What You Need to Know About Cyber Insurance and Regulatory Change

As recent events have shown, the pace and scale of cyberattacks continue to grow, as do the financial stakes—revenue losses, recovery expenses, liability costs, and potentially severe regulatory fines are all consequences facing companies. The specter of 2017’s NotPetya event, the most devastating cyber event in history, continues to haunt business leaders: the malware caused more than $10 billion in economic damages and disrupted business operations, production, and logistics for major global firms. The insured losses from that attack alone have been estimated at more than $3 billion.

Incidents such as these are forcing companies to make cyber risk a corporate priority. In the recently released Global Risks Report 2019, those in advanced economies again rank cyberattacks among their top risk concerns. That recognition has evolved from viewing cyber risk as a problem to be solved by spending more on technology to seeing it as a risk that must be actively managed across many areas of the company. That shift in mindset has brought cyber insurance into the overall equation of how a firm manages its technology risk.

But cyber risk is an increasing concern not just for c-suites
and boards: regulators also are more actively looking at how organizations
address cyber risks and how they manage their responsibilities to key
stakeholders. So even as the financial costs of cyber threats grow, the
regulatory stakes are likewise poised to rise as more regulators—and particularly
the US Securities and Exchange Commission (SEC)—begin to impose stricter
requirements on businesses.

These two trends—the increasing adoption of insurance to transfer cyber risk and a more rigorous regulatory approach to cyber-risk management—dovetail in numerous ways. Many of the new regulatory requirements and guidance around cyber-risk assessment, prevention, and management, executive and board-level ownership, and event disclosure and response, are the same practices that should inform an organization’s decision-making around cyber insurance investment. These same best practices are what underwriters increasingly expect and value.

The SEC Strengthens Its Stance

Cybersecurity has been on the SEC’s agenda for several years. In 2011, the commission’s Division of Corporation Finance issued guidance calling on companies to assess their disclosure obligations regarding their cybersecurity risks and cyber incidents.

While a good starting point, the guidance did not go far enough in setting clear expectations for both proactive and reactive cyber-risk management and oversight. The SEC’s 2018 interpretative guidance outlines requirements for publicly traded companies to disclose cybersecurity risks and material incidents.

The SEC guidance focuses on five main areas:

  • Pre-incident disclosure. The guidance calls for transparency around the identification, quantification, and management of cyber risks by the C-suite and oversight by the board of directors. Often, growth in technology and the global operating environment impede 360-degree visibility into a company’s vulnerable spots, with lack of data contributing to compromised security.
  • Board oversight. The board is expected to understand, quantify, and oversee cyber risk. The SEC advises companies to disclose in their proxy statement the board’s role and engagement in cyber-risk oversight. Board members have to be privy to and understand the company’s overall cybersecurity exposure, with a particular focus on the impact on the company’s financial condition, integrating this insight into their 360-degree view of the company’s risks.
  • Incident disclosure. Companies are required to “inform investors about material cybersecurity risks and incidents in a timely fashion.” To do so, companies must have structures in place to identify and quantify cyber risk—tools that allow the organization to rapidly determine whether the impact of a compromised system was, in fact, material and requires disclosure to regulators and investors.
  • Controls and procedures. The guidance also tasks companies with assessing whether their enterprise risk management (ERM) process is sufficient to safeguard the organization from cyberdisasters. This requires a step-by-step playbook for cyberevents, including identifying who needs to be contacted and how and with whom the business will share information about a breach. Given the evolving nature of cyber risk, ongoing due diligence exercises should occur to identify and manage new risks—especially during a merger or acquisition. Most companies have long done this for other perils such as natural disasters, and it is imperative they extend this process to cyber risk.
  • Insider trading. New to the 2018 guidance is a reminder to companies, directors, officers, and other parties of insider trading prohibitions. In practice, this means that directors, officers, and other executives who are aware of a company’s cybervulnerabilities or a breach could be liable if they sell company stock, or instruct anyone else to do so, before such a breach or vulnerability is divulged.

The cost of non-compliance can be substantial. Last year the SEC leveled a $35 million penalty against a large technology company it said misled investors when the company failed to disclose the theft of the personal data from hundreds of millions of user accounts.

Congress, which holds the SEC’s purse strings, is placing mounting pressure on the agency to improve cybersecurity, and private investors are also pressing for more stringent cybersecurity controls at the companies they hold. It is, therefore, likely the SEC will start coming down on companies with more vigor, especially in the wake of recent—and, inevitably, future—major breaches.

