The Answer Will Depend On:
• Size and type of company; industry
• Whether company is public or private
• Who are the majority owners, shareholders, investors
• Items in the news
• What outside consultants, seminars, trainings are focused on
• Individual Board Members and their backgrounds
• What they consider high risk items
• What other boards they sit on

ADVISING THE BOARD

How Can You Calm Your Board’s Fears?
• Identify and discuss risks and threats before issues arise
• Use the Enterprise Risk process
• Review risk policies and processes and audit plans with the Board (at least once per year)
• Demonstrate to the Board that company has strong control environment
• Give Board regular updates on risk process and issues (i.e. hotline calls, internal investigations)

How Can You Calm Your Board’s Fears? (cont.)
• Walk through how management would propose to handle a “crisis” (i.e. cyberattack, FCPA investigation, black swan event) and get Board to buy-in
• Determine if specialized Board committees are necessary for specific risks

Advising the Board
• Principles of board oversight (general obligation to protect corporate assets)
• Directors entitled to rely on management and outside experts
• Business judgment rule applies

Advising the Board: Investigations
• How should management keep Board updated on investigations?
• What investigations should be performed under direction of management and which by the Board or Audit Committee?
• Remember, there are often competing interests:
  • Board members
  • Senior management
  • Potential whistleblowers

CYBERSECURITY

Cybersecurity Threats

Data Breaches
• 45% of senior executives say their companies experience cyber attacks hourly or daily
• In 2014, over one billion accounts were compromised
• In 2014, the global average cost of each data breach was $3.5 million USD, up 15% in 2013
*Source: Thomson Reuters

Cybersecurity Threat
• “Hacktivism”
• Foreign Governments
• Proprietary Data – APT
• Attacks on critical infrastructure—SCADA, DCS, PLC
• The Pentagon, Department of Homeland Security, NSA-cyber war exercise
• Insider Threats

Standards
• No single standard for private-sector cybersecurity
• NIST framework
• Dept of Justice, SEC, FTC, FCC
• States differ - 49 different state laws
• DOJ - Computer Crimes & Intellectual Property Section – Best Practices
• SEC - policing cybersecurity preparedness
• SEC comments
• Energy Sector Guidelines

Civil and Criminal Remedies
• Computer Fraud and Abuse Act
  • Access without authorization
• Wiretap Act
  • Prohibits interception of electronic communication
• Stored Communications Act
  • Prohibits access of a facility through which electronic communications are provided
• State trade secret laws
• RICO
• State computer crime laws

Personally Identifiable Information
• Privacy Laws
• 49 states have data security breach laws
• Comprehensive privacy laws in many countries, including EU Data Privacy laws and China State Secret Laws
• Requirements to notify affected individuals
• Attorney General
• Consumer reporting agencies

Insurance
• Third party claims
  • Banks, consumers, counter-parties
• Business interruption
• Crisis management
• Implementation of response
• Cyber extortion

COMPLIANCE

Global Anti-Corruption Laws
• The U.S. Foreign Corrupt Practices Act (FCPA)
  • Prohibits giving anything of value (or promises to do so) to foreign officials to obtain or retain business (DOJ)
  • Requires issuers of U.S. securities to make and keep accurate books and records and to maintain adequate internal accounting controls; prohibits knowingly falsifying books and records or knowingly failing to implement internal controls (SEC)
• Other anti-corruption statutes in the UK, China and other major countries

Enforcement Environment
• Enforcement trends
• Companies even more accountable for conduct of foreign subsidiaries/JV partners
• More violations on the accounting controls/books and records violations side
• More DOJ talk about going after individuals
• Adequate vs. inadequate compliance programs

Criminal Prosecution of Individuals
“If you want full cooperation credit, make your extensive efforts to secure evidence of individual culpability the first thing you talk about when you walk in the door to make your presentation”
“Even the identification of culpable individuals is not true cooperation if the company fails to locate and provide facts and evidence that implicate those individuals”
- Speech by Principal Deputy Assistant Attorney General, September 2014

Criminal Prosecution of Individuals (cont.)
• PetroTiger - June 2015
  • General Counsel and Co-CEO pled guilty
• Hyperdynamics – May 2015
  • DOJ declined prosecution because company cooperated
• Alstom – December 2014
  • $772 million criminal penalty
  • Failed to provide “thorough cooperation”

International Trade Compliance
• OFAC/Sanctioned Country Issues
  • Russia – September 2014
    • Applicability to certain projects uncertain
    • How to comply?
  • Iran
    • Nuclear technology accord reached
    • What if the market opens?
  • Cuba
• Import Control Issues/C-TPAT Issues/Border Control

BLACK SWAN EVENTS

Black Swan Events
• What is a Black Swan Event? An event that comes as a surprise, has a major effect, and is often inappropriately rationalized after the fact with the benefit of hindsight
• Examples
  • Macondo
  • 9/11
  • Sub-prime mortgage crisis
  • Decline in oil prices

Black Swan Events (cont.)
• What can be done to control the chaos during events?
• What can be done to keep them from being enterprise threatening/destroying events?

What Keeps Your Board Up At Night?
August 6, 2015
ACC Chapter Meeting CLE
The Woodlands
MICHAEL FARNELL, Chief Legal Officer, Nexeo Solutions LLC
RACHEL EHLERS, Director of Compliance, Nexeo Solutions LLC
SEAN GORMAN, Partner, Bracewell & Giuliani, LLP