'THE DAILY CORPORATE GOVERNANCE REPORT' (for public company boards, the C-suite and GCs)


Please see the items below with the related links (NOTE: access to link content may be metered, require a no-charge registration or require a paid digital subscription)


(i) Globe and Mail updates its 'Board Games' methodology for 2023: Every year at the end of November or in early December the Globe and Mail publishes its highly anticipated and widely consulted "Board Games", its "annual comprehensive rankings of Canada's boards and the corporate governance practices of Canada's largest publicly traded companies", i.e., those that comprise the S&P/TSX Composite Index. On Friday, in this article, "The Globe and Mail updates Board Games methodology for 2023", the Globe and Mail published the changes it was making to the Board Games' corporate governance criteria for 2023, the first time it has done so in advance of the release of that year's Board Games report:


"For the 22nd year in a row, Report on Business will rate the work of Canada’s corporate boards using a rigorous set of governance criteria designed to go far beyond minimum mandatory rules imposed by regulators. This year, The Globe and Mail has committed to publishing the marking criteria prior to the release of the Board Games report, which will occur later this year.

"The Globe’s data partner, Global Governance Advisors, will examine the boards of directors of companies and trusts in the S&P/TSX Composite Index to assess the quality of their governance practices and disclosure. In 2022, The Globe made a number of major changes to Board Games criteria, including removing many questions for which the overwhelming majority of companies – roughly 90 per cent or more – received full credit. The Globe also reallocated several marks to other questions, particularly those about diversity. And it raised thresholds in those areas and others.

"In 2023, there are fewer changes. There are two new criteria, however, on matters related to board oversight of climate issues, a first for Board Games. The questions examine whether a board has at least one director with climate expertise and whether companies provide climate-related education sessions to their boards. To make room for the new criteria, which bring the total Board Games criteria to 34, The Globe reallocated points from some of the criteria in place in 2022....."


Note that the article lists the complete 34 corporate governance criteria that will apply to the 2023 Board Games rankings, as well as the number of points allocated to each criterion.



(ii) board cyber experience in light of the new SEC cybersecurity disclosure rule/veteran director on board cybersecurity oversight in light of the new SEC cybersecurity disclosure rule:

(a) Conspicuous by its absence in the SEC's new rule mandating cybersecurity disclosure adopted last Wednesday (see item (i) from last Thursday) was a key element that had been in the initial proposed rule, namely the requirement to disclose a board's cyber expertise, the SEC explaining its decision to drop this requirement as follows:


"We are persuaded that effective cybersecurity processes are designed and administered largely at the management level, and that directors with broad-based skills in risk management and strategy often effectively oversee management’s efforts without specific subject matter expertise, as they do with other sophisticated technical matters......"


Nonetheless, the new rule does require that companies "describe the board of directors’ oversight of risks from cybersecurity threats", and the importance of having some level of cyber experience on the board to meet the board's oversight duties is discussed in this WSJ article last Friday, "Cyber Experience on Boards Still Seen as Critical in New SEC Rules", inter alia quoting Phil Venables, CISO at Alphabet's Google Cloud unit, and Merritt Baer, part of the office of the CISO at Amazon's AWS cloud company until this month:


"Companies will no longer need to say if their boards have cybersecurity experts under new rules from U.S. financial regulators, but that hasn’t diminished the importance of having them available, company directors say. The U.S. Securities and Exchange Commission proposed regulations in March 2022 that would have required companies to disclose which, if any, of their board directors had significant knowledge of or experience in cybersecurity. The SEC dropped that provision in the final version of the rule adopted Wednesday.....

"The SEC didn’t let boards entirely off the hook. Directors are expected to exercise oversight of cybersecurity risk management processes, and those must be detailed in annual reports, according to the final rule. This means that even if boards don’t have to disclose which directors have experience in cybersecurity issues, they still need people with that knowledge, said Merritt Baer, field chief information security officer at cloud security provider Lacework. “Disclosing the oversight process is a motivator to get more board expertise—or it should be,” said Baer, who was part of the office of the CISO at Amazon's AWS cloud company until this month. “When we see enterprises with security expertise on the board, they’re better equipped to make decisions about risk but also make decisions about future business initiatives,” she said.

"Many larger companies, particularly those in highly regulated critical infrastructure sectors such as financial services, won’t need to dramatically adjust their approach to board oversight, said Phil Venables, CISO at Alphabet's Google Cloud unit. “A big chunk of the Fortune 500 have got this reasonably well-covered. But there’s a long tail of small-to-medium-sized public companies that are probably going to have to figure this out,” he said. A likely outcome is that boards will be engaging more with the executives responsible for cyber risk management......"


