Korn Ferry Market Cap 100 - 2014 · KORN FERRY MARKET CAP 100 1 Introduction Cybercrime comes with a staggering price tag: an estimated .4% to 1.4% of global GDP. The cost to the

About Korn Ferry

At Korn Ferry, we design, build, attract

and ignite talent. Since our inception,

clients have trusted us to help recruit

world-class leadership. Today, we

are a single source for leadership and

talent consulting services to empower

businesses and leaders to reach their

goals. Our solutions range from executive

recruitment and leadership development

programs, to enterprise learning,

succession planning and recruitment

process outsourcing (RPO).

Visit www.kornferry.com for more

information on our services, and

www.kornferryinstitute.com for

more articles, research and insights.

2014 KFMC

KO

RN

FE

RR

Y

KF

MC

100

20

14

The Korn Ferry Market Cap 100 2014

KORN FERRY MARKET CAP 100

Contents

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Translating cyber-risks into business terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Asking the right questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Managing cybersecurity risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

The bigger context and the bigger threat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Appendix A: The KFMC100 companies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Appendix B: The KFMC100 Class of 2013 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Appendix C: The KFMC100 boards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

1

4

8

12

16

20

24

30

42

1KORN FERRY MARKET CAP 100

Introduction

Cybercrime comes with a staggering price tag: an estimated .4% to 1.4%

of global GDP. The cost to the US economy alone could be as high as

$100 billion annually, according to a 2013 report by the Center for Strategic

and International Studies, a Washington, DC-based public policy research

institution.

High-profile companies—as well as those that don’t

make the headlines—routinely fall prey to cybercrime of

one variety or another: data theft, financial fraud, denial-

of-service attacks, corporate espionage. The losses are

not simply financial, but also of intellectual property,

equipment, consumer trust, reputation, and growth.

Boards are taking notice. Cybersecurity increasingly

is viewed as part of the array of risks boards are

charged with overseeing—and not something that

can be outsourced. According to a recent article in

The Wall Street Journal: “After a series of high-profile

data breaches and warnings, corporate boards are waking to cyber-threats,

grappling with security issues they once relegated to technology experts.”

But awareness doesn’t always translate into practical ways of addressing

the problem. How can boards fulfill their fiduciary duties and ensure their

companies are adequately prepared to deal with inevitable breaches?

In this year’s KFMC100 we focus on the questions that are of critical concern

to boards tackling cybersecurity: What information must directors review?

How can they ensure they are making informed decisions? What people and

expertise do they need in what roles? And how should they aim to improve

oversight going forward?

Complete protection is a lofty but unrealistic goal when it comes to

cybersecurity. Given the sheer number and types of incidents, and how

they are continually morphing, the odds of avoiding an attack are slim.

Preparedness and managing business consequences are realistic goals,

Cybersecurity

increasingly is

viewed as part

of the array of

risks boards are

charged with

overseeing—and

not something

that can be

outsourced.

2

however. In our report we suggest specific steps boards and management

can take—in advance of an attack—to ensure speedy detection, diagnosis,

response, and recovery in the event of a breach. These precautions can serve

to minimize damage and avert potential catastrophe.

At many companies, the line of sight that directors require to effectively assess

and deal with the issue remains obscured by barriers both structural and

informational. One way to surmount these barriers is to recruit a cybersecurity

expert to the board, a step those we interviewed had varying opinions on.

Our research shows that among the 98 directors

added to KFMC100 boards in 2013, only 3% had

specific security experience. But risk management

experience climbed from 5% of new directors in

2012 to 21% in 2013, and compliance experience

also rose, from 12% to 24% of new directors. Clearly

boards have their eye on risks. Recruiting some

variety of cybersecurity expert to the board may be

a necessity for some companies. But, depending on specific circumstances at

individual companies, there also are ways to properly manage the exposure

of networks and security without adding that expertise. We discuss a range

of options boards can employ to ensure they are covered.

We also address the broader concerns companies have about building a

more cybersecure world. The process of addressing cyberthreats may start

at the individual company level, but more effective, permanent solutions lie

in partnerships and initiatives taken with other companies and cooperation

with the public sector. The need to safeguard confidential corporate

information, customer data, and intellectual property is significant. But at

their worst, cyberattacks are not just threats to corporations but to the entire

global infrastructure, affecting a wide span of systems, from water to power,

transportation, communications, and others.

We would like to thank a number of individuals for their time and insights,

which added immeasurably to this report.

First, our external experts, who provided a range of views that helped

crystallize the issues and define steps forward for boards:

Melissa Hathaway — a private sector cybersecurity expert known for her

work as the director of the Joint Interagency Cyber Task Force within

the US Office of the Director of National Intelligence from 2007 to 2009.

The odds of

avoiding an attack

are slim. But

preparedness and

managing business

consequences are

realistic goals.


John Hinshaw — the executive vice president of technology and

operations for Hewlett-Packard and former chief information officer

(CIO) at Verizon Wireless and Boeing. He recently joined the board of

BNY Mellon.

Dr. Ronald Sugar — the former chairman and CEO of Northrop Grumman

who currently serves on the boards of Air Lease, Chevron, Amgen, and

Apple.

Ambassador R. James Woolsey Jr. — a former director of Central

Intelligence, who chairs the board of the Foundation for Defense of

Democracies, and is a Venture Partner with Lux Capital Management.

He has served on numerous corporate and non-profit boards.

We would also like to thank our internal team of experts who contributed to

this report: Vice Chairmen Dennis Carey, Robert Hallagan, and Stephen Mader

of Korn Ferry’s Board & CEO Services Practice, as well as co-leaders of the

firm’s cybersecurity practice, Aileen Alexander and Jamey Cummings.

It is our hope that the insights captured in this report will arm directors with

the right questions as they grapple with this newer, far more insidious breed

of risk and provide them with some focus as they determine how best to

protect all their stakeholders.

4

Translating cyber-risksinto business terms.

“I have a hypothesis,” says Melissa Hathaway, private sector cybersecurity

expert and former cybersecurity “czar” under Presidents George W. Bush and

Barack Obama: “Until cybersecurity is reflected in balance sheet terms, it’s

never going to be fully embraced by the board.”

The key to a board’s successful oversight of cybersecurity, observes Hathaway,

is identifying it as risk, albeit in a new guise, and managing it with the same

diligence and processes applied to other risks. That will help to ensure

cybersecurity remains visible on directors’ dashboards and that key metrics

will be used to measure how well the job is being done.

Cybersecurity is a major concern at companies of all sizes and has a

measureable impact on many facets of operations, and certainly profitability.

Yet the scale of that impact is often obscured or lost in translation. Unless

directors can cut through the technical jargon in what are often massive

amounts of information they receive, the size of the risk and the steps to

mitigate it may not be clear. Instead, Hathaway says, the risks need to be

translated into a language most directors know well: dollars and cents.

Companies have for years turned to IT to lower

manpower costs and increase productivity to

add to the bottom line. But—and this is a big

but, Hathaway warns—as companies leverage

this “IT dividend,” more open and available

access to networks presents a far greater risk

of service disruption, unprecedented crimes

against the infrastructure, IP theft, and more.

