KORN FERRY KFMC100 2014
About Korn Ferry
At Korn Ferry, we design, build, attract and ignite talent. Since our inception, clients have trusted us to help recruit world-class leadership. Today, we are a single source for leadership and talent consulting services to empower businesses and leaders to reach their goals. Our solutions range from executive recruitment and leadership development programs, to enterprise learning, succession planning and recruitment process outsourcing (RPO). Visit www.kornferry.com for more information on our services, and www.kornferryinstitute.com for more articles, research and insights.
The Korn Ferry Market Cap 100 2014
KORN FERRY MARKET CAP 100
Contents
Introduction
Translating cyber-risks into business terms
Asking the right questions
Managing cybersecurity risk
The bigger context and the bigger threat
Conclusion
Appendix A: The KFMC100 companies
Appendix B: The KFMC100 Class of 2013
Appendix C: The KFMC100 boards
Introduction
Cybercrime comes with a staggering price tag: an estimated .4% to 1.4% of global GDP. The cost to the US economy alone could be as high as $100 billion annually, according to a 2013 report by the Center for Strategic and International Studies, a Washington, DC-based public policy research institution. High-profile companies—as well as those that don’t make the headlines—routinely fall prey to cybercrime of one variety or another: data theft, financial fraud, denial-of-service attacks, corporate espionage. The losses are not simply financial, but also of intellectual property, equipment, consumer trust, reputation, and growth.
Boards are taking notice. Cybersecurity increasingly is viewed as part of the array of risks boards are charged with overseeing—and not something that can be outsourced. According to a recent article in The Wall Street Journal: “After a series of high-profile data breaches and warnings, corporate boards are waking to cyber-threats, grappling with security issues they once relegated to technology experts.”
But awareness doesn’t always translate into practical ways of addressing the problem. How can boards fulfill their fiduciary duties and ensure their companies are adequately prepared to deal with inevitable breaches? In this year’s KFMC100 we focus on the questions that are of critical concern to boards tackling cybersecurity: What information must directors review? How can they ensure they are making informed decisions? What people and expertise do they need in what roles? And how should they aim to improve oversight going forward?
Complete protection is a lofty but unrealistic goal when it comes to cybersecurity. Given the sheer number and types of incidents, and how they are continually morphing, the odds of avoiding an attack are slim. Preparedness and managing business consequences are realistic goals, however. In our report we suggest specific steps boards and management can take—in advance of an attack—to ensure speedy detection, diagnosis, response, and recovery in the event of a breach. These precautions can serve to minimize damage and avert potential catastrophe.
At many companies, the line of sight that directors require to effectively assess and deal with the issue remains obscured by barriers both structural and informational. One way to surmount these barriers is to recruit a cybersecurity expert to the board, a step those we interviewed had varying opinions on. Our research shows that among the 98 directors added to KFMC100 boards in 2013, only 3% had specific security experience. But risk management experience climbed from 5% of new directors in 2012 to 21% in 2013, and compliance experience also rose, from 12% to 24% of new directors. Clearly boards have their eye on risks. Recruiting some variety of cybersecurity expert to the board may be a necessity for some companies. But, depending on specific circumstances at individual companies, there also are ways to properly manage the exposure of networks and security without adding that expertise. We discuss a range of options boards can employ to ensure they are covered.
We also address the broader concerns companies have about building a more cybersecure world. The process of addressing cyberthreats may start at the individual company level, but more effective, permanent solutions lie in partnerships and initiatives taken with other companies and cooperation with the public sector. The need to safeguard confidential corporate information, customer data, and intellectual property is significant.
But at their worst, cyberattacks are not just threats to corporations but to the entire global infrastructure, affecting a wide span of systems, from water to power, transportation, communications, and others. We would like to thank a number of individuals for their time and insights, which added immeasurably to this report. First, our external experts, who provided a range of views that helped crystallize the issues and define steps forward for boards: Melissa Hathaway — a private sector cybersecurity expert known for her work as the director of the Joint Interagency Cyber Task Force within the US Office of the Director of National Intelligence from 2007 to 2009.
John Hinshaw — the executive vice president of technology and operations for Hewlett-Packard and former chief information officer (CIO) at Verizon Wireless and Boeing. He recently joined the board of BNY Mellon. Dr. Ronald Sugar — the former chairman and CEO of Northrop Grumman who currently serves on the boards of Air Lease, Chevron, Amgen, and Apple. Ambassador R. James Woolsey Jr. — a former director of Central Intelligence, who chairs the board of the Foundation for Defense of Democracies, and is a Venture Partner with Lux Capital Management. He has served on numerous corporate and non-profit boards. We would also like to thank our internal team of experts who contributed to this report: Vice Chairmen Dennis Carey, Robert Hallagan, and Stephen Mader of Korn Ferry’s Board & CEO Services Practice, as well as co-leaders of the firm’s cybersecurity practice, Aileen Alexander and Jamey Cummings. It is our hope that the insights captured in this report will arm directors with the right questions as they grapple with this newer, far more insidious breed of risk and provide them with some focus as they determine how best to protect all their stakeholders.
Translating cyber-risks into business terms
“I have a hypothesis,” says Melissa Hathaway, private sector cybersecurity expert and former cybersecurity “czar” under Presidents George W. Bush and Barack Obama: “Until cybersecurity is reflected in balance sheet terms, it’s never going to be fully embraced by the board.” The key to a board’s successful oversight of cybersecurity, observes Hathaway, is identifying it as risk, albeit in a new guise, and managing it with the same diligence and processes applied to other risks. That will help to ensure cybersecurity remains visible on directors’ dashboards and that key metrics will be used to measure how well the job is being done.
Cybersecurity is a major concern at companies of all sizes and has a measurable impact on many facets of operations, and certainly profitability. Yet the scale of that impact is often obscured or lost in translation. Unless directors can cut through the technical jargon in what are often massive amounts of information they receive, the size of the risk and the steps to mitigate it may not be clear. Instead, Hathaway says, the risks need to be translated into a language most directors know well: dollars and cents.
Companies have for years turned to IT to lower manpower costs and increase productivity to add to the bottom line. But—and this is a big but, Hathaway warns—as companies leverage this “IT dividend,” more open and available access to networks presents a far greater risk of service disruption, unprecedented crimes against the infrastructure, IP theft, and more. It’s a chilling prospect, especially when one considers how our essential services, from the power grid to the banking system to air traffic control, are all dependent on a functioning Internet.
Capturing this increased risk, and potential attendant costs, is crucial. As companies reduce operations costs through technology, they should factor
into the equation—in both capital and operational terms—the toll of inevitable breaches. “How do you measure the cost of replacing infrastructure? Or replacing millions of credit cards? Most companies are not reflecting this in balance sheet terms, so costs are hidden,” Hathaway says. Tackling cybersecurity will also require some ingenuity. “We can’t solve the problem with the same thinking that was used when we created the Internet,” Hathaway observes. The US government-funded Internet was created with the express and limited purpose of enabling direct communications between the president and the military in the event of nuclear disaster. “It was not designed to be the global backbone of e-commerce,” she contends. “In 1990, the World Wide Web was created by an engineer working at CERN, the particle physics laboratory in Geneva, Switzerland. That innovation was quickly followed by the development of search engines designed to navigate the web. From that point, governments were challenged to enable and ensure ready availability of high-speed connectivity at a low price point so we could all benefit from the information society. That challenge unfortunately did not include a focus on security.” The Internet grew exponentially more sophisticated and accessible over those 25 years, but it now has to be retrofitted to build security into its very infrastructure. “Currently, we all have two or three Internet-enabled devices. By 2015 we’ll have an average of five or so, and by 2020 we’ll have a minimum of 10,” Hathaway says. “If we haven’t addressed security issues, cyber-risks will double by 2015 and continue to multiply. We’re running out of time.” As part of a plan to make their companies more cybersecure, boards should be aware of all the unauthorized ways individuals or organizations can gain access to their networks. 
Hathaway notes that “it might be a trusted employee who comes to work with tainted technology,” a more common scenario now given the popularity of bring-your-device-to-work policies. “Or it could be an employee with more malevolent intentions using a thumb drive or a DVD to steal critical information or poison the infrastructure,” she says.
