Organizational cybersecurity is one of the biggest challenges facing companies today. The most recent in a string of headline-grabbing data breaches involved U.S. credit-reporting company Equifax, an event that exposed the personal information of some 143 million U.S. consumers. Grilled on Capitol Hill about the episode, Equifax’s chair and CEO said that “mistakes were made” in the company’s response to the attack, which has prompted dozens of private lawsuits and precipitated a drop in the company’s share price.
As corporate directors are ultimately responsible for their companies’ future, the urgency to address cyber risk is accelerating. There is general agreement across the C-suite that cyber risk is a top priority, according to a recent Marsh global survey regarding corporate cyber risk perception. But survey results also revealed that there is less alignment inside companies regarding how cyber risk is reported to corporate directors and about what is most important.
The Information Disconnect Between Board and C-Suite
When survey respondents were asked what type of reporting on cyber risk the board of directors received, something surprising surfaced. For every type of report we asked about, respondents who indicated they were corporate directors said they received far less information than respondents from the C-suite said they were supplying to directors.
For example, only 18 percent of surveyed directors said they received information about cybersecurity investment initiatives. Yet 47 percent of chief risk officers, 38 percent of chief technology or information officers, and 53 percent of chief information security officers said they were already providing reports to board members on those initiatives.
Whether it’s optimizing risk finance through insurance or other resiliency measures, such investment initiatives are critical to preparing for an attack as well as to managing an incident. Organizations need to ensure that board members are receiving, and carefully reviewing, this vital information.
Tellingly, corporate directors say the type of cyber risk reporting they most often receive consists of briefings on “issues and events experienced.” It is clearly important for any corporate director to learn about cybersecurity incidents the company has faced, but such briefings are after-the-fact. A board whose cyber reporting consists mostly of reviews of events that have already happened should recognize that it is seeing the company’s past, not its preparedness, and ask for the forward-looking material as well.
The survey’s C-suite respondents listed “cyber program investment initiatives” as the type of reporting their boards were most likely to be receiving. With fewer than one in five corporate directors saying they received such reports, there is a gap that needs to be closed, especially since understanding, and directing, corporate investment in cybersecurity is key to building effective resiliency measures.
No Incident Can Be Completely Avoided
Many boards seem to focus their oversight on security activities rather than on resiliency best practices. For example, a large share of corporate directors in our survey said their organization did not have a cybersecurity incident response plan. Why? The top reason cited was that “cybersecurity/firewalls are adequate for preventing cyber breaches.” C-suite respondents did not share that view.
As firm after firm, of all sizes and across geographies, has fallen prey to attacks, the belief that enough defenses can be put in place to avoid a cybersecurity incident entirely has been debunked by real-world events. Thus, the mantra among the organizations with the most sophisticated cyber-risk management programs is: “It’s not a matter of if you will be breached, but when.”
Cyber threats are constantly evolving and the potential threat actors are multiplying. No organization is impenetrable, no matter how strong its security posture may be.
Strong Companies Are Already Preparing for GDPR
One of our key findings regarding corporate readiness involves the lead-up to the EU’s General Data Protection Regulation (GDPR), which is scheduled to take effect in May 2018.
We found that companies that are already preparing for GDPR are doing more to address cyber risk overall than those that have yet to start planning. Survey respondents who said their organizations were actively working toward GDPR compliance, or felt that they were already compliant, were three times more likely to have adopted overall cybersecurity measures and four times more likely to have adopted cybersecurity resiliency measures than those that had not started planning for GDPR. This is happening even though the GDPR is not a prescriptive regulation with a defined checklist of compliance activities. Instead, GDPR preparedness appears to be both a cause and a consequence of overall cyber-risk management strength.
The most forward-looking corporate boards recognize the GDPR compliance process as an opportunity to strengthen their organizations’ overall cyber risk management posture on a much broader level, effectively transforming regulations that might previously have been viewed as a constraint into a new competitive advantage.
The lesson here, even for directors of organizations not subject to the GDPR, is that good cyber-risk oversight requires engaging on a number of fronts, both defensive and responsive. Whether it’s playing an active role in attracting highly skilled talent, seeking cross-functional enterprise alignment on priorities, or viewing regulatory compliance as part of a holistic plan, an engaged board can make the critical difference in how a company assesses, reports on, and addresses the impact of cyber risk.
The full Marsh report is titled GDPR Preparedness: An Indicator of Cyber Risk Management.
Assumptions about the geopolitical and regulatory environments are critical inputs into strategy-setting. If one or more assumptions prove invalid, the strategy and business model may require adjustment, and whether the organization is proactive or reactive is often a function of the effectiveness of its monitoring process. Protiviti recently met with 22 active directors during a dinner roundtable. The discussion revealed directors’ oversight concerns amid escalating geopolitical tensions and significant regulatory shifts.
