To Mitigate Cyber Risks, Some Board Members Should Look in the Mirror

When chief information security officers (CISOs) present the state of cybersecurity to board members, the “insider threat” is a common topic. And for good reason—insiders are the number one security threat facing organizations today, according to the Optiv Security 2019 State of the CISO Report. CISOs tell the board often that they are trying to mitigate this problem through employee education, since many breaches caused by insiders are due to careless, rather than malicious, behavior.

But one thing CISOs probably don’t talk about—unless they’re
particularly brave—is that board members can identify the most dangerous
non-malicious insider threats by looking in the mirror. When one considers that
board members have access to the company’s most sensitive information, and that
they are likely too busy (or too disinterested) to participate in cybersecurity
training programs, it becomes clear that this toxic combination makes them a significant
security threat.

How Board Members Become Insider Threats

There are a number of ways in which board members
inadvertently become security risks:

Falling victim to “whaling” attacks. These are highly researched, highly targeted phishing attacks directed at board members, designed to gain access to their computers and to sensitive information. For example, a whaling attack could take the form of a spoofed email from the chief financial officer with a malicious file attachment and a message saying, “I’ve attached the minutes from the meeting last week—please let me know if you have any changes. We need approval from everyone by 5 PM tomorrow.” Board members who are unaware that they are prime targets for whaling attacks can be susceptible to these types of scams and click on the attachment.Using personal email. A study by Forrester Consulting and Diligent Corp. found that 56 percent of board members use personal email, rather than business email, to communicate with other directors and executives. This may be well-intentioned—they may be concerned that IT personnel monitoring email could see their messages—but as a cyber risk, this practice is a disaster. Companies should establish secure portals or encrypted email for all board communications.Giving away too much personal information. As noted in the discussion of whaling attacks, cybercriminals understand who the most valuable targets are, and will conduct in-depth research as the basis for targeted social engineering scams. Board members may be contributing to this problem without knowing it. If they, or even their family members, disclose personal information on social media channels, it can be used as the basis for such attacks. For example, if criminals see through posted photos or the like that a CEO’s family is going to Hawaii on vacation, they can execute a business email compromise attack where they send a bogus message from the CEO to an accounts-payable person in the company, saying, “My Hawaii vacation is off to a terrible start—the president of one of our biggest partners called me in the airport about this delinquent invoice. Please wire the money to them ASAP. I don’t want to be bothered by this.” There would be a bogus invoice with wiring instructions to the criminals’ bank account attached to the email, and the poor finance person would wire the money, fearing the wrath of the CEO. The FBI reports that these kinds of scams bilked companies out of $26 billion between June 2016 and July 2019, and they are growing by 100 percent every year.  Turning Insider Threats into Hardened Targets

These are just three examples of how board members can
compromise the security of their companies. The first step to solving this
problem is to remember the famous quote from the classic comic strip Pogo: “We have met the enemy, and he is
us.”

Once board members have established that degree of
self-awareness, the next step is to ask the CISO to make sure to include the
board and all senior executives in cybersecurity training and awareness
programs. Then, when they look in the mirror, they’ll see a hardened target—not
an insider threat.

Brian Wrozek is vice president of Corporate Security at Optiv.

Survey Finds Appetite for Board’s Role in M&A Oversight to Grow

Mergers and acquisitions (M&A) activity continues to be a significant strategic tool for many organizations, and the management teams of organizations are looking to the board for deeper involvement and for their own wisdom. In an effort to gauge the extent to which boards are sufficiently equipped to support management on this front, NACD partnered with Deloitte to conduct a poll on the subject. Two hundred and nine NACD members responded to the poll between May 22 and June 24, 2019. Two findings from the survey are particularly noteworthy:

Both directors and management seek greater involvement from the board’s nonexecutive directors. Integration is a critical phase of M&A, and one where the board’s greater involvement can serve as a real asset to their organization.Boards Seek a Greater Role

There
is evidence that efforts to combine businesses remain an important lever in
formulating and executing business strategy, as the pace of M&A activity
remains high. Survey respondents indicate that boards would like to be more
directly involved in M&A activity, and there is good evidence that
management is increasingly keen on this growing board involvement.

