The Power of Culture

There are many priorities to consider in building a successful company. Founder & CEO William Vanderbloemen highlights what above all else—more than profits, more than process, and even more than people—is most important. 

Insurance Is One Spoke in the Cybersecurity Wheel

Sebastian Hess

Who can forget the famous lyrics to the 1968 Noel Harrison song “The Windmills of your Mind”? Mirroring many other facets of life, cybersecurity is “[L]ike a circle in a spiral, like a wheel within a wheel, never ending nor beginning.” As the threat landscape changes, as risk appetites shift, and as new regulations come into being, your organization’s approach to cyber risk also must continually adapt. Throw in the new European General Data Protection Regulation and it’s clear now is the time to be discussing these issues.

Oversight responsibility for cybersecurity has become a board-level responsibility. However, what cybersecurity actually means for a business is often still something of a mystery to some in this position.

Some corporate directors struggle to answer questions such as:

  • What is our ability to prevent, detect, contain and respond to a cyberattack?
  • How should our internal departments, such as information technology, legal, and communications, work together when an incident occurs?
  • What is our overall risk tolerance?
  • How does our level of preparedness compare to our competitors?
  • What is the potential impact of a cyber incident to our balance sheet?
  • What is the return on investment for additional security controls compared to the cost of obtaining cyber insurance coverage?

After last year’s major ransomware attacks, business interruption has become a topic for discussion in many corporate boardrooms. Total economic losses associated with WannaCry are estimated at $8 billion, with half a billion dollars attributed to business, or network, disruption. But there seems to be a lack of ideas on how to mitigate that exposure, how to assess and measure a potential business interruption risk, and how to evaluate this issue with suppliers.

One element of a mature cybersecurity program is cybersecurity insurance. While this is an important spoke in the wheel, it’s also important to understand that it is only one part of the whole.

There is a misconception about what cyber insurance actually is, and almost more importantly, what it is not. Recently, I talked with a medium-sized business about cyber insurance, and their thoughts before our meeting were along the lines of, “if we purchase cyber insurance, we do not need to invest in a cyber security program any longer. After all, we will be insured.”

Even though such a statement is issued infrequently, and would surely not come from any organization that has reached some degree of cyber maturity, it took me by surprise. Yes, risk transfer is important, but only as part of a broader approach to cyber resilience. In a world where systemic cyberattacks are becoming more frequent, nobody wants to be the low-hanging fruit.

In a nutshell, traditional cyber insurance is aimed at dealing with the financial impacts associated with a security or privacy event, including direct costs with managing the event, loss of income, paying extortion demands, as well as liability, including regulatory fines and penalties in jurisdictions where such costs are insurable.

Cyber insurance itself is not a single coverage. It can be packaged in a number of different ways to match an individual client’s insurance buying strategy and evolving cyber threats, risks, and emerging impacts. It can be a combination of first- and third-party offerings, responding to the direct losses of a cyber event as well as claims asserted by third parties.

It’s also important to say what this type of insurance does not address. Cyber insurance does not replace a cybersecurity program and does not negate the need for good security controls. In fact, some policies may require demonstration of certain best practices in cybersecurity in order to provide indemnification. In order for organizations to effectively manage cyber risk, they should have both an effective security program and insurance in place for when defenses fail.

Like all other risks, it is important to look at cyber risks as a continuous cycle of management, not just a one-time risk mitigation exercise. The cycle is one of determining the current risk posture, by looking at the likelihood of cyber threats and the impacts, as well as the current security controls in place.

Based on the internally-determined risk appetite, if certain risks are considered to be above the threshold, they need to be mitigated by additional controls. Once completed, this cycle will be carried out continuously, as the lyrics to “The Windmills of Your Mind” suggest.

As is the nature of risk, it is almost impossible to eradicate it completely, and there is always a residual risk. It is this residual risk that is picked up by cyber insurance, a necessity even for the most resilient among us.

For a useful summary of how to manage cyber risk at board level, please see the NACD Director’s Handbook on Cyber-Risk Oversight.


Sebastian Hess is Cyber Risk Engineer for Austria, Germany, and Switzerland of AIG Europe Ltd. in Frankfurt, Germany. 

