As Hervé Guillou stated in October 2016 at a conference:
The subject of cybersecurity is both an economic development issue for companies and a national security and resilience issue: an economic issue because cybersecurity is a catalyst for the digital transformation of the company, at the heart of the protection of its industrial and intellectual heritage and therefore of its value¹.
Hervé Guillou adds the following information:
Needless to say, the subject of cybersecurity must be a major concern for business leaders and boards of directors. It directly concerns the company's image, its sustainability, its strategic and commercial positioning and is therefore strictly in the company's corporate interest.
The main objective of good governance is to ensure that shareholders and all stakeholders have confidence in the sustainability of the company, some because they invest in a company, others because they work for it as an employee or subcontractor, or because it is a critical partner, banks involved in the credits set up, tax authorities or social organizations.
Governance is the system that organizes the relationships and powers between shareholders, the board of directors and managers in order to ensure the proper management of the company and the creation of value, limit risks, guide strategic decisions, supervise the proper execution of the strategy and control the company's performance in the best interests of shareholders, while contributing to the safeguarding of the interests of all stakeholders.
The board of directors has a major role: it represents shareholders, guides strategy, appoints and controls management. The role of directors has increased, due to the greater complexity of the economy, linked in particular to international competition, a strengthened international regulatory environment, and the emergence of new technologies that are transforming business models and the organization of the company and its ecosystem. The emergence of new risks as a result of all these phenomena increases the responsibilities of the boards of directors, whose skills must evolve, as well as the areas of vigilance.
The digital transformation of the economy has consequences on the information available to shareholders, the board of directors and all stakeholders. The new challenges for the company's governance bodies are numerous: e-reputation, price volatility, dematerialization of operations, protection of board information, disintermediation and emergence of new players, which can have significant impacts on the company's valuation.
Beyond the strategic risks associated with the entry of new competitors, the digital transformation of companies and the connections of their information systems with customers, suppliers, banks and administrations increase IT risks, the risks of fraud and vulnerabilities to attacks, which can lead either to operational problems or to data leaks.
The valuation of the company depends on the quality of its strategy and execution. The digital strategy in all its dimensions is essential: digital transformation is not an end in itself, but a means to access new markets, develop new products and services, as well as to improve sales, production and management processes.
In addition, the company's resilience, i.e. its ability to restart its information, production or sales systems, to protect them, to anticipate crises, to set up solutions to detect and respond to incidents and finally its ability to take the right corrective measures following the attack, is essential for shareholders and value creation.
According to a study conducted by PwC France (PricewaterhouseCoopers) in 2018 on around 30 incidents, more than half of the companies suffered a stock market loss of between 10% and 20% more than a year after the incident, and consequently a loss of market confidence. For about 20% of companies, the price fell by 6% in the first 10 days, but the price recovered in the following 6-12 months, thanks to good crisis management, the implementation of cybersecurity measures and investments, as well as communication on these measures that helped to restore market confidence.
Cyber-attacks affect the stock price when they result from proven negligence, as in the case of Equifax in the United States (the price dropped by 40%; Equifax had not followed the administration's recommendations regarding software updates) or TalkTalk in the United Kingdom (the price dropped by 30% because the sensitive data was not encrypted). They have no lasting impact on the share price, however, if measures are taken in terms of management (general management, IT and IT security department, security policies, training, strengthening IT and security budgets) and if customer confidence has not been lost.
The market's response will therefore depend on the vigilance of the board of directors and managers, before and after, on its skills and responsiveness, as well as on its awareness of digital issues, the feedback that will have been organized by the board of directors and the procedures put in place, particularly regarding risk mapping.
The cyber avoiders sitting on the board of directors are not an asset for shareholders, regardless of the risk area, and in particular for all cybersecurity and data protection issues.
Conversely, even if no company is immune to attack, computer crashes and data leaks, anticipating, being vigilant and implementing a cybersecurity system will be an asset to the company's reputation and the trust of all stakeholders.
Cyber rating agencies have been developed in the United States and are based in Europe. Their objective is to highlight facts and events related to the cybersecurity of organizations' assets and to compare them with the best cybersecurity standards and practices.
There is also a greater willingness on the part of shareholders, gathered in groups of institutional investors, investment funds or activist shareholders, to engage in corporate governance. Activist shareholders will want to know if the companies in which they have invested are well secured. Indeed, cybersecurity will increasingly become a topic for shareholders (risk of loss of value).
As a result of this significant risk of loss of value, shareholders will increasingly seek to know what measures companies have in place, require information on risks and remediation measures, and will be vigilant about compliance with new regulations and about the confidence that customers can place in a company's ability to protect data, and in particular its customers' data. This trust will depend on the company's transparency on its methods of collecting and protecting the data it holds, and in particular those of its customers.
After Standard & Poor's drew attention to cyber-risks, particularly in the banking sector, it is now Moody's turn to include cybersecurity among the criteria for evaluating companies. The risk involved is such that investors must be informed of the level of protection against cyber-attacks.
"We expect companies to set up cybersecurity steering bodies", warned Moody's at the end of November 2015. IT security managers are no longer the only ones to sound the alarm.
Increased vigilance is needed regarding the risks of insider trading following a cyber incident. The Equifax case is a well-known example of what not to do. In September 2017, Equifax, the US credit agency, was the victim of a major data leak: 143 million victims. This data leak, discovered between mid-May and July, was announced to the market in early September. As a result of this announcement, the value of Equifax decreased by 40%.
The SEC (Securities and Exchange Commission), the US stock exchange police, charged several Equifax executives with selling their shares before the news of the hacking of personal data (names, social security numbers, birth dates, etc.) was made public.
The hack allegedly cost the company more than 150 million and had significant impacts in terms of reputation and loss of customers; the investigation revealed, in particular, negligence on the part of managers regarding the cybersecurity system.
Another case that made headlines in the United States at the end of 2017 was the sale by Intel's CEO of part of his shares for $39 million ($25 million capital gain), before the disclosure of critical vulnerabilities in Intel processors, and several months after he discovered these vulnerabilities.
In addition, the SEC considers cybersecurity to be a vital issue for all organizations. It requires listed companies to inform the markets by publishing a form detailing the cyber-attacks they have been subjected to, as these events may jeopardize a company's future.
The rules established by the SEC prohibit managers of listed companies from selling their shares when they become aware of information that could affect the share price.
It is therefore recommended that employees holding shares or stock options be informed of the rules governing the sale of these shares, depending on the time of year and the information they may hold on events that may have an impact on the share...