Managing Cyber Risk | FTI Consulting

Managing Cyber Risk: Job #1 for Directors and General Counsel

The results of the FTI Consulting 2014 Law in the Boardroom Study, conducted with NYSE Governance Services, publisher of Corporate Board Member magazine.

Managing Cyber Risk: Job #1

Each year, FTI Consulting and NYSE Governance Services survey public company directors and general counsel about the legal and governance issues that concern them the most.

Early this year, nearly 500 directors and general counsel participated in the 2014 Law in the Boardroom Study. Over time, this annual survey has given us the opportunity to identify the key concerns of directors and general counsel and see how these issues evolve from year to year. What directors and general counsel say provides a unique insider’s view of the “currents” and practices of business, both in the United States and globally. This work also allows us to compare and contrast each group’s outlook on the year’s critical issues so we can gauge how well they are aligned, and it helps boards and their legal team peek over the battlements of their own enterprise and put their challenges and practices into better perspective.

In the 2014 survey, after the traditional topic of regulatory compliance — which, of course, regularly disturbs general counsel — data security topped both directors’ and general counsel’s lists of worries, outranking, for directors, 2013’s top concern of succession and leadership transition. The risks that come along with the digitization of business (and everything else) are multiplying, as are the costs of protecting against and remediating the impact of cyberattacks and data breaches. This year, information technology (IT) cyber risk oversight was chosen by 41 percent of directors and 33 percent of general counsel as an issue upon which they will spend significant time, appreciably more than last year’s 28 percent for directors and 27 percent for general counsel.

Carrying over from 2013 were the challenges presented by the seemingly unstoppable merger and acquisition (M&A) market, the (perhaps) connected demand for increased shareholder engagement, the risks presented by social media, and the traditional issues of enterprise risk management (ERM), compliance and compensation.

What follows is a closer look at these broad areas of concern.

IT/Cyber Risk and Data Security

According to the Ponemon Institute’s 2013 Cost of Cyber Crime Study: United States, the average annualized cost of cybercrime in 2013 was $11.6 million per company studied, with a range from $1.3 million to $58 million. The average annualized cost in 2012 was $8.9 million. This 2013 cost figure represents a 30 percent increase over 2012 — little wonder that cyber risk has risen to the top of what keeps directors up at night.

Managing Cyber Risk: Job #1

Indeed, 34 percent of general counsel and 27 percent of directors are not convinced their company is secure from hackers. What may be even more troubling is that a quarter of both directors and general counsel surveyed believed their company is secure despite the fact that the Ponemon study found that the 60 U.S. companies it surveyed reported two successful attacks per company per week, an increase of nearly 20 percent over 2012’s rate.

In other words, evidence indicates that the hackers are getting better at their exploits, and corporate security is not keeping up. This suggests that the confidence level expressed by general counsel in the board’s ability to ask management the right questions may be ill-founded (54 percent of general counsel were either extremely confident or confident) regarding the status and risks associated with the company’s IT strategy — which mirrors the confidence of directors (50 percent).

“Board-level concern often is confounded by the fact that the technology underlying cyber issues can be opaque to many executives,” says Thomas Brown, Senior Managing Director in the FTI Consulting Global Risk and Investigations Practice. (Until recently, Brown led cybercrime prosecutions in the U.S. Attorney’s Office in Manhattan.) FTI Consulting’s role, Brown says, is to help bridge that gap, which is of utmost importance given cyber risk’s ubiquity in a world in which business is increasingly conducted digitally over the Internet.

“Cyber risk’s pervasive nature presents an existential threat to the operation, reputation and bottom line of virtually every company, regardless of industry,” Brown says. “The priority that board members and general counsel place on cybersecurity and data protection not only reflects this reality but is entirely in line with our experience assisting clients to address this threat.”

FTI Consulting, Brown says, has been helping more and more corporations develop incident response plans and internal controls, assess networks for vulnerabilities, secure the organization’s data and evaluate cyber insurance options.