Directors want to
share their business wisdom. More
than 80 percent of survey respondents indicated that there is a greater
opportunity for nonexecutive directors to use their previous management
experience to support management throughout the M&A process. Management is
reaching out to the board for help. Sixty-three
percent of respondents report that senior management has attempted to engage
the board more frequently about M&A activities compared to prior years. Further,
management is looking at new and innovative ways to engage with directors. Senior
management has gone on to employ new M&A tools or methods to involve the
board in more dialogue around M&A at 45 percentof respondent companies.Boards are seeking directors
with M&A expertise. Nearly a quarter (24%)
of poll respondents indicated that their board has
considered bringing on new directors with specific M&A expertise.Click graph to enlarge in a new window.

Click graph to enlarge in a new window.

Opportunity Abounds for Board Involvement In Integration

While
it is evident that there is an increased desire for board guidance through the
span of the M&A process, the integration stage in particular may merit more
nonexecutive director support. It might also be the stage where their advice
could yield the greatest value.

The board can help
field points of increased scrutiny in the deal. Nearly two-thirds (64%) of respondents feel it is likely that
the integration stage of the acquisition process will be subject to increased
levels of scrutiny by a range of stakeholders. This stage may deserve this
extra attention, as the complexities of merging finances and cultures can
hinder any sought-after efficiencies. It is at this stage where many deals fall
flat, leading to decreased yield on the deal’s potential value. Having the help
of an engaged board could help companies avoid deal failure.Integration is a key opportunity
for board contribution. After reviewing
management’s strategy with respect to a given transaction and subsequently approving
that transaction, the third-most-common task undertaken by respondent boards is
holding management accountable for integration strategy. Currently, 66 percent
of respondents indicate that their boards review post-merger integration plans,
and 40 percent go on to oversee post-merger execution. However, further
nonexecutive director involvement may be necessary, as a narrow majority (50%) of respondents feel
that it is very
importantor extremely importantthat the
board include at least one nonexecutive board member who has experience
managing or overseeing integrations. Executives welcome board
support. This sentiment was particularly strong
among executives who indicated that they would value the input of directors
whose professional involvement with M&A was in an executive role (as
opposed to a director or advisor), perhaps reflecting the value such a director
can have for a sitting executive.Click graph to enlarge in a new window.

Click graph to enlarge in a new window.

Click graph to enlarge in a new window.

Click graph to enlarge in a new window.

There are a number of complicated issues (financial and cultural issues, for example) that boards should help executives consider and sort out at the integration stage, up to and including what happens to the board itself.  Nearly half of respondents indicate that they have recently discussed the impact that an M&A transaction would have on the board. The difficulties encountered at this stage are many, and given the consequences of failure, it is perhaps not surprising to find that additional board guidance may be required—even on tough topics that might lead to the elimination of a board seat, for instance, in the name of deal success.

Additional Resources

NACD can support directors in several ways. A recent report from NACD’s Director Essentials series on “Strengthening Oversight of M&A” includes a summary of M&A trends and provides guidance for boards in fulfilling their role throughout the M&A process. Additionally, Deloitte’s report, The State of the Deal: M&A Trends 2019, provides an overview of the outlook for M&A in 2019 and can be found here.

For more NACD content related to the board’s role in M&A oversight, please visit our Resource Center dedicated to the topic.

Proposed International Tax Changes Could Rattle Multinationals

After decades of operating within a generally stable
international tax regime, multinational companies have had to acquaint
themselves with a flurry of new acronyms and rules in the past several years. In
2015, efforts by regulators got underway to reduce BEPS, or base erosion and profit
shifting. US tax law changes in 2017 introduced GILTI to address global intangible
low-taxed income and the BEAT, a base erosion and anti-abuse tax.

The acronym that those in the boardroom should be
familiar with now? OECD.

The Organisation for Economic Co-operation and
Development is hosting an ambitious project consisting of 130-plus nations
attempting to revise the international tax architecture to account for the ways
in which the digitalized economy has blurred traditional lines of jurisdiction.
Whether consensus can be reached—and, in particular, whether it can be reached
by the target of year-end 2020 by countries with vastly different priorities,
politics, and domestic industries—remains to be seen. But there may be
significant risk to those entities ignoring this project.

