“Putting a Boardroom Lens on Cyber,” one of the final panels of the 2015 Global Board Leaders’ Summit, continued themes heard throughout Summit sessions. The panel focused on how to ask management the right questions about the state of their enterprise’s cyber security and how to assess the strength of their preparedness to manage this risk.
The panel was packed with leading technology experts: Nicholas M. Donofrio, director of NACD, Advanced Micro Devices, BNY Mellon, Delphi Automotive and Liberty Mutual, and former executive vice president of innovation and technology, IBM; Alfred Grasso, president and CEO, The MITRE Corp.; Christopher Hetner, cybersecurity lead, Technology Controls Program, Office of Compliance Inspections and Examinations, U. S. Securities and Exchange Commission; and Kimberley S. Stevenson, director, Cloudera Inc.,and CIO, Intel Corp. Bill E. McCracken, director of NACD and MDU Resources Group and former CEO of CA Technologies, moderated the discussion.
Below is a summary of the high points from that discussion.
Recognize that cyber criminals are constantly changing methods and targets. When it comes to security breaches, “The bad people are getting better, faster, and you have to assume, therefore, that you have to move quicker,” Donofrio said. For example, cyber criminals increasingly exploit human error by using social engineering—especially with “spear phishing” emails. These emails look like legitimate business from trusted sources, yet contain dangerous malware. One employee opening such an email could compromise an entire network’s security.
Scrutinize whether management really knows where key data assets reside. It’s essential to gain the confidence that management knows the location and how “crown jewel” data assets in often highly distributed IT environments are being protected. Management needs to also demonstrate an understanding of the rationale for access rights of both employees and contractors. The fine print in third-party contracts could jeopardize data security, as cloud storage companies sometimes have “quality control” clauses granting access to your data.
Ensure that general management is held accountable for effective cyber-risk management. Cybersecurity is no longer an IT issue, but a significant business risk as technology is now a critical component of most business processes. As a result, general managers must share formal accountability with IT for the strength of cybersecurity. They must foster a risk-aware culture. If, for instance, the IT department sends dummy malicious emails to test open or click rates in the network, a problem would be detected if the rate goes up. “We track the number of employees who click on malicious emails,” Grasso said. “It’s less than two percent, but if it rises, we’ll move quickly and change our training policies.”
Demand that technology leadership avoid jargon and communicate complex concepts in easy-to-grasp language. “We have our own vocabulary as IT professionals, and we have a hard time translating that into everyday language,” Stevenson said. Technology leadership must be careful to clearly communicate concepts to board members whose first imperative is to understand risks. Technology management should craft language that non-expert directors can readily grasp.
Beware the consequences of your own oversight approach. Directors must carefully craft the questions they ask management when examining cyber risks. Donofrio recommended that board members focus carefully on the questions they ask of the C-suite to avoid sending the wrong message: for example, boards that focus exclusively on the costs associated with cybersecurity could undermine much-needed investments by management in better defenses. “We as board members can mess this thing up,” Donofrio said. Continued technological literacy is integral to asking the right questions, understanding experts’ briefings, and appreciating the full impact of cyber-risks across the organization.
Innovative technology can be a differentiator as well as a disruptor in today’s marketplace. Technological advancements are rapidly compressing the half-life of business models and industries that historically have not been viewed as dependent on technology are now being transformed by it and their business models can no longer function without these latest advancements. Consider Uber. The ability to book, track, and pay for a cab from a mobile device significantly differentiated this business from traditional taxi services. The bottom line is that technology is no longer a mere enabler.
At Protiviti, we often receive feedback from directors stating they do not have a sufficient understanding of the information technology (IT) risks facing their organizations. Furthermore, according to the 2014−2015 NACD Public Company Governance Survey, IT was the area with the least amount of satisfaction in terms of both quality and quantity of information received from management.
The board needs to understand IT as a critical enterprise asset, and the opportunities and risks associated with it must be communicated in a manner directors can understand. Directors instinctively know IT risks have increased in significance. Social business, cloud computing, mobile technologies and other developments offer significant opportunities for creating cost-effective business models and enhancing customer experiences. They also may spawn disruptive change, increased privacy and security risks, and further exposure to cyberattacks.
These changes present fresh challenges that create a moving target for companies to manage. While the velocity of disruptive innovation through emerging technologies is not as immediate as a sudden catastrophic event, its persistence of impact is potentially lethal for organizations caught on the wrong side of the change curve.
