Tag Archive: Director’s Handbook Series

Global Cyber Summit Sends Message to Boardrooms


Corporate directors’ mindsets regarding cybersecurity fundamentally need to change. As one participant at April’s inaugural Global Cyber Summit hosted by the Global Network of Director Institutes (GNDI) noted, “We have to go from ‘is it possible we’ll be attacked?’ to ‘it’s probable;’ from ‘how much does it cost?’ to ‘how much should we invest?’; and from ‘can we control cyber threats?’ to ‘how can we keep pace?’”

In the words of another participant, “Yesterday’s approach to cyber at many companies was compliance. Today, the approach is risk management, and the imperative for the future is resiliency.” With the passage of last week’s Protecting Cyber Networks Act and National Cybersecurity Protection Advancement Act, the nation moved one step closer to greater resiliency. Both bills made clear lawmakers’ expectation that companies should share information regarding cyber breaches not just with the government, but also with each other. By sharing information about cyber attacks with peers, via information sharing and analysis centers (ISACs) or information sharing and analysis organizations (ISAOs), and with the Department of Homeland Security, companies may be able to improve their cyber defense. Experts at the summit discussed information sharing in light of the massive threat cyber breaches pose. While information sharing is important to an effective cyber defense, corporate directors should not view it as a panacea. Instead, “it is another tool in the company’s toolbox.”

At April’s summit, the GNDI, the National Association of Corporate Directors (NACD), and the Washington Board of Trade convened more than 200 directors and cyber experts from around the world for a three-day conference to explore the board’s role in effectively overseeing their companies’ cyber defenses. Supported by AIG, the Center for Audit Quality (CAQ), and KPMG, the event provided directors the opportunity to gain insight from experts including Shawn A. Bray, director of INTERPOL Washington; Larry Clinton, president and CEO of the Internet Security Alliance; Richard Knowlton, director of the Internet Security Alliance for Europe and group corporate security director at Vodafone; Jan Hamby, rear admiral, U.S. Navy (Ret.) and chancellor of the National Defense University; Tim McKnight, chief information security officer of General Electric; and Arne Schönbohm, president of the Cyber-Security Council Germany.

Five boardroom imperatives emerged from the event:

  1. View cybersecurity as an enterprise-wide risk issue. Without a doubt, cyber-risk poses a significant threat to companies of all shapes and sizes. From the boardroom perspective, however, it should be viewed not as a technological issue, but as an enterprise risk that is addressed like all other risks disclosed in the MD&A. “Security—not merely cybersecurity—is the key.” Directors should ensure that the company is properly structured to respond to an attack and has plans for both breach prevention and cyberattack response. And don’t be complacent. As one participant at the cyber summit advised, “If you ask management how we’re doing on cyber-risk management and they say, ‘great,’ don’t accept that as an answer.”
  2. Identify your critical assets. Throughout the summit, speakers noted the interdependent nature of cyberattacks. No company is an island, so a perimeter-defense strategy that attempts to protect the entire enterprise equally is virtually impossible to achieve. Instead, management must identify which assets, if breached, would bring the company down: the “crown jewels.” Directors should ensure that defense efforts identify and prioritize them. As part of this identification process, the company can also assess its most vulnerable points, making sure to account for third-party contractors’ potential weaknesses. If a vendor in your supply chain is hacked, are your assets still protected?
  3. Ensure adequate resources for your information technology (IT) teams. Cybersecurity should be viewed as an investment in the company’s future, not as a cost center. Panelists noted a growth in the use of a chief information security officer (CISO), separate from a chief information officer (CIO). Regardless of the leadership structure employed, however, directors must remember that cybersecurity is largely a human issue. Does the C-suite have the staff and training needed to effectively defend the company against attacks? If the company is not going to develop an internal security defense program, how will it acquire one from outside? Is the IT team staffed with both technology professionals and security experts? Broadly, the company should run ongoing employee cybersecurity education programs throughout the enterprise.
  4. De-jargon the board dialogue. The technical nature of cybersecurity can create a formidable barrier to effective board oversight. While it is critical for the board to receive regular reports on the company’s cyber efforts, CIOs, chief technology officers (CTOs), or CISOs may deliver those reports in jargon. Panelists noted that the solution is not necessarily to invite a cyber expert to sit on the board. Instead, the entire board should comprise directors who are equipped to ask the probing questions necessary for effective oversight. The board can invite experts to speak on cyber issues and ask management to provide “de-jargoned” reports in clear, actionable terms.
  5. Incorporate cyber into your strategy and every business decision. Panelists stressed the need for directors to address cyber issues proactively—starting with prevention—rather than waiting to respond to a breach. To do so, cyber should be an aspect of the front-end of business decisions: strategy, legal, and financial. Does the CIO (or CISO, CTO) play a role in strategy and tactical decisions? Does the CIO have a working relationship with the IT teams at third-party vendors? In an M&A scenario, do you assess the cyber vulnerabilities of the target company? These questions can help bring cyber-consciousness to board decisions.

