Lorrie Norrington has over 35 years of operating experience in technology, software, and Internet businesses. Norrington is currently an Operating Partner at Lead Edge Capital, and serves on the boards of Autodesk, Colgate-Palmolive Co., HubSpot, BigCommerce, and Eventbrite. She lives in Silicon Valley. This blog is part of the 2017 NACD Global Board Leaders’ Summit series.
A company’s board sets the tone from the top and oversees long-term strategy. However, now more than ever, boards also must actively work to understand technology trends and encourage a culture of innovation that drives long-term growth. The development of an innovation mindset has become an imperative for directors.
The pace of technological change is forcing governance needs to evolve faster than anticipated. As a result, the inability to innovate has become one of the biggest business risks in most enterprise risk management assessments. It is useful to understand that both evolutionary innovation (or the combination of small ideas into bigger change) and discontinuous innovation (which is disruptive to companies and industries) can render companies uncompetitive in months and years—not decades.
Below are some of the techniques I’ve used over the past decade as a director to keep current on my knowledge and help boards embrace technology and innovation.
Take It Personally
You don’t have to live in Silicon Valley or be a technologist to possess a solid working knowledge of innovation and technology trends. In our previous roles as executives, we were forced to keep current on business and technology changes. The same holds for board directors. It is up to you. Annual updates through events like the NACD Global Board Leaders’ Summit are essential to learn about key trends and best practices from other boards. However, given the rate of change, you cannot rely solely on annual updates. Every year, at a minimum, I read the top three business technology books on Amazon’s bestseller list, attend one technology conference (Mary Meeker’s annual pitch is a must), and read my favorite tech-focused publications (i.e., Recode and TechCrunch) daily. This routine enables me to engage in the boardroom with an informed perspective.
Go Beyond the CEO
With today’s rate of change, it isn’t realistic to expect the CEO to have all the answers regarding innovation efforts and how teams are applying technology. If your board has a technology and innovation committee, take time to understand executives’ areas of focus and ensure the agenda is balanced to include both the risks and the opportunities that technology change can create. If your board does not have one, ensure one of your board members is designated to engage regularly with the chief technology officer or chief product officer about their mid- and long-term innovation and technology plans.
Create an “Innovation System” for Your Board
A technology and innovation review should be part of your annual, board-level strategy or product review. Two key behaviors to build as part of your board’s robust “innovation system” are examining current technologies and innovations, and examining the early-stage technologies and innovations that management believes will be part of the future. Last, by including technology and technical product skills as part of the criteria for new board members, you will ensure the board has the right skills over the long term to encourage and challenge management.
In sum, boards set the tone for the entire organization. If you embrace technology and innovation, this empowers everyone throughout the company to do the same. In a world where the rate of technology and innovation will determine long-term success or failure, directors must embrace the changes needed to encourage and challenge management to accelerate their understanding of technology and the pace of innovation.
To learn more about technology and innovation, attend the 2017 Global Board Leaders’ Summit, Oct. 1–4, 2017, in National Harbor, MD. For the full Summit agenda, please visit the Summit website.
In April 2017, the U.S. Securities and Exchange Commission’s (SEC’s) Division of Corporate Finance announced it will not recommend enforcement action for companies that disclose, but do not further investigate usage of conflict minerals which may be from the Democratic Republic of Congo (DRC). Any company manufacturing or contracting to manufacture products using such minerals had previously been required to conduct extensive due diligence on its supply chain and make this diligence publicly known with a note that its products contained minerals which “have not been found to be ‘DRC conflict free.’” However, following a series of partial losses in court, the SEC appears to be backing off the rule—for now.
The Conflict Minerals Rule and Disclosure Requirements
A provision in the Dodd-Frank Act aims to cut off funding sources for armed rebel groups in the DRC and surrounding countries in central Africa. It requires companies manufacturing products containing certain minerals to conduct supply chain audits and disclose if those minerals were known to have originated in the DRC or adjoining countries. The SEC, as the enforcer of this provision, issued a rule requiring issuers of securities who filed reports with the SEC under Sections 13(a) or 15(d) of the Securities Exchange Act of 1934 and who manufactured or contracted to manufacture a product in which the defined conflict minerals were a necessary part, to file a separate special disclosure form, Form SD. Although these obligations were placed on manufacturing issuers, in practice, the diligence requirement was imposed on others in the supply chain because many manufacturers required their supply chain partners to certify origin of minerals and compliance with the rule.
