CORPORATE GOVERNANCE Higher Education Conference 31 August 2015 Presented by Mervyn E King SC
Corporate Legal Advisers
ENTITY
No mind of its own
Sovereign – juristic person
Immortal
Owner of Higher Education entity?
Entity owner of its assets
CORPORATE GOVERNANCE
How is an entity directed and controlled? (standard definition)
Entity directed by its mortal leaders
How do these leaders direct or steer?
How is the business of an entity implemented?
PRACTICES AND ENTERPRISE
Governance about practices
Enterprises – strategic
Risk for reward – business judgment calls
Good governance and judgment error
Acceptable
Bad governance – error – scandal
Not acceptable
THE GOVERNANCE EQUATION
Governance = governance principles and best practice + enterprise and business judgment calls (strategy)
THE GOVERNANCE REGIME
Incapacitated entity
Licence to operate
Framework of governance
Inclusive approach
Laws and regulations
The duties of councillors
Rules vs principles
EU and Commonwealth vs Sarbanes Oxley
COMPLIANCE
Mindless quantitative compliance?
Is that good governance?
Compliance officer?
Councillors must apply their minds
A recommendation not suitable for the business of the entity
Do not apply it – use alternative
Explain
Market ultimate compliance officer
Stakeholders support or flee
A COUNCILLOR’S DUTIES - RESPONSIBILITIES
Good faith
Care
Skill
Diligence
INCAPACITY
Human being
Best interests, care, skill, diligence
Decent thing to do
Company a juristic citizen
Incapacitated
Director – heart, mind and soul
WHO IS THE LEADER OF THE UNIVERSITY?
Separate legal entity
Owner of assets
On appointment duty to company
Boss of council – direction – chairman the leader
Boss of operations – implementation – vice chancellor
No leader of the university
TO WHOM IS THE COUNCIL ACCOUNTABLE?
Accountable to the university
Through university to stakeholders
Not to stakeholders
Accountable to everyone – accountable to no one
Take account of the legitimate and reasonable interests and expectations of stakeholders
REGULATIONS FOR REPORTING
Adopt RAFT principles
Foundation I H
Accountable as recommended in King III
The six capitals
Stakeholders’ NIEs
Integrated thinking
Integrated reporting
theiirc.org
INFORMATION SECURITY
Napoleon, the Three Musketeers
The wax seal
Information to enemy
Disastrous for battle or the war
UNAUTHORISED
Use
Access
Disclosure
Disruption or elimination
Changes
Prudent and reasonable steps or legislation
Care and diligence
THE WAX SEAL
Confidentiality – job application
Integrity – no change without authorisation
Availability – system functioning correctly
Possession – stolen laptop
Authenticity – information genuine
Utility – usable and useful
INFORMATION, COMMUNICATION AND TECHNOLOGY
Align IT with business strategy
Cascade IT into the business
IT should facilitate achievement of strategy
Measure IT performance
Manage the security of IT
IT governance charter
MANAGEMENT RESPONSIBILITY
For all the structures, processes and mechanisms
To execute the IT framework
Is IT on track to achieve its objective?
Is it resilient enough to adapt to the strategy?
Is it adequately protected from the risks it faces?
Can opportunities be proactively recognised and acted upon?
CIO responsible for the management of IT
APPROPRIATE TECHNOLOGY
Is the entity generating value from its IT investment?
Is the amount spent on IT being measured and managed?
Is there independent assurance on the quality of outsourced IT?
Are there effective review processes by independent experts?
RISK MANAGEMENT
IT risks form part of the entity’s risk management
Are there adequate arrangements for disaster recovery?
Are there IT legal risks involved?
Is the entity complying with applicable IT laws?
INFORMATION PRIVACY
Personal information should be secured as an asset
Personal information that is processed by the entity should be identified
Personal information should be processed according to applicable laws
POPI Act
INFORMATION SECURITY
Develop an information security management system (ISMS)
Council should oversee the ISMS
Management is to implement the ISMS
ISMS should include:
ensuring the confidentiality of information
ensuring the integrity of information
ensuring the availability of information and information systems in a timely manner
DR OR BC PLAN
Ability to recover from disaster or unexpected event
Must have a plan
Before the disaster or unexpected event
Perform an audit of disaster recovery capacity
ISSUES
Alternate site
Data backup
Insurance
Training of personnel
Objectives of the audit plan
PLANNING (1)
Awareness
Education of council
Agenda item
Make project manager the head
The plan
Knowledge of the business and the IT involved
The auditor must assess the ability of the project manager
PLANNING (2)
Project manager training
Usually referred to as a disaster recovery officer
Document and strategy
Recovery plan in writing
In clear, concise and understandable language
Strategy can involve hot, cold or warm sites
Whether hot, cold or warm?
