How should boards deal with sexual harassment issues? What is the best way to protect a company from cybersecurity threats? What is it really going to take to improve diversity in the boardroom? Why does every company need a digital director and a tech committee?
During a wide-ranging and informative interview, veteran board member and venture capitalist Betsy Atkins and Bloomberg Radio host and former SEC Chairman Arthur Levitt discuss these important topics, and more. We have divided their interview into three separate articles, which we will post over the coming months. Part 1 is presented below.
Arthur Levitt: You have spent decades on multiple boards. What is the current state of boards? Are most boards still stuck in the past, or are they evolving with the times?
Betsy Atkins: Boards are evolving with the times, but not quickly enough. Velocity of change has not totally permeated the boardroom. Boards are still heavily focused on a one-year lens with a quarterly operational focus, versus a longer-term horizon of understanding the rapidly changing competitive landscape and the need of the company to stay contemporary and vibrant for the future.
AL: What will be the "big issues" for boards during 2018?
BA: There are two ways to answer that: There are the "corporate governance watchdog" issues of Institutional Shareholder Services such as board committees, refreshment, diversity, and ESG (environmental, social, and governance) issues. However, I think the bigger and more important issue for corporate boards is going to be "the business of the business." Failing to employ new technologies and new business models to keep companies competitive is a bigger threat to the well-being of a business than corporate hygiene governance issues.
Companies underperform when they don't remain vibrant and contemporary. The big issues are understanding new business models like the Ebay (Nasdaq: EBAY) marketplace and how that applies to other businesses, or the sharing economy where you see Airbnb emerge or the rise of the gig economy which has employees working "gigs" as opposed to full-time corporate jobs. Boards need to examine how to employ machine learning and AI to replicate highly-paid white collar employees in traditional industries like insurance. The biggest threat is that a company slowly melts while new interlopers capture their market share.
AL: How would you counsel boards to deal with the issue of sexual harassment both in resolving potential current issues and how to move forward? What kind of crisis plan would you recommend boards consider?
BA: Boards are responsible for oversight of tone at the top, compliance training and the escalation process; the values and code of conduct of the company are exemplified by the full leadership team. Most companies have mechanisms in place to escalate issues, including hotlines to the audit committee, the chief human resources officer, or the general counsel. When a potential issue is raised, the board needs to own it quickly, conduct a rapid first-pass review to determine if a serious problem exists, and then make a business decision whether or not to conduct a broader investigation.
One mistake many boards make is to abdicate that first-pass review to their outside law firm instead of using a firm that specializes in background checks and investigations. Outside law firms are slower, more expensive, and they typically subcontract out those internal investigations.
AL: 145 million Americans had their data breached at Equifax. Did this rattle companies about cybersecurity threats, and is this the biggest issue for boards now?
BA: Cybersecurity breach is inevitable. Boards need to understand that statistically, every company has already been breached. The relevant question to ask is "What is the board's cyber oversight practice?"
Boards should utilize standard measures like the National Institute of Standards and Technology framework of 22 computer security items. The company should conduct regular, unscheduled penetration testing, and ensure that critical intellectual property is segmented and protected. For example, if a pharmaceutical company is developing a new blockbuster drug, it's critical to shareholders that data related to the new molecule compound is segregated and has special protection. Companies should implement appropriate training so employees don't respond to phishing. Large companies should also have an independent, third-party cyber monitoring service.
Corporations also need standing tech committees, versus overloading their audit committees. Cyber is a forward-looking threat, while most audit functions are forensic and backward-looking.
However, cyberthreats are not the biggest issue for boards now. The biggest issue is that the company continuously evolves to remain contemporary, innovative, and competitive.
AL: At HD Supply, where you are on the board, the company did a review of cyberthreats. What did you find and what did management do?
BA: HD does very serious cyber oversight and brings in external cyber experts to educate the board. HD also has the chief information security officer present to the board annually and the company leans in to be sure we have proper training of our employees against phishing, which is the biggest vulnerability. With Distributed Denial of Service (DDoS) ransomware attacks gaining prevalence, we took the step to adopt a ransomware policy and we opened a bitcoin account, so we would be able to decrypt files if we had a DDoS attack.
AL: Betsy, you advise that these days, all boards need a digital director. What is this?
BA: A digital director has broad technology experience in tech realms such as large enterprise software systems, on-premise software and cloud computing, mobile, social media, machine learning, AI and cyber. More importantly, good digital directors bring understanding of innovation methodologies like distributed agile development and new business models like online marketplaces, gig economies like TaskRabbit and Thumbtack, and shared economy ownership models like Uber and Airbnb.
Digital competency is not covered by just one tech silo, so boards need at least one, but preferably two or three, digital directors due to the velocity of change.
AL: On February 20, the SEC voted to force companies to disclose cyberattacks. The Securities and Exchange Commission's new guidance says companies should inform investors about cybersecurity risks, even if they have not yet been targeted by hackers in a cyberattack. It also stresses that companies publicly disclose breaches in a timely fashion, and instructs firms to take steps to prevent executives and others with previous knowledge of a breach from trading in its securities before the information is made public.
BA: The SEC guidance on cybersecurity disclosure is sensible. The market will reward or punish companies that do or don't disclose. We must be mindful of the impact of over-regulation, which you can see as Sarbanes Oxley has impacted the number of IPOs. Before SOX, there were an average 528 IPOs a year. Since it was enacted, an unintended consequence is that number has fallen to 135, a decline of nearly 75 percent.
AL: Where should responsibility rest for cybersecurity: with the audit committee and board, with congress or with regulators?
BA: Cybersecurity oversight should rest with the board, under the purview of a newly created tech committee—audit committees are too busy. The free market will reward or punish companies that are not careful with data patching, current cyber protection and breach mitigation. Corporations have a huge economic incentive to protect their brand with consumers and to protect their most valuable intellectual properties.
Betsy Atkins serves as President and Chief Executive Officer at Baja Corp, a venture capital firm. She is currently on the board of directors of Schneider Electric, Cognizant, and a private company, Volvo Car Corporation, and served on the board of directors at The Nasdaq Stock Market LLC and as CEO and Board Chairman at Clear Standards.
Arthur Levitt is currently the host of Bloomberg Radio's "A Closer Look with Arthur Levitt" and serves on the board of directors at Bloomberg LP. Levitt was the 25th Chairman of the U.S. Securities and Exchange Commission, and in 1999, became the Commission's longest-serving Chairman until his resignation in 2001. He also serves as a senior advisor to Goldman Sachs & Co. and an advisory board member of the Knight Capital Group.
The views and opinions expressed herein are the views and opinions of the contributors at the time of publication and may not be updated. They do not necessarily reflect those of Nasdaq, Inc. The content does not attempt to examine all the facts and circumstances which may be relevant to any particular company, industry or security mentioned herein and nothing contained herein should be construed as legal or investment advice.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.