
10/19/23 – Issue 8.39 – Your weekly news on all things board. 

Directors Domain

Cybersecurity is one of the biggest challenges today’s organizations face, and one with the biggest impact. We’ve seen massive data breaches in 2023 at large and established companies, all resulting in financial and reputational fallout. Fewer than half of boards feel their organizations are prepared for a cyberattack. This week brought a plethora of information and advice for boards regarding cybersecurity, from the effect of recent geopolitical turmoil on cyber risk to news of a new calculator that will help companies measure damages and comply with SEC cybersecurity reporting rules.

 

In other news, the Nasdaq board diversity rule stays, for now; Rite Aid files for bankruptcy; the U.S. and Singapore sync up on AI governance frameworks; and calls grow to separate the Chair and CEO roles.
 

 

In the Spotlight

 

What The Board Needs To Know: Geopolitics and Cyber Risk

How crises in Israel and the Ukraine might affect your organization’s risk profile

 

“The U.S. Cybersecurity and Infrastructure Security Agency recommends companies adopt a ‘shields up’ approach to cybersecurity. This involves reducing cyber risks, taking steps to quickly detect intrusions and respond where necessary, and to increase resilience. Organizations with a physical presence in Israel are most at risk, but so too are firms doing business in the country and even businesses linked to governments supporting Israel. Further risks relate to the effect of the war on the ability of companies to defend themselves. Companies operating in Israel may see their cyber teams depleted as reservists are called up and there is potential for Israeli cybersecurity businesses to be disrupted by the temporary loss of human resources and expertise. Israel is home to many cybersecurity startups founded by former military personnel.” WALL STREET JOURNAL

 

Leadership Steps to Support Corporate Cyber Readiness

SEC rules add yet another layer to complex cyber risk management

 

“The growing concern around cyberthreats for companies across the nation is reflected in the increasingly crowded legislative landscape that provides guidance to organizations, employers, employees, consumers, and investors. As part of that landscape, enterprises — both public and private — operate under an unprecedented level of scrutiny. Last month, new SEC requirements went into effect for public enterprises. Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (the “Rule”). The Rule not only requires public enterprises to report cyber breaches within only four days, but it also requires annual disclosure of material information regarding cybersecurity risk management, strategy, and governance.” THE NATIONAL LAW REVIEW

 

New Calculator Aims to Measure Companies’ Cyber Attack Damages

FAIR Institute assessment will help companies comply with SEC disclosure rules

 

“A key risk-management body on Tuesday plans to launch a model to estimate damages from a cyberattack—a calculation that companies struggle to make as hacks play out over days and weeks. The FAIR Institute, a nonprofit that helps businesses measure corporate risk, is due to debut its materiality assessment model, along with an online calculator that appraises the financial fallout of a hack as well as intangible damages such as reputational harm.” WALL STREET JOURNAL

 

10 Ways Boards Are Setting Their Companies Up For Cybersecurity Failure

An ineffective approach to cyber governance can weaken overall company strategy

 

“The boardroom is a critical control in every company’s system of cybersecurity risk management. An ineffective approach to cybersecurity governance creates an overall system of cybersecurity that is weaker than it needs to be—often much weaker. This weakness is unfortunately pervasive across many boardrooms and it fails investors, management teams, other stakeholders and the promise of the digital future. As economic growth and output continues to grow its dependence upon digital business systems, corporate boards are putting their companies at risk when they are not a high-performing part of the organization’s system of cybersecurity risk. Too much is at stake for corporate boards to not be leading on these issues.” FORBES

 

Overseeing Cyber Risk

A thorough strategy considers both prevention and aftermath

 

“Cyber risk management is no longer just about preventing breaches. A good program can also help companies get back on their feet and mitigate financial and reputational damage when a breach occurs. How do you know whether your company is doing all it should? The threat environment is becoming more complex with an increasing number of threat actors, including nation states, using new and more sophisticated tactics. Add to this that during the COVID-19 pandemic, the corporate world embarked upon a rapid digital transformation and many employees started working remotely, increasing companies’ digital footprint—and their cyber risk profile.” PwC via BOARDSPAN

 

From Boardspan this Week:

 

NEW WEBINAR: Cybersecurity and Governance: Governing the Ungovernable

Join Abby Adlerman and Bethany Mayer in conversation November 9

 

The impact of a cyberattack can be financial, reputational, and ultimately existential: No company can claim to be safe. What is the role of the board in governing cybersecurity in this ever-increasing, dynamic threat environment? Is there an appropriate strategy for cybersecurity risk mitigation – and crisis management if prevention is futile? And, what defines cyber expertise and how much of it does a board need? Join Abby and board member/cybersecurity expert Bethany Mayer as they explore these questions and more. 

