politics, it is said, makes strange bedfellows. So does business in tough situations.
Enlist allies. Empowering third-party champions has always been an important part of any corporation’s public affairs and communications arsenal, but now it’s absolutely vital. The press and public in today’s environment are inherently suspicious of big corporations and paid spokespeople. In the clutch, customers, vendors, suppliers, community leaders, local environmental advocates, philanthropic heads, Chambers of Commerce, et al., will have far more credibility. The more social media-savvy—and more genuinely connected to grassroots movements—these champions are, the better allies they are for your company.
Prepare now. Companies should use “peacetime” wisely by distilling facts and messages into 140 characters; creating photos and videos for other social channels (e.g., Facebook, Snapchat, YouTube, etc.) that make emotionally appealing messages; track media socially in a sophisticated way that predicts trends; and build a social army now to articulate track records in U.S. job creation and economic growth.
Emphasize speed. Virtually every crisis communications plan in corporate America can be rendered obsolete by the proliferation of Donald J. Trump’s use of social media. If a company is being attacked via social media, it cannot rely on conventional communications to respond. Corporations need to put in place ultra-quick turnaround systems that tap leading-edge media. Build your arsenal of information, army of activists, and strengthen your reflexes now. Have the leader of the company’s digital media team report directly to the board. Integrate your silos so that legal, investor relations, government relations, public relations, digital, and brand practices all know and trust each other. Board members and senior teams need to be put through their paces via scenario drills and full-scale rehearsals.
The most effective way for a company to combat thumb power is through thumb power of its own.
Richard Levick, Esq., @richardlevick, is chair and CEO of Levick, a global communications and public affairs agency specializing in risk, crisis, and reputation management.