CORPORATE GOVERNANCE Higher Education Conference 31 August 2015 Presented by Mervyn E King SC


Page 1: Mervyn King Corporate Governance - PwC Higher Education … · CORPORATE GOVERNANCE Higher Education Conference 31 August 2015 Presented by Mervyn E King SC

CORPORATE GOVERNANCE

Higher Education Conference, 31 August 2015

Presented by Mervyn E King SC

Page 2

Corporate Legal Advisers

ENTITY

No mind of its own

Sovereign – juristic person

Immortal

Owner of Higher Education entity?

Entity owner of its assets

Page 3

CORPORATE GOVERNANCE

How is an entity directed and controlled? – standard definition

Entity directed by its mortal leaders

How do these leaders direct or steer?

How is the business of an entity implemented?

Page 4

PRACTICES AND ENTERPRISE

Governance about practices

Enterprises – strategic

Risk for reward – business judgment calls

Good governance and judgment error

Acceptable

Bad governance – error – scandal

Not acceptable

Page 5

THE GOVERNANCE EQUATION

Governance = Governance principles and best practice + Enterprise and business judgment calls (strategy)

Page 6

THE GOVERNANCE REGIME

Incapacitated entity

Licence to operate

Framework of governance

Inclusive approach

Laws and regulations

The duties of councillors

Rules vs principles

EU and Commonwealth vs Sarbanes Oxley

Page 7

COMPLIANCE

Mindless quantitative compliance?

Is that good governance?

Compliance officer?

Councillors must apply their minds

A recommendation not suitable for the business of the entity

Do not apply it – use alternative

Explain

Market ultimate compliance officer

Stakeholders support or flee

Page 8

A COUNCILLOR’S DUTIES – RESPONSIBILITIES

Good faith

Care

Skill

Diligence

Page 9

INCAPACITY

Human being

Best interests, care, skill, diligence

Decent thing to do

Company a juristic citizen

Incapacitated

Director – heart, mind and soul

Page 10

WHO IS THE LEADER OF THE UNIVERSITY?

Separate legal entity

Owner of assets

On appointment duty to company

Boss of council – direction – chairman the leader

Boss of operations – implementation – vice chancellor

No leader of the university

Page 11

TO WHOM IS THE COUNCIL ACCOUNTABLE?

Accountable to the university

Through university to stakeholders

Not to stakeholders

Accountable to everyone – accountable to no one

Take account of the legitimate and reasonable interests and expectations of stakeholders

Page 12

REGULATIONS FOR REPORTING

Adopt RAFT principles

Foundation I H

Accountable as recommended in King III

The six capitals

Stakeholders’ NIEs

Integrated thinking

Integrated reporting

theiirc.org

Page 13

INFORMATION SECURITY

Napoleon, the Three Musketeers

The wax seal

Information to enemy

Disastrous for battle or the war

Page 14

UNAUTHORISED

Use

Access

Disclosure

Disruption or elimination

Changes

Prudent and reasonable steps or legislation

Care and diligence

Page 15

THE WAX SEAL

Confidentiality – job application

Integrity – no change without authorisation

Availability – system functioning correctly

Possession – stolen laptop

Authenticity – information genuine

Utility – usable and useful

Page 16

INFORMATION, COMMUNICATION AND TECHNOLOGY

Align IT with business strategy

Cascade IT into the business

IT should facilitate achievement of strategy

Measure IT performance

Manage the security of IT

IT governance charter

Page 17

MANAGEMENT RESPONSIBILITY

For all the structures, processes and mechanisms

To execute the IT framework

Is IT on track to achieve its objective?

Is it resilient enough to adapt to the strategy?

Is it adequately protected from the risks it faces?

Can opportunities be proactively recognised and acted upon?

CIO responsible for the management of IT

Page 18

APPROPRIATE TECHNOLOGY

Is the entity generating value from its IT investment?

Is the amount spent on IT being measured and managed?

Is there independent assurance on the quality of outsourced IT?

Are there effective review processes by independent experts?

Page 19

RISK MANAGEMENT

IT risks form part of the entity’s risk management

Are there adequate arrangements for disaster recovery?

Are there IT legal risks involved?

Is the entity complying with applicable IT laws?

Page 20

INFORMATION PRIVACY

Personal information should be secured as an asset

Personal information that is processed by the entity should be identified

Personal information should be processed according to applicable laws

POPI Act

Page 21

INFORMATION SECURITY

Develop an information security management system (ISMS)

Council should oversee the ISMS

Management is to implement the ISMS

ISMS should include:

ensuring the confidentiality of information

ensuring the integrity of information

ensuring the availability of information and information systems in a timely manner

Page 22

DR OR BC PLAN

Ability to recover from disaster or unexpected event

Must have a plan

Before the disaster or unexpected event

Perform an audit of disaster recovery capacity

Page 23

ISSUES

Alternate site

Data backup

Insurance

Training of personnel

Objectives of the audit plan

Page 24

PLANNING (1)

Awareness

Education of council

Agenda item

Make project manager the head

The plan

Knowledge of the business and the IT involved

The auditor must assess the ability of the project manager

Page 25

PLANNING (2)

Project manager training

Usually referred to as a disaster recovery officer

Document and strategy

Recovery plan in writing

In clear, concise and understandable language

Strategy can involve hot, cold or warm sites

Whether hot, cold or warm?