The jury is still out regarding what the Trump administration and Congress can accomplish on major policy fronts. What has become evident is that there are many policy initiatives that could have significant impacts on business at home and globally. These initiatives include tax reform, fair trade, energy independence, immigration policy (including H-1B visas), infrastructure investment, employment and labor, and streamlining of governmental agencies, among others.
Regulatory shifts are also possible, including healthcare reform, dismantling Dodd-Frank, and a scaling-back of the Environmental Protection Agency. Regulations could be impacted by cutbacks at several agencies.
Some directors expressed concern over the short-termism of thinking inside the Beltway, as well as longer-term sustainability issues such as income inequality, student debt levels, and pay-for-performance. They also voiced concern about policy decisions that could create talent shortages.
What role does the board play in overseeing developments in policy and regulatory reform, and how often is the board briefed on fresh developments? How are significant geopolitical developments considered?
Several concepts for sound oversight were discussed.
1. A process is required to navigate the effects of policy, regulatory, and geopolitical shifts. This process should include monitoring legislative, regulatory, and global market developments through hiring insiders and consultants; tracking developments in published sources; monitoring geopolitical hot spots; and keeping close tabs on special interest groups. The process also entails engaging legislators, regulators, and policymakers through a variety of communications tactics, and continues with responses to new legislation and regulations: performing impact assessments, updating policies, modifying existing processes and systems, and implementing new ones.
During the roundtable, several directors expressed concern about fair trade and risk of protectionist policies. The new administration appears to be committed to a reset of the North American Free Trade Agreement (NAFTA) and the Trans-Pacific Partnership. It is also focused on addressing trade issues with China. How these policy initiatives play out can significantly affect companies’ operations in or exports to these foreign markets and even transactions with suppliers in these markets.
2. Evaluate strategic assumptions. Every organization’s strategy has underlying explicit or implicit assumptions about the future that represent management’s “white swans,” or expectations about the regulatory environment and global markets. In these times of uncertainty, it makes sense for the board to assess the underlying strategic assumptions in light of likely policy actions by the executive or legislative branches that can impact the regulatory and geopolitical landscapes. If it’s possible that one or more assumptions might be rendered invalid, senior management should assess the ramifications to the strategy and business model.
3. Consider the implications of scenarios germane to the sectors in which the organization operates and prepare accordingly. Management should define plausible and extreme scenarios. The impact of various policy initiatives on the company’s markets, channels, customers, labor pool, supply chains, cost structure, discretionary spend, and business model should be considered. Scenario planning can be useful for formulating response and contingency plans. One major Japanese automaker spent three months following the 2016 election evaluating alternative scenarios resulting from Trump’s policies and their impact on U.S. and global sales. The company formulated contingency plans to pivot should a disruptive change occur, while also embracing the incoming administration as a market opportunity.
4. Prepare for more discretionary spending capacity. The Trump administration is looking to reduce the corporate tax rate significantly and to make it easier for U.S. firms to repatriate profits earned and taxed abroad. It also seeks to eliminate the corporate alternative minimum tax and provide special deductions for firms engaged in domestic manufacturing. While these proposals have a long road to being passed, companies should consider how they would deploy the hypothetical additional cash flow. Options include undertaking new investments, reigniting deferred projects, enhancing compensation to retain employees, and increasing dividend rates.
5. Pay attention to sovereign risk. The primary objective of managing sovereign risk is to protect company investments from risks of impairment and sustain returns on investment (ROI). Investment impairments from confiscatory actions such as nationalization of the business or expropriation of assets may occur. ROI reductions may arise from discriminatory actions directed to the company, a targeted industry, or companies from certain countries in response to American policy. Actions could include additional taxation, price or production controls, and exchange controls. In addition, investment impairments and ROI reductions may occur due to circumstances such as violent political unrest or war. These risks must be addressed by understanding the driving forces of change in countries where the company does business and taking proactive steps to manage exposures.
When a high risk of confiscation or discrimination emerges, your company might consider repatriating cash to the extent allowed by controls and currency conditions. Look at managing down the investment by avoiding additional capital investments, ceasing inventory replenishment from abroad, and financing payroll and other operational functions through local cash flow. Initiating an exit by divesting assets is an option if a willing buyer is available. If necessary and feasible, moving tangible and intangible assets out of harm’s way may be appropriate. Entering into joint ventures with local and foreign partners may reduce exposure to confiscation risk, since the presence of nationals can keep a multinational under the radar. If cost-effective, political risk insurance is another option, covering the risks of confiscation, political violence, insurrection, civil unrest, and discrimination.