It’s a chilling prospect, especially when one

considers how our essential services, from the power grid to the banking

system to air traffic control, are all dependent on a functioning Internet.

Capturing this increased risk, and potential attendant costs, is crucial. As

companies reduce operations costs through technology, they should factor

As companies reduce

operations costs through

technology, they

should factor into the

equation—in both capital

and operational terms—

the toll of inevitable

breaches.


into the equation—in both capital

and operational terms—the toll

of inevitable breaches. “How do

you measure the cost of replacing

infrastructure? Or replacing millions

of credit cards? Most companies

are not reflecting this in balance

sheet terms, so costs are hidden,”

Hathaway says.

Tackling cybersecurity will also require some ingenuity. “We can’t solve the

problem with the same thinking that was used when we created the Internet,”

Hathaway observes. The US government-funded Internet was created with

the express and limited purpose of enabling direct communications between

the president and the military in the event of nuclear disaster.

“It was not designed to be the global backbone of e-commerce,” she contends.

“In 1990, the World Wide Web was created by an engineer working at CERN,

the particle physics laboratory in Geneva, Switzerland. That innovation was

quickly followed by the development of search engines designed to navigate

the web. From that point, governments were challenged to enable and ensure

ready availability of high-speed connectivity at a low price point so we could

all benefit from the information society. That challenge unfortunately did not

include a focus on security.”

The Internet grew exponentially more sophisticated and accessible over

those 25 years, but it now has to be retrofitted to build security into its

very infrastructure. “Currently, we all have two or three Internet-enabled

devices. By 2015 we’ll have an average of five or so, and by 2020 we’ll have

a minimum of 10,” Hathaway says. “If we haven’t addressed security issues,

cyber-risks will double by 2015 and continue to multiply. We’re running out

of time.”

As part of a plan to make their companies more cybersecure, boards should

be aware of all the unauthorized ways individuals or organizations can gain

access to their networks. Hathaway notes that “it might be a trusted employee

who comes to work with tainted technology,” a more common scenario now

given the popularity of bring-your-device-to-work policies. “Or it could be an

employee with more malevolent intentions using a thumb drive or a DVD to

steal critical information or poison the infrastructure,” she says.

6

Another burgeoning threat stems from employees’ use of their own devices

over free Wi-Fi networks that lack a secure connection. “It’s easy for someone

to get sensitive information and gain access to the enterprise by deploying a

technology in the proximity of a network or database,” she explains. Perhaps

an even more troublesome threat, according to Hathaway, is infiltration that

might happen somewhere in the global supply chain. Mechanisms are needed

to protect against malicious modification or substitution of technology

anywhere along the IT product life cycle: design, manufacturing, integration,

distribution, operation, maintenance, and retirement. Hackers also can gain

access via the digital links used by third parties—suppliers, contractors, or

consultants—a security gap that may be overlooked.

“This strain is particularly insidious because it is difficult to determine if

illicit activity is taking place in the infrastructure. We’re facing a dangerous

combination of known and unknown vulnerabilities—strong adversary

capabilities and weak situational awareness—across those different attack

vectors,” Hathaway says.

As both a cybersecurity consultant and corporate director, she sees some

possible solutions but is also realistic about the challenges of taming the

cybersecurity risk. Looking through her director’s lens, she says, boards

should be regularly asking:

Is cyber-risk accounted for in our overall corporate planning process? The

board needs to be assured that cyber-risk is an element of a broader risk

framework and that exposures are recognized and being planned for. “For

most companies, this is not the case,” Hathaway observes. “Cyber-risk is not

viewed alongside other risks in the planning process.”

What is the process for evaluating security and measuring liabilities? Boards

should know not only what controls are in place, but how they are evaluated.

Is the company following best practices for its security? If so, what is the

source? “Boards should also know whether there is a third-party audit and

how often there are breaches and their costs,” she says. “All of this will vary by

company and industry, but you’ve got to measure the cost and make sure it’s

reflected on the balance sheet like other liabilities.”

Do we have directors with relevant expertise? Although there is a difference

of opinion on whether boards require general technology expertise—let alone

specific security expertise—Hathaway believes it’s important to have one or


more directors who understand IT and its associated risks, or have a security

background. “It’s an important risk area that must be managed by someone

with qualifications. And it needs to be integrated properly into the committee

process, whether on the audit, finance, governance, or risk committee, rather

than a general topic that is discussed in detail with the full board,” Hathaway

says.

Have we identified executive ownership of the issue? Hathaway believes

the CEO has ultimate accountability for cybersecurity. “The CEO should

have controls in place that indicate how cybersecurity is being managed and

the true costs to the business, which should be part of both an internal and

external audit,” she suggests.

What will we do in the event of a breach? If and when there is a problem, can

we deal with it quickly and minimize the damage? Do we have a process for

communicating effectively, internally and externally? How will we deal with

the costs?

Hathaway offers a few other cautionary observations, starting with attending

to the executive reporting structure. “Often the chief information security

officer (CISO) reports to the CIO, and decisions made this way could potentially

make the enterprise less secure,” she notes. “The CISO is responsible for

keeping the enterprise safe and the CIO is responsible for keeping the

enterprise running 24/7. An inherent conflict. It should be a shared decision in

the C-suite with the CEO assuming ultimate responsibility.”

Hathaway also warns that computer network security regulations are probably

coming down the pike; the SEC’s recent announcement of “no-notice audits”

of financial institutions is a signal of what boards should anticipate. “Will

the SEC provide general guidance or be prescriptive? Or will boards be in

a position to tell the SEC what they’re already doing? Certainly boards that

can demonstrate rigorous oversight of cybersecurity prior to any formal

regulations will be in a far stronger position,” she says.

8

Asking the right questions.

Boards should recognize that it is best governance practice—indeed, directors’

fiduciary duty—to anticipate digital attacks. Taking aggressive cybersecurity

steps, rather than merely battening down the hatches and waiting for

regulations to emerge, is the way to go. The challenge of cybersecurity can’t

be overstated.

That’s the view of Dr. Ronald Sugar, former CEO of Northrop Grumman,

who currently serves on the boards of Air Lease, Chevron, Amgen, and

Apple. He quotes former NSA Director General Keith Alexander, who called

cyberindustrial espionage—possibly the most serious digital threat to major

corporations—“the greatest transfer of wealth in history.”

Perhaps in part because he served as CEO of

a major defense contractor, Sugar has been

hyperaware of the need for greater cybersecurity

and the changing nature of the threats companies

face. The focus used to be on updating antivirus

software and building a protective firewall around

systems. But with increasingly complex networks

and mobile device access, there is no longer a

clear perimeter.

“We have to figure out other ways to deal with this,” he says. “The whole

concept of the Internet is that it is uncurated; it was created to connect, not

to protect. No one is in charge of it. There’s no magic bullet that will solve the

security problem, but it helps to have smart people in your company, advised

by other smart people on the outside, and to build layered defenses.”

As a defense industry leader, Sugar sounded the alarm early, in 2009, in an

open letter to President Obama: “These cyber attacks occur daily and are

increasing. The race to defend against them constitutes the most critical

military and economic imperative of this century. Yet this is a race we are


losing,” he wrote. In the letter, published in Aviation Week & Space Technology

magazine, he recommended actions government and industry should

consider to meet this challenge.

