Law in the Boardroom 2015

2ND QUARTER 2015

Research

By Kimberley S. Crowe

There’s no denying the behemoth that technology has become in corporate America—and while it fuels progress, it also creates vulnerability. Accordingly, directors and GCs strongly agree that the single biggest issue companies face today is getting their arms around IT and cyber risks. But as daunting as that may be, boards, executives, and their legal teams also have plenty of other critical issues to consider—some of which, like operational risks, compliance issues, and crisis preparedness, are simply the result of managing the business, while others, such as maintaining a competitive strategy, engaging with shareholders, and harnessing social media are an outgrowth of high performance—and wanting that performance to continue.

With those concerns in mind, we designed our annual Law in the Boardroom study, a co-venture with longtime partner FTI Consulting, to draw out details on the key risk issues and legal trends facing public companies today. Earlier this year, our universe of directors and general counsel answered our call for input, allowing us to gather data and opinions and compare and contrast each group’s perspectives on the top issues companies are wrestling with today.

Overview

According to our most recent survey, IT/cybersecurity is indeed the No. 1 worry for both directors and general counsel, with 90% of directors and 86% of GCs indicating they are either extremely concerned or concerned about this issue (Figure 1). Directors and GCs as a group are also concerned about operational risk, crisis preparedness, and corporate reputation—note that the latter two may be intrinsically related to IT security as cyber breaches touch off critical risk that involve a company’s preparedness and reputation.

Separately, GCs are worried about regulatory compliance, which is a big part of their job focus and was among directors’ top tier of concerns, while directors are becoming more focused on succession plans and leadership transitions, which may be related to an increase in shareholder activism.

In terms of trends, directors have a number of escalating concerns: FCPA/anticorruption, IT/data security, and crisis preparedness all jumped 15 percentage points or more from last year, while corporate reputation and shareholder activism also showed notable increases; for GCs, operational risk is of significant concern to 70% of those surveyed this year, up from 46% last year, while 86% of GCs this year show significant concern about IT/data security, up from 76% in 2014.

We specifically asked directors and GCs to rate each other’s strengths and weaknesses in managing these issues. GCs are confident that their directors have executive compensation, corporate ethics, insider trading, internal controls, and whistleblower program management well in hand. Directors, on the other hand, are secure in their GCs’ ability to handle insider trading, corporate ethics, confidentiality issues, ERISA/HR compliance, and labor disputes/litigation.

GCs are least confident about their directors’ oversight of e-discovery and document retention (though these issues generally fall more in the GCs’ purview) and social media. It’s somewhat surprising that GCs don’t show a more acute lack of confidence in boards’ oversight of IT/cybersecurity, given how high it is on their worry list. Directors show the least confidence in their GCs’ oversight of IT/cybersecurity, global expansion, and social media.

To further present our survey results, we’ve identified five key areas of concern that are more thoroughly broken down and analyzed in the following sections. Read on to discover how directors and general counsel separately and together approach these important topics.

Grappling with Cybersecurity

IT and cyber risks pose some of the most dangerous, elusive, and costly threats to companies today. Indeed more than three-fourths (77%) of both directors and GCs we surveyed believe that the risk of cyber liability at their company has increased over the last two years (Figure 2). Unfortunately, directors are far from comfortable they have the knowledge to provide good governance

in this area. Approximately three-fourths of directors and two-thirds of GCs still believe they need more information on IT/cybersecurity risk (Figure 3). Moreover, the costs keep rising. According to the Ponemon Institute’s “Cost of Cybercrime 2014” report, cyber attacks cost the average US company $12.7 million, an increase of more than 9% over 2013, with some companies experiencing up to $61 million in losses. Ponemon says businesses in other countries are close behind.

Financial losses, however, are only part of the story. Once a breach occurs, there are multiple stages of crisis that must be dealt with—making this risk area one that truly affects every aspect of the corporation and its stakeholders. Companies must be ready with crisis management plans and protocols immediately following the notice of a breach to mitigate both tangible and reputational losses. Given that, it’s no surprise that both crisis preparedness and corporate reputation rank in the top five list for concerns both GCs and directors lose sleep over.

“Cyber risk poses an existential threat to companies, with a potentially devastating effect on a business’s reputation and bottom line,” states Tom Brown, senior managing director with FTI Consulting and a leading expert in cybersecurity and investigations. “In our experience, speed is essential in dealing with a breach. Companies that have a well-prepared and rehearsed cyber response plan are in the best position to address quickly and successfully contain the fallout from a cyber event,” says Brown.

