As the 2015 proxy season gets underway, are you looking for the latest information on the priorities of major institutional investors? Are you interested in benchmarking your board’s approaches to proxy statement disclosures and other critical shareholder communications?
To help you prepare, we’ve bundled five of our most recent and most relevant publications into the NACD Proxy Season Toolkit, a one-stop shop for public company boards.
For more insights on the issues currently facing public company boards and key committees, visit NACD’s Board Leaders’ Briefing Center. And be on the lookout for our exclusive proxy season preview, written by ISS’ Patrick McGurn, in the next issue of NACD Directorship magazine.
On Tuesday, the U.S. Department of Homeland Security selected and posted the NACD Director’s Handbook on Cyber-Risk Oversight on the Critical Infrastructure Cyber Community (C3) Voluntary Program website. At a press conference yesterday, four panelists, Ken Daly, president and CEO, NACD; Mark Camillo, head of cyber products for the Americas Region, AIG; Larry Clinton, president and CEO, ISA; and Dr. Andy Ozment, Assistant Secretary for Cybersecurity and Communications, DHS, spoke generally about cybersecurity as an issue for directors, and specifically about the contents of the handbook, created by NACD in association with AIG and ISA, which focuses on cybersecurity oversight at the board level.
Larry Clinton observed that the first of two goals for combatting cyber risks at board level is to raise awareness of cybersecurity as a risk directors must oversee. NACD has been actively engaged in educating the board member community on cyber issues for some time. In summer 2013, The Art of Cyber War graced the cover of NACD Directorship, followed by coverage in subsequent issues; NACD has held multiple roundtables and events focused on cybersecurity issues, including a day-long cyber-risk summit in Chicago, and has built the topic into the flagship Master Class program. In addition to the director’s handbook, other recent NACD thought leadership includes the white paper Cybersecurity: Boardroom Implications and a video series focused on technology and cybersecurity.
On Tuesday, Dr. Ozment emphasized the fact that cyber risks affect organizations of all sizes, sectors, and industries, stating that a director who doesn’t know about cyber incidents falls into one of two categories: either “your CEO doesn’t think you care about cyber incidents,” or “your CIO doesn’t know about the cyber incidents.” He followed with, “unfortunately the bad guys are doing more for cybersecurity awareness than any one of us can do.” Clinton’s first goal, realizing the “why” of cyber-risk oversight at board level, has been scarred into directors’ understanding.
Clinton’s second goal is simple but even more challenging: we have to work together to “solve it.” According to the forthcoming 2014-2015 NACD Public Company Governance Survey, 90 percent of directors believe their boards’ understanding of cyber risk needs improvement. Though directors get the “why,” they need guidance on the “how,” advice practical to boards’ oversight of cyber risk.
The NACD Director’s Handbook on Cyber-Risk Oversight provides insight into the “how.” Daly stated that cyber “is simply another risk [that] fits within the enterprise risk management system.” Camillo indicated that the handbook’s five principles “can be used immediately” and applied to an organization’s existing ERM program:
Principle 1: Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
Principle 2: Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
Principle 3: Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
Principle 4: Directors should set an expectation that management establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
Principle 5: Board-management discussions about cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.
Daly further emphasized the “voluntary public-private partnership” between NACD, ISA, AIG, and DHS reflected in the fact that the handbook is the first, and currently only, private-sector document featured on the DHS C3 Voluntary Program website. The concept of cross-sector partnership to combat cyber risks is a centerpiece of the president’s 2013 executive order, Improving Critical Infrastructure Cybersecurity. The handbook’s release signifies that the partnership-based approach is bearing fruit and the private sector is taking responsibility for cyber risk. Dr. Ozment agreed, stating that “managing cybersecurity is a shared responsibility,” and this handbook demonstrates widespread acceptance of the NIST cybersecurity framework. The handbook’s creators combined cyber, risk, and governance expertise to provide recommendations, broadly applicable to directors of all economic sectors, for combatting a national and international problem.
Cybersecurity is undoubtedly a critical aspect of board oversight, but an overwhelming majority of directors rate their own and their board’s knowledge of IT risk as “in need of improvement.” More than three quarters of directors believe their personal IT knowledge could use a boost, and nearly 90 percent believe the same of their board’s IT knowledge. A lack of cyber knowledge at the board level can lead to overreliance on C-suite experts and difficulty for directors in judging an appropriate level of involvement.
Recognizing the disconnect between the need for effective cybersecurity oversight and the boardroom’s lack of IT acumen, NACD, supported by Protiviti and Dentons, convened three roundtable discussions, bringing together directors, executives, and experts in the field of cybersecurity. These meetings provided insight into the numerous and significant risks presented by cybersecurity, while experts pinpointed deficiencies in board responses to threats and possible solutions. Key statements from participants prompted NACD, Protiviti, and Dentons to address issues demanding director attention and action:
Boardroom cyber literacy: “Cyber literacy can be considered similar to financial literacy. Not everyone on the board is an auditor, but everyone should be able to read a financial statement and understand the financial language of business.”
Identifying high-value information targets: “Do not just harden the perimeter, because hackers will get in. Accept that they can get in, and then design the strategy with the assumption they are already ‘inside.’”
Formulating detection and response plans: “When your company is hacked, do not start spending money like a drunken sailor.”
The human factor: “People are the constant weakness. Cybersecurity is a human issue. Often the biggest problems are caused by an inadvertent actor.”