Another burgeoning threat stems from employees’ use of their own devices over free Wi-Fi networks that lack a secure connection. “It’s easy for someone to get sensitive information and gain access to the enterprise by deploying a technology in the proximity of a network or database,” she explains. Perhaps an even more troublesome threat, according to Hathaway, is infiltration that might happen somewhere in the global supply chain. Mechanisms are needed to protect against malicious modification or substitution of technology anywhere along the IT product life cycle: design, manufacturing, integration, distribution, operation, maintenance, and retirement. Hackers also can gain access via the digital links used by third parties—suppliers, contractors, or consultants—a security gap that may be overlooked. “This strain is particularly insidious because it is difficult to determine if illicit activity is taking place in the infrastructure. We’re facing a dangerous combination of known and unknown vulnerabilities—strong adversary capabilities and weak situational awareness—across those different attack vectors,” Hathaway says. As both a cybersecurity consultant and corporate director, she sees some possible solutions but is also realistic about the challenges of taming the cybersecurity risk. Looking through her director’s lens, she says, boards should be regularly asking: Is cyber-risk accounted for in our overall corporate planning process? The board needs to be assured that cyber-risk is an element of a broader risk framework and that exposures are recognized and being planned for. “For most companies, this is not the case,” Hathaway observes. “Cyber-risk is not viewed alongside other risks in the planning process.” What is the process for evaluating security and measuring liabilities? Boards should know not only what controls are in place, but how they are evaluated. Is the company following best practices for its security? If so, what is the source? 
“Boards should also know whether there is a third-party audit and how often there are breaches and their costs,” she says. “All of this will vary by company and industry, but you’ve got to measure the cost and make sure it’s reflected on the balance sheet like other liabilities.” Do we have directors with relevant expertise? Although there is a difference of opinion on whether boards require general technology expertise—let alone specific security expertise—Hathaway believes it’s important to have one or
more directors who understand IT and its associated risks, or have a security background. “It’s an important risk area that must be managed by someone with qualifications. And it needs to be integrated properly into the committee process, whether on the audit, finance, governance, or risk committee, rather than a general topic that is discussed in detail with the full board,” Hathaway says. Have we identified executive ownership of the issue? Hathaway believes the CEO has ultimate accountability for cybersecurity. “The CEO should have controls in place that indicate how cybersecurity is being managed and the true costs to the business, which should be part of both an internal and external audit,” she suggests. What will we do in the event of a breach? If and when there is a problem, can we deal with it quickly and minimize the damage? Do we have a process for communicating effectively, internally and externally? How will we deal with the costs? Hathaway offers a few other cautionary observations, starting with attending to the executive reporting structure. “Often the chief information security officer (CISO) reports to the CIO, and decisions made this way could potentially make the enterprise less secure,” she notes. “The CISO is responsible for keeping the enterprise safe and the CIO is responsible for keeping the enterprise running 24/7. An inherent conflict. It should be a shared decision in the C-suite with the CEO assuming ultimate responsibility.” Hathaway also warns that computer network security regulations are probably coming down the pike; the SEC’s recent announcement of “no-notice audits” of financial institutions is a signal of what boards should anticipate. “Will the SEC provide general guidance or be prescriptive? Or will boards be in a position to tell the SEC what they’re already doing? Certainly boards that can demonstrate rigorous oversight of cybersecurity prior to any formal regulations will be in a far stronger position,” she says.
Asking the right questions
Boards should recognize that it is best governance practice—indeed, directors’ fiduciary duty—to anticipate digital attacks. Taking aggressive cybersecurity steps, rather than merely battening down the hatches and waiting for regulations to emerge, is the way to go.
The challenge of cybersecurity can’t be overstated. That’s the view of Dr. Ronald Sugar, former CEO of Northrop Grumman, who currently serves on the boards of Air Lease, Chevron, Amgen, and Apple. He quotes former NSA Director General Keith Alexander, who called cyberindustrial espionage—possibly the most serious digital threat to major corporations—“the greatest transfer of wealth in history.” Perhaps in part because he served as CEO of a major defense contractor, Sugar has been hyperaware of the need for greater cybersecurity and the changing nature of the threats companies face. The focus used to be on updating antivirus software and building a protective firewall around systems. But with increasingly complex networks and mobile device access, there is no longer a clear perimeter. “We have to figure out other ways to deal with this,” he says. “The whole concept of the Internet is that it is uncurated; it was created to connect, not to protect. No one is in charge of it. There’s no magic bullet that will solve the security problem, but it helps to have smart people in your company, advised by other smart people on the outside, and to build layered defenses.”
As a defense industry leader, Sugar sounded the alarm early, in 2009, in an open letter to President Obama: “These cyber attacks occur daily and are increasing. The race to defend against them constitutes the most critical military and economic imperative of this century. Yet this is a race we are
losing,” he wrote. In the letter, published in Aviation Week & Space Technology magazine, he recommended actions government and industry should consider to meet this challenge. Five years on, he’s seen some gains. “There’s been enormous progress in the area of awareness,” Sugar notes. “Unlike 2009, there is no one in corporate America today in a serious position of responsibility who doesn’t know about this threat. Everyone is talking about it—although some are doing more than others.” As Sugar sees it, that’s the challenge that remains: moving from knowing about the threat to putting controls in place. “On boards I’m involved with, I see management paying more attention to cyber-risk now; they understand the serious consequences to finances and reputation. CEOs can be fired over this. So it’s garnering more attention in boardrooms across the country,” he says. “The big challenge is that very few board members have expertise in this area. What should the board be asking management so the board knows the company is reasonably protected?”
Adopt the perspective of a hacker, Sugar suggests. Ask this question: If you wanted to destroy the value of your company, what would you do? “The board should regularly be addressing this topic with management: What are the biggest threats we face and what are the potential consequences?” he says. This is a dialogue the board should have with the CEO, Sugar contends, not something you want only a report on from the CIO. Boards also must scrutinize how the company invests in IT security. Is it spending just enough to get by, or investing to get a reasonable level of protection given the assumption that some risk will always remain? Dashboards and charts may aid these discussions, but in the end, directors fundamentally must decide if they are confident that management has a comprehensive cybersecurity plan in place. “There may be a quantitative basis to the discussion, but it really comes down to a gut feel the board has concerning whether management knows what it’s doing,” Sugar says.
To reach that degree of confidence, boards should seek answers to the most basic questions: In the event of a breach, who is in charge internally and how is it communicated externally? “The company’s brand is the trust people put in you,” Sugar says, “and, for example, laying low on reporting credit cards that were stolen three weeks ago is not a good strategy.” Do we have the right team and resources dedicated to this? The CISO needs to come before the board at least twice a year. But if his or her briefings are unduly technical or complicated, that’s a red flag. If that gut feeling is that the company is at risk and management isn’t taking appropriate action, it is the board’s fiduciary duty to bring in an outside consultant. But that should be a last-ditch option, Sugar says, because it’s one that indicates a lack of confidence in management—equivalent to bringing in outside counsel rather than relying on the general counsel. In Sugar’s view, the board doesn’t necessarily need a director with cybersecurity expert credentials. Rather, the board requires directors with a high level of awareness regarding the issue. “You need broad expertise on the board,
but it is helpful to have one or two directors who are capable of understanding the key issues related to cybersecurity,” Sugar notes. He or she doesn’t need to be a certified expert, he explains, but should be someone who is capable of grasping the issues, formulating questions for management, and willing to serve on the committee responsible for risk. That’s the role Sugar says he plays on several of his boards. Another modus operandi that Sugar suggests is to periodically drop in—with the CEO’s blessing—on the people who manage cybersecurity day to day to “spend time with them in their native habitat and gain an understanding of threats they’re dealing with.” It’s a more natural way of learning and absorbing information, and far preferable to putting someone on the spot in a formal board meeting. It’s in these less-formal conversations with someone like the CIO or CISO that board members may identify risk-protection measures that
are needed but not appropriately budgeted for. In that case, it’s the board’s duty to bring the gap to the attention of the CEO, asking, “What if something went bad and we hadn’t adequately funded security efforts?” Most acutely, Sugar worries about the inevitability of a “cyber Pearl Harbor,” an attack that would require a fast and coordinated response from the public and private sectors. A chief concern is that US policies are generally reactive rather than proactive. “The regulatory response to Enron was Sarbanes-Oxley; the financial crisis led to Dodd-Frank. What will we as a nation immediately do when there is a risk to our water or power or communication systems? They are the only things that separate us from living in the Stone Age,” he says. In the boardroom, however, directors have to view risk management— including the digital kind—as a balancing act. “Some people want to ensure that companies never take big risks. But a company can’t be competitive without innovation and calculated risk,” Sugar contends. “In the end, the greatest risk is getting overwhelmed by the competition. That’s why you want people with judgment on boards—because if you’re not willing to take some risk, and you’re just doing what everyone else is doing, why should you be entitled to a superior financial return?”