Yet despite the increased emphasis on cybersecurity and directors’ and GCs’ obvious concerns, neither expect to spend the bulk of their time dealing with the issue; instead, corporate strategy was the area most often selected by directors as requiring a substantial time commitment in 2015, along with M&A. GCs expect to spend the bulk of their time on regulatory compliance, M&A, and litigation. While at first glance this might appear to be inconsistent, it’s important to examine and consider the issues that directors and GCs have responsibility for in a relative sense.

“These findings are certainly in accordance with what we would expect, even with the increased spotlight on cyber issues this year,” notes Deborah Scally, editor, Corporate Board Member. “In fact, one might argue it’s healthy. Just because cybersecurity is a looming issue does not mean it overshadows such critical responsibilities as ensuring the company is performing in accordance with the strategic plan or evaluating growth and the associated risk of mergers and acquisitions,” she said. “These are truly foundational aspects of the role of a public company director and part of a director’s fiduciary responsibility.”

Admittedly, the security breaches suffered by companies such as Target, Home Depot, U.S. Steel, and countless others have changed the governance and compliance landscape; accordingly, directors and GCs are being asked to fine-tune their risk oversight radar. Reporting up to the board about security information and potential threats is an important aspect of the general counsel’s role as GCs work in tandem with chief information security officers (CISOs) and other IT executives. For their part, boards are requiring more reports on threat plans and policies, security status evaluations, and on the company’s inventory of data assets.

Along these lines, the survey asked about directors’ and GCs’ confidence levels in each others’ abilities to oversee and manage cyber risk. Less than half of the directors surveyed reported being very confident/confident in their GC’s oversight of cyber risk, while GCs were slightly more bullish (65% said they were very confident/confident in directors’ cyber oversight). In both cases, what’s more telling is that their confidence levels in cyber risk oversight was lower than nearly every other risk area measured.

“What is even more interesting is what is left unsaid by these statistics,” observes Chris Tarbel, an FTI Consulting managing director and specialist in cyber investigative techniques. “Are significant percentages of directors and general counsel unsure about their ability to oversee and manage cyber risk because they lack sufficient insight into the degree of that risk at their companies or because they have sufficient insight and are not confident in their businesses’ ability to address that risk effectively?” he asks. “Either way, these numbers are troubling.”

This year’s survey also sought to ascertain how comfortable directors and GCs are with specific measures of cybersecurity. The vast majority (98%) of directors and GCs understand and admit their companies are not completely impervious to hackers. Moreover, nearly half of GCs and 57% of directors are not entirely confident that their company could quickly detect a cyber breach. This data appears to dovetail with the Ponemon report, which puts the average time to resolve a cyber attack at 45 days (with an average cost to participating organizations of $1.6 million, a 33% increase from last year’s average cost, which was based on a 32-day resolution period).

And while most directors and GCs are fairly confident their board knows the right questions to ask management about the company’s IT/cyber strategy, about a third of directors admit they probably don’t.

“This is an area where directors in particular will be looking to ramp up their knowledge in the months ahead,” Corporate Board Member’s Scally says. “Investors have increased their scrutiny of boards’ involvement with cyber risk oversight and are expecting them to hold managements accountable for sound processes and procedures, as well as for transparency related to breaches and proper response protocols when they occur.”

Also lukewarm is a finding that shows more than 40% of both groups lack confidence in their company’s response plan in the event of a breach—arguably one of the most critical aspects of cybersecurity (Figure 4). In today’s environment, it’s truly not a question of “if” but “when” a breach will occur, experts say. Therefore all companies must prepare for that inevitable day, and boards must ensure that thoroughly vetted processes are in place that not only address the stemming of the loss and compromising of data, but, importantly, also address the plan for communication—both immediate and longer term—with investors, employees, the public, and the media.

“Boards of directors can take several steps to place themselves in a better position to ask the right questions and insist on full and detailed answers about the state of cyber readiness at their companies,” FTI Consulting’s Brown says.

For example, they can designate a single manager—such as a chief information security officer—to ‘own’ cybersecurity and to report directly to the board. Boards may also consider bringing in an independent third-party with cyber expertise to advise them. Unlike company insiders who may be motivated to hide hard truths from the board, third-party cyber experts have no such vested interests and can provide a clear, unbiased picture of a company’s true cyber risk,” Brown explains.