Risk Transfer as a Core Cyber-Risk Management Tool

Given the nature of most risks, businesses recognize that technology and other solutions alone can’t respond to the full spectrum of risks they face. Insurance has historically stepped in to provide the financial backstop for the residual risk that cannot be managed to zero through process, procedure, and mitigation.

Cyber risk is no different in this sense, and organizations
are now recognizing that cyber risk also cannot be managed through technology
alone. It is an operational risk that needs to be incorporated into the firm’s
overall ERM processes—one that includes risk transfer, as well as mitigation
and resilience planning.

The insurance market now offers risk transfer solutions for cyber risk that address both ever-evolving technology risk and the gap left by the recent retreat of traditional insurance products, which no longer adequately address firms’ evolving cyber-risk profiles.

Cyber insurance starts with the premise that all of a firm’s
technology-driven risk should be insurable. These risks include both the direct
loss that a firm can suffer in terms of lost revenue or assets, as well as the
liability that can arise from a data breach or failure to comply with myriad
new domestic and international regulations.

Cyber insurance has also been at the forefront of pushing
for better understanding of this risk’s financial implications to help the
industry improve modeling of potential loss scenarios. That financial
assessment is a critical foundation for businesses’ risk management planning as
well: Cyber-risk quantification helps the firm assess the economic impact of a
range of cyberevents, and on that basis, make informed investments in
technology, insurance, and response resources. Quantification of cyber risk
also allows for cyber risk to be analyzed within the firm’s overall risk
framework and integrated into its overall risk management planning. 

The assessment, evaluation, and modeling processes that are essential foundations for purchasing cyber insurance are, in many ways, aligned with the practices called for by the SEC in its recent guidance. Given the likelihood of an increasingly active regulatory agenda, organizations are advised to align their policies and practices to abide by the SEC’s recommendations and to consider insurance market coverage that can help protect against cyberevent-related losses and regulatory liabilities. 

Bob Parisi is cyber product leader and Christopher Hetner is managing director of cyber-risk consulting at Marsh.

Finding Inroads to Alleviating Common Cyber Risk Pain Points

It’s generally accepted that the development of technology
is rapidly accelerating. So too has the speed of integration of new
technologies into our day-to-day lives. Consider this: since mobile phones were
first introduced, it took 12 years before 50 million people had one. In
contrast, it took Facebook only 2 years since its debut to reach that same
milestone, and the mobile phone game Pokemon Go only needed two days.

At such a pace of proliferation, it’s difficult to fully
synthesize the full ramifications of a new technology before the next wave of
change comes rolling in. And if you’re a company that is under pressure to
digitize its operations, being too aggressive about staying on the cutting edge
of digital transformation can lead to potentially catastrophic risk exposures.
It’s an area where board insight and oversight is especially needed—but knowing
exactly how to approach the issue might not seem equally crystal clear.

Accenture’s Robert Kress says there is no panacea to cyber risks.

This was the subject of a recent roundtable hosted by NACD
in partnership with Accenture. According to Robert Kress, managing director at
Accenture, there’s no single panacea.

“You need to tailor your thinking to the environment you’re
working in,” he said. “So, what do you do about it? Think about leadership in
governance across three key dimensions: within your organization, within your
ecosystem, and within and across industries. Looking within your organization,
ask: What is the scope of your CISO’s responsibility? Looking within your
ecosystem, realize that every organization is more dependent on other players
within your ecosystem. Many of the breaches that occur come through that
channel. Look across industries because the Internet is fragile. Think about
when it was created and what it was created for—and it was not designed to
defend against cyberattacks. There is a lot of work needed to reinvent the
Internet—and that is only going to happen if organizations are working together
and working with the government.”

“I would say that it’s not as complex a picture as you have
painted,” Vikram Desai, global managing director at Accenture said in
counterpoint. “I do think that while each company has a unique fingerprint,
there’s a value chain associated with how businesses operate and there are
simple pain points along the way. And there are some very basic things you need
to get right to make it more difficult for an attacker to target you. Within
industries, exchange information on best practices, work with service providers
to understand the real-time status of attacks. It’s incumbent on every board
member to make sure that there are techniques and exercises consistently
executed [throughout the organization] to make sure the people are sensitized
to these issues.”