Managing cybersecurity risk
As the executive vice president of technology and operations at Hewlett-Packard, John Hinshaw oversees the company’s global information technology group as well as key operations, including global sales operations, procurement, real estate, and global business services. With this comes responsibility for HP’s cybersecurity. Hinshaw knows that discussions on cybersecurity can quickly become a deep technical debate with the potential to lose relevance to the business impact. His years as a CIO—previously at Boeing and Verizon—plus his broad management experience give him the ability to advise on security topics at the board level, educate in nontechnical terms on cybersecurity, and recommend approaches for cybersecurity oversight.
Although the topic is new to many boards, it’s familiar terrain to Hinshaw. In the late ’90s, he was responsible for briefing Verizon’s board on the Y2K threat. At that time there was no framework for assessing risks to information technology systems at the board level. Shortly thereafter came the Sarbanes-Oxley Act, which addressed controls and risk in key systems and processes. As the risks to IT systems and cyberthreats are now reality for all companies, a framework focused on people, processes, and technology is the right approach for boards to guide their discussions and make sure they are taking a rigorous and systematic approach to cybersecurity.
People. “First, it’s essential to make sure the right people are in the right jobs,” Hinshaw says. The team working on cybersecurity must fully understand today’s array of risks and know how to stay abreast of new threats. They have to build a network with other companies and educate employees about
safe computing practices. “Directors need to be assured that they have the right chief information security officer with the best technical team to mitigate the cybersecurity risk for the company,” he warns.
Processes. To ensure boards are addressing a wide array of cybersecurity risks, Hinshaw advises that directors review a comprehensive list of computing risks and understand the remediation and timeline accordingly. “Some security risks focus on compliance and have a standard associated with them. Examples of compliance risks are processing credit cards, resetting passwords, and establishing firewalls,” he explains. The goal is to thoroughly grasp how the security issues could put the company at risk. “You have to possess an in-depth understanding of the company, the products and services offered, and where the risk points are,” he asserts. For retailers, that is likely point-of-sale systems. For manufacturers, it’s the factory and supply chain systems. For connected devices, it’s the products themselves and the microcode that enables them. On top of that, every company needs to protect employee and customer data, Hinshaw says.
Technology. There are some specific questions boards need to ask on a regular basis, according to Hinshaw: “Do we have adequate firewalls and intrusion prevention in place, and how often are the associated policies updated? Are desktops and mobile devices fully secured to prevent attacks from malicious websites and Trojan horses? How often do we educate employees on cybersecurity risks and what to do if they think they’ve been breached? How is company data encrypted and who has access to the encryption keys?” One growing challenge, at HP as elsewhere, is the “bring your own device” trend. With more than 160,000 such devices at HP, a great deal of coordination is required for people to access what they need without compromising corporate security. “Employees expect to connect to our global systems on their smartphones and it’s key to business needs in many cases. We employ a variety of technologies to protect corporate data,” Hinshaw says. “We have to ensure employees’ personal use of the device doesn’t compromise corporate security.”
The most crucial information in the company needs special safeguarding. “The ‘keys to the kingdom’ should be locked down on their own separate network, with a multilayered defense strategy, and accessible to as few people as possible,” he advises. Even with the right people, processes, and technology, every company remains at risk and a frequent review by directors is vital to ensuring these risks are understood and addressed with urgency. As he explains his framework, Hinshaw says he realized early in his career that security was going to be an important topic. “I took a computer security class in college 25 years ago and heard about students hacking into the library so they could check out more than one book at a time. Today major corporations being hacked is an everyday event and as I meet with HP’s key customers, security is always top of mind.”
The bigger context and the bigger threat
“You’ve got to think like a bad guy,” advises Ambassador R. James Woolsey Jr., former director of Central Intelligence. Woolsey is waging an awareness campaign about a potentially devastating cyberattack: one on the electrical grid. Even a major corporate breach seems like small potatoes compared with a serious blow to the foundation on which we all depend for survival. “Anyone who understates the problem doesn’t really understand it,” says Woolsey, who now chairs the board of the Foundation for Defense of Democracies and is a venture partner with Lux Capital Management.
The nation’s critical infrastructure—the systems that deliver water, power, fuel, transportation, communications, and more—were developed largely by happenstance over time and are fragile. They also are all dependent on electricity. A power disruption of more than a few days could make companies forget the inconvenience and expense of replacing customers’ credit cards or reversing the corrosive effects of malware. “We would quickly move into a world where people would not have access to water or food and wouldn’t be able to communicate or gain access to resources,” Woolsey says. “Financial assets would be useless because, let’s face it, what most of us own is not anything tangible but rather a collection of ones and zeroes in a computer in some bank somewhere.”
The “bad guy” mindset Woolsey adopts to fashion solutions to such a potential catastrophe is something he learned from his father, who was a trial lawyer. Preparing your opponent’s case is always the way to start, his dad told him, “not only what he’s likely to do but anticipating the worst, nastiest thing you can imagine. Prepare that case and figure out how to defeat it.” The nastiest attack Woolsey imagines could come from cybercriminals, terrorists, or hostile nations.
As he asks himself what they might do, Woolsey
returns to our dependence on the electrical grid and its vulnerability. “Our enemies have the ability—if they hate us enough—to take down all or part of the grid for a substantial period of time and cause greater devastation than if they were to use nuclear weapons, which might destroy a vast area but not undercut all of the infrastructure,” Woolsey warns. The electrical grid is vulnerable to physical attacks but also to an electromagnetic pulse, whether naturally occurring or intentionally created. The pulses that cause the greatest concern are long wavelength pulses from the sun or a nuclear source, he says. “They travel along long transmission lines and destroy transformers at the heart of the grid,” Woolsey explains. “Those transformers are tooled for specific applications and if you lose them you’re one to two years away, at best, from fixing them.” Certain solar events can cause these long wavelength pulses, but so can detonation of a nuclear weapon in orbit perhaps only 50 miles above Earth, Woolsey says. Considering the sci-fi-like scenario of destruction and the relative ease of such an attack, Woolsey is stunned by how little the federal government and industry are doing to prevent such disasters. Russia, Israel, and China are protecting their infrastructure against electromagnetic pulses, but not the United States. To raise awareness and marshal support for his view, he recently wrote an op-ed in The Wall Street Journal supporting the Secure High-voltage Infrastructure for Electricity from Lethal Damage, or SHIELD Act, and the Critical Infrastructure Protection Act. So far the federal government has taken little action on grid vulnerability. Utility companies have been similarly disinclined to action. “Who’s in charge? No one, really. There are 50 public utility commissions, one for each state, usually run by retired public utility executives,” he says. 
The lack of incentive also has to do with utility companies’ shared infrastructure dependence, meaning a whole grid could collapse because of one weak spot anywhere along the line. “Each utility says, if I fix these things and my neighbor goes down he’s taking me with him so it’s not worth the investment. Ain’t anybody in charge? Why don’t we have a national energy strategy? Because no one is in charge,” Woolsey laments.
There are simple, relatively inexpensive fixes, he says. Surge arrestors, for example, which would cost a few billion dollars to install as opposed to the hundreds of billions it would cost to recover from a serious incident. “That would mean adding a few cents to the kilowatt hours on people’s electric bills, that’s all,” he notes. The core problem, as Woolsey frames it, is that no one wants to contemplate an electrical grid-induced Armageddon. But corporate boards, whose duties include scoping unimagined risks, can step into this leadership vacuum. His own consulting firm, Energy Security Group, is pulling together public and private partners to work for change, initially at the state level. “To make this approach work and to gain the cooperation of individual companies and various state governments, you need a mover and a shaker or two. But I’ve been on 15 boards over the years, mostly in aerospace, and it matters a lot whether you have a chairman and one or two key members who are willing to step up and look at a crucial issue from a national perspective rather than from a quarterly bottom-line perspective. Get the right people together and you can get something done quickly.”