Experts Update Directors on Cybersecurity Threat Landscape, Regulations

From the recent botnet attack on home and small-office routers to renewed attention to cybersecurity at the U.S. Securities and Exchange Commission (SEC), directors of companies are tasked with understanding and overseeing a mounting range of information about cyber risks. Recognizing that directors need oversight-specific resources to guide their understanding of this critical risk, the National Association of Corporate Directors (NACD), Ridge Global, and the CERT Division of the Software Engineering Institute at Carnegie Mellon University (CMU) partnered to develop the Cyber-Risk Oversight Program.

The program is tailored specifically to the needs of the director and is updated periodically with webinars to provide context on the most recent developments in cybersecurity. Students who complete the course and pass a series of quizzes are awarded the CERT Certificate in Cybersecurity Oversight. They also join a group of their peers who are publicly acknowledged for having completed the program.

“Cyber-Risk Oversight: Boardroom Update” is the first installment in our Cyber-Risk Oversight webinar series. Completion of the program is not a requirement to view this webinar. Some chief insights from the webinar follow.

What’s New In the Threat Environment

According to Summer C. Fowler, a member of the CERT Institute faculty at CMU and an instructor in the Cyber-Risk Oversight Program, cybercrime costs the global business market $6 trillion annually. This considerable cost suggests that directors should pay closer attention to cyber-risk oversight, as cyber risks take a material toll on companies. Below is a summary of some of the more pressing threats discussed in the webinar.

  • Just under three quarters of cybersecurity breaches to companies’ systems come from an outside source, while 27 percent are from insiders. Fifty percent of the breaches are made by criminals acting with financial gain in mind.
  • Small businesses have become a primary target for cybercriminals because they oftentimes do not have sufficient resources to defend themselves. Directors of these types of companies and nonprofits should ask questions of the organization’s executives to understand how data is being protected.
  • The average time to discover a breach is six months, down from seven months in 2017. This number is alarming, as cybercriminals are still spending significant time in systems without being detected.
  • Members of boards of directors are very often the targets of whaling attempts, which are phishing attempts in which an e-mail is received that looks like a critical, legitimate request. For example, an e-mail may be drafted to appear as though it has come through the chain of command. There will often be multiple people targeted at once through these attempts, to increase the appearance of legitimacy. Whaling can be extremely convincing, and directors should receive training on how to avoid falling victim to these attacks.

Cybersecurity and the SEC

In the past few years, the corporate approach to cybersecurity has shifted from a reactive to a proactive mindset. These shifts have also been significant from a legal perspective, as ensuring cybersecurity and data protection becomes the responsibility of many people, rather than one single person. Cybersecurity also has become a priority for the SEC. In 2011, the SEC’s Division of Corporate Finance issued guidance on how companies should approach disclosure of a breach to investors. While the chief regulator of public companies has not since made any specific rules on reporting of cybersecurity incidences, it restated its guidance on what it expects companies to do to be transparent to shareholders about breaches. In February of 2018, the SEC released guidance for companies to consider when evaluating cybersecurity risks for disclosure. The SEC suggests that the board needs to think about more than the concrete costs of recovering after a cyber breach.

The factors that a board should consider in cybersecurity disclosure are:

  • occurrence, frequency, and severity of prior cybersecurity incidents;
  • probability and potential magnitude of cybersecurity incidents;
  • adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs;
  • aspects of the company’s business and operations that give rise to material cybersecurity risk;
  • costs associated with maintaining cybersecurity protections;
  • potential for reputational harm;
  • existing or pending laws and regulations that may affect the cyber requirements; and
  • litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.

Are you interested in earning a respected credential in cyber-risk oversight at your own pace? NACD members and those who are not yet members are encouraged to watch the webinar embedded above to preview the course’s offerings and to register for the course.

The Business Case for the Rule of Law

Ulysses Smith

With the principle of the rule of law and democratic governance under siege in numerous parts of the world, corporate board members are increasingly considering how global events are creating mounting risks to both their businesses and the bottom line.