The result of a cost benefit analysis and the needs of the organisation

Page 26

OTHER ISSUES

Back up processes

Purpose of audit is to determine the effect on the business

Should be practice drills

Auditor determines adequacy for insurance of property and casualty

Legal liability for lack of performance in the event of disaster

Page 27

CYBERSECURITY (1)

Much greater risk than DR today

117,339 attacks per day on IT systems

Costs of managing and mitigating breaches are rising

Losses in excess of US$20 are more common

(PwC)

Page 28

CYBERSECURITY (2)

Stuxnet is a computer worm that was discovered in 2010. It was designed to attack industrial PLCs and SCADA systems. “Stuxnet reportedly ruined almost one-fifth of Iran's nuclear centrifuges”.

Primera Blue Cross (March 2015): The company, a health insurer based in Washington State, said “up to 11 million customers could have been affected by a cyberattack last year” …

Anthem (Feb 2015): One of the USA’s largest health insurers said that the personal

(PwC)

Page 29

CYBERSECURITY (3)

Anthem (Feb 2015): One of the USA’s largest health insurers said that the personal information of tens of millions of its customers and employees, including its chief executive, was the subject of a “very sophisticated external cyberattack.”

Sony Pictures (Nov 2014) – President Obama and national security officials said North Korea was behind the attack.

Staples (Oct 2014) – The office supply retailer said hackers had broken into the company’s network and compromised the information of about 1.16 million credit cards.

Home Depot (Sept 2014) – “About 56 million payment cards were probably compromised”.

(PwC)

Page 30

SOUTH AFRICA

SA state security

Documents leaked by Al Jazeera

SA businesses unprepared for risk of cyber attacks

Defending SA’s cyber borders

Defending the country’s cyber space

Page 31

A GLOBAL ECOSYSTEM

The ecosystem is built around a model of open collaboration and trust

This is what is being exploited by the hackers

Constant information flow is the life blood of the business ecosystem

Adversaries are actively targeting critical assets throughout the ecosystem

Page 32

TECHNOLOGY CONVERGENCE

Average is 3 electronic instruments

iPhone, iPad, laptop

Increases opportunity for attack

Presents greater risks of the leaking of information

Greater risk to obtain the data

Page 33

IT GOVERNANCE

Council agenda item

DR and cyber security

Response to cyber security attack

Average days to correct is 32

Risk of cyber security attack much greater than a disaster

Page 34

10 QUESTIONS COUNCILS AND CEOs SHOULD BE ASKING (1)

Enhancing their cybersecurity strategy and capability:

1. Is our cybersecurity programme aligned with our business strategy?

2. Do we have the capabilities to identify and advise on strategic threats and adversaries targeting us?

3. Can we explain our cybersecurity strategy to our stakeholders? Our investors? Our regulators? Our ecosystem partners?

PwC

Page 35

10 QUESTIONS COUNCILS AND CEOs SHOULD BE ASKING (2)

Understanding and adapting to changes in the security risk environment:

4. Do we know what information is most valuable to the business?

5. Do we know what our adversaries are after / what they would target?

6. Do we have an insider threat programme? Is it inter-departmental?

7. Are we actively involved in relevant public-private partnerships?

PwC

Page 36

10 QUESTIONS COUNCILS AND CEOs SHOULD BE ASKING (3)

Advance their security posture through a shared vision and culture:

8. How was our last major event identified; in-house or government identified?

9. Who leads our incident and crisis management programme? Is our programme cross-functional / inter-departmental?

10. How often are we briefed on our cyber initiatives? Do we understand the cyber risks associated with certain business decisions and related activities?

PwC

Page 37

CONCLUSIONS

Disaster and business continuity

Bigger threat is cyber attack

Response plan for cyber attack

Audit for recovery

Destruction of evidence

Page 38

FIVE CORE FUNCTIONS OF EFFECTIVE CYBERSECURITY

(ACCORDING TO THE NIST FRAMEWORK)

IDENTIFY: An understanding of how to manage cybersecurity risks to systems, assets, data and capabilities

PROTECT: The controls and safeguards necessary to protect assets or deter cybersecurity threats

DETECT: Continuous monitoring to provide proactive and real-time alerts of cybersecurity-related events

RESPOND: The policies and activities necessary for prompt responses to cybersecurity incidents

RECOVERY: Business continuity plans to maintain resilience and recover capabilities after a cyber breach

(NIST)

Page 39

THANK YOU

Prof Mervyn E King SC