Conclusion
A recent cartoon in The New Yorker features a group of directors around a boardroom table, with the chairman addressing them: “We may need to rethink our strategy of hoping the Internet will just go away.” Indeed, the Internet is not going away. For better and worse, it is the main artery to a company’s heart: its employee data, operations systems, customer account information, and more. With cyberthreats proliferating, and the negative implications for stakeholders multiplying, security is an issue boards must get a handle on. Security breaches have the potential to bring large corporations to their knees, rapidly eroding hard-won reputation and market share. It’s become a tech cliché, but unfortunately it seems true: there are companies that have been hacked, and those that just don’t know they’ve been hacked. Even if your company hasn’t suffered a damaging breach, is that because of effort or luck?
A few startling statistics from the Ponemon Institute, which conducts independent research on privacy, data protection, and information security policy: The number of breached records rose by 350% in 2013, with approximately half of the US population’s personal information exposed in a 12-month period. The average time it took an organization to detect a breach was 32 days—a period during which a great deal of damage could have been done—an increase of 55% from the prior year. And the expense of dealing with security breaches? Ponemon’s 2014 Cost of Data Breach Study: Global Analysis states that the average cost to a company was $3.5 million, 15% higher than the previous year. Cleanup averaged $250 per data record, and $250,000 to clear up an infection.
Most organizations experience two successful breaches per week in which their core networks or enterprise system is infiltrated, and all told, most companies will spend
at least $1 million on cleanup. And that doesn’t account for “cost” in terms of lost intellectual property, competitive advantage, customer confidence, potentially plummeting stock price, and job losses.
Fortunately there are concrete steps boards can take to protect their companies from this new form of risk, which should be added to the broader risk portfolio they oversee. One expert we spoke with was Edward Guiliano, president of the New York Institute of Technology, which provides intensive training for the next generation of cybergatekeepers. Board members, he says, need ongoing education on cybersecurity. They must personally understand where security risks lie, in hardware as well as software, and ensure that there is proper training throughout the organization. “People are always the weakest link in cybersecurity,” Guiliano says. Raising the average information technology IQ can go a long way toward “safeguarding business plans, patents before they’re filed, employee data, and everything else that may be easily accessible on the Internet,” or what he refers to as “our global nervous system.”
At a minimum, boards should regularly address:
Security strategy. The board must ensure that the company has a strategic vision and a tactical road map that proactively protect assets and keep pace with escalating threats and evolving regulatory requirements.
Policy and budget review. Company security policies, and roles and responsibilities of all relevant leadership, should be evaluated, along with data security and privacy budgets to ensure they are adequately funded.
Security leadership. The board needs to confirm that the organization has the credible leadership and talent to develop, communicate, and implement an enterprise-wide plan to manage cyber-risk.
Incident response plan. The board should oversee the development of a comprehensive incident response plan that is widely understood, rehearsed, and stress tested.
Ongoing assessment. The board should periodically review a thorough assessment of the organization’s information security capabilities, targeting internal vulnerabilities and external threats.
Internal education. The board should ensure that the company implements a strong communication and education program to create an environment in which all employees embrace responsibility for cybersecurity.
These recommendations are a beginning, not an end. Boards that seek to manage cyber-risk as well as they realistically can must distill these items into specific goals and actions that can be counted, measured, and results discussed with management. The precise metrics will depend on the nature of the business and the likely threats. Those we interviewed suggested some possibilities:
If management should be collaborating with external organizations, such as the government, to share knowledge of threats and enhance mutual security, what are they doing to further that objective? Whom are they partnering with?
Similarly, if the time to recognition of a security breach is unacceptably long, what is a more appropriate target, and what action is management taking to achieve that?
Have we defined the categories of likely security breaches, determined the response to each, and assigned executive ownership for each step in the process?
These are but a few examples of cyber-security topics on which boards and management will need to engage. Cyber threats abound, from vengeful acts by disgruntled employees, to data theft by organized gangs of hackers, to foreign industrial espionage. Although there may be no infallible prophylactic, board involvement and oversight can keep a company vigilant and go a long way toward safeguarding its value and reputation.
About the 2014 Korn Ferry Market Cap 100. The Korn Ferry Market Cap 100 (KFMC100) are the US companies that had the largest market capitalization as of the close of markets on May 1, 2014, after the end of most firms’ 2013 fiscal year. Companies were removed from the list if they were not traded primarily on the NYSE or Nasdaq, or were real estate investment trusts or public investment firms.
Appendix A: The KFMC100 companies
Eight companies joined the ranks of the KFMC100 in the last year:
Twenty-First Century Fox, Inc.
Lockheed Martin Corp.
LyondellBasell Industries
Capital One Financial Corp.
EOG Resources
Accenture
Thermo Fisher Scientific Inc.
DirecTV
Figure 1
Market capitalization of the KFMC100 companies. The KFMC100 companies had a median market capitalization of $74 billion on May 1, 2014, after the close of most companies’ fiscal year. Of the 100 companies, 34 were valued at $100 billion or more. This was the first year there were no KFMC100 companies valued at less than $40 billion.
Market cap | Companies
$40 billion – $59.99 billion | 32
$60 billion – $79.99 billion | 22
$80 billion – $99.99 billion | 12
$100 billion – $149.99 billion | 14
$150 billion – $199.99 billion | 9
$200 billion and over | 11
Figure 2
Industry sectors represented. Technology and services were the two largest sectors again this year, and together represented more than a third of the 2014 KFMC100 list.
Sector | Companies
Basic materials | 13
Conglomerates | 3
Consumer goods | 13
Financial | 13
Health care | 14
Industrial goods | 6
Services | 20
Technology | 15
Utilities | 3
Figure 3
The Korn Ferry Market Cap 100. The KFMC100 companies ranked in order of market capitalization as of the close of markets on May 1, 2014.
Rank | Company | Market cap* | Industry
1 | Apple Inc. (NasdaqGS:AAPL) | $509.7 | Computer hardware
2 | Exxon Mobil Corp. (NYSE:XOM) | $439.0 | Integrated oil and gas
3 | Google Inc. (NasdaqGS:GOOG) | $356.5 | Internet software and services
4 | Microsoft Corp. (NasdaqGS:MSFT) | $330.2 | Systems software
5 | Johnson & Johnson (NYSE:JNJ) | $283.9 | Pharmaceuticals
6 | General Electric Co. (NYSE:GE) | $268.7 | Industrial conglomerates
7 | Wells Fargo & Co. (NYSE:WFC) | $260.5 | Diversified banks
8 | Wal-Mart Stores Inc. (NYSE:WMT) | $257.1 | Hypermarkets and super centers
9 | Chevron Corp. (NYSE:CVX) | $238.6 | Integrated oil and gas
10 | Procter & Gamble Co. (NYSE:PG) | $223.3 | Household products
