Emerging Governance Lessons from Equifax

Published by

Michael Peregrine

It’s way too early to make any judgments on board conduct in the Equifax controversy. That’ll be for the courts to decide, and they’ll take a long time getting there. But it’s not too early to draw some useful governance lessons from the situation, if media reports are to be believed. And these are lessons that apply regardless of whether the board serves a publicly held, privately owned or nonprofit corporation.

Some of these lessons relate to the board’s crisis management responsibilities. Others relate to the oversight of the board-CEO relationship. Still others invoke expectations of board cybersecurity oversight.

All of the possible lessons are premised on the increasing recognition of the inevitably of crisis, be it black swan or foreseeable, cybersecurity-related or “from out of left field.” For most complex enterprises, crises are just going to happen. The only questions are when, how big the crisis will be, and from what direction it will come. The most prescient of boards will embrace this inevitably and prepare for a corporate governance version of Defcon 3.

The other lessons are more practical in nature.

1. Emergency Succession  The swiftness of Mr. Smith’s removal speaks to the “nuts and bolts” value of having an emergency executive succession plan. The sudden Smith transition is a shocking example of how emergency succession applies to circumstances beyond customary triggers such as death, health care and family considerations. In today’s crisis-oriented environment, the need to separate from, and replace even the youngest, seasoned and most successful executives can arise at a moment’s notice.

Succession is a part of the board’s basic responsibilities that often gets lost amid the confluence of best practices and consultant messaging. Such planning can be complicated. According to the New York Times, the Equifax board regarded many of its original replacement candidates as “tainted” by ties to the cyber breach—including some executives who are believed to have sold company stock after the breach was discovered but before it was disclosed to the public.

2. Structuring the Separation There’s also the need to anticipate both the classification and the financial terms of executive separation in the context of a crisis environment. According to media reports, Mr. Smith’s separation was described as a retirement. Yet, the board announced that it was reserving the right to retroactively classify the separation as for-cause termination, based upon the ultimate findings of a board special committee charged with the responsibility for reviewing the data breach. Such a reclassification would have obvious and material implications for Mr. Smith’s compensation arrangements, including valuable stock awards.

This action by the Equifax board reflects several key realities of the crisis environment.

  • It will often be difficult to fairly ascertain the presence of cause for termination purposes in the direct aftermath of a crisis. The consideration of the results of an internal investigation may be a necessary and equitable precondition.
  • While not yet considered best practice, the use of clawbacks and other forms of executive compensation disgorgement arrangements is increasingly viewed as an effective response to executive fraud, malfeasance, or other misconduct. Clawback application has most recently been demonstrated by the actions of a financial services company board in response to a significant corporate controversy.
  • Boards must face the harsh reality of the need to impose separation in advance of intense scrutiny by the media, regulators, and possibly even legislators. The sometimes corporate brutality of “throwing executives under the bus” may be perceived as both part of an effective board response (i.e., to demonstrate board accountability), and necessary to preserve the reputation of the company and the interests of its stakeholders. According to the Wall Street Journal, the departures of the Equifax information officer and chief security officer were not considered by the board to be actions significant enough in stature. Thus, the concept of “strict accountability” for executives in the context of major corporate controversies may increasingly be considered an indirect part of the compact between the board and management.

3. The Standard of Conduct  Another lesson is for the board to reconsider the effectiveness of its own cybersecurity oversight efforts. The leading judicial decisions have to date established a high Caremark-style barrier for demonstrating breach of cybersecurity oversight responsibilities. Notable in this regard was the decision of the court in the Home Depot case to extend the protection of the business judgment rule to the board’s conduct, despite its clearly expressed concerns about the speed with which the board implemented protective measures.

However, boards should not place unreasonable reliance on Caremark protection. As instances of cyberbreaches become more egregious, it is reasonable to project a stricter approach to director liability in future cases.

4. The Self-Critique Perhaps the most basic governance lesson from Equifax is the need for board self-evaluation. Any board-driven internal investigation of a corporate controversy will benefit from consideration of the adequacy of the full board’s related oversight efforts. For example, the Wall Street Journal reported that weaknesses in Equifax’s cybersecurity measures were “apparent to outside observers in the months before the hack.” Was the board made aware of these weaknesses? If not, why not? Such a self-critique has been an accepted component of truly comprehensive internal investigations since the “Powers Report” from the Enron board. The willingness to consider how possible governance inadequacies may have contributed to crises can serve as a powerful demonstration of the board’s good faith and assumption of ultimate responsibility.

Equifax is not, as some have characterized it, the second coming of Enron. That’s unnecessary hyperbole at this point. As exaggerated as commentary may be, what is known about the crisis offers a valuable teaching moment to boards about expectations of fiduciary conduct in crisis situations, cybersecurity or otherwise.

Michael W. Peregrine, a partner in McDermott Will & Emery, advises corporations, officers and directors on matters relating to corporate governance, fiduciary duties and officer/director liability issues. His views are his own and do not necessarily reflect the views of McDermott Will & Emery, its clients, or NACD.

Isaacson: To Be Like da Vinci, Be Passionately Curious

Published by

In addition to serving as the CEO of the Aspen Institute and having served as the managing editor of Time and as the chair and CEO of CNN, Walter Isaacson is an author and historian who specializes in telling the life stories of the great minds that have fundamentally shaped our world.

From Benjamin Franklin and Albert Einstein to Henry Kissinger and Steve Jobs, Isaacson has observed that the common denominator among the greatest geniuses in human history is a sense of curiosity that spans multiple disciplines—that and a little rebelliousness. He sat down with NACD Directorship Editor in Chief Judy Warner at the 2017 NACD Global Board Leaders’ Summit to discuss his latest book, a biography of Leonardo da Vinci, and the relevance of the life and work of the ultimate Renaissance man to the digital age.

