
March 15, 2015

Authored by: Jane Chwick

Technology: It's Not Just About Cyber


Introduction

Cyber-attacks on businesses and governments are constantly in the headlines. Corporate Boards recognize the severity of this threat and are beginning to ask questions surrounding their company’s cyber capabilities. This is necessary, and a good start, but not sufficient.

Assessing and dealing with cyber threats are only a portion of the technology discussion that should take place in the boardroom. The importance of technology to a firm goes far beyond the risk of a cyber-attack. Non-cyber technology glitches have caused companies to declare bankruptcy overnight. Failure to keep up with technology innovation has also led some companies into bankruptcy. More common are examples of system glitches leading to downtime, and lost revenues. There are also numerous examples of increases in revenue as a result of investment in technology. Conversely, a lack of technology investment can result in a loss of revenue opportunity. It is therefore imperative that Corporate Boards, as part of their corporate governance responsibilities, look at their companies through a technology lens and ensure that their management teams have an appropriate technology strategy, both to address revenue opportunities and to ensure appropriate risk management.

A look at some real examples

Let's start with some real scenarios…

The cyber examples are numerous and seen on an almost daily basis. Anthem, Target, Home Depot, JP Morgan, Sony have all fallen victim to significant cyber-attacks. But the list is much broader, and the frequency and breadth of impact is increasing. Many think cyber-attacks are merely directed at stealing credit cards or private information. However, the attacks are not limited to just stealing an individual’s information. They often result in the theft of sensitive intellectual property. In other cases the attacks have come in the form of brand defamation, i.e. a hacktivist organization may deface a company web site or social media page. The cyber-attack may also be done through a denial of service where a group may direct so much fake traffic to a company’s site that real business transactions cease.

ADVICE FOR DIRECTORS

Create a process for technology oversight that is in line with that of financial reporting

- Ensure that the CIO has a seat at the table

- Include CIO succession planning as a priority for the board

- Add quarterly technology updates to the board agenda

- Hire an independent firm to review the technology strategy and controls on behalf of the board

Many technology outages, or ‘glitches’, are not caused by cyber-attacks. An instructive example of a technology glitch causing a firm to quickly lose significant value happened in August 2012 to Knight Capital. Knight Capital was a financial firm engaged in market making and electronic execution of financial products. On August 1, 2012 a technology error occurred while installing a new version of the trading system. The mistake caused major price moves on almost 150 stocks traded on the New York Stock Exchange. The glitch caused Knight Capital to buy and sell millions of shares of over one hundred stocks in less than 45 minutes. Selling and covering those positions cost Knight Capital over $450mm, which was over 4 times its prior year’s profits. Knight Capital's share price went down over 75% in two days. As a result of that issue, 70% of Knight Capital was purchased by the firms that bailed them out. (Popper)

But Knight Capital is not the only firm to have faced significant impact from a technology outage. A few years ago the investment firm AXA Rosenberg paid $217 million to cover investor losses from what it called a "significant error" in the computer code for one of its investment models. (Eha)

Many stock exchanges have had to deal with technology issues. NASDAQ faced a significant volume of orders in its pre-IPO auction process during the launch of the Facebook IPO. The Singapore Stock Exchange faced three technology-caused outages in 2014. (Hope, Scaggs and Stumpf)

Retail firms have also faced their share of non-cyber technology issues. On this past Black Friday, the Best Buy website was unavailable all morning due to record levels of website traffic. In the same month, Comcast internet and cable customers were impacted by a lengthy outage caused by a problem with a software upgrade. (Brodkin)

There are many examples of companies that have profited by staying ahead of the curve in terms of technology strategy and investment. Starbucks reported impressive financial results for the first quarter of 2015: revenues up 13% and earnings up 14%, despite the negative tail winds from foreign currency translation. The stock was up 6.6% on the earnings report and has increased 14% in the 6 weeks since the results were released. Howard Schultz, Starbucks CEO, commented, “…. Starbucks is off to a fantastic start in fiscal 2015 …… the undeniable success of our card, mobile and digital strategies underscore the increasing strength of the Starbucks brand around the world …”. In later commentary, Schultz says, “… we are investing in technologies that will help our partners deliver a consistently elevated Starbucks experience to our customers, including introducing technologies to ease and simplify required store tasks, improving access to core business tools and resources and introducing partner apps ….” Given the investments in technology, Starbucks indicated that they expect earnings to accelerate to the high end of their 16% to 18% growth target in the second half of the year. (Starbucks investor call)

Panera Bread is having a different experience. The company reported 4th quarter revenues up 7% (adjusted for same number of weeks) and earnings up only 2%. The stock declined 11% on the earnings report. According to excerpts from the most recent earnings conference call transcripts, “Our fourth quarter operating margin declined by 140 basis points versus last year, due to three factors: one, pressure on food cost and wages; two, the cost of initiatives that are bending the arc on transactions and comp in our core café business; three, expenses related to our strategic investments to make Panera a better competitive alternative and to enable expanded growth.” Later on the call, the company’s CEO, Ronald Shaich, provided more detail on the company’s initiatives. “Let’s start our review with Panera 2.0. …. Our intention with 2.0 is to reduce the friction for the guest and to position Panera ahead of the curve, as the marketplace pivots into an increasingly digital environment …. Those individual elements include first web, mobile, kiosk and e-commerce ordering… there are substantial technology installations that must be managed in terms of hardware, software, and instruction…. Panera 2.0 is not a light switch. To do this right takes time and real effort.” (Panera Bread investor call)

There is no guaranteed approach for preventing technology issues. However, there are ways to lessen the chance of occurrence, or lessen the impact if an issue does occur. And while there is no magic bullet for finding revenue opportunities or protecting market share through technology, understanding emerging technology trends across industries can help generate ideas for driving new revenue and protecting a firm’s current business.


