Investors Are Worried About Cybersecurity: What Boards Should Do

With breaches, billion-dollar regulatory fines, credit downgrades, and share price declines dominating the headlines, board members are not the only ones who are worried about cybersecurity. 

Investors are worried, too—and the drumbeat is getting louder. Almost two-thirds of the world’s institutional investors are concerned about the impact of cybersecurity threats on their investments, making cyber issues investors’ top environmental, social, and governance risk, according to the 2019 RBC Global Asset Management Responsible Investment Survey. As reported in a recent Ernst & Young Global survey of institutional investors with more than $35 trillion in assets under management, cyber risk is the number-three threat to portfolio companies’ strategic success over the next three to five years. And even the world’s greatest investor, Warren Buffett, commented within the past few years on cybersecurity: “There’s a very material risk which didn’t exist 10 or 15 years ago and will be much more intense as the years go along.”

What do investors want? More information from companies about their cybersecurity performance. What investors are currently getting is inconsistent, boilerplate information with significant gaps; the lack of data and transparency is leading to increased frustration and concern throughout the investor community as breaches pile up and risks remain unknown. Similar to the growing demand for sustainability and governance information, investors want real, quantifiable, and objective data and metrics about cybersecurity performance. How much is the organization spending on cybersecurity? How effective are the security measures? Have they experienced an incident?

For board members, this may sound all too familiar. In many ways, what investors desire by way of data and insights are exactly the data and insights that the board struggles to access. And the lack of measurable data is having a negative impact on the board’s ability to understand and manage cybersecurity. In a new study from Swiss Re Institute and GEC Risk Advisory, 90 percent of executives reported a “limited understanding” of cyber resilience at their companies. This mirrors previous board-level surveys, including a 2016 study conducted by Stanford Law School which found that 91 percent of board members actually can’t interpret their company’s cybersecurity reports. It is an issue we hear time and time again from board members: While surveys suggest that the board’s understanding of cyber risk continues to improve, the information that security and risk professionals provide in their board reporting is still far too technical for directors to digest.

On the one hand, security professionals need to change the way that they communicate security performance information and focus on the metrics that matter. But while the chief information security officer must do better, so too must the board member. Ultimately, the board is responsible for getting the right type and level of insight into the security posture of the company and ensuring that information is effectively communicated to investors to provide greater assurance.

So, what should board members do? They can start by seeking answers to two critical questions:

Do we have a strategy to minimize a material cyber incident? Not all cyberattacks are meaningful. A material cyber incident is one that would have an impact on an investor’s investment decision-making. The loss of valuable intellectual property, blueprints, research and development, or critical customer data? The disruption of information technology infrastructure, causing delivery failures? These are the incidents that demand the board’s attention and are at the forefront of investors’ focus and concern. In collaboration with senior management, the board should be involved in the development of a cyber-risk management strategy with the goal of preventing a material cyber incident from occurring. This strategy should include approaches to mitigate risk through technology, training, and policies; transfer risk through the acquisition of cyber insurance; and consciously accept risk knowing that not all risks can be remediated. By focusing on the most critical risks, boards can communicate more effectively with investors about strategic initiatives, which should provide confidence that the company is focused on the right things.

How do we measure the effectiveness of our cybersecurity program? Boards should be leveraging a variety of performance metrics (see the NACD Director’s Handbook on Cyber-Risk Oversight, pp. 60-62) that are well understood by directors, including strategic, operational, and tactical metrics that help communicate the effectiveness of the organization’s program. One critical metric to include is independent peer benchmarking to provide a context for the company’s performance. The importance of benchmarking cannot be overstated. According to the Council of Institutional Investors’ 2016 Prioritizing Cybersecurity guide, significant disparities in cybersecurity performance between a company and its peers “may signal that the company’s existing strategy is ill-suited to its size or industry, is not being carried out effectively by management or personnel, or involves security controls and/or technology that have not been deployed or configured properly.”

The board’s role is critical in overseeing cybersecurity, but also in effectively communicating to investors and other stakeholders. Board members can do their part by focusing on these two critical questions, changing the way that they understand cybersecurity, but also taking a step toward creating a stronger relationship with investors on this most critical issue.

Jake Olcott is vice president of communications and government affairs at BitSight.

NACD’s Summit 2020 is going virtual with complimentary access to select programming included with your membership.

Register today for your free ticket.

NACD: Tools and resources to help guide you in unpredictable times.

Realizing the Climate Opportunity

While it is often discussed in boardrooms as a major risk, climate change is also a business opportunity. The low-carbon transition creates opportunities for efficiency, innovation, and growth that extend beyond high-carbon industries like energy and transport to all sectors. Companies can save energy and materials costs, serve new customer needs, enhance their reputations, and better attract and retain talent—all as a consequence of working to reduce their emissions and those of their customers and suppliers.

