‘THE DAILY CORPORATE GOVERNANCE REPORT’ (for public company boards, the C-suite and GCs)
Please see the items below with the related links (NOTE: access to link content may be metered, require a no-charge registration or require a paid digital subscription).
(i) EY report on investor focus on board AI oversight: On Feb. 10, EY posted on its Center for Board Matters website this report, "What Directors Should Know About the 2025 Proxy Season", based on conversations held in Oct.--Dec./24 "with governance specialists from institutional investors representing US$55 trillion in assets under management." Below is from section 2 of the report, "Stewardship shifts toward board quality and AI oversight":
"AI oversight: AI oversight has rapidly become a key priority for investors in just two years, with 36% citing the topic as an engagement priority in 2025, up from 19% last year. Beyond the 36% who are prioritizing engagement on AI, investors generally expect AI to be a subject of discussion and are considering related questions for companies. Importantly for board members, AI oversight is the leading topic of interest (69%): Investors want to know how boards are governing AI, including how they are cultivating the acumen needed to effectively oversee management’s strategy and inform risk oversight and capital allocation.
Where AI is fundamental to a company’s strategy (e.g., AI developers), many investors said they expect to see some level of AI expertise in the boardroom. Otherwise, they are generally more focused on how boards are accessing external expertise and upskilling through ongoing training and education. Based on our 2024 research over a quarter (26%) of Fortune 100 companies cited AI in at least one director biography or in the boards skills matrix; just 8% disclosed that AI had been a recent subject of board education or training.
Nearly all investors said they are agnostic about where AI oversight resides in a board’s committee structure; however, they do want to know how oversight of technology is structured and the board’s rationale behind that approach. For boards with technology committees (13% of S&P 500 companies), investors are interested in the related skills of directors serving on that committee, as well as how the board is ensuring engagement by all directors on technology-related matters, to avoid oversight becoming siloed. For boards without technology or risk committees (78% of S&P 500 companies), some investors did raise concerns about the audit committee being overloaded."
(ii) suggesting boards take a more pro-active approach in AI oversight: Below are excerpts from this client memorandum posted by Grant Thornton on its website on Feb. 26, "Support for AI progress goes far beyond risk management":
"In AI risk management, the biggest risk to many organizations might be failing to take advantage of AI’s transformative capabilities. This risk should be top of mind for boards as they perform their governance and oversight duties over AI. Their savviest competitors are almost certainly adopting AI, driving efficiency and providing insights that can make their organizations more profitable.
"Many boards initially saw their AI-related responsibility as urging management to develop guardrails to protect organizations from the risks related to bias, data security and transparency that are associated with the technology. But it’s long past time to go beyond a protective stance related to AI and take a proactive approach toward the technology. “The board can and should encourage management to proceed with AI initiatives and be comfortable with being uncomfortable once they have strong risk management and controls in place related to AI,” said Grant Thornton Growth Advisory Services Managing Director Joe Ranzau......Ranzau.....provides a deeper dive on AI’s impact on human capital in this Q&A, with an emphasis on the board’s role as an AI champion:
"How can boards make sure management provides employees with enough room to experiment with and pilot AI while maintaining appropriate guardrails? In some cases, management isn’t especially supportive of AI use, and boards need to push leadership forward. Although 60% of finance leaders in Grant Thornton’s CFO survey for the fourth quarter of 2024 said their organizations are using generative AI, that means 40% weren’t using it yet, even though most of them are exploring potential use cases.
Especially when management is reluctant to implement AI, boards need to set expectations for moving forward with AI, establishing a supportive environment with proper resources for AI initiatives that align with the organization’s strategy and ethical standards. Management must be ready for AI use to advance throughout the business environment — and it’s advancing quickly. It’s the board’s role to make sure that management provides employees with AI tools and training needed to succeed with the right controls in place to remain within the guardrails. These elements sometimes aren’t in place. In our most recent CFO survey, two-thirds of respondents who are using generative AI said they have clearly defined acceptable use policies for the technology. That leaves fully one-third of these organizations whose people can’t be certain when they can use generative AI — and when it’s off-limits.