Advice for directors

Directors are not expected to prevent an accounting misstep or prevent a financial crisis, but they are expected to understand the company’s financial issues and have a robust discussion before making a decision or approving management’s plan. The same requirement and discussion is now required for technology too. What should a director do when this is not possible in technology related areas? One thing is clear. It is not okay to do nothing, hiding under the well-worn cover of “That’s management’s responsibility”. An increasingly important question for directors is, what is the process the director followed to discharge his or her fiduciary duties regarding the impact of technology? Recognizing the importance of technology is the first key step:

• Recognize that the board has accountability for technology strategy, risk and governance. It is no longer just the responsibility of management. Technology needs to be a regular part of the boardroom discussion.

• Recognize the importance of technology in all aspects of the company, as well as the potential harm that the lack of controls can have on shareholder value. Managing technology risk goes far beyond ensuring proper cyber security controls.

• Recognize that technology innovation should be used to create revenue opportunities. Every industry has its own challenges as does every company. A director needs to understand the technology opportunities that may exist related to their industry and company.

That all sounds good. Every article and conference and webinar says the same thing. Everyone tells the board which questions to ask. No one acknowledges that asking questions is not the same as having a give and take conversation on the subject of technology. Let’s go back to the notion of process. What would constitute a meaningful change in process such that an outsider (i.e. strike suit lawyer or activist) would agree that the board had followed a process which is similar to the oversight given to financial matters? Moving from recognition to action, here are some suggestions to help ensure and enable the proper focus:

• Ensure the CIO has a seat at the table – both with the most senior ranks of the firm, and in the boardroom. The CIO, like the CFO, should be a regular attendee of either the board meetings or the audit or risk committee. The CIO should also have a regular private session at one of these meetings. This relationship and dialogue is critically important.

• Ensure that CIO succession oversight is a priority for the board. Proper succession for all C-suite positions is important for a board. CIO succession planning should be treated with the same importance.

• Ask the CEO for a quarterly review of all matters related to technology. Not only will the board learn, the CEO will too. If the CIO doesn’t report directly to the CEO, ask questions about the structure of the management team.


• Form a technology committee. Treat technology with as much importance and concern about missteps as with financial reporting. Audit committees help boards fulfill their corporate governance and oversight capabilities as it relates to financial reporting. Technology issues are so broad that boards should consider establishing a technology committee to help fulfill governance and oversight with respect to technology strategy, governance and risk.

• Consider what you don’t know and hire independent technology advisors who understand the strategic issues that boards deal with – people who can assess the technology strategy, risk and governance and report back to the board. Boards do not simply rely on the CFO. They use independent auditors to validate the books and records of the company. Technology is as important and as complicated. Independent, high level diagnostic reviews, on behalf of the board are a critical way to begin to help validate all aspects of technology.

 Executing on these action items can go a long way in fulfilling a director’s accountability related to governance and oversight. Over time, following these suggestions will also naturally result in an increase in a director’s knowledge of technology issues and opportunities within the company.

Conclusion

Directors need the ability to have proper oversight on the full spectrum of technology opportunities and issues. While this may be difficult for a director to accomplish in today’s board construct, implementing a process for technology that mimics the process for financial reporting should result in sufficient oversight. This should include giving the CIO a seat at the table, receiving quarterly technology updates, and reviewing CIO succession plans. As with financial oversight, the process should also include hiring independent technology advisors to validate the technology strategy, controls and governance. While there is not a foolproof approach for ensuring that there will be no technology related issues, implementing a process for the oversight of technology should be viewed as an important part of a director’s responsibility.

There are vast quantities of articles and conferences targeted at educating directors on the importance of having an adequate cyber program. It is time for directors to realize that their technology oversight responsibility is broader – It is not just about cyber.

About the Author – Jane Chwick

Jane is a retired partner from Goldman Sachs where she spent over 30 years in technology, most recently as the Co-Chief Operating Officer of the 8,000 person technology division. Jane is on the board of Voya Financial and MarketAxess and is the Co-founder of Trewtec, Inc, a technology advisory firm designed to help directors and CEOs evaluate technology in their companies.

Sources

Brodkin, Jon. “Comcast to Issue Discounts for Days-Long Outage Caused by Update” Ars Technica. Conde Nast. 7 November 2014. Web. 7 March 2015.

Eha, Brian Patrick. “$440 Million Glitch The Costliest Computer Bug Ever?” @CANTECH, 9 August 2012. Web. 7 March 2015.

Hope, Bradley, et al. “U.S. Stocks Rise; NYSE Experiences Technical Glitch Dow Industrials Rally More Than 200 Points” The Wall Street Journal 30 October 2014. Web. 17 December 2014.

Mehta, Nina. “Nasdaq Blames Software for Facebook IPO Glitches” SFGATE. 19 July 2013. Web. 17 December 2014.

Popper, Nathaniel. “Knight Capital Says Trading Glitch Cost it $440 Million” The New York Times. 2 August 2013. Web. 17 December 2014.

Schultz, Howard. Starbucks Investor Call 1/22/2015.

Shaich, Ronald. Panera Bread Investor Call 3/8/2015.