11 | JPMorgan Chase & Co. (NYSE:JPM) | $210.4 | Financial services
12 | Pfizer, Inc. (NYSE:PFE) | $198.6 | Pharmaceuticals
13 | International Business Machines Corp. (NYSE:IBM) | $195.3 | IT consulting and other services
14 | Verizon Communications, Inc. (NYSE:VZ) | $195.0 | Integrated telecommunication services
15 | AT&T, Inc. (NYSE:T) | $184.8 | Integrated telecommunication services
16 | Oracle (NasdaqGS:ORCL) | $182.1 | Systems software
17 | The Coca-Cola Co. (NYSE:KO) | $178.7 | Soft drinks
18 | Merck & Co., Inc. (NYSE:MRK) | $174.8 | Pharmaceuticals
19 | Bank of America Corp. (NYSE:BAC) | $158.6 | Financial services
20 | Facebook, Inc. (NasdaqGS:FB) | $155.1 | Social media
21 | Citigroup, Inc. (NYSE:C) | $144.7 | Financial services
22 | Amazon.com Inc. (NasdaqGS:AMZN) | $141.5 | Internet retail
23 | Walt Disney Co. (NYSE:DIS) | $139.2 | Movies and entertainment
24 | Philip Morris International, Inc. (NYSE:PM) | $135.9 | Tobacco
25 | Comcast Corp. (NasdaqGS:CMCSA) | $135.0 | Cable and satellite
26 | QUALCOMM, Inc. (NasdaqGS:QCOM) | $133.6 | Communications equipment
27 | Schlumberger Limited (NYSE:SLB) | $131.5 | Oil and gas equipment and services
28 | Intel Corp. (NasdaqGS:INTC) | $131.4 | Semiconductors
29 | Visa, Inc. (NYSE:V) | $130.5 | Data processing and outsourced services
30 | PepsiCo, Inc. (NYSE:PEP) | $129.5 | Soft drinks
31 | Gilead Sciences, Inc. (NasdaqGS:GILD) | $121.2 | Biotechnology
32 | Cisco Systems, Inc. (NasdaqGS:CSCO) | $118.3 | Communications equipment
33 | The Home Depot, Inc. (NYSE:HD) | $109.1 | Home improvement retail
34 | United Technologies (NYSE:UTX) | $107.0 | Aerospace and defense
35 | McDonald’s (NYSE:MCD) | $99.9 | Restaurants
36 | The Boeing Co. (NYSE:BA) | $93.6 | Aerospace and defense
37 | ConocoPhillips (NYSE:COP) | $92.0 | Integrated oil and gas
38 | 3M Co. (NYSE:MMM) | $92.0 | Industrial conglomerate
39 | American Express Co. (NYSE:AXP) | $91.6 | Consumer finance
40 | United Parcel Service, Inc. (NYSE:UPS) | $90.6 | Air freight and logistics
41 | MasterCard International Inc. (NYSE:MA) | $88.3 | Data processing and outsourced services
42 | CVS Caremark Corp. (NYSE:CVS) | $86.0 | Drug retail
43 | Union Pacific Corp. (NYSE:UNP) | $85.6 | Railroads
44 | Amgen Inc. (NasdaqGS:AMGN) | $85.2 | Biotechnology
45 | Bristol-Myers Squibb Co. (NYSE:BMY) | $82.0 | Pharmaceuticals
46 | AbbVie, Inc. (NYSE:ABBV) | $81.9 | Pharmaceuticals
47 | Altria Group, Inc. (NYSE:MO) | $79.5 | Tobacco
48 | American International Group, Inc. (NYSE:AIG) | $77.0 | Multi-line insurance
49 | Occidental Petroleum Corp. (NYSE:OXY) | $75.6 | Integrated oil and gas
50 | UnitedHealth Group, Inc. (NYSE:UNH) | $74.6 | Managed health care
51 | The Goldman Sachs Group, Inc. (NYSE:GS) | $74.3 | Investment banking and brokerage
52 | U.S. Bancorp (NYSE:USB) | $73.5 | Diversified banks
53 | Twenty-First Century Fox, Inc. (NASDAQ:FOXA) | $73.1 | Movies and entertainment
54 | Honeywell International, Inc. (NYSE:HON) | $72.3 | Aerospace and defense
55 | Biogen Idec Inc. (NasdaqGS:BIIB) | $68.0 | Biotechnology
56 | eBay Inc. (NasdaqGS:EBAY) | $67.1 | Internet software and services
57 | Walgreen Co. (NYSE:WAG) | $66.0 | Drug retail
58 | Caterpillar Inc. (NYSE:CAT) | $65.7 | Construction and farm machinery and heavy trucks
59 | Nike, Inc. (NYSE:NKE) | $64.0 | Footwear and apparel
60 | Eli Lilly & Co. (NYSE:LLY) | $63.2 | Pharmaceuticals
61 | Ford Motor Co. (NYSE:F) | $62.7 | Automobile manufacturing
62 | Hewlett-Packard Co. (NYSE:HPQ) | $61.7 | Computer hardware
63 | Colgate-Palmolive Co. (NYSE:CL) | $61.4 | Household products
64 | priceline.com, Inc. (NasdaqGS:PCLN) | $61.4 | Internet retail
65 | Morgan Stanley (NYSE:MS) | $61.3 | Investment banking and brokerage
66 | E.I. DuPont de Nemours & Co. (NYSE:DD) | $61.2 | Diversified chemicals
67 | Mondelez International, Inc. (NasdaqGS:MDLZ) | $60.5 | Packaged foods
68 | Celgene Corp. (NasdaqGS:CELG) | $60.4 | Biotechnology
69 | Time Warner, Inc. (NYSE:TWX) | $59.7 | Movies and entertainment
70 | Abbott Laboratories (NYSE:ABT) | $59.7 | Pharmaceuticals
71 | Medtronic, Inc. (NYSE:MDT) | $59.3 | Health care equipment
72 | The Dow Chemical Co. (NYSE:DOW) | $58.0 | Diversified chemicals
73 | Monsanto Co. (NYSE:MON) | $57.7 | Fertilizers and agricultural chemicals
74 | MetLife, Inc. (NYSE:MET) | $57.7 | Life and health insurance
75 | General Motors Co. (NYSE:GM) | $55.9 | Automobile manufacturers
76 | Starbucks Corp. (NasdaqGS:SBUX) | $53.7 | Restaurants
77 | Halliburton Co. (NYSE:HAL) | $53.4 | Oil and gas equipment and services
78 | EOG Resources (NYSE:EOG) | $52.9 | Oil, gas, and coal
79 | Duke Energy Corp. (NYSE:DUK) | $52.7 | Electric utilities and natural gas distribution
80 | Lockheed Martin Corp. (NYSE:LMT) | $51.9 | Aerospace and defense
81 | EMC Corp. (NYSE:EMC) | $51.8 | Computer storage and peripherals
82 | Danaher (NYSE:DHR) | $51.6 | Industrial machinery
83 | Express Scripts Holding Co. (NasdaqGS:ESRX) | $51.4 | Health care services
84 | Costco Wholesale (NasdaqGS:COST) | $50.7 | Hypermarkets and super centers
85 | Accenture (NYSE:ACN) | $50.5 | Business services
86 | LyondellBasell Industries (NYSE:LYB) | $50.3 | Chemicals
87 | Allergan, Inc. (NYSE:AGN) | $50.2 | Pharmaceuticals and medical devices
88 | Anadarko Petroleum Corp. (NYSE:APC) | $49.9 | Oil and gas exploration and production
89 | Phillips 66 (NYSE:PSX) | $49.4 | Integrated oil and gas
90 | Texas Instruments, Inc. (NYSE:TXN) | $49.1 | Semiconductors
91 | Emerson Electric Co. (NYSE:EMR) | $47.6 | Electrical components and equipment
92 | Lowe’s Companies, Inc. (NYSE:LOW) | $47.1 | Home improvement retail
93 | Thermo Fisher Scientific Inc. (NYSE:TMO) | $44.9 | Medical equipment
94 | PNC Financial Services Group Inc. (NYSE:PNC) | $44.5 | Regional banks
95 | NextEra Energy, Inc. (NYSE:NEE) | $43.5 | Electric utilities and renewable energy
96 | Capital One Financial Corp. | $42.3 | Financial services
97 | Dominion Resources, Inc. (NYSE:D) | $42.2 | Electric utilities and natural gas distribution
98 | Kimberly-Clark Corp. (NYSE:KMB) | $42.0 | Household products
99 | DirecTV | $41.1 | Cable and satellite
100 | The TJX Companies, Inc. (NYSE:TJX) | $41.0 | Apparel retail
*on May 1, 2014 (in billions USD)
Appendix B: The KFMC100 Class of 2013
Turnover on KFMC100 boards remained low during the 2013 calendar year. Thirty-nine companies in the KFMC100 added no new director at all during the year. The Class of 2013 comprised 105 total appointments, down from 113 in 2012. With 1,208 total board seats available, that represents a turnover rate of just 8.7%.
Figure 4
Governance experience in the Class of 2013. The large majority of KFMC100 boards added directors with previous board experience with a public company—87%, compared with 73% the previous year.
New directorships by governance experience (n=105)
First time directors | 13%
Experienced directors | 87%
Figure 5
CEO experience in the Class of 2013. Even as companies restrict their CEOs’ availability for outside board service, the large companies in the KFMC100 have continued to attract high levels of current and retired CEOs to their boards: 56% in 2013, up from 41% in 2012.
Past or present CEO experience with a public company
Seats newly filled in 2013 | 56%
Incumbents’ seats | 53%
Figure 6
Professional experience in the Class of 2013. The KFMC100 covers a wide array of industries, and board makeup varies accordingly. But two types of experience emerged as prominent in the Class of 2013: finance/audit experience rose to 53% from 35% the previous year. And marketing/sales was 38%, up from 17% in 2012. Technology also rose to 22% from 13%.
New directorships (n=105)
Same-industry experience | 42%
Finance/Audit | 53%
COO/Operations | 30%
Public policy/Government | 24%
Academic/Research | 17%
Marketing/Sales | 38%
Academic administration | 7%
Nonprofit | 6%
Technology | 22%
Legal | 11%
Figure 7
Age of Class of 2013 directors. The median age of a director joining a board in 2013 was 59, six years younger than the median age for all directors.