Add to all of the above the evolving relationship between the CIO and CISO and the board (or the supervisory board in a two-tiered board structure). These dynamics sum up the environment and expectations that these executives face as they address boards now and in the future, placing their interactions with the board within a business model, strategic and/or risk context.
In many organizations, the chief information officer (CIO) and chief information security officer (CISO) brief the full board or the audit committee on the state of IT on an annual basis, if not more frequently. They can approach this briefing in three ways:
Within the context of the business. The CIO or CISO addresses how the business model leverages technology to deliver the products and services the company offers the marketplace and the opportunities and exposures resulting from disruptive change. The business context briefing answers questions such as:
Do we understand potentially disruptive technologies at an industry level? Are we ahead of the curve to the extent that we are able to integrate new technologies into the business on a timely basis?
Are emerging technologies being deployed effectively to achieve our business objectives (e.g., achieve customer loyalty, improve quality, compress time, reduce costs and risks, and drive innovation)?
Are we positioning the company’s operations to anticipate and proactively drive the innovative change needed to secure sustainable competitive advantage?
What emerging technologies could alter the competitive landscape, customer expectations, and strategic supplier and/or distribution channel relationships within the value chain in which we operate? To what extent are our operations and currently deployed technologies exposed to disruptive change?
Are there aspects of our technological capabilities that we should be sharing with analysts, shareholders, and the general public? If so, are we sharing them? If not, why not?
Within the context of executing the strategy. The CIO or CISO articulates how strategic initiatives are driven by critical technologies and how the organization is facilitating the design and implementation of controls over these various technologies to ensure they perform effectively. The strategic execution context briefing answers questions such as:
What technologies are critical to implementing our strategic initiatives (e.g., growth, profitability enhancement, innovation, and process improvement)?
How are we ensuring that these technologies are functioning effectively?
How is the IT department collaborating with other functional units and the lines of business to ensure that an appropriate return on the organization’s investment in these technologies is being realized?
What challenges are we encountering in implementing these technologies to execute our strategy? What is the potential impact of these challenges on the success of our strategic initiatives?
Do we have the reliable and timely information and data we need to execute strategic initiatives?
Within the context of mitigating risks. The CIO or CISO uses a broader business view to identify specific risks that either may be a result of technology or are mitigated partly through the application of technology. The risk mitigation context briefing answers questions such as:
What are the most significant risks arising from IT, and how do they affect the business, including its reputation and brand image? Have we assessed our tolerance for these risks?
Are we mitigating the critical risks to an acceptable level? How do we know?
What critical business risks are we mitigating using a risk response that relies upon an important technology component? Is this technology component performing effectively? How do we know?
The objective is to provide a briefing on IT matters that resonate with directors across all of the above contexts:
The business context: Are we managing disruptive change?
The strategic context: Are we maximizing value contributed and return on investment?
The risk mitigation context: Are we managing the business and reputational impact of our risks?
Two principles underpin this discussion: (1) business objectives are also IT objectives, and (2) IT risks represent business risks. Using these principles, the above contextual perspectives provide insights to CIOs as to how they should communicate with boards and to board members as to the information they should expect from CIOs.
Citing and then speaking to the above contexts in a crisp, nontechnical manner can facilitate an ongoing board dialogue. In this regard, the CIO or CISO should:
Demonstrate an understanding of the business. Using the appropriate context, drill down to the relevant IT-related objectives, plans for achieving objectives, organizational capabilities to execute plans, and measures by which to gauge progress. In today’s world, technology can facilitate and expedite business transformation and growth through technological innovation (the business context), but it also can destroy reputations if not adequately protected and controlled (the risk mitigation context). Board members should be counseled on both of these interrelated contexts.
Focus on the board’s needs. The board has little interest in the intricacies of how the CIO or CISO organization is run and managed. Don’t go there unless requested.
Address business impact and metrics, not just IT impact and metrics. Provide an end-to-end view and focus on business consequences. For example, consider the following metric: “99 percent of our systems are patched within 10 days.” This metric leaves unaddressed the question as to the sensitivity of the data and/or business consequences of service failure of the other 1 percent of systems.
Target the audience. Understand the purpose of the briefing. Ask the board committee chair for direction. Ask people who have presented to the board for insight as to the background and personalities of the various directors.