Through their governance role, boards can help to ensure that climate opportunities are captured by reviewing corporate strategy and focussing on long-term value. This is truer than ever before as companies navigate the fallout from COVID-19 and plan for recovery: Executive teams are occupied with the “here and now” of operational and financial management and boards will need to keep the pressure on management teams to engage with the strategic questions of what comes next. As we show below, those that apply a “green” lens to recovery planning could uncover trillions of dollars in low-carbon opportunities.

Cost Management

Green operations are lean operations, and companies with sufficient capital expenditure flexibility to make smart green investments can reduce their costs at a time when every dollar counts.

Research undertaken by Oliver Wyman and CDP, a nonprofit that runs the leading global climate-related disclosure system, found that European corporations are realizing significant operating cost savings from comparably modest spending on emissions reductions. Investments last year in low-carbon projects such as renewables and energy efficiency were expected to net companies $45 billion over the investments’ lifetimes—a savings of $20 for every metric ton of carbon dioxide equivalent avoided. The same is happening in the United States, where a 2017 analysis found that Fortune 500 companies were saving $24 per metric ton. Last year, US corporations signed power purchase agreements with renewables developers that will bring 13.6 GW of clean energy into operation. This is equivalent to almost two thirds of the generation capacity added in the United States last year (20.7 GW)—renewables, fossil fuels, and nuclear energy included.

Greener operations can also reduce capital costs. The rapid growth in green lending (where use of proceeds is tied to specific low-carbon projects) and sustainability-linked lending (where borrowing costs are linked to sustainability performance, but with flexibility as to how proceeds are used) provides new opportunities to access cheaper finance. For example, Prologis, Avangrid, CMS Energy and Xylem have all agreed to new credit arrangements with interest rates linked to sustainability performance, and US banks are targeting this new market for growth.

Questions for the board to ask management

How have opportunities to increase operational efficiency through investment in clean energy and energy efficiency been evaluated? How often are these reconsidered?
What opportunities are there to access cheaper green financing?

Capitalizing on Changes in Behavior

The pandemic has imposed changes in working arrangements and lifestyles that may create opportunities to increase green efficiency savings. For example, a shift to remote working may provide opportunities to reduce travel and cut office use and energy costs. However, more fundamental shifts in attitudes may also be underway.

Research firm IPSOS Mori found that more than half of Americans (59%) think that climate change is as serious a problem as COVID-19 and want to see it prioritized in recovery planning—a finding replicated across the world. Companies that capitalize on these attitudes may be able to enhance brand loyalty and increase market share among concerned consumers. Research by New York University’s Stern Center for Sustainable Business has found that sustainable brands have increased their share of the US market during the pandemic—demonstrating this trend.

These dynamics are also relevant to workforces. Strong corporate environmental performance is associated with increased staff satisfaction and attractiveness to talent, with the most popular companies producing significantly lower emissions per dollar of revenues than their peers (see Figure 1).

Put another way, companies with leading environmental credentials will be at an advantage when recovery takes off and the competition for talent heats up. The benefits will continue to increase well after the pandemic has waned, as the labor force becomes increasingly dominated by millennial and Gen Z cohorts who place a higher premium on employers’ climate credentials.

Questions for the board to ask management

What impact will growing consumer concerns about climate change have on the company? What opportunities does this create?
How does the company’s performance on climate change compare to that of its peers?
How does the current talent strategy take into account growing public concerns about climate change?

New Revenue Opportunities

The low-carbon transition is creating demand for new sustainable goods and services worth trillions of dollars across all sectors. The transportation sector has seen rapid growth in zero-emission vehicles and the explosion of new mobility services. By 2030, electric vehicles may account for 28 percent of global passenger vehicle sales; this year, Tesla became the most valuable car maker in the world, despite generating less than one-tenth of the revenues of the second-most-valuable company. In the United States, the green economy is already worth $1.3 trillion and it is growing at over 20 percent a year. Fifty percent of recent growth in consumer packaged goods has come from sustainable product lines while sales of plant-based foods—which generally have a significantly lower carbon footprint than animal-based alternatives—have grown at five times the market rate, to reach $5 billion. New financial products and services are emerging in response—Oliver Wyman estimates that revenues from sustainable finance could amount to $100–150 billion a year.

