2 the answer will depend on: size and type of company; industry whether company is public or private...

Upload: ashley-clark

Post on 03-Jan-2016

Page 1: 2 The Answer Will Depend On: Size and type of company; industry Whether company is public or private Who are the majority owners, shareholders, investors
The Answer Will Depend On:

• Size and type of company; industry
• Whether company is public or private
• Who are the majority owners, shareholders, investors
• Items in the news
• What outside consultants, seminars, trainings are focused on
• Individual Board Members and their backgrounds
  • What they consider high risk items
  • What other boards they sit on

ADVISING THE BOARD

How Can You Calm Your Board’s Fears?

• Identify and discuss risks and threats before issues arise
• Use the Enterprise Risk process
• Review risk policies and processes and audit plans with the Board (at least once per year)
• Demonstrate to the Board that company has strong control environment
• Give Board regular updates on risk process and issues (i.e. hotline calls, internal investigations)

How Can You Calm Your Board’s Fears? (cont.)

• Walk through how management would propose to handle a “crisis” (i.e. cyberattack, FCPA investigation, black swan event) and get Board to buy-in

• Determine if specialized Board committees are necessary for specific risks

Advising the Board

• Principles of board oversight (general obligation to protect corporate assets)

• Directors entitled to rely on management and outside experts

• Business judgment rule applies

Advising the Board: Investigations

• How should management keep Board updated on investigations?

• What investigations should be performed under direction of management and which by the Board or Audit Committee?

• Remember, there are often competing interests:
  • Board members
  • Senior management
  • Potential whistleblowers

CYBERSECURITY

Cybersecurity Threats

Data Breaches

• 45% of senior executives say their companies experience cyber attacks hourly or daily

• In 2014, over one billion accounts were compromised

• In 2014, the global average cost of each data breach was $3.5 million USD, up 15% from 2013

*Source: Thomson Reuters

Cybersecurity Threat

• “Hacktivism”
• Foreign Governments
• Proprietary Data – APT
• Attacks on critical infrastructure—SCADA, DCS, PLC
• The Pentagon, Department of Homeland Security, NSA-cyber war exercise
• Insider Threats

Standards

• No single standard for private-sector cybersecurity
• NIST framework
• Dept of Justice, SEC, FTC, FCC
• States differ - 49 different state laws
• DOJ - Computer Crimes & Intellectual Property Section – Best Practices
• SEC - policing cybersecurity preparedness
• SEC comments
• Energy Sector Guidelines

Civil and Criminal Remedies

• Computer Fraud and Abuse Act
  • Access without authorization
• Wiretap Act
  • Prohibits interception of electronic communication
• Stored Communications Act
  • Prohibits access of a facility through which electronic communications are provided
• State trade secret laws
• RICO
• State computer crime laws

Personally Identifiable Information

• Privacy Laws
• 49 states have data security breach laws
• Comprehensive privacy laws in many countries, including EU Data Privacy laws and China State Secret Laws
• Requirements to notify affected individuals
• Attorney General
• Consumer reporting agencies

Insurance

• Third party claims
  • Banks, consumers, counter-parties
• Business interruption
• Crisis management
• Implementation of response
• Cyber extortion

COMPLIANCE

Global Anti-Corruption Laws

• The U.S. Foreign Corrupt Practices Act (FCPA)
  • Prohibits giving anything of value (or promises to do so) to foreign officials to obtain or retain business (DOJ)
  • Requires issuers of U.S. securities to make and keep accurate books and records and to maintain adequate internal accounting controls; prohibits knowingly falsifying books and records or knowingly failing to implement internal controls (SEC)

• Other anti-corruption statutes in the UK, China and other major countries

Enforcement Environment

• Enforcement trends
• Companies even more accountable for conduct of foreign subsidiaries/JV partners
• More violations on the accounting controls/books and records violations side
• More DOJ talk about going after individuals
• Adequate vs. inadequate compliance programs

Criminal Prosecution of Individuals

“If you want full cooperation credit, make your extensive efforts to secure evidence of individual culpability the first thing you talk about when you walk in the door to make your presentation”

“Even the identification of culpable individuals is not true cooperation if the company fails to locate and provide facts and evidence that implicate those individuals”

- Speech by Principal Deputy Assistant Attorney General, September 2014

Criminal Prosecution of Individuals (cont.)

• PetroTiger - June 2015
  • General Counsel and Co-CEO pled guilty
• Hyperdynamics – May 2015
  • DOJ declined prosecution because company cooperated
• Alstom – December 2014
  • $772 million criminal penalty
  • Failed to provide “thorough cooperation”

International Trade Compliance

• OFAC/Sanctioned Country Issues
• Russia – September 2014
  • Applicability to certain projects uncertain
  • How to comply?
• Iran
  • Nuclear technology accord reached
  • What if the market opens?
• Cuba
• Import Control Issues/C-TPAT Issues/Border Control

BLACK SWAN EVENTS

Black Swan Events

• What is a Black Swan Event?

An event that comes as a surprise, has a major effect, and is often inappropriately rationalized after the fact with the benefit of hindsight

• Examples
  • Macondo
  • 9/11
  • Sub-prime mortgage crisis
  • Decline in oil prices

Black Swan Events (cont.)

• What can be done to control the chaos during events?

• What can be done to keep them from being enterprise threatening/destroying events?

What Keeps Your Board Up At Night?

August 6, 2015

ACC Chapter Meeting CLE

The Woodlands

MICHAEL FARNELL, Chief Legal Officer, Nexeo Solutions LLC

RACHEL EHLERS, Director of Compliance, Nexeo Solutions LLC

SEAN GORMAN, Partner, Bracewell & Giuliani, LLP