Boards need independent assessments of their firms' cyber threat environments, practices to overcome potential suppression of vulnerabilities by internal staff
Information technology and cyber-security continue to be the leading concern for both directors and general counsel, according to the fifteenth annual Law in the Boardroom study released recently by FTI Consulting and NYSE Governance Services. The survey of nearly 500 directors and GCs finds that operational risk, crisis preparedness and corporate reputation are also among the five leading concerns for both groups. Directors name succession planning as an additional leading concern, while GCs cite regulatory risk.
More than three quarters (77 percent) of both directors and GCs say the risk of cyber liability at their company has increased over the past two years. Roughly three quarters of directors and two thirds of GCs believe they need more information about IT/cyber risk to be able to provide good governance in this area.
‘I think some GCs believe they have insufficient information and know that they need more information to be able to [provide] a complete answer. And I think the flip side is equally true: they’re not quite sure whether they have a full grip on all the relevant information to be able to gauge risk, compliance, remediation,’ says Tom Brown, senior managing director at FTI Consulting.
Boards are seeking out independent assessments of the vast cyber-threat environment and of how well prepared their companies are to confront such risks, says Chris Tarbell, a managing director at FTI Consulting and specialist in cyber investigative techniques.
‘They’re also looking to be educated so they know how to ask the right questions. In the event of a breach or [another] event, they’re conducting their own post-breach assessments to fulfill their fiduciary obligations,’ Brown says. Boards want to know whether their company’s responses to and remediation of cyber security threats are timely and effective and how to best structure themselves to be able to address and deal robustly with these events, he says.
Another point of interest is what the survey reveals about each group’s perceptions of the other’s capabilities in this area. Less than half of the directors polled say they are very confident or confident in their GC’s oversight of cyber risk, while 65 percent of GCs say they are very confident or confident in their directors’ oversight in this area. Equally illuminating is that for both groups confidence in cyber risk oversight is lower than in all other areas.
‘This is a developing area for boards,’ says Brown. ‘I think the average company now recognizes this is a risk and boards are taking steps to get their arms around it, but it’s not an overnight process. It requires a lot of careful study. They need to have expert guidance because of the complex nature of the field.’
It would be beneficial for boards to get independent guidance given the potential conflicts of interest among internal staff, where there may be a tendency to circle the wagons to the extent that one or more departments may be sitting on a security vulnerability that they don’t necessarily want others to know about, he explains.
‘Having an outside expert kick the tires and see where the company is in terms of best practices and compare that with its peers is a useful thing,’ he adds. ‘And I think that board members who are looking to fulfill their fiduciary responsibilities would do well to consider cyber as an important issue and at least to get some comfort that the company’s on the right track with respect to cyber security.’
Shareholder activism is another area where both directors and GCs believe they are in need of further training. While more than two thirds of both groups say they have evaluated how vulnerable their companies are to being targeted by activists and roughly two thirds say their companies have formal protocols in place for shareholder engagement and communications, about 60 percent of both groups believe their boards ‘would benefit from participating in an activist training scenario.’
Before activists approach management with demands, companies would do well to consider four critical steps to activist preparedness, the report recommends. They range from forming an activist response team that includes key internal staff members and outside advisers and monitoring for activist activity to engaging with shareholders and communicating broadly to the market.
Thirty-six percent of directors polled say they are extremely concerned or concerned about shareholder activism and litigation this year, versus 43 percent of GCs. One quarter of directors and roughly one third of GCs believe their risk of liability from shareholder lawsuits has increased over the last two years, while 62 percent of directors and 68 percent of GCs say their company has formal shareholder engagement protocols in place.