Dear reader,

Welcome to the March 2020 edition of The Director’s Dilemma. This month our dilemma concerns a director who had assumed the governance was good enough and then discovered that – when things went wrong – it wasn’t. Although the thing that went wrong on this occasion was a technology issue, the failings would probably have been thrust into the spotlight if the issue had involved inappropriate culture, supply chain, payroll, or any number of other topics.

Our three contributors have provided a great range of ideas in response to the dilemma. I hope that you enjoy their insights and find them helpful in extending your governance knowledge.

Please remember that my twenty years’ experience consulting to, and sitting on, boards is available to you if you should need a board performance review, strategy workshop, or director education session. Read to the end of this newsletter for details of a book review, a webinar on how to build a cohesive board, the ‘quote of the month’, and information on what has been happening in my world over the past months.

To read this email in a browser, go to www.mclellan.com.au/newsletter.html and click on 'read the latest issue'.

Trevor is a director of a listed company that has been a 'market darling'. The company provides credit assessments and data verification. The founders both have a strong background in the sector and a healthy network of contacts that led to a growing client list which included governments and financial institutions.

Since the listing, two years ago, the company has met or exceeded forecasts and Trevor has been proud to be the only independent director on the board alongside the two founders and the CEO. He chairs the audit committee and, unofficially, has been the guiding force behind establishing governance processes and documentation.

The founders have remained very active in the business and Trevor has occasionally worried that they make strategic decisions and tell him about them afterwards at the board meetings. As Trevor's background is audit and assurance, he assumes he wouldn't add much value beyond ensuring sound processes and keeping records.

Three weeks ago, everything changed. A large amount of the company's data was 'dumped' on the dark web. It included the financial details of people who had been assessed as well as identification details such as tax file numbers and residential addresses. Worse, the company initially claimed that the information had not come from their systems and then admitted that they had received ransom demands indicating that data had been filched as long as a year before this disaster.

Clients have withdrawn their business, shareholders are dismayed, the share price is in free fall, and the press are clamouring for information.

How should Trevor help the company weather this storm?

Adam's Answer

This is a critical time for Trevor legally and reputationally; it is also a time when being an independent director carries additional responsibility to the company, the shareholders, the staff and the customers.

All Directors and Executives can only have one response to a blackmail attempt. That is to immediately report it to the police and not respond to the ransomware demands. Secondly, the company should have had a crisis management plan in place ready for such an eventuality. In this day and age, no company should operate without a cybercrime contingency plan.

In this case it is unclear, but it appears that the authorities were not informed and that Trevor's company was unprepared for a data breach or ransomware demands.

There are 2 scenarios open to Trevor:

1) If Trevor was not informed straight away of the ransom demands and the CEO and founding Executive Directors knew but did not brief him on the ransom issue and the company's response, then his independent status has been compromised and he should resign.

2) If Trevor was informed and the whole Board was involved in the response, then Trevor must remain and help the company ride out the storm. This will involve working with the police, the ASX and crisis management guidance from external suppliers - technical and PR.

The rule to follow is full transparency and speedy action. 

Trevor should refer to the recent ransomware attack on Toll Logistics and their response which was exemplary.

Adam Salzer OAM is the Chair and Global Designer for Whitewater Transformations. His other board experience includes Australian Transformation and Turnaround Association (AusTTA), Asian Transformation and Turnaround Association (ATTA), Australian Deafness Council, Bell Shakespeare Company, and NSW Deaf Society. He is based in Sydney, Australia.

Julie's Answer

This is a listed company; Trevor must ensure appropriate disclosure. A trading halt may give the company time to investigate, and respond to, the events and then give the market time to disseminate the information. His customer liaison at the stock exchange should assist with implementing a halt and issuing a brief statement saying what has happened and that the company will issue more information when it becomes available.

This will be a costly and distracting exercise that could derail the company from its current successful track.

Three of the four board members are executives. That doesn't mean the fourth can rely on their efforts. Trevor must add value by asking intelligent questions that people involved in the operations will possibly not think to ask. This board must work as a team rather than a group of individuals who each contribute their own expertise and then come together to document decisions that were not made rigorously or jointly.

Trevor has now learnt that there is more to good governance than just having meetings and documenting processes. He needs to get involved and truly understand the business. If his fellow directors do not welcome this, he needs to consider whether they are taking him seriously or just using him as window-dressing. He should ensure that the whole board is never again left out of the information flow when something important happens (or even when it perhaps might happen).

He should also take the lead on procuring legal advice (they are going to need it), liaising with the regulators, and establishing crisis communications. Engaging a specialist communications firm may help.

Julie Garland McLellan is a non-executive director and board consultant based in Sydney, Australia.

Jinan's Answer

I recommend three separate parallel streams of work for Trevor. 

1. Immediate public facing actions
Immediately apologize and state your commitment to your customers. Hire a PR firm and have the most public-facing person issue an apology. The person selected to issue the apology has to be selected carefully (they cannot be the person responsible for the leak, and they should have the potential to become the new trusted CEO).

2. Tactical internal actions
Assess the damage and contain the incident.  Engage an incident response firm to assess how the breach happened, when it happened, what was stolen. Confirm that leak doors are closed. Select your IR firm carefully - the better reputed they are, the better you will look in litigation.
Conduct an immediate audit and investigation. You need to understand who knew, when and why this was buried for a year.
Take disciplinary action against anyone who was part of the breach. Post audit, either allow them to keep their equity or buy them out.