Even before the coronavirus hit, the multitrillion-dollar scale of the low-carbon business opportunity was abundantly clear. In 2018, 225 of the world’s largest companies reported over $2 trillion of climate-related opportunities from low-carbon goods and services, shifting consumer preferences, and the potential to gain new forms of competitive advantage. Last year, European companies alone identified $1.4 trillion of opportunities—more than six times the cost to realize them. With the United States having the largest green economy in the world, low-carbon opportunities for American companies should be larger still.

Questions for the board to ask management

What impact does the low-carbon transition have on our current strategy? What is the plan to realize low-carbon opportunities?
What is the estimated size of potential low-carbon revenue opportunities for the company? What investments need to happen to realize these opportunities?

The Green Horizon

COVID-19 has not erased these opportunities. The immediate challenges of dealing with the crisis may distract from decarbonization efforts in the short term, and the pace of transition may be slowed if government stimulus plans favor high-carbon activities over low-carbon ones—by providing royalties relief for oil and gas companies rather than providing incentives for efficiency technology upgrades or electric vehicles, for example. But the final destination—a zero-emission economy—is inevitable. This is for the simple reason that climate change will stop only once net global emissions have reached zero. The transition has a long way to go and a lot more value to create.

With many management teams focused on tactical matters of survival in the wake of the coronavirus pandemic, directors have a critical role to play in making sure that strategies keep sight of the trillions of dollars to be gained from low-carbon opportunities on the other side of the crisis. The prize is only going to get bigger.

This is the fourth blog in a five-part series. Check back next week for more insights from MMC on board oversight of climate change.

Rob Bailey is director of climate resilience for Marsh & McLennan Advantage. Scott McDonald is CEO of Oliver Wyman and leader of the Marsh & McLennan Climate Resilience Initiative.


What Changing Director Demographics Tell Us about Board Work

The forces that are shaping business are changing as much as they are intensifying, and with that comes evolving needs for board oversight. Given the extreme turbulence of 2020, NACD partnered with Main Data Group to empirically describe the size, shape, and structure of Russell 3000 boards. MyLogIQ also provided additional data to supplement our work. The research, which is collected in the forthcoming NACD publication The Shape of the American Boardroom, looks at the dimensions of market capitalization and three-plus year market trends to assess how boards are changing. Board turnover in particular illuminates shifts in board demographics, in terms of gender diversity, skill sets, and overall size.

Boards and Committees Are Getting Larger

According to Main Data Group, the average board size has grown steadily between 2017 and 2020. In 2017, the average board size consisted of 9.88 members, and today that figure stands at 10.13; in the Russell 3000, this means the addition of more than 1,000 board seats. Small- and mid-cap companies have largely driven this trend, whereas large- and mega-cap companies have seen, on average, a slight decrease in board size: 12.29 members down to 12.12.

Given this overall trend, it’s to be expected that the average size of committees also increases. But this isn’t the case for all of the standard three board committees. While the average audit committee has held steady at 3.9 directors since 2017, the average compensation committee grew from 3.7 members to 3.9, an increase in the overall Russell 3000 by almost 500 committee members. In that same period, the average nominating and governance committee grew from 3.6 members to 3.9, an increase of over 400 committee members across the Russell 3000.

The nominating and governance and compensation committees going through a growth spurt is not particularly surprising. First, financial expertise is generally viewed as a requirement for serving on the audit committee, and for many new directors, this may not be an ideal committee assignment. Among directors new to board service in 2020, there is a lower level of financial skill than among their predecessors, meaning there could be a steeper learning curve for these directors. Data from MyLogIQ show that only 41 percent of new directors have finance skills, compared to 61 percent of outgoing directors. Another possible conclusion is that audit committees are traditionally where new board responsibilities are sent to reside, so the growth of other committees could be evidence that such new tasks are becoming more evenly distributed and that a wider array of perspectives are needed.

Incremental Progress Toward Gender Parity

The gender balance on corporate boards is slowly evening out. According to Main Data Group, as of the Russell 3000 rebalancing in June 2020, 61 percent of incoming directors were male, while 39 percent were female. Contrasting this with the gender breakdown of outgoing directors—86 percent male and 14 percent female—this has made the overall Russell 3000 gender breakdown 79 percent male and 21 percent female. While this shift won’t get boards to gender parity, it does work to increase the proportion of women on boards.

On a market-weighted basis, our 2020 data confirm the prevailing evidence that larger companies have more women on boards. The data show that 25 percent of large-cap and 30 percent of mega-cap board seats are held by women, whereas 19 percent and 22 percent of small- and mid-cap board seats, respectively, are held by women. This could be for a number of reasons, one of which is that larger companies are held under a larger microscope by shareholders and outside organizations, and therefore face pressure to strive for gender balance in a way that smaller companies may not.

