Why Humans Are Still Security’s Weakest Link

Although security leaders may be effective at reducing the impact of cyberattacks within their own four walls, board directors should be aware that malicious insiders are still one of the top two threats, according to our research. It is a fact that serves as a timely reminder for all organizations—protect yourselves from the inside out.

According to the Accenture Ninth Annual Cost of Cybercrime Study, organizations have experienced sizable increases in phishing and social engineering attacks, up 16 percent; ransomware, up 15 percent; and stolen devices, up 13 percent in just one year. These are all areas of concern that give credibility to the argument that humans are still the weakest link when it comes to an organization’s cybersecurity defenses. And with 71 percent being vulnerable to hacking groups using spear phishing, a 55 percent spam rate, and 669 million new malware threats in the last couple of years, a momentary lapse of concentration can prove highly damaging. The prospect of 200 billion connected things by the year 2020 means this vulnerability is only going to get worse for your company and its employees.

Today, the security function is largely
centralized and its staff are often excluded when new products, services, and
processes—all of which involve some sort of cyber risk—are being developed.
This siloed approach can result in a lack of accountability across the
organization and a misplaced perception that security isn’t everyone’s
responsibility—only 16 percent of CISOs in our survey said employees are
responsible for cybersecurity today.

At a granular level, even where
organizations regularly pressure test their resilience, people can invalidate
red and blue team exercises. They may have difficulty behaving like a real
adversary, or they develop “blue team fatigue” following a constant stream of
demoralizing attacks. Worse still, they may develop unhealthy divisions and
fail to communicate effectively before, during, and after an exercise.

As a result, the board should assume the
task of holding the C-suite accountable for putting people first as a security
priority throughout the organization.

Being Accountable

To tackle insider threats and foster a
culture of accountability, boards should ensure that CEOs rally human
resources, talent development, legal, and information technology teams to work
closely with the security office and business units. Here are five ways
directors can suggest that their organizations take on this risk from within:

  1. Train and reinforce safe behaviors. New
    work arrangements—greater use of contractors and remote work—make the need for
    employee training more urgent. Yet, training employees to think and act with
    security in mind is the most underfunded activity in cybersecurity budgets. Immersive
    communications and gamified learning can create sustained behavior change that
    could drive greater security.
  2. Build cybersecurity champions.
    Cybersecurity champions can not only act as advocates for security across the
    organization, they can also provide feedback to the central team on the
    effectiveness of security programs. As with many other facets of culture, the
    board can lead the way by becoming cybersecurity champions.
  3. Reward “security-first” behaviors. In
    our survey, only 41 percent of companies indicated that they offer incentives
    for business leaders who are committed to cybersecurity. Rewards are one tool
    that boards can use to stimulate the desired cybersecurity hygiene behaviors
    throughout the organization.
  4. Maintain strong defenses. As well
    as standard data protection techniques such as encryption and rights management,
    user and entity behavior analytics (UEBA) systems can flag suspicious employee
    activity, such as unusual file transfers that could indicate criminal intent.
    Ask about whether or not the security team has these practices in place.
  5. Help people be prepared. Suggest that
    the security team prepare by rehearsing and testing for end-to-end
    effectiveness. Their practice should be monitoring activity continuously and
    vigilantly, using sophisticated techniques such as micro-segmentation for
    access control—keeping sensitive assets isolated limits the damage in the
    event of a breach.
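The UEBA point in item 4 (flagging unusual file transfers against an employee's normal pattern) is easier to reason about with a concrete detector. The following is an added example, not code from the article or from Accenture, and the transfer log it runs on is constructed inline. It builds a per-user daily baseline from outbound transfer volume and raises an alert only when a day's total is far above that user's own history, so a backup operator who moves large volumes every day is not flagged while an office user who suddenly pulls 40x their normal volume is. The baseline for each day is computed leaving that day out, so a single large day cannot inflate its own baseline, and users with too little history are skipped rather than scored on noise.

```python
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: (user, day_index, bytes_transferred), one record per
# outbound file transfer. These values are made up for the example.
SAMPLE_TRANSFERS = [
    ("alice", 1, 12_000_000), ("alice", 2, 9_500_000), ("alice", 3, 11_000_000),
    ("alice", 4, 10_200_000), ("alice", 5, 9_800_000),
    ("alice", 6, 200_000_000), ("alice", 6, 280_000_000),   # two large pulls on one day
    ("bob", 1, 300_000_000), ("bob", 2, 302_000_000), ("bob", 3, 299_000_000),
    ("bob", 4, 301_000_000), ("bob", 5, 300_000_000), ("bob", 6, 301_000_000),
    ("carol", 1, 5_000_000), ("carol", 2, 900_000_000), ("carol", 3, 4_000_000),
    ("dave", 1, 50_000_000), ("dave", 2, 50_000_000), ("dave", 3, 50_000_000),
    ("dave", 4, 50_000_000), ("dave", 5, 50_000_000), ("dave", 6, 60_000_000),
]


def daily_totals(records):
    """Aggregate raw transfer records into {user: {day: total_bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for user, day, nbytes in records:
        totals[user][day] += nbytes
    return totals


def flag_unusual_transfers(records, z_threshold=3.0, min_days=5):
    """Return alerts for user-days whose transfer volume is far above that
    user's own baseline. The baseline for a day excludes that day (leave-one-out)
    so an outlier cannot mask itself. Only upward deviations are flagged, since
    the concern is exfiltration, not a quiet day."""
    alerts = []
    for user, per_day in daily_totals(records).items():
        if len(per_day) < min_days:
            # Not enough history to know what "normal" is for this user.
            continue
        for day, total in sorted(per_day.items()):
            baseline = [v for d, v in per_day.items() if d != day]
            mu, sigma = mean(baseline), pstdev(baseline)
            if sigma == 0:
                # Perfectly flat history: any increase at all is unprecedented.
                z = math.inf if total > mu else 0.0
            else:
                z = (total - mu) / sigma
            if z > z_threshold:
                alerts.append({
                    "user": user, "day": day, "bytes": total,
                    "baseline_mean": mu, "z": z,
                })
    return alerts


if __name__ == "__main__":
    for alert in flag_unusual_transfers(SAMPLE_TRANSFERS):
        print(f"{alert['user']} day {alert['day']}: {alert['bytes']:,} bytes "
              f"(baseline {alert['baseline_mean']:,.0f}, z={alert['z']:.1f})")
```

On the constructed log this flags alice on day 6 (two transfers summing to 480 MB against a roughly 10 MB daily habit) and dave on day 6 (a jump from a perfectly flat 50 MB), while bob's consistently large volume produces no alert and carol is skipped for lack of history. A real UEBA deployment would use a much richer feature set (destination, time of day, file sensitivity labels, peer-group comparison), but the same baseline-and-deviation idea is at its core.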

Creating Security-first People

People are often unaware of cybersecurity threats, think they’re already protected by existing procedures, or underestimate the repercussions of a security breach. And while there is no single behavior that keeps people secure online, the vulnerabilities posed by humans can be effectively addressed.

Accenture has developed a Human
Vulnerability Assessment—a diagnostic tool based on a data-centric approach. It
identifies the highest priority areas to help people stay safe, the immediate
actions and interventions needed to improve their weaknesses, and offers
benchmarks to make comparisons across industries or geographies.

If you expect to fully protect your
high-value assets, keep “the people dimension” in mind. When security behaviors are better monitored
and managed, people can be part of the solution, not the problem.

Bob Kress is a managing director at Accenture Security where he is the co-chief operating officer and the global lead for quality and risk.

Investors Sound Alarm Bells On Climate. Are You Listening?

Let’s add the World Economic Forum to the list of organizations sounding a clarion call on climate change. Their recent risks report identifies climate change as one of the most severe risks that the world faces, and warns, “it is in relation to the environment that the world is most clearly sleepwalking into catastrophe.”

Investors heard the wake-up calls
early, and have been raising the alarm with companies. Over the past
decade, we have seen rapid growth in shareholder engagement on environmental,
social, and governance (ESG) issues in general, and on climate change in
particular.

One of the most important tools that investors have for engaging with companies on these issues is shareholder resolutions. In 2017 alone, investors filed a record 175 proposals on climate change with U.S. and non-U.S. companies, with many of them receiving record-high voting support.

It is important to keep in mind that
investor attention to climate change is not motivated by social good or
altruism. As the owners of companies, investors, particularly long-term
investors, have a financial interest in ensuring that the board and management
can maintain corporate resiliency and build long-term value.

Shareholders file climate-related resolutions
for economic reasons. They want to be sure company executives and their boards
are doing all that they can to prepare for climate-related business and
economic disruptions, including operational impacts, regulatory shifts, supply
chain ripples, and potential reputation risks. By digging in and engaging on
these questions, investors are looking for climate-resilient strategies that
strengthen corporate performance and value creation.

Non-binding shareholder resolutions are hardly a new tool. In place for nearly a century under the U.S. Securities and Exchange Commission (SEC) Rule 14a-8, the process allows qualifying investors to submit resolutions that can be voted on by all company shareholders. It is a constructive, low-cost way for investors of all sizes to engage with company management and boards in a transparent way.

Unfortunately, this process is under
attack by interest groups painting these resolutions as driven by
investors with political agendas. We believe that this is incorrect, as it
implies that investors who file these resolutions are fringe or minor players.

In fact, Wall Street icons such as
BlackRock, State Street Corp., Fidelity Investments, Vanguard, and other large
institutional investors are among those who consistently support climate
resolutions. Collectively, these institutions manage over $16 trillion in
assets.

Additionally, from our perspective, to
say that climate resolutions are politically motivated is also untrue. While
climate change has unfortunately been politicized in this country, the business
and financial risks that it poses to corporate value are very real—and material.

Look no further than the recent National Climate Assessment showing that climate change is already impacting all parts of the United States. This report, which was developed based on contributions by 13 federal agencies, predicts that if significant steps are not taken to mitigate climate warming, the damage could shrink the country’s gross domestic product by as much as 10 percent by century’s end. That’s more than double the losses from the Great Recession a decade ago.

The business impacts are clear: In 2017, 73 companies on the S&P 500 publicly disclosed a material effect on earnings from extreme weather events, and 90 percent felt the effect was negative. Supply chain disruptions due to climate risk have increased 29 percent since 2012 according to Dow Jones.

In addition, the business case for proactive focus on climate and broader ESG issues is also strong. Academic and investment research—including studies by Bank of America Corp., Morgan Stanley, and JP Morgan—show that serious corporate attention to climate and ESG issues delivers higher stock returns, incurs lower capital costs, and lowers volatility risks.

So what should companies and boards
do when faced with investors who are looking to engage with them, including
through the shareholder resolution process, on climate change?

Previously, we wrote about the responsibility of the board to oversee material climate change risks and opportunities. The following suggestions build on those made in a previous article. 

  1. Engage. Research has consistently shown that boards and management make the best decisions when considering multiple perspectives. Rather than hesitate in the face of investors who are looking to engage on climate change, boards should remember that as owners of the company, investors have an equal interest in the financial wellbeing of the enterprise, and have an important point of view to bring to the table. The sheer act of dialogue could serve to provide valuable information to boards and management and, importantly, generates goodwill. Ceres’ report Lead from the Top notes that shareholder engagement on climate and ESG is an important step to helping the board build its own fluency in these issues.
  2. Disclose. Our economy and capital markets work best when companies engage in robust disclosure. Company management and their boards have critical roles in helping their companies provide the kind of climate risk disclosure that investors are requesting in shareholder resolutions. Frameworks like the recommendations from the Task Force on Climate-related Financial Disclosures (TCFD) provide an important starting point.

By partnering and engaging with
investors, boards can help ensure that companies are more resilient, prepared,
and profitable in navigating fast-changing global risks.

And being prepared is a win-win for
everyone.

Mindy Lubber is the CEO and president of Ceres. Veena Ramani is the senior director for capital market systems program at Ceres. Ceres is a sustainability nonprofit organization working with the most influential investors and companies to build leadership and drive solutions throughout the economy.

Overseeing the Intersection of Digital Transformation and Cybersecurity

We’ve all heard the buzz word “digital,” and I am often asked
questions about how to analyze and oversee the risks of enterprise-wide digital
transformation. While a possible nuisance to the person asking, my first answer
tends to be a question.

What do you believe it means for your enterprise to become
digital?

Only once your company answers that question can the
challenges and risks associated with a well-managed transformation be weighed.
Invariably, the answers to this question are unique and divergent. The answers
also, by necessity, should include insights into these added threads:

  • How do we manage digital transformation risks
    without taking our focus off cybersecurity?
  • What is the role that cybersecurity plays during
    digital transformation?

Cybersecurity and digital transformation are two areas that
are rife with risk, and are shaping challenges around enterprise risk
management (ERM) that are both divergent and orthogonal.

In order to reengineer the enterprise for digital
excellence, cybersecurity risks must be considered hand-in-hand with the risks
inherent in disparate digital infrastructures. Our consumers and stakeholders
expect mobility, with just-in-time, just-in-context service. They also expect
the digital experience to include interaction expected anywhere in the world
the consumer may happen to be located, while at the same time responding
immediately to changes in consumer behaviors.

No pressure, right?

Digital transformation is critical to most enterprises, but
how can the board successfully oversee the management of these new risks?
First, the board should consider the operational changes that come with digital
transformation.

Defining Enterprise-Wide Digital Transformation

To achieve the new digital paradigm, enterprises embrace new
technology models to deliver a digital experience for end consumers. These
models often require vast adjustments to the organization, business, and
technology operating models to be successful.

Consider this example. To meet consumer demands for digital
experiences, enterprises are embracing cloud services as a platform to
accelerate delivery of a product or service. This means that there is no physical
data center lurking in a corner of your corporate headquarters where your
technology operations team goes to provision, configure, and adjust wiring and
floor space. There are no blinky-lighted servers on site that developers and
the business historically have monitored.

What does this change bring?

  • Operating model change.
  • Technology model change.
  • New risks.

Continuing with the example, infrastructure-as-a-service
capabilities like the ones offered by Amazon Web Services (AWS), Microsoft
Azure, and Google Cloud Platform provide enterprises a “virtual data center,” an
environment where developers can begin to create code for a new product
immediately. This increases the speed to launching a new digital service.

What happens next? Everything changes again. The company
would now need a development operations (DevOps) team with combined software
development and information technology operations skills to shorten the systems
development life cycle (SDLC)—all while delivering features, fixes, and updates
frequently in close alignment with business objectives.

Where is the segregation of duties? Where is the old SDLC
waterfall process of requirements (design, build, test, then deploy software)
all run by separate teams with a set of controls that source documented
evidence?

Oh yeah, we don’t do that anymore as a digital organization.

Once an organization begins the process of digital
transformation, the technology operating and control models change, business
objectives have to adjust to consumers’ digital demands, and the roles and
talent requirements needed to function absolutely evolve.

We’ve seen too often that enterprises that rely on digital channels can be interrupted and burdened by cybersecurity missteps. Without an imperative to transform cybersecurity prior to operating the enterprise in a new digital format, disasters are bound to happen. As reported by Bloomberg, one example of many things that can go wrong with the shift to digital operations was the breach at Uber Technologies. The company was utilizing a private GitHub repository—a cloud-based development resource—for its code. A careless developer left logon credentials of users open to bad actors, allowing them to access Uber users’ data on AWS.

While this is a fairly simple illustration of the disconnect
between digital transformation and cybersecurity practices, your cybersecurity
program and controls need to evolve to a new method of operating digitally and
provide an appropriate set of controls that enable strong risk management.

Don’t allow your management team to make the mistake of
accelerating digital transformation without first analyzing the readiness of
your company’s cybersecurity program to manage these new digital operating
models and domains.

Sequencing Digital Change With Digital Cybersecurity

Cybersecurity risks and challenges are omnipresent, and the
risk and threat landscape continue to evolve at the pace of our digital
environments. Making the move to embrace digital operations only expands your company’s
attack surface.

While your company once was operating out of a data center
with its own server hardware, the move to the cloud means that the company’s
data operations may now be functioning in “rented,” multi-platform environments
such as native cloud, software as a service (such as Salesforce Cloud), or
outsourced, provider-managed environments.

One essential question that directors can ask the technology
and security leaders of their companies is, “Have we built new cybersecurity
capabilities to secure our increasing attack surface and the new digital
environments and channels?”

The answer in many cases is that your cybersecurity program has
not transformed digitally and could be unprepared for a new digital paradigm.

The previously effective cybersecurity program you had in
place was not purpose-built to enable a digital transformation. It was instead
built for a world of data-center centricity and simple service offerings
managed from a web application storefront—all solutions that are protected by
on-premise firewalls, endpoint security, denial of service security, content
filtering solutions, and a host of other appliances managed in the company’s data
center.

Therefore, it’s important to consider a risk assessment to
determine the readiness of the company’s cybersecurity program to secure its new
digital domains and environments—on premise and off.

The companies that build a digitally-transformed enterprise
that places the cybersecurity program first, will see greater success in
enterprise digital transformation. They are able to demonstrate to the market
that they are operating with a well-managed risk posture, and are able to move
faster to achieve safe, sound digital success.

Overseeing How the Risk Is Managed: A Way Forward

Every enterprise believes that they have a winning strategy
to thrive within the new digital market, but the hard truth is that they will
not all be winners. Those that win will have a digitally enabled cybersecurity
threat and risk management platform operating in harmony with their digital
business strategy.

The risks of digital transformation and cybersecurity are
clearly impacted by ensuring the right sequence of digital strategies while
managing the risks during this transition. As board members, it’s our
imperative to ask the questions of enterprise digital readiness for
cybersecurity and having purpose-built cybersecurity for digital environments.

Here are my suggestions for questions to ask your
management team to determine if the cyber- and enterprise-wide risks of digital
transformation are being properly conceived of and managed:

  1. How are we defining digital transformation for our
    enterprise with regard to the business and technology operating models?
  2. What are the cultural impacts on the personnel
    and teams affected by digital transformation? How are we considering the
    organizational risks as we require new talent and roles to operate digitally
    and manage risk during the transition to digital operations?
  3. Have we performed a risk assessment to determine
    the impact of the changes to the business, technology, and cybersecurity
    operations required to become digital? How is our attack surface expanding with
    the movement to digital operations and how are we managing the risk?
  4. How are we sequencing required changes to
    digital operating models for cybersecurity, technology, and the business?
  5. How are we measuring the effectiveness of our
    cybersecurity program with the transformation to digital? Are we making the
    right investments in cybersecurity to manage digital cyber risk?

Like the nuisance question at the beginning of this
statement, getting the right answers will be the key to sound oversight of a
successful digital transformation program at your company.

Tony Spinelli is CEO and
founder of S7 Advisors LLC, and is a board member of Blue Cross Blue Shield
Association, director of Peapack Gladstone Financial Corp., and board member of
Per Scholas. He previously served as chief information security officer at
Capital One Financial Corp. and has served on the board of advisors for several
organizations, including the National Security Agency, Cisco, Coalfire, and
IBM.

4 Steps to Harness 360-Feedback’s Possibilities

Effective leaders develop themselves and their team members. Since the 1990s, many leaders have leveraged the development possibilities from 360-feedback surveys, or multi-rater feedback. Like all development tools, 360-feedback surveys have their pros and cons.

A quick scan online yields articles warning readers of the “Horrible Truth of 360-Feedback Assessments” and “The Fatal Flaw with 360-Surveys.” 360-feedback surveys can promote disagreement, dissension, and discord—when implemented improperly. However, when used as a developmental tool, rather than an evaluative appraisal, 360-feedback affords individuals greater self-awareness, opportunities for deeper alignment with company goals, and insights for clear paths to professional success.

Like all employees, leaders have their own blind spots. In order to successfully manage themselves and their teams, it is key to acknowledge these blind spots exist and work to minimize their effects. Leaders who develop this awareness position themselves for success by knowing what competencies they possess, how those relate to the success of the company, and how others around them—peers, direct reports, customers, etc.—perceive their day-to-day effectiveness.

360-Feedback’s Possibilities & Pitfalls

360-feedback provides leaders and team members with key data points taking them beyond their own hunches or assumptions about themselves. They can gain critical insights from how others validate their strengths and pinpoint their weaknesses. It informs, or alerts, recipients to traits and tendencies concealed from their view but ripe for refinement. 360-feedback helps recipients address what strengths and competencies they offer, how those strengths are perceived by others, and how closely linked one’s strengths are with the goals of the company.

Because of its anonymous multi-rater process, 360-surveys add a unique richness to an individual’s development opportunities by lessening the intrusion of reviewer bias. 360’s anonymity empowers raters to offer unguarded feedback because they are given a voice and permission to use it. This anonymity, though, can enable ineffective responses if respondents aren’t aware of the survey’s goals and expectations. Without coaching and the necessary time to complete the surveys, respondents can offer points of grievance without context or examples, expressing aimless criticisms of a leader.

Additionally, leaders who force 360-feedback surveys into the rhythms of their companies will find it difficult to connect the dots between company goals and how 360-feedback can help recipients contribute to those goals. Not all 360 tools are created equal, and if leaders don’t take the time to shape a 360 to the core competencies of a certain role and the overall values of a company, they’ll encounter more dilemmas than developmental opportunities.

So how can leaders effectively implement 360-feedback as part of their companies’ goals for development and success? Here are four steps to harness the possibilities—and avoid the pitfalls—of 360-feedback.

  1. Align to Desired Behaviors: Before a leader receives a 360-feedback review or has a team member reviewed, it’s important to evaluate empirical research addressing the skills, abilities, and competencies necessary for certain roles to help a company thrive. It’s also important to consider which 360 tool is appropriate to drive desired outcomes. This combination will help leaders connect the dots between what development opportunities and strengths a 360-review reveals and what direction of development will help an individual efficiently contribute to the company’s success.
  2. Use as a Developmental Coaching Tool: Problems arise when 360-feedback is used as an evaluative instrument of performance rather than as a development tool for coaching. When 360-feedback is used to grade performance, it becomes tied to decision making that involves possible promotions, raises, etc. In this capacity, 360-feedback can be inappropriately viewed as a final assessment. Instead, leaders need to understand—and help others understand—it’s a data point on the development journey. A skilled coach can deliver the results of 360-feedback to help leaders grow in awareness of their strengths, define steps for moving forward, and clarify what accountability and feedback loops look like.
  3. View It as a Component: Leaders who use only 360-feedback reviews to assess themselves and others are akin to conductors who direct only one musician; they’ll hear wonderful notes and chords, but multiple instruments are required to hear the entire song. 360-feedback reviews should be used in concert with other tools to provide a fuller, clearer picture of behavioral strengths and development opportunities. This provides leaders with a better baseline to create a more nuanced plan for learning, practice, progress, and success.
  4. Clearly Communicate Expectations: Ensuring facilitators and those surveyed are trained to offer helpful reviews is the backbone of a successful 360-feedback discussion. Clear expectations provide a leader with the opportunity to embrace a wider company vision for a culture of development, help illuminate strengths, and highlight opportunities to grow expected competencies. This also helps prepare recipients to digest and reflect on feedback to develop a plan for professional development.

Leaders who hastily implement 360-surveys without a developmental mindset and effective coaching will likely encounter challenges. But when 360-surveys are used as a development opportunity to cultivate greater alignment between strengths and the competencies required to succeed, they bolster self-awareness and create effective development plans to move leaders—and their teams—toward success.


Written by Promark, a Career Partners International Firm proudly serving Greater Cincinnati clients locally and delivering globally for over 50 years.

The post 4 Steps to Harness 360-Feedback’s Possibilities appeared first on CPIWorld.

Newmont Mining Shares How It Improved Board Diversity

As the
deadline approaches for submissions to the second annual NACD NXT awards, produced
in conjunction with Deloitte, the March/April issue of NACD Directorship magazine features a cover story on why the board
of the global gold and copper miner was chosen as the large-cap company winner
for diversity and inclusion.

Newmont’s
15-year journey to achieve greater diversity and inclusion on what was once an
all-male board features interviews with Newmont Chair Noreen Doyle, who also
chairs the corporate governance and nominating committee; independent director
Veronica (Ronee) Hagen, who chairs the leadership development and compensation
committee; and director of global inclusion and diversity, Beatrice
Opoku-Asare.

The story
of the board’s evolution to its current composition is intended to provide to
other boards a prime example of how to practice inclusion—and commit to continuing
that practice. At the time the story was reported, Newmont’s 12-member board
was 58 percent female and ethnically diverse; five of the 12 directors live
outside of the United States where Newmont is headquartered. Setting targets
(not quotas) is part of Newmont’s story.

Newmont was chosen from a group of large-cap
company boards comprised of nominees Archer Daniels Midland Co., Estee Lauder
Cos., Eversource Energy, HP Inc., Prudential, Target Corp., and Union Pacific
Corp. Newmont board directors accepted their award at the first NACD NXT gala
hosted by author and Bloomberg TV anchor Emily Chang before the opening of the
2018 NACD Global Board Leaders’ Summit in Washington, D.C.

The 2019 gala is scheduled for September 23 in Washington, D.C., and will fall amid the 2019 NACD Global Board Leaders’ Summit. This year there are two added categories. In addition to large-, mid-, and small-cap public company boards, NACD NXT will recognize two private companies, one large and one small, and a nonprofit.

In all, six awards will be given. Nominees in
each category will be jointly announced by NACD and Deloitte in June and
winners in each category, selected by an esteemed judging panel, will be
revealed at the gala.

An excerpt of the story from the March/April
issue follows.

The leadership at the top of Newmont’s house has been integral to the continued diversification from the board throughout the company, which has been reinforced by a board-approved people policy. It reads, in part: “At Newmont, we value diversity and promote an inclusive work environment. We are on a journey to becoming an industry leader in global inclusion and diversity. We welcome employees from a wide range of cultures and races. We seek to maximize local employment and to increase diversity in our workforce to better reflect the communities where we operate. We desire a work environment where all employees feel valued and are encouraged to contribute to their fullest potential.”

One of those employees is Beatrice Opoku-Asare, the director of global inclusion and diversity. She originally went to work at Newmont in her home country of Ghana as an environmental scientist. Three years ago, when she was promoted to her current role, she recounted in an interview, she moved from Ghana to Newmont’s corporate headquarters in Greenwood Village, Colorado. She grew up among a majority population. Arriving in the United States, Opoku-Asare found herself well in the minority.

“Think about that,” Doyle implored.

Given her science background, Opoku-Asare describes her love of experimentation and data as being well suited to her role as diversity chief. She enthusiastically describes her current study of how technology can be deployed to better inform Newmont recruitment and hiring activities. She also is active in various BRGs. On Newmont’s “Voices” blog, she recalled her transition to the United States. “Sometimes it’s the most simple things that an employee like myself [moving from Ghana to Colorado]— like clearing out your sprinkler line before the onset of winter.”

Among Opoku-Asare’s responsibilities is the development of targets aimed at providing Newmont with objectives by which diversity outcomes can be measured. At the end of 2017, female representation had nudged up to 14.7 percent from 14.1 percent the prior year. In its Africa region, Ghanaian nationals represented 50 percent of the leadership and 87 percent of management. In South America, 47 percent of the regional leadership is national. In Peru, 94 percent of management are Peruvian nationals, and in Suriname, the percentage of Surinamese nationals is 64 percent. None of these gains, she noted, would have been possible without the support of Newmont leadership, including its board.

Ready to read more? Click here to read the March/April 2019 issue of NACD Directorship magazine.

What to Do With Pay If Taxes Go Much, Much Higher

Regulations and taxes greatly influence executive pay design. While the current “typical” program—salary, annual bonus based on financial results, and an annual equity award dominated by performance-based shares—seems as comfortable as an old shoe, it’s an evolving thing that adapts to meet the dual goals of incentives and retention.

As the election cycle begins to heat up for a 2020 showdown, lines are beginning to show in the sand around monetary policy, trade, and income taxes. Compensation committees need to be forward-thinking about the long-term implications of potential new laws so they can act nimbly and with conviction when changes occur.

Our objective is not to handicap the political environment and discuss what’s “likely” to occur. Guessing right would be simple luck. In broad strokes, the tax ideas floated so far by potential 2020 Democratic presidential candidates focus on raising taxes for the wealthy as a mechanism to close the federal deficit. That drumbeat will get louder and more polarizing on the road to the 2020 general election and amid mixed economic signals.

The ideas of candidates Bernie Sanders and Elizabeth Warren center on increasing tax revenue from capital gains. Bill Gates approached the notion more directly (albeit in a manner less politically appealing): “The big fortunes, if your goal is to go after those, you have to take the capital gains tax, which is far lower at like 20%, and increase that.”

Both ideas are similar in that they create a more even playing field between ordinary income and capital gains. That disparity is arguably at the heart of inequality of wealth distribution.

Proponent                                    Idea
Sen. Bernie Sanders                          For the 99.8% Act expands the estate tax to a 77 percent marginal rate for estates worth $1 billion or more
Sen. Elizabeth Warren                        Annual wealth tax: 2 percent on net worth over $50 million, 3 percent over $1 billion
Sen. Brian Schatz                            Proposed Wall Street Tax Act would introduce a 0.1 percent tax on the sale of stocks, bonds, and derivatives
Sen. Alexandria Ocasio-Cortez                New 70 percent marginal rate on annual income over $10 million
Sen. Tammy Baldwin and Rep. Bill Pascrell    Eliminate capital gains treatment for carried interest gains

Boards first should be thinking and talking about the broader economic implications of the political environment on their business planning and strategy. Compensation committees should consider near-term and long-term implications for pay program design as part of this discussion.

A Dollar Today May Be Worth More Than a Dollar Tomorrow

Material changes to the tax code should not reasonably be expected before 2022, and then only if a Democrat is elected as president. If marginal income rates are certain to rise materially, incentive awards that vest prior to the increase will have a higher after-tax value than those that vest after the increase occurs.

Awards that deliver a higher after-tax value may be desirable, similar to the end of 2017 when the corporate tax rate—and the associated value of tax-deductible compensation—dropped from 35 percent to 21 percent. Many boards took action at the end of 2017 to bring forward compensation-related tax deductions. We would expect similar actions if future individual tax rates are certain to rise.

Maintaining Sound Pay Principles Remains Paramount

The compensation committee has a duty to make rational decisions about pay that align with performance. Pay programs that deliver pay sooner and incentives for long-term strategic execution that benefit the company must remain balanced. This could lead to complexity in pay program design that generates taxable income for recipients but maintains a connection to the long-term performance of the company. This could take many forms, such as:

  • Increased stock option usage, giving the recipient control over the timing of income.
  • Shorter vesting of share-based awards with material holding requirements.
  • “Banked” awards, to trigger income tax quickly on a portion, with future performance requirements for upside attainment.
  • A (short-lived) renaissance in Section 83(b) elections.

Increased Taxes Could Promote “Long-termism”

If wealth, estate, and capital gains tax ideas come to fruition, an opposite and powerful incentive to encourage long-term behavior could become a reality. Executive pay above $1 million in a given year generally is no longer deductible, and if corporate tax rates do not rise with individual rates, companies have less incentive to accelerate pay-related deductions where available.

This should stimulate discussion of much longer-term and estate-oriented pay structures for senior executives. Ideas in this area include the use of various kinds of trusts to encourage a reduction in personal balance sheets to defer wealth or estate tax burdens, and a delay versus acceleration of income recognition.

It is too early to tell how this will shake out. How pay evolves is a result of many complicated interactions. History teaches us that changes in the law are a major driver of that evolution. Reaffirming the principles of the pay system when discussing potential reactions to a new regulatory environment will be the key to having comfort in the next wave of executive pay design.

Margaret Hylas is a consultant and Todd Sirras is a managing director of Semler Brossy Consulting Group. All thoughts expressed here are their own.

Directors Discuss How to Build Cyber-Risk Resilience

“What’s the board’s role in a data breach?”

This was a question posed by one of the director attendees at a recent roundtable event hosted by NACD in partnership with Accenture on how boards can go about building greater cyber resiliency within the organizations they serve. And as a litany of companies have fallen victim to cyberattack and endured considerable financial and reputational fallout—it’s a simple question that demands a nuanced answer.

Robert Kress, managing director at Accenture, encouraged attendees not only to have a well-coordinated response plan mapped out so that it can readily be put into action if and when the worst occurs, but also to “Ask yourselves: How does the board get engaged in a breach?”

“Is there a subcommittee? How are decisions made? Which decisions should involve the board?” Kress asked. “Breaches oftentimes happen at inopportune times such as weekends and holidays because threat actors know less-experienced people are manning the ship—if they’re working at all. A good crisis response plan should have clearly defined the role of the board, outside counsel for support to ensure you have the regulatory requirements for reporting, and arrangements with a marketing firm to handle public relations.”

One attendee shared that, after the US Government Affairs Office (GAO) released its assessment of the Equifax breach, his board asked the chief information officer to review the GAO’s recommendations and do a gap analysis. “I was surprised by how cogent those reports really were,” he said. But for him, paying close attention to how one federal entity picked apart all that went wrong in the Equifax case raised questions around how boards should think about disclosures and communicating what the company’s risk capacity is.

“Cybersecurity needs to go hand-in-hand with the broader enterprise risk management program,” Kress said. “Cybersecurity is one type of business risk that needs to be addressed broadly—in the 10-K or via a cogent response from management on how they want to mitigate that risk. And companies are improving their capabilities in detection and response processes, with the time to detect and respond to an incident getting shorter. However, the financial impact of cyber breaches continues to go up, with current research showing that the average cost of a cyber incident is between 16 and 17 million dollars.”

When it comes to improving the company’s response, a board can be a huge asset. Another director shared that, in her experience, management might offer pushback against boards that want to do tabletop exercises, seeing the process of simulating an emergency as “overdoing it.” And yet, when her boards were allowed to engage on this level, management found that the director perspective was invaluable because they were asking the right kinds of questions that challenged basic assumptions.

“It’s important you put pressure on things,” Vikram Desai, global managing director at Accenture, said in affirmation. “In my observations, the CEO will ask the CISO [chief information security officer] and the CIO [chief information officer] if everything’s good on the security front. They say it is—and nothing gets back to the board. These are dynamics that create a false sense of security.”

But despite best efforts, odds are that companies with a digital footprint will be breached at some point in time—which will in turn mean having to work with the federal powers that be. On this front, it was noted that most companies are not 100 percent compliant with federal regulations from the get-go. At the very least, it’s important to have a formal plan and timeline in place for becoming compliant as a token sign of good faith for the regulators who may do a thorough investigation of the company’s cybersecurity practices. Ignoring these issues, however, is not an option.

As the conversation accentuated the integral role that the CIO has to play in the board’s oversight of cybersecurity issues, one director asked what small-cap companies should do, as they frequently lack the financial means to attract and retain the requisite talent to help see boards through these issues. And even if there is money set aside to bring on a CIO or a CISO, the phrase “you get what you pay for” painfully springs to mind.

Here, outsourcing can be a viable option. “The smartest thing a company can do is go to a managed security services provider,” Desai said. “They can provide the ability to monitor operations, and if something happens, they can activate the incident response plan. And within the universe of security services, there is a ranking checklist that rates these companies from OK to very proficient.”

As the afternoon progressed, the conversation began to explore a more fundamental element of cybersecurity: What part of the board should assume the primary responsibility for overseeing cyber risk? Historically, the audit committee has taken on this task largely because it was concerned with enterprise risk management in general. But as the cyberthreat landscape continues to quickly grow in scope, both Kress and Desai agreed that this might not be the best arrangement and that—at least for the larger companies with the capabilities to do so—creating a standalone technology and risk committee might be key to capably overseeing these issues into the future.

Fail-safe means of prevention may be impossible, and having a well-orchestrated crisis response plan is the best any company can hope for to save face in a crisis. A company that makes the best of efforts remains at high risk of losing stakeholder trust. It’s a problem too large for any one company to solve, making it imperative to identify ways in which to foster collaboration.

“We are nearing a point where boards need to ask management how they are working with other companies within the industry,” Kress said in closing. “Digital trust underpins every organization today. If we lose digital trust, there will be significant financial impacts. I think that participating in industry forums and being more willing to share knowledge with government entities about breaches can help.”
