March 3, 2021
Robin Ferracone and Bob Zukis Talk Systemic Risk and Stakeholders
(Robin Ferracone) Bob—you are the founder of the Digital Directors Network (DDN). With cybersecurity and privacy issues becoming top of mind for everyone from Wall Street to Main Street, what is the role of the DDN?
(Bob Zukis) Robin, let me frame the “Big” picture. DDN is fixing what we see as a digital and cybersecurity leadership crisis in the boardrooms of companies around the world. More tactically, our mission is to first develop board-ready technology executives who can frame technology [and its inherent risks] within the context of the business. This will enable them to work with their boards and also pursue board positions. Second, we help full boards build a demonstrated competency in digital and cybersecurity oversight. And lastly, and probably most importantly, we’re developing boardroom and enterprise capability in systemic risk governance and management, which goes straight to addressing President Biden’s recent Executive Order on supply chain risks.
(Robin) You mention systemic risk. How is this different than Enterprise Risk? What do boards of directors and executives need to know and what should they be doing to address this?
(Bob) Chief Justice Seitz of the Delaware Supreme Court recently said, “boards must be able to demonstrate credibly that they’re thinking proactively about potential systemic risks.” We’re helping them do that. The courts are holding boards accountable to it and the threat of systemic failure is a major boardroom issue, as is systemic change.
Systemic risk is the inherent risk between the parts of a complex system that can threaten the larger system. COVID is an example of a systemic failure, as is the Texas energy collapse. It’s also not the same as cybersecurity risk, although cyber risk thrives on the systemic weaknesses in every company’s digital business system. Cyber is an active threat with an adversary that looks to exploit systemic weaknesses. Systemic risk is inherent in the many complex systems we’ve built, especially within the digital business system powering every company. Enterprise risk management was really focused on the risks to the parts within the system, not the threat of the component to the larger system. The biggest difference between ERM and systemic risk is ERM tended to discount and often ignore low probability risks. With systemic risk, you can’t do this, as small or remote risks often cascade and create catastrophic failure in large complex systems. A common metaphor we use is, “ERM is the risk of a flat tire on a car. Systemic risk is the risk and threat to the trip and the impact on the thousands of other drivers on the 405 in Southern California when your one tire goes flat in the middle of rush hour.”
(Robin) An easy follow-up question: Are boards of directors ready for the systemic risk of cyber gone awry? Who on the board owns this? Or maybe the better question is who should own this?
(Bob) No, boards are not ready on either the cyber risk or systemic risk issues, and it’s long overdue. Fundamentally the skills and competencies are lacking in the boardroom to understand and effectively govern these issues. That’s to be expected, as these are relatively new risk domains. Some companies are adding directors who understand cybersecurity risk, but very few have, and all need to.
Every boardroom needs these skills, as cyber risks don’t discriminate between large, medium-sized or smaller firms. When a ransomware attack can cause the ultimate business risk, i.e. a shutdown, these become major boardroom issues that need the skills and capabilities to govern and lead. And boards are even further behind on addressing the Chief Justice’s comments on boardroom capability and having a proactive approach to systemic risk. As a final thought, this isn’t another thing for the audit committee to do. Most boards throw cyber risk to their audit committee. Boards need to rethink how they are organized on these issues; we’re big advocates for Technology and Cybersecurity Committees. A few companies, like FedEx, have done this.
(Robin) We recently released our Farient/Global Governance and Executive Compensation Group 2021 and Beyond: Global Trends in Corporate Governance Research, which focuses on Global Stakeholder Incentives impacting employees, customers, suppliers, and communities. How do you see cybersecurity, privacy and risk playing out within the context of accountability and executive pay?
(Bob) The financial impacts of a massive breach or systemic failure will certainly threaten the ability to reach executive pay targets given their direct financial impact and/or litigation impacts. We’ve also seen a few shareholder resolutions, e.g., Disney, that have tried to tie executive pay to cybersecurity but haven’t moved forward.