For more guidance on the board’s role in cyber-risk oversight, download the NACD Cyber-Risk Oversight Handbook. Kate Iannelli, Alexandra Lajoux, and Ashley M. Marchand contributed to this report.

“Full Range” Reading: 25+ NACD Deep Dives for 2015


Have you resolved to become even more proactive and knowledgeable as a director in 2015? I commend you! As Dr. Reatha Clark King says in the annual Chairman’s letter, which appears in the January-February 2015 issue of NACD Directorship,

[S]trong boards should work with management to stay abreast of the full range of matters that may affect the success of companies. Today the emergence of significant issues on relatively short notice requires both management and boards to adapt more quickly.

To keep you current, the first items on your reading list should surely be Directors Daily, NACD Directorship magazine, and the white papers and other timely content that flow from our Advisory Councils, NACD Directorship 2020® events, and many other educational programs.

But in addition to consulting these resources, consider making time for some of our deeper-dive publications, which provide extensive data and comprehensive guidance on key boardroom issues, both perennial and emerging. To help you locate the material that will be of most interest to you, here is a quick (at-a-glance) “catalog” of the most popular and most topical publications on the NACD bookshelves.

NACD’S ANNUAL SURVEYS. These studies cover governance trends among public, private, and nonprofit boards, as well as public-company director compensation. The facts and figures clearly presented here in charts, tables, and graphs—along with nuanced interpretation of the data collected—will enable you to benchmark your board’s practices against your peers’, no matter what size or type of organization you govern.

For more than 20 years, NACD has been tracking governance trends by industry and company size, from multibillion-dollar firms to those with under $50 million in revenues. Topics analyzed include board size, director hours, board priorities, committee variety, and specific practices for the oversight of risk and for CEO succession, to name just a few. While other fine organizations now support the effort to research board practices, NACD surveys are unparalleled in the scope of their topics and the size of respondent pools they cover.

BLUE RIBBON COMMISSION REPORTS. Our widely respected series of Blue Ribbon Commission (BRC) reports is required reading for directors who want to increase their mastery of the many issues facing them. Every year, NACD invites a new and select group of prominent board leaders and subject-matter experts to gather for dialogue about an emerging issue. Chaired by well-known leaders in the business or legal community, the commissions produce authoritative reports that have been cited in legal cases (notably Brehm v. Eisner, 2000) and have even been called “prophetic” by Delaware Supreme Court Justice Jack Jacobs, speaking at the University of Delaware. The following links lead to the most recent editions of 13 of these unique and eminently useful reports.

HANDBOOKS. Last but not least, for a firmer grasp of director duties, you may wish to consider one or more of NACD’s definitive handbooks, which are authored by experts and focus on the “how to” of directorship.

And, coming soon, The Family Business Board, Vol. 2!

Happy reading!

Directorship: The Go-To Guide


Consistently, the most sought-after skill in new directors is leadership experience, according to NACD’s Governance Surveys. However, regardless of one’s success in management or leading a company, directorship can prove to be a new challenge.

To assist new and potential directors, NACD created a professional development primer to prepare them for the rigors of overseeing a company: “A Practical Guide for Corporate Directors,” part of the Director’s Handbook Series. Originally released in 1996, the guide was updated this year in light of recent regulatory activity affecting the boardroom.

“A Practical Guide for Corporate Directors” recognizes that the determinants of successful directors tend to hold true for all companies—regardless of size or type. By providing the essentials of the boardroom and its practices, the guide can help directors fulfill their responsibilities.

Highlights from the guide include:

1. Board Structure: Committees and Regulations

The guide includes an especially useful primer on board structure. By highlighting the key committees—audit, nominating and governance, and compensation—it provides a foundation for directors on the respective duties of each committee, and how they interact.

2. Navigating the New Regulatory Environment

The updated guide also explains the implications for boards of the Dodd-Frank Act, which created numerous regulations governing board structure and operations. For rules such as shareholder access to the proxy, shareholders’ advisory vote on executive compensation (say on pay), and the whistleblower bounty program, the guide provides interpretations and guidance.

3. The Role of the Board: Nose In, Fingers Out

Ultimately, the board is the top legal authority within a corporation, charged with oversight of all aspects of the business. The guide helps new directors understand the nuances that separate oversight from management. As NACD’s founders put it, “NIFO: Nose In, Fingers Out.” As such, directors should oversee management’s performance of the hands-on tasks necessary to the operation of the business—not personally manage the tasks.

4. Directors’ Fiduciary Duties

Two major components of a director’s fiduciary duties are care and loyalty. The duty of care does not mean caution in the everyday sense; rather, directors should be informed and exercise appropriate diligence and good faith as they make business decisions.

The duty of loyalty is simple: The company comes first. Directors must act in the best interests of the corporation while fulfilling oversight responsibilities—not in the interests of themselves or anyone else.

5. Liability Concerns

Liability arises when directors fail to perform their legal obligation to the company. While directorships entail certain risks to personal wealth and reputation, there are available protections. These protections include statutory reliance and non-fence-sitter laws.

“A Practical Guide for Corporate Directors” is a strong introduction to the boardroom for all directors.