Five years on, he’s seen some gains. “There’s been enormous progress in the

area of awareness,” Sugar notes. “Unlike 2009, there is no one in corporate

America today in a serious position of responsibility who doesn’t know about

this threat. Everyone is talking about it—although some are doing more than

others.”

As Sugar sees it, that’s the challenge that remains: moving from knowing

about the threat to putting controls in place. “On boards I’m involved with,

I see management paying more attention

to cyber-risk now; they understand

the serious consequences to finances

and reputation. CEOs can be fired over

this. So it’s garnering more attention in

boardrooms across the country,” he says.

“The big challenge is that very few board

members have expertise in this area. What

should the board be asking management

so the board knows the company is

reasonably protected?”

Adopt the perspective of a hacker, Sugar suggests. Ask this question: If you

wanted to destroy the value of your company, what would you do? “The

board should regularly be addressing this topic with management: What are

the biggest threats we face and what are the potential consequences?” he

says. This is a dialogue the board should have with the CEO, Sugar contends,

not something you want only a report on from the CIO.

Boards also must scrutinize how the company invests in IT security. Is

it spending just enough to get by, or investing to get a reasonable level

of protection given the assumption that some risk will always remain?

Dashboards and charts may aid these discussions, but in the end, directors

fundamentally must decide if they are confident that management has a

comprehensive cybersecurity plan in place. “There may be a quantitative

basis to the discussion, but it really comes down to a gut feel the board has

concerning whether management knows what it’s doing,” Sugar says.

“The big challenge is

that very few board

members have expertise

in this area. What should

the board be asking

management so the board

knows the company is

reasonably protected?”

— Dr. Ronald Sugar

10

To reach that degree of confidence, boards should seek answers to the most

basic questions:

In the event of a breach, who is in charge internally and how is it communicated

externally? “The company’s brand is the trust people put in you,” Sugar says,

“and, for example, laying low on reporting credit cards that were stolen three

weeks ago is not a good strategy.”

Do we have the right team and resources dedicated to this? The CISO needs

to come before the board at least twice a year. But if his or her briefings are

unduly technical or complicated, that’s a red flag.

If that gut feeling is that the company is at risk and management isn’t taking

appropriate action, it is the board’s fiduciary duty to bring in an outside

consultant. But that should be a last-ditch option, Sugar says, because it’s

one that indicates a lack of confidence in

management—equivalent to bringing in outside

counsel rather than relying on the general

counsel.

In Sugar’s view, the board doesn’t necessarily

need a director with cybersecurity expert

credentials. Rather, the board requires directors

with a high level of awareness regarding the

issue. “You need broad expertise on the board,

but it is helpful to have one or two directors who are capable of understanding

the key issues related to cybersecurity,” Sugar notes. He or she doesn’t need

to be a certified expert, he explains, but should be someone who is capable

of grasping the issues, formulating questions for management, and willing

to serve on the committee responsible for risk. That’s the role Sugar says he

plays on several of his boards.

Another modus operandi that Sugar suggests is to periodically drop in—with

the CEO’s blessing—on the people who manage cybersecurity day to day to

“spend time with them in their native habitat and gain an understanding of

threats they’re dealing with.” It’s a more natural way of learning and absorbing

information, and far preferable to putting someone on the spot in a formal

board meeting. It’s in these less-formal conversations with someone like the

CIO or CISO that board members may identify risk-protection measures that

“You need broad

expertise on the board,

but it is helpful to have

one or two directors

who are capable of

understanding the

key issues related to

cybersecurity.”

— Dr. Ronald Sugar


are needed but not appropriately budgeted for. In that case, it’s the board’s

duty to bring the gap to the attention of the CEO, asking, “What if something

went bad and we hadn’t adequately funded security efforts?”

Most acutely, Sugar worries about the inevitability of a “cyber Pearl Harbor,”

an attack that would require a fast and coordinated response from the public

and private sectors. A chief concern is that US policies are generally reactive

rather than proactive. “The regulatory response to Enron was Sarbanes-Oxley;

the financial crisis led to Dodd-Frank. What will we as a nation immediately

do when there is a risk to our water or power or communication systems?

They are the only things that separate us from living in the Stone Age,” he

says.

In the boardroom, however, directors have to view risk management—

including the digital kind—as a balancing act. “Some people want to ensure

that companies never take big risks. But a company can’t be competitive

without innovation and calculated risk,” Sugar contends. “In the end, the

greatest risk is getting overwhelmed by the competition. That’s why you want

people with judgment on boards—because if you’re not willing to take some

risk, and you’re just doing what everyone else is doing, why should you be

entitled to a superior financial return?”

12

Managing cybersecurity risk.

As the executive vice president of technology and operations at Hewlett-

Packard, John Hinshaw oversees the company’s global information

technology group as well as key operations, including global sales operations,

procurement, real estate, and global business services. With this, comes

responsibility for HP’s cybersecurity.

Hinshaw knows that discussions on cybersecurity can quickly become a deep

technical debate with the potential to lose

relevance to the business impact. His years

as a CIO—previously at Boeing and Verizon—

plus his broad management experience give

him the ability to advise on security topics

at the board level, educate in nontechnical

terms on cybersecurity, and recommend

approaches for cybersecurity oversight.

Although the topic is new to many boards, it’s

familiar terrain to Hinshaw. In the late ’90s, he

was responsible for briefing Verizon’s board

on the Y2K threat. At that time there was no

framework for assessing risks to information

technology systems at the board level. Shortly thereafter came the Sarbanes-

Oxley Act, which addressed controls and risk in key systems and processes.

As the risks to IT systems and cyberthreats are now reality for all companies,

a framework focused on people, processes, and technology is the right

approach for boards to guide their discussions and make sure they are taking

a rigorous and systematic approach to cybersecurity.

People. “First, it’s essential to make sure the right people are in the right jobs,”

Hinshaw says. The team working on cybersecurity must fully understand

today’s array of risks and know how to stay abreast of new threats. They

have to build a network with other companies and educate employees about

As the risks to IT systems

and cyberthreats

are now reality for

all companies, a

framework focused on

people, processes, and

technology is the right

approach for boards to

guide their discussions

and make sure they are

taking a rigorous and

systematic approach to

cybersecurity.


safe computing practices. “Directors need

to be assured that they have the right chief

information security officer with the best

technical team to mitigate the cybersecurity

risk for the company,” he warns.

Processes. To ensure boards are addressing

a wide array of cybersecurity risks,

Hinshaw advises that directors review a

comprehensive list of computing risks and

understand the remediation and timeline

accordingly. “Some security risks focus on

compliance and have a standard associated

with them. Examples of compliance risks

are processing credit cards, resetting passwords, and establishing firewalls,”

he explains. The goal is to thoroughly grasp how the security issues could put

the company at risk. “You have to possess an in-depth understanding of the

company, the products and services offered, and where the risk points are,”

he asserts. For retailers, that is likely point-of-sale systems. For manufacturers,

it’s the factory and supply chain systems. For connected devices, it’s the

products themselves and the microcode that enables them. On top of that,

every company needs to protect employee and customer data, Hinshaw says.