Why should boards be concerned? The OECD project has
the potential to significantly impact a company’s risk profile and strategic
planning, two of the key areas of board oversight. Accordingly, directors
should stay informed about the status of the project and how it might impact
the companies they serve.

At its core, the multilateral effort—which also has a
mandate from the finance ministers of the G20—seeks to write new rules that reallocate
some portion of companies’ profits to the market jurisdictions where they have
sales and/or users, but not necessarily a physical presence. The revisions seek
to take into account the fact that physical presence is no longer required for
entities to profit from a jurisdiction (what the OECD has dubbed Pillar 1 of
the project), and to ensure that profitable companies are paying some minimal
level of tax (Pillar 2).

In the project’s earliest stages, a cohort of key
countries, led by France, had their sights set on a relatively small group of digital
giants—just about all of which are headquartered in the US. After the US made it
clear that it would not sign on to an effort targeting only its own high-profile,
high-tech companies, the countries engaged have generally conceded that any new
regime will need to apply more broadly. The work being done is now looking not
just at highly digital business models but also at other large, high-profit multinationals
that benefit from marketing intangibles.

It’s not clear that there has been significant progress made towards a consensus design, but in early October the OECD staff released a proposed “unified approach” to Pillar 1. This proposal is an attempt to move the ball forward, and it gives companies and business organizations the opportunity to provide input on both the overarching design of new rules and the myriad details that will be critical to the impact on any individual company.

Should a group’s profits be looked at on a global
basis? By business line? By region? Should there be size thresholds? Exempt
sectors? While the proposal seeks to reallocate to markets a company’s operating
margin in excess of a formulaic “routine return,” it is not yet agreed what
constitutes a “routine return” and whether it should differ from industry to
industry. How much of the residual return should taxing jurisdictions get? And the
questions go on, and on.   

This project is a political one as much as a technical
one, and the government participants have acknowledged the implementation
challenges that lie ahead even if consensus on the details is reached. However,
with many countries anxious to stake a claim to profits beyond their
traditional reach, the only greater risk for multinationals than a new global
agreement may be the failure to reach
a new global agreement. One need look no further than France, which implemented
a digital services tax (DST) this summer, to foresee the challenging landscape
that dozens (or more) of similar but uncoordinated unilateral measures may create
for businesses. 

Because the project has the potential to change
international tax rules well into the future, directors are strongly advised to
learn and understand how the proposals could affect their company’s bottom line
and strategic decisions. There is a great deal of engagement by the business
community, with both their respective governments and the OECD itself. How is
your company engaged?

Bob Stack is a managing director in the international tax group of Deloitte LLP’s Washington National Tax practice. Storme Sixeas is a senior tax policy manager in Deloitte LLP’s Washington National Tax practice.

As used above, Deloitte refers to a US member firm of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (DTTL). This article contains general information only and Deloitte is not, by means of this article, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This article is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this article. Copyright ©2019 Deloitte Development LLC.

It’s Time to Reassess ESG and Sustainability Reporting

Nearly all S&P 500 companies provide some form of environmental,
social, and governance (ESG) or sustainability reports today, but there are
growing concerns by a range of stakeholders—investors, employees, customers,
regulators, and activists—regarding the quality, comparability, and usefulness
of these reports. For a variety of reasons discussed below, and based on
analysis of several approaches to disclosure, we expect increasing stakeholder demands
for more transparent and higher quality ESG reporting.

The Current State of
ESG Reporting

In a post in the Harvard Law School Forum on Corporate Governance, the Investor Responsibility Research Center Institute’s Jon Lukomnik describes the current state of ESG reporting based on findings of a 2018 report by the Sustainable Investments Institute (Si2): “Most companies reporting on sustainability issues are navigating the landscape in their own way, using multiple reporting models and customizing guidance for their own needs. […] But Si2 also found a surprising share of companies are including sustainability information in their financial filings—annual reports, Forms 10-K and proxy statements—indicating elementary but growing acceptance that sustainability information is material to investors. All these findings show most companies are paying attention and adapting to raised expectations from stakeholders, including but not limited to investors. Integrated reporting just may be the future of corporate disclosure its proponents assert, even if change is slow and constantly shifting.”

