Fit for the Future: An Urgent Imperative for Board Leadership

It is a truism that the only constant in business is change. But that statement does not remotely do justice to the scale and scope of the multiple changes confronting business in the first half of the twenty-first century:

  • Rapid and far-reaching advances in technology are reshaping competition and the process of value creation in every business sector.
  • The struggle to deal with climate change is beginning to transform the economics of extractive industries and others.
  • Global supply chains are challenged by geopolitical and mercantile conflicts.
  • Investor scrutiny is more demanding than ever.
  • Society’s expectations of business are increasing as governments struggle to address mounting challenges—income inequality, threats to data privacy, crumbling infrastructure, global warming, and so forth.

Each of these changes in itself is seismic. But what makes the current epoch uniquely unpredictable and hard to navigate is the fact that these changes are happening concurrently, interacting with and amplifying each other, as illustrated in the figure below. As a result, companies may find it extremely difficult to anticipate the full impact or the second- or third-order effects of these disruptions in the next few years. This is especially true for boards of directors and their leaders, whose job it is to secure the long-term success of their companies. It is a challenge that is not going away any time soon—indeed, all indications are that it will become more acute.


AN EXISTENTIAL THREAT

As last year’s Blue Ribbon Commission report on board oversight of disruptive risks pointed out, these trends

  • “have the potential to change industry structure or operating conditions,
  • make existing business models obsolete,
  • derail growth,
  • or otherwise pose a fundamental threat [or transformative opportunity] to the long-term strategy of the organization.”

But while the threats are clearly existential, it is far from clear that all companies and their boards are adequately equipped to respond, because many of the big issues facing business are in new or uncharted territories. Technology is one obvious disruptor which is reshaping industries and forcing companies to consider new forms of collaboration that would have been unimaginable a few years ago. For example, the car industry is having to retool its entire production system to meet rising projected demand for electric vehicles while forming partnerships and joint ventures with leading software providers to exploit the emerging markets for autonomous cars. The competitive battleground and source of value creation has shifted rapidly and radically from the vehicles’ hardware to the systems driving it. Another challenge is the complex issue of climate change, where companies are feeling their way toward a response to fundamental market shifts involving international politics, governmental regulation, and investor expectations while considering the economic impact of climate risk. Boards need to bolster their capacity to navigate this labyrinth. A third and rapidly-moving set of challenges is emerging from tectonic shifts in geopolitics and in particular from the rise of great-power rivalry, trade protectionism, and mercantilism—notably in the domain of technology, where the United States and China are engaged in what some see as a new arms race for control over the systems of the future.

Overarching all of these trends is another relatively new pressure: the pressure for companies to articulate and justify their broader purpose, in terms of how they address society’s unmet needs in an era of great social change, activism, and political uncertainty. This is certainly the message from some of the largest institutional investors. As Larry Fink, CEO of BlackRock, put it in his 2019 CEO letter to portfolio companies, “Companies that fulfill their purpose and responsibilities to stakeholders reap rewards over the long-term. Companies that ignore them stumble and fail. This dynamic is becoming increasingly apparent as the public holds companies to more exacting standards. And it will continue to accelerate as millennials—who today represent 35 percent of the workforce—express new expectations of the companies they work for, buy from, and invest in.”

CREATIVE DESTRUCTION ACCELERATES

One important inference from these trends is that the formula for past success matters even less to companies considering their future. Research conducted in 2018 for the Fortune Future 500 initiative (the public companies with the best long-term growth outlook) shows that for large companies, there is now less correlation than there was before between past and future financial and competitive performance over multiple years. This means that companies can no longer hope to prosper merely by sticking to their historical growth strategies and competitive advantages. Relying on past success can engender complacency—itself an existential threat.

It is certainly true that the process Joseph Schumpeter called “creative destruction” is accelerating, and in consequence corporate lifespans are shrinking. A 2018 Innosight study showed that, based on recent trends, nearly half of the corporate constituents of the S&P 500 could be expected to be replaced over the next 10 years. While companies in the S&P 500 had an average tenure of 33 years in 1964, tenures had narrowed to 24 years by 2016 and are forecasted to shrink to just 12 years by 2027. This accelerating churn is to be seen also among very young firms—for example, five-year survival rates for newly-listed firms have declined by nearly 30 percentile points (dropping from 92 percent to 63 percent) since the 1960s. In a parallel trend, the median CEO tenure for large-cap companies has been shrinking steadily over time—indeed, it dropped by one full year between 2013 and 2017. Median tenure is now five years.

Structural change and industry consolidation are also impacting the nature of competition, creating a “winner-takes-most” dynamic in an increasing number of business sectors. Recent research based on analysis of 5,750 of the world’s largest companies shows just how unevenly the fruits of success are now distributed in terms of economic profit (a measure of a company’s invested capital times its return above its weighted cost of capital). The top 10 percent of these companies captured fully 80 percent of positive economic profit between 1994 and 2016.

All of these implications are brought into sharper focus by the increasing shareholder scrutiny which companies are now under, not only from activist investors but also increasingly from institutional investors who wield their significant influence to demand change. Stephen Murray, the president and CEO of private equity firm CCMP Capital, goes so far as to say, “The whole activist industry exists because public boards are often seen as inadequately equipped to meet shareholder interests.” So the challenges for boards and management teams are stark—probably more so now than at any time since the birth of the modern corporation a little more than a century ago. They mean that some, though by no means all, of these individuals’ accumulated experience in strategy development and execution may be less relevant in the future than in the past. And they suggest that board leaders in particular need to adopt a new mind-set and consider a different modus operandi attuned to the demands of this rapidly-changing environment.

IMPLICATIONS FOR BOARDS

Three years ago, in its Report of the Blue Ribbon Commission on Building the Strategic-Asset Board, NACD first pointed out that a new leadership mandate for boards was emerging, driven by “an operating environment . . . that is characterized by increased complexity and uncertainty and includes new sources of risk and opportunity.” It highlighted the role of the board leader in driving a continuous improvement ethos to ensure that the board remains fit for its purpose. Yet performance expectations for boards continue to rise. In a 2019 NACD survey, 73 percent of directors reported that board leadership is more challenging now than it was three years ago, and 84 percent reported that performance expectations had gone up for all board members. Directors admit that they find it really challenging to keep up with change. In the same NACD survey, 36 percent of directors cited the struggle to stay abreast of the changing speed of business as one of the key impediments to the effectiveness of board leaders. Commissioners for this report echoed that concern and highlighted it as a challenge for the entire board. “Many directors don’t feel comfortable talking about emerging technologies, cybersecurity, and other complex topics,” said one Commissioner. “As a result, they tend to defer to others, which can become an abdication of their responsibility to be active board members.”

In the view of the Commission, this shifting business paradigm has profound and immediate implications for boards, and these implications will intensify dramatically over the next 5 to 10 years. They cover

  • board engagement with management,
  • board renewal,
  • operations,
  • transparency,
  • and accountability.

Some of these implications are not new—indeed, boards have been grappling with all of them with greater or lesser success for some time. But there is no doubt that all of them have recently become more acute, and now pose an urgent challenge to board leaders.

  1. IMPLICATION 1: Boards must engage more proactively, deeply, and frequently on entirely new and fast-changing drivers of strategy and risk.
  2. IMPLICATION 2: Boards must approach their own renewal through the lens of shifting strategic needs to ensure long-term competitive advantage.
  3. IMPLICATION 3: Boards must adopt a more dynamic operating model and structure.
  4. IMPLICATION 4: Boards must be much more transparent about how they govern.
  5. IMPLICATION 5: Boards must hold themselves more accountable for individual director and collective performance.


SETTING EXPECTATIONS FOR THE NEW BOARD LEADER

The fundamental role of board leadership stays the same: building and maintaining high-performing boards that build long-term value. Here is how NACD has described board leaders and their role in its past Blue Ribbon Commission reports:

Board leaders are the linchpins on many key issues, including the board-CEO relationship, board dynamics and culture, setting the board agenda, information flows between the board and management, and stakeholder relations (especially board-shareholder engagement).

Many NACD principles and positions about what constitutes good board practice are contingent upon having a strong and effective leader in this role. Strong, qualified individuals in this role “[have] the ability to give the board a competitive advantage.”

As seen in the infographic that follows, based on 2019 NACD analysis of S&P 500 chairs and lead directors, board leaders today have extensive tenure on the boards they serve, bringing with them strong institutional memory, and they almost always have past experience in business leadership roles and a proven track record in strategy and execution.

[Infographic: 2019 NACD analysis of S&P 500 chairs and lead directors]

PRIORITY RESPONSIBILITIES FOR BOARD LEADERS OF TODAY
Lead the setting and monitoring of board performance goals that are regularly synchronized with the (shifting) business strategy.

  • Drive alignment and connectivity. This includes staying connected on material new initiatives and strengthening alignment in how committees and the full board engage on crucial, but now fast-changing, issues such as strategy, risk, disruption, talent, corporate culture, incentives, and technology.
  • Lead the setting of shared values and expectations for a well-functioning board, including the use of a fully candid board, committee, and individual-director performance evaluation.
  • Pay continuous attention to (a) what’s working and why, (b) what’s not working and why, and (c) how the board can use this knowledge to improve its effectiveness.
  • Spend considerable time in one-on-one discussions on key topics with other board members, the CEO, and the management team, with a focus on ensuring openness of discussion and constructive group dynamics.

DESIRED ATTRIBUTES FOR BOARD LEADERS OF TODAY
Fortitude and vigilance to ensure that changes in board processes and practices change behaviors over time

  • Adaptability—a willingness to recognize a board’s new needs and responsibilities and adjust board practices, processes, agenda setting, and structures accordingly
  • Superb communication skills, especially with regard to difficult communications, including sensitive messages to the CEO and to fellow directors
  • Aptitude for relationship building, not just with the board, the CEO, and the senior team, but also with key shareholders, stakeholders, and regulators
  • Inclusiveness—ensuring that the growing diversity of the boardroom is optimized, and enhancing collaboration that is inclusive of different, unconventional thinking
  • Humility—placing a high premium on listening and seeking to understand the (contrasting) views of others. The successful board leader presents himself/herself as “last among equals”

STRENGTHENING BOARD ENGAGEMENT

Board leaders will need to orchestrate more meaningful board engagement to help inform strategic choices and to understand the risks being taken in a much more uncertain and fast-changing environment. Earlier, we described the pressures for boards to become more actively engaged with their companies, without falling into the trap of micromanagement or losing the objectivity required to oversee the business. We suggest that this requires collaboration and candid dialogue between boards and management teams about respective roles and responsibilities.

  • Clarifying where the board would like to seek deeper involvement and why this creates better governance. Examples might be earlier and more in-depth understanding/verification of strategy development and underlying assumptions, preparations for responding to disruption, and plans for major corporate transformations.
  • Creating a shared picture of the present, and of the future, and of where the industry and the competition are headed, and of what that means for strategy.
  • Enhancing board focus on innovation and change. Here is another shift made imperative by the speed of business change. Where in the past a board’s typical posture may have been to act as a brake on management’s ambitions, an equally important goal should now be to work with management to ensure that they embrace innovation and can successfully drive change in the organization.
  • Assessing how well management is maintaining critical alignments among key determinants of performance (e.g., strategy, risk management, innovation, controls, incentives, culture, and talent). This becomes increasingly important as strategies are more frequently being recalibrated.
  • Establishing a framework for more frequent, focused management communication with the board between formal meetings. This can help streamline the meetings themselves, freeing up time to focus on the most critical strategic matters.

DRIVING STRATEGIC BOARD RENEWAL

In order to deliver more meaningful and deeper engagement on entirely new issues, the board leader and the chair of the nominating and governance committee should thoroughly assess whether the board has the right human capital to fulfill its mandate and deliver ongoing value. One of the key questions will be whether the board’s existing composition is aligned with the challenges likely to face the business in the future sketched out together with the management team, and if not, how it should best be renewed. One useful way of thinking about this task could be a “clean-sheet” approach to board diversity and composition, which NACD first recommended in its Blue Ribbon Commission report on building the strategic-asset board. In particular, nominating and governance committees should consider asking the following questions:

  • If we were to create a board from scratch today, what would it look like holistically, from the standpoint of skills, leadership styles, and backgrounds? What will we need in three, five, or more years?
  • Have we sufficiently mapped out our strategy and risks into the future to understand what profiles we need?
  • How should our board composition represent the characteristics of the company’s current and future customer base as well as its workforce?
  • If we are anticipating adding one or more new directors in the next couple of years, have we vetted our recruitment profile to ensure criteria are relevant and that they are not unnecessarily restricting access to appropriate candidates (e.g., requiring CEO or prior board experience)?

BUILDING AN INCLUSIVE BOARD CULTURE

Boards already know how to be purposeful in seeking out individuals who bring a variety of backgrounds, perspectives, and skills. Now they need to be just as purposeful in creating an environment that enables those diverse voices to be heard. The board leader has a critical role to play in activating diversity in the boardroom by recognizing that the aim is not “hiring for diversity and then managing for assimilation.” The goal of the board leader after bringing in new board members is not assimilation but rather enhancing collaboration that is inclusive of different, unconventional thinking. With higher levels of diversity in the boardroom—whether this is diversity in experience, skills, gender, race, ethnicity, or age—it’s critical for board leaders to create a culture that facilitates constructive and candid interactions between board members and that ensures that each director is heard from on important issues.

FOSTERING CONTINUOUS LEARNING

“Continuous lifelong learning’’ is such an oft-heard phrase that it’s close to becoming a cliché. But it’s nonetheless a worthwhile approach for boards and management teams to adopt—because when the pace of change is accelerating, “the fastest-growing companies and most resilient workers will be those who learn faster than their competition.”

This, too, will function most effectively as a collaborative effort between the board and the management team. It’s the role of management to help educate the board about the future and its impact on strategy. The board leader should help the C-suite understand the board’s expectations for the learning process, the time line, and the board’s information needs. At the same time, the board leader should set the expectation that directors not rely solely on management for all of the information they receive, but rather seek out other external sources proactively to deepen their understanding of the business. The agenda for potential learning is vast and constantly growing. “Some learning opportunities may be specific to individual directors; others may be common to all members of a committee or to the entire board (e.g., raising the board’s collective knowledge about cyber threats). Individual, committee, or board-level learning agendas might include

  • industry-specific topics;
  • emerging economic and technology trends;
  • governance matters;
  • regulatory developments;
  • shareholder/stakeholder issues;
  • and/or team dynamics and decision making.”

Commissioners offered a number of observations about the pursuit of structured board learning:

  • First, that it is not just a matter for board leaders and committee chairs—it is a collective task for the whole board to stay “constantly curious.” This can be assisted through experiential learning, where the board visits company sites or meets local managers.
  • Second, there is a constant need to focus collective learning on new technologies—not just the features of emerging technologies but also the reasons why they are so disruptive and how competitors have succeeded in commercializing them.
  • Third, longer-serving directors will benefit from periodically refreshing their knowledge of the basics—for example, by joining new director orientation in order to understand how management’s presentation of the issues may have changed.
  • Finally, the learning imperative applies equally to management. To this end, selected executives should be encouraged to take board positions with companies that are not competitors.

BUILDING AGILITY INTO BOARD OPERATIONS AND STRUCTURE

As stated earlier, the dynamic external environment requires boards to be more careful than before about how they allocate their time, but also more flexible in responding to events. The starting point is effective agenda setting for board meetings.

Agendas

The Commissioners offered a number of specific ideas for enhancing board meeting effectiveness:

  1. First, think holistically about the entire cycle of meetings throughout the year and not just about the agenda for individual meetings. The objective is to ensure the highest return on the time that the board spends together and with management—including what happens outside, around, and in between the actual board meetings.
  2. Second, make a deliberate effort to ensure that board meetings are not predominantly focused on the past and on compliance—on the rear-view mirror, so to speak. Create “white space” time for open conversation and time to delve into identified issues of importance. Foster dialogue and minimize time spent on formal presentations.
  3. Third, take a strategic and almost mathematical approach to time allocation. One Commissioner described how the board tracks how it is spending its time in meetings, then asks board members their opinions about how the board should be spending time, and periodically optimizes the mix.
  4. Fourth, try to maximize one-on-one time with the CEO and the board. It is important to spend time with the CEO without other managers present. An hour and sometimes more at the start of every meeting, and then again at the end, coupled with a CEO/director-only dinner, is an effective way “to get everything that needs airing out on the table.”


Global Governance Insights on Emerging Risks

A HEIGHTENED FOCUS ON RESPONSE AND RECOVERY

Over a third of directors of US public companies now discuss cybersecurity at every board meeting. Cyber risks are being driven onto the agenda by

  • high-profile data breaches,
  • distributed denial of service (DDoS) attacks,
  • and rising ransomware and cyber extortion attacks.

The concern about cyber risks is justified. The annual economic cost of cyber-crime is estimated at US$1.5 trillion and only about 15% of that loss is currently covered by insurance.

MMC Global Risk Center conducted research and interviews with directors from WCD to understand the scope and depth of cyber risk management discussions in the boardroom. The risk of cyberattack is a constantly evolving threat and the interviews highlighted the rising focus on resilience and recovery in boardroom cyber discussions. Approaches to cyber risks are maturing as organizations recognize them as an enterprise business risk, not just an information technology (IT) problem.

However, board focus varies significantly across industries, geographies, organization size and regulatory context. For example, business executives ranked cyberattacks among the top five risks of doing business in the Asia Pacific region but Asian organizations take 1.7 times longer than the global median to discover a breach and spend on average 47% less on information security than North American firms.

REGULATION ON THE RISE

Tightening regulatory requirements for cybersecurity and breach notification across the globe such as

  • the EU GDPR,
  • China’s new Cyber Security Law,
  • and Australia’s Privacy Amendment,

are also propelling cyber onto the board agenda. Most recently, in February 2018, the US Securities and Exchange Commission (SEC) provided interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.

Regulations relating to transparency and notifications around cyber breaches drive greater discussion and awareness of cyber risks. Industries such as

  • financial services,
  • telecommunications,
  • and utilities,

are subject to a large number of cyberattacks on a daily basis and have stringent regulatory requirements for cybersecurity.

Kris Manos, Director, KeyCorp, Columbia Forest Products, and Dexter Apache Holdings, observed, “The manufacturing sector is less advanced in addressing cyber threats; the NotPetya and WannaCry attacks flagged that sector’s vulnerability and has led to a greater focus in the boardroom.” For example, the virus forced a transportation company to shut down all of its communications with customers and also within the company. It took several weeks before business was back to normal, and the loss of business was estimated to have been as high as US$300 million. Overall, it is estimated that as a result of supply chain disruptions, consumer goods manufacturers, transport and logistics companies, pharmaceutical firms and utilities reportedly suffered, in aggregate, over US$1 billion in economic losses from the NotPetya attacks. Also, as Cristina Finocchi Mahne, Director, Inwit, Italiaonline, Banco Desio, Natuzzi and Trevi Group, noted, “The focus on cyber can vary across industries depending also on their perception of their own clients’ concerns regarding privacy and data breaches.”

LESSONS LEARNED: UPDATE RESPONSE PLANS AND EVALUATE THIRD-PARTY RISK

The high-profile cyberattacks in 2017, along with new and evolving ransomware onslaughts, were learning events for many organizations. Lessons included the need to establish relationships with organizations that can assist in the event of a cyberattack, such as

  • law enforcement,
  • regulatory agencies,
  • and recovery service providers, including forensic accountants and crisis management firms.

Many boards need to increase their focus on their organization’s cyber incident response plans. A recent global survey found that only 30% of companies have a cyber response plan and a survey by the National Association of Corporate Directors (NACD) suggests that only 60% of boards have reviewed their breach response plan over the past 12 months. Kris Manos noted, “[If an attack occurs,] it’s important to be able to quickly access a response plan. This also helps demonstrate that the organization was prepared to respond effectively.”

Experienced directors emphasized the need for effective response plans alongside robust cyber risk mitigation programs to ensure resilience, as well as operational and reputation recovery. As Jan Babiak, Director, Walgreens Boots Alliance, Euromoney Institutional Investor, and Bank of Montreal, stressed, “The importance of the ‘respond and recover’ phase cannot be overstated, and this focus needs to rapidly improve.”

Directors need to review how the organization will communicate and report breaches. Response plans should include preliminary drafts of communications to all stakeholders including customers, suppliers, regulators, employees, the board, shareholders, and even the general public. The plan should also consider legal requirements around timelines to report breaches so the organization is not hit with financial penalties that can add to an already expensive and reputationally damaging situation. Finally, the response plan also needs to consider that normal methods of communication (websites, email, etc.) may be casualties of the breach. A cyber response plan housed only on the corporate network may be of little use in a ransomware attack.

Other lessons included the need to focus on cyber risks posed by third-party suppliers and vendors, and on other exposures throughout the supply chain. Shirley Daniel, Director, American Savings Bank, and Pacific Asian Management Institute, noted, “Such events highlight vulnerability beyond your organization’s control and are raising the focus on IT security throughout the supply chain.” Survey data suggests that about a third of organizations do not assess the cyber risk of vendors and suppliers. This is a critical area of focus as third-party service providers (e.g., software providers, cloud services providers, etc.) are increasingly embedded in value chains.

FRUSTRATIONS WITH OVERSIGHT

Most directors expressed frustrations and challenges with cyber risk oversight even though the topic is frequently on meeting agendas. Part of the challenge is that director-level cyber experts are thin on the ground; most boards have only one individual serving as the “tech” or “cyber” person. A Spencer Stuart survey found that 41% of respondents said their board had at least one director with cyber expertise, with an additional 7% who are in the process of recruiting one. Boards would benefit from the addition of experienced individuals who can identify the connections between cybersecurity and overall company strategy.

A crucial additional challenge is obtaining clarity on the organization’s overall cyber risk management framework. (See Exhibit 1: Boards Need More Information on Cyber Investments.) Olga Botero, Director, Evertec, Inc., and Founding Partner, C&S Customers and Strategy, observed, “There are still many questions unanswered for boards, including:

  • How good is our security program?
  • How do we compare to peers?

There is a big lack of benchmarking on practices.” Anastassia Lauterbach, Director, Dun & Bradstreet, and member of Evolution Partners Advisory Board, summarized it well, “Boards need a set of KPIs for cybersecurity highlighting their company’s

  • unique business model,
  • legacy IT,
  • supplier and partner relationships,
  • and geographical scope.”

[Exhibit 1: Boards Need More Information on Cyber Investments]

Nearly a quarter of boards are dissatisfied with the quality of management-provided information related to cybersecurity because of insufficient transparency, inability to benchmark and difficulty of interpretation.

EFFECTIVE OVERSIGHT IS BUILT ON A COMPREHENSIVE CYBER RISK MANAGEMENT FRAMEWORK

Organizations are maturing from a “harden the shell” approach to a protocol based on understanding and protecting core assets and optimizing resources. This includes the application of risk disciplines to assess and manage risk, including quantification and analytics. (See Exhibit 2: Focus Areas of a Comprehensive Cyber Risk Management Framework.) Quantification shifts the conversation from a technical discussion about threat vectors and system vulnerabilities to one focused on maximizing the return on an organization’s cyber spending and lowering its total cost of risk.

[Exhibit 2: Focus Areas of a Comprehensive Cyber Risk Management Framework]

Directors also emphasized the need to embed the process in an overall cyber risk management framework and culture. “The culture must emphasize openness and learning from mistakes. Culture and cyber risk oversight go hand in hand,” said Anastassia Lauterbach. Employees should be encouraged to flag and highlight potential cyber incidents, such as phishing attacks, as every employee plays a vital role in cyber risk management. Jan Babiak noted, “If every person in the organization doesn’t view themselves as a human firewall, you have a soft underbelly.” Mary Beth Vitale, Director, GEHA and CoBiz Financial, Inc., also noted, “Much of cyber risk mitigation is related to good housekeeping such as timely patching of servers and ongoing employee training and alertness.”

Boards also need to be alert. “Our board undertakes the same cybersecurity training as employees,” noted Wendy Webb, Director, ABM Industries. Other boards are putting cyber updates and visits to security centers on board “offsite” agendas.

THE ROLE OF CYBER INSURANCE

Although the perception of many directors is that cyber insurance provides for limited coverage, the insurance is increasingly viewed as an important component of a cyber risk management framework and can support response and recovery plans. Echoing this sentiment, Geeta Mathur, Director, Motherson Sumi Ltd, IIFL Holdings Ltd, and Tata Communication Transformation Services Ltd., commented, “There is a lack of information and discussion on risk transfer options at the board level. The perception is that it doesn’t cover much particularly relating to business interruption on account of cyber threats.” Cristina Finocchi Mahne also noted, “Currently, management teams may not have a positive awareness of cyber insurance, but we expect this to rapidly evolve over the short-term.”

Insurance does not release the board or management from developing and executing a robust risk management plan, but it can provide a financial safeguard against the costs associated with a cyber event. Cyber insurance coverage should be considered in the context of the overall cyber risk management process and the organization’s cyber risk appetite.

With a robust analysis, the organization can

  • quantify the price of cyber risk,
  • develop an effective risk mitigation, transfer, and risk financing strategy,
  • and decide if, and how much, cyber insurance to purchase.

This allows the board to have a robust conversation about the relationship between risk, reward, and the cost of mitigation. It can also prompt an evaluation of potential consequences by using statistical modeling to assess different damage scenarios.
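As an added illustration of the quantification step described above (example code written for this edit, not part of the Marsh or WCD material), the model below simulates many years of cyber loss events, applies a simplified annual-aggregate policy, and compares the total cost of risk (expected retained loss plus premium) with and without insurance. Every figure in it, the event rate, the severity distribution, the deductible, limit and premium, is a constructed placeholder, not data from this page.

```python
"""Monte Carlo cyber-loss model to inform an insurance decision.

Added example, not part of the original report. All parameters below are
constructed placeholders, not figures from the page.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class LossModel:
    """Constructed loss-event assumptions (placeholders, not data from the page)."""
    events_per_year: float   # Poisson rate of loss events
    severity_median: float   # median loss per event, in currency units
    severity_sigma: float    # dispersion of the lognormal severity (log scale)


@dataclass(frozen=True)
class Policy:
    """A simplified annual-aggregate cyber policy."""
    deductible: float   # losses retained before the insurer pays
    limit: float        # maximum insurer payout for the year
    premium: float      # annual cost of the cover


# Baseline for comparison: everything is retained, nothing is paid for cover.
NO_INSURANCE = Policy(deductible=math.inf, limit=0.0, premium=0.0)


def apply_policy(annual_loss: float, policy: Policy) -> tuple[float, float]:
    """Split one year's aggregate loss into (retained, insured) amounts."""
    insured = min(max(annual_loss - policy.deductible, 0.0), policy.limit)
    return annual_loss - insured, insured


def _poisson(rate: float, rng: random.Random) -> int:
    """Sample an event count with Knuth's method (fine for small rates)."""
    threshold = math.exp(-rate)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return count
        count += 1


def simulate_annual_losses(model: LossModel, years: int, seed: int = 0) -> list[float]:
    """Gross aggregate loss for each simulated year, before any insurance."""
    rng = random.Random(seed)
    mu = math.log(model.severity_median)
    losses = []
    for _ in range(years):
        n_events = _poisson(model.events_per_year, rng)
        losses.append(sum(rng.lognormvariate(mu, model.severity_sigma)
                          for _ in range(n_events)))
    return losses


def quantile(values: list[float], q: float) -> float:
    """Empirical quantile (q in [0, 1]) of a non-empty sample."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def evaluate(model: LossModel, policy: Policy, years: int = 20_000,
             seed: int = 0) -> dict[str, float]:
    """Expected and tail losses under a policy, plus total cost of risk
    (expected retained loss + premium), which is the figure a board compares."""
    gross = simulate_annual_losses(model, years, seed)
    split = [apply_policy(x, policy) for x in gross]
    retained = [r for r, _ in split]
    insured = [i for _, i in split]
    return {
        "expected_gross_loss": statistics.fmean(gross),
        "expected_retained_loss": statistics.fmean(retained),
        "expected_recovery": statistics.fmean(insured),
        "gross_p95": quantile(gross, 0.95),
        "retained_p95": quantile(retained, 0.95),
        "total_cost_of_risk": statistics.fmean(retained) + policy.premium,
    }


if __name__ == "__main__":
    # Constructed placeholder assumptions for illustration only.
    model = LossModel(events_per_year=0.8, severity_median=250_000.0, severity_sigma=1.2)
    quoted = Policy(deductible=100_000.0, limit=2_000_000.0, premium=60_000.0)
    for label, policy in (("self-insure", NO_INSURANCE), ("quoted policy", quoted)):
        result = evaluate(model, policy, seed=7)
        print(f"{label:14s} " + "  ".join(f"{k}={v:,.0f}" for k, v in result.items()))
```

The two rows the script prints answer the decision the list above poses: whether the quoted cover lowers total cost of risk at all, and how much it cuts the 95th-percentile retained loss, which is the tail the board is actually buying protection against. Real programs are more complicated than this aggregate model (per-occurrence deductibles, sublimits, waiting periods and exclusions for business interruption, which is exactly the coverage gap the directors quoted above worry about), so the policy terms should be modelled as written rather than as a single deductible and limit before any purchase decision.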

CYBER INSURANCE ADOPTION IS INCREASING

The role of insurance in enhancing cyber resilience is increasingly being recognized by policymakers around the world, and the Organisation for Economic Co-operation and Development (OECD) is recommending actions to stimulate cyber insurance adoption.

Globally, future demand for cyber insurance is expected to depend on the frequency of high-profile cyber incidents as well as the evolving legislative and regulatory environment for privacy protection in many countries. In India, for example, there was a 50% increase in companies buying cybersecurity coverage from 2016 to 2017. Research suggests that only 40% of US boards have reviewed their organization’s cyber insurance coverage in the past 12 months.

LIMITING FINANCIAL LOSSES

In the event of a debilitating attack, cyber insurance and associated services can limit an organization’s financial damage from direct and indirect costs and help accelerate its recovery. (See Exhibit 3: Direct and Indirect Costs Associated with a Cyber Attack.) For example, as a result of the NotPetya attack, one global company reported a decline in operating margins and income, with losses in excess of US$500 million in its last fiscal year. The company attributed the costs to

  • investments in enhanced systems in order to prevent future attacks;
  • the cost of incentives offered to customers to restore confidence and maintain business relationships;
  • additional costs due to claims for service failures;
  • costs associated with data breach or data loss due to third parties;
  • and “other consequences of which we are not currently aware but may subsequently discover.”

Indeed, the very process of assessing and purchasing cyber insurance can bolster cyber resilience by creating incentives that drive behavioral change, including:

  • Raising awareness inside the organization of the importance of information security.
  • Fostering a broader dialogue among the cyber risk stakeholders within the organization.
  • Generating an organization-wide approach to ongoing cyber risk management, rather than one owned by IT alone.
  • Assessing the strength of cyber defenses, particularly amid a rapidly changing threat environment.

[Exhibit 3: Direct and Indirect Costs Associated with a Cyber Attack]

Source: the detailed Marsh and WCD report.


Cybersecurity Risk Management Oversight – A Tool for Board Members

Companies are facing not only increasing cyber threats but also new laws and regulations for managing and reporting on data security and cybersecurity risks.

Boards of directors face an enormous challenge: to oversee how their companies manage cybersecurity risk. As boards tackle this oversight challenge, they have a valuable resource in Certified Public Accountants (CPAs) and in the public company auditing profession.

CPAs bring to bear core values, including independence, objectivity, and skepticism, as well as deep expertise in providing independent assurance services, both in the financial statement audit and on a variety of other subject matters. CPA firms have assisted companies with information security for decades. In fact, four of the leading 13 information security and cybersecurity consultants are public accounting firms.

This tool provides questions board members charged with cybersecurity risk oversight can use as they engage in discussions about cybersecurity risks and disclosures with management and CPA firms.

The questions are grouped under four key areas:

  1. Understanding how the financial statement auditor considers cybersecurity risk
  2. Understanding the role of management and responsibilities of the financial statement auditor related to cybersecurity disclosures
  3. Understanding management’s approach to cybersecurity risk management
  4. Understanding how CPA firms can assist boards of directors in their oversight of cybersecurity risk management

This publication is not meant to provide an all-inclusive list of questions or to be seen as a checklist; rather, it provides examples of the types of questions board members may ask of management and the financial statement auditor. The dialogue that these questions spark can help clarify the financial statement auditor’s responsibility for cybersecurity risk considerations in the context of the financial statement audit and, if applicable, the audit of internal control over financial reporting (ICFR). This dialogue can be a way to help board members develop their understanding of how the company is managing its cybersecurity risks.

Additionally, this tool may help board members with cybersecurity risk oversight learn more about other offerings from CPA firms. One example is the cybersecurity risk management reporting framework developed by the American Institute of CPAs (AICPA). The framework enables CPAs to examine and report on management-prepared cybersecurity information, thereby boosting the confidence that stakeholders place in a company’s initiatives.

With this voluntary, market-driven framework, companies can also communicate pertinent information regarding their cybersecurity risk management efforts and educate stakeholders about the systems, processes, and controls that are in place to detect, prevent, and respond to breaches.


Source: the CAQ white paper and questionnaires.

Make the right decisions about emerging technologies

Today’s businesses are innovating across

  • business models,
  • products,
  • services
  • and customer engagement

while disrupting markets and entire industries. Much of this innovation is driven by applying emerging technologies throughout the value chain. It creates great opportunities but at the same time presents significant challenges and unknown risks and consequences to organizations. Competitors can completely disrupt an industry, or an organization can disrupt itself first and lead a new phase of growth.

This pursuit of everything digital is happening at an accelerating pace. Speed has become a huge source of value, whether measured by faster decision-making or by how quickly an organization can go from ideation to revenue. This need to deploy digital capabilities quickly and at scale is the antithesis of IT-led projects, which typically take months or years; as a result, often out of frustration, the business is increasingly sidestepping the IT function to procure new technologies. An increasingly tech-savvy workforce combined with the proliferation of cloud-based software as a service (SaaS) solutions has greatly simplified this process. In the race to harness emerging technologies and innovate, it is easy to forget about governance, and technology adopted outside the governed process can lead to significant costs and risks.

Understanding what new technologies are introduced to an organization, and when, how, and why, is critical both to maximize the opportunities they present and to minimize the inherent risks.

Establishing a governance framework that embraces disruptive technologies and encourages innovation, while ensuring that risks are identified and managed, is essential to an organization’s ability to survive and thrive in a digital world. Innovation or Emerging Technology Councils comprising the right mix of internal and third-party experts can ensure that the right approach is taken, that investment is available and prioritized, and that opportunities can be scaled.

The unique characteristics of emerging technologies, namely

  • their diverse applications,
  • the myriad concerns raised by some new capabilities,
  • the need for public engagement,
  • and the challenge of effective coordination between governance players,

create the need for a new governance approach and a new lens through which to view risk management.


Source: the detailed KPMG article.