Technology. There are some specific questions boards need to ask on a regular

basis, according to Hinshaw: “Do we have adequate firewalls and intrusion

prevention in place, and how often are the associated policies updated? Are

desktops and mobile devices fully secured to prevent attacks from malicious

websites and Trojan horses? How often do we educate employees on

cybersecurity risks and what to do if they think they’ve been breached? How

is company data encrypted and who has access to the encryption keys?”

One growing challenge, at HP as elsewhere, is the “bring your own device”

trend. With more than 160,000 such devices at HP, a great deal of coordination

is required for people to access what they need without compromising

corporate security. “Employees expect to connect to our global systems on

their smartphones and it’s key to business needs in many cases. We employ a

variety of technologies to protect corporate data,” Hinshaw says. “We have to

ensure employees’ personal use of the device doesn’t compromise corporate

security.”

14

The most crucial information in the company needs special safeguarding.

“The ‘keys to the kingdom’ should be locked down on their own separate

network, with a multilayered defense strategy, and accessible to as few people

as possible,” he advises.

Even with the right people, processes, and technology, every company

remains at risk and a frequent review by directors is vital to ensuring these

risks are understood and addressed with urgency.

As he explains his framework, Hinshaw says he realized early in his career that

security was going to be an important topic. “I took a computer security class

in college 25 years ago and heard about students hacking into the library so

they could check out more than one book at a time. Today major corporations

being hacked is an everyday event and as I meet with HP’s key customers,

security is always top of mind.”

16

The bigger contextand the bigger threat.

“You’ve got to think like a bad guy,” advises Ambassador R. James Woolsey

Jr., former director of Central Intelligence. Woolsey is waging an awareness

campaign about a potentially devastating cyberattack: one on the electrical

grid.

Even a major corporate breach seems like small potatoes compared with a

serious blow to the foundation on which we all depend for survival. “Anyone

who understates the problem doesn’t really

understand it,” says Woolsey, who now chairs

the board of the Foundation for Defense of

Democracies and is a venture partner with

Lux Capital Management.

The nation’s critical infrastructure—the systems that deliver water, power,

fuel, transportation, communications, and more—were developed largely

by happenstance over time and are fragile. They also are all dependent on

electricity. A power disruption of more than a few days could make companies

forget the inconvenience and expense of replacing customers’ credit cards or

reversing the corrosive effects of malware. “We would quickly move into a

world where people would not have access to water or food and wouldn’t be

able to communicate or gain access to resources,” Woolsey says. “Financial

assets would be useless because, let’s face it, what most of us own is not

anything tangible but rather a collection of ones and zeroes in a computer in

some bank somewhere.”

The “bad guy” mindset Woolsey adopts to fashion solutions to such a

potential catastrophe is something he learned from his father, who was a trial

lawyer. Preparing your opponent’s case is always the way to start, his dad told

him, “not only what he’s likely to do but anticipating the worst, nastiest thing

you can imagine. Prepare that case and figure out how to defeat it.”

The nastiest attack Woolsey imagines could come from cybercriminals,

terrorists, or hostile nations. As he asks himself what they might do, Woolsey

“Anyone who understates

the problem doesn’t

really understand it.”

— Amb. James Woolsey


returns to our dependence on the electrical grid and its vulnerability. “Our

enemies have the ability—if they hate us enough—to take down all or part of

the grid for a substantial period of time and cause greater devastation than

if they were to use nuclear weapons, which might destroy a vast area but not

undercut all of the infrastructure,” Woolsey warns.

The electrical grid is vulnerable to physical attacks but also to an electromagnetic

pulse, whether naturally occurring or intentionally created. The pulses that

cause the greatest concern are long wavelength pulses from the sun or a

nuclear source, he says. “They travel along long transmission lines and destroy

transformers at the heart of the grid,” Woolsey explains. “Those transformers

are tooled for specific applications and if you lose them you’re one to two

years away, at best, from fixing them.”

Certain solar events can cause these long wavelength pulses, but so can

detonation of a nuclear weapon in orbit perhaps only 50 miles above Earth,

Woolsey says.

Considering the sci-fi-like scenario of destruction and the relative ease of

such an attack, Woolsey is stunned by how little the federal government

and industry are doing to prevent such disasters. Russia, Israel, and China

are protecting their infrastructure against electromagnetic pulses, but not

the United States. To raise awareness and marshal support for his view, he

recently wrote an op-ed in The Wall Street Journal supporting the Secure

High-voltage Infrastructure for Electricity from Lethal Damage, or SHIELD

Act, and the Critical Infrastructure Protection Act.

So far the federal government has taken little action on grid vulnerability.

Utility companies have been similarly disinclined to action. “Who’s in

charge? No one, really. There are 50 public utility commissions, one for

each state, usually run by retired public utility executives,” he says. The lack

of incentive also has to do with utility companies’ shared infrastructure

dependence, meaning a whole grid could collapse because of one weak

spot anywhere along the line. “Each utility

says, if I fix these things and my neighbor

goes down he’s taking me with him so it’s

not worth the investment. Ain’t anybody in

charge? Why don’t we have a national energy

strategy? Because no one is in charge,”

Woolsey laments.

“Ain’t anybody in

charge? Why don’t we

have a national energy

strategy? Because no

one is in charge.”

— Amb. James Woolsey

18

There are simple, relatively inexpensive fixes, he

says. Surge arrestors, for example, which would

cost a few billion dollars to install as opposed to

the hundreds of billions it would cost to recover

from a serious incident. “That would mean

adding a few cents to the kilowatt hours on

people’s electric bills, that’s all,” he notes.

The core problem, as Woolsey frames it, is that

no one wants to contemplate an electrical grid-

induced Armageddon. But corporate boards,

whose duties include scoping unimagined risks,

can step into this leadership vacuum. His own

consulting firm, Energy Security Group, is pulling together public and private

partners to work for change, initially at the state level.

“To make this approach work and to gain the cooperation of individual

companies and various state governments, you need a mover and a shaker

or two. But I’ve been on 15 boards over the years, mostly in aerospace, and it

matters a lot whether you have a chairman and one or two key members who

are willing to step up and look at a crucial issue from a national perspective

rather than from a quarterly bottom-line perspective. Get the right people

together and you can get something done quickly.”

20

Conclusion

A recent cartoon in The New Yorker features a group of directors around

a boardroom table, with the chairman addressing them: “We may need to

rethink our strategy of hoping the Internet will just go away.”

Indeed, the Internet is not going away. For better and worse, it is the main

artery to a company’s heart: its employee data, operations systems, customer

account information, and more. With cyberthreats proliferating, and the

negative implications for stakeholders multiplying, security is an issue boards

must get a handle on. Security breaches have the potential to bring large

corporations to their knees, rapidly eroding hard-won reputation and market

share.

It’s become a tech cliché, but unfortunately it seems true: there are companies

that have been hacked, and those that just don’t know they’ve been hacked.

Even if your company hasn’t suffered a damaging breach, is that because of

effort or luck?