Among Si2’s other findings cited in the Harvard blog
mentioned above:

Of all the S&P 500 companies, 92 percent posted
public sustainability data on their sites.78 percent publish sustainability reports, and
these come in the form of a download or are posted on a website.97 percent of companies with such reports
customized their sustainability reporting rather than adopting a single
structure.35 of the 395 reporting companies pointed to the
Sustainability Accounting Standards Board (SASB) frameworks and 4 companies
pointed to the International Integrated Reporting Council frameworks as having
helped shape their own.In 2018, a total of 14 S&P 500 companies published
an integrated report.Demands for More Transparent,
Higher Quality ESG Reporting

ESG reporting has been of growing importance and concern to institutional investors for a number of years. BlackRock has cited ESG disclosure as one of the priorities of its stewardship program, stating that “the quality of information which underpins both investors’ and businesses’ pursuit of greater sustainability is uneven and presents a barrier for further progress in sustainable finance.”

Institutional investors understand that ESG issues may pose huge financial risks. The World Economic Forum’s The Global Risks Report 2019 shows that ESG-related matters account for more than half of the world’s top 10 risks in terms of both likelihood and impact. Investors are demanding information—and seeking engagement with companies—on core ESG issues and their impact on such companies.

Employee activism regarding ESG issues is in its early
stages but is growing rapidly. Millennials have a particular interest in ESG
issues. And the number (and success) of shareholder proposals relating to ESG
matters—particularly
the “E” and the “S”—continues to increase.

Shearman & Sterling LLP’s 2019 Corporate Governance & Executive Compensation Survey identifies other forces driving ESG, including the proliferation of ESG research and ratings firms. Institutional Shareholder Services and Glass, Lewis & Co. have indicated they will make voting recommendations based on ESG positions taken by a company, and state governments and European countries have been catalysts for change.

In August, the Business Roundtable released its “Statement on the Purpose of a Corporation,” which, according to its press release, redefined the purpose of a corporation “to promote ‘an economy that serves all Americans.’” The statement was signed by 181 CEOs who committed “to lead their companies for the benefit of all stakeholders—customers, employees, suppliers, communities and shareholders.” The statement concluded, “Each of our stakeholders is essential. We commit to deliver value to all of them, for the future success of our companies, our communities and our country.” In light of this statement, expectations will be high for organizations to articulate in their ESG disclosures how they are meeting their commitments to stakeholders and reconciling competing interests.

Considering an ESG disclosure
reporting framework

According to a recent World Economic Forum whitepaper, there is general agreement that one of the biggest problems with ESG reporting is that a specific organization’s ESG data, thanks to varying voluntary reporting standards across industries, geographies, and other factors, isn’t easily compared to other organizations’ reporting. To date, over 100 ESG standard-setting initiatives have been developed, causing option overload. Among the most prominent are SASB, the Global Reporting Initiative, and the Task Force on Climate-Related Financial Disclosure.

The Financial Times has reported that poultry business Sanderson Farms received a shareholder proposal urging the company to follow SASB’s guidelines in its ESG disclosures, and that similar requests are expected to be submitted at other companies across sectors during the 2020 proxy season.

Conclusion

Given the heightened focus and attention on ESG reporting, boards
should encourage their management teams to reassess the scope and quality of
the company’s ESG reports and disclosures—including benchmarking against peers,
consideration of the methodologies and standards of various ESG raters, and
understanding the expectations of investors and other stakeholders—and review
various ESG reporting frameworks for possible adoption by the company. To bring
the right focus and attention to the effort, a board committee, such as the
audit or governance committee (depending on bandwidth and expertise), should
oversee the effort. Management’s disclosure committee should be part of these
discussions to help ensure that the company has the necessary infrastructure, including
disclosure controls and procedures, to support its ESG reporting.

For more about connecting ESG, strategy, and long-term value, see The ESG journey: Lessons from the boardroom and C-suite.