The need for this kind of bridge is underscored by the fact that this is an area in which directors and general counsel question each other’s abilities: Thirty-eight percent of directors found general counsel only somewhat effective at IT/cyber risk oversight; 37 percent of general counsel said the same about their board.

M&A and Other Competitive Factors

According to Thomson Reuters, worldwide M&A totaled $710 billion in the first quarter of 2014, an increase of 54 percent compared with year-to-date 2013. U.S. M&A announced so far in 2014 comes to $361.1 billion, up 62 percent from 2013 year to date, representing the strongest period of dealmaking in the United States since 2007, the year before the global credit crisis. (U.S. M&A currently accounts for 51 percent of global activity.)

Investment banking expert Jeff Golman, on, wrote that he believes 2014 will be an unusually strong year for U.S. M&A, given favorable credit markets, continuing low interest rates, increased corporate cash reserves, a large inventory of private equity-owned companies with finite ownership horizons, a healthy stock market and an uptick in cross-border M&A activity.

With M&A heating up across all industries, along with other forms of corporate growth, 54 percent of directors said they’ll be making a large time commitment to M&A in 2014, as did 51 percent of general counsel. That’s a significant increase from 2013, when 42 percent of directors and 36 percent of general counsel identified M&A as an area to which they’d be devoting increased time. M&A strategy also made directors’ top five in terms of areas where the board needs better information and processes in order to be as effective as possible.

Shareholder Engagement

The rules of shareholder engagement have changed dramatically over the last decade. Increasingly, vocal shareholders expect dialogue not only with management but with the board itself. Accordingly, most of our director respondents reported that their board had proactively engaged in a dialogue with shareholders in the last 12 months, and 57 percent said those interactions touched on the topics of M&A and corporate growth strategies. Nearly half said they also discussed board structure and director qualifications (49 percent), and 46 percent reported their board also recently has discussed executive compensation with shareholders. And the majority of general counsel were comfortable with their board discussing these topics with shareholders.

The directors believed the way they handle shareholder communications is quite effective (81 percent), but 26 percent said they are only somewhat effective in developing strategic communications plans to build shareholder support. This suggests that directors could do a better job of monitoring shareholder sentiment to determine if and how discontent is bubbling up.

We asked general counsel if they are comfortable with this degree of openness on the part of directors and found (as we did in 2013) that approximately 80 percent said they are comfortable with directors discussing board structure and director qualifications and compensation, although general counsel were split when it comes to whether the board should engage with shareholders on matters of M&A and growth strategies (54 percent in favor), corporate social responsibility (54 percent in favor) and political contributions (51 percent in favor).

“The rise of shareholder activism has brought corporate governance and transparency to the forefront of investors’ minds,” says Elizabeth Saunders, Senior Managing Director and Americas Chairman of the Strategic Communications segment at FTI Consulting. Board members, says Saunders, can play an important role by engaging proactively with shareholders in a controlled forum where the board can listen to investors’ concerns and provide them with insight on how the board interacts with management to guide strategy, protect against risk, and identify and evaluate opportunities.

“The key,” Saunders says, “is to be proactive to build investor confidence prior to a proxy contest or crisis. Once an issue hits, it’s often too late, and board members may find themselves on their back foot.”

Social Media

Managing Cyber Risk: Job #1

Social media is looking more and more like a permanent fixture in our society. Last year, in our first foray into the topic, when we asked whether companies had developed a formal policy on the use of corporate social media, 59 percent have not done so or are unsure. Only 16 percent of directors said they have formally discussed social media issues, and 25 percent said they have no plans to do so. This year, 73 percent of general counsel and 44 percent of directors said their company has a formal policy (a significant disconnect between general counsel and directors, perhaps illustrating the still-conflicted attitude of directors toward social media), and 14 percent and 12 percent, respectively, said they are in the process of creating one — a huge change which, if fully implemented, would mean almost all companies would have social media policies next year. Still, 17 percent of directors said their company has no policy and has no plans for creating one. And 27 percent of directors were unsure of whether their company even has a social media policy.

