When I came back to the office after the holidays, I came across a couple of recent surveys of Australian directors which reveal some of the issues that most concern the people who run companies in this country in 2017. Regulatory and personal risks are always near the top of these lists, and the recurring themes include:
- How do I make sure my business complies with all of the relevant regulations, especially OH&S
- How can I protect my brand and the reputation of the business
- How do I deal with digital disruption in my industry
- How can I make sure my business is innovative and keeps up with the market
- How can I better manage risks with IT systems, cyber security and data protection
- How can I reduce the risk of personal liability, particularly in connection with insolvent trading and operating distressed companies?
Management of these regulatory risks should be part of the strategic planning for any business. It is very difficult to make informed decisions about a company's strategy without a comprehensive understanding of the risks involved. And in our increasingly interconnected world, new and more complex risks constantly appear, along with increased scrutiny by regulators, shareholders, the media and the public.
I have dealt with some of the major concerns identified by directors in this blog.
Social media - social media now has a significant effect on customers, employees, and investors. Facebook recently reported daily active users of more than one billion. Twitter reported 66 million average monthly active users in the United States and 254 million in the rest of the world. These are both significant increases from the previous years. Many companies are using social media marketing to increase their product and brand awareness, build their reputation and customer loyalty and encourage customer engagement, all of which can increase revenue. Customers increasingly post reviews of products, brands and companies, which influence new customers. But in addition to customer relationships, social media also creates a risk of damage to a company's reputation (for example when a post goes viral, particularly if the company has an inadequate or delayed response, or by the misuse of social media by company personnel and the posting of confidential or proprietary information on a social media platform). As the old saying goes, "It takes 20 years to build a reputation and five minutes to ruin it."
Cyber security – an increasing number of directors are concerned that cyber threats could adversely impact their business, and one of the biggest concerns facing boards at the moment is how to provide effective oversight of cyber security. For example, assigning someone with responsibility for cyber issues, identifying the main assets at risk (intellectual property, personal information and trade secrets), preparing an incident response plan (and testing it), providing training to employees, limiting access rights and backdoors to key data entry points, conducting cyber due diligence on any target or recently acquired companies, checking that third-party contracts contain proper data breach notification, audit rights, and indemnification provisions, obtaining specific cyber insurance, and conducting an annual third-party risk assessment to review current practices and risks.
Increased regulation - I would anticipate increased regulation for companies in the area of cyber security. In the US, the Federal Trade Commission and the SEC have already increased their activity in this space and recently the SEC brought an enforcement action against an investment adviser for failure to adopt policies reasonably designed to protect customer records and information. Although there was no evidence that any client suffered financial harm, the investment adviser settled the action for US$75,000.
Increased litigation exposure – the position on liability for data breaches is not always clear. For example, in Target's recent multi-million dollar settlement with certain major credit card brands, companies are fighting over who should be liable for exposure in a data breach, and credit card companies are trying to shift liability to the merchants who failed to implement smart chip technology to credit cards. It is also worth noting the recent trend in the US of class actions being filed by consumers after companies notify data security breaches (for example where credit card information of customers is disclosed).
Directors' personal liability - directors of companies that experience major data breaches can be faced with derivative actions following an event. However, provided that boards have been actively engaged in monitoring their companies' efforts to avoid and mitigate such a breach, the risk of personal liability appears to be slim. In a recent case, the derivative lawsuit against a company's board of directors was dismissed as the directors had conducted a detailed investigation, discussed the cyber attacks at multiple meetings during the relevant time frame, and retained a third-party technology firm to investigate each breach and recommend enhancements to the company's systems.
Crisis management – what starts as a minor failure to manage risks effectively can easily lead to a crisis for a company. A crisis may be gradual, such as emerging competitive threats or an economic downturn, or it could be sudden, such as a cyber attack, allegations of fraud, technology failure or a natural disaster. Companies should have an effective crisis response plan, with a team responsible for internal and external communications, and external legal and investor relations experts who can help the company respond quickly and effectively.
The key to dealing with all of these risks is advance planning and preparation, to minimise the risks, and to ensure that there is a plan in place in the event that something goes wrong.
I would be interested to hear people's views on the risks I have mentioned above, or whether you have any other areas of concern which you would add to the list.
For further information please contact:
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.