Today I draw your attention to an article by Tom Hogue, published on the Cisco Blog, which deals with the new responsibilities that fall to board members in overseeing the company's overall cyber risks.
There are very useful guidelines that can help members of senior management (the CxOs), those who must attest to (sign off on) the accuracy of cyber-risk disclosures.
There are also ways for board members to make sure they exercise effective oversight of these risks. The article echoes the Gartner Security and Risk Management Summit, in particular the session "Finding the Sweet Spot to Balance Cyber Risk".
In my view, every director should become familiar with the cyber-risk environment and its management, because these risks can have dramatic consequences for the organization's performance.
Reading this article will make you more aware of your role as a director and of the consequences that flow from it. Here is an excerpt. Enjoy!
During the session, the panel had been discussing how the senior leadership teams address the problem of putting their signatures against the risk that cyber threats pose to their organizations. Tammie Leith made a point to the effect that it is just as important for our teams to tell us why we should not accept or acknowledge those risks so that we can increase investments to mitigate those risks.
What caught my attention was that the senior management teams are beginning to question the technical teams on whether or not appropriate steps have been taken to minimize the risks to the corporation. The CxO (senior leadership team that has to put their signature on the risk disclosure documents) teams are no longer comfortable with blindly assuming the increasing risks to the business from cyber threats.
To make matters worse, the CxO teams and the IT security teams generally speak different languages in that they are both using terms with meanings relevant to their specific roles in the company. In the past, this has not been a problem because both teams were performing very critical and very different functions for the business. The CxO team is focused on revenue, expenses, margins, profits, shareholder value, and other critical business metrics to drive for success. The IT security teams, on the other hand, are worried about breaches, data loss prevention, indications of compromise, denial of service attacks and more in order to keep the cyber attackers out of the corporate network. The challenge is that both teams use the common term of risk, but in different ways. Today's threat environment has forced the risk environment to blend. Sophisticated targeted attacks and advanced polymorphic malware affect a business's bottom line. Theft of critical information, such as credit card numbers, health insurance records, and social security numbers, results in revenue losses, bad reputation, regulatory fines, and lawsuits. Because these teams have not typically communicated very well in the past, how can we ensure that they have a converged meaning for risk when they are speaking different "languages"?
In order to fully explore the variations to the term "risk" for the business, I wanted to understand what the Securities and Exchange Commission (SEC) required of corporations in reporting requirements to their shareholders. The 2013 Cybersecurity Executive Order signed by President Obama, and the release of the NIST Cyber Framework, seemed to be giving the SEC a new reason to revisit the topic of cyber security with a revitalized vigor.
The SEC had already published guidance on how corporations should provide cyber security risk disclosures in the CF Disclosure Guidance: Topic No. 2 (October 13, 2011). However, the speech that SEC Commissioner Luis A. Aguilar gave at the "Cyber Risks and The Boardroom Conference" at the New York Stock Exchange on June 10 discussed what the "boards of directors can, and should, do to ensure that their organizations are appropriately considering and addressing cyber risks." In proposing a strong case for the boards of directors to take action, he discussed the "threat of litigation and potential liability for failing to implement adequate steps to protect the company from cyber-threats." He also discussed the derivative lawsuits that were brought against companies, their officers and directors relating to data breaches. What caught my attention most about the speech is when he said, "Thus, boards that chose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril."
Commissioner Aguilar made a strong recommendation for corporations to voluntarily adopt the NIST Cybersecurity Framework in order to begin addressing the problem with the statement, “While the Framework is voluntary guidance for any company, some commenters have already suggested that it will likely become a baseline for best practices by companies, including assessing legal or regulatory exposure to these issues or for insurance purposes.”
I am not disagreeing with Commissioner Aguilar, but in practice, this is an incredible challenge for any board of directors as they are now being asked to provide direct cyber security oversight to the internal day-to-day operations of the organization or risk “peril.”
Below you will find the results of a very thorough survey by the firm PROTIVITI presenting the 2014 priorities in the field of information technology.
The document sets out a fairly exhaustive list of themes to consider across a range of IT issues. It comments on the main survey results and lays out the key questions likely to interest directors and executives.
Like Denis Lefort, CPA, consultant in governance, audit and control, I encourage you to read this recent and highly relevant document, of interest to organizations grappling with IT-related issues.
Here is a post by David A. Bell, partner at the firm Fenwick & West LLP, recently published on the Harvard Law School blog. The text is a summary of the publication Corporate Governance Practices and Trends: A Comparison of Large Public Companies and Silicon Valley Companies (2013), whose full text is available here.
Since 2003, Fenwick has surveyed the governance practices of the corporations in the Standard & Poor's 100 Index (S&P 100) that are relevant to the publicly traded high-technology companies of the Silicon Valley 150 Index (SV 150). In the attached document you will find comparative data between the two groups, often surprising and highly significant, on the following themes:
Composition of the board of directors;
Number of executive directors on the board;
Diversity of membership, notably the proportion of women;
Size and number of meetings of the board and its statutory committees;
Majority voting and board classification practices;
Use of multi-class voting structures;
Stock ownership guidelines for directors;
Frequency and number of activist shareholder proposals.