When Form SD was first issued, items 101(a) and (b) required companies using conflict minerals to attempt to identify the country of origin of those minerals. If after conducting a “reasonable country of origin inquiry” the company determined that the country of origin was neither the DRC nor an adjacent country, it had to disclose this finding (and a description of the country of origin inquiry conducted) on its website as well as to the SEC. Per item 101(c) of Form SD, if a company’s minerals may have originated in either the DRC or its neighboring countries, the company was required to conduct additional, more extensive due diligence, and then file and publish a conflict minerals report. This report had to include a description of the company’s due diligence efforts, certified results of an independent private audit, and a list of planned changes as a result of the audit. In the report and on its website, companies also had to describe which products had “not been found to be ‘DRC conflict free,’” although for the first two years of enforcement they could use the label “DRC conflict undeterminable.”
The National Association for Manufacturers challenged these regulations on both procedural and constitutional grounds. After the district court granted the SEC summary judgment, the Association appealed to the DC Circuit of Appeals. Ultimately, the appeals court found that forcing companies to note whether or not their products are DRC conflict free was unconstitutional under the First Amendment. The case was remanded to the U.S. District Court for the District of Columbia, which issued its final judgment in April 2017 and set aside the part of the rule that requires companies to add language that their products are “DRC conflict free” or “have not been found to be ‘DRC conflict free.’” Citing both the court decision and the unclear efficacy of the rule, SEC Chair Michael Piwowar reopened comments and the SEC stayed the compliance portions of the rule pending the conclusion of litigation. The SEC announced it would not pursue enforcement actions against companies who only complete Form SD items 101(a) and (b) and do not pursue more extensive diligence on sourcing or secure an independent audit. The SEC has taken the view that the purpose of item 101(c) of Form SD and the related conflict minerals reports was to determine the status of conflict minerals by requiring the “conflict free” or “not conflict free” labels, and that these measures and the requirements for more detailed due diligence are in need of re-evaluation and clarification given recent court rulings on this matter.
Although companies are not currently expected to conduct the extensive due diligence envisioned by item 101(c) of Form SD, they are still expected to conduct in good faith a reasonable country of origin inquiry and disclose this information to the SEC and the public. Companies and boards still need to ensure there are effective diligence programs in place that allow reasonable inquiry into supply chain partners and components, particularly if conflict minerals are necessary to any product the company manufactures. By statute, the SEC is required to issue a rule relating to due diligence for conflict minerals. Although the “conflict free” labeling requirement has been eliminated, the question remains whether conflict minerals reports, in their current form, are otherwise valid. The SEC is currently developing its future enforcement recommendations with respect to the rule.
In the interim, companies should continue to ensure effective supply chain diligence mechanisms are in place that allow them to confirm where components, particularly conflict minerals, are sourced. To the extent that auditing or diligence measures had already been put into place prior to the final judgment and SEC announcement, companies may want to continue to implement these measures given the lingering uncertainty about future application of the rule. Companies also have the ability to submit comments on the rule to the SEC and should make their views known to influence future enforcement on this issue.
At Baker & McKenzie, Joan Meyer is a partner and chairs the North America Compliance, Investigations & Government Enforcement Practice Group. Reagan Demas is a partner and Maria McMahon is a professional support lawyer in the North America Compliance, Investigations & Government Enforcement Practice Group in Washington, DC.
To learn more about strategy and risk, attend the 2017 Global Board Leaders’ Summit, where you will have the opportunity to explore emerging risk issues with peers. A detailed agenda of NACD and Marsh & McLennan’s Board Committee Forum on strategy and risk can be found here.
Robert P. Silvers is a respected expert on Internet of Things security and effective corporate planning and response to cybersecurity incidents. Silvers is a partner at Paul Hastings and previously served as the Obama administration’s assistant secretary for cyber policy at the U.S. Department of Homeland Security. Silvers will speak at NACD’s 2017 Global Board Leaders’ Summit in October and NACD’s Technology Symposium in July.
