Five Questions to Ask When Considering an Outplacement Provider

Leading organizations realize that providing outplacement services shows respect to their former employees, improves retention and engagement with those who remain, and protects their employer brand.  I have yet to meet a decision maker who is not concerned with how business decisions, such as mergers, acquisitions and downsizings, affect their people, making outplacement programs even more valuable.  But, more and more, the conversations about outplacement are centered on the inability to evaluate an appropriate provider.

Outplacement is not a one-size-fits-all service. To ensure a proper fit for both company and vendor, consider the following questions:

What services are provided? Having a knowledgeable professional to partner with and to help guide your employee through unfamiliar territory can greatly reduce his or her search time if the consultant is offering more than talk therapy. Ask about help with resumes, LinkedIn, creating a professional brand, networking scripts, interviewing, job search strategy, career change, starting a business, etc. Ask the potential firm if there will be group sessions, classes, webinars, and trainings as well.

How are services delivered? Many career transition firms are moving to a mainly virtual platform. Virtual coaching can be beneficial for rural workers who don’t have easy access to a coach, and these services are typically less costly. But if you are outplacing more seasoned workers, or if your exiting employees have not used a high-tech platform in their roles, a virtual platform can be intimidating and anxiety provoking. Make sure that the services will be delivered in a way that is familiar and comfortable for your exiting employees. Most workers find major benefits in direct interaction with their coach.

What are the coaches’ backgrounds? Your exiting employees are diverse. You’ll want to choose a firm that offers a diverse and relatable coaching bench. Ask about the firm’s talent. Are they certified? Do they understand your industry? Are they geographically located in a way that allows them to have knowledge about your employees’ target markets?

Does the firm have connections? Connections are critical to the job search process. Your exiting employees will be encouraged to network. Ask questions to determine if the firm can offer connections to recruiters, hiring managers, and decision makers. Survey the tools, technology, and employees to ensure that you are putting your exiting employees in the best possible position to secure their next roles.

Do you want a vendor or a partner? Choosing an organization to handle your outplacement needs is like deciding on car insurance. Some of us just want the bare minimum, and some of us want comprehensive coverage. If you’re asking what the very least amount of coverage looks like, there are companies that will partner with you in that way. If you are looking for a partner who knows your needs, goals and values and will provide comprehensive care in planning, delivery and reporting of your career transition services, you will find organizations that will provide you that level of service. In evaluating providers, you should consider your end goal.

Choosing an outplacement provider should be done with care. Simply reviewing a proposal may not give you all of the information that you need to enter knowledgeably into a contract. Your potential provider should take time to meet with you, answer the above questions and thoroughly understand your needs. You may find it beneficial to reconnect with your current advisor and reassess the relationship on an annual basis. Remember that the level of service that the provider offers can impact your relationship with your employees and your consumers. Choose wisely!


Written by Andrea Holyfield, Consulting Manager at CPI Partner Warren Averett Workplace

The post Five Questions to Ask When Considering an Outplacement Provider appeared first on CPIWorld.

Anticipating Disruptive Innovation and Digital Transformation

To stay competitive and relevant in a rapidly changing business landscape, organizations in every industry must navigate an increasingly disruptive, technology-enabled environment. Companies that do not address and embrace new and emerging technologies will be less competitive or may even face obsolescence. Netflix and Uber Technologies disrupted traditional business models by rethinking the way in which service delivery occurred, tapping into new technology capability to empower customers.

Given these challenges to companies, what does innovation mean in this era of digital transformation? Innovation now involves finding the right problems worth solving; building new offerings, business models, and experiences; and generating value at scale for customers.

Furthermore, the rapid spread of advanced technologies such as blockchain, robotic process automation (RPA), and artificial intelligence (AI) now portends similar disruption in industries from financial services and healthcare to communications and manufacturing. Boards must become knowledgeable about these digital disruption trends in order to conduct meaningful oversight that management can draw on as the company embraces new technologies.

Advanced digital technologies bring with them both opportunities and challenges for boards. Consider the following strategies when the organization evaluates or adopts any new, potentially disruptive technology:

  • Overcome technology anxiety. Directors and executives who either lack knowledge of disruptive technologies—or lack confidence in their knowledge—stand to allow their companies to lag behind or fall into a state of stasis. This is something no organization can afford in this age. Management can feel threatened or uncertain about jobs surrounding the adoption of advanced technologies. Concerns can arise around the lack of historical evidence and case studies to demonstrate the technology’s value. Management must be confident and equipped to explain how the tools will support the existing workforce, rather than cannibalizing their talents. To support this mindset and approach, the board needs to support and approve major policies focused on empowering management with knowledge around advanced technologies.
  • Reduce fragmentation while achieving enterprise-wide consistency in adoption. Organizations tend to assign value and evaluate impact as disconnected activities. In a world where value is created by technology across the enterprise, value and impact should be assigned as part of a cohesive business strategy that embraces advanced technology. Neglecting to do so creates knowledge and skills gaps between teams, causing inefficient business processes and ineffective or sporadic performance rather than fully functioning, optimized operations. Boards must go beyond fiduciary responsibilities and take a more active role by challenging management constructively on how new technologies fit into the organization’s overall strategic plan.
    Management may focus too narrowly on addressing a problem through technology for a small group of individuals and lose sight of the larger application of the technology, resulting in a varied impact across the organization. The board can provide clear guidance and ensure balance by reinforcing a consistent, enterprise-wide, business-change approach to technology adoption.
  • Manage the pace of technological change. The adoption of advanced technologies demands teams that are agile in nature. This process can leave legacy business units behind. For example, a blockchain ledger can be used to record and trace the state of a transaction, file, entity, or product at any given time. However, information in a data-driven age changes and expands quickly, which can have a cascading impact on how the organization currently uses the technology. Digital technologies require organizations to be both agile and adaptable to new ways of doing business. The board must promote digital innovation when it comes to doing things faster, better, and more efficiently. The board must also monitor the pace of innovation to ensure the organization can manage the change while meeting strategic objectives.
  • Define evolving responsibilities and accountabilities. Adoption of advanced technologies can create knowledge gaps and role changes. For instance, when an organization implements RPA for a particular process, the digital resource (robot) and the human workforce each may have responsibilities to support or execute an element of the process. In order to provide sound oversight of the changes to a business unit, the board must ask management for clearly defined roles, responsibilities, and accountabilities affected by or involving an advanced technology’s adoption and use.

While the board isn’t tasked with the hard work of managing through digital transformation, its members must be cognizant of the policies and decisions made to ensure they aren’t driven by legacy assumptions. Directors must ask the right questions about the technology as well as the broader questions about the company’s information technology (IT) strategy. This, in turn, requires that board directors, senior management, and IT use a shared language to discuss IT performance. Deeper board involvement can serve as a mechanism to cut through company politics and focus management on the large, integrated technology investments needed as digital weaves ever further into the fabric of today’s businesses.


Waqqas Mahmood is director of advanced technology and innovation for the advisory, tax, and assurance firm Baker Tilly.

Moving to the Cloud with Confidence: What to Ask CISOs to Ensure Security

As the pace of innovation pushes business to move faster, companies are increasingly moving more of their information technology (IT) infrastructure into the cloud. Cloud services allow IT departments to scale and leverage specialized software as a service (SaaS) offerings. But what does this mean for security?

In a recent report from Gartner, executives cite cloud computing as a leading concern for risk. The executives surveyed fear data loss and data breach due to unauthorized access or downtime on the part of providers. However, business leaders also find the benefits of the cloud far outweigh any perceived disadvantages, contributing to double-digit year-to-year growth in cloud services, according to Gartner. Indeed, for some companies, a move to the cloud is integral to staying competitive.

Keeping the benefits and challenges of the cloud in mind will help board members best prepare relevant questions for chief information security officers (CISOs). This, in turn, will ensure that your company maintains a strong security posture around cloud services.

Benefits of the Cloud

Economies of scale, specialized expertise around particular solutions, speed to market, and many other benefits have contributed to the cloud’s rapid growth. The benefits include:

  • Flexibility. The cloud offers the ability to scale infrastructure according to need without large capital and operational expenditures. In other words, companies don’t have to buy new servers and maintain them and their environment to increase capacity, or keep them around when they aren’t needed anymore.
  • Affordability. Cloud services provide a low cost of entry for new functions, making it possible for companies to try new processes and business models, running experiments with a smaller upfront investment.
  • Talent. The hardware and security components of the IT stack used by cloud service providers are often maintained by top talent in the industry. For example, Amazon Web Services (on which many providers depend) recruits some of the best talent in the world for its data centers and security operations centers.
  • Speed. This includes both quicker implementation and quicker updates. New functionality gets rolled out through SaaS solutions faster using fewer internal resources. The software update process is also handled by the vendor, requiring little to no effort from the customer.
  • Interoperability. Integrating disparate SaaS solutions is usually simpler than integrating on-premises solutions.
  • Protection. Because cloud services reside in remote locations—and have backups—separate from the companies using them, they help protect data from natural disasters and other local events.

Challenges of the Cloud

Despite the advantages, however, cloud services do come with risks. These spring from services being hosted separately from a customer company’s own IT and security infrastructure. The risk factors include:

  • Shadow IT. The very ease and speed of implementation for cloud services lead to one of the risk factors. Software acquired by groups making their own purchases via credit card runs the risk of bypassing the security team, as do cloud-based apps created by those groups.
  • Black box syndrome. Services using proprietary systems may or may not meet best security standards while remaining opaque to scrutiny by in-house security teams.
  • Outages. Cloud services may also go down, rendering data and important functions unavailable at crucial times with no control over corrective measures.
  • Fragmentation. More systems, applications, and instances mean less expertise for any individual system, thereby increasing management complexity.

Managing the Risks

Companies can mitigate the risks associated with moving to the cloud with the right approach. Ask your CISO: “Are these in place at our company?”

  • Vendor assessments. Are we interviewing cloud vendors to ensure robust security on their end? Are we interviewing a representative sampling of some of their customers to verify past performance?
  • Hybrid cloud-and-premises systems. Cloud services may go down, but local redundancy can help. Do we use hybrid systems that maintain local backups and functionality for critical systems?
  • Checks and balances for the shadow IT. Are we flagging or preventing purchases of cloud services so security staff can evaluate them before trusting important data and functions to them?
  • Regulatory compliance. Are we taking full responsibility for and ensuring compliance with regulations even when using outside systems (for example, through enforceable language in our contracts with vendors)?
  • Trust maintenance. Are we prioritizing our relationships with customers and suppliers rather than letting these relationships suffer at the expense of moving quickly?

Cloud services offer many benefits. As Gartner reports, the cloud “has become a solution for issues that have plagued organizations and overtaxed IT departments for years.” If boards ask their CISOs the right types of questions in the evaluation process, they can consider and mitigate the risks and address any concerns. This will allow their companies to move functions and data to the cloud as securely as possible.


Corey E. Thomas is CEO of Rapid7. Read more of his insights here

Note These Trends When Reviewing Your D&O Liability Insurance

Directors and officers increasingly face personal exposure from litigation risk, regulatory investigations, and shareholder activism, but the right program of directors and officers (D&O) liability insurance can reduce such exposure. Every director should periodically review his or her company’s D&O insurance program to confirm that it provides the broadest scope of coverage available in the always-evolving D&O insurance market.

Standard D&O policies provide a single policy limit that is shared among three types of coverage:

  • Side A, for the directors and officers when they are not indemnified by the company or not otherwise insured;
  • Side B, for reimbursement of the company when it indemnifies directors and officers; and
  • Side C, for certain claims against the company itself. In the public company context, “Side C” coverage for the company is usually limited to “Securities Claims,” while private company D&O insurance covers companies for a broader variety of claims.

D&O insurance should be considered together with the company’s indemnification obligations. Most companies provide indemnification for their directors and officers that is broader than coverage available under D&O insurance, and a company’s indemnification obligation is uncapped. D&O insurance, on the other hand, is subject to exclusions and a policy limit. That said, D&O insurance protects the company’s balance sheet by covering most of the company’s indemnification obligations (under Side B), and D&O insurance is available to protect directors and officers in certain cases when the company is unable to indemnify them.

The D&O insurance market continues to evolve rapidly. The following are some of the latest trends in the industry.

  1. Offsetting costs from shareholder activism. Shareholder activists continue to be active in the market and aggressive in pursuing directors and officers for perceived mismanagement, entrenchment, and/or alleged breaches of fiduciary duties. In the course of an activist campaign or proxy fight, activists frequently make demands of the directors or the company that trigger coverage under D&O insurance. Depending on the nature of the communications with the activist, the entire policy limit may be implicated; in other cases, D&O insurance sublimits are available to defray a portion of the defense costs. Shareholder activism defense counsel can assist directors and companies in considering whether a company’s D&O insurance is available to offset some of the costs of defense, whether during an activist campaign or as part of an activism preparedness exercise.
  2. Expanding coverage for government investigations. Coverage under D&O insurance for government investigations continues to evolve rapidly. Most D&O policies cover directors when they are the targets of such investigations, but policy language should be carefully reviewed each year to ensure the broadest possible coverage for directors. Many D&O policies also provide limited coverage for a “pre-claim inquiry,” when a regulatory body requests an interview of a director in the course of an investigation of the company. It is also increasingly common for D&O policies to provide some amount of investigations coverage for the company itself. This coverage can include, for example, recognition of retroactive erosion of the retention in the event of a later-filed securities lawsuit involving the same matter and/or coverage for the company when directors are simultaneously targeted in an investigation.
  3. Optimizing D&O insurance coverage for bankruptcy risk. Normally, directors and officers have two sources of funds available for the defense of claims against them: (1) indemnification from the company and (2) D&O insurance. If the company is insolvent or bankrupt, however, indemnification from the company has little to no value. Ideally, D&O insurance protects directors and officers and their personal assets from claims brought by company shareholders or creditors. Directors and officers planning for bankruptcy contingencies may consider Side A difference-in-conditions (DIC) coverage because it cannot be rescinded, it offers more flexibility than traditional Side A coverage, and it provides excess and broader protections for company directors.
  4. Negotiating sublimits. Sublimits are policy enhancements that provide retention-free (i.e., first-dollar) coverage for specified events, up to a small percentage of the overall policy limit—usually between $50,000 and $250,000. Policyholder advocates sometimes view sublimits as a way for insurers to carve out items from the coverage provided by the larger policy limit. While this may be true, these sublimits can also provide significant value for companies. For example, we have seen the following sublimits triggered frequently:
    • Derivative Demand Investigation Costs. Upon receiving a derivative demand or suit, the board may commence investigation by a special litigation committee. D&O insurance policies frequently provide sublimits for the costs of these investigations. Recently, excess D&O insurers have agreed to add sublimits to their own policies for these costs, meaning that a second, smaller “tower” of D&O insurance may be available to offset these costs.
    • Books and Records. Historically, D&O insurers of public companies have refused to cover the costs of defending a books and records inspection demand because the demand is not a “Securities Claim.” Recently, D&O insurers have been adding coverage for these costs to their policies. The most common approach is to add the defense costs associated with a books and records demand to the derivative demand investigation costs sublimit described above. When combined with sublimits from excess insurers, these sublimits can be very useful, especially because books and records demands are being litigated more frequently. Other D&O insurers will add coverage for books and records demand defense costs into the larger policy limit if there is a concurrent “Securities Claim” against the company.
    • Crisis coverage. Crisis event sublimits facilitate company responsiveness to high-pressure events. For example, a company’s negative earnings announcement, the loss of a key executive, or the threat of a regulatory investigation are typical triggers of the crisis coverage sublimit.

Understanding your company’s D&O insurance program is critical to managing your own risk profile as well as your company’s risk profile. Every director should periodically review his or her company’s D&O insurance program, ideally with the assistance of an experienced broker and outside counsel.

Sarah Mitchell is of counsel and Mustafa Abdul-Jabbar is an associate at Vinson & Elkins LLP. All thoughts expressed here are their own. 

Civility in the Workplace: Don’t Take it for Granted

With over thirty years of experience in talent development and career transition services, Career Partners International (CPI) has provided clients with the tools to navigate through decades of change in the workplace. Despite the best preparations, new challenges continually emerge for HR and Management teams.

Join us for the CPI Webinar Series on December 11th to discuss civility in the workplace, a topic made newly urgent by the lessons organizations are absorbing from the #MeToo movement. This complex subject continues to be front of mind for employers and employees, changing the dynamics and cultures of many organizations. As an expert in this critical subject, Gary Cormier will present “Workplace Civility on a Continuum” to help professionals begin to address this difficult topic.

Gary Cormier joins us from Harvard University as a Senior Human Resources and Organizational Development Consultant.  This foundational session will explore the business case for workplace civility as well as the implications of incivility. It will help identify uncivil, inappropriate, negative, or bullying behaviors in the workplace and what can be done to mitigate them.  Finally, the session concludes with ways to make civility part of your organization’s overall culture.

The CPI webinar is on December 11th at 11:00 AM EST; all Managers and HR Professionals are welcome to join. Registration is free and open to the entire CPI network. Gary will deliver a thirty-minute presentation with time afterward for Q&A. Registration is now open.

The post Civility in the Workplace: Don’t Take it for Granted appeared first on CPIWorld.

The Secret Ingredient for Powerful Board Assessments

Maybe you talk too much during board meetings. Maybe you don’t talk enough. Maybe you harp on topics your fellow directors are tired of hearing about, or perhaps you only chime in during discussions about your area of expertise and they wish you would contribute more.

But how do you know if no one tells you?

In PwC’s 2018 Annual Corporate Directors Survey, 45 percent of directors said they think at least one of their fellow board members should be replaced. Half of those think two or more colleagues need to go. This is not a new trend. These numbers have hardly changed over the past few years, which tells us that boards are underperforming even as new technologies, disruption, and shareholder activists are demanding they step it up.

The most common criticisms directors have about each other are that they overstep the boundaries of their oversight role or don’t challenge management enough. The directors in our survey also said some members’ interaction styles hurt board dynamics, while others lack essential skills or seem to be slipping because of advanced age.

No matter the issue, much of this discontent could be alleviated if more boards were willing to give each other one thing: constructive feedback. Only 31 percent of the directors in our survey said their board conducts individual director assessments, and there are several reasons why.

The first is tradition. Directors simply haven’t gotten into the habit of giving each other regular feedback. The second is avoidance. Telling someone how well they are (or aren’t) performing isn’t the easiest thing to do. Another factor is that individual assessments aren’t required—just an evaluation of the board’s overall performance. The annual board assessment requirement for NYSE-listed companies doesn’t specify how to do them, which is why so many end up being a check-the-box exercise.

Most of us don’t change without a precipitating event, and many boards lack the impetus to change their culture from one of go-along collegiality to one of transparency and honest feedback. If the chair were to suddenly announce that the board was going to start conducting individual assessments, directors would likely worry that board leadership is trying to clean house. That can create all kinds of apprehension and resentment you don’t want.

But here’s the opportunity: as boards seek to diversify their composition to include more women and people of color, or specific skill sets like digital or cybersecurity, they’ve had to expand their selection criteria beyond retired CEOs and those who sit on multiple boards. As a result, many directors now joining boards don’t have the same level of boardroom experience as their predecessors and often could use help to grow into the role.

Board leaders can use this as a trigger for change. For example, I was recently advising a board that was going through a refreshment and onboarding two directors who had never served on a board. My suggestion was to use that opportunity to change the board culture by starting an individual feedback process that the entire board could participate in.

Directors should also keep in mind that the motivation for the board to institute individual director assessments should be to create a high-performance culture, not a vehicle for pushing people out. For the same reason that companies give employees annual performance reviews, directors need to know what their fellow board members appreciate about them and where they need to improve. An added benefit of this process is that directors who refuse to adjust won’t be as surprised when they are asked to go.

Other factors to consider:

  • Who should conduct the assessment? Assessments can be led by the board chair, the lead director, the nominating and governance committee, or a third-party facilitator. Any of these choices is fine, although I suggest that boards hire a third party to conduct the assessment every few years to provide greater impartiality and an outside view.
  • What methods should we use? Many assessments include a combination of questionnaires, facilitated discussions, and individual interviews. For individual director assessments, I recommend that whoever is leading the assessment gather feedback from each director about the other members and then share that feedback in one-on-one discussions.
  • What do we do now? Assessments are worthless without follow-up. Boards should use the information they’ve gathered about the performance of their committees and individuals to create action plans, then track their progress on addressing the areas of improvement.

The payoff for these efforts, despite the hard work involved, will be a better performing board and, consequently, a higher-performing company. With the right process, honest participation, and appropriate follow-through, directors might even find themselves agreeing with the adage, “Feedback is a gift.”

First SEC ‘Red Flags’ Enforcement Case Spotlights Board’s Role

A recent U.S. Securities and Exchange Commission (SEC) enforcement action punishing a financial firm for its subpar data security practices—the agency’s first-ever use of its “red flags” rule—called out the company’s board of directors for its failure to “administer and oversee” the program.

While corporate boards are charged with the general oversight of business risks, including cyber risks, it’s far from the norm for a data security regulation to draw a straight line to the boardroom. The SEC’s “red flags rule” does just that and places direct responsibility on corporate boards. In an enforcement order against Voya Financial Advisors, the Iowa-based investment advisory arm of Voya Financial, the commission used the rule to censure the firm for allowing intruders to roam freely through its customer information. The intruders were able to access Social Security numbers, account balances, and even details of client investment accounts, according to the commission.

This should set off alarm bells for every financial firm and board of directors under the SEC’s watch. It’s likely that most companies are not in compliance with the rule and, given the agency’s increased focus on cybersecurity, this should be their wake-up call to quickly get such a program in place.

Five years ago, the SEC adopted the rule, formally called the “Identity Theft Red Flags Rule,” which requires investment firms to address identity theft by developing and implementing a written program to “detect, prevent and mitigate” identity theft and fraud, and to define “red flags,” or warning signs, that indicate when someone may be trying to steal customer information or customer identities. The rule also requires that a firm’s board of directors or senior leadership administer the program. But until recently, the SEC had not enforced the rule.

The SEC’s order suggests that Voya’s conduct was egregious enough to explain the agency’s decision to finally make use of its “red flags” rule. During a six-day window in 2016, cybercriminals impersonated Voya’s independent investment representatives—the largest segment of the firm’s work force—by calling the Voya help line and asking that their passwords be reset. Even though some of the telephone numbers used by the callers were already flagged in Voya’s system as being associated with fraud, the callers still made it past security and convinced Voya’s help line to reset the passwords and read the new passwords out over the phone, according to the SEC.

The intruders used the new passwords to gain access to the personal information of 5,600 customers, the SEC alleged, and then used the customer information to create new online customer profiles and identities and to pore through thousands of account records.

Without so much as triggering a fraud alert, hackers were able to change a legitimate customer’s phone number and address of record, which meant account statements and confirmations would be re-routed from legitimate customers to the hackers. In several instances, the SEC said, hackers used a “@yopmail.com” address, a disposable email service that lets users create an email address, review incoming emails, and then destroy everything.
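The attack chain the SEC describes has two observable steps that a fraud program is supposed to catch: a credential reset requested from a telephone number already associated with fraud, and a subsequent change of a customer’s contact details (including to a disposable email domain). The following detection logic is an added illustration written for this page; it is not Voya’s code, not part of the SEC order, and runs over constructed help-desk and profile-change records. The fraud-number list, disposable-domain list, event fields, and 72-hour correlation window are all assumptions chosen for the example.

```python
"""Correlate help-line password resets with later customer contact changes.

Added example for this page; the data below is constructed and the field names
and lists are hypothetical, not drawn from Voya's systems or the SEC order.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Hypothetical reference data. A real program would load these from the firm's
# fraud-case system and a maintained list of disposable-email providers.
KNOWN_FRAUD_NUMBERS = {"+15550100001", "+15550100002"}
DISPOSABLE_DOMAINS = {"yopmail.com", "mailinator.com", "guerrillamail.com"}

@dataclass(frozen=True)
class ResetRequest:
    ts: datetime
    rep_id: str          # representative whose password the caller asked to reset
    caller_number: str   # caller ID captured by the help line
    granted: bool        # did the help line perform the reset?

@dataclass(frozen=True)
class ProfileChange:
    ts: datetime
    rep_id: str          # representative login that made the change
    customer_id: str
    field: str           # "email", "phone" or "address"
    new_value: str

@dataclass(frozen=True)
class Alert:
    severity: str
    rule: str
    subject: str
    detail: str

def email_domain(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()

def detect(resets: List[ResetRequest], changes: List[ProfileChange],
           window: timedelta = timedelta(hours=72)) -> List[Alert]:
    alerts: List[Alert] = []
    # rep_id -> earliest time its password was reset at the request of a flagged number
    suspicious_reps: Dict[str, datetime] = {}

    for r in resets:
        if r.caller_number in KNOWN_FRAUD_NUMBERS:
            # A granted reset is the failure mode in the SEC order; a denied one is
            # still worth knowing about because the same number may try again.
            alerts.append(Alert("high" if r.granted else "medium",
                                "reset_from_flagged_number", r.rep_id,
                                f"caller {r.caller_number} is on the fraud list; "
                                f"granted={r.granted}"))
            if r.granted:
                suspicious_reps[r.rep_id] = min(r.ts, suspicious_reps.get(r.rep_id, r.ts))

    for c in changes:
        if c.field == "email" and email_domain(c.new_value) in DISPOSABLE_DOMAINS:
            alerts.append(Alert("high", "disposable_email_on_record", c.customer_id,
                                f"new email domain {email_domain(c.new_value)} is disposable"))
        t0 = suspicious_reps.get(c.rep_id)
        # Contact changes made by a freshly reset login re-route statements to the
        # attacker; correlate them within the window after the suspicious reset.
        if t0 is not None and t0 <= c.ts <= t0 + window:
            alerts.append(Alert("critical", "contact_change_after_suspicious_reset",
                                c.customer_id,
                                f"{c.field} changed by {c.rep_id} "
                                f"{(c.ts - t0).total_seconds() / 3600:.1f}h after reset"))
    return alerts

def run_sample() -> List[Alert]:
    """Run the rules over constructed events modelled on the described pattern."""
    base = datetime(2016, 4, 11, 9, 0)
    resets = [
        ResetRequest(base, "R-1001", "+15550100001", True),    # flagged number, reset granted
        ResetRequest(base + timedelta(hours=1), "R-1002", "+15550100002", False),  # flagged, denied
        ResetRequest(base + timedelta(hours=2), "R-2000", "+15550199999", True),   # clean number
    ]
    changes = [
        ProfileChange(base + timedelta(days=1), "R-1001", "C-1", "email", "acct.holder@yopmail.com"),
        ProfileChange(base + timedelta(days=1, minutes=5), "R-1001", "C-2", "address", "PO Box 42, Anytown"),
        ProfileChange(base + timedelta(days=2), "R-2000", "C-3", "email", "j.doe@example.com"),
        ProfileChange(base + timedelta(days=10), "R-1001", "C-4", "phone", "+15550105555"),  # outside window
    ]
    return detect(resets, changes)

if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.severity}] {a.rule} {a.subject}: {a.detail}")
```

The point of the correlation step is that neither signal alone is conclusive: a flagged caller may be denied, and a customer may legitimately change an address. A reset that was granted to a flagged caller followed by contact-detail changes from that same login is the combination the firm’s program should have escalated, which is why it is rated above the individual signals.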

Voya had an identity theft program in place since 2009 but the program was not updated, nor was it approved by the firm’s board of directors or senior leaders, as is required. Instead, the program languished, was ignored by Voya’s security team and fell far below the requirements of the regulation.

Although Voya did not admit or deny liability in the SEC settlement, the commission deemed the firm’s violation of the red flags rule as “willful.”

“VFA’s [Voya Financial Advisors] board of directors or a designated member of VFA’s management did not administer and oversee the Identity Theft Prevention Program, as required by the Identity Theft Red Flags Rule,” concluded the SEC.

In the settlement, the SEC ordered that Voya clean up a laundry list of data security issues and also mandated that it engage a consultant to monitor its compliance with the red flags rule. This is also a first time the SEC has ordered use of an independent monitor to police compliance with the red flags rule.

Yet it’s likely that few firms and even fewer boards are aware of the rule. Many firms and their leaders are familiar with the SEC’s general data security rule and its guidance to public companies about disclosing cybersecurity risks and data breaches, but the red flags rule—for all its timeliness and importance—has flown under the proverbial radar screen.

Over the past few years, the SEC has made scrutiny of companies’ cybersecurity practices a priority. Earlier this year, the agency updated guidance to public companies, telling them to beef up cybersecurity risk factors and data breach disclosures. And in April, the SEC pursued its first-ever cybersecurity enforcement action over the massive Yahoo! data breach after it was learned that the company sat on news for more than two years that hackers had made off with the personal information of more than 500 million users. Altaba, the company that has since purchased Yahoo, was fined $35 million for the tardy disclosure.

With the SEC toughening its stance on data security issues, corporate leaders and board members should treat the Voya case as an object lesson and ensure that their identity theft programs are up-to-date and align with the particular cybersecurity risks that face their organization. Although Voya was only hit with a symbolic $1 million fine, it’s doubtful that the SEC will be as forgiving in the future.

 

Craig A. Newman is a partner with Patterson Belknap Webb & Tyler LLP, the New York law firm, and chair of its Privacy and Data Security Practice. All thoughts are his own. 

First SEC “Red Flags” Enforcement Case Spotlights Board’s Role

A recent U.S. Securities and Exchange Commission (SEC) enforcement action punishing a financial firm for its subpar data security practices—the agency’s first-ever use of its “red flags” rule—called out the company’s board of directors for its failure to “administer and oversee” the program.

While corporate boards are charged with the general oversight of business risks including cyber risks, it’s far from the norm for a data security regulation to draw a straight line to the boardroom. The SEC’s “red flags rule” does just that and places direct responsibility on corporate boards. In an enforcement order against Voya Financial Advisors, the Iowa-based investment advisory arm of Voya Financial, the commission used the rule to censure the asset management firm for allowing hackers to roam freely through its customer information. The hackers were able to access social security numbers, account balances, and even details of client investment accounts, according to the commission.

This should set off alarm bells for every financial firm and board of directors under the SEC’s watch. It’s likely that most companies are not in compliance with the rule and, given the agency’s increased focus on cybersecurity, this should be their wake-up call to quickly get such a program in place.

Five years ago, the SEC adopted the rule, formally called the “Identity Theft Red Flags Rule,” which requires investment firms to pay attention to identity theft by developing and implementing a written program to “detect, prevent and mitigate” identity theft and fraud, and to provide “red flags” or other warning signs when hackers might be trying to steal customer information or customer identities. The rule also requires that a firm’s board of directors or senior leadership administer the program. But until recently, the SEC did not enforce the rule.

The SEC’s charge against Voya implies that the company’s conduct was so egregious that it might explain the agency’s decision to finally make use of its “red flags” rule. During a six-day window in 2016, cybercriminals impersonated Voya’s independent investment representatives—the largest segment of the firm’s work force—by calling the Voya help line and asking that their passwords be reset. Even though some of the telephone numbers used by the hackers were already flagged in Voya’s system as being associated with fraud, the callers still made it past security and were able to convince Voya’s help line to reset their passwords and provide new passwords over the phone, according to the SEC.

The intruders used the new passwords to gain access to the personal information of 5,600 customers, the SEC alleged, and then used the customer information to create new online customer profiles and identities and to pore through thousands of account records.

Without so much as triggering a fraud alert, hackers were able to change a legitimate customer’s phone number and address of record, which meant account statements and confirmations would be re-routed from legitimate customers to the hackers. In several instances, the SEC said, hackers used a “@yopmail.com” address, a disposable email service that lets users create an email address, review incoming emails, and then destroy everything.
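The warning signs in the Voya narrative (a caller number already tagged for fraud, a new password read out over the phone, contact details moved to a disposable mailbox, and one caller resetting several representatives’ accounts) can be turned into concrete help-desk checks. The following is an added illustration written for this page, not Voya’s system or anything from the SEC order; the request fields, the flagged-number list and the sample requests are constructed assumptions.

```python
"""Red-flag checks for help-desk password-reset requests (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample data: numbers a prior fraud report has already flagged, and
# domains of disposable mailbox services (yopmail.com is the one named above).
FRAUD_FLAGGED_NUMBERS = {"+15550100"}
DISPOSABLE_DOMAINS = {"yopmail.com"}


@dataclass
class ResetRequest:
    """One help-desk password reset request. Field names are assumptions."""
    rep_id: str                     # representative account being reset
    caller_number: str              # number the request was placed from
    password_read_over_phone: bool  # help desk spoke the new password aloud
    contact_changes: dict = field(default_factory=dict)  # e.g. {"email": "..."}


def request_red_flags(req: ResetRequest) -> list[str]:
    """Per-request red flags mirroring the warning signs described in the order."""
    flags = []
    if req.caller_number in FRAUD_FLAGGED_NUMBERS:
        flags.append("caller number previously associated with fraud")
    if req.password_read_over_phone:
        flags.append("new password disclosed verbally to caller")
    email = req.contact_changes.get("email", "")
    domain = email.rsplit("@", 1)[-1].lower() if "@" in email else ""
    if domain in DISPOSABLE_DOMAINS:
        flags.append(f"contact email moved to disposable domain {domain}")
    if {"phone", "address"} & req.contact_changes.keys():
        flags.append("phone/address of record changed with the reset")
    return flags


def triage(requests: list[ResetRequest]) -> dict[str, list[str]]:
    """Map rep_id -> red flags across a batch; unflagged requests are omitted.

    The batch-level check catches the pattern of one caller number being used
    to reset the passwords of several different representatives.
    """
    reps_by_caller = defaultdict(set)
    for r in requests:
        reps_by_caller[r.caller_number].add(r.rep_id)
    result = {}
    for r in requests:
        flags = request_red_flags(r)
        if len(reps_by_caller[r.caller_number]) > 1:
            flags.append("same caller number used to reset multiple representatives")
        if flags:
            result[r.rep_id] = flags
    return result


# Constructed sample batch: two suspicious resets from one flagged number, one normal reset.
SAMPLE_REQUESTS = [
    ResetRequest("rep-001", "+15550100", True, {"email": "r1@yopmail.com"}),
    ResetRequest("rep-002", "+15550100", True, {"phone": "+15550177"}),
    ResetRequest("rep-003", "+15550142", False),
]

if __name__ == "__main__":
    for rep, flags in triage(SAMPLE_REQUESTS).items():
        print(rep, "->", "; ".join(flags))
```

Any request that returns a non-empty flag list is one the help desk should hold for a second verification step rather than complete on the call.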

Voya had an identity theft program in place since 2009 but the program was not updated, nor was it approved by the firm’s board of directors or senior leaders, as is required. Instead, the program languished, was ignored by Voya’s security team and fell far below the requirements of the regulation.

Although Voya did not admit or deny liability in the SEC settlement, the commission deemed the firm’s violation of the red flags rule as “willful.”

“VFA’s [Voya Financial Advisors] board of directors or a designated member of VFA’s management did not administer and oversee the Identity Theft Prevention Program, as required by the Identity Theft Red Flags Rule,” concluded the SEC.

In the settlement, the SEC ordered that Voya clean up a laundry list of data security issues and also mandated that it engage a consultant to monitor its compliance with the red flags rule. This is also the first time the SEC has ordered use of an independent monitor to police compliance with the red flags rule.

Yet it’s likely that few firms and even fewer boards are aware of the rule. Many firms and their leaders are familiar with the SEC’s general data security rule and its guidance to public companies about disclosing cybersecurity risks and data breaches, but the red flags rule—for all its timeliness and importance—has flown under the proverbial radar screen.

Over the past few years, the SEC has made scrutiny of companies’ cybersecurity practices a priority. Earlier this year, the agency updated guidance to public companies, telling them to beef up cybersecurity risk factors and data breach disclosures. And in April, the SEC pursued its first-ever cybersecurity enforcement action over the massive Yahoo! data breach after it was learned that the company sat on news for more than two years that hackers had made off with the personal information of more than 500 million users. Altaba, the company that has since purchased Yahoo, was fined $35 million for the tardy disclosure.

With the SEC toughening its stance on data security issues, corporate leaders and board members should treat the Voya case as an object lesson and ensure that their identity theft programs are up-to-date and align with the particular cybersecurity risks that face their organization. Although Voya was only hit with a symbolic $1 million fine, it’s doubtful that the SEC will be as forgiving in the future.


Craig A. Newman is a partner with Patterson Belknap Webb & Tyler LLP, the New York law firm, and chair of its Privacy and Data Security Practice. All thoughts are his own.

The Board’s Role in Cyber-Risk Oversight: Advice from Leading Directors

In today’s evolving threat landscape, corporate directors are increasingly asking for security performance updates from chief information (and information security) officers, chief risk officers, and other executives.

At BitSight’s inaugural EXCHANGE forum last month, a panel of directors and executives from top global companies discussed the importance of board involvement in mitigating cyber risk.

The panel was moderated by Suraj Srinivasan (professor, Harvard Business School). The panelists included Ed Brandman (chief information officer, KKR & Co.), Andy Brown (board of Zscaler and Guidewire), Bijoy Sagar (chief digital and technology officer, Stryker) and Shelley Leibowitz (board of AllianceBernstein and E*TRADE).

Panelists Ed Brandman, Andy Brown, Bijoy Sagar, Shelley Leibowitz, and Suraj Srinivasan discuss the board’s role in cybersecurity at BitSight’s inaugural EXCHANGE forum on October 10, 2018.

Here are some of the key takeaways from the discussion.

1) When it comes to cybersecurity, board members need to completely understand the spectrum of risk for both their organization and industry.

It’s important for directors to understand the landscape around their company: its value and possible threats to that value, as well as company decisions, their residual risk, and the risk-mitigation techniques being employed. Understanding both qualitative and quantitative data allows organizations to look backward and forward; the audit committee should focus specifically on looking backward while the risk oversight committee focuses on what may happen. This helps create a comprehensive picture of risk both within and outside the organization. Companies, especially those in cybersecurity, must think about risks that may not seem obvious. As one executive said, “Think about the risks you may not be thinking about and expect the unexpected.”

2) While some boards have a cybersecurity expert, most do not. Instead, the risk oversight committee should fulfill this role and facilitate discussions that provide the appropriate context around cyber risk.

The shortage of security professionals among board members emphasizes the need for collective responsibility around cybersecurity and cyber risk. While most boards do not have a designated cybersecurity expert, an increasing number are assigning this responsibility to the risk oversight committee. According to another executive, risk committees should be accountable for several cybersecurity-related areas: governance, policy, testing, transparency, and resource allocation.

All executives agreed it’s critical for boards to get—and understand—the qualitative and quantitative information needed to make informed decisions about cyber risk, particularly when it comes to transparency. Security ratings are one tool many of these boards are using as an external, objective measurement of their company’s security posture—recognizing that internal measurements only go so far because of their natural biases. This is also significant when chief information (and information security) officers are reporting to board members and can use security ratings to track security performance and trends over time.

3) The cybersecurity information presented in board meetings must align with business objectives and areas of responsibility.

Another executive emphasized the most important thing for him is aligning his roles and responsibilities with the board. He looks at cybersecurity reporting in terms of conveying applicable information about the threat landscape, sharing insights into trends, and articulating the strategy (particularly the public relations strategy) around all efforts.

Another executive said his board has a cybersecurity expert but his relationship with the board as chief information officer is unique; he views his primary role as disclosing a strategy around how to keep the business safe and the areas his team is most focused on. He lays out the roadmap for the board and outlines how it can help in resourcing, financial commitment, and prioritization within a business context. He acknowledges that every company is going to think about cyber risk in a different way but that his job is to help educate the board on how it constructs its risk management model and strategy, as well as how it responds to risk.

While every company thinks about risk management in a unique way, executives need to convey critical information to the board of directors in a consumable way. One component can be a reporting metric like a security rating, but ultimately the goal should be to convey the company’s positioning and strategy to address cyber risk in a proactive, efficient manner.


To learn more about how to keep up with your company’s risk metrics, visit BitSight’s Cyber Risk Monitor report.

From Cars to Cornflakes, LIBOR’s Departure Will Ripple Through Corporate America

The phrase “LIBOR transition” doesn’t elicit more than a yawn from most corporate treasurers.

But how about this: “the terms on your debt maturing after 2021 are going to change, whether you like it or not.”

That is precisely the scenario in view as regulators phase out the London Interbank Offered Rate, or LIBOR, by the end of 2021.

Known as the “world’s most important number,” LIBOR has more than $240 trillion linked to its daily fluctuations according to Oliver Wyman estimates. LIBOR is tied to all sorts of financial products; you may have a mortgage, student or auto loan tied to it, and your company probably borrows based on it. In other words, it drives your corporate interest expense.

Board directors need to ensure management starts thinking through the transition now. The good news is that companies still have time to get ready. The bad news? The transition will require a fundamental repricing of debt and might have a large market impact.

The largest banks are already preparing, pushed ahead by regulators on both sides of the Atlantic. UK regulators in September sent classically understated “Dear CEO” letters to the largest financial institutions in Britain, politely demanding they develop and submit by December a board-approved plan for LIBOR transition. Regional and community banks, meanwhile, are just starting their efforts.

Beyond banks, the transition affects almost all large corporations, given that trillions of dollars of debt or hedges of debt is tied to LIBOR. Yet in our conversations with treasurers, financial officers, and yes, board members of non-financial companies, we have come across few who recognize the looming issue—or are even aware of it.

Consider this an early warning.

Buried in Fine Print

Corporate loan and debt agreements generally contain language that defines what happens if LIBOR is unavailable – but that language is designed for a short-term contingency like a systems outage, not permanent cessation. Typical terms vary, ranging from “use the last rate,” meaning that your floating debt is now fixed, to “use prime,” meaning that your rate is now very different.

There are no criteria for what constitutes a LIBOR discontinuance, leaving companies exposed to language buried in contracts. Firms might be entitled to something better, or something worse. Does management know, or are they depending on the financial system to offer a reworked deal? That isn’t always possible; perhaps a bank will renegotiate, but bondholders might be unwilling to give back an unexpected gain.

Companies are likely to feel a financial impact not only from the changing terms of the debt itself but also from changes rippling through hedges and derivatives linked to debt. That’s because almost all these changes break the “hedge accounting” that firms use on their balance sheet, potentially increasing balance sheet volatility.

What Will Replace LIBOR?

In the end, transactions in the market won’t be defined by the regulators who are taking LIBOR off the table. Regulators indicate the transition is “market led,” so it is up to the banks and customers to define a path forward. That’s why corporations need to focus: This is a fundamental repricing of the more than 100 financial products tied to LIBOR, and the market impact is still murky.

While the regulators have not defined how economic changes will work, they have created potential replacement rates. Each of the five existing LIBOR rates will be replaced by a country- or region-specific rate. For example, the Federal Reserve has created the Secured Overnight Financing Rate, or SOFR, and the UK Working Group recommended the Sterling Overnight Interbank Average rate, or SONIA. These are structurally very close to true “risk free” rates and therefore act differently than LIBOR. They should average lower than LIBOR, because LIBOR contains features that are good for the banking system. For example, LIBOR will increase during a bank crisis like we had in 2008—and this is not in the new rates. Look for the industry to seek to replicate these features in new non-LIBOR products, which are still under development, and to seek to sell them to corporate borrowers.

All of this points to a mountain of work for corporations and their finance teams. They must inventory existing LIBOR-based obligations, determine exposures past the likely end of LIBOR in 2021, work down those exposures if possible, and get ready for a slew of new products to be evaluated.

What To Do: A Checklist for Boards

How can boards monitor this? In short, by following the script already laid out for banks by the UK regulators in September.

First, they should ensure there is leadership accountable for managing the transition. This might well be the chief financial officer or corporate treasurer, but it will vary depending on the company’s business model. And since this is a global problem, it needs to be considered and managed globally.

That leader (and team) should start by identifying exposures. There is no easy way to do this other than to go through the financials, document those items that are based on LIBOR, and project what will change when LIBOR goes away.

Once the exposures are understood, leaders should consider the big picture and report to the board about its implications. Companies and their bankers have a relationship that needs to survive what in the end is a technical hitch. What should be the response when a bank calls to refinance or renegotiate?

Next, board members should advise that their companies need to consider the details and build a work plan. LIBOR likely is present in more places than is obvious. For instance, systems will need to be updated. Some of these will be vendor systems, and companies need to show that they are on top of these vendors. That’s the end of the UK regulatory request—a board-approved plan. Boards should be pushing for a similar outcome unless their LIBOR exposures are negligible.

Finally, if you are a board member, you should insist your company isn’t the last to change. As LIBOR fades away it will likely get stale and products based on it could become illiquid. If your company is late to the table, it could prove costly.

For more information on how to prepare for the transition, please see Oliver Wyman’s LIBOR hub.

Paul Cantwell is a Partner in Oliver Wyman’s Finance & Risk and Public Policy Practices in the Americas. Adam Schneider is a Partner in Oliver Wyman’s Digital and Banking Practices in the Americas. Ming Min Lee is a Principal in Oliver Wyman’s Corporate and Institutional Banking practice.