Only 22 percent of directors thought their company has a good grasp of social media, with 45 percent saying they need more information, and 19 percent declared they have no plans to discuss the subject.

Last year, Saunders cautioned that “organizations can’t ignore social media as part of their communications program to investors and stakeholders,” pointing to the U.S. Securities and Exchange Commission’s (“SEC”) recognition of social media as a valuable disclosure medium. While directors and general counsel are recognizing the importance of creating a formal social media policy to mitigate risk, there still is, it seems, a worrisome lag.

ERM, Compliance, Compensation and Succession

Among the more traditional issues with which boards and general counsel deal, enterprise risk management (ERM) was chosen most often by general counsel (48 percent) as the area in which their legal department needs better information and processes in order to be as effective as possible in 2014, followed by regulatory compliance at 46 percent. Along with data security, compliance was the top issue over which general counsel said they are most likely to lose sleep. Directors did not rate those two areas as highly, although 33 percent agreed they need better information to handle ERM. Nearly 40 percent said that regulatory compliance is one of the most significant challenges to the company’s ability to meet its 2014 performance goals.

Increasingly, governments and agencies are focusing on anti-corruption regulation, third-party liability, money laundering and insider trading. According to Erica Salmon Byrne, Executive Vice President, Compliance & Governance Solutions, NYSE Governance Services, compliance and ethics programs are the most effective way companies can mitigate people-created risk. “The risk that employees are out there doing the wrong thing on any given day is great.” Having those programs, she says, “is the most important thing the board can do to make sure the company is utilizing shareholder assets appropriately and is effectively controlling the risk.”

According to Neal Hochberg, Senior Managing Director and Global Leader of FTI Consulting’s Forensic & Litigation Consulting segment, “Compliance concerns are at an all-time high for publicly traded companies. With 81 percent of general counsel listing compliance as a chief concern, it is critical that companies invest in a proactive compliance program to protect their enterprise value. In this ever-changing environment with increased regulatory inquiries, companies must remain vigilant to avoid potential violations. An effective compliance program, training and continuous monitoring can play a crucial role in preventing violations that could tarnish a corporation’s image.”

When asked which issues their legal department or management has specifically reviewed with the board, 77 percent of directors chose the SEC’s pay ratio disclosure rules, and 65 percent said they have discussed the implication of the upcoming rules on compensation clawback policies — not surprising as compensation continues to be on the board’s radar despite slipping from first to second (and to third for general counsel) in terms of the area likely to require the lion’s share of the board’s time.

Succession planning was second on the directors’ worry list and third for requiring the greatest time commitment.

Looking Ahead

Although it’s hard to predict what the next big issues will be, it’s not unreasonable to imagine that the deployment of data and analytics, the worsening of the cybersecurity threat and the emerging risks associated with social media in the corporate environment will continue to consume the time and attention of directors and general counsel. Most of those we surveyed indicated that these are areas that demand a firmer grasp on the part of board members as they plan their company’s strategies going forward. Increasingly, regulators are suggesting (and expecting) that directors gain a better understanding of all IT-related corporate risks, including data security, intellectual property theft, privacy issues and social media usage to guard their company against the breaches and data disasters that could cause material financial and reputational harm. We’ve already seen that happen with great frequency in the first part of 2014, and there’s little indication that these threats will dissipate or become less damaging.

The FTI Consulting 2014 Law in the Boardroom Study showed that directors and general counsel increasingly are aware of these concerns, which is a good first step.

This article summarizes the results of the FTI Consulting Law in the Boardroom Study, conducted with NYSE Governance Services, publisher of Corporate Board Member magazine.

Managing Cyber Risk: Job #1

© Copyright 2014. The views expressed in this article are those of the author and not necessarily those of FTI Consulting, Inc., or its other professionals.

More Info

Share this page