Desai went on to underscore the importance of the chief
information security officer (CISO). To begin with, selecting the right person
for that role is difficult because most CISOs are technologists who lack
business savvy and the ability to communicate what they know to a lay
audience—so ensuring that the person who steps into that role receives the
requisite training to effectively communicate to senior leaders and the board
is critical for his or her success. Boards should also ensure that there is a
CISO succession plan in place. Generally speaking, a CISO stays with a company
for about 24 months. With such a high turnover, ensuring that there is a
pipeline of talent within the organization that can capably fulfill the duties
of that role is critical.

Attendees listen on as NACD Directorship Publisher Christopher Clark introduces the theme of the discussion.

“Understand the role of the CISO and what you expect from
that person,” Desai said. “Does the CISO have direct exposure to the board, or
are they blocked by a tech person? Does the CISO understand the top business
objectives for your company and how security can enable those objectives? The
CISO needs to show how things can be done and what the associated risk and
rewards are. If there’s alignment, you’ve got a great running start.”

Visit NACD BoardTalk later in the week for additional
coverage from this event as director attendees grapple with cyber-risk
oversight best practices.

Webinar: Harnessing the Potential of Virtual Teams

Join us in the upcoming Wilcox Miller & Nelson/CPI Webinar, “Harnessing the Potential of Virtual Teams” featuring Bill Florin of CPI Partner, Learning Dynamics. As part of our firm’s participation in Career Partners International, we periodically host webinars to share HR industry experts’ viewpoints on trending topics. This webinar will explore ways to increase engagement, develop relationships, and bridge cultural differences regardless of proximity.

Whether they have given their teams an added perk of remote work flexibility or have just assembled a completely virtual “dream team,” many employers are still struggling to see the promised returns of a digital team. Why are these teams not delivering at the level of their onsite counterparts despite being, on paper, a superior group of employees? Join us to discuss some of the more treacherous obstacles to realizing the potential of a virtual team.

This program is valid for 1 PDC toward SHRM-CP and SHRM-SCP recertification.

Join us on March 12th at 8:00 a.m. PDT or March 14th at 4:00 p.m. PDT for a 45-minute presentation and 15 minutes of Q&A. Register Today!

Register here or at CPIworld.com.

Sharpening the Board’s Cybersecurity Acumen

Much has been written,
and important insights shared, on cybersecurity. The threat landscape continues
to evolve, and the topic remains significant in the boardroom.

To gain fresh
perspectives on this important area, Protiviti met with 20 active directors
during a dinner roundtable at a December 2018 NACD event to discuss their
experiences. Here are some key takeaways from that discussion:

Don’t let overinvesting in protection and detection lead to underinvesting in response and recovery. The National Institute of Standards and Technology (NIST) framework identifies five pillars of effective cybersecurity: protection, detection, identification, response, and recovery. A global study sponsored by Protiviti asked executives to rate their company’s progress on these pillars, finding most companies score highest on protection and detection and lowest on identification, response, and recovery. As most cybersecurity investments address the protection pillar, the participating directors agreed their organizations need a balanced program to detect and respond to the inevitable cyberattacks. However, most board members report they only see an overall cybersecurity budget; the company’s investments across the five NIST domains are not transparent to them.

Overall, it is important for organizations to move beyond the
protection pillar when it comes to cybersecurity. One board member spoke of a
maturity assessment using the NIST framework and of monitoring progress across
the five domains to improve them to the desired maturity levels. The board
should work with management to regularly assess and monitor the organization’s
ability to identify, detect, respond to, and recover from a cyber breach, as
well as ensure that appropriate investment is supporting each pillar.

Understand the paradox in breach detections between cyber “leaders” and “beginners.” Protiviti’s research finds that digital leaders report more cyberattacks than beginners. The roundtable discussion revealed several reasons, including the likelihood that digital leaders are better at monitoring security activity and have stronger detection measures. Also, they are more likely to have an expanded attack surface due to the new technologies and digitization capabilities they employ. Organizations need to stay focused and keep cybersecurity a critical priority as they advance their digital maturity. To minimize risks, companies should build cybersecurity into each step along their digital transformation process.

Manage the “cyber squeeze” on innovation funding. How does the board effectively address cyber risk without throttling innovation? This important question is a double-edged sword, as innovating creates more cyber risk because it almost always involves embracing new digital technologies. The roundtable discussion emphasized that innovation is about business strategy and should not be an information technology (IT) or “innovation” budget item. Innovation should be part of an overall budget for the enterprise’s growth strategy. Also, risk and cybersecurity should be embedded into the design and developmental approaches—including the Agile and DevOps methods—that innovation teams use so that innovation is undertaken securely.

