Identifying what expertise is needed on the board and orchestrating different—if not conflicting—points of view into constructive conversation can be a challenge. During a session at the second annual NACD Diversity Symposium on the opening day of the Global Board Leaders’ Summit in Washington, DC, panelists James Lam, director and chair of the risk oversight committee at E-Trade Financial Corp. (E*TRADE); Myrna Soto, director of Spirit Airlines and CMS Energy Corp.; and Charlotte Whitmore, vice chair and chief, brand strategies, of Analytics Pros, discussed how boardroom talent and a robust mix of perspectives are critical to ensuring a company’s success.
Conversation centered around two themes:
1. Striking a Balance. When considering the future needs of the company, Lam recommended that directors think about their business and its risk profile and then consider the following questions: “What are the key megatrends that will impact the business?” and “What director skill sets will be needed to mitigate this potential impact?”
Considering the continuously growing list of threats and disruptors facing businesses—such as cybersecurity, globalism, and climate change—some boards debate whether to focus on recruiting subject-matter experts to help them oversee these risks. But panelists agreed that new perspectives should complement, not replace, long-standing expertise.
“Seasoned directors can be a voice of reason,” Soto said. “New executives can be what you need to push the strategy. When you have that diversity of thought, you really challenge the strategy, but it comes down to the nominating committee and how it thinks about what the next director is going to bring to the table.”
Drawing on her own experience, Whitmore concurred. Whitmore is cofounder of the data analytics start-up, Analytics Pros, and knows what it’s like to both recruit directors whose business experiences are different from her own and to be recruited to a board because of her particular expertise. At her own company, Whitmore said she has learned from more seasoned directors that taking actions to grow the company too quickly might do more harm than good. “They bring a sensibility to corporate culture that’s not just about driving results,” she said. In her role as a director, she said her older colleagues often look to her data-analytics savvy to discover new ways to support the organization.
2. Facilitating Dialogue. Having diverse perspectives around the board table does the company no good unless they are heard. Effective director onboarding is vital to acquainting a new director with the company and establishing both the board’s expectations of the new recruit and what that director expects of fellow board members and management. A director’s ability to contribute successfully to the conversation is contingent on the conditions under which they were onboarded. Soto said that she turned down several directorships based on what she learned about the companies’ governance structures. Lam recalled having his own agenda during his onboarding at E*TRADE, ensuring, for example, that he was able to meet with the risk committee and senior management.
In addition, the lead director plays the very important role of ensuring that all directors are heard. When new directors are called upon to join the board of a company in crisis or during a transition—such as a CEO succession—the lead director can be instrumental in managing and balancing the perspectives and experiences represented around the table and getting the full board to a point where it feels comfortable not only in making major decisions, but also in communicating those decisions to stakeholders outside of the boardroom.
The dust settled recently on another chapter of the Target Corp. data breach litigation. Although the five shareholder derivative lawsuits filed against Target’s officers and directors have been dismissed, they underscore the critical oversight function played by corporate directors when it comes to keeping an organization’s cyber defenses up to par. While the ink isn’t quite dry on the court papers, it’s time to start reflecting on the lessons of the skirmish.
In the midst of the 2013 holiday shopping season, news leaked that hackers had installed malware on Target’s credit card payment system and lifted the credit card information of more than 70 million shoppers. That’s almost 30 percent of the adult population in the U.S.
Predictably, litigation was filed, regulatory and congressional investigations commenced, and heads rolled. Banks, shareholders, and customers all filed lawsuits against the company. Target’s CEO was shown the door.
And Target’s directors and officers were caught in the crossfire. In a series of derivative lawsuits, shareholders claimed that the retailer’s board and C-suite violated their fiduciary duties by not providing proper oversight for the company’s information security program, not making prompt and accurate public disclosures about the breach, and ignoring red flags that Target’s IT systems were vulnerable to attack.
The four derivative cases filed in federal court were consolidated (one derivative lawsuit remained in state court) and Target’s board formed a Special Litigation Committee (SLC) to investigate the shareholders’ accusations. The SLC was vested with “complete power and authority” to investigate and make all decisions concerning the derivative lawsuits, including what action, if any, would be “in Target’s best interests.” Target did not appoint sitting independent directors but retained two independent experts with no ties to the company—a retired judge and a law professor. The SLC conducted a 21-month investigation with the help of independent counsel, interviewing 68 witnesses, reviewing several hundred thousand documents, and retaining the assistance of independent forensics and governance experts.
