Paul S. Williams is a partner in the Chicago office of Major, Lindsey & Africa, the nation’s leading executive legal search firm, and is a member of the board of directors for three public companies: Bob Evans Farms, Compass Minerals, and Essendant. He recently was named president of the NACD Chicago Chapter, and has served as the lead independent director of State Auto Financial Corp. The NACD team recently sat down with Williams to discuss his insights on board diversity and to ask him how to make the most of the 2017 Global Board Leaders’ Summit.
NACD: You are a fierce advocate for greater diversity in the boardroom. Could you tell us why diversity at the highest level of a company is so important?
Williams: As a director, I feel a sense of obligation to make sure that I am helping to pave the way for diversity on boards. Unfortunately, there have not been many people of color that have served on public company boards. I think when you step back and think of the credibility of these boards—the credibility of corporate boards with the rest of the business world and the rest of society—it’s incumbent upon us to demonstrate that diversity within companies should start with the board.
When I say that I am a staunch advocate of diversity, I don’t want to limit it to ethnic diversity. I feel strongly about gender diversity, as well as diversity of ethnicity and sexual orientation. I truly believe these boards need to be diverse in all aspects.
Boards also need to be diverse experientially. Directors can’t all be people with similar backgrounds and ways of looking at critical business issues. It’s important that the discussions in our respective boardrooms include truly diverse views.
NACD: What kind of impact do you think a diverse board has on company culture?
Williams: I think it has a tremendous impact. When a management team sees a diverse board talking the talk and walking the walk, it sends a message that the board has taken to heart the importance of diversity. As a board, we don’t want to be hypocritical. Boards without diversity undermine the management team’s ability to bring about change.
A diverse board definitely impacts corporate culture in a number of ways, starting with the commitment to diversity within the company. There’s a sense of appreciation for people who bring different perspectives. It sets a tone of progressiveness and the mandate of being open to different ideas.
Diversity as a concept is somewhat intangible. Compared with financial results, it’s harder to measure. Yet I believe a company can’t have impressive financial results without an underlying culture that is productive and effective.
NACD: How can directors learn more about the importance of diversity?
Williams: Last year I attended NACD’s Global Board Leaders’ Summit. It was uplifting to be able to go to Summit and meet a number of other diverse directors. I knew that I would be assuming leadership of the NACD Chicago Chapter and thought it would be great to meet other chapter leaders. I had heard rave reviews about the programs and I wasn’t disappointed.
The sheer number of attendees at Summit is impressive. There is such a diversity of experience and expertise at Summit. It gave me an opportunity to meet people from around the country to network with and discuss the challenges boards are facing in terms of board diversity and other challenges.
NACD: What advice would you give to someone attending Summit for the first time?
Williams: Get out of your comfort zone and meet new people. It can be tempting for people who are more introverted to stay with the people they know. Sit at a table with folks you have never met, or who are from a different part of the country, or who sit on boards that are in different industries.
Have a game plan in advance, especially in terms of programs you plan to attend. It’s important to know which programs you want to focus on.
Most importantly, have fun! Really allow yourself to enjoy the things that come up in the spur of the moment, whether it’s talking to someone that you didn’t anticipate meeting, or going up to one of the speakers after a program and asking a follow-up question.
How much of your personal data is out there, available for companies to slice and dice—and potentially for hackers to find? Your username and password information to your e-mail account? Your medical records? Your government identification numbers? What about all of the information in your connected devices?
Many companies are moving toward a digital business model, which is generating a massive amount of data about customers. With that proliferation of customer data also comes valuable opportunities for companies to analyze and act upon it. But the explosion of data is also creating a very big, mostly invisible window into people’s private lives that may leave them very vulnerable to identity theft and other crimes.
New privacy laws and incidents of privacy violations, identity theft, and compromise of personal and sensitive information are compounding, which is pressuring companies to prioritize data privacy, security, and compliance. Failure to do so could mean damage to their brand and shareholder value—and even enforcement action by US federal agencies or class action lawsuits.