(b) As noted in (a) above, the new SEC rules for cybersecurity disclosure released last Wednesday inter alia require U.S. companies "to describe the board of directors’ oversight of risks from cybersecurity threats." In this Forbes blog post last Thursday, "SEC Adopts New Cybersecurity Disclosure Rules", Betsy Atkins, a veteran director who has served on the board of several prominent public companies, suggests questions that boards should ask management in connection with their oversight of cyber risks:


"Here are some suggested questions for the board to bring to management to serve as discussion starters:

-- What does the CISO consider the biggest risks for the business?

-- Which risks are the biggest vulnerabilities and most likely to happen?

-- Where is the vulnerability with the highest financial impact?

-- What is the CISO’s recommendation for prioritizing the most essential areas for investment?

-- As part of tabletop cyber planning, ask the CISO and/or tech team to run you through their post-breach protocol. For example, who is the outside counsel they would use? Who is the forensic consultant? Who on the communications team is in charge?

"Board of directors may want to consider incorporating the above topics in discussions with management to help ensure that their companies are in compliance with the new rules."



(ii) (more from) the lead director at Morgan Stanley on the board's oversight of cyber risk, and communicating with the CISO (and more): Tom Glocer is lead director at both Morgan Stanley and Merck & Co., former CEO of Thomson Reuters, and current chairman of cyber consulting and investment firm Istari. He recently spoke at this Istari-hosted webinar on the board's oversight of cyber risk (note: this was prior to the SEC announcing its new final rule on cybersecurity disclosure), and was quoted in this WSJ Cybersecurity Newsletter earlier this month (see item (iii) from last Monday). More of what Tom Glocer said at the webinar appears in this WSJ Pro Cybersecurity Newsletter last Monday, "What The Board Needs To Know":


"Communication between security leaders and directors remains one of the biggest roadblocks to boards getting the information they need to properly oversee cyber risk. Tom Glocer, who holds multiple board positions, including lead director at Morgan Stanley and chairman of cybersecurity company Istari Global, spoke on a variety of cyber resilience topics, including the importance of clear language, in a recent webinar.

"Glocer said chief information security officers and other technology executives need the ability to translate complex technical issues into risk evaluation and money terms that are common to the board. Glocer said if a CISO tells the board about the number of malicious packets a proxy has repelled in the last six months, “everyone looks around and says ‘I have no idea if that’s good or bad’.” He said the CISO has to “speak plain English” if they want the board to understand and take the right actions. CISOs should not be expected to figure it out for themselves. Spending time with the CISO outside briefings will help, as will coaching the CISO on the most useful information and metrics for the board.

"This presentation from Professor Chris Labash from Carnegie Mellon University’s Heinz College may also be helpful in aiding security leaders communicate better with the board. Key questions for directors to ask include:

"-- Is the board receiving information and metrics that allows it to oversee cyber risk?

-- Is the board providing adequate direction on what it wants to know and giving feedback on what it is briefed on?

-- How are the threat and risk landscapes being tracked by the security executive influenced by broader economic or geopolitical issues?......", and,



(iii) press releases of the day:

(a) Walgreens Boots Alliance, Inc. announced last Thursday in this press release a CFO transition process, as follows:

"Walgreens Boots Alliance, Inc. today announced the departure of James Kehoe, Executive Vice President and Global Chief Financial Officer. Mr. Kehoe will leave WBA in mid-August to pursue an opportunity in the technology sector. Manmohan Mahajan, Senior Vice President, Global Controller, has been named Interim Global Chief Financial Officer while the company conducts a search to fill the role with a leader who not only brings deep financial acumen to WBA, but also healthcare experience.......


"Mr. Mahajan joined Walgreens Boots Alliance in 2016 where he has held several global senior roles in finance, including Vice President, Assistant Global Controller.......With the appointment of Mr. Mahajan as Interim Global Chief Financial Officer, Todd Heckman has been named Interim Global Controller. Mr. Heckman currently serves as Vice President, Assistant Controller, and has been with WBA for seven years......";

(b) Unilever PLC announced last Friday in this press release a chair succession, as follows:

"Unilever PLC is pleased to announce the appointment of Ian Meakins as a Non-Executive Director and Chair Designate following a comprehensive search process. Ian will join the Board as Non-Executive Director and Chair Designate on 1 September 2023 and will succeed Nils Andersen as Chair on 1 December 2023. Nils will step down from the Board, after nine years’ service, at Unilever’s Annual General Meeting in May 2024.

"Ian is currently Chair of Compass Group PLC and Rexel SA, and has significant global business experience across a diverse range of industries. He served as Chief Executive of Wolseley plc (now Ferguson plc) from 2009 to 2016, Chief Executive of Travelex Holdings Ltd from 2007 to 2009 and as Chief Executive of Alliance Unichem plc from 2004, until its merger with Boots in 2006. Previously he held positions at Diageo, Bain & Company, and Procter & Gamble......."

---------------------------------------------------------------------

Please contact me if you would like to receive each issue of this daily newsletter