Other stakeholders such as institutional investors and regulators are carrying a bigger accountability stick on these issues. Civil penalties are going through the roof and even criminal penalties are starting to be brought into the conversation by regulators. In some of the proposed regulation, very Sarbanes-Oxley-like board and executive certifications have been proposed. As part of the Equifax settlement with the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB), the Equifax board has to now certify that the company has complied with the order and its requirements around implementing a comprehensive information security program. Regulators are awake and these issues are squarely in the interests of investors and the public. The SEC is very focused on cybersecurity and risk factor disclosures, and we’ve seen the first suit brought against the SolarWinds CEO on their inadequate systemic risk disclosures.
(Robin) You talk about systemic risk and systemic opportunity. What do you mean by systemic opportunity?
(Bob) Well, that’s the good news, kind of. Systemic risk governance and management is of course about understanding and protecting against bad things happening — making sure that a small risk and failure doesn’t cascade and become a much bigger problem to the larger business system.
But systemic opportunity is the strategic growth opportunity that can and should follow large-scale systemic failures like COVID and its far-reaching impacts on economic, business and social systems. It’s almost the polar opposite; how can a small change in consumer behavior cascade and disrupt an entire industry and/or create a new one? Systemic change is about upside and the growth behind systemic forces and how they can reshape markets and value propositions. Just look at Zoom and the systemic impact and market growth they benefitted from as businesses moved to online video engagement. Many other industries and markets are being disrupted, or created, because of new needs, wants, and the many other forces that will be permanently influenced by COVID. We wrote a book on this in the middle of the pandemic last year, THE GREAT REBOOT – Succeeding in a World of Catastrophic Risk and Opportunity.
(Robin) Final question: What are three things board members and executives can do to protect themselves from the reputational risk inherent in cybersecurity breaches?
(Bob) It’s not the reputational risk they should necessarily be most worried about. Clearly, reputation and brand suffer a major hit during a cyber breach. You can’t insure your way out of brand or reputational impact, and while there’s some research that claims there is sustainable negative impact, as consumers, we’ve become almost numb to the latest headline. It’s the financial and litigation impacts of breaches and the boardroom and director liabilities that I’m most concerned about. The courts and regulators’ message is clear. They are drawing a line and we’re seeing them raise the bar on director and boardroom accountability. They are demanding that boards do more to be proactive and effective in performing their duties on these issues.
There have been almost US$350 million of fines levied under GDPR since its inception in July 2018. The California Consumer Privacy Act (CCPA) and NY Department of Financial Services (NY DFS) 500 and the NY Shield Act are also ramping up. Insurers are also coming to the party, and NY DFS now wants them to understand systemic risk in their insureds. They are jacking up their cyber insurance premiums to cover for the risks and higher classes they’ve been underwriting; now DFS wants them to understand systemic risk. I think they’ll tighten their terms, and the burden will be put back on the boardroom and companies to be more effective at understanding and mitigating both cyber and systemic risk. We’re only in the first inning on these issues, and the boardroom has a long way to go.
The good news is there are some leading practices and leaders who are doing the right things, and it’s having a major positive business impact on their companies. And these steps aren’t really major transformations at the board level, and they can be made relatively quickly. My strong recommendations include:
- Adding and developing digitally and cyber-savvy directors;
- Organizing the board more effectively and efficiently on digital and cyber issues. We love Technology and Cybersecurity Committees; and finally,
- Evolving risk governance and management to understand systemic risk in the digital business system and beyond.
These are things that any board can quickly and easily achieve, and they’ll have an enormous positive impact on reducing litigation risk, business risk and helping with growth. Boards have been too slow in evolving to these new needs, so there will undoubtedly be more bad news coming.
Bob Zukis is Founder/CEO of the Digital Directors Network (DDN) and co-author of THE GREAT REBOOT – Succeeding in a World of Catastrophic Risk and Opportunity.