Tag Archive: NACD Cyber Summit

Take These Five Lessons from NACD’s Cyber Summit Back to Your Board

NACD held its third annual Cyber Summit in Chicago on June 21, 2017, in partnership with the Internet Security Alliance (ISA). This year’s event followed in the wake of cyber incidents such as WannaCry and the hacking of the Democratic National Committee’s email account, as well as Europe’s adoption of the General Data Protection Regulation (GDPR) and the implementation of China’s Cybersecurity Law.

NACD members left the Cyber Summit with valuable lessons to share with their colleagues.

Speakers acknowledged this context and focused on topics such as building a cyber-risk culture, insider threats, cyber-risk regulation, the threat of state-sponsored attacks, and the economics of cybersecurity.

Five key takeaways emerged for director attendees at the 2017 NACD Cyber Summit:

1. Actively learn from cyber incidents at other companies. A bill that aims to require cyber expertise on public company boards has surfaced twice in Congress since 2015. However, Melissa Hathaway—president at Hathaway Global Strategies and senior advisor at Harvard Kennedy School’s Belfer Center for Science and International Affairs—believes boards do not necessarily need to have a director who is an expert in cybersecurity. Hathaway, who delivered a keynote at the cyber summit, suggests boards regularly hold conversations about current events in cybersecurity, and review a cyber-event case study at each quarterly meeting.

2. Work toward a public-private partnership. Hathaway emphasized the benefit of forming a public-private partnership in the United States to serve as a medium for information sharing about cyberattacks. Canadians have already formed such an organization. The Canadian Cyber Threat Exchange is an independent nonprofit that functions as a middleman between the public and private sectors. According to Hathaway, the U.S. government itself has been a victim of a number of cyberattacks exposing personal data, which has cost it credibility with the private sector. Thus far, U.S. corporations have been largely reluctant to share information about cyberattacks with a government that may not be seen as equipped to adequately respond. At the same time, the government classifies data on cyberattacks that limits information sharing with the private sector.

3. Consider having the CISO report directly to the board. The 2016–2017 NACD Public Company Governance Survey indicates that only 31 percent of boards receive reports directly from the chief information security officer (CISO), despite the increased prevalence and importance of the role. Bret Arsenault, corporate vice president and CISO at Microsoft, indicated that the frequency of meetings between the CISO and the board depends on the board’s existing cyber knowledge. As Microsoft’s CISO, Arsenault conducts a quarterly review with both the full board and the audit committee, in addition to meeting with the CEO and the full leadership team for a half hour once each week. Having all members of senior management involved in the conversation helps set the tone at the top around cyber culture. See the 2017 Cyber-Risk Oversight Handbook for guidance on building a relationship with the CISO (p. 38) and questions for the board to ask management about cybersecurity (p. 21).

4. Strengthen a culture of secure behaviors. In providing oversight of cybersecurity, one aspect of the board’s role is to ensure that the organizational culture reinforces healthy cybersecurity behaviors. For this culture to take hold, it is essential that any cybersecurity-related issues be explained to the board—and employees—in a clear, understandable way. For example, the CISO should speak in business terms to the board and avoid using technical language, according to Arsenault. John Lhota, managing principal for global cybersecurity consulting services at SecureWorks, also suggested using gamification for employee cyber education programs. Directors should evaluate whether a culture of awareness about the importance of cybersecurity truly exists, beginning at the board level. See NACD’s Cyber-Risk Oversight Handbook for tools on assessing the board’s cybersecurity culture (p. 27) and establishing board-level cybersecurity metrics (p. 28).

5. Ensure access rights are limited and continuously monitored. Directors should discuss with management what the company’s most critical data assets—or, “crown jewels”—are, and who could access them. Many high-profile breaches have been carried out by employees or contractors with access to company networks. Robert Clyde, vice chair of ISACA and managing director for Clyde Consulting LLC, indicated the hiring process can aid in selecting trustworthy employees, but employees with administrative privileges (i.e., the ability to install certain software, access certain files, or change configuration settings) can become very destructive if they retaliate against the company after a job loss or make a mistake. The board should check with the CISO to make sure there is a very small number of employees who have administrative privileges on an everyday basis, with slightly more given access in an emergency. Adding secondary approvals—so that two people must be involved in a process—further constrains the possibility of someone accidentally deleting data or removing it on purpose. Access for those with administrative privileges should be amended the second those individuals change jobs, according to Robert Zandoli, director of the ISA and global chief information security officer at BUNGE Ltd.
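The three controls in point 5 (a small standing-admin population with a separate emergency tier, two-person approval for destructive actions, and revocation when someone changes jobs) are the kind of thing a CISO can report on from an access export rather than by assertion. The script below is an added illustration, not code from NACD or any of the speakers; the account records, role names, and the `max_standing_admins` threshold are constructed assumptions, and a real review would read them from the identity provider and HR system.

```python
"""Privileged-access review over a constructed account export.

Added example: checks the three controls described in the article
(few standing admins, a separate break-glass tier, revocation on job
change) and a two-person rule for destructive actions.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Account:
    user: str
    current_role: str    # job role today, as recorded by HR
    role_at_grant: str   # job role when admin rights were approved
    is_admin: bool       # holds administrative privileges
    break_glass: bool    # emergency-only elevation, dormant day to day


# Constructed sample export (assumption; not real data).
ACCOUNTS: List[Account] = [
    Account("alice", "platform-eng", "platform-eng", True, False),
    Account("bob", "platform-eng", "platform-eng", True, False),
    Account("carol", "finance", "platform-eng", True, False),   # changed jobs, still admin
    Account("dave", "sre", "sre", True, True),                   # emergency-only tier
    Account("erin", "sales", "sales", False, False),
]

Finding = Tuple[str, str]


def review_admin_access(accounts: List[Account],
                        max_standing_admins: int) -> List[Finding]:
    """Return (issue, subject) pairs a board-level report could summarise."""
    findings: List[Finding] = []

    # Everyday admins only; break-glass accounts sit in their own tier.
    standing = [a for a in accounts if a.is_admin and not a.break_glass]
    if len(standing) > max_standing_admins:
        names = ",".join(sorted(a.user for a in standing))
        findings.append(("too_many_standing_admins", names))

    # Admin rights granted for one job should not survive a move to another.
    for a in accounts:
        if a.is_admin and a.current_role != a.role_at_grant:
            findings.append(("admin_after_job_change", a.user))

    return findings


def dual_control_satisfied(requester: str, approvers: List[str]) -> bool:
    """Two-person rule: at least one approver who is not the requester."""
    return any(a and a != requester for a in approvers)


def review_destructive_actions(log: List[dict]) -> List[Finding]:
    """Flag destructive changes that went through without a second person.

    Each log entry is a constructed dict with 'action', 'requester',
    'approvers' keys (assumed shape, not a real audit-log format).
    """
    return [("no_second_approver", f"{e['action']} by {e['requester']}")
            for e in log
            if not dual_control_satisfied(e["requester"], e["approvers"])]


if __name__ == "__main__":
    for issue, subject in review_admin_access(ACCOUNTS, max_standing_admins=2):
        print(f"{issue}: {subject}")
    sample_log = [
        {"action": "delete-backup-set", "requester": "alice", "approvers": ["bob"]},
        {"action": "drop-table", "requester": "alice", "approvers": ["alice"]},
    ]
    for issue, subject in review_destructive_actions(sample_log):
        print(f"{issue}: {subject}")
```

Run as written, the review reports three standing admins against a ceiling of two, flags carol as still holding admin rights after moving to finance, and flags the one destructive change whose only "approver" was the requester. The threshold and the break-glass flag are the two knobs the article's point 5 asks the board to confirm exist.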

For more information on providing cybersecurity oversight, please see the following NACD resources:

What to Watch For in 2016

A Message from NACD’s CEO to Our Members

Each year I find myself declaring that the profession of directorship has become more challenging than it was in the previous year. I believe we’ve now reached the point where we should recognize this escalation as the status quo, not an annual anomaly. The Securities and Exchange Commission’s director qualification disclosure requirements, the advent of proxy access, and the increasingly public role of shareholder activists have contributed to a business environment in which directors’ qualifications and performance are continually scrutinized.

Kenneth Daly, NACD CEO

NACD’s mission is to help directors lead with confidence—and to foster stakeholders’ confidence in their directors’ ability to effectively serve their companies. I’d like to highlight three critical issues that we believe directors—of all company types—should focus on during the year ahead.

1. Director Awareness

The dramatic slowdown in China’s economy, plummeting oil prices, recent terrorist activities, and the rise of the digital economy have put a fine point on the need for directors to be aware of disruptors that may cause a drastic change in sea conditions for their organizations.

No one can be expected to anticipate every potential disruption. (Who could have seen Uber idling around the corner?) But foresight comes down to one deceptively simple practice: asking the right questions. Are board members exploring the possible impacts of a terrorist act on the company’s supply chain, investigating their organization’s vulnerability to a cyber attack, or considering new competitors that can bring products to market faster than ever before and with nominal investment? Throughout 2016 our NACD Directorship 2020 initiative will continue to focus on disruptive forces, putting a spotlight on the issues that may affect your companies in the years to come.

Suggested NACD Resources:
Environmental and Innovative Disruption: What Directors Need to Know
Leveraging Social and Demographic Trends

2. Shareholder Activism

It goes without saying that activist investors have gotten our attention. A record-setting 355 activist campaigns were announced in 2015, including 33 against Fortune 500 companies. Last year was also a record year in terms of activist campaigns resulting in board seats—127 resulted in at least one board seat for the activist or the activist’s appointee. Our own annual survey of public-company directors found that 20 percent of respondents’ boards were approached by an activist investor in the past year. But nearly half of respondents reported that they are unprepared for an activist challenge.

Activists aren’t practicing black magic; they are performing effective due diligence and smart analytics on their holdings. Boards need to think like activists and anticipate the issues these investors may raise. Do your company’s metrics fall outside industry norms? Does your board composition have any perceived weaknesses? Do you engage with management about the assumptions that undergird your company’s strategy? In 2016, NACD will continue to provide resources that can help your boards to anticipate—and respond to—emerging issues.

Suggested NACD Resources
Identify the Enemies of Effectiveness and Think Like an Activist
Investor Perspectives: Critical Issues for Board Focus in 2016

3. Mergers & Acquisitions

M&A activity reached record levels in 2015. Given this phenomenon, it’s more critical than ever that boards understand their role in M&A. We believe it boils down to readiness and oversight.

At any given time, directors may need to consider either the sale of their own company or the purchase of another company. The board must carefully weigh all opportunities to buy or sell as part of its routine corporate oversight. Be on the lookout for NACD’s new M&A Board Resource Center, which will be available later this quarter. The center will serve as a one-stop shop to help boards participate effectively in the evaluation of proposed M&A transactions.

Suggested NACD Resources
FAQs on the Role of the Board in M&A
Recorded Webinar: The Extent of the Board’s Role in M&A

NACD Cyber Summit
On a final note, I’d like to call your attention to the 2016 NACD Cyber Summit, which will be held on June 15 in Chicago. With Congress now considering passage of a bill that would require companies to publicly identify the “cybersecurity experts” on their boards, scrutiny of the board’s role in cybersecurity oversight has never been greater. This year’s Cyber Summit will equip directors and management with the tools they need to foster cyber resiliency and confidently oversee cyber-risk management.

If you would like to receive additional resources on the three issues mentioned above or more information about the Cyber Summit, I encourage you to contact your dedicated NACD Concierge. If you have not yet had a chance to meet the concierge assigned to you, give us a call at 202-775-0509, and we’ll connect you.

Thank you for being an NACD member. I wish you a successful year ahead.

Sincerely,

Ken