So what happened? At a time when board composition and disclosure are presented as the board’s best safeguards to a range of corporate crises, what lessons can be gleaned from the Equifax debacle—despite the board’s perceived preparedness in these areas?

In each annual proxy, boards disclose their governance practices—from director succession planning to risk management—which serves to reassure investors (large and small) that their assets are in safe hands. Yet, the Equifax breach presents us with a scary prospect: How many companies have failed to do what they say?
As Equifax acknowledges a massive security breach that made names, addresses, social security numbers and more available for fraud and disruption, and as it appears that executives, including the CFO, sold stock before making this information public, it also comes out that Equifax lobbied to make it more difficult for consumers to get damages for exactly this kind of abuse.
Equifax’s lobbying group argued against the prohibition even as it acknowledged that a 2015 government study found “that credit reporting constituted one of the four largest product areas for class action relief” for consumers. Consumer groups countered the claims of CDIA and other rule opponents by saying the ability to file suit is necessary to protect Americans’ legal rights.
For more on this issue:
The Center for Audit Quality celebrated its 10th anniversary with a conference that included assessment of its progress since it was created in response to the Enron-era series of accounting failures and some thoughts about upcoming developments. Unabashedly committed to the notion that accounting is “a force for good,” director Cindy Fornelli emphasized the profession’s commitment to “independence, objectivity, and skepticism.” Many of the participants pointed to more attention to cybersecurity and sustainability (including non-GAAP reporting) and coordination with international standards as increasing challenges, necessary for corporate managers, directors, investors, and other stakeholders. In general, the speakers endorsed the Sarbanes-Oxley legislation, though former SEC Chair Harvey Pitt would have preferred the additional flexibility of making it a part of the 34 Act. Some expressed concern about overloading the board, especially the audit committee, and the consensus was that with issues like cybersecurity, the committee should be responsible for ensuring a system is in place, not for performing the checks itself. Some of the participants expressed concern that the new administration’s more insular, protectionist approach might lead to withdrawal from essential international coordination efforts, leaving a gap in leadership. Pitt said, “If we do not participate, it will diminish our impact…and our ability to compete in a global marketplace.”
CEOs’ compensation – including salary, bonuses and stock options – should be linked to their companies’ cyber security performance, according to a new report from the [UK] Culture, Media and Sport committee.
The Global Network of Director Institutes (GNDI), the international network of director institutes, has issued new perspectives papers on two governance issues that have dominated the board agenda globally this year.
“In the last 12 months, discussions have focused on the changing role of the board to be more resilient against cyber threats and address expectations regarding performance, culture and board diversity through renewal,” said Stan Magidson, Chair of the Global Network of Director Institutes and President and CEO of the Institute of Corporate Directors, Canada. “These are global issues and members of GNDI have issued global recommendations for boards to consider.”
In the first paper, Guiding Principles for Cybersecurity Oversight, GNDI proposes three areas of focus: people, processes and technology. Likening cybersecurity to the “fourth estate”, the global network says that cybersecurity falls outside the traditional borders of oversight, accountability and control, and therefore requires a new approach.
The organisation is calling on boards to consider placing cybersecurity as a specific accountability of one of the officers reporting to the board, to inform themselves of specific operational, reporting and compliance aspects of cybersecurity, and lastly to consider adding a member with some knowledge of information technology (including digitalization and cybersecurity).
In the second perspectives paper, Renewing the Board, GNDI advocates for a performance management approach to board renewal to create long-term value and argues that the board should disclose these policies and processes to its shareholders and other stakeholders to allow for better engagement with these groups. The paper also argues that boards should cast a wide net when adding or replacing a director and should consider the need for diversity of thought, skills and experience on the board when considering appointments.
More than two thirds of company board members are more involved with cybersecurity issues than they were a year ago, according to a new survey by BDO USA, a consulting firm. Nearly 90% of the 150 public-company board members who responded to the survey said they’re briefed on cybersecurity at least once a year, with a third briefed at least quarterly on the issue. Seventy percent said they have increased company investments against cyber-attacks during the past year, the survey found.
Shahryar Shaghaghi, national leader of technology services for BDO, said the board participation and involvement numbers are encouraging, but he now expects more as a result of the investment. “I think we need to move from reactive, which is responding to breaches and notifying the board, to a more-proactive state, where the board can understand what’s going on in the organization,” he said.
There’s no doubt that cyber attacks cause real financial harm to businesses. Money can be stolen, business operations disrupted. Cyber theft can provide international competitors with years worth of valuable intellectual property or trade secrets virtually overnight, jeopardizing current and future market opportunities. Cyber attacks can seriously damage an organization’s reputation with customers and result in legal liability for the company, executives, and board members.
As companies race to protect themselves, how do investors know if the organizations they are investing in are secure?
Join Jacob Olcott, VP at BitSight, and Nell Minow, corporate governance expert and co-founder of Institutional Shareholder Services (ISS), for a discussion of key issues, including:
- How investors assess cybersecurity in the M&A diligence process
- What institutional shareholders want to know about cyber risks to their investments
- How shareholders can meaningfully engage with companies on cybersecurity
In recent months, AIG, Blackberry, CMS Energy, General Motors and Wells Fargo have added a board member with computer-security knowledge. Delta Air Lines and Ecolab did the same in recent years.
The reasons are clear. Cyberattacks on large companies skyrocketed last year, up 44% from 2013. Cybercrime costs businesses more than $400 billion a year, according to Lloyd’s of London.
Data show that corporate boards have a long way to go. Just 11% of public-company boards queried this year reported a high-level understanding of cybersecurity, the National Assn. of Corporate Directors said. A review by the New York Stock Exchange and security firm Veracode found that two-thirds of board members questioned think their companies are ill-prepared for a cyberattack. Yet consulting firm PricewaterhouseCoopers reports that 30% of boards surveyed never talk about cybersecurity at all.