Keep it pithy. Identify the key message points directors should take away, and focus on supporting those points. Share sophisticated knowledge judiciously. Allow time for questions. Expect to be asked to expedite your briefing if it is scheduled late in the day.
Boards need to clarify their expectations of the CIO and CISO. What are the directors’ needs, what do they not understand, and what IT issues and related business risks concern them the most? More important, what context(s) do directors want these executives to address when presenting on IT matters? In addition, directors need to be realistic with their expectations of CIOs and CISOs due to the natural complexity of IT. Accordingly, the allotted presentation time should be commensurate with directors’ expectations of the briefing.
Questions for Boards
Below are some suggested questions that boards may consider, based on the risks inherent in the entity’s operations:
Is the strategy-setting process influenced by the opportunities presented by technology and the potential to lead and/or respond to disruptive change? Alternatively, is technology narrowly viewed as a strategic enabler?
Does the board devote sufficient time to IT matters, including related opportunities and risks, as well as the organization’s capabilities and processes in managing those opportunities and risks?
Is the board satisfied with the CIO’s periodic communications? If not, has the board conveyed its expectations to the CIO so that future communications are on point?
Is the CIO organization effective in supporting the changing needs of the business and monitoring technology innovations, including how new technology can be deployed by competitors (or employees) to create disruptive change? Does the CIO assist the board in understanding these issues?
Given growth in the number of cyber threats confronting organizations, does the board have an active dialogue with the CISO on incident response preparedness?
For significant IT projects, does the board understand the underlying assumptions about how each project achieves strategic goals, as well as how success will be measured? Is there follow-up to ensure that each significant project delivers on promises made?
As corporate fiduciaries, directors represent shareholders. But what should boards do when their sense of corporate good conflicts with resolutions advanced by specific owners? It is easy to say that boards need to do more to oversee risk, or to improve strategy, but without real-world testing, these statements become platitudes. Let’s take a look behind the headlines surrounding six recent proxy season conflicts—starting with five Fortune 500 companies (Bank of America, Darden, Staples, Target, and Walmart) and closing with a mid-market real estate investment trust (REIT) family (Ashford). In each case, boards have had to draw the line when confronted by special interests—while still respecting the rights and interests of all shareholders, including activists.
Please click on a company name above to go directly to the case study.
Bank of America: Of Accounts and Accountability
The issue. Is the board responsible for preventing honest administrative errors? On April 28, the Federal Reserve Board announced that it would require Bank of America Corp. to suspend planned increases in capital distributions and resubmit its capital plan. This requirement followed disclosure by Bank of America that the bank made an error in the data used to calculate regulatory capital ratios used in the most recent stress tests conducted by the Federal Reserve. The error was unintentional and, in comparison to the $2 trillion on the balance sheet, small. Nonetheless, the consequences became clear at the annual meeting on May 7, when the California State Teachers’ Retirement System (CalSTRS) pension fund voted against four of five members of Bank of America’s audit committee. “The shortcomings in processes and risk controls underscore the need to make the necessary changes to ensure this sort of issue does not arise again,” opined CalSTRS spokesman Ricardo Duran in an e-mailed statement to the Wall Street Journal. Yet only a minority of investors joined the California giant. Apparently, most investors shared the views of William Smead, chief investment officer of Smead Capital Management in Seattle, who told the Wall Street Journal that the bank’s CEO Brian Moynihan “is a straight shooter” so his fund would “stay the course.” At the meeting, shareholders elected the full board for another term, approved all the management proposals, and rejected all four shareholder proposals; still, the CalSTRS campaign and commentary fired warning shots heard around the governance world.
The lesson. Boards cannot prevent error, but they can ensure quality of both processes and people. Clearly, this bank (like every institution) can continue to improve its controls. On the other hand, when management is willing to admit mistakes and act quickly, and the board has supported this progressive direction, it’s hardly time to change leadership.
Darden Restaurants (and Pfizer): The Right to Sell (or Buy)
The issue. Should cut-or-keep strategy be decided by boards and management or by shareholders? On May 16, Darden Restaurants Inc. announced a definitive agreement to sell its Red Lobster chain restaurant business and related assets, and assumed liabilities to Golden Gate Capital for $2.1 billion in cash. Red Lobster was failing and the board opted to sell it rather than turn it around. The deal will net Darden about $1.6 billion, of which approximately $1 billion will be used to retire outstanding debt. The deal is expected to close in early 2015 after necessary regulatory approvals. A week later, on May 22, Starboard Value, protesting the sale, put forward a full slate of candidates for Darden’s board of directors to be voted on at the company’s June 22 annual meeting. (Similar questions arose on the buy side at the Pfizer annual meeting on April 24 during the recently ended Pfizer bid for Astra-Zeneca.)