Boards that allow management to be complacent on this issue should be forewarned: If the companies don’t provide guidance, there’s a good chance their employees are using AI anyway — and they might even be paying for their own AI tools. Boards must make sure that management is providing employees with clear direction on when it’s OK to use AI and when it’s not. Proper oversight by the board is required to make sure organizations provide employees with an organizational framework for AI — and abundant opportunities within that framework for employees to experiment with AI....."
(iii) Glass Lewis on board oversight of cybersecurity (with a case study of MGM Resorts' response to a recent significant cyber incident)/what’s 'top of mind' about cybersecurity for board members and CISOs in 2025:
(a) Below is from this Glass Lewis blog post on Feb. 25, "Board Oversight of Cybersecurity Incidents", noteworthy in particular for its inclusion of a case study of MGM Resorts International's response to a recent significant cyber incident (see item (ix)(b) from Sept. 18/23, and item (iv)(a) from Oct. 10/23 where this cyber incident is discussed, with links to MGM's public disclosure of the incident):
".......Many boards are....adapting to promote risk oversight that includes cybersecurity threats. There has been a significant increase in disclosure of companies’ and boards’ approaches to cybersecurity following the introduction of new SEC rules in July 2023. Those rules require disclosure of material cybersecurity incidents within four days, as well as a discussion of the role of management and the board’s committees in overseeing cybersecurity matters to be included in annual reports.
"We found that approximately 74% of companies in the Russell 3000 index have taken the additional step of codifying oversight of cybersecurity at the full board level or with a board committee in their governing documents or committee charters......
"Case Study: MGM Resorts International (MGM): On September 12, 2023, MGM disclosed that the company “had recently identified a cybersecurity issue affecting certain of the Company’s U.S. systems,” predominantly at its Las Vegas resorts. Hackers gained access to MGM’s private data by gathering the information of a company employee from a public LinkedIn profile, then using that information to impersonate the employee while requesting administrative login assistance. This type of social engineering scheme has grown increasingly popular among hacker groups in recent years, and is effective because it allows attackers to take advantage of human safeguards without having to bypass the more sophisticated software defenses that companies employ, such as firewalls or data encryption......
Company Response: MGM issued a statement the day after the incident disclosing that the company was working alongside the FBI and the U.S. Cybersecurity and Infrastructure Agency to remediate. Additionally, the company stated that it had retained cybersecurity experts and technology consultants to assist in the remediation process......The hackers ransomed the stolen data at $30 million, but MGM instead chose to ignore the ransom and start from scratch by rebuilding their compromised systems using data backups.....
In reviewing a company’s response to a cybersecurity incident, we expect a level of responsiveness and remediation that is commensurate with the impact of the incident. MGM provided timely communication to shareholders, was able to resume normal operations within a relatively short time frame, and limited the impact of the incident to low-stakes data like names and phone numbers.
In its 2023 annual report, MGM discusses that its audit committee and its chief information security officer oversee its enterprise risk management process. This process is audited annually, with emphasis on aligning the company’s framework with the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, as well as Privacy and Payment Card Industry (“PCI”) controls. These standards provide compliant companies with best practices for cybersecurity and payments processing, respectively. In its discussion of the role of management in overseeing cybersecurity risk, MGM provides that its CISO reviews the company’s cybersecurity controls and lists a series of relevant certifications and qualifications that its CISO possesses.
We view a company’s adherence to established standards and best practices as a favorable component of cybersecurity oversight. In arriving at our recommendation that shareholders vote in favor of the members of MGM’s audit committee, we considered the company’s above-average level of disclosure, specifically around the frequency of its internal and external audits, the qualifications of its CISO, and the standards with which the company aligns its cybersecurity framework.
"Conclusion: .....Boards should ensure proper audit committee refreshment and training to ensure committee members possess the necessary skills and knowledge to oversee the cybersecurity risks their companies face. Having observed a sharp uptick in cyberattacks in recent years, we expect boards to continue to grapple with appropriate structures for cybersecurity risk oversight and how to appropriately respond to cyberattacks."
