25 Jul. 2018
On Governance is a series of guest blog posts from corporate governance thought leaders. The series, which is curated by the Governance Center research team, is meant to serve as a way to spark discussion on some of the most important corporate governance issues.
We have witnessed various corporate crises over the years: Enron, Worldcom, AIG, Lehman, and the like. We have also witnessed the reforms and regulations that followed those crises along with changed expectations of directors serving on a public company’s board.
We now face a new set of crises, including Wells Fargo’s customer account fraud, Equifax’s data breaches, and Fox News’ and Wynn Resorts’ toxic workplace problems. This blog will focus on the expanding expectations of directors in overseeing risks related to cybersecurity and toxic workplace environment.
As in the past, reforms and regulations are already being proposed. Case in point, in response to the Equifax and other cybersecurity debacles, in February 2018, the SEC issued new guidance regarding cybersecurity disclosures. The new guidance expands on prior guidance and advises public companies to evaluate cyber risks and make prompt disclosure. The guidance emphasizes board oversight and advises that the board’s role in cyber risk management must be disclosed when cyber risks are material to the company. This call by the SEC for more disclosure certainly expands the expected role of directors in overseeing the top executives’ risk management.
As part of the same guidance, the SEC also warned about trading by directors, officers, and other insiders before disclosure of an event, with a new emphasis on warning IT personnel, the Chief Information Security Officer, and other data divisions that insider trading policies apply to them as well. The SEC has already shown its resolve to investigate alleged insider trading. Equifax’s CISO was investigated and is being charged by the SEC with insider trading after he put “two and two together” and sold off his holdings. In a similar vein, the Federal Trade Commission told lawmakers on February 18, 2018, that if the public wants companies to handle the companies’ information carefully, then the Commission needs the power to impose fines for violations of consumer and data security laws.
In addition to legislative reforms and regulations, the courts may also play a role in shaping new levels of director oversight. Traditionally, courts, especially in Delaware, have afforded strong protection to director oversight under the Caremark doctrine. A Caremark claim, that is, the failure by a board to properly oversee risk management, remains the most difficult claim for investors to assert successfully. Although there is little or no case law addressing the board’s role in overseeing risks concerning cybersecurity and toxic work environment, a couple of recent cases indicate that courts may be willing to assess more critically the protections previously afforded under the Caremark and business judgment doctrines.
In re Wells Fargo & Company Shareholder Derivative Litigation, decided in 2017, a California court applying Delaware law denied the defendants’ motion to dismiss a Caremark claim based upon the plaintiffs’ well-pleaded allegations that there were numerous “red flags” of which the directors were or should have been aware that the employees were creating accounts without the customers’ knowledge or consent. Viewing the allegations collectively, the court found the plaintiffs had adequately pleaded that the directors consciously disregarded the red flags in dereliction of their fiduciary duties.
To date, the Delaware Supreme Court has not indicated that it will relax the strong protections afforded under Caremark. However, in the 2017 decision of City of Birmingham Retirement and Relief System v. Good, Chief Justice Leo Strine, in a strong dissent, signaled his willingness to hold directors responsible for ignoring red flags. The case arose out of the major damage from the collapse of a Duke Energy storm water pipe. The majority decision affirmed the lower court’s dismissal holding that the challenged “conduct must imply that directors are knowingly acting for reasons other than the best interest of the corporation.” On the other hand, the chief justice said he would have reversed the lower court finding that the plaintiffs’ complaint adequately supported an inference that Duke had consciously violated the law.
And for good measure, media coverage makes plain that investors are looking to the board of directors and asking the same basic question: was the board asleep at the switch or turning a blind eye?
In this kind of environment it is natural to ask whether the time has come when fiduciary responsibilities require directors to assure themselves personally that whatever can be done by management is in fact being done to provide cybersecurity and a positive corporate culture. And if so, how do directors get themselves adequately informed on such a technical subject as cybersecurity and such an amorphous topic as corporate culture? I believe the time has come based simply on the obvious need. Alternatively, and unfortunately, I fear both the time and the need may be made plain sooner or later, courtesy of a court opinion.
So, how can a board go about creating the kind of communication channels needed to put directors in a position to monitor cybersecurity and corporate culture successfully?
The obvious first point is not to wait for the court opinion or your company’s first such crisis to take action. Plans and internal controls need to be in place not only to try to prevent or mitigate the conduct or event, but also to deal with the aftermath, including disclosure of the problem(s).