A few startling statistics from the Ponemon

Institute, which conducts independent research

on privacy, data protection, and information

security policy: The number of breached records

rose by 350% in 2013, with approximately half

of the US population’s personal information

exposed in a 12-month period. The average time

it took an organization to detect a breach was 32

days—a period during which a great deal of damage could have been done—

an increase of 55% from the prior year.

And the expense of dealing with security breaches? Ponemon’s 2014 Cost of

Data Breach Study: Global Analysis states that the average cost to a company

was $3.5 million, 15% higher than the previous year. Cleanup averaged $250

per data record, and $250,000 to clear up an infection. Most organizations

experience two successful breaches per week in which their core networks

or enterprise system is infiltrated, and all told, most companies will spend

With cyberthreats

proliferating, and the

negative implications

for stakeholders

multiplying, security

is an issue boards

must get a handle on.


at least $1 million on cleanup. And that doesn’t account for “cost” in terms

of lost intellectual property, competitive advantage, customer confidence,

potentially plummeting stock price, and job losses.

Fortunately there are concrete steps boards can take to protect their

companies from this new form of risk, which should be added to the broader

risk portfolio they oversee.

One expert we spoke with was Edward Guiliano, president of the New

York Institute of Technology, which provides intensive training for the next

generation of cybergatekeepers. Board members, he says, need ongoing

education on cybersecurity. They must personally understand where security

risks lie, in hardware as well as software, and ensure that there is proper

training throughout the organization.

“People are always the weakest link in cybersecurity,” Guiliano says. Raising the

average information technology IQ can go a long way toward “safeguarding

business plans, patents before they’re filed, employee data, and everything

else that may be easily accessible on the Internet,” or what he refers to as “our

global nervous system.”

At a minimum, boards should regularly address:

Security strategy. The board must ensure that the company has a strategic

vision and a tactical road map that proactively protect assets and keep pace

with escalating threats and evolving regulatory requirements.

Policy and budget review. Company security policies, and roles and

responsibilities of all relevant leadership, should be evaluated, along with data

security and privacy budgets to ensure they are adequately funded.

Security leadership. The board needs to confirm that the organization has

the credible leadership and talent to develop, communicate, and implement

an enterprise-wide plan to manage cyber-risk.

Incident response plan. The board should oversee the development of a

comprehensive incident response plan that is widely understood, rehearsed,

and stress tested.

Ongoing assessment. The board should periodically review a thorough

assessment of the organization’s information security capabilities, targeting

internal vulnerabilities and external threats.

22

Internal education. The board should ensure that the company implements

a strong communication and education program to create an environment in

which all employees embrace responsibility for cybersecurity.

These recommendations are a beginning, not an end. Boards that seek to

manage cyber-risk as well as they realistically can must distill these items

into specific goals and actions that can be counted, measured, and results

discussed with management.

The precise metrics will depend on the nature of the business and the likely

threats. Those we interviewed suggested some possibilities: If management

should be collaborating with external organizations, such as the government,

to share knowledge of threats and enhance mutual security, what are they

doing to further that objective? Whom are they partnering with? Similarly, if

the time to recognition of a security breach is unacceptably long, what is a

more appropriate target, and what action is management taking to achieve

that? Have we defined the categories of likely security breaches, determined

the response to each, and assigned executive ownership for each step in the

process? These are but a few examples of cyber-security topics on which

boards and management will need to engage.

Cyber threats abound, from vengeful acts by disgruntled employees, to data

theft by organized gangs of hackers, to foreign industrial espionage. Although

there may be no infallible prophylactic, board involvement and oversight can

keep a company vigilant and go a long way toward safeguarding its value and

reputation.

24

About the 2014 Korn Ferry Market Cap 100.

The Korn Ferry Market Cap 100 (KFMC100) are the US companies that had

the largest market capitalization as of the close of markets on May 1, 2014,

after the end of most firms’ 2013 fiscal year. Companies were removed from

the list if they were not traded primarily on the NYSE or Nasdaq, or were real

estate investment trusts or public investment firms.

Appendix A: The KFMC100 companies

Eight companies joined the ranks of the KFMC100 in the last year:

Twenty-First Century Fox, Inc. EOG Resources

Lockheed Martin Corp. Accenture

LyondellBasell Industries Thermo Fisher Scientific Inc.

Capital One Financial Corp. DirecTV

Market capitalization of the KFMC100 companies.

The KFMC100 companies had a median market capitalization of $74 billion

on May 1, 2014, after the close of most companies’ fiscal year. Of the 100

companies, 34 were valued at $100 billion or more. This was the first year

there were no KFMC100 companies valued at less than $40 billion.

Market Cap Companies

$40 billion – $59.99 billion 32





$200 billion and over 11

Figure 1


Industry sectors represented.

Technology and services were the two largest sectors again this year, and

together represented more than a third of the 2014 KFMC100 list.

Sector Companies

Basic materials 13

Conglomerates 3

Consumer goods 13

Financial 13

Health care 14

Industrial goods 6

Services 20

Technology 15

Utilities 3

The Korn Ferry Market Cap 100.

The KFMC100 companies ranked in order of market capitalization as of the

close of markets on May 1, 2014.

Rank CompanyMarket cap* Industry

1 Apple Inc. (NasdaqGS:AAPL)

$509.7 Computer hardware

2 Exxon Mobil Corp. (NYSE:XOM)

$439.0 Integrated oil and gas

3 Google Inc. (NasdaqGS:GOOG)

$356.5 Internet software and services

4 Microsoft Corp. (NasdaqGS:MSFT)

$330.2 Systems software

5 Johnson & Johnson (NYSE:JNJ)

$283.9 Pharmaceuticals

6 General Electric Co. (NYSE:GE)

$268.7 Industrial conglomerates

7 Wells Fargo & Co. (NYSE:WFC)

$260.5 Diversified banks

8 Wal-Mart Stores Inc. (NYSE:WMT)

$257.1 Hypermarkets and super centers

*on May 1, 2014 (in billions USD)