49 or younger | 3%
50 to 54 | 20%
55 to 59 | 33%
60 to 64 | 25%
65 to 69 | 16%
70 and over | 3%
Figure 8
Board service among the Class of 2013. A majority of the 99 new non-executive directors were on only one or two boards, but 14 served on four or more.
Number of boards served
1 | 26 directors
2 | 36 directors
3 | 23 directors
4 | 9 directors
5 | 3 directors
6 | 2 directors
Figure 9
Women in the Class of 2013. Of the 105 total directors added to these boards in 2013, 22% were women, a proportion nearly unchanged from the year before.
22% Female
78% Male
Figure 10
Minorities in the Class of 2013. KFMC100 boards added twice as many new African American and Hispanic American directors in 2013 as they did in 2012. But the overall rates of diversity hardly changed on KFMC100 boards. Note that ethnicity information was not available for all of the directors. Class of 2013 (n=80)
Incumbents’ seats (n=966)
13%
9%
1% 6%
1% 3%
African American Asian American Hispanic American
Figure 11
Nationality of the Class of 2013. The percentage of foreign director appointments to KFMC100 boards returned to 15%, after a rise to 21% in 2012.
Seats filled in 2013: 85% American, 15% Non-American
Incumbents’ seats: 86% American, 14% Non-American
Figure 12
Global experience of the Class of 2013. Other indicators of global experience also dropped in 2013. International work experience among new appointees dropped to 28% from 36%. Only 17% of new appointees were born or educated abroad, down from 29% in the previous year.
International work experience
Seats filled in 2013 | 28%
Incumbents’ seats | 26%
Born and/or educated abroad
Seats filled in 2013 | 17%
Incumbents’ seats | 17%
Members of the Class of 2013 The following list includes all directors who joined one or more KFMC100 board in 2013. New directors who are also CEO of that company are marked with an asterisk (*). Edward (Spencer) Abraham
Delphine Arnault-Gancia
New Board
New Board
Occidental Petroleum Corp.
Twenty-First Century Fox, Inc.
Profile
Profile
Independent Vice Chairman, Occidental Petroleum Corp.
Director, Louis Vuitton SA
Other board(s)
Havas SA; Christian Dior SA; M6MetropoleTelevision SA; Louis Vuitton SA
Two Harbors Investment Corp.; NRG Energy, Inc.; PBF Energy, Inc.
Other board(s)
Roxanne S. Austin Rodney C. Adkins
New Board
New Board
AbbVie, Inc.
United Parcel Service, Inc.
Profile
Profile
Former President/CEO, Move Networks, Inc.
Senior Vice President, Corporate Strategy, International Business Machines Corp.
Other board(s)
Pitney Bowes, Inc.
Ericsson; Teledyne Technologies, Inc.; Abbott Laboratories
Robert J. Alpern
Linda B. Bammann
New Board
New Board
AbbVie, Inc.
JPMorgan Chase & Co.
Profile
Profile
Dean, Yale School of Medicine
Deputy Head, Risk Management, JPMorgan Chase & Co.
Other board(s)
Other board(s)
Abbott Laboratories
Ajaypal (Ajay) S. Banga
Shellye L. Archambeau
New Board
New Board
The Dow Chemical Co.
Verizon Communications, Inc.
Profile
Profile
Chief Executive Officer, MetricStream, Inc.
President/CEO, MasterCard International, Inc.
Other board(s)
Other board(s)
Arbitron, Inc.
MasterCard International, Inc.
Jaime Ardila
Eugene (Gene) L. Batchelder
New Board
New Board
Accenture
Occidental Petroleum Corp.
Profile
Profile
Executive VP/Regional President South America, General Motors Co.
Former Senior VP/CAO, ConocoPhillips
Timothy Armstrong
New Board
New Board
Hewlett-Packard Co.
priceline.com, Inc.
Profile
Profile
Principal, First Western Financial, Inc.
Chairman/CEO, AOL, Inc.
Other board(s)
Other board(s)
Liberty Media Corp.; Discovery Communications Inc.; Sprint Corp.
AOL, Inc.
Richardson Bennett
Mark A. Blinn
Abelardo (Al) E. Bru
New Board
New Board
Texas Instruments, Inc.
DirecTV
Profile
Profile
President/CEO, Flowserve Corp. Other board(s)
Former President/CEO, Frito Lay North America, Inc.
Flowserve Corp.
Other board(s)
Ana Botin
Kraft Foods Group, Inc.; Kimberly-Clark Corp.
New Board
The Coca-Cola Co.
William (Willie) H. Burnside
Profile
New Board
CEO/Executive Director, Santander UK plc
AbbVie, Inc.
Other board(s)
Profile
Banco Santander SA; Santander Investment SA
Advisor, Boston Consulting Group, Inc.
Gregory (Greg) H. Boyce
New Board
New Board
Philip Morris International, Inc.
Monsanto Co.
Profile
Profile
CEO, Philip Morris International, Inc.
Chairman, Peabody Energy Corp.
André Calantzopoulos*
Other board(s)
Kurt M. Campbell
Peabody Energy Corp.; Marathon Oil Corp.
New Board
MetLife, Inc. Profile
Angela F. Braly
Chairman/CEO, Asia Group LLC
New Board
Other board(s)
Lowe’s Companies, Inc.
Standard Chartered PLC
Profile
Former Chairwoman/President/CEO, WellPoint, Inc.
William S. Demchak*
Other board(s)
PNC Financial Services Group Inc.
Procter & Gamble Co.
Profile
Gregory Q. Brown
President/CEO, PNC Financial Services Group Inc.
New Board
Other board(s)
Cisco Systems, Inc.
Blackrock, Inc.
Profile
New Board
Chairman/President/CEO, Motorola Solutions, Inc.
Nancy-Ann M. DeParle
Other board(s)
CVS Caremark Corp.
Motorola Solutions, Inc.
Profile
Thomas K. Brown
Co-Founding Partner, Consonance Capital Partners, LLC
New Board
New Board
3M Co.
Susan Desmond-Hellman
Profile
New Board
Retired Group Vice President, Global Purchasing, Ford Motor Co.
Facebook, Inc. Profile
Other board(s)
CEO, Bill and Melinda Gates Foundation; Former Chancellor, University of California, San Francisco
Conagra Foods, Inc.
Other board(s)
Procter & Gamble Co.
Pierre J. P. de Weck
Gay H. Evans
New Board
New Board
Bank of America Corp.
ConocoPhillips
Profile
Profile
Former Chairman/Global Head, Private Wealth Management, Deutsche Bank AG Other board(s)
Former Division Vice Chairman, Investment Banking and Investment Management, Barclays PLC
SAL Oppenheim jr. & Cie. AG & Co. KGaA
Other board(s)
Nance K. Dicciani
Aviva PLC; London Stock Exchange Group PLC
New Board
LyondellBasell Industries
Andrew T. Feldstein
Profile
New Board
Former Division President/CEO, Honeywell International, Inc.
PNC Financial Services Group Inc. Profile
Other board(s)
Halliburton Co.; Praxair, Inc.
CEO/CIO, BlueMountain Capital Management LLC
Arnold W. Donald
Helena B. Foulkes
New Board
New Board
Bank of America Corp.
The Home Depot, Inc.
Profile
Profile
Former Chairman/CEO, Merisant Co. Other board(s)
Crown Holdings, Inc.; Carnival Corp.; Laclede Group; Carnival Plc; Oil-Dri Corp. of America
President, CVS Pharmacy, Inc. Greg C. Garland New Board
Amgen, Inc. Profile
Scott C. Donnelly
Chairman/President/CEO, Phillips 66
New Board
Other board(s)
Medtronic, Inc.
Phillips 66
Profile
CEO/Chairman/President, Textron, Inc.
Helene D. Gayle
Other board(s)
New Board
Textron, Inc.
The Coca-Cola Co. Profile
Francisco D’Souza
President/CEO, CARE USA
New Board
Other board(s)
General Electric Co.
Colgate-Palmolive Co.
Profile
CEO, Cognizant Technology Solutions Corp.
Thomas (Tom) H. Glocer
Other board(s)
Morgan Stanley
Cognizant Technology Solutions Corp.
Profile
James O. Ellis Jr.
Retired Chief Executive Officer, Thomson Reuters Corp.
New Board
Other board(s)
Dominion Resources, Inc.