3. Strategic actions
Review and update your cybersecurity incident response process.  This includes your ransomware processes (e.g. will you pay, how you pay, etc.), and how you communicate incidents. 
Build cybersecurity awareness, behavior and culture up, down and across your company. Ensure that everyone from the board down is educated, enabled and enthusiastic about their own and your company's cyber-safety. This is a journey, not a one-off miracle.
Extend cybersecurity engagement to your customers. Be proactive not only on the status of this incident, but also on how you are keeping their data safe.  Go a step further and offer them help in their own cyber-safety.
Create a forward thinking, business and risk-aligned cybersecurity strategy. Understand your current people, process and technology gaps which led to this decision and how you'll fix them.
Elevate the role of cybersecurity leadership.  You will need a chief information security officer who is empowered to execute the strategy, and has a regular and independent seat at the board table. 

Jinan Budge is Principal Analyst Serving Security and Risk Professionals at Forrester and a former Director Cyber Security, Strategy and Governance at Transport for NSW. She is based in Sydney, New South Wales, Australia.

Book Review - Dilemmas, Dilemmas II: MORE PRACTICAL CASE STUDIES FOR COMPANY DIRECTORS (VOLUME 2)

This book allows directors to practise and develop their judgement. Contributions from international governance experts, including directors, advisers, consultants, and academics provide insights that extend and enhance the ability of the reader to respond to situations that arise in boardrooms.
 
Directorship is about judgement and this book provides a range of responses from which readers can rapidly assess and enhance their own responses to more effectively meet the challenges of their own board roles. These case studies are drawn from real life. They are up-to-date, entertaining and educational. They will make you a better director!
 
With contributions from around the world and examples of applying good governance to commercial, family, not-for-profit and government sector boards this book is an authoritative and comprehensive source of inspiration for experienced and aspiring directors.

Available on amazon.com or amazon.com.au and specialist bookstores.

 

Julie's News - In February

Sydney’s wild weather continued into February with the bushfires giving way to torrential rain and high winds.
Highlights for the month were helping a client’s board to recruit the right CEO to drive future growth, an excellent briefing on the practical implementation of safe harbour for company directors by Worrells, a fascinating breakfast address on the future of AI and how boards should lead in this space, a round table with Microsoft’s global VP of AI and Innovation, my own board meetings, two facilitated strategy sessions for clients’ boards and senior executive teams, some excellent networking and inspirational events themed for International Women’s Day, and a trip to Nowra!

I am always keen to work more and will be delighted to hear from you if you would like to arrange a board strategy workshop, education session, or board performance review! Just call me on +61 411 262 470 or reply to this email for a discussion of how I might help your board.

Inspirational quote for March - This month my favourite quote is:

Our protagonist, Trevor, will need to develop his ‘inner pitbull’ and become tenacious about making sure he is included in all discussions that require board-level decisions. I am a long-time admirer of Warren Buffett and his incessant focus on value foundations.

A note on names - A few readers have asked me where I find the names for the protagonists in each case study; I 'borrow' them from people I meet or things that I read. Trevor is a name of either Irish or Welsh origin and can mean 'industrious', 'ambitious', or 'prudent'. Our protagonist will need to be all three if he is to provide leadership to his company and fellow directors in this time of great need.

Free webcast “The Secrets of Cohesive Boards” - Great boards pull together through any crisis. Cohesion can be built and enhanced. On 6 February I presented a webinar with Phil Preston about the techniques that I have seen used to successfully build board cohesion. Things that any director, not just the chair, can do. You can access the recording at this link: https://vimeo.com/389639190 (password is "collaboration").

This newsletter - If you have any ideas for improving the newsletter please let me know. If you are reading a forwarded copy please visit my website and sign up for your own subscription.

Suggestions for dilemmas - Thank you to all the readers who have suggested dilemmas. They are greatly appreciated. I will answer them all eventually. I could not write this newsletter without your help and without the generous help of all the experts who respond each month to the case studies.

Be a contributor - If you would like to attempt a response to the dilemmas for publication you will be most welcome. Simply reply to this email and let me know.

Let's connect - I use LinkedIn to share information about boards and directorship with my friends and acquaintances. If you use LinkedIn and we are not yet connected I will welcome a connection from you. You can find me at linkedin.com/in/juliegarlandmclellan.

Let me help you - If you would like me to speak to or train your board, staff, audience and/or group please contact me at julie@mclellan.com.au.

Farewell until the next issue (due 1 April 2020; and yes - I am aware that it will be April Fool's Day for many of you). I look forward to greeting you again then. In the interim I hope you will enjoy health, happiness and hard work on your board careers: Enjoy governing your companies; we are privileged to do what we do!

Best regards,

Julie



Photo Credits: Personal images in this newsletter are provided courtesy of the contributors, course attendees and conference participants.

Disclaimer: The opinions expressed above are general in nature and are designed to help you to develop your judgement as a director. They are not a definitive legal ruling and do not constitute legal advice. Names and some circumstances in the case study have been changed to ensure anonymity. Contributors to this newsletter comment in the context of their own jurisdiction; readers should check their local laws and regulations as they may be very different.

Privacy: I am privileged to have your contact details and keep them as safely as possible. I will alert you if they are ever accessed by any unauthorised person (the technical staff at ayuda help with publishing and issuing the Director's Dilemma and have access so they can send the newsletters to you). I do not sell your details to anyone; they are kept only for the intended purpose - sending you this newsletter and helping to build the judgement of company directors by providing a safe way to consider potential responses to real life events.