6. Diversify if the revenue mix is dependent on government funding. Defense contractors can capitalize on defense spending, and materials companies, heavy-equipment manufacturers, and construction contractors can focus on infrastructure spending opportunities. However, companies and nonprofit organizations with a high dependency on government contracts and federal funding may want to evaluate opportunities to deploy their core competencies in markets other than the public sector. It is not unreasonable to surmise that the new administration and the current Congress will restrain growth in budgets in areas that are not deemed a priority.
As priorities and policy direction become clearer over time, companies can firm up their responses to potential changes in the operating environment. Meanwhile, it is never too early to start thinking about alternatives. Directors should ensure that their companies are paying attention.
This discussion draws on Protiviti’s Board Perspectives piece on emerging geopolitical and regulatory challenges.
In the final mainstage panel discussion of the National Association of Corporate Directors’ (NACD) 2017 Global Board Leaders’ Summit, Richard Edelman, the CEO of communications marketing firm Edelman, spoke with Nicholas Donofrio and Helene Gayle about how corporate culture drives long-term value. He prefaced the conversation by offering some sobering statistics. Since 2001, Edelman has researched and measured the trust the public places in business, nongovernmental organizations, media, and government. It found that, around the world, only 47 percent of the general population thinks these institutions are trustworthy.
Little more than half (52 percent) of respondents say they trust businesses. CEO credibility dropped in all countries surveyed, reaching an all-time nadir of 37 percent. Fearful of disappearing employment opportunities, people perceive their current way of life as being threatened, resulting in a rise in protectionist, antitrade sentiment. In addition, looking at survey responses from the investor community, 76 percent of investors indicated that companies should address one or more social issues, ranging from employee education and retraining to environmental issues.
From Edelman’s point of view, business is the last fortification defending public trust in our age-old social institutions. “The board matters,” Edelman said. “Reputation matters. Are you engaged when a company is considering the issues of the day? You have to be. You can’t sit back and let management do this themselves.”
When looking to solve the widespread issue of flagging trust in businesses, directors may do well to take a look at corporate culture. Healthy corporate cultures help drive bottom-line results, increase customer satisfaction, and attract top talent at all levels of the organization. And in the past year alone, media headlines in industries ranging from banking to healthcare to entertainment to automotive manufacturing have highlighted how a deficient corporate culture can lead to financial and reputational disaster. As both a source of competitive advantage and a potential risk, culture is a natural component of boardroom agendas. Yet all too often it is regarded as a secondary human-resources issue that gets directors’ attention only when a problem arises. In NACD’s most recent public company governance survey, fewer than half of directors reported that their boards had assessed the alignment between the company’s purpose, values, and strategy in the last 12 months.
To upend the common perception of culture as a soft issue, NACD convened directors and governance professionals to develop practical guidance that directors can use to enhance their culture-oversight practices. The resultant publication, The Report of the NACD Blue Ribbon Commission on Culture as a Corporate Asset, makes ten recommendations on culture oversight and offers associated action steps and tools for directors. Donofrio, a director of Bank of New York Mellon, Advanced Micro Devices, and Delphi Automotive PLC, and Gayle, a director of the Coca-Cola Co., the Rockefeller Foundation, and the Center for Strategic and International Studies, co-chaired the commission.
“In many ways, the issue of trust is aligned with issues of culture,” Gayle observed. “While we have a sense of what our culture is, we haven’t defined it and put those pieces together so that culture can be a unifier across those issues.”
“It truly is not just about [financial] results anymore,” Donofrio added. “It’s about what you did and how you did what you did.” And if board members have concerns about how those results were achieved, it’s time to start asking the CEO and management team questions about the beliefs, protocols, and procedures underpinning the company’s performance. If the chief executive is resistant to examining these issues in an open dialogue with directors—or, worse, is taking positions contrary to the company’s espoused culture and values— that is a sign the company does not have the right leadership in place. As Gayle emphasized, “Creating and managing the company’s culture is the responsibility of the CEO and management team. Culture oversight, and holding leaders accountable for a vibrant and healthy culture, is the board’s job.”
Regarding the rising importance placed on a company’s stance on social issues such as education, the environment, or free trade, Gayle advised that directors frame boardroom discussions on these matters in terms of how a given issue is aligned with the business and take into consideration the communities in which the firm operates and the customers it serves. When Edelman asked if board recruitment should include asking directors about their views on key social issues, Donofrio said that these discussions ultimately tie in to the director-recruitment process, where the criteria for board candidates should include their ability to contribute to and support healthy culture—in the boardroom and across the firm as a whole.
Gayle agreed. “How you relate to society is part of how the company sees itself and how the company expresses its culture. Having a well-thought-out position on how [a particular social issue] furthers the business, how it creates an environment of trust, and how it fosters talent—all those things have to do with culture.”