Increased Shareholder Engagement

Given the rise in shareholder activism and the push for additional disclosure and transparency, many companies realize they must engage their shareholder base more successfully to avoid conflict. The balance of power, many would argue, has swung significantly toward shareholder activists, as demonstrated by such high-profile stories as the ouster of the full board at Darden Restaurants and other recent proxy battles. While shareholder activism did not rank as one of the top five issues that keep directors up at night, it is higher on their radar this year than previously seen.

Specifically, increased investor scrutiny on board refreshment, diversity, and board independence, has been very prominent in the last year, as have battles over corporate restructuring, M&A, and spinoffs (see related story, page 24.) Overall, 36% of directors noted they are extremely concerned/concerned about shareholder activism and litigation this year; 43% of GCs have the same level of concern. A quarter of directors and about a third of GCs surveyed think their risk of liability from shareholder litigation has increased over the last two years.

The spotlight on shareholder activism has prompted another key area where boards are being asked to oversee their company’s preparedness—sometimes by undergoing training scenarios that help them identify chinks in the armor. More than two-thirds of directors and GCs say they have evaluated the vulnerabilities that might make their company the target of activists, and approximately two-thirds of both groups say their company has formal shareholder engagement/communications protocols in place. About 60% of both groups believe their boards would benefit from participating in an activist training scenario (Figure 5).

“Shareholder activism unquestionably is gaining momentum, and in this changing environment, every company is a target. Size and stock price performance no longer are deterrents to activists, and activists no longer need to take large positions in order to win proxy fights,” says Basil Imburgia, North America leader of FTI Consulting’s Forensic and Litigation Consulting segment. Before activists engage management, there are four critical steps Imburgia recommends companies consider to achieve shareholder activism preparedness: 1) form an activist response team that includes key internal personnel and outside advisers; 2) monitor for activism activity; 3) engage shareholders; 4) communicate broadly to the market.”

Finally, we asked if there are any significant issues directors and GCs foresee addressing during the upcoming proxy season. According to directors and GCs, executive compensation and director qualifications/board refreshment are the two areas most likely to be addressed with shareholders in 2015.

Heightened M&A Risk

M&A trends run in cycles and there is no denying the M&A boom is back, largely encouraged by low interest rates, record stock prices, improving employment numbers, and an abundance of cash. Across the spectrum, companies are actively engaging in transactions of all stripes: purchases, divestitures, partial spinoffs, and other creative restructurings. This sustained momentum of deal activity, however, brings an associated level of transaction risk, requiring companies to maintain even higher levels of scrutiny during due diligence. The risk of acquiring bad assets, post-merger integration woes, and a clash of cultures can all create losses instead of the intended gains. Therefore, as transaction sizes and volume increase, boards are well served to keep a firm hand on M&A risk oversight.

Interestingly, while nearly half of both groups conceded that operational and market risks have increased for their companies, M&A due diligence is an area they feel relatively confident in their team overseeing, which is a good thing, as about half of the directors and GCs we surveyed predict M&A will require a substantial time commitment in 2015.

“Before this latest M&A boom, companies hadn’t flexed their due diligence muscles for a number of years, and we have found many corporations struggle to adjust to the heightened M&A risks,” notes Michael Pace, senior managing director and global leader of the Global Risk and Investigations Practice at FTI Consulting. “The nature of M&A risks, particularly in emerging markets, has expanded dramatically, requiring the right resources and approach to assessing and mitigating the risks. New levels of regulatory scrutiny around corruption in particular require acquiring enterprises to design certain anticorruption and compliance programs as well as to develop thorough monitoring and auditing capabilities within their systems.”

Adds Jeff Litvak, a post-acquisition disputes expert and senior managing director with FTI Consulting, “In addition to conducting extensive due diligence before a deal, some potential considerations for sellers and buyers to consider to avoid post-M&A disputes include sellers ‘carving out’ troubled items, i.e., inventories that may not be in accordance with GAAP, and buyers bridging the possible valuation differences by structuring an earnout, which would be paid to the seller if the business sustained projected profitability.”

Overseeing Governance and Compliance

The SEC and other regulatory bodies have enormous influence on the oversight responsibilities for boards and executive management. While these bodies are often accused of responding to problems with rules akin to using a sledgehammer to crack a nut, in time, many such compliance rules are seen in a more favorable light. In fact, companies often learn to accept and internalize even the most burdensome rules and regulations—think Sarbanes-Oxley’s Section 404, Dodd-Frank’s say on pay, listing requirements for board independence, and others.