Data privacy is now a topic that boards need to stay on top of. Directors will want to regularly ask management questions about the company’s efforts to protect its customers’ personal information. Here are five questions boards can ask management about the topic.
1. What is our total dollar exposure to data privacy risk, exclusive of data security? Violating established privacy and data security practices can be costly. According to analysis of government data by PwC, in 2016, companies paid nearly $250 million in privacy- and security-related fines. It’s critical for the board to meet with the right people to understand what steps the company is taking to protect its sensitive information. By meeting with the chief risk, information security, and privacy officers, the board can get a better picture of the state of privacy risk, including the dollar value of the worst possible data privacy risk event. The board also needs to determine if it is receiving the information it needs to oversee privacy risk. And if it’s not, the board needs to ask for and get it from management.
2. How effective is our data privacy strategy? Data is starting to change companies’ business strategies. Nearly two-thirds (64%) of CEOs believe that management of data will be a differentiating factor in the future. For some companies, it already is. The board should ask management to explain the company’s data privacy strategy and outline any goals around data collection and use. Is the data-driven business strategy to grow sales and revenue, improve customer experience, trust and relationships, differentiate the business, or get a competitive edge? Once the board understands that strategy, it can have discussions with management about whether the strategy is effective. The board will want to ask management for updates to that strategy and changes to any plans to achieve those data-related goals.
3. How ready is the company to provide evidence of compliance to privacy regulators? Companies that collect and use personal data need to pay close attention to privacy laws. The European Union’s General Data Protection Regulation (GDPR)—the world’s toughest privacy law—goes into effect in 2018, and the deadline for compliance is May of next year. It is notable that businesses that do not comply with GDPR face a potential fine of 4% of global revenues. Boards need to understand other laws and regulations around data privacy, too. They should ask management about what the company is doing to comply with data privacy laws. Is management ensuring the company stays on schedule to meet the law’s requirements and stays within budget for its compliance efforts? Boards should ask if the company has a data privacy compliance program, what the program entails, and how the company accounts for all the data the company collects, including where it’s housed. Boards need to be assured that management has the right processes and controls in place to mitigate any risk to that data.
4. Are the company’s plans for adopting new technologies and data analytics in sync with emerging global privacy regulations? Directors will want to look beyond compliance with current laws to the ethical issues that data use presents. Just because a company collects data doesn’t mean it can—or should—use it, or allow third parties to access it. Data ethics standards are an emerging topic of practice, which means there aren’t always clear rules or laws outlining how companies can use personal customer data. Consider, for example, that some companies may use technologies such as artificial intelligence and machine learning to surveil for terrorist activity. There are few, if any, regulations around this type of implementation, which could leave these companies open to ethical scrutiny. Directors will want to discuss with management how to draw these ethical and privacy lines in the sand and how the company ensures they are not crossed. Boards will also want to ask how the company evaluates the privacy impact of new products or third-party partners.
5. Is the company’s privacy organization sufficiently resourced to enable its growth plan? Data privacy concerns may become bigger if the company grows. The more customers it attracts, the more data about them it may be collecting and analyzing. As the company’s data collection grows larger, the importance of having a data-use framework also grows. A good framework is one that outlines the collection of data, where and how it’s stored, how it’s protected, how it’s being used, any training on data privacy policies, and what the plan is if there is a breach. The board will want to meet with the chief information security and chief privacy officers to discuss the framework and ask how it’s being implemented, tracked, and enforced.
If the board regularly talks to management, asks questions, and gets answers and information, it will be in a good position to effectively oversee the company’s data privacy, protection, and compliance program.
Paula Loop is the leader of PwC’s Governance Insights Center and is a well-known speaker on a variety of governance topics. As a PwC partner and with more than 20 years of experience, Paula brings extensive knowledge in governance, technical accounting, and SEC and financial reporting matters to organizations.
