The Answer Will Depend On:
• Size and type of company; industry
• Whether company is public or private
• Who are the majority owners, shareholders, investors
• Items in the news
• What outside consultants, seminars, trainings are focused on
• Individual Board Members and their backgrounds
• What they consider high risk items
• What other boards they sit on
ADVISING THE BOARD
How Can You Calm Your Board’s Fears?
• Identify and discuss risks and threats before issues arise
• Use the Enterprise Risk process
• Review risk policies and processes and audit plans with the Board (at least once per year)
• Demonstrate to the Board that the company has a strong control environment
• Give the Board regular updates on the risk process and issues (e.g. hotline calls, internal investigations)
How Can You Calm Your Board’s Fears? (cont.)
• Walk through how management would propose to handle a “crisis” (e.g. cyberattack, FCPA investigation, black swan event) and get Board buy-in
• Determine if specialized Board committees are necessary for specific risks
Advising the Board
• Principles of board oversight (general obligation to protect corporate assets)
• Directors entitled to rely on management and outside experts
• Business judgment rule applies
Advising the Board: Investigations
• How should management keep Board updated on investigations?
• What investigations should be performed under direction of management and which by the Board or Audit Committee?
• Remember, there are often competing interests:
  • Board members
  • Senior management
  • Potential whistleblowers
CYBERSECURITY
Cybersecurity Threats
Data Breaches
• 45% of senior executives say their companies experience cyber attacks hourly or daily
• In 2014, over one billion accounts were compromised
• In 2014, the global average cost of each data breach was $3.5 million USD, up 15% from 2013
*Source: Thomson Reuters
Cybersecurity Threat
• “Hacktivism”
• Foreign Governments
• Proprietary Data – APT
• Attacks on critical infrastructure—SCADA, DCS, PLC
• The Pentagon, Department of Homeland Security, NSA cyber war exercise
• Insider Threats
Standards
• No single standard for private-sector cybersecurity
• NIST framework
• Dept of Justice, SEC, FTC, FCC
• States differ - 49 different state laws
• DOJ - Computer Crimes & Intellectual Property Section – Best Practices
• SEC - policing cybersecurity preparedness
• SEC comments
• Energy Sector Guidelines
Civil and Criminal Remedies
• Computer Fraud and Abuse Act
  • Access without authorization
• Wiretap Act
  • Prohibits interception of electronic communication
• Stored Communications Act
  • Prohibits access to a facility through which electronic communication services are provided
• State trade secret laws
• RICO
• State computer crime laws
Personally Identifiable Information
• Privacy Laws
  • 49 states have data security breach laws
  • Comprehensive privacy laws in many countries, including EU Data Privacy laws and China State Secret Laws
• Requirements to notify affected individuals
  • Attorney General
  • Consumer reporting agencies
Insurance
• Third party claims
  • Banks, consumers, counter-parties
• Business interruption
• Crisis management
• Implementation of response
• Cyber extortion
COMPLIANCE
Global Anti-Corruption Laws
• The U.S. Foreign Corrupt Practices Act (FCPA)
  • Prohibits giving anything of value (or promises to do so) to foreign officials to obtain or retain business (DOJ)
  • Requires issuers of U.S. securities to make and keep accurate books and records and to maintain adequate internal accounting controls; prohibits knowingly falsifying books and records or knowingly failing to implement internal controls (SEC)
• Other anti-corruption statutes in the UK, China and other major countries
Enforcement Environment
• Enforcement trends
  • Companies even more accountable for conduct of foreign subsidiaries/JV partners
  • More violations on the accounting controls/books and records side
  • More DOJ talk about going after individuals
  • Adequate vs. inadequate compliance programs
Criminal Prosecution of Individuals
“If you want full cooperation credit, make your extensive efforts to secure evidence of individual culpability the first thing you talk about when you walk in the door to make your presentation”
“Even the identification of culpable individuals is not true cooperation if the company fails to locate and provide facts and evidence that implicate those individuals”
- Speech by Principal Deputy Assistant Attorney General, September 2014
Criminal Prosecution of Individuals (cont.)
• PetroTiger - June 2015
  • General Counsel and Co-CEO pled guilty
• Hyperdynamics – May 2015
  • DOJ declined prosecution because company cooperated
• Alstom – December 2014
  • $772 million criminal penalty
  • Failed to provide “thorough cooperation”
International Trade Compliance
• OFAC/Sanctioned Country Issues
  • Russia – September 2014
    • Applicability to certain projects uncertain
    • How to comply?
  • Iran
    • Nuclear technology accord reached
    • What if the market opens?
  • Cuba
• Import Control Issues/C-TPAT Issues/Border Control
BLACK SWAN EVENTS
Black Swan Events
• What is a Black Swan Event?
  An event that comes as a surprise, has a major effect, and is often inappropriately rationalized after the fact with the benefit of hindsight
• Examples
  • Macondo
  • 9/11
  • Sub-prime mortgage crisis
  • Decline in oil prices
Black Swan Events (cont.)
• What can be done to control the chaos during events?
• What can be done to keep them from being enterprise threatening/destroying events?
What Keeps Your Board Up At Night?
August 6, 2015
ACC Chapter Meeting CLE
The Woodlands
MICHAEL FARNELL, Chief Legal Officer, Nexeo Solutions LLC
RACHEL EHLERS, Director of Compliance, Nexeo Solutions LLC
SEAN GORMAN, Partner, Bracewell & Giuliani, LLP