The How, Why, and What of Artificial Intelligence

If you’re anything
like me, you don’t have to step outside your front door to see what an impact
artificial intelligence (AI) is having on our lives. My virtual assistant helps
me to wake up at the right time, informs me what weather I can expect, and
schedules those all-important anniversary reminders. And once I’m on the road,
my satellite navigation system finds me the quickest route while news updates
stream to my phone based on my preference history.

But what exactly is AI and is the current hype surrounding it valid? In a new technology brief from NACD and Accenture Security, we look at the nuts and bolts of AI, where it comes from, and how it works. Here are some of the report’s ideas on the opportunities and risks of AI, and how organizations can take their first steps toward responsibly employing it.

AI is far from
a new idea—but it does offer new opportunities. AI is
likely to become a new driver of economic value for organizations, but
businesses may find it difficult to leverage this technology without first
understanding the opportunities it presents. To set a clearer path forward,
corporate leaders should consider doing the following:

Review and, where appropriate,
introduce automation into business processes,Assess how AI can augment
employees’ current work, andAvoid concentrating or limiting
this technology; instead, diffuse it throughout business units or functions.AI benefits don’t
come risk-free. Organizations should get started on
their AI journeys with a clear-eyed view of the likely risks. AI-associated cyber
risks fall into two broad categories: data integrity and algorithm
manipulation. The learning and decision-making capabilities of AI can be
altered by threat actors modifying the data used in the training process. The
algorithms themselves should also be protected from manipulations by threat
actors hoping to change the outcomes of AI systems for malevolent purposes. Breaches
can also take the form of “poisoning attacks,” where the machine learning model
itself is manipulated.

Four principal
risks should be considered in the near-term:

Trust and transparency: Complex forms of AI often operate in ways that can make it hard to
explain how they arrived at the results produced. New approaches are needed to
offer better explanations of the processes underlying AI decisions. Decisions
taken by AI must be open to interrogation or appeal.Liability: Executive leaders and the board should carefully monitor changes
in legislative and regulatory requirements to ensure compliance.Control: Careful thought is needed on when and how control is or should be
shared or transferred between humans and AI. Security: As the growth of AI into all sectors increases, security becomes
paramount and is compounded by the current lack of protection to both AI models
and the data used to train them. Boards should ensure they are asking the right
questions of management and outside advisors to secure their burgeoning AI
tools.Securing AI

Many of companies’
current investments in cybersecurity are dedicated to securing the
infrastructure underpinning AI models. This includes patching vulnerabilities
in software and systems, implementing robust access management to ensure
employees only engage with the necessary information to do their jobs, and prioritizing
the security of the firm’s most valuable data assets. The adoption of AI
systems generally creates entirely new areas of infrastructure to secure the AI
models themselves and requires better security practices to mitigate against
these vulnerabilities.

Here are some
suggestions around meeting the many challenges of secure AI governance:

Limit the AI learning rate. Limiting the volume of data to be ingested in an AI system over a
set period can act as a major deterrent to hackers, since the learning process
will take longer and malevolent data may be spotted more easily.Validate and protect AI
input. In assessing data integrity practices, both
around protection and validation, companies should carefully focus on inputs
into AI models and confirm that these originate from identifiable and trusted
sources.Restrict access to AI models. Restricting access to AI models by limiting certain employees’
ability to make ad hoc changes is one of the most effective forms of defense.Train AI to recognize
attacks. If enough malicious examples are inserted
into data during the training phase, a machine learning algorithm can
eventually understand how to interpret toxic data and reject adversarial
attacks. Business continuity and disaster recovery are also vital practices.
Organizations should understand how to relearn and recover after a cyber attack
without negatively impacting the business.This article only scratches the surface of a broad topic that is going to have an even greater impact on our individual lives in the future. We know that data integrity is a fundamental requirement to help secure AI from malevolent influence, and we also know that AI raises ethical challenges as people adjust to the larger and more prominent role of automated decision making in society. Going forward, our report concludes that the emphasis needs to be on engineering resilient modeling structures and strengthening critical models against cyberattack by malicious threat actors. 