This year’s survey, for instance, bears out that directors and GCs feel relatively confident about ethics and compliance issues. In particular, GCs highly rate directors’ handling of corporate ethics, insider trading, internal controls, and whistleblower programs, while directors are most confident of GCs’ handling of insider trading, corporate ethics, confidentiality, and ERISA/HR compliance. Although these and other governance and compliance matters have been points of concern in the past, it appears the regulations of the past 10 years have largely had the intended positive effect in these areas.

In the same vein, our survey shows that more than 60% of directors and GCs are confident their companies are doing everything possible to encourage internal reporting of ethical and compliance violations. The remainder are at least somewhat confident; less than 2% of each group label themselves “not confident.” Further supporting this data, most of the directors we surveyed believe liability from ethics investigations has either remained the same or decreased, and both directors and GCs largely believe liability from white-collar crime has either stabilized or decreased. And perhaps in an effort to continue these trends, approximately half of both groups believe both insider trading and ethics training should be mandatory for public company boards. Additionally, eight out of 10 directors believe corporate boards should also receive training in FCPA/antibribery, internal fraud, and HR/discrimination issues, although the majority believe these programs should be voluntary.

In looking at the bigger picture, the US regulatory compliance tide has shifted from implementing procedural-based rules to a much greater emphasis on investor transparency and disclosure. Issues such as conflict minerals, executive pay ratios, proxy access, cybersecurity, political spending, and others are designed to allow all stakeholders a view behind the corporate curtain.

Time will be needed for the corporate community to weigh in on whether these initiatives have created a fundamentally more stable capital and investment market, and we will certainly watch these areas closely in the months ahead.

Advises Martin Wilczynski, FTI Consulting senior managing director and head of the Forensic Accounting and Advisory Services Practice, “In a number of recent cases, the SEC has made it clear that they are committed to enforcing rules requiring registrants to maintain a system of internal controls and adequate books and records, even when no allegations of fraud exist. This SEC focus on the fundamentals makes it imperative for boards of directors and management to pay careful attention to oversight and compliance in these areas, and in particular, to aggressively remediate any instances where controls or documentary standards are found to be deficient in any way.” The best way to head off unwanted scrutiny in this area? “A track record of continuous monitoring and prompt remediation can be very valuable if the SEC challenges a registrant on any accounting, disclosure, or control issue,” advises Wilczynski.

Risks Posed by Social Media

While some may see it as a paper tiger, the risk posed by social media is real and growing, experts warn. According to an April 2014 article on the reality of managing social media risk in business posted on the InsideCounsel website, “Most social media issues arise from lack of due diligence, lack of oversight, and lack of control, which can lead to harm to consumers, legal risks, operational risks, and reputational risks that can change the trust relationship you have with the market.”

The vast majority of directors and general counsel we surveyed realize they do not have a good handle on social media risks. Fully 91% of directors and 79% of GCs affirm they do not have a thorough understanding of the risks related to social media for their company. Interestingly, despite sweeping guidance released from bodies such as the National Labor Relations Board, FFIEC, and other agencies, nearly 30% of directors and just over a third of GCs said their company does not have significant exposure to social media risk and thus report their legal department is not actively engaged in this area (Figure 6).

“Our Law in the Boardroom study underscores the need for companies to have a digital strategy that incorporates social media. There clearly is uncertainty and a diminished sense of control as to how enterprises message and leverage key online influencers,” says Scott Corzine, managing director with FTI Consulting. “Both directors and GCs recognize social media can be a positive or a negative accelerant for how communications are received, disseminated, and shared, and the challenge now is for companies to use emerging media to proactively connect with stakeholders in new and meaningful ways.”

Perhaps as a result of not having a full understanding of the risk themselves, directors reported concern over how well their GCs are prepared to oversee social media risks, with 10% of directors indicating they are not confident in their GC’s ability to handle the company’s social media risk, a higher negative percentage compared to most other risk categories listed.

What Lies Ahead?

So what’s on the risk horizon for directors and GCs in 2016 and beyond? More cyber risks, for sure, and likely more issues involving shareholder activism, M&A, crisis management, global expansion, and the further emergence of social media risk, particularly in regard to its impact on corporate reputation. Undoubtedly, it will take a concerted effort, with directors and their legal teams working together, to stay on top of these risks. Doing so may require training, greater time commitments, and perhaps an infusion of specific talents or skill sets for both boards and corporate legal teams.

We hope the data offered here is valuable to your board and legal department. Corporate Board Member appreciates the support and expertise of its Law in the Boardroom partner, FTI Consulting, and we appreciate the hundreds of survey respondents who participated in our research this year.