How successfully companies address the challenges and seize the opportunities of emerging technologies will be a key factor of business success in the years ahead, argues the winning paper in the Institute’s latest Corporate Governance Paper Competition.

Companies need to adapt their approaches to corporate governance to better manage the opportunities and mitigate the risks of the digital age. This article will look at some of the major challenges and opportunities for corporate governance in the digital age, and will assess the responsibilities of directors, company secretaries and managers in upholding effective IT governance.

1. Challenges for corporate governance in the digital age

Data breaches

One of the biggest challenges for corporate governance in the digital age is data breaches – the unauthorised transfer of confidential information from a computer or data centre to the outside world. Due to advances in technology, access to data has become relatively easy and this helps in the accidental spreading of confidential data. According to the Privacy Commissioner for Personal Data (PCPD), there was a nearly 20% increase in data breach notifications received by the PCPD office in 2017 compared to the previous year. This shows how technological advancement not only makes it more difficult to protect an organisation’s internal data, but also creates huge impacts on the business environment because of data leakage. Let’s look at one example. In 2018, the Hong Kong Broadband Network (HKBN) was hacked and data relating to 380,000 customers was stolen, including 43,000 credit card numbers. Francis Fong, President of the Hong Kong Information Technology Federation, commented that it was negligent for an internet service provider of this scale to be hacked and he questioned whether the company had afforded the same level of protection to all its databases. This led to a fall in the company’s stock price, showing the damage that can be done by a data leakage to a company and its customers.

Insider threats

Awareness of the insider threat issue – the threat that someone close to an organisation with authorised access may misuse that access to negatively impact the organisation’s critical information or systems – has increased over the previous decade. A survey for Insider Threat Report in 2018 from CA Technologies found that 53% of respondents confirmed there had been insider attacks against their organisation in the previous 12 months, while 27% of organisations said that insider attacks had become more frequent. These results suggest that the main factors behind insider attacks are:

• too many users enjoy excessive access privileges
• there are more devices with access to sensitive data, and
• there has been an increase in complex technologies that are difficult to control.

Network attacks

According to the Quarterly Threat Report, published by McAfee Labs in September 2017, browser, brute force and denial-of-service (DDoS) attacks were the top three types of network attacks in 2017. Browser attacks. These attacks often appear on legitimate but vulnerable websites. When new visitors arrive, the infected site tries to force malware to spread into their systems by exploiting vulnerabilities in their browsers. The popular web browsers – Microsoft Internet Explorer, Google Chrome and Mozilla Firefox – were shown to be the most vulnerable web browsers in 2016. For example, assume a corporate system uses JavaScript. Malware authors then use it to accomplish attacks by embedding an obfuscated Adobe Flash file within JavaScript. First, the Flash code invokes PowerShell, a powerful operating system (OS) tool that can perform administrative operations. Then, Flash feeds instructions to PowerShell through its command line interface. Next, PowerShell connects to a stealth command and control server owned by the attackers. After that, the command and control server downloads a malicious PowerShell script to the victim’s device that captures sensitive data and sends it back to the attacker. By complying with these instructions, the attackers successfully get into victims’ systems. Brute force attacks. In this type of attack, the attacker tries to discover the password for a system or service through trial and error. Since this is time consuming, attackers usually use software to automate the task of typing hundreds of passwords. Denial-of-service attacks. This refers to an interruption in an authorised user’s access to a computer network, typically caused with malicious intent. According to a Kaspersky Labs survey of 5,200 people from businesses in 29 countries, half of respondents agreed that DDoS attacks are growing in frequency and complexity. This reveals that network attacks are a growing trend in the 21st century.

Ransomware

Ransomware is a kind of cyber attack in which the perpetrators encode an organisation’s data and then a monetary payment is demanded via cryptocurrencies, such as Bitcoin, for the decode key. 2017 was a pivotal year for ransomware as three unprecedented attacks expanded the number of victims. One significant case was the WannaCry ransomware attack which occurred in May 2017. Hong Kong companies were among the victims with at least three reported cases of companies that had not updated their Windows 7 operating systems and Internet browsers. Renault, a car manufacturer, had to close its largest factory in France due to WannaCry. In June, Honda’s production facilities and 55 speed cameras in Victoria, Australia, were also forced to shut down. Estimates are that there were nearly three-quarters of a million victims in this incident. Over the past year, the number of reported ransomware incidents almost doubled, from 54,000 in 2016 to more than 96,000 last year. This implies that ransomware has become the leading source of cyber attacks and has affected corporates severely.