Overseeing risk management, and where necessary, challenging how executives manage the risks to the company, should be a top priority for the board. To do that, a director can no longer be passive, or rely blindly on management or experts. Independent directors in particular have, in the words of the former chancellor of the Delaware Court of Chancery and current Chief Justice Strine of the Delaware Supreme Court, a duty not to be “dummy directors.”
In the case of cybersecurity, there can no longer be complete delegation to the IT department with routine reports to the board. Cybersecurity needs to be everyone’s business. Given the recent data breaches, boards are increasingly expected to help ensure cybersecurity through expanded oversight, but most boards are unprepared to do this. Boards need to understand that their role is not limited to approving substantial cybersecurity investments. Boards need to be able to judge the effectiveness of the current and proposed strategies, to know what effective security looks like, and to know the right questions to ask management and other key employees.
Easy to say; not so easy to do. So, some thoughts on how to improve meaningful oversight with respect to cybersecurity:
- Education is key to understanding the issues of security and resilience at a sufficiently detailed level to make the necessary judgments.
- Directors, management, and other key employees such as the CISO can develop a common language regarding cybersecurity issues as a part of regular interactions at board meetings.
- More face time and access to the CISO and others in the IT department would be helpful in both formal and informal settings as means of education and developing a common language.
- Internal controls on cybersecurity, including the company’s resilience in case of an attack, should be regularly reviewed and continually assessed at the board level with the appropriate IT personnel in attendance to respond to questions. Again, such interactions will help to build the communications channels and understanding that directors need to make their judgments—and to defend them if the occasion arises.
- Timely disclosure is an event in itself that needs to have its own advance protocols approved by the board and included in regular board reviews for both readiness and effectiveness.
In the case of the toxic workplace environment, the corporate culture tone needs to be appropriate, starting at the top. Given the “MeToo movement” and the high-profile cases such as Fox News and Wynn Resorts, corporate culture is now front and center. Despite the media and public scrutiny, according to recent surveys boards are still not appropriately assessing the policies and procedures in place to prevent a hostile workplace. A 2018 survey by the BoardList indicated that 78 percent of boards (400 public and private) have not discussed implementing a plan of action.
Finally, some thoughts about effective oversight with respect to hostile workplace issues:
- A basic issue in this area is who decides what workplace issues are brought to the board and what kinds of considerations are given to that judgment. At the very least, the board should be briefed from time to time on both the “who” and the “what” that determine when workplace issues are called to the board’s attention.
- Periodic review and evaluation of the policies, procedures, and internal controls regarding sexual harassment, assault, and discrimination is certainly a good idea in today’s environment. Again, this is an activity that will help educate and establish common ground in advance of the difficult workplace issues that do reach the board.
- If not already in place, boards might also consider whether employee training programs and protocols on sexual misconduct would be helpful in both addressing and resolving such issues.
- A crisis plan already in place for a prompt, organized, and effective response to a major workplace issue would seem highly desirable. Presumably, such a plan would be developed by the appropriate HR personnel with C-suite and general counsel input and approval, and ultimately including a board briefing. That way everyone who may be involved in a crisis will know in advance not only the procedures to be followed, but what will be expected of them.
There may also be lessons to be learned from the recent Fox News settlement in the Court of Chancery earlier this year. In that blockbuster scandal, the Court of Chancery approved a $90 million recovery and unprecedented corporate governance provisions. The Fox News settlement, among other things, provides for a six-member council to facilitate board level engagement and to monitor workplace harassment and discrimination and to recommend investigations when needed. The council includes a former judge and experts in HR and diversity matters. The chancellor in approving the settlement commended the parties and called the result a sensible and practical way to deal with a sticky situation and agreed that the settlement produced real benefits.
In conclusion, I believe that in the current environment anything short of heightened and meaningful board oversight of risk management is in jeopardy of being viewed as an abdication of fiduciary duty not worthy of protection. Again, directors may not be able to prevent problems such as data breaches or hostile work environment, but improved oversight at a deeper level should go a long way toward better handling of such crises and toward satisfying courts, investors, and regulators by assuring all of them that procedures and controls are in place; are being followed and maintained (not left to gather dust in a drawer); and are regularly reviewed and confirmed at the board level.
The views presented on the Governance Center Blog are not the official views of The Conference Board or the Governance Center and are not necessarily endorsed by all members, sponsors, advisors, contributors, staff members, or others associated with The Conference Board or the Governance Center.