These actions are taking place in jurisdictions that have long been high risk for companies. The Democratic Republic of the Congo, Venezuela, and Myanmar, for example, have for some time presented operational challenges as a result of poor governance. In recent years, however, countries thought of as bulwarks for the rule of law have also begun to present challenges for businesses. Some argue that these include the United States, a country that traditionally has been known as a powerful advocate for the rule of law and democratic values and the long-time guarantor of the system of global governance, and the United Kingdom, where the legal and regulatory uncertainty caused by Brexit has seen many investment decisions put on hold.

Just in the last few weeks actions taken by the United States with rule-of-law implications have given some in the business community great pause. US actions regarding Chinese telecom company ZTE Corp. have raised questions as to whether a law enforcement action against a corporate entity can be used as a point of leverage in an international trade negotiation. Notwithstanding policy arguments for and against, the US’s withdrawal from the Iran agreement and pending re-imposition of secondary sanctions create significant uncertainty both for international businesses making investment decisions in Iran, and with respect to the US’s long-term commitments to international agreements. Many also note that America’s executive in chief has imposed considerable pressure on elements of the Federal government whose independence has long underpinned the rule of law in the United States, from individual judges and the judiciary to members of Congress, to law enforcement and the Federal Bureau of Investigation. This pressure has at times taken the form of quite personal attacks that set a concerning precedent, including for businesses that must ask whether they could become a target for a president who dislikes what they may be doing.

It is no secret that businesses do well in jurisdictions where the rule of law is strong: where contracts are enforceable, where fair judicial decisions are rendered without unreasonable delay, where assets aren’t arbitrarily seized or contracts arbitrarily renegotiated, where laws and regulations are transparent and applied fairly, where bribes need not be paid for discretionary actions by government. These are environments where businesses thrive. Indeed, as a 2015 Report by law firm Hogan Lovells and the Bingham Centre for the Rule of Law makes clear, there is a strong correlation between foreign direct investment in a country and the existence of a sound rule of law.

Businesses also do well where basic principles of the rule of law and associated norms are embedded. The separation of powers, the existence of a resilient and independent law enforcement system, and basic respect for truth and fact-based decision making are all important contributors to business success.

Finally, the existence of a strong rule of law correlates with broader societal thriving, making for an invigorated source for customers, employees, partners, and suppliers.

Given this reality, it is imperative that boards be sensitive to the range of rule-of-law issues that impact their businesses, even in jurisdictions where they least expect it. This means considering specific risk factors involving rule of law, above and beyond more generic political risk factors, whenever contemplating entry into new jurisdictions. The same can be said for assessing merger and acquisition or joint venture prospects, even in places where rule of law issues aren’t on the front page of newspapers every day. Indeed, a broad range of rule of law risk factors should be included in standard risk matrices so that business-critical issues such as prospects for the enforceability of contracts, or the ability to get a fair and timely judicial decision, or the independence of law enforcement are specifically considered when assessing risk. Existing governance and compliance frameworks can readily be adapted to reflect rule of law issues, alongside human rights and other risk issues. Rule of law matters should be included on the agenda of board meetings when appropriate.

In addition, boards should consider their companies’ own self-interest in the existence of a strong rule of law, and decide what their role might be in encouraging better governance, both within the companies themselves and in the environments where they operate. Many high-profile businesses have stepped up in recent months to publicly support such issues as countering climate change (as occurred when the US withdrew from the Paris Climate Agreement last year, which precipitated an outpouring of commitments by businesses to meet the goals set out), or in response to gun violence (as with Dick’s Sporting Goods following the Parkland school shooting), for instance.

In this regard, business can serve as a champion of good governance and the rule of law, advocating for improving the standards of governance where appropriate, and initiating collective efforts with like-minded companies with shared interests in stronger rule of law. Chambers of Commerce and other trade associations can be powerful voices when it comes to advocating for a strong rule of law that encourages foreign investment and secures stable business environments. Directors can urge the associations they are involved in to initiate efforts to support the rule of law, helping to bring to bear the influence and credibility of the business community to move the needle, in a positive way, on the quality of governance and the rule of law. Further, there are business-driven associations that provide a platform for collaboration to support the rule of law.

With the rule of law being challenged in so many countries around the world, businesses have both a strong interest in and ability to contribute to fostering a strong rule of law everywhere. Businesses, and their directors, should be part of the urgent work to publicize and mitigate what it is we as a global community will lose if the rule of law is undermined.