2. Opportunities for corporate governance in the digital age

IT governance

Business leaders increasingly recognise that IT is important for delivering the organisation’s strategy. IT governance ensures that IT investment follows business values and mitigates IT risks. Moreover, research among private-sector organisations has found that top performing enterprises succeed in obtaining value by implementing effective IT governance to support their strategies and institutionalise good practice. The International Board for IT Governance Qualifications (IBITGQ) is an examination board that specifies a syllabus and learning outcomes related to IT governance. The key training areas include: EU General Data Protection Regulation (GDPR), cybersecurity and compliance with the Payment Card Industry Data Security Standard (PCIDSS). This qualification is mainly aimed at the heads of large companies and government officers. By adopting IT governance, companies can create a culture of security awareness and cybersecurity hygiene. Encryption is one of the significant technologies for data and system security. By using encryption, companies can help maintain integrity as it can deter data being altered to commit fraud and corruption. Moreover, encryption can be an effective way to help protect the internal data by meeting compliance requirements.

Compliance and risk management

Digital transformation is also making changes to the practice of regulatory compliance and risk management. Compliance with new data privacy requirements, for example, is a major issue. In Hong Kong, the Personal Data (Privacy) Ordinance (PDPO) has been in force since 2012 and contains six data protection principles. In accordance with these principles, company secretaries must help collect personal data in a lawful and accurate way. They should also protect personal data from unauthorised access and make known to the public the proposed use of data. Moreover, the data subject must be given access to the personal data and be allowed to make corrections if the data is inaccurate. ISO 27001, a specification for an information security management system, can also help companies convince their clients and other stakeholders that they are managing the security of the companies’ information. Compliance with ISO 27001 will assist to:

• protect client and employee information
• manage risks to information security effectively
• achieve compliance with regulations such as the EU GDPR, and
• protect the company’s brand image.

The EU GDPR took effect on 25 May 2018. In the wake of technological developments, globalisation and the constitutionalisation of the right to data protection in the EU, the GDPR aims to harmonise the framework for the digital single market, put individuals in control of their data and formulate a modern data protection governance. This new regulation enhances the right to notice on data processing, to erasure (establishing the right to be forgotten) and to object to data processing. The GDPR also establishes new rights to restriction of processing and to data portability. The reason why the GDPR is relevant to Hong Kong organisations is that when the PDPO was drafted, reference was made to the relevant requirements under the Organisation for Economic Co-operation and Development (OECD) Privacy Guidelines in 1980 and EU directives, hence the PDPO and the GDPR share a number of common features.

3. Roles of the key governance stakeholders

Directors, company secretaries and managers play a crucial role in upholding effective governance but they often need to enhance their IT security awareness. For many board members, technology may not be their area of expertise, but almost all of the hot topics in governance nowadays are technology-related and IT issues need to be integrated into corporate strategy. Thus, board members need to keep updating themselves about the latest industry developments so as to supervise strategy development in these areas. Company secretaries also need to consider the importance of IT in their corporation as this determines the level of IT security awareness throughout the company. For example, company secretaries should be monitoring the effectiveness of cybersecurity measures and informing the board members of progress and threats from time to time. Regarding cybersecurity hygiene, directors, company secretaries and managers can be role models for middle and front-line employees. They should implement a series of security protection policies, such as regular software updates, two-factor authentications, overseeing third-party access carefully, regulating data backups and being alert against phishing attacks. Over time, management has to review the effectiveness of these policies and revise their guidelines if the overall performance does not meet the required standards. Regarding compliance, management needs to review the effectiveness of the IT security policies in order to lessen the probability of cyber attacks. Take cybersecurity as an example. One of the most prevalent standards is to observe if there is a downward trend in these kinds of incidents. The level of seriousness is also significant as it reflects the overall performance of compliance with the requirements. By these means, credit can be given to staff if their performance is satisfactory, which boosts staff morale. However, stricter rules or punishments can be used if performance is far below the target, so as to create an incentive for further improvement. Regarding IT auditing, company secretaries have to integrate technology risks into the company’s audit plan, as well as inform the board or relevant committees, such as the risk management committee, about this. Ma Pui Yee, So Bo Ki and Wong Mei Ming Hang Seng Management College Since 2006, the Institute has been running its annual Corporate Governance Paper Competition to promote awareness of good corporate governance among local undergraduates. This year’s competition concluded with an awards presentation held on 8 September 2018. More information is available on the Institute’s website: www.hkics.org.hk.

SIDEBAR: How technology facilitates the engagement of shareholders and stakeholders

More and more companies are leveraging technology to engage with shareholders as the combination of digital technologies and social media can enable companies to reach shareholders more quickly and easily. There has been a rise in virtual shareholder meetings, for example, with usage increasing sharply in the first six months in 2018 globally. New technologies also assist companies to provide shareholders with a way to participate in voting via the internet and to receive information from issuers. Technology can also ensure better transparency in proxy participation. There are many secure online voting platforms that can collect votes automatically and provide information to shareholders before a general meeting. These systems not only secure companies’ confidential information but also speed up the process of collecting voting instructions. Taking advantage of the increased efficiency offered by technology, companies can improve their shareholder engagement and transparency. New communication channels are also facilitating the conversation between companies and wider stakeholder groups, helping to clarify misunderstandings and prevent misinformation. Users can upload and express their views, as well as disseminate current social movements and content. Companies can choose adequate interaction partners, make necessary decisions, select effective strategies for future development and finally engage with shareholders and stakeholders effectively.