Mind the enemy within. According to Protiviti’s research, nearly all firms (87%) see untrained general staff as the greatest cyber risk to their business because they may provide a conduit for outside attackers. As noted by several directors, there are solutions to help combat internal threats, but the board is typically not aware of how effective they are. Exposure to attacks by nation-states and sophisticated external attackers is compounded in that these groups often exploit untrained insiders.

The directors
agreed that boards need to turn up the volume on their inquiries of cyber
management as to what is being done about insider risk, including exposure to
third parties. One tried-and-true, not to mention low-cost, cybersecurity
measure—at least for insiders—remains employee training and communication.

Quantify cyber risk to put a value on the crown jewels. Quantification will help management and the board significantly as they work to understand the different types of data and information systems assets the organization maintains. More importantly, it will help them understand what needs to be protected most and oversee how asset protection is being prioritized. The FAIR methodology can assist with this analysis, as it employs risk quantification software to analyze risk using techniques such as the Monte Carlo method, which simulates risk scenarios. Conducting a quantitative risk analysis forces IT and security teams to set risk appetite thresholds, which enhances cybersecurity communications with the board.

Increase the board’s confidence in its cybersecurity oversight. Cyber threats represent a legitimate concern. A company reputation established and nurtured for 100 years can suffer severe and lasting damage following just one high-profile cyberattack. As a result, it can be difficult for boards to feel fully confident in how they are monitoring cybersecurity risk, both within the organization and among third parties. The roundtable discussion participants noted that while directors must rely on management for this information, they should be proactive in refreshing the board’s oversight capabilities: asking appropriate questions, receiving independent assurances, monitoring focused dashboards, and setting clear expectations regarding the need to preserve reputation and brand image.

Take stock of a changing landscape. Throughout the roundtable discussion, numerous comments were made regarding the changing cyber-threat landscape and the importance of staying informed as it evolves (e.g., ransomware, expanding the value of data beyond credit cards, unapproved mobile devices, third-party threats, and state-sponsored cyberattacks). The complexity of the evolving threat landscape is prompting a need for increased cooperation and information-sharing between the private and public sectors, an objective that remains elusive due to concerns over disclosing confidential and other sensitive information.

The game has now changed. Virtually any organization is
susceptible to cyberattack, even if it does not harbor customers’ personal data
or credit card information. Continue to monitor your company’s cybersecurity
maturity using these and other steps and resources to ensure management has
mitigated risks appropriately.

For a more complete look at the NACD roundtable, including key takeaways, read Protiviti’s full summary of the event.

Gender Pay Equity Analysis Is Here to Stay. Is Your Company Doing It Right?

Equal pay for equal work by people of different genders is top of mind for most companies in 2019, with a December World Economic Forum report noting the gender pay gap is on track to persist for the next twenty decades.

There is absolutely no
reason for the pay gap to persist, and some actors have begun taking steps on
what they have realized is a solvable problem. For example, many states are
enacting laws that require organizations of all sizes to close the gender pay
gap. Shareholder activists, third-party organizations, and activist fund
managers are pressing companies for transparency on their pay equity to avoid
facing a shareholder proposal. Within companies, employee networks are more
frequently sharing their own pay information when pressing their employers on
pay equity.

But more than the legal
requirements or external and internal pressure, gender-based pay equity is the
right thing to do. When employees know a company takes pay practices seriously,
they are more engaged, happier, more productive, and less likely to leave. Employers
that are transparent about their commitment to pay equity earn trust, and a
reputation for pay equity is also the number-one way to attract top talent.

The current solutions
for addressing pay disparities between men and women may actually be
perpetuating the problem. Employers wisely choosing to address pay equity are
often left thinking that fixing the problems is an expensive, complex, and time-consuming
task that may not be worth the investment because—year after year—they must
hire legions of lawyers, experts, or consultants with advanced degrees to
find pay gaps. The industry has conditioned employers to believe the process is
fraught with peril.

Because these costs appear
to be so prohibitive, the industry recommends a “one-and-done” model in which companies
pay for this massive undertaking once a year. The truth is the “one-and-done”
model exists because few companies can afford to do it more than once a year,
or want to endure the process more than once.