 

Thursday, November 9, 2023
12 pm ET

Register for Cybersecurity Webinar

 

Across the Board

 

Nasdaq Board-Diversity Rules Stay in Place—for Now
Nasdaq's push for board diversity targets has survived an initial legal challenge

 

“Nasdaq’s push to set diversity targets for corporate boards has survived the first round of a legal challenge by conservative groups. The Securities and Exchange Commission acted properly when it allowed Nasdaq to implement its diversity rules, three federal judges said in a ruling Wednesday. The SEC approved the rules in 2021 as the exchange’s regulator. Two right-leaning groups sued the agency, arguing Nasdaq shouldn’t be allowed to implement what they called an illegal racial and gender quota.” WALL STREET JOURNAL

 

2023 Proxy Season Review
Shareholder support overall is at its lowest level in five years

 

“Support is lower for management proposals and for shareholder proposals alike. We believe this is due—at least in part—both to a decline in market valuations (support for directors and Say-on-Pay proposals generally tracks stock price movements) and a general decrease in support for ESG proposals because many companies have taken steps to be more proactive and transparent.” HARVARD LAW SCHOOL FORUM ON CORPORATE GOVERNANCE

 

Boards Confront Evolving Risks and Pressures During Another Disruptive Year
The evolving risk landscape will continue to elevate certain ESG risks as priority areas for boards

 

“Amid ongoing volatility, boards are continuing to address an evolving risk landscape and contend with pushback on how environmental, social, and governance (ESG) risk factors should be addressed. While oversight of enterprise risk management is part of the board’s mandate, executing that remit has become a delicate balancing act. As Blackrock CEO Larry Fink wrote in his 2023 letter to investors, many clients ‘want access to data to ensure that material sustainability risk factors that could impact long-term asset returns are incorporated into their investment decisions.’ However, companies have also faced an increase in anti-ESG shareholder proposals.” HARVARD LAW SCHOOL FORUM ON CORPORATE GOVERNANCE

 

Rite Aid Files for Bankruptcy Faced with High Debt and Opioid Lawsuits

It also had $750 million in losses for fiscal year 2023 while facing mounting litigation costs

“Debt-laden U.S. drugstore chain Rite Aid (RAD.N) filed for bankruptcy protection late on Sunday and said it would close underperforming stores, sell its pharmacy benefit company Elixir and resolve lawsuits over its sale of addictive opioid medications. Rite Aid, one of the largest U.S. pharmacy retailers, stumbled under its high debt, revenue declines, increased competition, and opioid litigation, according to its court filings…The U.S. government has accused Rite Aid of ignoring "red flags" while filling illegal opioids prescriptions, and the company faces 1,600 other opioid lawsuits from state and local governments, hospitals, and individuals.” REUTERS

 

What if We Could All Control A.I.? 

An experiment at Anthropic offers an interesting prospect for future AI governance

 

“One of the fiercest debates in Silicon Valley right now is about who should control A.I., and who should make the rules that powerful artificial intelligence systems must follow…Should A.I. be governed by a handful of companies that try their best to make their systems as safe and harmless as possible? Should regulators and politicians step in and build their own guardrails? Or should A.I. models be made open-source and given away freely, so users and developers can choose their own rules? A new experiment by Anthropic, the maker of the chatbot Claude, offers a quirky middle path: What if an A.I. company let a group of ordinary citizens write some rules, and trained a chatbot to follow them?” THE NEW YORK TIMES

 

AI Oversight: Bridging Technology and Governance

Approaching AI from the perspective of your company’s mission and values can align strategic decisions

 

“The exponential growth and availability of artificial intelligence (AI) across every sector is compelling boards to recalibrate their roles in providing oversight on strategy and risk management. While disruptive, this new dynamic presents a mosaic of opportunities for growth and promises significant impact across all stakeholders — customers, communities, employees, and even shareholders. The key to unlocking strategic opportunities to drive value using AI, and to effectively manage the risks it presents, is recognizing that although AI is technology, how we address and use it is profoundly human…AI presents strategic opportunities, risks of adoption, ethical dilemmas, intellectual property concerns, and privacy challenges.” GRANT THORNTON