Merck & Co., Inc.
Profile
New Board
Independent Chairman, Level 3 Communications, Inc.
Lynn J. Good*
Other board(s)
Duke Energy Corp.
Level 3 Communications, Inc.; Lockheed Martin Corp.
Profile
New Board
Vice Chairman/President/CEO, Duke Energy Corp. Other board(s)
Hubbell, Inc.
William (Bill) D. Green
Benjamin P. Jenkins III
New Board
New Board
EMC Corp.
Capital One Financial Corp.
Profile
Profile
Former Chairman/CEO, Accenture
Former Vice Chairman, Wachovia Corp.
Other board(s)
McGraw Hill Financial, Inc.
William (Jerry) G. Jurgensen New Board
Jose C. Grubisich
American International Group, Inc.
New Board
Profile
Halliburton Co. Profile
Former CEO/Chairman, Nationwide Financial Services, Inc.
CEO, Eldorado Brasil Celulose SA
Other board(s)
Other board(s)
Conagra Foods, Inc.
Vallourec SA
Debra J. Kelly-Ennis
Carlos M. Gutierrez New Boards Time Warner, Inc. and MetLife, Inc.
New Board
Profile
President/CEO, Kellogg Canada, Inc.
Former Division Manager, General Motors Co.
Other board(s)
Other board(s)
Occidental Petroleum Corp. James P. Hackett
Altria Group, Inc. Profile
Hertz Global Holdings, Inc.; Carnival Corp.; PulteGroup, Inc.
New Board
Muhtar Kent
Ford Motor Co.
New Board
Profile
3M Co.
Independent Chairman, Fifth Third Bancorp
Profile
Other board(s)
Chairman/President/CEO, The Coca-Cola Co.
Steelcase, Inc.; Fifth Third Bancorp
Other board(s)
Kirk S. Hachigian
The Coca-Cola Co.
New Board
William E. Kennard
NextEra Energy, Inc.
New Board
Profile
MetLife, Inc.
Former Chairman/President/CEO, Cooper Industries PLC
Profile
Other board(s)
Allegion PLC; Paccar, Inc.
Former Chairman/General Counsel, Federal Communications Commission (FCC) Other board(s)
Duncan P. Hennes New Board
Duke Energy Corp.
Citigroup, Inc.
Ronald (Ron) Kirk
Profile
New Board
Co-Founder/Partner, Atrevida Partners, LLC
Profile
John T. Herron
Texas Instruments, Inc. Former US Trade Representative
New Board
William (Bill) R. Klesse
Duke Energy Corp.
New Board
Profile
Occidental Petroleum Corp.
Former CEO/President/Chairman, System Energy Resources, Inc.
Profile
Chairman/CEO, Valero Energy Corp. Other board(s)
Valero Energy Corp.
Brian M. Krzanich*
Mike McCallister
New Board
New Board
Intel Corp.
AT&T, Inc.
Profile
Profile
CEO, Intel Corp.
Chairman/CEO, Humana, Inc.
Alan G. Lafley* New Board
Other board(s)
Zoetis, Inc.; Humana, Inc.; Fifth Third Bancorp
Procter & Gamble Co. Profile
Mark. B. McClellan
Chairman/CEO, Procter & Gamble Co.
New Board
Other board(s)
Johnson & Johnson
General Electric Co.
Profile
Profile
Former Commissioner, US Food and Drug Administration (FDA); Former Administrator, Centers for Medicare & Medicaid Services, US Department of Health and Human Services
Former Chairman/CEO, Areva SA
Other board(s)
Anne Lauvergeon New Board
American Express Co.
Other board(s)
AVIV Reit, Inc.
Vodafone Group PLC; Total SA; Airbus Group NV
Peter J. McDonnell New Board
John C. Lechleiter
Allergan, Inc.
New Board
Profile
Ford Motor Co. Profile
Chairman/President/CEO, Eli Lilly & Co. Other board(s)
Director/Professor, Wilmer Eye Institute, Johns Hopkins University School of Medicine
Eli Lilly & Co.; Nike, Inc.
Beth E. Mooney
Dawn G. Lepore
AT&T, Inc.
New Board
Profile
New Board
The TJX Companies, Inc.
Chairman/CEO, KeyCorp
Profile
Other board(s)
Former Chairman/CEO/President, Drugstore.com, Inc.
KeyCorp
Other board(s)
Michael (Mike) G. Mullen
Coupons.com, Inc.; RealNetworks, Inc.; AOL, Inc.
General Motors Co.
New Board Profile
New Board
Retired US Navy Admiral; Former Chairman, Joint Chiefs of Staff
AbbVie, Inc.
Other board(s)
Edward (Ed) M. Liddy
Profile
Discovery Air, Inc.; Sprint Corp.
Former Chairman/CEO, American International Group, Inc.
Shantanu Narayen
Other board(s)
New Board
Abbott Laboratories; Boeing Co.; 3M Co.
Pfizer, Inc. Profile
New Board
President /CEO/Director, Adobe Systems, Inc.
Procter & Gamble Co.
Other board(s)
Terry Lundgren
Profile
President/CEO, Macy’s, Inc. Other board(s)
Macy’s, Inc.; Kraft Foods Group, Inc.
Adobe Systems, Inc.; Dell, Inc.
Jacques A. Nasser
Clark T. Randt
New Board
New Board
Twenty-First Century Fox, Inc.
QUALCOMM, Inc.
Profile
Profile
Chairman, BHP Billiton Ltd.
Former US Ambassador to China
Other board(s)
Other board(s)
BHP Billiton Ltd.
United Parcel Service, Inc.; Valmont Industries, Inc.
Lionel L. Nowell III New Board
Edward (Ed) J. Rapp
Bank of America Corp.
New Board
Profile
AbbVie, Inc.
Former Senior Vice President/Treasurer, PepsiCo, Inc.
Profile
Other board(s)
Group President/Former CFO, Caterpillar, Inc.
Reynolds American, Inc.; American Electric Power Co., Inc.
Gary M. Reiner New Board
Raymond E. Ozzie
Citigroup, Inc.
New Board
Profile
Hewlett-Packard Co.
Operating Partner, General Atlantic LLC; Former Chief Information Officer, General Electric Co.
Profile
CEO/Founder, Talko, Inc.
Other board(s)
D. C. Paliwal New Board
Hewlett-Packard Co.
Bristol-Myers Squibb Co.
Howard V. Richardson
Profile
New Board
Chairman/President/CEO, Harman International Industries, Inc.
Wells Fargo & Co. Profile
Other board(s)
Former Partner, PricewaterhouseCoopers LLP
Harman International Industries, Inc.; ADT Corp.
Roy S. Roberts
Samuel J. Palmisano
New Board
New Board
AbbVie, Inc.
American Express Co.
Profile
Profile
Former Group Vice President, General Motors Co.
Former Chairman/President/CEO, International Business Machines Corp. Other board(s)
James E. Rohr
Exxon Mobil Corp.
New Board
Timothy (Tim) D. Proctor
Profile
New Board
Allergan, Inc.
Chairman/CEO, PNC Financial Services Group Inc.
Profile
Other board(s)
Former General Counsel, Diageo PLC James H. Quigley New Board
Wells Fargo & Co. Profile
Retired CEO, Deloitte Touche Tohmatsu Limited Other board(s)
Hess Corp.; Merrimack Pharmaceuticals, Inc.
General Electric Co.
Marathon Petroleum Corp.; EQT Corp.; Allegheny Technologies; Blackrock, Inc.; PNC Financial Services Group Inc.
Clayton S. Rose
James A. Skinner
New Board
New Board
Bank of America Corp.
Hewlett-Packard Co.
Profile
Profile
Professor, Management Practice, Harvard Business School
Independent Chairman, Walgreen Co.
Other board(s)
Walgreen Co.; Illinois Tool Works, Inc.
Other board(s)
XL Group PLC Theresa M. Stone Thomas E. Rothman
New Board
New Board
American International Group, Inc.
priceline.com, Inc.
Profile
Profile
Former Vice Chairman, Federal Reserve Bank of Richmond
Former Co-Chairman/Co-CEO, Fox Filmed Entertainment, Inc.
Jackson P. Tai Pamela (Pam) J. Royal
New Board
New Board
Eli Lilly & Co.
Dominion Resources, Inc.
Profile
Profile
Chairman, OSIM Brookstone Holdings LP
Dermatologist/President/Owner, Royal Dermatology and Aesthetic Skin Care, Inc.