Shifting Skill Sets

According to the data provided by MyLogIQ—360° Public Company Intelligence, 87 percent of overall Russell 3000 directors, as of August 7, 2020, have leadership skills, 60 percent have management and strategic vision skills, 33 percent have technology skills, and 35 percent have investor experience. On the other hand, of directors appointed to their first public company boards in 2020, 93 percent have leadership skills, 41 percent have management and strategic vision skills, 29 percent have technology skills, and 21 percent have investor experience. It should be noted that director skills are determined by MyLogIQ and are pulled from director biographies.

Despite the increasingly complex ways in which technology is reshaping business—and will continue to do so—there is not a significant difference in the average number of incoming directors with technology skills compared to retiring directors. Oddly, incoming first-time public company directors on average have less technology experience, challenging the idea that boards’ desire to have this specialized area of knowledge represented at the table is a driver of board refreshment.

For a broader look at the role of the nominating and governance committee in today’s world, register today for Virtual NACD Summit 2020’s Nominating and Governance Committee Forum, which will take place on November 9 from 11 AM to 2 PM ET.


Board Trust and Cohesion Vital to the ‘New Next’

The world is changing, and boardrooms are feeling the stress of keeping up.

What many thought would be a one-to-two month crisis has turned into a protracted period of distress that has destabilized our society, our economy, and the very way we approach business. Most recent estimates indicate that the pandemic has had “a more negative impact on economic activity in the first half of 2020 than anticipated, and the recovery is projected to be more gradual than previously forecast.”

Beyond the current crisis, the future will be characterized by volatility and long-term uncertainty. How can boards ensure that they achieve the effectiveness necessary to deliver stakeholder value in the ‘new next’? It starts with a winning culture.

At AIIR Consulting, we have conducted extensive research and work in partnership with the University of Pennsylvania’s Wharton Neuroscience Initiative to gain a deeper understanding of team effectiveness. We have concluded that there are two essential ingredients: team performance and team culture. Team performance describes how the team gets work done. Team culture describes how it feels to be on the team.

Boards of directors are facile in identifying problems with team performance. But because board members don’t typically think of themselves as teams, they are less focused on addressing their culture. Compounding this neglect is the unique composition of boards of directors—a mix of high-power individuals from both within and outside of the company. As a result, board members often find themselves operating as individuals rather than cohering into a unit capable of collaboration and complex decision-making on a timely basis.

Overcoming Individual Agendas

While basketball had been an Olympic sport since 1936, the 1992 Summer Olympics were the first games in which professional athletes were allowed to compete, and the USA men’s basketball team was loaded with National Basketball Association superstars, including Michael Jordan, Magic Johnson, Larry Bird, and Charles Barkley.

Coach Chuck Daly, having just led the Detroit Pistons to back-to-back championships, understood the potentially destructive power of the individual egos on the team. So, during a scrimmage with a group of collegiate players, he threw the game. The loss was deeply humbling for the professional players, each of whom was at the top of his career. But it also helped them overcome their individual egos and cohere as a team. The 1992 US men’s team dominated its way to gold, winning each game in the tournament by an average of 43 points.

The 2004 men’s team had similar star power, and included Allen Iverson, Dwyane Wade, Carmelo Anthony, and LeBron James. However, in contrast to the 1992 team, these players failed to cohere. The team lost three games (the most ever for USA Olympic basketball) and took home the bronze, the first non-gold medal since 1988.

Building Cohesion

Trust, psychological safety, and cohesion are the differences between a group of talented individuals and a team. Google’s two-year study of its teams showed that psychological safety was the single most important factor impacting performance. Our work at AIIR strongly indicates that high-level teams with greater levels of trust and cohesion are more engaged, innovative, and more readily able to overcome challenges as they arise.

But trust and cohesion are qualities that have to be actively built and carefully maintained. This takes time, leadership, and purpose. Building trust and cohesion can be especially difficult for a board, even in a “normal” operating environment, as most of the members may see or speak to each other only periodically. This difficulty is exacerbated by current circumstances, in which most boards are unable to interact in person and many social activities (meals, coffee breaks, etc.) are curtailed. Wharton’s neuroscience research has shown that the part of the brain that governs our ability to form and maintain connections with others is physically weakened by isolation.

Coupled with changes in board membership, financial or operating distress, asset sales or acquisitions, and the need to make increasingly critical and complex decisions under extreme time pressure, an inhibited ability to connect and build trust with other directors creates a crucible of board dynamics issues.

Investing for the ‘New Next’

The future will require more of individual directors and boards than anything that has come before. In today’s rapidly evolving, profoundly unknown environment, businesses must fundamentally experiment and take risk. Board members must be able to voice concern and discuss failure, not just success. Only those boards that spend time building trust and cohesion and creating psychological safety will be equipped to handle the changes ahead.