Jay Cline is PwC’s Global Privacy Co-Lead. He has over 20 years of experience and is a nationally recognized thought leader in the privacy profession. He has deep knowledge of law, technology, and business, and specializes in all major privacy legislation and information security standards. In his work, Jay has helped private and public sector clients comply with data privacy and security regulations across nearly every sector.
My introduction to cybercrime came seven years ago as a bolt from the blue. I Googled myself and found that four of the top five search results showed I was on the Federal Bureau of Investigation’s (FBI) Top Ten Most Wanted List.
After checking outside my front door to make sure no FBI agents were lining up to arrest me, I researched what had happened. I was the victim of an Internet stalker—a previous business associate looking to mar reputations of people this person had had no contact with for nearly two decades.
This experience personally taught me the harm that could be done through the Internet and the unique nature of the risks involved, and sparked my commitment to practicing sound cyber-risk oversight.
Cybersecurity as a Risk
Cyber risks have unique characteristics that not many of the more than 60 different risks reported in public companies’ 10-K reporting share. Most other risks and the damage they cause, although highly detrimental to a company, can be assessed and quantified (consider, for example, the cost of rebuilding after a fire). Cyber risk is different because a victim of a cyberattack may never be able to find out who attacked the company or person, where the attack came from, what was taken, or how long the attack had been going on for.
The most striking feature of cyberattacks is their anonymity. It is very difficult to trace an attacker who wants to stay anonymous. An attacker can create dummy corporations, hijack e-mail accounts, and use multiple servers to become virtually untraceable. Another method that hackers use to hide themselves is the virtual private network, which makes it very challenging to track where the attack originated. Say the intrusion appears to have come through a server in Singapore. The attacker actually could be in Estonia. Even if you can trace the perpetrator, getting redress would mean international litigation.
What are they taking? Unless the attacker is confronting you with a ransom demand for your data, you may not know what is being taken or corrupted without extensive and time-consuming forensics.
Lastly, how long has this been going on? For the same reasons that it is difficult to identify what is being stolen, the time of the origination of the attack is hard to assess. Often known as “Logic Bombs,” malicious software can lie dormant for long periods, and sometimes years, before it is activated. The classic example is the disgruntled employee who leaves malware that activates itself on the anniversary of his firing.
You Are Not Invulnerable
One of the worst mistakes a board can make is to assume that its company is at a lower state of cyber risk because it is not a bank or does not store credit card information. If the company transfers money and is connected to the Internet, which describes just about every company in the United States and many around the world, the company is at high risk of being attacked. Banks and retailers are at extremely high risk. Low risk simply does not exist in the cyber-risk spectrum.
For most companies, the principal vulnerability is economic. Simply put, attackers are trying to make money. Besides stealing information such as employee health care data, or social security numbers that can be sold on the black market, an increasingly popular form of attack is to lock out the company from its data, or encrypt it and charge a ransom to release it or decrypt it.
Brand and reputation attacks are another vulnerability; they are carried out to discredit a company’s reputation for either competitive or political motives. To take an obvious example, imagine the damage to a cybersecurity company’s reputation if its own firewalls were breached. Such an attack would deeply harm the core promise that a cybersecurity company makes to its customers: to secure their enterprises.
Hacktivism, as the name connotes, is an attack launched based on the attacker’s beliefs and ideologies. For instance, a company that tests its products on animals could find itself as a hacktivism target. Typically, the attacker will post messages about the cause on the company’s website or contact its customers and suppliers.
Lastly, malicious attacks can be launched simply to inconvenience and disrupt the company, as in the Logic Bomb attack described above. There is usually no economic motive—vengeance is the principal driver.
Since her “arrival” on the FBI’s Top Ten Most Wanted list, Wendy Luscombe has led a real estate investment trust as CEO, served as a director on European and American boards, and studied cybersecurity and cyber-reputation management. All views and opinions expressed here are the author’s own.