(b) Below is from last Friday's Fortune Data Sheet Newsletter:
"I hosted a lively roundtable discussion yesterday about what’s top of mind about cybersecurity for board members and chief security information officers in 2025. Three questions to ask if you’re in that spot, according to the participants:
— What risk level is your organization comfortable with?
— Do you actually know what your AI is doing and how you’re governing it?
— Have you properly handled the security basics, where so many threats persist?
"Many thanks to top execs from Accenture, Cisco, and FGS for their perspectives......"
(iv) press releases/precedents of the day (consulting agreement between Bumble and its new interim CFO's consulting company; Match Group's employment agreement with its new chief operating officer):
(a) NYSE-listed supermarket chain Albertsons Companies, Inc. announced last Monday in this press release a "CEO succession plan" pursuant to which the chief operations officer will assume the role of CEO following the planned retirement of the current CEO, as follows:
"Albertsons Companies, Inc. today announced a CEO succession plan under which Susan Morris, Executive Vice President and Chief Operations Officer, will assume the role of CEO following the planned retirement of Vivek Sankaran, effective May 1, 2025. During the transition period, Morris will work closely with Sankaran to continue execution of the Company’s Customers for Life strategy. On the effective date, Morris will join the Albertsons Cos. Board of Directors, replacing Sankaran.
"Jim Donald, Chair of the Albertsons Cos. Board of Directors, said, “Over the past several years, the Board has engaged in a thoughtful and comprehensive succession planning process to identify Albertsons Cos.’ next CEO, including evaluating internal and external candidates.......".....Morris has served as the Company’s Executive Vice President and Chief Operations Officer since January 2018. In this role, she leads the Company’s retail operations, overseeing more than 2,200 stores across 34 states......"
(b) On Dec. 2/24, Nasdaq-listed Bumble Inc., the parent company of the global dating and social connection apps Bumble and Badoo, announced in this press release that its CFO, Anu Subramanian, would be resigning as CFO "to pursue opportunities outside the Company", but would continue to serve in her role through March 14, 2025 (see item (iv)(c) from Dec. 3/24). On Feb. 28/25, Bumble announced in this press release the appointment as interim CFO of Ronald Fior, currently serving as a consultant to the Company as a partner at FLG Partners (a financial consulting firm specializing in CFO and board advisory services), as follows:
"Bumble Inc. today announced the appointment of Ronald J. Fior as the Company’s Interim Chief Financial Officer, effective March 15, 2025. Mr. Fior is currently serving as a consultant to the Company and he will remain a consultant following his transition to the role of Interim Chief Financial Officer. His appointment follows the previously announced resignation of Anu Subramanian, Chief Financial Officer, effective March 14, 2025. Mr. Fior, who is currently a partner of FLG Partners, LLC, a financial consulting firm specializing in CFO and board advisory services, brings over 30 years of chief financial officer experience to Bumble...."
In connection with retaining Fior as its Interim CFO, the Company entered into this Consulting Agreement with FLG Partners for the provision of Fior’s consulting services, as summarized in the related Current Report filed with the SEC.
(c) Nasdaq-listed Match Group, Inc. (owner of dating apps Tinder, Hinge and OkCupid) announced last Monday in this press release the promotion of a senior executive to the position of Chief Operating Officer, with the current President to step down, as follows:
"Match Group today announced the promotion of Hesam Hosseini to Chief Operating Officer, effective April 1. After a decade in senior leadership roles at the company, Gary Swidler will step down as President on that date and continue as an advisor to the company until July 4, 2025, as part of a thoughtfully planned transition. Hosseini, a seasoned leader within Match Group, brings extensive experience driving transformation and operational excellence across the company's global portfolio. Hosseini currently serves as CEO of Evergreen & Emerging Brands.....
"In his new role, Hosseini will focus on driving growth and execution across the company while retaining oversight of the Evergreen & Emerging business unit and Match Group Trust & Safety. Additionally, he will now lead Corporate Development, Corporate Strategy, and the advertising sales team......"
In connection with the above, the new COO and the company entered into this Employment Agreement, as summarized in the related Current Report filed with the SEC.
-----------------------------------------------------
Please contact me if you would like to be on the distribution list and receive every issue of this newsletter directly in your inbox.