Cybersecurity breaches pose a growing threat to any organization. As we’ve seen in recent years, and indeed in recent weeks, the most sophisticated companies and even governments aren’t immune from cyberattack. Ransomware has become a global menace, and payment data and customers’ personal information are routinely swiped and sold on the “dark web” in bulk. Next-generation Internet of Things devices are wowing consumers, but they are also targets, as Internet connectivity becomes standard-issue in more and more product lines.
How do directors prepare for this landscape? Everyone now acknowledges the importance of cybersecurity, but it is daunting to begin to think about implementing a cybersecurity plan because it’s technical, fast-moving, and has no “silver-bullet” solutions. Most boards now consult regularly with the organization’s information security team, but the discussions can be frustrating because it’s hard to gauge readiness and where the organization really stands in comparison to its peers. Sometimes directors confide in me, quietly and on the sidelines, that their real cybersecurity strategy is one of hope and prayer.
There are steps directors can take now to prepare for incidents so that when they occur the company’s response is well oiled. With the right resources and preparation, boards can safely navigate these difficult and unforeseen situations. Three key strategies can assist directors as they provide oversight for cybersecurity risks:
Building relationships with law enforcement officials
Having incident response plans in place (and practicing them)
Staying educated on cybersecurity trends
1. Building Relationships With Law Enforcement Officials
It’s no secret that relationships are central to success. Building the right relationships now, before your worst-case scenario happens, will help manage the situation. The Federal Bureau of Investigation is generally the lead federal investigative agency when it comes to cybercrime, and the United States Secret Service also plays an important role in the financial services and payment systems sectors.
Boards should ensure company management educates law enforcement officials from these agencies about the company’s business and potential risks. In turn, the company should ask law enforcement to keep it apprised of emergent threats in real time. There should also be designated points of contact on each side to allow for ongoing communications and make it clear whom to contact during an incident. This is critical to ensuring that the company has allies already in place in the event that a cyberattack occurs.
2. Having—and Practicing—Incident Response Plans
Directors should ask to see copies of the company’s written cyberbreach response plan. This document is essential. A good incident response plan addresses the many parallel efforts that will need to take place during a cyberattack, including:
a. Technical investigation and remediation;
b. Public relations messaging;
c. Managing customer concern and fallout;
d. Managing human resources issues, particularly if employee data has been stolen or if the perpetrator of the attack is a rogue employee;
e. Coordination with law enforcement; and
f. Coordination with regulators and preparedness for the civil litigation that increasingly follows cyberattacks.
An incident response plan is only valuable if it is updated, if all the relevant divisions within a company are familiar with it, and if these divisions have “buy in” to the process. If the plan is old or a key division doesn’t feel bound by it, the plan isn’t going to work. Directors should insist the plan be updated regularly and that the company’s divisions exercise the plan through simulated cyber incidents, often called “table-top exercises.” Indeed, table-top exercises for the board itself can be an excellent way to familiarize directors with the company’s incident response plan and its cyber posture more generally.
3. Staying Educated on Cybersecurity Trends
As your board is building relationships with law enforcement officials and preparing an incident response plan, directors should also be educating themselves on cyber risk. Cybersecurity becomes more approachable as you invest the time to learn—and it’s a fascinating subject that directors enjoy thinking about. Do you know what a breach will look like for your company? What protocols do you have in place in case something happens?
According to the 2016–2017 NACD Public Company Governance Survey, 89 percent of public company directors said cybersecurity is discussed regularly during board meetings. Since a majority of directors in the room agree that cybersecurity is worth discussing, directors should collectively and individually prioritize learning the ins and outs of cyber risks.
One easy way to stay up to date on the latest is to ask the company’s information technology security team for periodic reports of the most significant security events that the company has encountered. This will give directors a feel for the rhythm of threats the company faces day in and day out.
Another option is for directors to take a professional course and get certified. The NACD Cyber-Risk Oversight Program is a great example of a course designed to help directors enhance their cybersecurity literacy and strengthen the board’s role in providing oversight for cyber preparedness. Consider these options to keep yourself as educated and informed as possible.
The more you can prepare individually, the better off you will be when you have to provide oversight for a cybersecurity breach at your company.