Personal risks for directors in modern times

When I came back to the office after the holidays, I came across a couple of recent surveys of Australian directors which reveal some of the issues that most concern the people who run companies in this country in 2017. Regulatory and personal risks are always near the top of these lists, and the recurring themes include:

  • How do I make sure my business complies with all of the relevant regulations, especially OH&S?
  • How can I protect my brand and the reputation of the business?
  • How do I deal with digital disruption in my industry?
  • How can I make sure my business is innovative and keeps up with the market?
  • How can I better manage risks with IT systems, cyber security and data protection?
  • How can I reduce the risk of personal liability, particularly in connection with insolvent trading and operating distressed companies?

Management of these regulatory risks should be part of the strategic planning for any business. It is very difficult to make informed decisions about a company’s strategy without a comprehensive understanding of the risks involved. And in our increasingly interconnected world, new and more complex risks constantly appear, along with increased scrutiny by regulators, shareholders, the media and the public.

I have dealt with some of the major concerns identified by directors in this blog.

Social media – social media now has a significant effect on customers, employees, and investors. Facebook recently reported daily active users of more than one billion. Twitter reported 66 million average monthly active users in the United States and 254 million in the rest of the world. These are both significant increases from the previous years. Many companies are using social media marketing to increase their product and brand awareness, build their reputation and customer loyalty and encourage customer engagement, all of which can increase revenue. Customers increasingly post reviews of products, brands and companies, which influence new customers. But in addition to customer relationships, social media also creates a risk of damage to a company’s reputation (for example when a post goes viral, particularly if the company has an inadequate or delayed response, or by the misuse of social media by company personnel and the posting of confidential or proprietary information on a social media platform). As the old saying goes, “It takes 20 years to build a reputation and five minutes to ruin it.”

Cyber security – an increasing number of directors are concerned that cyber threats could adversely impact their business, and one of the biggest concerns facing boards at the moment is how to provide effective oversight of cyber security. Examples of such oversight include assigning someone responsibility for cyber issues, identifying the main assets at risk (intellectual property, personal information and trade secrets), preparing an incident response plan (and testing it), providing training to employees, limiting access rights and backdoors to key data entry points, conducting cyber due diligence on any target or recently acquired companies, checking that third-party contracts contain proper data breach notification, audit rights, and indemnification provisions, obtaining specific cyber insurance, and conducting an annual third-party risk assessment to review current practices and risks.

Increased regulation – I would anticipate increased regulation for companies in the area of cyber security. In the US, the Federal Trade Commission and the SEC have already increased their activity in this space and recently the SEC brought an enforcement action against an investment adviser for failure to adopt policies reasonably designed to protect customer records and information. Although there was no evidence that any client suffered financial harm, the investment adviser settled the action for US$75,000.

Increased litigation exposure – the position on liability for data breaches is not always clear. For example, in Target’s recent multi-million-dollar settlement with certain major credit card brands, companies are fighting over who should be liable for exposure in a data breach, and credit card companies are trying to shift liability to the merchants who failed to implement smart chip technology for credit cards. It is also worth noting the recent trend in the US of class actions being filed by consumers after companies notify data security breaches (for example where credit card information of customers is disclosed).

Directors’ personal liability – directors of companies that experience major data breaches can be faced with derivative actions following an event. However, provided that boards have been actively engaged in monitoring their companies’ efforts to avoid and mitigate such a breach, the risk of personal liability appears to be slim. In a recent case, the derivative lawsuit against a company’s board of directors was dismissed as the directors had conducted a detailed investigation, discussed the cyber attacks at multiple meetings during the relevant time frame, and retained a third-party technology firm to investigate each breach and recommend enhancements to the company’s systems.

Crisis management – what starts as a minor failure to manage risks effectively can easily lead to a crisis for a company. A crisis may be gradual, such as emerging competitive threats or an economic downturn, or it could be sudden, such as a cyber attack, allegations of fraud, technology failure or a natural disaster. Companies should have an effective crisis response plan, with a team responsible for internal and external communications, and external legal and investor relations experts who can help the company respond quickly and effectively.

The key to dealing with all of these risks is advance planning and preparation, to minimise the risks, and to ensure that there is a plan in place in the event that something goes wrong.

I would be interested to hear people’s views on the risks I have mentioned above, or whether you have any other areas of concern which you would add to the list.

This article originally appeared as a blog on LinkedIn.