Other board(s)
Jonathan J. Rubinstein
Singapore Airlines Ltd.; Koninklijke NV; Bank of China; MasterCard International, Inc.
New Board
QUALCOMM, Inc.
Ratan N. Tata
Profile
New Board
Retired Chairman/President/CEO, Palm, Inc.
Mondelez International, Inc.
Other board(s)
Chairman, Tata Industries Ltd.
Amazon.com, Inc.
Other board(s)
Marschall S. Runge
Profile
Alcoa, Inc.
New Board
Cynthia B. Taylor
Eli Lilly & Co.
New Board
Profile
AT&T, Inc.
Dean, University of North Carolina, Chapel Hill
Profile
Mary L. Schapiro
Other board(s)
New Board
General Electric Co.
President/CEO, Oil States International, Inc. Tidewater, Inc.; Oil States International, Inc.
Profile
Former Chairwoman, US Securities and Exchange Commission (SEC) Robert S. Silberman New Board
Twenty-First Century Fox, Inc.
William (Bill) R. Thomas* New Board
EOG Resources Profile
President/CEO, EOG Resources
Profile
Glenn F. Tilton
Chairman, Strayer Education, Inc.
New Board
Other board(s)
AbbVie, Inc.
Strayer Education, Inc.; Covanta Holding Corp.
Profile
Former Chairman/President/CEO, United Continental Holdings, Inc. Other board(s)
Phillips 66; Abbott Laboratories
James (Jim) S. Turley
William C. Weldon
New Boards
New Boards
Citigroup, Inc.; Emerson Electric Co.
Exxon Mobil Corp.; CVS Caremark Corp.
Profile
Profile
Retired Chairman/CEO, Ernst & Young Global Ltd.
Former Chairman/CEO, Johnson & Johnson
Other board(s)
Other board(s)
Intrexon Corp.
Chubb Corp.; JPMorgan Chase & Co.
Anthony (Tony) J. Vinciquerra
Catherine G. West
New Board
New Board
DirecTV
Capital One Financial Corp.
Profile
Profile
Former Chairman/President/CEO, Fox Networks Group
Former COO, Consumer Financial Protection Bureau
David A. Viniar
Rayford Wilkins Jr.
New Board
New Board
The Goldman Sachs Group, Inc.
Morgan Stanley
Profile
Profile
Former CFO/Executive Vice President, The Goldman Sachs Group, Inc.
Former President/CEO, Southwestern Bell Telephone Co.
Frederick (Rick) H. Waddell
New Board
AbbVie, Inc.
Profile
Chairman/CEO, Northern Trust Corp.
Other board(s)
Northern Trust Corp.
Pat Ward
New Board
E.I. DuPont de Nemours & Co.
Profile
Vice President/CFO, Cummins, Inc.
Greg D. Wasson
New Board
Verizon Communications, Inc.
Profile
President/CEO, Walgreen Co.
Other board(s)
Walgreen Co.
Robin L. Washington
New Board
Honeywell International, Inc.
Profile
Senior Vice President/CFO, Gilead Sciences, Inc.
Other board(s)
Salesforce.com, Inc.; MIPS Technologies, Inc.
Other board(s)
Valero Energy Corp.
Appendix C: The KFMC100 boards
Figure 13
Number of directors on the board. The median size for a KFMC100 board was 12 directors and 82% of boards had between 10 and 15 directors.
6% 16 to 18 directors
12% 7 to 9 directors
24% 13 to 15 directors
58% 10 to 12 directors
Figure 14
Board independence. In the KFMC100, 90% of boards had one or two executive directors. The rest were independent directors.
3% 4 to 5 executive directors
7% 3 executive directors
22% 2 executive directors
68% 1 executive director
Figure 15
Who is chairman of the board? The company CEO chaired the board of directors at 66 of the KFMC100 companies in 2013. An additional 18 had chairmen or executive chairmen leading the board, 14 of whom were the former CEO of the company.
16% Non-executive chairman
66% CEO is also chairman of the board
18% Chairman or executive chairman
Figure 16
Compensation and retainers for directors. The median total compensation for KFMC100 directors rose slightly to $288,000 according to figures reported in company proxy statements, and the median cash retainer was $100,000, up from $85,000 the previous year. Two companies stated that they offered no cash retainer to directors.
Cash Retainers
6% >$150,000
7% $125,001 to $150,000
15% $100,001 to $125,000
41% $75,001 to $100,000
16% $50,001 to $75,000
11% $25,001 to $50,000
2% $1 to $25,000
2% $0
Figure 17
Frequency of board meetings. Half of the KFMC100 boards met eight or more times in 2013, and the average number of meetings was 8.2.
9% 13 to 19 meetings
12% 0 to 5 meetings
17% 10 to 12 meetings
38% 6 to 7 meetings
24% 8 to 9 meetings
Figure 18
Global business experience on KFMC100 boards. Although 88% of KFMC100 boards included at least one director who had held a significant work assignment outside the United States, only 28% had members with experience in Brazil, Russia, India, or China. About 9% of directors joining boards in 2013 were born, educated, or worked in one of those markets.
88% One or more directors with work experience anywhere outside the US
28% One or more directors with work experience specifically in BRIC countries
Figure 19
Gender balance on KFMC100 boards. Only 21% of all KFMC100 board seats were held by women, and 95% of those were independent directorships.
21% Female
79% Male
Figure 20
Distribution of female directors among KFMC100 boards. There was at least one woman on every board in the KFMC100; as recently as 2011, there were four companies with all-male boards. The average number of women on a KFMC100 board was 2.5.
Number of female directors
1: 13 companies
2: 42 companies
3: 26 companies
4: 15 companies
5: 4 companies
Figure 21
Age of KFMC100 directors. Excluding CEOs, there were 1,108 individual directors in the KFMC100, half of whom were between the ages of 60 and 69. The median age was 65. Compared with the previous year, there were slightly fewer directors under age 50, and a few more over age 75.
5% 75 and over
3% 49 or younger
7% 50 to 54
18% 55 to 59
21% 60 to 64
29% 65 to 69
17% 70 to 74
Figure 22
KFMC100 retirement age policies. There was an established retirement age for directors at 79 of the KFMC100, with an average mandatory retirement age of 72. The policies seemed to make little difference: 19 companies made exceptions in 2013, and companies with no stated age limit had an average age that was only slightly higher. The average age of a departing director was 68.
Retirement policy: Companies; Exceptions; Average director age
Mandatory retirement age: 46; 9; 63.1
Policy explicitly allows exceptions: 33; 10; 63
No retirement age policy: 21; --; 63.3
Figure 23
Duration of directorships. Directors in the KFMC100 tend to serve a long time on boards. Among the 73 directors who left or retired in 2013, the average tenure was 10 years. The current average tenure is 7.9 years, and 26% of directors have been in their seats a decade or longer.
Board seats held for
12 years or more: 16%
9 years or more: 27%
6 years or more: 45%
3 years or more: 66%
Figure 24
Individual director review policy. Board renewal and improvement were sometimes approached by a vigorous annual review of each individual director. In their 2013 proxy statement, 44 KFMC100 companies indicated that individual reviews were their policy.
56% Boards with no stated individual review policy
44% Boards that perform individual reviews of directors
About Korn Ferry’s Board & CEO Services Practice
Korn Ferry has recruited CEOs and board directors for more than 40 years. Our dedicated Board & CEO Services practice is committed to improving governance practices worldwide. Our approach includes Board Director and CEO Search and Selection, CEO Succession Planning and Assessment, Board Effectiveness, and Director/Executive Compensation Consulting. Visit www.kornferry.com/BoardCEOServices for more information.
Key contacts: Joe Griesedieck Vice Chairman and Co-Leader, Board & CEO Services joe.griesedieck@kornferry.com +1 415.288.5367
Nels Olson Vice Chairman and Co-Leader, Board & CEO Services nels.olson@kornferry.com +1 202.955.0926
Dennis Carey Vice Chairman dennis.carey@kornferry.com +1 215.656.5348
Robert Hallagan Vice Chairman robert.hallagan@kornferry.com +1 617.790.5790
Stephen Mader Vice Chairman steve.mader@kornferry.com +1 617.790.5700
Jane Stevenson Vice Chairman & Global Leader for CEO Succession jane.stevenson@kornferry.com +1 404.577.7542
© 2014 The Korn Ferry Institute