Technology is changing at the fastest rate in history. As a result, corporate boards are struggling to figure out how to ride the tiger: how to harness the awesome possibilities of technology while limiting the risks and damage it can cause to the company's finances, strategic interests and reputation.
Boards are also being forced to consider whether familiar committee structures are sufficient for the task. Should they rely on the existing board structure to work problems out, bring on new directors with technology expertise, or create new technology and risk committees to guide strategy and guard against data breaches or cyberattacks?
However a company chooses to oversee cybersecurity, to be effective, cyber governance needs to have board, C-suite and senior cybersecurity staff involvement, according to Andrea Bonime-Blanc, CEO of GEC Risk Advisory LLC, and author of a recent report for The Conference Board that examined best practices in cyber risk governance. General counsel have a critical role to play in ensuring that cyber risk is managed as a strategic risk, and in making board members and staff aware of compliance issues and legal risks related to email, texting and social media, she says.
In some companies, that may not be so easy. A 2015 survey by the Ponemon Institute found that 35 percent of directors did not want the board to be responsible for IT security. Of these, 80 percent thought it was best handled by management. Half feared director liability, and one quarter said they lacked expertise. Surprisingly, 13 percent did not consider cybersecurity a priority issue.
On the other side, Securities and Exchange Commissioner Luis A. Aguilar has been among the most vocal in urging the boards of public companies to play a far greater role in their companies’ security efforts. In a June 2014 speech, he noted that companies have good reason to comply. “In addition to the threat of significant business disruptions, substantial response costs, negative publicity, and lasting reputational harm, there is also the threat of litigation and potential liability for failing to implement adequate steps to protect the company from cyber-threats,” Aguilar stated. And, he reminded his audience, derivative lawsuits have been filed against companies and their officers following data breaches.
Again, the responsibility for dealing with many of these consequences will fall on GCs.
Most companies have assigned responsibility for preventing data breaches and other cyber-attacks either to the full board or the audit committee. However, both Mary Jo White, chair of the Securities and Exchange Commission, and SEC Chief Accountant James V. Schnurr gave notice in December that they believe audit committees are being overburdened, with Schnurr pointing out that audit committees are often charged with oversight of risks like cybersecurity, emerging technologies and compliance that are not part of their primary functions.
“In this environment of growing audit committee agendas, it is important not to lose sight of the key SEC and exchange listing requirements for audit committee performance,” Schnurr warned.
Bonime-Blanc agrees. “It is better to have a separate risk and compliance committee and assign to it all non-financial risk, including cyber, compliance and reputation risk,” she argues.
There are signs that companies are slowly moving to this position. PwC's 2015 annual corporate directors survey found that 10 percent of respondents now have a separate risk committee with primary responsibility for oversight of IT risk—up from 7 percent in 2012; 4 percent have a separate IT committee. Nevertheless, 54 percent of companies still assign the job to the audit committee, and 27 percent to the full board. According to the 2015 Spencer Stuart Board Index, 12 percent of S&P 500 companies now have standalone risk committees—compared to 4 percent in 2010—with 81 percent composed entirely of independent directors.
Still, according to the PwC survey, boards continue to prize financial, industry and operational expertise well above IT strategy or cyber-risk expertise.
Cybersecurity risk is one thing. The risk of going out of business because an unforeseen new technology has made yours irrelevant is another. Failing to keep up with new advances or make the right investments can be a deathblow.
To oversee strategy, some boards have formed technology committees. According to the Spencer Stuart index, 9 percent of S&P 500 boards have technology committees—up from 6 percent in 2010. Over 80 percent are composed entirely of independent directors.
Spencer G. Feldman, a partner with Olshan Frome Wolosky in New York has written about the role of technology committees. Feldman points out that these committees can define the company's overall technology strategy and help when corporations are making key decisions about issues such as their overall capital investment in new technologies, moving to the cloud, employees’ use of mobile devices, or new computer systems.
Feldman says the committee should be a cross-section of the board and favors a balance between inside and outside directors with the necessary expertise. “A technology committee can also be set up as a standing committee that only meets when necessary, or as an ad hoc committee in connection with an acquisition to make sure the target's systems are compatible with your own,” he says, noting that the committee's mission statement may vary from company to company.
For example, the purpose of Morgan Stanley's Operations and Technology Committee is “to assist the Board in its oversight of (i) the Company's operations and technology strategy and significant investments in support of such strategy and (ii) operations and technology risk.” In a company with a high research and development component, the committee may focus more on its scientific and technical direction. At Walmart, its bailiwick is oversight of “technology, eCommerce and innovation.” Target Corp. assigns IT risk to its Risk and Compliance Committee while technology strategy falls under its Infrastructure and Investment Committee.
Vivek Wadhwa, a Fellow at the Rock Center for Corporate Governance at Stanford University, supports the use of technology committees. Wadhwa says flatly that directors who don't understand the impact of new technologies should not be serving on boards because they are not qualified to do so. “Every industry will be impacted and they will not be able to provide the right guidance. And it will be more so in the next five years,” he says.
The strategy challenges go beyond cybersecurity to robotics, sensors, artificial intelligence, gene editing and other new technologies that are designed to be disruptive. “Directors don't need to know how to build it, but what they are, how they work, and how they might impact your business,” Wadhwa states, contending that directors need at least the high-level view offered by magazines like Wired and Fast Company.
And he warns it's not just companies in the high-tech industries that need to worry. Amazon has disrupted not just booksellers like Barnes & Noble but also retailers like Wal-Mart. Hotel chains have been blindsided by Airbnb, taxicabs by Uber, and manufacturing by the impact of 3-D printing. Wadhwa himself teaches a workshop in which participants are challenged “to think and act like the Silicon Valley entrepreneurs who are gunning for Goliath.”
In this cauldron of change, GCs will play a vital role, Wadhwa says. “They should be educating directors about the effects of new technologies, and introducing discussions about the ethical and legal issues that will arise.”