If you’d like to pressure-test your management’s preparedness to assess and mitigate the risks associated with AI, take a look at the board primer on artificial intelligence today. It may help to open the dialogue in your organization to some of the questions—and answers—that you need.

Bob Kress is a managing director, co-chief operating officer, and global quality and risk officer for Accenture Security.

Take The Nike Approach To A Job Search To Get An Unfair Advantage

Over its history, Nike approached expansion by minimizing the variables it changed. Do the same in your job search, changing only what you must across your job and function, industry, geography, personal brand. and relationships. That focused approach will give you an unfair advantage over those trying to be everything to everybody.
Nike tackled expansion by changing only one variable at a time. For example, their first entry into any international market was with running shoes branded Nike.
Click here to read more.

The post Take The Nike Approach To A Job Search To Get An Unfair Advantage appeared first on PrimeGenesis.

As An Executive Onboarding Into A New Role, Engage Intellectually, Emotionally And Practically – In That Order

40% of new leaders fail in their first 18 months because of poor fit, poor delivery or a poor ability to adjust to a change down the road. Often the underlying root cause is that they instinctively think that what made them successful before will make them successful in their new job. Wrong. Instead, as an executive onboarding into a new role, you need to apply deliberate thinking to lock down an intellectual framework for your new situation, carefully choose the stories that will help you connect emotionally, and then evolve processes to embed new ways of thinking, feeling and practical action.
Click here to read more.

The post Take The Nike Approach To A Job Search To Get An Unfair Advantage appeared first on PrimeGenesis.

The Lesson For All Leaders From Boris Johnson’s Bare Minimum Brexit Compliance

Last evening Boris Johnson did what the UK Parliament had legally mandated he do. He sent the EU a letter requesting a Brexit delay. This is, of course, just one step in the UK Brexit story. At the same time, it’s a classic lesson in the bare minimum compliance. Yes, he complied with the law and sent that letter. He also sent another letting telling the EU that any further delay was a bad idea. And no one knows what he’s saying behind the scenes. But we can imagine. The lesson for all leaders is that compliance may not be enough. You need contribution or commitment.
Click here to read more.

The post Take The Nike Approach To A Job Search To Get An Unfair Advantage appeared first on PrimeGenesis.

Why Where To Play Must Be Your First Choice

We keep learning the same lesson over and over again – or not. Porter told us that strategy is choosing what not to do. Choosing not to focus is choosing to be average at everything. And average does not win. Marakon’s Neal Kissel just sent me their latest research showing yet again that “the path to superior performance is determined by management’s decisions about where to focus the firm’s strategic resources (time, people and capital).”
Pay attention to the five BRAVE questions. Answer them outside-in in order:
Where to play? (Environment – context)
What matters and why? (Values – purpose)
How to win? (Attitude – strategy)
How to connect? (Relationships – communication)
What impact? (Behaviors – implementation)
Click here to read more.

The post Take The Nike Approach To A Job Search To Get An Unfair Advantage appeared first on PrimeGenesis.

How Nissan’s Makoto Uchida Should Channel Lyndon Johnson As He Takes Over From Carlos Ghosn

It’s not a perfect analogy. But both Makoto Uchida and Lyndon Johnson took over from leaders cut down mid-stream. Jack Kennedy was assassinated. Carlos Ghosn was arrested on charges of financial misconduct. Johnson did an amazing job in his first 100-days of calming down the country, keeping Kennedy’s cabinet intact, and re-starting critical legislation. Uchida should channel Johnson in dealing with emotional, personal and business issues – in that order.
Forbes auto-expert Greg Gardner laid out what Uchida is facing in his article on the Post-Ghosn Turnaround. Key points are that Nissan needs a financial and cultural turnaround. Nissan’s most recent profits fell 94.5% year-on-year. Culturally, the organization needs to move to more “Group leadership, where they all support each other” and are “more transparent” according to Nissan’s chairman, Yasushi Kimura.
Click here to read more.

The post How Nissan’s Makoto Uchida Should Channel Lyndon Johnson As He Takes Over From Carlos Ghosn appeared first on PrimeGenesis.