It has become almost obligatory to open every NACD session on boardroom oversight of cybersecurity with the adage: “There are two types of companies: those that know they have been hacked and those that don’t.” And so begin the one- to two-hour panel discussions, in which experts in cyber technology outline and explain the various methods that have already been used to break into companies. Understandably, attendees usually leave these sessions a bit pale and speechless.
Cyberattacks on the private sector are a reality, not merely a threat. In 2013, 50 percent of companies with more than 5,000 employees surveyed by the Ponemon Institute reported one or more phishing attacks, a figure that has nearly doubled since 2009. Further, it is those at the higher levels of organizations that are targeted in attacks. In a recent Verizon report on data breaches, it was reported that executives—with higher public profiles and access to secure information—top the list of employee categories targeted in phishing attacks.
Oversight of cybersecurity sits at the intersection of national security and the private sector. In the most recent issue of NACD Directorship magazine, Jeff Cunningham, in “The Art of Cyber War,” details the evolution of the cyber battle now under way between China and the United States. Under Chairman Mao, China was defended by the Red Guard. Today, he writes, the Red Guard has been replaced by “digital warriors,” expert in technology and the English language, working from residential areas of China. Mandiant, an American security company, reported in a study representing the culmination of six years of research that Chinese hackers have stolen technology blueprints, negotiating strategies, and manufacturing processes from more than 100, mostly American, companies.
At NACD’s Spring Forum this week, cybersecurity expert Richard A. Clarke summarized the current environment: “China does not want to fight the United States in a military war, they want an economic war. You have the Chinese government against your company.” During this session, however, Clarke and Karl Hopkins from SNR Denton went beyond the harsh realities of cyber risk to provide guidance that directors can use at their next board meeting.
Understand you are on your own. The government’s cyber defense budget is allocated toward the military and national security, not toward the private sector. It is up to each company to create a cyber defense strategy.
Define and protect the “crown jewels.” Companies cannot afford to defend every aspect of the organization equally, so the wise course is a minimalist strategy that protects the sources of competitive advantage first.
Don’t wait for the “big event.” Companies are most often crippled not by one significant incident but by a “death by a thousand cuts,” the slow, steady leakage of proprietary information.
Incorporate the general counsel. At most organizations, the role of the CIO is to keep the company running and costs down, and therefore the CIO may not be the best choice to be responsible for cyber risk management. At American Express, for example, the general counsel has a key role in cyber risk management.
Spend intelligently. You can spend the entire company’s budget on cyber defense and still not know if the company is truly secure. The company should develop a defense strategy first, and then purchase the necessary supporting technology.
Ask the right questions. At the next board meeting, directors should ask, “Have we been breached?” and then, “What forensics team have we brought in to look at these threats?” Most directors will need outside expertise to help them understand the company’s cyber risks.
Technology risk oversight is an area that will require more dedicated effort in the future. As such, NACD will continue to raise the discussion with white papers at upcoming educational events and in our NACD Directorship 2020 initiative.
As the process to select the next leader of the Securities and Exchange Commission (SEC) continues, current Chairman Elisse Walter spoke to NACD’s Capital Area chapter this week. The conversation covered a wide range of topics, from diversity in the boardroom to the sequester’s impact on the SEC.
A significant portion of the discussion focused on the auditing profession, including activity from the Public Company Accounting Oversight Board (PCAOB). Having served on the SEC’s staff in a variety of roles beginning in 1977, Walter has had a front-row seat to the evolution of auditing and oversight. From her perspective, although audit has improved in the years since Sarbanes-Oxley, the improvements have not been enough to meet the current environment. Walter also highlighted the utility provided by PCAOB’s new Auditing Standard 16: Communications with Audit Committees and the proposed changes to the auditor’s reporting model.
On mandatory audit firm rotation, the subject of another significant PCAOB concept release, Walter was less committed. While the concept has many pros and cons, she noted that its potential impact was uncertain.
PCAOB member Jay Hanson has commented several times on the concept release. Without a causal link between an audit failure and the audit firm tenure, Hanson remarked that he could “not see how the Board could move forward on mandatory rotation.” Furthermore, “mandatory rotation would be extraordinarily difficult to justify through an economic analysis of its costs and benefits.”
Last year, NACD’s National Audit Committee Chair Advisory Council spearheaded an initiative to propose an alternative solution to mandatory audit firm rotation: the audit committee evaluation of the external auditor. On Wednesday—the advisory council’s first meeting in 2013—delegates reviewed the status of the project. Since NACD CEO Ken Daly’s participation in a PCAOB roundtable last fall—during which he presented the assessment tool—the evaluation form has been downloaded over 1,500 times.
While directors wait for the PCAOB to decide its next steps regarding mandatory audit firm rotation, the advisory council outlined areas it plans to focus on in 2013. These include:
The quality of information presented to the board from management. Delegates suggested dashboards that are board- rather than management-oriented.
Cybersecurity and emerging technologies. Cyberterrorism and new technologies, such as social media, present significant risks to companies—oversight of which is often assigned to the audit committee.
Oversight of big data. Increasingly, investors are using data found in sources other than the annual financial report to analyze and make trading decisions. In some cases, the markets have information about a company’s products and performance before the board.
Produced with KPMG’s Audit Committee Institute and Sidley Austin, NACD’s National Audit Committee Chair Advisory Council will next meet in early June. For a summary of the council’s 2012 meeting, visit our Board Leaders Briefing Center.
The Chairman’s views were her own, not those of the SEC.
One theme resounded in each session at NACD’s Master Class held in Scottsdale, Ariz., last week: the nature of directorship is in flux. In the 1990s, boards were subject to considerably fewer regulatory requirements. Sarbanes-Oxley created the “gatekeeper” of compliance, as observed by NACD President and CEO Ken Daly. Fundamentally, if boards fail to meet compliance requirements, little else will work.
But “you can’t comply your way to success,” according to opening speaker Bill Reichert. Today, long-term value creation necessitates innovative and inventive strategic planning—from management and the boardroom. As such, leading directors are shifting their focus not away from, but through, compliance efforts to the “next level.”
This concept of the “next level” was consistently brought up during discussions across the board. In some sessions, this meant critically assessing the skills and actions necessary to make the board a strategic asset to the company. In other sessions, “next level” addressed the information flow between the management and the board: how to fortify directors with the necessary knowledge to enable them to ask the “second layer” of questions that delve deeper into the data presented by management.
Innovation, however, brings risk—a concept Master Class attendees understood all too well. As noted in the 2009 NACD Blue Ribbon Commission Report on Risk Governance, “without risk there is no reward.” Risk is no longer limited to financial statements, though. The list of areas that pose potential threats to the organization has expanded over the last several years to include fields such as cybersecurity, emerging technologies such as e-commerce, and social media. Throughout the event’s sessions attendees discussed various methods that boards can use to assess and oversee these risks without becoming mired in granularity.
NACD’s Master Class in Scottsdale convened panelists with considerable experience in innovation, strategy, and risk oversight to lead attendees in discussions on how to effectively and intelligently ensure their company is ready to meet the challenges posed by the new economic climate. These panels were punctuated with multiple “deep dive” sessions in which participants could focus on specific topics of interest with experts and peers.