On March 30, 2016, the SLC issued a 91-page report, concluding that it would not be in Target’s best interest to pursue claims against the officers and directors and that it would seek the dismissal of all derivative suits.
Minnesota law, where Target is headquartered, provides broad deference to an SLC. Neither judges nor plaintiffs are permitted to second-guess the SLC members’ conclusions so long as the committee’s members are independent and the SLC’s investigative process is “adequate, appropriate and pursued in good faith.” By these standards, U.S. District Judge Paul A. Magnuson recently dismissed the derivative cases with the “non-objection” of the shareholders, subject to their lawyers’ right to petition the court for legal fees.
Target isn’t the only data-breach-related derivative case filed by shareholders against corporate officers and directors. Wyndham Worldwide Corp.’s leadership faced derivative claims relating to three separate data breaches at the company’s resort properties. After protracted litigation, the derivative claims were dismissed in October 2014, in large measure because Wyndham’s board was fully engaged on data security issues and was already at work bolstering the company’s cybersecurity defenses when the derivative suit was filed. A data-breach-related derivative action was also filed against the directors and officers of Home Depot, which remains pending.
Despite the differences between the Target and Wyndham derivative suits, both cases contain important lessons for corporate executives and sitting board members.
Treat data security as more than “just an IT issue.” Boards must be engaged on data security issues and have the ability to ask the right questions and assess the answers. Board members don’t know what they can’t see. Developing expertise in data security isn’t the objective; rather, it’s for directors to exercise their oversight function. Board members can get cybersecurity training and engage outside technical and legal advisors to assist them in protecting their organizations from data breaches.
Evaluate board information flow on cybersecurity issues. How are board members kept up-to-date on data security issues? Are regular briefings held with the chief information officer (CIO) to discuss cybersecurity safeguards, internal controls, and budgets? Boards might also consider appointing special committees and special legal counsel charged with data security oversight.
Prepare for cyberattacks in advance. Boards should ask tough questions about their organization’s state of preparedness to respond to all aspects of a cyber-attack, from reputational risk to regulatory implications. Get your house in order now, and not during or after an attack. Not surprisingly, multiple studies—including the Ponemon Institute’s 2016 Cost of Data Breach Study—suggest that there is a correlation between an organization’s up-front spending on cybersecurity preparation and the ultimate downstream costs of responding to a breach.
Decide whether and when to investigate data breaches. Before hackers strike, boards should decide whether they will proactively investigate a breach, wait to see if lawsuits are filed, or wait to see if regulators take notice. Regardless of the answer, boards should be prepared to make this difficult decision, which will set the tone of the company’s relationship with customers, shareholders, law enforcement, regulators, and the press.
Develop a flexible cyber-risk management framework. Cyber-risk oversight isn’t a one-time endeavor, nor is there a one-size-fits-all solution. The threat environment is constantly changing and depends, in part, on a company’s sector, profile, and the type of information it collects and stores. While cyber-criminals swiped credit card data in the Target and Wyndham cases, the threat environment has since escalated to holding organizations hostage with ransomware and stealing industrial secrets.
Cybercrime is scary and unpredictable. It poses risks to a company’s brand, reputation, and bottom line. Board members are on the hot seat, vested with the opportunity and responsibility to oversee cybersecurity and protect the company they serve.
Craig A. Newman is a litigation partner at Patterson Belknap Webb & Tyler LLP and chair of the firm’s Privacy and Data Security practice. He represents public and private companies, professional service firms, nonprofit institutions, and their boards in litigation, governance, and data security matters. Mr. Newman, a former journalist, has served as general counsel of both a media and technology consortium and a private equity firm.
North Carolina State University’s Enterprise Risk Management Initiative and Protiviti have completed their latest survey of C-level executives and directors regarding the macroeconomic, strategic, and operational risks their organizations face. More than 500 board members and C-level executives participated in this year’s study. Noting some common themes, we’ve ranked the risks in order of priority on an overall basis below. Last year’s rankings are included in parentheses:
No. 1 (previously No. 1)—Regulatory changes and scrutiny may increase, noticeably affecting the manner in which organizations’ products or services will be produced or delivered. This risk has been ranked at the top in each of the surveys we’ve conducted over the past four years, and is the top risk in many industry groups. The cost of regulation and its impact on business models remain high in many industries.