What’s worse, one-and-done
reviews don’t sufficiently address the root causes of disparities in pay
between genders. They are forever behind—rather than ahead of—risk. The old
model looks backward, helping companies explain and maintain differences to
assure leaders that while differences exist, they are explainable and won’t
lead to lawsuits. Remedial action, or “catch-up” payments made to underpaid
women annually, is tantamount to fixing symptoms each year but never addressing
the underlying problems.

If
“one and done” actually worked, by definition, we would be “done.” And yet the
gap persists.

So, how do you know
whether your company is engaged in meaningful pay analyses and committed to
eradicating pay disparities between workers of different genders? We’ve
compiled several questions to ask, which will enable you and your board
colleagues to understand more deeply whether your company has seriously and
genuinely addressed pay equity.

Seven Questions Every Board Member Concerned About Pay Equity Should Ask:

  1. Did the company conduct a pay equity analysis this year? If not, is that because pay fairness is not a priority? Is it not prioritized due to fear of finding a problem, or some other reason? Is that reason acceptable?
  2. What were the results, and can you show me those results in a clear and dynamic dashboard?
  3. How long did the process take, and at what cost?
  4. Are the results presented in a way that is usable for you to take action?
  5. If compensation changes were made as a result, what did you learn about the underlying problems that led to the disparities? What policy or behavioral changes will be made?
  6. Are all compensation events analyzed? This includes base pay, new hire starting pay, stock grants, mid-year changes, bonuses, reorgs, or re-leveling exercises and the like.
  7. Does the company analyze pay during the pay-setting cycle so that changes can be made before pay is finalized? And does the company monitor pay equity throughout the year?

Once you have the
answers to these questions, you will be able to assess risk and evaluate the
company’s commitment to pay equity. Most companies engage in ongoing changes in
the employee lifecycle, including hiring, setting pay, promotions, terminations
and turnover, and reorganizations. Companies not analyzing pay equity, or doing
it just once per year, are incurring unnecessary risk—and doing so at a time
when third parties are becoming dramatically more sophisticated in pressing
companies to demonstrate gender pay equity results.

One of the most
important elements of employee satisfaction and engagement is fair pay. A
company genuinely committed to pay equity is not only doing the right thing. It
also has an incredible opportunity for brand marketing and public relations, as
well as a differentiator for recruiting top talent.

If you’d like to talk more about an ongoing or new pay equity initiative at your organization, get started in the comment section below.

Zev Eigen is the founder and chief data scientist at Syndio. Eigen speaks on the topic of pay equity at regional NACD events, most recently at the Colorado Chapter meeting in December 2018.

Why Executives Need Career Transition Support, Even in a Hot Job Market

In a hot job market, certain business leaders question whether they should continue to provide career transition support for executives. Unemployment is down. Companies are clamoring for good talent. “Surely, they will find something quickly.”

But is this really the case? According to the December 2018 report from the U.S. Bureau of Labor Statistics, the average unemployment duration was over 21 weeks. As employees climb the ladder it takes longer and longer to find a position on par with their talents. For executives, it is not unusual for the hunt to take over a year, placing considerable strain on the job seeker.

While your displaced former executive is hunting for a job, how are they filling their time? Are they sharing their discontent with former colleagues at the organization? Have they visited Glassdoor and left a scathing review for the world to see? Or have they been given the support needed to move on in their career with a future focus, reflecting on their time with your company as a period that was enriching for their career? Regardless of job market conditions, the challenges of a career transition still exist. Your executives are unlikely to be prepared for the emotional challenges of dealing with a job loss, the technical difficulty of conducting a modern job search at the executive level, and the motivational struggle of sustaining a typical, extended search. Without support, this could prove detrimental to your employer brand.

Career Partners International (CPI) has over thirty years of experience getting executives back to work quickly. Our combination of expert-level coaching facilitated through world-class technology helps executives convey their value to the market and land new opportunities suited to their talent. CPI coaches guide job seekers through this complex market, while our technology ensures that executives perfect every detail of their job search documents and interview interactions. Over the course of 2018, this system has helped the average CPI Executive candidate land in under 20 weeks, a significant decrease in search time compared to executives without a career transition plan and support.

If you’re charged with deciding whether to provide executive outplacement services, don’t think for a minute that it is any less stressful or any easier to find a new role in a “hot market.” Sure, there may be more opportunities in an expanding economy, but the competition is tough and the process of finding the right opportunity can be extremely difficult, especially for executives who haven’t been out in the market or haven’t been hands-on in a search for a while.