Following a 22-year career as a New York-based investment banker, Jane Sadowsky currently serves as an independent board member for Yamana Gold and Nexa Resources. Jonathan Kirschner is the CEO and founder of AIIR Consulting, a leadership development firm dedicated to helping leaders navigate change and shape a better future.


The Rise of ESG Reporting

We are experiencing a watershed moment for environmental, social, and governance (ESG) issues. Investors increasingly put money into funds comprising public companies with strong environmental policies, social impact, and governance practices. Asset flows into sustainable funds in the United States continued at a record pace through the first half of 2020 to nearly $21 billion, almost the same amount that flowed into such funds in all of 2019, according to Morningstar. This is an extraordinary indication of the value investors place on companies committed to ESG as well as the direction in which companies and their boards are moving.

With the increasing investor attention, public companies are also ramping up communication around their sustainable business practices. The need for this ESG information has been exacerbated by COVID-19, as investors have sought information and metrics around employee health and well-being.

Despite this trend, one of the biggest challenges to assessing a company’s ESG practices that the Center for Audit Quality hears from investors, companies, and board members is the lack of broadly adopted ESG reporting standards. This contrasts significantly with the well-established standards that exist for reporting and evaluating a company’s financial performance and internal controls effectiveness. The health and stability of our capital markets depend upon the reliability, comparability, and relevancy of such company-reported information.    

What is the solution? A globally accepted system built from existing standards and frameworks, and adapted to market needs, could help to ensure that companies put forth readily comparable ESG information for their investors and other stakeholders.

Building Momentum

The focus on ESG reporting as a way for companies to communicate business risks and opportunities has rapidly translated into growing interest from standard setters, regulators, and corporations in this type of enhanced corporate reporting.

Earlier this month, five leading framework and standard-setting bodies announced plans to collaborate on comprehensive corporate reporting—a move the Center for Audit Quality applauds. At the same time, the International Federation of Accountants called for the creation of a new sustainability accounting standards board that would exist alongside the International Accounting Standards Board.

The Role of Auditors in ESG Assurance

So where do auditors fit in? According to a 2019 study by McKinsey & Co., nearly all participating investors (97%) want assured sustainability information. Nearly seven out of 10 investor respondents (67%) say assurance of sustainability information should be as rigorous as a financial audit.

In our public interest role, public-company auditors play a significant part in the flow of reliable information for decision-making. Auditors are experienced at bringing accountability, standards-based analysis, and objectivity to the review of company-reported information, and these skills are transferable to areas of company-reported information beyond financials. Put another way, third-party assurance from a public-company audit firm enhances the reliability of information presented by companies to investors and other stakeholders, as it does with audits of financial statements and internal control over financial reporting.

We’re already seeing prominent public companies move in this direction. Johnson & Johnson, Guess?, and Etsy, to name a few, are early adopters of obtaining assurance on their ESG reporting and we anticipate that going forward more companies will take this approach.

What Boards Can Do

With investors and other stakeholders placing increased emphasis on ESG information, it is important for boards to understand key ESG risks and opportunities specific to their companies’ business purpose and core operations. Board members must consider where their organizations are today with respect to their ESG information. They should also consider some key questions outlined in the Center for Audit Quality’s recently released report on the role of auditors in company-prepared ESG information, which include the following:

Has the company identified all relevant or material risks associated with ESG reporting?
Does management have the necessary information needed to assess ESG-related risks, and on what cadence should ESG information be provided to the board?
Does the company have the appropriate internal controls, policies, and personnel in place to accurately track and disclose ESG information?
Who in management is preparing and providing the ESG information, and what is the finance function’s role in the preparation of this information?
Do one or more board committees have explicit oversight responsibility for ESG, and what role do other committees and the full board play in ESG oversight (e.g., governance committee involvement in overseeing related factors, audit committee involvement in assessing the appropriateness of management’s risk assessment of this information)?
Where and how is the information currently being reported? Is this in line with where investors expect to see it?
Is the company currently following a framework or a standard for disclosing this information? If so, is it the appropriate framework or standard for the company?

Boards that prioritize these considerations now will have a leg up as stakeholders rally around a market-based system for reporting reliable, comparable, and relevant ESG information. It no longer seems a question of whether this will happen but when.

Julie Bell Lindsay is the executive director of the Center for Audit Quality.

For a deeper dive into the climate-related aspects of ESG oversight, register today for Virtual NACD Summit 2020’s Expert Insights: Environmental Risk Oversight session, which will air on October 15 at 3:00 PM EDT.