The lesson. Boards have a right to exercise judgment on whether a struggling company should turn around or sell off part of the business—or, conversely, whether a market leader should grow via merger. Analyst John Maxfield, writing about Red Lobster for the popular investment site Motley Fool, observed that turnarounds rarely succeed. He cited wise words from Warren Buffet, who wrote the following back in 1980: “When a management with a reputation for brilliance tackles a business with a reputation for poor fundamental economics, it is the reputation of the business that remains intact.” The Darden board apparently believed that the fundamental economics of Red Lobster were unfavorable so they sold it. (On the buy side, the Pfizer board made a similarly justified strategic decision—not to let go of a division, but instead to chase, and subsequently let go of, a dream.)
Staples: A Matter of Discretion
The issue:Can the board justly exercise discretion in pay in order to retain executives during a turnaround? The Staples board believed so, and proceeded in good faith to pay accordingly, but shareholders disagreed. On March 3, the Staples board rewarded executives for their added workload in turning the retailer around by approving a “2013 Reinvention Cash Award.” The board also approved an extra reward cycle to retain executives and staff who had not received a bonus in two years due to dragging financials caused by the poor economy for consumer discretionaries. Institutional Shareholder Services (ISS), a proxy advisory firm, urged investors to reject the plan in their advisory “say-on-pay” vote at the annual meeting on June 2. ISS carries considerable influence in the proxy policy-setting and voting processes, and in this case apparently they did, as a majority of shareholders (53.64%) voted against the Staples plan. At that same meeting, 50.66 percent of shareholders cast advisory votes to split the chair and CEO roles at the retailer.
The lesson. While directors should make every effort to comply with their policies when awarding pay, they should reserve and defend the right to exercise discretion; similarly, directors are the ones who should determine the independent leadership structure for their boards. When boards exercise compensation discretion, for example by making an award that did not appear in a plan, they need to clearly communicate early on their reasons for doing so. This is a key finding of the NACD Blue Ribbon Commission (BRC) on Executive Compensation, convened in 2014, as well as previous BRCs on the topic. Communication, not compensation, may be the core issue here. (Then again, communication of any point requires two parties—the speaker and the listener. In some cases, however, it simply may be that shareholders are unwilling to hear management’s reasons for a nonroutine pay decision.)
Target: Expecting the Impossible?
The issue.If aboard knows that a particular risk exists and takes action to defend against it, are directors to blame if the defense does not function well enough to prevent harm? In mid-2013, anticipating hacker problems, Target began installing a $1.6 million malware detection tool made by the computer security firm FireEye; yet due to a break in the chain of alerts during the most recent holiday season, the defense did not work and Target suffered an attack at the height of the holiday shopping season. Subsequently—despite swift response to the problem (replacing the chief information officer and strengthening security)—ISS recommended that shareholders vote against 7 of the company’s 10 directors at the company’s June 11 annual meeting, urging rejection of the members of the audit and corporate responsibility committees. The day before the meeting, Luis Aguilar, a commissioner at the Securities and Exchange Commission, mentioned the Target incident in a speech at the NYSE, and observed that “effective board oversight of management’s efforts to address these issues is critical to preventing and effectively responding to successful cyber-attacks.” Shareholders did vote by a majority on June 11 to keep the full board, but concerns linger. More than 90 lawsuits have been filed against Target by customers and banks for alleged “negligence,” and they are seeking compensatory damages as well.
The lesson. The line between the board and management is still distinct, but it is no longer bright; it will vary by company, so it is up to each board to find it. IT risk oversight is not easy. NACD’s Director’s Handbook Series on Cyber-Risk Oversight recommends that boards approach cybersecurity as an enterprise-wide risk management issue, and encourages directors to understand the legal implications of cyber risk as they apply to their company’s specific circumstances. Boards can encourage them to build that arsenal. Meanwhile, boards can and should vigorously defend themselves against voting campaigns that would disrupt board continuity at the expense of various stakeholders, including not only shareholders but also employees and their communities.
Walmart: What Price Integrity?