Ulysses Smith is a US-based lawyer and director of the Business and the Rule of Law Program at the Bingham Centre for the Rule of Law. All thoughts are his own and do not necessarily reflect those of NACD.  

Rigid Job Offer?

CPI Board Member Elaine Varelas’ Insight on Inflexible Job Offers

Published in MoneyINC.com, Elaine Varelas discusses “One-Sided Negotiations: Is a Company’s Inflexibility on Job Offers a Red Flag?”

Being offered a new role that’s a great fit professionally and culturally is an exciting time—unless an unproductive negotiation process taints the entire experience. Read the complete article at MoneyINC.com.


CPI Welcomes Chris Boyd As Global Marketing Director


Career Partners International (CPI) is pleased to announce that Chris Boyd has joined the organization as Global Marketing Director. CPI continues to grow on a global level, offering unparalleled, high-touch career management solutions. From outplacement services with participants landing in an average of 2.73 months, to an expansive network of specialized executive and leadership coaches, CPI is the trusted source for career consultants. “Constantly innovating, CPI is moving into the future with an expanding portfolio of career services and entry into even more markets around the world,” says Doug Mathews, CEO of CPI. “We are very fortunate to have Chris on our team to help drive these initiatives.”

With a focus on developing the brand, Chris is looking forward to strengthening CPI’s role in the market and supporting the growth of our 66 partner firms. Chris joins the organization with broad marketing experience, working with small, family-owned organizations and Fortune 50 companies alike. He has led teams in product development, brand management, and marketing communications. Chris has a B.A. from Muhlenberg College as well as an MBA and M.S. from Wilmington University.

Oversight of Organizational Speed in the Digital Age

Jim DeLoach


A recent survey of executives and directors globally found that the top two risks discussed are disruptive change to the business model and the organization’s resistance to change. This incongruence captures what may be one of a board’s most fundamental fears.

No established incumbent wants to fall into the category of companies that were yesterday’s success stories but today are in decline, suffering “death from a thousand cuts.” Yet it happens all too frequently. One well-known CEO says it begins with “stasis”—a state of inactivity that leads to “irrelevance” and is followed by an “excruciating, painful decline” until, ultimately, there is an abrupt demise of the enterprise.

This kind of decline is unmerciful. Its low velocity is one of the primary reasons it is so difficult to spot. Left unabated, it leads a once-proud company to the point where very little can be done to save it as it continues down its committed path. In the digital age, cloud computing, robotic process automation, machine learning, and other technologies are disrupting every industry by presenting opportunities to reimagine business models. With physical locations, people, and infrastructure barriers virtually gone, it’s possible for “born digital” start-ups to disrupt an established company with a hyper-scalable business model that can accommodate rapid growth without significant upfront capital.

Time and speed in business have changed. Business has evolved beyond the tactical to emphasize a more strategic and holistic view of challenging conventional thinking and disrupting traditional ways of working as well as long-established value chains. Managing to the speed of business may seem like a strange notion to some, but why shouldn’t every organization evaluate its processes given the speed of change in the marketplace and within the industry? Considering the stakes, it’s worth a serious look.

Following are 10 thoughts on managing to the speed of business and its implications to board oversight.