Figure 2

Figure 3

26


9 Chevron Corp. (NYSE:CVX)


10 Procter & Gamble Co. (NYSE:PG)

$223.3 Household products

11 JPMorgan Chase & Co. (NYSE:JPM)

$210.4 Financial services

12 Pfizer, Inc. (NYSE:PFE)


13 International Business Machines Corp. (NYSE:IBM)

$195.3 IT consulting and other services

14 Verizon Communications, Inc. (NYSE:VZ)

$195.0 Integrated telecommunication services

15 AT&T, Inc. (NYSE:T)

$184.8 Integrated telecommunication services

16 Oracle (NasdaqGS:ORCL)

$182.1 Systems software

17 The Coca-Cola Co. (NYSE:KO)

$178.7 Soft drinks

18 Merck & Co., Inc. (NYSE:MRK)


19 Bank of America Corp. (NYSE:BAC)


20 Facebook, Inc. (NasdaqGS:FB)

$155.1 Social media

21 Citigroup, Inc. (NYSE:C)


22 Amazon.com Inc. (NasdaqGS:AMZN)

$141.5 Internet retail

23 Walt Disney Co. (NYSE:DIS)

$139.2 Movies and entertainment

24 Philip Morris International, Inc. (NYSE:PM)

$135.9 Tobacco

25 Comcast Corp. (NasdaqGS:CMCSA)

$135.0 Cable and satellite

26 QUALCOMM, Inc. (NasdaqGS:QCOM)

$133.6 Communications equipment

27 Schlumberger Limited (NYSE:SLB)

$131.5 Oil and gas equipment and services

28 Intel Corp. (NasdaqGS:INTC)

$131.4 Semiconductors

29 Visa, Inc. (NYSE:V)

$130.5 Data processing and outsourced services

30 PepsiCo, Inc. (NYSE:PEP)

$129.5 Soft drinks

31 Gilead Sciences, Inc. (NasdaqGS:GILD)

$121.2 Biotechnology




32 Cisco Systems, Inc. (NasdaqGS:CSCO)

$118.3 Communications equipment

33 The Home Depot, Inc. (NYSE:HD)

$109.1 Home improvement retail

34 United Technologies (NYSE:UTX)

$107.0 Aerospace and defense

35 McDonald’s (NYSE:MCD)

$99.9 Restaurants

36 The Boeing Co. (NYSE:BA)


37 ConocoPhillips (NYSE:COP)


38 3M Co. (NYSE:MMM)

$92.0 Industrial conglomerate

39 American Express Co. (NYSE:AXP)

$91.6 Consumer finance

40 United Parcel Service, Inc. (NYSE:UPS)

$90.6 Air freight and logistics

41 MasterCard International Inc. (NYSE:MA)

$88.3 Data processing and outsourced services

42 CVS Caremark Corp. (NYSE:CVS)

$86.0 Drug retail

43 Union Pacific Corp. (NYSE:UNP)

$85.6 Railroads

44 Amgen Inc. (NasdaqGS:AMGN)

$85.2 Biotechnology

45 Bristol-Myers Squibb Co. (NYSE:BMY)


46 AbbVie, Inc. (NYSE:ABBV)


47 Altria Group, Inc. (NYSE:MO)

$79.5 Tobacco

48 American International Group, Inc. (NYSE:AIG)

$77.0 Multi-line insurance

49 Occidental Petroleum Corp. (NYSE:OXY)


50 UnitedHealth Group, Inc. (NYSE:UNH)

$74.6 Managed health care

51 The Goldman Sachs Group, Inc. (NYE:GS)

$74.3 Investment banking and brokerage

52 U.S. Bancorp (NYSE:USB)

$73.5 Diversified banks

53 Twenty-First Century Fox, Inc. (NASDAQ:FOXA)


54 Honeywell International, Inc. (NYSE:HON)



28


55 Biogen Idec Inc. (NasdaqGS:BIIB)

$68.0 Biotechnology

56 eBay Inc. (NasdaqGS:EBAY)

$67.1 Internet software and services

57 Walgreen Co. (NYSE:WAG)

$66.0 Drug retail

58 Caterpillar Inc. (NYSE:CAT)

$65.7 Construction and farm machinery and heavy trucks

59 Nike, Inc. (NYSE:NKE)

$64.0 Footwear and apparel

60 Eli Lilly & Co. (NYSE:LLY)


61 Ford Motor Co. (NYSE:F)

$62.7 Automobile manufacturing

62 Hewlett-Packard Co. (NYSE:HPQ)

$61.7 Computer hardware

63 Colgate-Palmolive Co. (NYSE:CL)


64 priceline.com, Inc. (NasdaqGS:PCLN)

$61.4 Internet retail

65 Morgan Stanley (NYSE:MS)

$61.3 Investment banking and brokerage

66 E.I. DuPont de Nemours & Co. (NYSE:DD)

$61.2 Diversified chemicals

67 Mondelez International, Inc. (NasdaqGS:MDLZ)

$60.5 Packaged foods

68 Celgene Corp. (NasdaqGS:CELG)

$60.4 Biotechnology

69 Time Warner, Inc. (NYSE:TWX)


70 Abbott Laboratories (NYSE:ABT)


71 Medtronic, Inc. (NYSE:MDT)

$59.3 Health care equipment

72 The Dow Chemical Co. (NYSE:DOW)

$58.0 Diversified chemicals

73 Monsanto Co. (NYSE:MON)

$57.7 Fertilizers and agricultural chemicals

74 MetLife, Inc. (NYSE:MET)

$57.7 Life and health insurance

75 General Motors Co. (NYSE:GM)

$55.9 Automobile manufacturers

76 Starbucks Corp. (NasdaqGS:SBUX)

$53.7 Restaurants

77 Halliburton Co. (NYSE:HAL)

$53.4 Oil and gas equipment and services




78 EOG Resources (NYSE:EOG)

$52.9 Oil, gas, and coal

79 Duke Energy Corp. (NYSE:DUK)

$52.7 Electric utilities and natural gas distribution

80 Lockheed Martin Corp. (NYSE:LMT)


81 EMC Corp. (NYSE:EMC)

$51.8 Computer storage and peripherals

82 Danaher (NYSE:DHR)

$51.6 Industrial machinery

83 Express Scripts Holding Co. (NasdaqGS:ESRX)

$51.4 Health care services

84 Costco Wholesale (NasdaqGS:COST)

$50.7 Hypermarkets and super centers

85 Accenture (NYSE:ACN)

$50.5 Business services

86 LyondellBasell Industries (NYSE:LYB)

$50.3 Chemicals

87 Allergan, Inc. (NYSE:AGN)

$50.2 Pharmaceuticals and medical devices

88 Anadarko Petroleum Corp. (NYSE:APC)

$49.9 Oil and gas exploration and production

89 Phillips 66 (NYSE:PSX)


90 Texas Instruments, Inc. (NYSE:TXN)

$49.1 Semiconductors

91 Emerson Electric Co. (NYSE:EMR)

$47.6 Electrical components and equipment

92 Lowe’s Companies, Inc. (NYSE:LOW)

$47.1 Home improvement retail

93 Thermo Fisher Scientific Inc. (NYSE:TMO)

$44.9 Medical equipment

94 PNC Financial Services Group Inc. (NYSE:PNC)

$44.5 Regional banks

95 NextEra Energy, Inc. (NYSE:NEE)

$43.5 Electric utilities and renewable energy

96 Capital One Financial Corp. $42.3 Financial services

97 Dominion Resources, Inc. (NYSE:D)

$42.2 Electric utilities and natural gas distribution

98 Kimberly-Clark Corp. (NYSE:KMB)


99 DirecTV $41.1 Cable and satellite

100 The TJX Companies, Inc. (NYSE:TJX)

$41.0 Apparel retail


30

Appendix B: The KFMC100 Class of 2013Turnover on KFMC100 boards remained low during the 2013 calendar year.

Thirty-nine companies in the KFMC100 added no new director at all during

the year.

The Class of 2013 comprised 105 total appointments, down from 113 in 2012.

With 1,208 total board seats available, that represents a turnover rate of just

8.7%.

Governance experience in the Class of 2013.

The large majority of KFMC100 boards added directors with previous board

experience with a public company—87%, compared with 73% the previous

year.

New directorships by governance experience (n=105)

First time directors 13%

Experienced directors 87%

CEO experience in the Class of 2013.