I invite you to read this excerpt; then, if you want to know more, also read the HLS summary. Finally, if the detailed study interests you, you can obtain the full report here.
In each case, comparative data is presented for the S&P 100 companies and for the high technology and life science companies included in the SV 150, as well as trend information over the history of the survey. In a number of instances we also present data showing comparison of the top 15, top 50, middle 50 and bottom 50 companies of the SV 150 (in terms of revenue), illustrating the impact of scale on the relevant governance practices.
Significant Findings
Governance practices and trends (or perceived trends) among the largest companies are generally presented as normative for all public companies. However, it is also somewhat axiomatic that corporate governance practices should be tailored to suit the circumstances of the individual company involved. Among the significant differences between the corporate governance practices of the SV 150 high technology and life science companies and the uniformly large public companies of the S&P 100 are:
The number of executive officers tends to be substantially lower in the SV 150 than in the S&P 100 (in the 2013 proxy season, average of 6.5 compared to 11.2). In both groups there has been a long-term, slow but steady decline in the average number of executive officers per company, as well as a narrowing in the range of the number of executive officers in each group.
While there has been a general downward trend in both groups, the SV 150 companies continue to be substantially less likely to have a combined board chair/CEO than S&P 100 companies (in the 2013 proxy season, 37% compared to 72%). Where there is a separate chair, they are also substantially more likely to be a non-insider at SV 150 companies (in the 2013 proxy season, 69% compared to 21%). Lead directors are substantially more common among S&P 100 companies (in the 2013 proxy season, 85% compared to 44%).
The S&P 100 companies tend to have larger boards than SV 150 companies (average of 12.0 compared to average of 8.1 in the 2013 proxy season), and tend toward larger primary committees (audit, compensation and nominating). They are also substantially more likely to have other standing committees (83% of S&P 100 companies do, compared to 23% of SV 150 companies in the 2013 proxy season).
Female directors are substantially more common among S&P 100 companies whether measured in terms of average number of female directors (in the 2013 proxy season, 2.4 compared to 0.8) or in terms of average percentage of each board that are women (in the 2013 proxy season, 19.9% compared to 9.1%). While female board membership peaked among SV 150 companies in the 2008 proxy season (average of 12.3% compared to 17.2% for the S&P 100), the overall trend is clearly upward in both groups (compared to averages of 10.9% in the S&P 100 and 2.1% in the SV 150 in the 1996 proxy season). From the 1996 through 2013 proxy seasons, the percentage of companies with no women directors declined from 11% to 2% in the S&P 100 and 82% to 43% in the SV 150.
SV 150 companies continue to have more insiders as a percentage of the full board, while S&P 100 companies continue to have more insider directors measured in absolute numbers (while there has been a longer-term downward trend in insiders, both groups have held essentially steady over the past five proxy seasons).
While there is a clear trend toward adoption of some form of majority voting in both groups, the rate of adoption is substantially higher among S&P 100 companies (92% compared to 44% of SV 150 companies in the 2013 proxy season), although it declined 5% from the 2011 proxy season (compared to a 7% increase for the SV 150).
Stock ownership guidelines for executive officers are substantially more common among S&P 100 companies (in the 2013 proxy season, 95% compared to 53%), although that is a substantial increase for both groups over the course of the survey (compared to 58% for the S&P 100 and 8% for the SV 150 in 2004), including a 9% increase in the SV 150 over the last year. Similar trends hold for stock ownership guidelines covering board members (although the S&P 100 percentage is about 20% lower for directors over the period of the survey).
While classified boards used to be similarly common among both groups (about 44% for S&P 100 and 47% for SV 150 in 2004), there has been a marked long-term decline in the rate of their use among S&P 100 companies but not among SV 150 companies (11% for S&P 100 compared to 45% for SV 150 in the 2013 proxy season). Our data shows that within the SV 150, the rate of adoption fairly closely tracks with the size of company (measured by revenue).
Stockholder activism, measured in the form of proposals included in the proxy statements of companies, continues to be substantially lower among the high technology and life science companies in the SV 150 than among S&P 100 companies (whether measured in terms of frequency of inclusion of any such proposals or in terms of number of proposals). However, over the last two proxy seasons, the largest companies in the SV 150 have closed the gap and are now comparable to the S&P 100 in terms of frequency of having at least one such proposal.
Richard Leblanc, associate professor of Law, Governance & Ethics at York University in Toronto, offers an impressive (nearly exhaustive) reading list likely to interest board members who have questions about IT and the role of social media.
This list was prepared for his participation in the annual conference of the National Association of Corporate Directors (NACD), October 11 to 13, 2013, which will focus on board leadership, particularly in getting a better grasp of new information technologies.
Of course the list is long, but by skimming it you will certainly find a link to a document that interests you. Enjoy.