Having a professional on your side with experience in career transitions and industry-leading technological support is the exact backing your executives need. Your executives are accomplished in many things, but bootstrapping their own career transition is not one of them. An executive career coach who is trained to help executives identify their goals, polish their messaging and networking skills, facilitate important introductions, negotiate their next package, and generally put their best foot forward can help them navigate this unfamiliar territory and come out the other side for the better. Not to mention, executive career coaches can also help ensure that your company brand is protected and positively represented by your most visible employees – a worthwhile investment indeed.


Written by John Myers, Managing Partner at Kensington International, a Career Partners International Firm


Why is Your Virtual Dream Team Not Living Up to Expectations?

Harness the Potential of Virtual Teams – March 12th and 14th – 1 SHRM PDC

With over thirty years of experience in talent development and career transition services, Career Partners International (CPI) has provided clients with the tools to navigate through decades of change in the workplace. Despite the best preparations, new challenges continually emerge for HR and Management teams.

Join us for Harnessing the Potential of Virtual Teams, a CPI Webinar Series program, on March 12th and 14th, 2019 as we discuss how to bring out the best in your remote workforce. Many organizations already have or are beginning to introduce remote workers to their team. The benefits of this arrangement are numerous. Leaders can source scarce talent from all over the world, not limited to a commutable range. With constant improvements in technology, connectivity becomes easier despite physical separation. Engagement and retention are improved. Employers are even keeping costs down by reducing worksite overhead.

Whether they have given their teams an added perk of remote work flexibility or have just assembled a completely virtual “dream team,” many employers are still struggling to see the promised returns of a digital team. Why are these teams not delivering at the level of their onsite counterparts despite being, on paper, a superior group of employees? Bill Florin of Learning Dynamics, a CPI Partner Firm, joins us to discuss some of the more treacherous obstacles to realizing the potential of a virtual team.

With over three decades of experience in evolving workplace best practices, the team from Learning Dynamics will be illuminating the most frequent disruptors to team productivity and proposing practical resolutions. We will explore ways to increase engagement, develop relationships, and bridge cultural differences. Ultimately, the goal of the program is to identify ways to get things done. With the proper guidance your teams can deliver on those promises of effectiveness and efficiency, achieving well beyond your current results and expectations.


This program is valid for 1 PDC toward SHRM-CP and SHRM-SCP recertification.

Register today for free at CPIworld.com.

The post Why is Your Virtual Dream Team Not Living Up to Expectations? appeared first on CPIWorld.

Re-Tooling Your SOX Hotline to Combat Sexual Harassment

Companies can no longer view sexual harassment flippantly—as just another human resources headache. Mishandling of sexual harassment complaints goes to the heart of the public’s perception of the company, directly impacting the bottom line. For instance, the Alphabet board of directors was sued last month for their handling of sexual harassment complaints at Google. State and federal legislators have since introduced voluminous legislation targeting sexual harassment. This is a real enterprise risk that requires board oversight.

As the #MeToo movement continues, boards should exercise their oversight authority to assure an unequivocal response to sexual harassment matters by leveraging the powerful tools developed during the post-Enron era.

Boards should address this critical risk area urgently, by reviewing existing corporate controls to ensure that systems in place effectively detect, investigate, and remedy sexual harassment complaints. As a first step, boards should consider whether their whistleblower hotlines—already required for accounting matters under the Sarbanes-Oxley Act (SOX)—are as effectively deployed to identify sexual harassment. Underutilized hotlines and mismanaged complaints have been identified as critical failures in some of the most prominent and public sexual harassment scandals. Through basic enhancements to the existing compliance infrastructure, boards can efficiently and proactively address this critical oversight gap and create a culture that does not tolerate sexual harassment.

Using the Tools in Your Arsenal

In the 17 years since SOX was enacted, a robust compliance framework has developed to address matters raising serious litigation and public relations risks such as accounting fraud and corruption. Whistleblower hotlines are a critical control within that framework. A well-implemented hotline ensures that misconduct is addressed early, minimizing the harm that can be done by a bad actor and the fallout for the company more broadly. Mature reporting programs include:

  1. a well-publicized hotline;
  2. a “tone from the top” that communicates real commitment to addressing allegations;
  3. a robust investigation protocol; and
  4. engaged board oversight.

Nearly two decades of experience with SOX-mandated hotlines should put companies in a good position. However, in the context of sexual harassment, hotlines are often underutilized or deluged with complaints that are not addressed thoughtfully. Companies should take a fresh look at their hotlines, considering the following issues to ensure that the company’s hotline is set up to detect, assess, and remediate sexual harassment complaints.