Even as companies restrict their CEOs’ availability for outside board service,

the large companies in the KFMC100 have continued to attract high levels of

current and retired CEOs to their boards: 56% in 2013, up from 41% in 2012.

Past or present CEO experience with a public company

Seats newly filled in 2013 56%

Incumbents’ seats 53%

Figure 4

Figure 5


Professional experience in the Class of 2013.

The KFMC100 covers a wide array of industries, and board makeup varies

accordingly. But two types of experience emerged as prominent in the Class

of 2013: finance/audit experience rose to 53% from 35% the previous year.

And marketing/sales was 38%, up from 17% in 2012. Technology also rose to

22% from 13%.

New directorships (n=105)

Same-industry experience 42%

Finance/Audit 53%

COO/Operations 30%

Public policy/Government 24%

Academic/Research 17%

Marketing/Sales 38%

Academic administration 7%

Nonprofit 6%

Technology 22%

Legal 11%

Age of Class of 2013 directors.

The median age of a director joining a board in 2013 was 59, six years

younger than the median age for all directors.

3% 49 or younger

20% 50 to 54

33% 55 to 59

25% 60 to 64

16% 65 to 69 3% 70 and over

Figure 6

Figure 7

32

Board service among the Class of 2013.

A majority of the 99 new non-executive directors were on only one or two

boards, but 14 served on four or more.

1

2

3

4

5

6

26 directors

36 directors

23 directors

9 directors

3 directors

2 directors

Number of boards served

Women in the Class of 2013.

Of the 105 total directors added to these boards in 2013, 22% were women,

a proportion nearly unchanged from the year before.

22% Female

78% Male

Figure 8

Figure 9


Minorities in the Class of 2013.

KFMC100 boards added twice as many new African American and Hispanic American directors in 2013 as they did in 2012. But the overall rates of diversity hardly changed on KFMC100 boards. Note that ethnicity information was not available for all of the directors.

Class of 2013 (n=80) Incumbents’ seats (n=966)

African American 13% 9%

Asian American 1% 1%

Hispanic American 6% 3%

Nationality of the Class of 2013.

The percentage of foreign director appointments to KFMC100 boards returned to 15%, after a rise to 21% in 2012.

American Non-American

Seats filled in 2013 85% 15%

Incumbents’ seats 86% 14%

Figure 10

Figure 11

Global experience of the Class of 2013.

Other indicators of global experience also dropped in 2013. International work experience among new appointees dropped to 28% from 36%. Only 17% of new appointees were born or educated abroad, down from 29% in the previous year.

International work experience

Seats filled in 2013 28%


Born and/or educated abroad

Seats filled in 2013 17%


Figure 12

34

Edward (Spencer) AbrahamNew BoardOccidental Petroleum Corp. ProfileIndependent Vice Chairman, Occidental Petroleum Corp.Other board(s)Two Harbors Investment Corp.; NRGEnergy, Inc.; PBF Energy, Inc.

Rodney C. AdkinsNew BoardUnited Parcel Service, Inc. ProfileSenior Vice President, Corporate Strategy, International Business Machines Corp.Other board(s)Pitney Bowes, Inc.

Robert J. AlpernNew BoardAbbVie, Inc. ProfileDean, Yale School of MedicineOther board(s)Abbott Laboratories

Shellye L. ArchambeauNew BoardVerizon Communications, Inc. ProfileChief Executive Officer, MetricStream, Inc.Other board(s)Arbitron, Inc.

Jaime ArdilaNew BoardAccenture ProfileExecutive VP/Regional President South America, General Motors Co.

Timothy ArmstrongNew Boardpriceline.com, Inc.ProfileChairman/CEO, AOL, Inc.Other board(s)AOL, Inc.

Delphine Arnault-GanciaNew BoardTwenty-First Century Fox, Inc.ProfileDirector, Louis Vuitton SAOther board(s)Havas SA; Christian Dior SA; M6-MetropoleTelevision SA; Louis Vuitton SA

Roxanne S. AustinNew BoardAbbVie, Inc. ProfileFormer President/CEO, Move Networks, Inc.Other board(s)Ericsson; Teledyne Technologies, Inc.; Abbott Laboratories

Linda B. BammannNew BoardJPMorgan Chase & Co. ProfileDeputy Head, Risk Management, JPMorgan Chase & Co.

Ajaypal (Ajay) S. BangaNew BoardThe Dow Chemical Co. ProfilePresident/CEO, MasterCard International, Inc.Other board(s)MasterCard International, Inc.

Eugene (Gene) L. BatchelderNew BoardOccidental Petroleum Corp. ProfileFormer Senior VP/CAO, ConocoPhillips

Richardson BennettNew BoardHewlett-Packard Co.ProfilePrincipal, First Western Financial, Inc.Other board(s)Liberty Media Corp.; Discovery Communications Inc.; Sprint Corp.

Members of the Class of 2013The following list includes all directors who joined one or more KFMC100

board in 2013. New directors who are also CEO of that company are

marked with an asterisk (*).


Mark A. BlinnNew BoardTexas Instruments, Inc. ProfilePresident/CEO, Flowserve Corp.Other board(s)Flowserve Corp.

Ana BotinNew BoardThe Coca-Cola Co.ProfileCEO/Executive Director, Santander UK plcOther board(s)Banco Santander SA; Santander Investment SA

Gregory (Greg) H. BoyceNew BoardMonsanto Co. ProfileChairman, Peabody Energy Corp.Other board(s)Peabody Energy Corp.; Marathon Oil Corp.

Angela F. BralyNew BoardLowe’s Companies, Inc. ProfileFormer Chairwoman/President/CEO, WellPoint, Inc.Other board(s)Procter & Gamble Co.

Gregory Q. BrownNew BoardCisco Systems, Inc. ProfileChairman/President/CEO, Motorola Solutions, Inc.Other board(s)Motorola Solutions, Inc.

Thomas K. BrownNew Board3M Co. ProfileRetired Group Vice President, Global Purchasing, Ford Motor Co.Other board(s)Conagra Foods, Inc.

Abelardo (Al) E. BruNew BoardDirecTV ProfileFormer President/CEO, Frito Lay North America, Inc.Other board(s)Kraft Foods Group, Inc.; Kimberly-Clark Corp.

William (Willie) H. BurnsideNew BoardAbbVie, Inc. ProfileAdvisor, Boston Consulting Group, Inc.

André Calantzopoulos*New BoardPhilip Morris International, Inc.ProfileCEO, Philip Morris International, Inc.

Kurt M. CampbellNew BoardMetLife, Inc.ProfileChairman/CEO, Asia Group LLCOther board(s)Standard Chartered PLC

William S. Demchak*New BoardPNC Financial Services Group Inc.ProfilePresident/CEO, PNC Financial Services Group Inc.Other board(s)Blackrock, Inc.

Nancy-Ann M. DeParleNew BoardCVS Caremark Corp.ProfileCo-Founding Partner, Consonance Capital Partners, LLC

Susan Desmond-HellmanNew BoardFacebook, Inc. ProfileCEO, Bill and Melinda Gates Foundation; Former Chancellor, University of California, San FranciscoOther board(s)Procter & Gamble Co.