For Isaacson, Leonardo’s unquenchable curiosity was one of his defining qualities, observing that the questions that the artist would jot down and explore through the course of his notebooks would never directly result in a larger project, be it a work of art or an invention. But there was value in the process of discovering answers to even the most mundane of questions, be it figuring out why the sky is blue or how they made locks in Milan. The artist developed a heightened understanding of the patterns of the world in which he lived, and this understanding fueled his work.

“Sometimes you wander and you do what any good corporate director would do, which is have a vision of what you’re doing and be tactical and open when something comes up. Especially in the digital age, you have to be open to this,” Isaacson said.

And openness to exploring new possibilities has been a guiding principle in Isaacson’s own career. “I began with print, and now dabble in everything from films to podcasts to television and books,” Isaacson reflected. “Each time, I say, ‘Hey, that’s a new opportunity.’ Leonardo was fascinated by everything, and that’s the best advice you can give someone: always be passionately curious.”

Isaacson also identified diversity as a critical factor to innovation. Looking at the Florence, Italy, of the 1400s, he observed that an influx of immigrant populations allowed for people of different background to mingle and exchange ideas. He also sees similar social conditions as being the impetus for the creation of jazz, which some have hailed as America’s greatest art form. “If there are people with different viewpoints and backgrounds, the edginess produces a creativity that uniformity doesn’t produce,” Isaacson said.

Thanks in part to the edginess of his environment, Leonardo helped to redefine art—as did his rival, fellow master painter Michelangelo. For Isaacson, the competition between these two men was paralleled in the late twentieth century by the competition between technology titans Steve Jobs and Bill Gates. But where Jobs focused on end-to-end control of his products and emphasized elegant design, Gates focused on creating software and letting other companies create the hardware that would serve as vehicles for his products. “And each model works well,” Isaacson said. “There’s no right answer. Jobs believed that beauty mattered, but Bill Gates produced a better business model.”

Jobs and Gates also helped to usher in the digital age, which, like the Renaissance, has completely reshaped how we think about and orient ourselves to our world. This new environment—driven by machines, machine learning, and artificial intelligence—has made some wonder how people will fit in to it. “I hear people say you have to learn coding. That’s ridiculous. We’ve learned that machines will learn how to code better than us, but they can’t learn creativity. What will matter in the future is getting people to connect the arts and technology. We need to be like Leonardo, which is to make no distinctions. Love the beauty of an equation as much as you love the beauty of a brush stroke.”

Eager to join us for the 2018 Global Board Leaders’ Summit? Attractive rates are available through October 31. Register today

The Pillars of Courageous Leadership

Published by

According to acclaimed researcher and author Brené Brown, being vulnerable can be a strategic asset to any organization. Although this may sound counterintuitive to some, Brown made the case for how vulnerability cultivates innovation to a rapt audience of directors and corporate-governance professionals gathered at the 2017 NACD Global Board Leaders’ Summit.

Brown became an Internet sensation after she discussed her academic research on these themes at a TEDxHouston event in 2010. Although her presentation was enthusiastically received by her in-person audience, she was frustrated by negative online comments left on the video. But soon after, she discovered a quote by President Theodore Roosevelt that not only has reframed how she viewed her experience, but also has guided her subsequent work:

It is not the critic who counts; not the man who points out how the strong man stumbles, or where the doer of deeds could have done them better. The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood; who strives valiantly; who errs, who comes short again and again, because there is no effort without error and shortcoming; but who does actually strive to do the deeds; who knows great enthusiasms, the great devotions; who spends himself in a worthy cause; who at the best knows in the end the triumph of high achievement, and who at the worst, if he fails, at least fails while daring greatly, so that his place shall never be with those cold and timid souls who neither know victory nor defeat.”

Brown then identified the following four qualities that, when operationalized within an organization, will create a culture of courageous leadership:

  1. Vulnerability. Based on Brown’s research, there is no job where a person is not vulnerable. She noted that vulnerability is not the same as cowardice. Rather, it’s the willingness to expose your new ideas to public scrutiny. Without trying to do something new, and risking the possibility of failing horribly, progress can never happen.
  2. Courage. It takes courage to compete in business. Luckily, Brown’s research into the behaviors of 80 senior leaders and more than 300 MBA students demonstrates that courage is a skill that can be taught and measured. She recommends four practices to instill a culture of bravery in an organization: (1) encouraging vulnerability, (2) defining the organization’s values and operationalizing those values, (3) inculcating trust between individuals and teams, and (4) empowering people with “rising skills,” or the skills to pick one’s self up and brush one’s self off after failing. Regarding rising skills, Brown pointed out that if your employees cannot recover from and learn from their failures, they will begin to feel that they need to be on the defensive—a mind-set that can hinder creativity and innovation.
  3. Ethics. One of the most difficult situations a person can encounter in a business setting is standing up to someone who is making unethical choices. According to Brown, ethics should be the grounding framework that drives behavior. When someone acts outside the set of ethics that the organization adopts or outside the law, leaders must be brave enough to call out that person’s missteps. Her point holds particular relevance to directors and executives who are responsible for overseeing business ethics and promoting a culture of ethical performance.
  4. Trust. Brown asked the audience, “If you can’t see a person’s vulnerability, will you ever be able to trust them?” Vulnerability is a key to building trust, and top-performing teams rate trust in their coworkers as the deciding factor for success.

Brown noted that people who lack trust in one another are likely to avoid confronting their fears and anxieties. Trust makes workers brave enough to develop and share their ideas, and allows them to discuss failures in a respectful manner.

“Can innovation come without exposure?” Brown asked. “Can you have innovation without vulnerability? No. It doesn’t exist.”