Horizons Spring/Summer 2021

Commitments: ∙ How confident is the company (and the board) that technology commitments are being met despite people and technology disruption due to the pandemic? Working From Anywhere: ∙ How has the company secured information due to employees’ and contractors’ working remotely? ∙ Is the company providing employees appropriate safeguards to securely operate remotely, including training? Compliance: ∙ How is the company maintaining and validating compliance with its legal and regulatory requirements? Plans: ∙ What are the company plans for the “worst-case scenario” for pandemic- related incidents or outages? Have tabletop exercises been performed? ∙ What new metrics is the company providing for the board to monitor risk, including company viability? Are communication triggers in place for cases of unexpected disruption? ∙ How has the company applied lessons learned about its pandemic preparedness from its recent situations or situations from others in their industry? ∙ What changes to the scenario planning need to be made to improve the company’s future resilience? ∙ Have appropriate resources, including funding and personnel, been allocated to manage future risk? Broadening Role for the Board The National Association of Corporate Directors defines two critical roles for corporate boards: (1) “overseeing management on behalf of shareholders and other constituencies”; and (2) “advising

management, albeit with limited involvement in everyday company operations.” Amid the pandemic, the board has an enhanced responsibility to provide advice based on past experiences, across industries, and based on current experiences, across organizations. To support this expanded responsibility, boards are: ∙ Adding directors for technology risks due to, for example, the work-from-anywhere environment. ∙ Adopting a technology and cyber committee to work with the company’s pandemic team. ∙ Requesting expert sessions for technology and security considerations for managing through the pandemic. ∙ Continuing to ask about security and technology risks in the supply chain, including vendor and business dependencies. The Role of the Company In this board conversation, the company also has responsibilities. Here are some of the technology-related items for the company to address with the board. Companies should be prepared to communicate to the board that they are learning from the past, are performing scenario planning/tabletop exercises, are updating their strategic plans where necessary, and are ready to roll as they are presented with new changes and challenges. Companies should have strategic plans for the “next normal” and perform scenario planning to consider:

Who: ∙ Key employee dependency and succession planning.

∙ Commitments made to clients, regulators, etc. for security, availability, confidentially, and compliance. ∙ Primary vendor, business partner, and service organization dependency for technology and security commitments (with knowledge that outsourcing does not remove company accountability).

8 Corporate Governance in COVID-19: Cybersecurity & Technology Considerations