Overseeing the Intersection of Digital Transformation and Cybersecurity

We’ve all heard the buzzword “digital,” and I am often asked
questions about how to analyze and oversee the risks of enterprise-wide digital
transformation. Though it may be a nuisance to the person asking, my first answer
tends to be a question.

What do you believe it means for your enterprise to become
digital?

Only once your company answers that question can the
challenges and risks associated with a well-managed transformation be weighed.
Invariably, the answers to this question are unique and divergent. The answers
also, by necessity, should include insights into these added threads:

  • How do we manage digital transformation risks
    without taking our focus off cybersecurity?
  • What is the role that cybersecurity plays during
    digital transformation?

Cybersecurity and digital transformation are two areas that
are rife with risk, and are shaping challenges around enterprise risk
management (ERM) that are both divergent and orthogonal.

In order to reengineer the enterprise for digital
excellence, cybersecurity risks must be considered hand-in-hand with the risks
inherent in disparate digital infrastructures. Our consumers and stakeholders
expect mobility, with just-in-time, just-in-context service. They also expect
the digital experience to be available wherever in the world they happen to be,
while at the same time responding immediately to changes in consumer behavior.

No pressure, right?

Digital transformation is critical to most enterprises, but
how can the board successfully oversee the management of these new risks?
First, the board should consider the operational changes that come with digital
transformation.

Defining Enterprise-Wide Digital Transformation

To achieve the new digital paradigm, enterprises embrace new
technology models to deliver a digital experience for end consumers. These
models often require vast adjustments to the organization, business, and
technology operating models to be successful.

Consider this example. To meet consumer demands for digital
experiences, enterprises are embracing cloud services as a platform to
accelerate delivery of a product or service. This means that there is no physical
data center lurking in a corner of your corporate headquarters where your
technology operations team goes to provision, configure, and adjust wiring and
floor space. There are no blinky-lighted servers on site that developers and
the business historically have monitored.

What does this change bring?

  • Operating model change.
  • Technology model change.
  • New risks.

Continuing with the example, infrastructure-as-a-service
capabilities like the ones offered by Amazon Web Services (AWS), Microsoft
Azure, and Google Cloud Platform provide enterprises a “virtual data center,” an
environment where developers can begin to create code for a new product
immediately. This increases the speed to launching a new digital service.

What happens next? Everything changes again. The company
would now need a development operations (DevOps) team with combined software
development and information technology operations skills to shorten the systems
development life cycle (SDLC)—all while delivering features, fixes, and updates
frequently in close alignment with business objectives.

Where is the segregation of duties? Where is the old SDLC
waterfall process of requirements (design, build, test, then deploy software)
all run by separate teams with a set of controls that source documented
evidence?

Oh yeah, we don’t do that anymore as a digital organization.

Once an organization begins the process of digital
transformation, the technology operating and control models change, business
objectives have to adjust to consumers’ digital demands, and the roles and
talent requirements needed to function absolutely evolve.

We’ve seen too often that enterprises that rely on digital channels can be interrupted and burdened by cybersecurity missteps. Without an imperative to transform cybersecurity prior to operating the enterprise in a new digital format, disasters are bound to happen. As reported by Bloomberg, one example of the many things that can go wrong with the shift to digital operations was the breach at Uber Technologies. The company was utilizing a private GitHub repository—a cloud-based development resource—for its code. A careless developer left logon credentials of users open to bad actors, allowing them to access Uber users’ data on AWS.

While this is a fairly simple illustration of the disconnect
between digital transformation and cybersecurity practices, your cybersecurity
program and controls need to evolve to a new method of operating digitally and
provide an appropriate set of controls that enable strong risk management.

Don’t allow your management team to make the mistake of
accelerating digital transformation without first analyzing the readiness of
your company’s cybersecurity program to manage these new digital operating
models and domains.

Sequencing Digital Change With Digital Cybersecurity

Cybersecurity risks and challenges are omnipresent, and the
risk and threat landscape continue to evolve at the pace of our digital
environments. Making the move to embrace digital operations only expands your company’s
attack surface.

While your company once was operating out of a data center
with its own server hardware, the move to the cloud means that the company’s
data operations may now be functioning in “rented,” multi-platform environments
such as native cloud, software as a service (such as Salesforce Cloud), or
outsourced, provider-managed environments.

One essential question that directors can ask the technology
and security leaders of their companies is, “Have we built new cybersecurity
capabilities to secure our increasing attack surface and the new digital
environments and channels?”

The answer in many cases is that your cybersecurity program has
not transformed digitally and could be unprepared for a new digital paradigm.

The previously effective cybersecurity program you had in
place was not purpose-built to enable a digital transformation. It was instead
built for a world of data-center centricity and simple service offerings
managed from a web application storefront—all solutions that are protected by
on-premise firewalls, endpoint security, denial of service security, content
filtering solutions, and a host of other appliances managed in the company’s data
center.

Therefore, it’s important to consider a risk assessment to
determine the readiness of the company’s cybersecurity program to secure its new
digital domains and environments—on premise and off.

The companies that build a digitally-transformed enterprise
that places the cybersecurity program first, will see greater success in
enterprise digital transformation. They are able to demonstrate to the market
that they are operating with a well-managed risk posture, and are able to move
faster to achieve safe, sound digital success.

Overseeing How the Risk Is Managed: A Way Forward

Every enterprise believes that they have a winning strategy
to thrive within the new digital market, but the hard truth is that they will
not all be winners. Those that win will have a digitally enabled cybersecurity
threat and risk management platform operating in harmony with their digital
business strategy.

The risks of digital transformation and cybersecurity are
clearly shaped by getting the sequence of digital strategies right while
managing the risks during this transition. As board members, it’s our
imperative to ask whether the enterprise is digitally ready for
cybersecurity and whether cybersecurity has been purpose-built for digital environments.

Here are my suggestions for questions to ask your
management team to determine if the cyber- and enterprise-wide risks of digital
transformation are being properly conceived of and managed:

  1. How are we defining digital transformation for our
    enterprise with regard to the business and technology operating models?
  2. What are the cultural impacts on the personnel
    and teams affected by digital transformation? How are we considering the
    organizational risks as we require new talent and roles to operate digitally
    and manage risk during the transition to digital operations?
  3. Have we performed a risk assessment to determine
    the impact of the changes to the business, technology, and cybersecurity
    operations required to become digital? How is our attack surface expanding with
    the movement to digital operations and how are we managing the risk?
  4. How are we sequencing required changes to
    digital operating models for cybersecurity, technology, and the business?
  5. How are we measuring the effectiveness of our
    cybersecurity program with the transformation to digital? Are we making the
    right investments in cybersecurity to manage digital cyber risk?

Like the nuisance question at the beginning of this
statement, getting the right answers will be the key to sound oversight of a
successful digital transformation program at your company.

Tony Spinelli is CEO and
founder of S7 Advisors LLC, and is a board member of Blue Cross Blue Shield
Association, director of Peapack Gladstone Financial Corp., and board member of
Per Scholas. He previously served as chief information security officer at
Capital One Financial Corp. and has served on the board of advisors for several
organizations, including the National Security Agency, Cisco, Coalfire, and
IBM.

4 Steps to Harness 360-Feedback’s Possibilities

Effective leaders develop themselves and their team members. Since the 1990s, many leaders have leveraged the development possibilities from 360-feedback surveys, or multi-rater feedback. Like all development tools, 360-feedback surveys have their pros and cons.

A quick scan online yields articles warning readers of the “Horrible Truth of 360-Feedback Assessments” and “The Fatal Flaw with 360-Surveys.” 360-feedback surveys can promote disagreement, dissension, and discord—when implemented improperly. However, when used as a developmental tool, rather than an evaluative appraisal, 360-feedback affords individuals greater self-awareness, opportunities for deeper alignment with company goals, and insights for clear paths to professional success.

Like all employees, leaders have their own blind spots. In order to successfully manage themselves and their teams, it is key to acknowledge these blind spots exist and work to minimize their effects. Leaders who develop this awareness position themselves for success by knowing what competencies they possess, how those relate to the success of the company, and how others around them—peers, direct reports, customers, etc.—perceive their day-to-day effectiveness.

360-Feedback’s Possibilities & Pitfalls

360-feedback provides leaders and team members with key data points taking them beyond their own hunches or assumptions about themselves. They can gain critical insights from how others validate their strengths and pinpoint their weaknesses. It informs, or alerts, recipients to traits and tendencies concealed from their view but ripe for refinement. 360-feedback helps recipients address what strengths and competencies they offer, how those strengths are perceived by others, and how closely linked one’s strengths are with the goals of the company.

Because of its anonymous multi-rater process, 360-surveys add a unique richness to an individual’s development opportunities by lessening the intrusion of reviewer bias. 360’s anonymity empowers raters to offer unguarded feedback because they are given a voice and permission to use it. This anonymity, though, can enable ineffective responses if respondents aren’t aware of the survey’s goals and expectations. Without coaching and the necessary time to complete the surveys, respondents can offer points of grievance without context or examples, expressing aimless criticisms of a leader.

Additionally, leaders who force 360-feedback surveys into the rhythms of their companies will find it difficult to connect the dots between company goals and how 360-feedback can help recipients contribute to those goals. Not all 360 tools are created equal, and if leaders don’t take the time to shape a 360 to the core competencies of a certain role and the overall values of a company, they’ll encounter more dilemmas than developmental opportunities.

So how can leaders effectively implement 360-feedback as part of their companies’ goals for development and success? Here are four steps to harness the possibilities—and avoid the pitfalls—of 360-feedback.

  1. Align to Desired Behaviors: Before a leader receives a 360-feedback review or has a team member reviewed, it’s important to evaluate empirical research addressing the skills, abilities, and competencies necessary for certain roles to help a company thrive. It’s also important to consider which 360 tool is appropriate to drive desired outcomes. This combination will help leaders connect the dots between what development opportunities and strengths a 360-review reveals and what direction of development will help an individual efficiently contribute to the company’s success.
  2. Use as a Developmental Coaching Tool: Problems arise when 360-feedback is used as an evaluative instrument of performance rather than as a development tool for coaching. When 360-feedback is used to grade performance, it becomes tied to decision making that involves possible promotions, raises, etc. In this capacity, 360-feedback can be inappropriately viewed as a final assessment. Instead, leaders need to understand—and help others understand—it’s a data point on the development journey. A skilled coach can deliver the results of 360-feedback to help leaders grow in awareness of their strengths, define steps for moving forward, and clarify what accountability and feedback loops look like.
  3. View It as a Component: Leaders who use only 360-feedback reviews to assess themselves and others are akin to conductors who direct only one musician; they’ll hear wonderful notes and chords, but multiple instruments are required to hear the entire song. 360-feedback reviews should be used in concert with other tools to provide a fuller, clearer picture of behavioral strengths and development opportunities. This provides leaders with a better baseline to create a more nuanced plan for learning, practice, progress, and success.
  4. Clearly Communicate Expectations: Ensuring facilitators and those surveyed are trained to offer helpful reviews is the backbone of a successful 360-feedback discussion. Clear expectations provide a leader with the opportunity to embrace a wider company vision for a culture of development, help illuminate strengths, and highlight opportunities to grow expected competencies. This also helps prepare recipients to digest and reflect on feedback to develop a plan for professional development.

Leaders who hastily implement 360-surveys without a developmental mindset and effective coaching will likely encounter challenges. But when 360-surveys are used as a development opportunity to cultivate greater alignment between strengths and the competencies required to succeed, they bolster self-awareness and create effective development plans to move leaders—and their teams—toward success.

Written by Promark, a Career Partners International Firm proudly serving Greater Cincinnati clients locally and delivering globally for over 50 years.

The post 4 Steps to Harness 360-Feedback’s Possibilities appeared first on CPIWorld.

Newmont Mining Shares How It Improved Board Diversity

As the
deadline approaches for submissions to the second annual NACD NXT awards, produced
in conjunction with Deloitte, the March/April issue of NACD Directorship magazine features a cover story on why the board
of the global gold and copper miner was chosen as the large-cap company winner
for diversity and inclusion.

Newmont’s
15-year journey to achieve greater diversity and inclusion on what was once an
all-male board features interviews with Newmont Chair Noreen Doyle, who also
chairs the corporate governance and nominating committee; independent director
Veronica (Ronee) Hagen, who chairs the leadership development and compensation
committee; and director of global inclusion and diversity, Beatrice
Opoku-Asare.

The story
of the board’s evolution to its current composition is intended to provide to
other boards a prime example of how to practice inclusion—and commit to continuing
that practice. At the time the story was reported, Newmont’s 12-member board
was 58 percent female and ethnically diverse; five of the 12 directors live
outside of the United States where Newmont is headquartered. Setting targets
(not quotas) is part of Newmont’s story.

Newmont was chosen from a group of large-cap
company boards comprised of nominees Archer Daniels Midland Co., Estee Lauder
Cos., Eversource Energy, HP Inc., Prudential, Target Corp., and Union Pacific
Corp. Newmont board directors accepted their award at the first NACD NXT gala
hosted by author and Bloomberg TV anchor Emily Chang before the opening of the
2018 NACD Global Board Leaders’ Summit in Washington, D.C.

The 2019 gala is scheduled for September 23 in Washington, D.C., and will fall amid the 2019 NACD Global Board Leaders’ Summit. This year there are two added categories. In addition to large-, mid-, and small-cap public company boards, NACD NXT will recognize two private companies, one large and one small, and a nonprofit.

In all, six awards will be given. Nominees in
each category will be jointly announced by NACD and Deloitte in June and
winners in each category, selected by an esteemed judging panel, will be
revealed at the gala.

An excerpt of the story from the March/April
issue follows.

The leadership at the top of Newmont’s house has been integral to the continued diversification from the board throughout the company, which has been reinforced by a board-approved people policy. It reads, in part: “At Newmont, we value diversity and promote an inclusive work environment. We are on a journey to becoming an industry leader in global inclusion and diversity. We welcome employees from a wide range of cultures and races. We seek to maximize local employment and to increase diversity in our workforce to better reflect the communities where we operate. We desire a work environment where all employees feel valued and are encouraged to contribute to their fullest potential.”

One of those employees is Beatrice Opoku-Asare, the director of global inclusion and diversity. She originally went to work at Newmont in her home country of Ghana as an environmental scientist. Three years ago, when she was promoted to her current role, she recounted in an interview, she moved from Ghana to Newmont’s corporate headquarters in Greenwood Village, Colorado. She grew up among a majority population. Arriving in the United States, Opoku-Asare found herself well in the minority.

“Think about that,” Doyle implored.

Given her science background, Opoku-Asare describes her love of experimentation and data as being well suited to her role as diversity chief. She enthusiastically describes her current study of how technology can be deployed to better inform Newmont recruitment and hiring activities. She also is active in various BRGs. On Newmont’s “Voices” blog, she recalled her transition to the United States. “Sometimes it’s the most simple things that an employee like myself [moving from Ghana to Colorado]— like clearing out your sprinkler line before the onset of winter.”

Among Opoku-Asare’s responsibilities is the development of targets aimed at providing Newmont with objectives by which diversity outcomes can be measured. At the end of 2017, female representation had nudged up to 14.7 percent from 14.1 percent the prior year. In its Africa region, Ghanaian nationals represented 50 percent of the leadership and 87 percent of management. In South America, 47 percent of the regional leadership is national. In Peru, 94 percent of management are Peruvian nationals, and in Suriname, the percentage of Surinamese nationals is 64 percent. None of these gains, she noted, would have been possible without the support of Newmont leadership, including its board.


What to Do With Pay If Taxes Go Much, Much Higher

Regulations and
taxes greatly influence executive pay design. While the current “typical”
program—salary, annual bonus based on financial results, and an annual equity
award dominated by performance-based shares—seems as comfortable as an old shoe,
it’s an evolving thing that adapts to meet dual goals of incentives and retention.

As the election
cycle begins to heat up for a 2020 showdown, lines are beginning to show in the
sand around monetary policy, trade, and income taxes. Compensation committees
need be forward-thinking about long-term implications of potential new laws so
they can act nimbly and with conviction when changes occur.

Our objective is not
to handicap the political environment and discuss what’s “likely” to occur.
Guessing right would be simple luck. In broad strokes, the tax ideas floated so
far by potential 2020 Democratic presidential candidates focus on raising taxes
for the wealthy as a mechanism to close the Federal deficit. That drumbeat will
get louder and more polarizing on the road to the 2020 general election and amid
mixed economic signals.

The ideas of candidates Bernie Sanders and Elizabeth Warren center on increasing tax revenue from capital gains. Bill Gates approached the notion more directly (albeit in a manner less politically appealing): “The big fortunes, if your goal is to go after those, you have to take the capital gains tax, which is far lower at like 20%, and increase that.”

Both ideas are similar in that they create a more even playing field between ordinary income and capital gains. That disparity is arguably at the heart of inequality of wealth distribution.

Proponent                                  Idea
Sen. Bernie Sanders                        For the 99.8% Act expands estate tax to 77 percent marginal rate for estates worth $1 billion or more
Sen. Elizabeth Warren                      Annual wealth tax: 2 percent on net worth over $50 million, 3 percent over $1 billion
Sen. Brian Schatz                          Proposed Wall Street Tax Act would introduce 0.1 percent tax on sale of stocks, bonds, and derivatives
Sen. Alexandria Ocasio-Cortez              New 70 percent marginal rate on annual income over $10 million
Sen. Tammy Baldwin and Rep. Bill Pascrell  Eliminate capital gains treatment for carried interest gains

Boards first should be thinking and talking about the broader economic implications of the political environment on their business planning and strategy. Compensation committees should consider near-term and long-term implications for pay program design as part of this discussion.

A Dollar Today May Be Worth More Than a Dollar Tomorrow

Material changes to
the tax code should not be expected reasonably before 2022, and then only if a
Democrat is elected as president. If marginal income rates are certain to rise
materially, incentive awards that vest prior to the increase will have a higher
after-tax value than those that vest after the increase occurs.

Awards that deliver a
higher after-tax value may be desirable, similar to the end of 2017 when the
corporate tax rate—and the associated value of tax-deductible compensation—dropped
from 35 percent to 21 percent. Many boards took action at the end of 2017 to
bring forward compensation-related tax deductions. We would expect similar
actions if future individual tax rates are certain to rise.

Maintaining Sound Pay Principles Remains Paramount

The compensation committee
has a duty to make rational decisions about pay that align with performance. Pay
programs that deliver pay sooner and incentives for long-term strategic
execution that benefit the company must remain balanced. This could lead to
complexity in pay program design that generates taxable income for recipients
but maintains a connection to long-term performance of the company. This could
take many forms, such as:

  • Increased stock option usage, giving the
    recipient control over timing of income.
  • Shorter vesting of share-based awards with
    material holding requirements.
  • “Banked” awards, to trigger income tax
    quickly on a portion with future performance requirements for upside attainment.
  • A (short-lived) renaissance in Section 83(b)
    elections.

Increased Taxes Could Promote “Long-termism”

If wealth, estate,
and capital gains tax ideas come to fruition, an opposite and powerful
incentive to encourage long-term behavior could become a reality. Executive pay
above $1 million in a given year generally is no longer deductible, and if
corporate tax rates do not rise with individual rates, companies have less incentive
to accelerate pay-related deductions where available.

This should
stimulate discussion of much longer-term and estate-oriented pay structures for
senior executives. Ideas in this area include the use of various kinds of
trusts to encourage a reduction in personal balance sheets to defer wealth or
estate tax burdens, and a delay
versus acceleration of income recognition.

It is too early to
tell how this will shake out. How pay evolves is a result of many complicated interactions.
History teaches us that changes in the law are a major driver of that
evolution. Reaffirming the principles of the pay system when discussing
potential reactions to a new regulatory environment will be the key to having
comfort in the next wave of executive pay design.

Margaret Hylas is a consultant and Todd Sirras is a managing director of Semler Brossy Consulting Group. All thoughts expressed here are their own.

Directors Discuss How to Build Cyber-Risk Resilience

“What’s the board’s role in a data breach?”

This was a question posed by one of the director attendees
at a recent roundtable event hosted by NACD in partnership with Accenture on
how boards can go about building greater cyber resiliency within the
organizations they serve. And as a litany of companies have fallen victim to
cyberattack and endured considerable financial and reputational fallout—it’s a
simple question that demands a nuanced answer.

Robert Kress, managing director at Accenture, encouraged
attendees not only to have a well-coordinated response plan mapped out so that
it can readily be put into action if and when the worst occurs, but also to
“Ask yourselves: How does the board get engaged in a breach?”

“Is there a subcommittee? How are decisions made? Which
decisions should involve the board?” Kress asked. “Breaches oftentimes happen
at inopportune times such as weekends and holidays because threat actors know less-experienced
people are manning the ship—if they’re working at all. A good crisis response
plan should have clearly defined the role of the board, outside counsel for
support to ensure you have the regulatory requirements for reporting, and
arrangements with a marketing firm to handle public relations.”

One attendee shared that, after the US Government Affairs
Office (GAO) released its assessment of the Equifax breach, his board asked the
chief information officer to review the GAO’s recommendations and do a gap
analysis. “I was surprised by how cogent those reports really were,” he said.
But for him, paying close attention to how one federal entity picked apart all
that went wrong in the Equifax case raised questions around how boards should
think about disclosures and communicating what the company’s risk capacity is.

“Cybersecurity needs to go hand-in-hand with the broader
enterprise risk management program,” Kress said. “Cybersecurity is one type of
business risk that needs to be addressed broadly—in the 10-K or via a cogent
response from management on how they want to mitigate that risk. And companies
are improving their capabilities in detection and response processes, with the
time to detect and respond to an incident getting shorter. However, the
financial impact of cyber breaches continues to go up, with current research
showing that the average cost of a cyber incident is between 16 and 17 million
dollars.”

When it comes to improving the company’s response, a board
can be a huge asset. Another director shared that, in her experience,
management might offer pushback against boards that want to do tabletop
exercises, seeing the process of simulating an emergency as “overdoing it.” And
yet, when her boards were allowed to engage on this level, management found
that the director perspective was invaluable because they were asking the right
kinds of questions that challenged basic assumptions.

“It’s important you put pressure on things,” Vikram Desai,
global managing director at Accenture, said in affirmation. “In my
observations, the CEO will ask the CISO [chief information security officer] and
the CIO [chief information officer] if everything’s good on the security front.
They say it is—and nothing gets back to the board. These are dynamics that
create a false sense of security.”

But despite best efforts, odds are that companies with a
digital footprint will be breached at some point in time—which will in turn
mean having to work with the federal powers that be. On this front, it was
noted that most companies are not 100 percent compliant with federal
regulations from the get-go. At the very least, it’s important to have a formal
plan and timeline in place for becoming compliant as a token sign of good faith
for the regulators who may do a thorough investigation of the company’s
cybersecurity practices. Ignoring these issues, however, is not an option.

As the conversation accentuated the integral role that the
CIO has to play in the board’s oversight of cybersecurity issues, one director
asked about what small-cap companies should do, as they frequently lack the
financial means to attract and retain the requisite talent to help see boards
through these issues. And even if there is money set aside to bring on a CIO or
a CISO, the phrase “you get what you pay for” painfully springs to mind.

Here, outsourcing can be a viable option. “The smartest
thing a company can do is go to a managed security services provider,” Desai
said. “They can provide the ability to monitor operations, and if something
happens, they can activate the incident response plan. And within the universe
of security services, there is a ranking checklist that rates these companies
from OK to very proficient.” 

As the afternoon progressed, the conversation began to
explore a more fundamental element of cybersecurity: What part of the board
should assume the primary responsibility for overseeing cyber risk?
Historically, the audit committee has taken on this task largely because it was
concerned with enterprise risk management in general. But as the cyberthreat
landscape continues to quickly grow in scope, both Kress and Desai agreed that
this might not be the best arrangement and that—at least for the larger
companies with the capabilities to do so—creating a standalone technology and
risk committee might be key to capably overseeing these issues into the future.

Failsafe prevention may be impossible, and having a
well-orchestrated crisis response plan is the best any company can hope for to
save face in a crisis. A company that makes the best of efforts remains at high
risk of losing stakeholder trust. It’s a problem too large for any one company
to solve, making it imperative to identify ways in which to foster
collaboration.

“We are nearing a point where boards need to ask management
how they are working with other companies within the industry,” Kress said in
closing. “Digital trust underpins every organization today. If we lose digital
trust, there will be significant financial impacts. I think that participating
in industry forums and being more willing to share knowledge with government
entities about breaches can help.”


What You Need to Know About Cyber Insurance and Regulatory Change

As recent events have shown, the pace and scale of cyberattacks continue to grow, as do the financial stakes—revenue losses, recovery expenses, liability costs, and potentially severe regulatory fines are all consequences facing companies. The specter of 2017’s NotPetya event, the most devastating cyber event in history, continues to haunt business leaders: the malware caused more than $10 billion in economic damages and disrupted business operations, production, and logistics for major global firms. The insured losses from that attack alone have been estimated at more than $3 billion.

Incidents such as these are forcing companies to make cyber risk a corporate priority. In the recently released Global Risks Report 2019, those in advanced economies again rank cyberattacks among their top risk concerns. That recognition has evolved from viewing cyber risk as a problem to be solved by spending more on technology to seeing it as a risk that must be actively managed across many areas of the company. That shift in mindset has brought cyber insurance into the overall equation of how a firm manages its technology risk.

But cyber risk is an increasing concern not just for C-suites
and boards: regulators also are more actively looking at how organizations
address cyber risks and how they manage their responsibilities to key
stakeholders. So even as the financial costs of cyber threats grow, the
regulatory stakes are likewise poised to rise as more regulators—and particularly
the US Securities and Exchange Commission (SEC)—begin to impose stricter
requirements on businesses.

These two trends—the increasing adoption of insurance to transfer cyber risk and a more rigorous regulatory approach to cyber-risk management—dovetail in numerous ways. Many of the new regulatory requirements and guidance around cyber-risk assessment, prevention, and management, executive and board-level ownership, and event disclosure and response, are the same practices that should inform an organization’s decision-making around cyber insurance investment. These same best practices are what underwriters increasingly expect and value.

The SEC Strengthens Its Stance

Cybersecurity has been on the SEC’s agenda for several years. In 2011, the commission’s Division of Corporation Finance issued guidance calling on companies to assess their disclosure obligations regarding their cybersecurity risks and cyber incidents.

While a good starting point, the guidance did not go far enough in setting clear expectations for both proactive and reactive cyber-risk management and oversight. The SEC’s 2018 interpretative guidance outlines requirements for publicly traded companies to disclose cybersecurity risks and material incidents.

The SEC guidance focuses on five main areas:

  • Pre-incident disclosure. The guidance calls for transparency around the
    identification, quantification, and management of cyber risks by the C-suite
    and oversight by the board of directors. Often, growth in technology and the
    global operating environment impede 360-degree visibility into a company’s
    vulnerable spots, with lack of data contributing to compromised security.
  • Board oversight. The board is expected to understand, quantify, and oversee
    cyber risk. The SEC advises companies to disclose in their proxy statement the
    board’s role and engagement in cyber-risk oversight. Board members have to be
    privy to and understand the company’s overall cybersecurity exposure, with a
    particular focus on the impact on the company’s financial condition,
    integrating this insight into their 360-degree view of the company’s risks.
  • Incident disclosure. Companies are required to “inform investors about
    material cybersecurity risks and incidents in a timely fashion.” To do so,
    companies must have structures in place to identify and quantify cyber
    risk—tools that allow the organization to rapidly determine whether the impact
    of a compromised system was, in fact, material and requires disclosure to
    regulators and investors.
  • Controls and procedures. The guidance also tasks companies with assessing
    whether their enterprise risk management (ERM) process is sufficient to
    safeguard the organization from cyberdisasters. This requires a step-by-step
    playbook for cyberevents, including identifying who needs to be contacted and
    how and with whom the business will share information about a breach. Given
    the evolving nature of cyber risk, ongoing due diligence exercises should occur
    to identify and manage new risks—especially during a merger or acquisition.
    Most companies have long done this for other perils such as natural disasters,
    and it is imperative they extend this process to cyber risk.
  • Insider trading. New to the 2018 guidance is a reminder to companies,
    directors, officers, and other parties of insider trading prohibitions. In
    practice, this means that directors, officers, and other executives who are
    aware of a company’s cybervulnerabilities or a breach could be liable if they
    sell company stock, or instruct anyone else to do so, before such a breach or
    vulnerability is divulged.

The cost of non-compliance can be substantial. Last year the SEC leveled a $35 million penalty against a large technology company it said misled investors when the company failed to disclose the theft of the personal data from hundreds of millions of user accounts.

Congress, which holds the SEC’s purse strings, is placing mounting pressure on the agency to improve cybersecurity, and private investors are also pressing for more stringent cybersecurity controls at the companies they hold. It is, therefore, likely the SEC will start coming down on companies with more vigor, especially in the wake of recent—and, inevitably, future—major breaches.

Risk Transfer as a Core Cyber-Risk Management Tool

Given the nature of the majority of risks, businesses
recognize that technology and other solutions alone can’t respond to the full
spectrum of risks they face. Insurance has historically stepped in to provide
the financial backstop for that residual risk that cannot be managed to zero
through process, procedure, and mitigation. 

Cyber risk is no different in this sense, and organizations
are now recognizing that cyber risk also cannot be managed through technology
alone. It is an operational risk that needs to be incorporated into the firm’s
overall ERM processes—one that includes risk transfer, as well as mitigation
and resilience planning.

The insurance market now offers risk transfer solutions for
cyber risk that address both ever-evolving technology risk and the gap left as
traditional insurance products have retreated from adequately covering firms’
evolving cyber-risk profiles.

Cyber insurance starts with the premise that all of a firm’s
technology-driven risk should be insurable. These risks include both the direct
loss that a firm can suffer in terms of lost revenue or assets, as well as the
liability that can arise from a data breach or failure to comply with myriad
new domestic and international regulations.

Cyber insurance has also been at the forefront of pushing
for better understanding of this risk’s financial implications to help the
industry improve modeling of potential loss scenarios. That financial
assessment is a critical foundation for businesses’ risk management planning as
well: Cyber-risk quantification helps the firm assess the economic impact of a
range of cyberevents, and on that basis, make informed investments in
technology, insurance, and response resources. Quantification of cyber risk
also allows for cyber risk to be analyzed within the firm’s overall risk
framework and integrated into its overall risk management planning. 

The assessment, evaluation, and modeling processes that are essential foundations for purchasing cyber insurance are, in many ways, aligned with the practices called for by the SEC in its recent guidance. Given the likelihood of an increasingly active regulatory agenda, organizations are advised to align their policies and practices to abide by the SEC’s recommendations and to consider insurance market coverage that can help protect against cyberevent-related losses and regulatory liabilities. 

Bob Parisi is cyber product leader and Christopher Hetner is managing director of cyber-risk consulting at Marsh.

Finding Inroads to Alleviating Common Cyber Risk Pain Points

It’s generally accepted that the development of technology
is rapidly accelerating. So too has the speed of integration of new
technologies into our day-to-day lives. Consider this: since mobile phones were
first introduced, it took 12 years before 50 million people had one. In
contrast, it took Facebook only 2 years since its debut to reach that same
milestone, and the mobile phone game Pokémon Go only needed two days.

At such a pace of proliferation, it’s difficult to fully
synthesize the full ramifications of a new technology before the next wave of
change comes rolling in. And if you’re a company that is under pressure to
digitize its operations, being too aggressive about staying on the cutting edge
of digital transformation can lead to potentially catastrophic risk exposures.
It’s an area where board insight and oversight is especially needed—but knowing
exactly how to approach the issue might not seem equally crystal clear.

Accenture’s Robert Kress says there is no panacea to cyber risks.

This was the subject of a recent roundtable hosted by NACD
in partnership with Accenture. According to Robert Kress, managing director at
Accenture, there’s no single panacea.

“You need to tailor your thinking to the environment you’re
working in,” he said. “So, what do you do about it? Think about leadership in
governance across three key dimensions: within your organization, within your
ecosystem, and within and across industries. Looking within your organization,
ask: What is the scope of your CISO’s responsibility? Looking within your
ecosystem, realize that every organization is more dependent on other players
within your ecosystem. Many of the breaches that occur come through that
channel. Look across industries because the Internet is fragile. Think about
when it was created and what it was created for—and it was not designed to
defend against cyberattacks. There is a lot of work needed to reinvent the
Internet—and that is only going to happen if organizations are working together
and working with the government.”

“I would say that it’s not as complex a picture as you have
painted,” Vikram Desai, global managing director at Accenture, said in
counterpoint. “I do think that while each company has a unique fingerprint,
there’s a value chain associated with how businesses operate and there are
simple pain points along the way. And there are some very basic things you need
to get right to make it more difficult for an attacker to target you. Within
industries, exchange information on best practices, work with service providers
to understand the real-time status of attacks. It’s incumbent on every board
member to make sure that there are techniques and exercises consistently
executed [throughout the organization] to make sure the people are sensitized
to these issues.”

Desai went on to underscore the importance of the chief
information security officer (CISO). To begin with, selecting the right person
for that role is difficult because most CISOs are technologists who lack
business savvy and the ability to communicate what they know to a lay
audience—so ensuring that the person who steps into that role receives the
requisite training to effectively communicate to senior leaders and the board
is critical for his or her success. Boards should also ensure that there is a
CISO succession plan in place. Generally speaking, a CISO stays with a company
for about 24 months. With such a high turnover, ensuring that there is a
pipeline of talent within the organization that can capably fulfill the duties
of that role is critical.

Attendees listen on as NACD Directorship Publisher Christopher Clark introduces the theme of the discussion.

“Understand the role of the CISO and what you expect from
that person,” Desai said. “Does the CISO have direct exposure to the board, or
are they blocked by a tech person? Does the CISO understand the top business
objectives for your company and how security can enable those objectives? The
CISO needs to show how things can be done and what the associated risk and
rewards are. If there’s alignment, you’ve got a great running start.”

Visit NACD BoardTalk later in the week for additional
coverage from this event as director attendees grapple with cyber-risk
oversight best practices.

Webinar: Harnessing the Potential of Virtual Teams

Join us in the upcoming Wilcox Miller & Nelson/CPI Webinar, “Harnessing the Potential of Virtual Teams” featuring Bill Florin of CPI Partner, Learning Dynamics. As part of our firm’s participation in Career Partners International, we periodically host webinars to share HR industry experts’ viewpoints on trending topics. This webinar will explore ways to increase engagement, develop relationships, and bridge cultural differences regardless of proximity.

Whether they have given their teams an added perk of remote work flexibility or have just assembled a completely virtual “dream team,” many employers are still struggling to see the promised returns of a digital team. Why are these teams not delivering at the level of their onsite counterparts despite being, on paper, a superior group of employees? Join us to discuss some of the more treacherous obstacles to realizing the potential of a virtual team.

This program is valid for 1 PDC toward SHRM-CP and SHRM-SCP recertification.

Join us on March 12th at 8:00 a.m. PDT or March 14th at 4:00 p.m. PDT for a 45-minute presentation and 15 minutes of Q&A. Register Today!

Register here or at CPIworld.com.

Sharpening the Board’s Cybersecurity Acumen

Much has been written,
and important insights shared, on cybersecurity. The threat landscape continues
to evolve, and the topic remains significant in the boardroom.

To gain fresh
perspectives on this important area, Protiviti met with 20 active directors
during a dinner roundtable at a December 2018 NACD event to discuss their
experiences. Here are some key takeaways from that discussion:

Don’t let overinvesting in protection and detection lead to underinvesting in response and recovery. The National Institute of Standards and Technology (NIST) framework identifies five pillars of effective cybersecurity: protection, detection, identification, response, and recovery. A global study sponsored by Protiviti asked executives to rate their company’s progress on these pillars, finding most companies score highest on protection and detection and lowest on identification, response, and recovery. As most cybersecurity investments address the protection pillar, the participating directors agreed their organizations need a balanced program to detect and respond to the inevitable cyberattacks. However, most board members report they only see an overall cybersecurity budget; the company’s investments across the five NIST domains are not transparent to them.

Overall, it is important for organizations to move beyond the
protection pillar when it comes to cybersecurity. One board member spoke of a
maturity assessment using the NIST framework and of monitoring progress across
the five domains to improve them to the desired maturity levels. The board
should work with management to regularly assess and monitor the organization’s
ability to identify, detect, respond to, and recover from a cyber breach, as
well as ensure that appropriate investment is supporting each pillar.

Understand the paradox in breach detections between cyber “leaders” and “beginners.” Protiviti’s research finds that digital leaders report more cyberattacks than beginners. The roundtable discussion revealed several reasons, including the likelihood that digital leaders are better at monitoring security activity and have stronger detection measures. Also, they are more likely to have an expanded attack surface due to the new technologies and digitization capabilities they employ. Organizations need to stay focused and keep cybersecurity a critical priority as they advance their digital maturity. To minimize risks, companies should build cybersecurity into each step along their digital transformation process.

Manage the “cyber squeeze” on innovation funding. How does the board effectively address cyber risk without throttling innovation? This important question is a double-edged sword, as innovating creates more cyber risk because it almost always involves embracing new digital technologies. The roundtable discussion emphasized that innovation is about business strategy and should not be an information technology (IT) or “innovation” budget item. Innovation should be part of an overall budget for the enterprise’s growth strategy. Also, risk and cybersecurity should be embedded into the design and developmental approaches—including the Agile and DevOps methods—that innovation teams use so that innovation is undertaken securely.

Mind the enemy within. According to Protiviti’s research, nearly all firms (87%) see untrained general staff as the greatest cyber risk to their business because they may provide a conduit for outside attackers. As noted by several directors, there are solutions to help combat internal threats, but the board is typically not aware of how effective they are. Exposure to attacks by nation-states and sophisticated external attackers is compounded in that these groups often exploit untrained insiders.

The directors
agreed that boards need to turn up the volume on their inquiries of cyber
management as to what is being done about insider risk, including exposure to
third parties. One tried-and-true, not to mention low-cost, cybersecurity
measure—at least for insiders—remains employee training and communication.

Quantify cyber risk to put a value on the crown jewels. Quantification will help management and the board significantly as they work to understand the different types of data and information systems assets the organization maintains. More importantly, it will help them understand what needs to be protected most and oversee how asset protection is being prioritized. The FAIR methodology can assist with this analysis, as it employs risk quantification software to analyze risk using techniques such as the Monte Carlo method, which simulates risk scenarios. Conducting a quantitative risk analysis forces IT and security teams to set risk appetite thresholds, which enhances cybersecurity communications with the board.
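The quantification described above can be shown end to end. What follows is an added example written for this page, not code from Protiviti, NACD or the FAIR Institute: it takes one FAIR-style loss scenario, expressed as an annual loss event frequency (Poisson) and a per-event loss magnitude (lognormal, fitted to a calibrated 90% confidence range), runs a Monte Carlo simulation over many years, and reports the annualized loss expectancy, loss percentiles and the probability that a single year exceeds a board-set tolerance. Every scenario value (event rate, loss range, tolerance) and every function name is an assumption constructed for illustration.

```python
"""FAIR-style Monte Carlo cyber-risk quantification.

Added example, not code from Protiviti, NACD or the FAIR Institute.
One loss scenario is modelled the FAIR way: an annual loss event
frequency (Poisson) and a per-event loss magnitude (lognormal fitted to
a calibrated 90% confidence interval).  Simulating many years yields a
loss-exceedance profile that can be compared against a risk appetite.
All scenario values below are constructed for illustration.
"""
import math
import random
from statistics import mean

Z_95 = 1.6448536269514722  # standard-normal 95th percentile (5th is -Z_95)


def lognormal_params(low: float, high: float) -> tuple[float, float]:
    """Fit a lognormal whose 5th/95th percentiles equal low/high.

    FAIR estimates are typically gathered as calibrated ranges
    ("90% sure one event costs between $100k and $10M"), which this takes.
    """
    if not 0 < low < high:
        raise ValueError("need 0 < low < high")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z_95)
    return mu, sigma


def poisson(rng: random.Random, lam: float) -> int:
    """Draw an event count from Poisson(lam) (Knuth's method; fine for small lam)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def expected_annual_loss(lam: float, mu: float, sigma: float) -> float:
    """Closed-form annualized loss expectancy: event rate x mean event loss."""
    return lam * math.exp(mu + sigma ** 2 / 2)


def simulate(lam: float, mu: float, sigma: float, tolerance: float,
             years: int = 10_000, seed: int = 2019) -> dict:
    """Simulate `years` independent years of losses for one scenario.

    Returns the sample annualized loss expectancy (ALE), loss percentiles,
    and the fraction of years whose total loss exceeds `tolerance`
    (the risk-appetite threshold the board has agreed on).
    """
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    annual = []
    for _ in range(years):
        events = poisson(rng, lam)
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    annual.sort()

    def pct(q: float) -> float:
        return annual[min(years - 1, int(q * years))]

    return {
        "ale": mean(annual),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p99": pct(0.99),
        "p_exceed_tolerance": sum(1 for x in annual if x > tolerance) / years,
    }


if __name__ == "__main__":
    # Constructed scenario: a ransomware event against a customer-facing
    # system roughly once every two years, each costing $100k-$10M (90% CI),
    # against a board-set tolerance of $5M in any single year.
    mu, sigma = lognormal_params(100_000, 10_000_000)
    result = simulate(lam=0.5, mu=mu, sigma=sigma, tolerance=5_000_000)
    print(f"analytic ALE      : ${expected_annual_loss(0.5, mu, sigma):,.0f}")
    for key, value in result.items():
        if key == "p_exceed_tolerance":
            print(f"{key:18s}: {value:.3f}")
        else:
            print(f"{key:18s}: ${value:,.0f}")
```

In this constructed scenario the median year is a zero-loss year (the event rate is below one per year), while the 99th-percentile year is many times the expected annual loss. That gap is the point of the exercise: a single average cost hides the tail, so the figures worth putting on a board dashboard are the loss percentiles and the probability of breaching the agreed tolerance, which is also what forces the risk appetite threshold to be stated explicitly.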

Increase the board’s confidence in its cybersecurity oversight. Cyber threats represent a legitimate concern. A company reputation established and nurtured for 100 years can suffer severe and lasting damage following just one high-profile cyberattack. As a result, it can be difficult for boards to feel fully confident in how they are monitoring cybersecurity risk, both within the organization and among third parties. The roundtable discussion participants noted that while directors must rely on management for this information, they should be proactive in refreshing the board’s oversight capabilities: asking appropriate questions, receiving independent assurances, monitoring focused dashboards, and setting clear expectations regarding the need to preserve reputation and brand image.

Take stock of a changing landscape. Throughout the roundtable discussion, numerous comments were made regarding the changing cyber-threat landscape and the importance of staying informed as it evolves (e.g., ransomware, expanding the value of data beyond credit cards, unapproved mobile devices, third-party threats, and state-sponsored cyberattacks). The complexity of the evolving threat landscape is prompting a need for increased cooperation and information-sharing between the private and public sectors, an objective that remains elusive due to concerns over disclosing confidential and other sensitive information.

The game has now changed. Virtually any organization is
susceptible to cyberattack, even if it does not harbor customers’ personal data
or credit card information. Continue to monitor your company’s cybersecurity
maturity using these and other steps and resources to ensure management has
mitigated risks appropriately.

For a more complete look at the NACD roundtable, including key takeaways, read Protiviti’s full summary of the event.