 

Singapore and US Sync up on AI Governance

Singapore has been a global leader and early adopter in its approach to AI governance

 

“Singapore and the US have synced up their respective artificial intelligence (AI) frameworks to ease compliance and will continue to work together to drive ‘safe, trustworthy, and responsible’ AI innovation. Singapore's Infocomm Media Development Authority (IMDA) and the US National Institute of Standards and Technology (NIST) completed the joint mapping exercise between IMDA's AI Verify and NIST's AI RMF. The alignment aims to harmonize international AI governance frameworks and reduce the cost of meeting multiple requirements.” ZDNET

 

Investors Press U.S. Boards To Separate Chair, CEO Roles

One in four S&P 500 companies chaired by a non-independent director received a shareholder proposal calling for change

 

“The first half of 2023 saw a significant increase in the number of shareholder proposals calling for an independent board chair that went to a vote. Support levels for such proposals increased slightly, contrasting with a decline in support for shareholder proposals that went to a vote overall. Looking at independent chair proposals over the last 10 years, we found that they receive significant investor support but almost never gain a majority. Further, we found a correlation between the trends for combined chair-CEO roles and the correlation with shareholder proposals calling for independent chairs.” HARVARD LAW SCHOOL FORUM ON CORPORATE GOVERNANCE

 

Study: One-Third of Boards Lack an Onboarding Process for First-Time Directors

Lack of onboarding could contribute to a perception that first-time directors are unengaged

 

“As organizations strive for sustainability and innovation, the selection and integration of first-time directors play a pivotal role in shaping a company’s future. First-time directors are expected to contribute and play a role in a board’s success. However, 23% of survey respondents expressed concerns that their first-time directors are not engaged and do not contribute meaningfully in strategic discussions...In addition to the absence of an onboarding process, the lack of engagement from first-time directors may be tied to missing mentorship. The survey shows that 71% of companies do not assign their first-time directors a ‘buddy’ or mentor during the onboarding process.” YAHOO FINANCE

 

Opinion: Why Director Independence Matters, and How Boards Can Ensure It

Director independence is critical as it allows directors to take positions that are in opposition to management

 

“Public companies must meet legal requirements for appointing directors who don’t have a material relationship with the business and stay out of its day-to-day operations. However, some experts question how useful the current definition of independence is and argue that board members can easily fall under management’s sway, leaving the organization vulnerable to activist investors. Meanwhile, long tenures by directors who might be independent in name only are hindering efforts to boost board diversity.” FORTUNE

    Seat at the Table

    • PacBio welcomes to its board David Meline, former CFO of Moderna

    • Social network Nextdoor appoints to its board Dana Evan, former Venture Partner at Icon Ventures

    • CRISPR Therapeutics adds to its board Sandy Mahatme, President, COO and CFO of biomanufacturing company National Resilience

    • Public safety company Wrap Technologies elects to its board Timothy Szymanski, Retired Vice Admiral of the U.S. Navy; and Rajiv Srinivasan, Principal Software Engineering Manager at Microsoft Intune

    • Defense firm Nano Dimension Ltd. appoints to its board Michael Garrett, Retired U.S. Army 4-Star General

    • Savers Value Village welcomes to its board Susan O’Farrell, former Senior Vice President and CFO of wholesale distributor BlueLinx

    • Clean energy firm CF Industries Holdings adds to its board Susan Ellerbusch, former CEO of North America at gas firm Air Liquide

    • Pharmaceutical firm Oragenics elects to its board Bruce Cassidy, Founder and former CEO of Excel Mining Systems; and John Gandolfo, CFO of biopharmaceutical firm Eyenovia


    About Boardspan
    Boardspan is the leading provider of digital governance solutions for boards across all sectors. Our cloud-based assessments, benchmarking analytics and governance education programs complement our board search and advisory services to deliver a holistic approach to governance. Boards of all sizes and stages rely on Boardspan to deliver analytics, insights and outcomes that improve their effectiveness and performance. Clients include KKR, The Kellogg Foundation, Ingersoll Rand, Farfetch, McAfee, Beyond Meat, Box, e.l.f. Beauty, Satellite Healthcare and the U.S. Olympic & Paralympic Committee.

    Copyright © 2023 Boardspan. All rights reserved.


    Boardspan, 3000 El Camino Real, Bldg. 4 Suite 200, Palo Alto, CA 94306, USA
