May 10, 2018

How Directors Should Oversee (& Leverage) Data Analytics

There’s nothing hotter right now than data analytics. “Big data” can yield some big opportunities – so it would seem that boards would seek this information out when strategizing the big picture. At a minimum, boards should be at least oversee how their companies are using data analytics. This KPMG memo throws out some key questions for boards to consider:

— How is the data being collected and organized within the company and who is involved? Ultimately, who is responsible?

— Can the data be trusted? How is the quality and integrity of the data assessed?

— Does the company have a data ethics policy to protect the brand reputation and reduce legal risk?

— Does the company have the right talent, skills, and resources required to implement/manage its D&A activities?

— Has the company scoped out the near-term and longer-term opportunities for its use of D&A, including financial reporting and predictive analytics?

Trends in Board Cybersecurity Oversight

This recent EY webcast about the board’s cybersecurity oversight role included a poll of director & executive attendees. It appears that most companies aren’t making big changes in response to the SEC’s cybersecurity guidance from earlier this year. Here’s what else they found:

1. Which emerging technology does your board expect to have the greatest impact on the company’s strategy?
– Artificial Intelligence (AI)/Machine Learning and Internet of Things (IoT) – tied at 23%
– Blockchain and Robotic Process automation – tied at 19%

2. As a board member, which of the following do you think is most important to enhance the company’s cyber maturity posture?
– Enhancing data protection and privacy policies – 32%
– Continuously educating and testing the workforce on cybersecurity related matters – 22%
– Improving cyber threat intelligence gathering – 18%

3. How often are your board and management team conducting tabletop exercises and crisis scenario exercises?
– Annually – 31%
– Ad hoc basis/rarely – 30%
– Twice a year or never – tied at 18%

4. Given the recent SEC cybersecurity guidance, do you expect a material change in your disclosure controls process and procedures during your next quarter-end?
– No – 60%
– Yes – 40%

Also see the CAQ’s “Cybersecurity Risk Management Oversight: A Board Tool” that gives a list of questions that can be asked…

New Delaware Website for Data Breach Compliance

Delaware has amended its data breach law for the first time since enacting it in 2005 (see this Pepper Hamilton memo). To help companies comply with the new requirements, it’s now launched this website with template forms. According to this Morgan Lewis blog, the forms can be used for the required data breach notices to the Delaware Attorney General as well as consumers – and the website also provides a link for consumers to file complaints.

Liz Dunshee