The result of a cost benefit analysis and the needs of the organisation
OTHER ISSUES
Back up processes
Purpose of audit is to determine the effect on the business
Should be practice drills
Auditor determines adequacy for insurance of property and casualty
Legal liability for lack of performance in the event of disaster
CYBERSECURITY (1)
Much greater risk than DR today
117339 attacks per day on IT systems
Cost of managing and mitigating breaches is rising
Losses in excess of US$20 are more common
(PwC)
CYBERSECURITY (2)
Stuxnet is a computer worm that was discovered in 2010. It was designed to attack industrial PLCs and SCADA systems. “Stuxnet reportedly ruined almost one-fifth of Iran's nuclear centrifuges”.
Premera Blue Cross (March 2015): “The company, a health insurer based in Washington State, said up to 11 million customers could have been affected by a cyberattack last year” …
(PwC)
CYBERSECURITY (3)
Anthem (Feb 2015): One of the USA’s largest health insurers said that the personal information of tens of millions of its customers and employees, including its chief executive, was the subject of a “very sophisticated external cyberattack.”
Sony Pictures (Nov 2014): President Obama and national security officials said North Korea was behind the attack.
Staples (Oct 2014): The office supply retailer said hackers had broken into the company’s network and compromised the information of about 1.16 million credit cards.
Home Depot (Sept 2014): “About 56 million payment cards were probably compromised”.
(PwC)
SOUTH AFRICA
SA state security
Documents leaked by Al Jazeera
SA businesses unprepared for risk of cyber attacks
Defending SA’s cyber borders
Defending the country’s cyber space
A GLOBAL ECOSYSTEM
The ecosystem is built around a model of open collaboration and trust
This is what is being exploited by the hackers
Constant information flow is the life blood of the business ecosystem
Adversaries are actively targeting critical assets throughout the ecosystem
TECHNOLOGY CONVERGENCE
Average is 3 electronic instruments
iPhone, iPad, laptop
Increases opportunity for attack
Presents greater risks of the leaking of information
Greater risk of the data being obtained by attackers
IT GOVERNANCE
Council agenda item
DR and cyber security
Response to cyber security attack
Average days to correct is 32
Risk of a cyber security attack is much greater than that of a disaster
10 QUESTIONS COUNCILS AND CEOs SHOULD BE ASKING (1)
Enhancing their cybersecurity strategy and capability:
1. Is our cybersecurity programme aligned with our business strategy?
2. Do we have the capabilities to identify and advise on strategic threats and adversaries targeting us?
3. Can we explain our cybersecurity strategy to our stakeholders? Our investors? Our regulators? Our ecosystem partners?
(PwC)
10 QUESTIONS COUNCILS AND CEOs SHOULD BE ASKING (2)
Understanding and adapting to changes in the security risk environment:
4. Do we know what information is most valuable to the business?
5. Do we know what our adversaries are after / what they would target?
6. Do we have an insider threat programme? Is it inter-departmental?
7. Are we actively involved in relevant public-private partnerships?
(PwC)
10 QUESTIONS COUNCILS AND CEOs SHOULD BE ASKING (3)
Advance their security posture through a shared vision and culture:
8. How was our last major event identified; in-house or government identified?
9. Who leads our incident and crisis management programme? Is our programme cross-functional / inter-departmental?
10. How often are we briefed on our cyber initiatives? Do we understand the cyber risks associated with certain business decisions and related activities?
(PwC)
CONCLUSIONS
Disaster and business continuity
Bigger threat is cyber attack
Response plan for cyber attack
Audit for recovery
Destruction of evidence
FIVE CORE FUNCTIONS OF EFFECTIVE CYBERSECURITY
(ACCORDING TO THE NIST FRAMEWORK)
IDENTIFY: An understanding of how to manage cybersecurity risks to systems, assets, data and capabilities
PROTECT: The controls and safeguards necessary to protect assets or deter cybersecurity threats
DETECT: Continuous monitoring to provide proactive and real-time alerts of cybersecurity-related events
RESPOND: The policies and activities necessary for prompt responses to cybersecurity incidents
RECOVERY: Business continuity plans to maintain resilience and recover capabilities after a cyber breach
(NIST)
THANK YOU
Prof Mervyn E King SC