Make sure that all employees know about the hotline. A hotline that is not well publicized is not protecting anyone. In the wake of a scandal, it is unfortunately all too common for a company to review its hotline files for related allegations, only to find that personnel were not even aware that a hotline existed. When Fox News faced allegations that it failed to address sexual harassment by one of its star personalities, Fox was quick to point out that it had not received a single complaint on its hotline. Employees swiftly rebuffed this claim, reporting that they had not been made aware of the hotline, even in sexual harassment training.

At a minimum, boards should press their management team to confirm that their hotline is included in any trainings and materials relating to sexual harassment. Companies should think critically about the best ways to publicize their hotlines in the context of their operations, industry, and geographic profile. Boards then should routinely review hotline statistics and take steps to probe whether the hotline should be better publicized or re-publicized and whether there are other impediments that may impact reporting—and, therefore, their oversight of this matter.

Encourage Reporting. In the context of headline-grabbing allegations, companies should re-double their efforts to ensure that reporting internally is an attractive first step for employees who have a complaint. Employees often turn to external reporting when they fear their anonymity will not be protected through internal reporting mechanisms and harbor concerns about retaliation. Tone from the top is critical in this respect. It is also important to ensure that reliable anonymous reporting is made readily accessible and that the company’s anti-retaliation policy is emphasized at every opportunity. Particularly in the context of sexual harassment, fear of retaliation appears to be one of the major concerns driving whistleblowers to report externally or not at all.

Adopt Effective Escalation Procedures. Hotline procedures typically break allegations into categories such as “Workplace” and “Business Integrity.” Allegations falling into Integrity-related categories are subject to robust investigation protocols, and credible reports are often subject to mandatory board reporting. “Workplace” complaints, which may include sexual harassment, may be subject to less rigorous procedures with no clear requirement as to when the board is made aware of allegations. Boards should ensure that the procedures implicated by sexual harassment allegations are commensurate to the significant risks posed for the company. Boards should also consider mandatory reporting procedures and ensure that the board has real oversight over the company’s handling of sexual harassment matters.

The #MeToo movement has shone a light onto corporate scandals involving sexual harassment, and the related litigation and legislation are just picking up steam. Boards would be well served to take steps now to ensure that their companies and employees are protected. Enhancing whistleblower hotlines already required by SOX would be a practical and powerful first step in that direction.

Audrey Ingram is a partner and Michael Mann is a partner and founder of the Washington, D.C. office of Richards Kibbe & Orbe. Jamie Schafer is an associate in Richards Kibbe & Orbe’s Washington, D.C. office.

Is Your Board Prepared to Weather an Economic Downturn (or Recession)?

While we’re in the midst of the second longest economic recovery in history, many economists and business leaders are questioning whether we’re nearing the end of the bull run. With slower global gross domestic product growth forecast for 2019 and 2020—particularly in the EU, the U.S., and emerging economies—and some seeing at least a modest risk of a U.S. recession in 2019 and a growing risk in 2020, there’s clearly a growing sense of caution. Financial conditions are tightening in advanced economies, and a number of Fortune 500 companies have announced first-quarter earnings forecasts that have fallen short of analysts’ expectations.

We hear varying levels of concern from directors about a potential economic downturn and possible recession—concerns that are compounded by mounting geopolitical uncertainty and risks posed by Brexit, China’s economic challenges, trade tensions, emerging market debt, and more. While directors appear to be cautiously optimistic, as one director said, “In this environment, it’s good to be paranoid.”

Given the uncertainty that companies are facing today, it is important that board leaders frame their agendas to help ensure that the company is prepared for a potential economic downturn—possibly a severe one. While watching for signs of systemic economic weakness, board leaders should also be mindful of lessons learned from the last recession. Among the key areas for board focus today and in the months to come:

Scenario planning. What scenario planning is the company doing around a hard Brexit, tariffs, a trade war with China, rising inflation, and rising interest rates? Are there second-order effects that will impact the company’s industry, supply chain, and/or value chain? Does management prepare a set of probability scenarios for how the future might unfold and consider the threats and opportunities that those scenarios present? Do the strategic options balance a commitment to a course of action with the flexibility to adjust amid different future scenarios?