The issue.Does the board have a right to invest heavily in building an ethical culture or should shareholders get more of that money? Sometimes it seems that boards are damned if they do and damned if they don’t. On June 6, Walmart shareholders voted to reelect the entire Walmart board, and to reject a proposal that would mandate a separate chair and CEO, among other votes. This vote occurred despite campaigns against the directors in March; both the CtW Investment Group (on March 19) and ISS (on March 25) issued reports critical of Walmart, recommending that shareholders vote against two existing directors, as well as the company’s executive compensation proposals. They claimed that the company failed to disclose information to shareholders regarding sums spent on investigations into alleged company violations of the Foreign Corrupt Practices Act. In fact, Walmart did publish a global compliance report with details on its programs, so the main reason for the critique seems to be the amount of money spent on compliance. Randy Hargrove, a Walmart spokesperson, has assured the public that “[t]he board has authorized whatever resources are necessary to get to the bottom of the matter.”
The lesson. Boards have the right and, one might argue, the obligation to invest resources to ensure ongoing efforts to improve compliance and integrity. Global companies have many employees and agents to oversee. Policies can go only so far. Perhaps the best guidance here comes directly from the classic Delaware Chancery Court decision in the Caremark case (1996) in which Chancellor William Allen, finding in favor of a defendant board in an insurance kickback case, held that a board as part of its duty of care has an obligation to “exercise a good faith judgment that the corporation’s information and reporting system is in concept and design adequate to assure that appropriate information will come to its attention in a timely manner as a matter of ordinary operations.” If a board fulfills that requirement, its oversight should be praised rather than condemned.
Ashford: A Tale of Two REITs
The issue.Who gets to determine governance—the board or shareholders? The recent history of the Ashford REIT complex provides a real-world laboratory for the issue. It all started in February when the Ashford Hospitality Trust (AHT) board amended AHT bylaws to require board approval of any future bylaw amendments. (Previously, AHT bylaws could be amended by shareholders without board approval.) One reason for this amendment is that the AHT board wants the company to remain under the protection of the Maryland Unsolicited Takeover Act (MUTA). The AHT board also voted to increase the number of shares required to call a special meeting of shareholders. In response, ISS called on shareholders to withhold votes for all but one director at the annual meeting on May 13. At that meeting, all directors were voted in by a majority of votes cast, despite a high amount of negative votes for the targeted directors. Earlier, shareholders of an AHT spin-off, called Ashford Hospitality Prime (AHP), which is advised by AHT, approved two proxy proposals submitted by Unite Here, a union representing workers in the garment and hospitality industries. AHP shareholders voted by a majority of 68 percent to have the company opt out of MUTA—a result that the AHT board hopes to avoid. So far the board of AHT is holding firm in favor of takeover protections and remaining under MUTA protection, unlike its AHP spin-off.
The lesson. Within the bounds of legal compliance, governance is a responsibility of the board, not the shareholders. So when it comes to preserving corporate independence, boards need not give up their corporate shields just because activists accuse them of being too defensive. This may well be a case of rhetoric versus reality. When the MUTA was passed 15 years ago (in 1999), the Baltimore Business Journal hailed it as good for investors: “Corporate takeover bill protects stockholders,” read the news item. In an editorial detailing the law’s provisions to a painstaking degree, the Baltimore Business Journal concluded: Some public commentary on the takeover bill has mistakenly suggested that it takes away all obligations directors have to stockholders. To the contrary, unlike Pennsylvania’s corporate law, which is highly pro-management and provides no relief to investors or stockholders in Pennsylvania corporations, Maryland law now provides some increased procedural advantage to and greater flexibility for directors, while preserving the primacy of stockholder value and providing an escape valve from the most troubling provisions for future investors in Maryland corporations. It seems that with the passage of time, and inattention to statutory language, the anti-MUTA myth has risen again. We will watch this case for further developments.
These developments have involved different issues—financial planning, mergers and acquisitions, compensation, cybersecurity, internal controls, and takeover protection. Nevertheless, these developments point to the need for ongoing director educationon risk oversight in all of these areas, not just in a classroom, but also on the job, and with more active monitoring. These stories also show the value of understanding the evolving expectations of governance itself. As directors face increasing pressures to continually know more and do more, they can strive to improve, yet at the same time recognize the intrinsic limitations of the board’s role. Directors should also seek to provide investors with information on the context and rationale behind the board’s decisions, as part of the company’s overall shareholder engagement and communication program. This close look at current struggles has yielded important lessons—and guidance for an ever-challenging future.