No. 2 (previously No. 2)—Economic conditions in markets the organization currently serves may significantly restrict growth opportunities. Declining oil and gas prices, equity markets, and commodity prices, in general, have contributed to economic uncertainty. Short-termism is a concern as business investment has yet to catch up with pre-financial crisis levels. A new normal may be unfolding as businesses adapt their operations to an environment of slower organic growth.
No. 3 (previously No. 3)—The organization may not be sufficiently prepared to manage cyber threats that have the potential to significantly disrupt core operations and/or damage its brand. This risk continues to be an issue of escalating concern. The harsh glare of the public spotlight on high-profile breaches at major retailers, global financial institutions, and other organizations has led executives and directors to realize it is most likely not a matter of if a cyber risk event might occur, but when.
No. 4 (previously No. 4)—Succession challenges and the ability to attract and retain top talent may limit the ability to achieve operational targets. As roundtables facilitated by the National Association of Corporate Directors and Protiviti in 2015 indicated, directors understand that talent strategy is inextricably tied to overall business strategy. Companies need talented people with the requisite knowledge, skills, and core values to execute challenging growth and innovation strategies.
No. 5 (previously No. 7)—Privacy, identity, and information security risks may not be addressed with sufficient resources. The technological complexities giving rise to cybersecurity threats also spawn increased privacy/identity and other information security risks. As the digital world enables individuals to connect and share information, it presents more opportunities for companies to lose sensitive customer and private information, in effect, creating a “moving target” for companies to manage.
No. 6 (previously No. 11)—Rapid speed of disruptive innovations and/or new technologies within the industry may outpace the organization’s ability to compete and/or manage the risk appropriately, without making significant changes to the business model. Innovation can be disruptive if it improves the customer experience in ways that the market does not expect, typically by lowering the price significantly, or by designing a product or service that transforms the way in which the consumer’s needs are fulfilled. Whereas disruptive innovations may have once taken a decade or more to transform an industry, the elapsed time frame is compressing significantly, leaving very little time for reaction. Sustaining a business model in the face of digitally enabled competition requires constant innovation to stay ahead of the change curve.
No. 7 (previously No. 6)—Resistance to change could restrict the organization from making necessary adjustments to the business model and core operations. Positioning the organization as agile, adaptive, and resilient in the face of change is top-of-mind for many executives and directors. It’s a smart move. Early movers that exploit market opportunities and respond to emerging risks are more likely to survive and prosper in a rapidly changing environment.
No. 8 (previously No. 17)—Anticipated volatility in global financial markets and currencies may create significant, challenging issues for an organization to address. There are many forces at work that intensify this risk, e.g., high asset prices, slowing global growth, China’s approach to foreign exchange, declining commodity prices, uncertainty associated with central bank policies, and less confidence in policymakers’ ability to respond to market issues quickly and effectively.
No. 9 (previously No. 5)—The organization’s culture may not sufficiently encourage timely identification and escalation of significant risk issues. The collective impact of the tone at the top, tone in the middle and tone at the bottom on risk management, compliance and responsible business behavior has a huge effect on timely escalation of risk issues to the people who matter. This is a cultural issue requiring constant attention by management and oversight by the board.
No. 10 (previously No. 9)—Sustaining customer loyalty and retention may be increasingly difficult due to evolving customer preferences and/or demographic shifts in the existing customer base. Disruptive innovations and the rapid pace of change continue to drive significant changes in the marketplace. Customer preferences are subject to rapid shifts, making it difficult to retain customers in an environment of slower growth. Sustaining customer loyalty and retention is a high priority for customer-focused organizations because senior executives know that preserving customer loyalty is more cost-effective than acquiring new customers.
A board of directors may want to consider the above risks in evaluating its risk oversight focus for the coming year, in the context of the risks inherent in the entity’s own operations. If the company has not identified these issues as risks, directors should consider asking why not.
Jim DeLoach is a managing director with Protiviti, a global consulting firm.