Growth, capital allocation, and cost cutting. How is the company balancing cost reduction and growth initiatives? How is it determining whether to invest in capital projects versus buybacks or dividends? How does the company balance taking advantage of growth opportunities with belt tightening in anticipation of an economic slowdown? The world is moving forward regardless of the capital cycles, and companies that are being disrupted need to make technology investments. At the same time, can the company head into a downturn with a slightly fatter balance sheet?

Liquidity, access to capital, and cash flow. What are the company’s plans to raise debt/equity in the short and medium term? How dependent is the company on short-term financing? Are credit lines secure? Is the company at risk of default on debt covenants?

Hedging against commodity, currency, and interest rate fluctuations. What will be the impact of tariffs, inflation, and recession on commodity costs and procurement strategies? How will changes impact the ability to obtain economic hedges against commodity, currency, and interest rate fluctuations?

Exposure to third parties. Does the company understand its exposure to third parties who may experience financial difficulty (customers, suppliers, lenders, and others)?

Fair value and asset impairments of businesses. Does management understand how vulnerable the company’s portfolio is to changes in value in this environment? Has management identified triggering events that may warrant impairment assessments of goodwill and other intangible assets? How will changes in financial markets impact the valuation of pension plan assets and planned or mandatory funding levels?

While we remain cautiously optimistic that the economy is on firm footing and that any recession will be short and shallow, “an ounce of prevention…” as the saying goes.

Dennis T. Whalen is Leader of KPMG’s Board Leadership Center.

Cyber-Risk Considerations During the M&A Process

Data breaches are a constant in today’s headlines, with this risk front and center for some of the most significant mergers and acquisitions (M&A) deals in recent years.

For example, Verizon Communications discounted its acquisition price by $350 million in 2017 when Yahoo! belatedly disclosed that it had experienced several massive breaches. In November, Marriott International publicly disclosed that Starwood’s guest reservation database—containing hundreds of millions of personal records—had been compromised since 2014, prior to the Marriott acquisition.

These and countless other incidents raise a critical question: how should boards be thinking about cyber risk in the acquisition process?

First, boards must understand that cyber risk can have a significant impact not only on the valuation of a deal but also on future legal liability associated with the transaction. From a board’s perspective, the fallout from the Yahoo breach is significant—multiple securities class action lawsuits, directors and officers liability insurance (D&O) suits, and recommendations for removal of directors from the board. The board’s responsibility in overseeing cyber risk management has never been more crucial.

What steps should boards take to address this risk prior to the acquisition? Organizations need to conduct due diligence for a potential acquisition target. In some circumstances, there may be a public record of an organization’s cybersecurity posture. Organizations may have disclosed security incidents or issues due to an obligation to state or federal regulators, and these disclosures may provide insight for an acquiring organization.

But public disclosure is unreliable. Organizations are disincentivized to disclose because it may negatively impact market value, and acquisition targets know that security issues can negatively impact their valuation. In fact, a 2016 survey by Brunswick found that half of all respondents said they would “trim their valuation in situations where the target company had been breached – whether the breach was discovered before, during or after the merger.”

Acquirers will often try to send their cybersecurity and other information security teams onsite to gain a deeper perspective on the risks and issues that may arise post-acquisition. This is important to properly account for any security “fixes” your organization will have to implement to bring the target up to your standards. But this, too, comes with challenges. The tools available to an acquirer’s cybersecurity team include questionnaires and penetration tests, but even if the target agrees, these methods are both time-consuming and reflect only a “snapshot in time” view—not necessarily historical performance.

So, how can your organization address these challenges around market transparency? Investors are finding that security ratings can offer significant insight into a target’s cybersecurity posture and address the information asymmetry challenge. Similar to how a credit rating provides unique insight into the transactional history of a consumer, security ratings providers continuously collect data in an automated, non-intrusive fashion to generate a data-driven, objective rating of security performance. Broad and deep data sets are available that highlight security performance and best practices, giving unique insight into what has—or has not—been managed efficiently over time. Armed with this data, information security teams can drill deeper into the security details of an acquisition; valuation teams can consider more deeply some of the risks that were opaque.

It’s never been more important to consider cyber risk in your investments. The cyber risk that a given company presents has been an often-overlooked element during the M&A process, but it doesn’t need to be that way. Asking the right questions—and acquiring the right data—can go a long way toward reducing financial risk in a transaction. Board members should not hesitate to raise this issue with management during the next acquisition meeting.

Learn more about using security ratings for M&A at BitSight for M&A.