  1. Set the tone for speed at the top. Directors should support the CEO in setting the tone for speed through both actions and words, emphasizing the importance of staying close to the customer, keeping an eye on relevant market trends, organizing for speed, and embracing change.
  2. Focus on high-velocity and high-quality decision-making. Many large companies make high-quality decisions but make them too slowly. There is a time and a place for formality, but for many activities, an unstructured approach is sufficient.
  3. Inculcate a culture of speed. Members of the executive team should have a stake in initiatives to improve and sustain speed. A company must be at least as fast as—and endeavor to be faster than—agile followers of the latest trends in its industry.
  4. Focus on the customer experience. The speed-conscious organization is customer-centric. Accordingly, it places strong emphasis on gaining access to market insights efficiently and in a timely manner, likely through big data solutions and advanced data analytics.
  5. Establish an organizational structure that directly supports lean business behaviors. Open, flexible, and agile structures with flat hierarchies drive efficiencies, speed up innovation cycles, and facilitate collaboration, communication, and faster decision-making and execution. Focused, dedicated teams armed with purpose and clear objectives should be empowered by executive sponsors to tackle well-defined tasks and assisted by appropriate alliance partners. Sponsors keep the effort on the fast track with a fail-fast mentality.
  6. Select the talent who will lead to success. Trite as it might be to say, the best and most diverse talent wins in the digital era. Talent strategy must set the foundation for speed.
  7. Understand external trends. Speed places a premium on recognizing global megatrends and their impact in a timely manner. Boards should ensure that management is focused on becoming more future-oriented, mindful of external developments, and resilient in the face of change in the digital age.
  8. Speed must deliver desirable outcomes. Speeding up processes and decisions is not the endgame. Outcomes that are on-strategy validate a faster process.
  9. Learn at the speed of business. A committed learning organization fosters a positive culture that embraces open-mindedness, critical thinking, fresh ideas, and contrarian points of view—all of which are vital to speed. Ongoing knowledge-sharing, networking, collaboration, team learning, and admission of errors and learning from them facilitate speed. Feedback loops regarding interactions with customers, suppliers, regulators, and other outside parties that maximize broad employee participation help to root out unconscious bias.
  10. Speed requires effective change enablement. When processes and functions are reimagined, and products and services require improvement, the organization should have an established process to organize the necessary stakeholder commitment and drive the needed change.

What do Atari, Blockbuster, Borders, Palm, and Polaroid have in common? Each failed to keep pace with the market and suffered a long decline before entering bankruptcy or being acquired or liquidated. Each case illustrates how difficult it is to turn away from a business model or a segment of the market that has served the entity’s stakeholders well over the years.

Confidence in facing the future is what every director and leader wants. Speed is dictated by the market—meaning that external and internal factors influence it. The tailwind effect of embracing change and managing to speed breeds desirable confidence in the digital economy.

Jim DeLoach is managing editor of Protiviti. 

Companies Weigh Public vs. Private Options

Peter Gleason

To be a public company or to be a private company—that is the question for an increasing number of directors of both private and public enterprises. And given the recent rise in public-to-private buyouts and private-to-public initial public offerings (IPOs), corporate directors need to be comfortable in both worlds.

Heading toward the public markets are our newest IPOs. As of May 10, 2018, according to statistics from Renaissance Capital, the United States has seen pricing of 67 IPOs worth over $50 million—up 28.8 percent from the same period last year. Last year 160 IPOs got to the pricing stage—up 52 percent from the previous year. As for filings, the first quarter of 2018 saw 44 of them in the United States valued at over $50 million; last year featured 140 such filings—both numbers up from the previous periods, signaling a recovery from the dismal market of ten years ago.

However, the number of publicly traded companies on the market has still not rebounded to the pre-dotcom bust levels. Many companies now see an advantage in going private, with major examples in recent times being Panera and Staples. In both of those cases, the move came amid concerns about short-term mindsets on Wall Street inhibiting the companies’ ability to create long-term value. Earlier this year, Univision, a one-time public company that went private in 2007 after a buyout deal, withdrew from an IPO citing “prevailing market conditions.”

There’s also some speculation that companies want to leave public markets because activist shareholders have spooked them. The 2017-2018 NACD Public Company Governance Survey shows that 16 percent of respondents serve on boards that have been approached by activists during the previous 12 months—down from the previous two years but still a level high enough to motivate meetings with shareholders, reported by half of all respondents and the highest level reported since 2015. A Fortune article written at the time of the Safeway and Dell buyouts observes that both companies decided to go private because of the specter of investor activism. The article quotes a private equity executive speaking on background, saying: “Public company boards are scared to death of activists and will do all kinds of things to avoid proxy contests.”

With this business context in mind, the May/June issue of NACD Directorship magazine focuses on entrepreneurship and activist shareholders: who they are, what they want, and why they want it.

The dispersed global ownership of companies today, enabled through technology, has evolved into the complex adaptive system we call the global stock market. As we know from its recent volatility, the market can act a little crazy. But behind every single share that is traded there is a person who made a decision to buy or sell—often as a fiduciary (in the case of institutions). Directors can and should learn from them, even as they maintain their roles as representatives of all stakeholders.