36

Pierre J. P. de WeckNew BoardBank of America Corp. ProfileFormer Chairman/Global Head, Private Wealth Management, Deutsche Bank AGOther board(s)SAL Oppenheim jr. & Cie. AG & Co. KGaA

Nance K. DiccianiNew BoardLyondellBasell Industries ProfileFormer Division President/CEO, Honeywell International, Inc.Other board(s)Halliburton Co.; Praxair, Inc.

Arnold W. DonaldNew BoardBank of America Corp. ProfileFormer Chairman/CEO, Merisant Co.Other board(s)Crown Holdings, Inc.; Carnival Corp.; Laclede Group; Carnival Plc; Oil-Dri Corp. of America

Scott C. DonnellyNew BoardMedtronic, Inc. ProfileCEO/Chairman/President, Textron, Inc.Other board(s)Textron, Inc.

Francisco D’SouzaNew BoardGeneral Electric Co.ProfileCEO, Cognizant Technology Solutions Corp.Other board(s)Cognizant Technology Solutions Corp.

James O. Ellis Jr.New BoardDominion Resources, Inc. ProfileIndependent Chairman, Level 3 Communications, Inc.Other board(s)Level 3 Communications, Inc.; Lockheed Martin Corp.

Gay H. EvansNew BoardConocoPhillips ProfileFormer Division Vice Chairman, Investment Banking and Investment Management, Barclays PLCOther board(s)Aviva PLC; London Stock Exchange Group PLC

Andrew T. FeldsteinNew BoardPNC Financial Services Group Inc.ProfileCEO/CIO, BlueMountain Capital Management LLC

Helena B. FoulkesNew BoardThe Home Depot, Inc. ProfilePresident, CVS Pharmacy, Inc.

Greg C. GarlandNew BoardAmgen, Inc. ProfileChairman/President/CEO, Phillips 66Other board(s)Phillips 66

Helene D. GayleNew BoardThe Coca-Cola Co.ProfilePresident/CEO, CARE USAOther board(s)Colgate-Palmolive Co.

Thomas (Tom) H. GlocerNew BoardMorgan Stanley ProfileRetired Chief Executive Officer, Thomson Reuters Corp. Other board(s)Merck & Co., Inc.

Lynn J. Good*New BoardDuke Energy Corp. ProfileVice Chairman/President/CEO, Duke Energy Corp.Other board(s)Hubbell, Inc.


William (Bill) D. GreenNew BoardEMC Corp. ProfileFormer Chairman/CEO, AccentureOther board(s)McGraw Hill Financial, Inc.

Jose C. GrubisichNew BoardHalliburton Co. ProfileCEO, Eldorado Brasil Celulose SAOther board(s)Vallourec SA

Carlos M. GutierrezNew BoardsTime Warner, Inc. and MetLife, Inc.ProfilePresident/CEO, Kellogg Canada, Inc.Other board(s)Occidental Petroleum Corp.

James P. HackettNew BoardFord Motor Co.ProfileIndependent Chairman, Fifth Third BancorpOther board(s)Steelcase, Inc.; Fifth Third Bancorp

Kirk S. HachigianNew BoardNextEra Energy, Inc. ProfileFormer Chairman/President/CEO, Cooper Industries PLCOther board(s)Allegion PLC; Paccar, Inc.

Duncan P. HennesNew BoardCitigroup, Inc. ProfileCo-Founder/Partner, Atrevida Partners, LLC

John T. HerronNew BoardDuke Energy Corp.ProfileFormer CEO/President/Chairman, System Energy Resources, Inc.

Benjamin P. Jenkins IIINew BoardCapital One Financial Corp. ProfileFormer Vice Chairman, Wachovia Corp.

William (Jerry) G. JurgensenNew BoardAmerican International Group, Inc. ProfileFormer CEO/Chairman, Nationwide Financial Services, Inc.Other board(s)Conagra Foods, Inc.

Debra J. Kelly-EnnisNew BoardAltria Group, Inc. ProfileFormer Division Manager, General Motors Co.Other board(s)Hertz Global Holdings, Inc.; Carnival Corp.; PulteGroup, Inc.

Muhtar KentNew Board3M Co. ProfileChairman/President/CEO, The Coca-Cola Co.Other board(s)The Coca-Cola Co.

William E. KennardNew BoardMetLife, Inc. ProfileFormer Chairman/General Counsel, Federal Communications Commission (FCC)Other board(s) Duke Energy Corp.

Ronald (Ron) KirkNew BoardTexas Instruments, Inc. ProfileFormer US Trade Representative

William (Bill) R. KlesseNew BoardOccidental Petroleum Corp.ProfileChairman/CEO, Valero Energy Corp.Other board(s)Valero Energy Corp.

38

Brian M. Krzanich*New BoardIntel Corp. ProfileCEO, Intel Corp.

Alan G. Lafley*New BoardProcter & Gamble Co.ProfileChairman/CEO, Procter & Gamble Co.Other board(s)General Electric Co.

Anne LauvergeonNew BoardAmerican Express Co. ProfileFormer Chairman/CEO, Areva SAOther board(s)Vodafone Group PLC; Total SA; Airbus Group NV

John C. LechleiterNew BoardFord Motor Co.ProfileChairman/President/CEO, Eli Lilly & Co.Other board(s)Eli Lilly & Co.; Nike, Inc.

Dawn G. LeporeNew BoardThe TJX Companies, Inc. ProfileFormer Chairman/CEO/President, Drugstore.com, Inc.Other board(s)Coupons.com, Inc.; RealNetworks, Inc.; AOL, Inc.

Edward (Ed) M. LiddyNew BoardAbbVie, Inc. ProfileFormer Chairman/CEO, American International Group, Inc.Other board(s)Abbott Laboratories; Boeing Co.; 3M Co.

Terry LundgrenNew BoardProcter & Gamble Co.ProfilePresident/CEO, Macy’s, Inc.Other board(s)Macy’s, Inc.; Kraft Foods Group, Inc.

Mike McCallisterNew BoardAT&T, Inc. ProfileChairman/CEO, Humana, Inc.Other board(s)Zoetis, Inc.; Humana, Inc.; Fifth Third Bancorp

Mark. B. McClellanNew BoardJohnson & Johnson ProfileFormer Commissioner, US Food and Drug Administration (FDA); Former Administrator, Centers for Medicare & Medicaid Services, US Department of Health and Human Services Other board(s)AVIV Reit, Inc.

Peter J. McDonnellNew BoardAllergan, Inc. ProfileDirector/Professor, Wilmer Eye Institute, Johns Hopkins University School of Medicine

Beth E. MooneyNew BoardAT&T, Inc. ProfileChairman/CEO, KeyCorpOther board(s)KeyCorp

Michael (Mike) G. MullenNew BoardGeneral Motors Co.ProfileRetired US Navy Admiral; Former Chairman, Joint Chiefs of StaffOther board(s)Discovery Air, Inc.; Sprint Corp.

Shantanu NarayenNew BoardPfizer, Inc. ProfilePresident /CEO/Director, Adobe Systems, Inc.Other board(s)Adobe Systems, Inc.; Dell, Inc.


Jacques A. NasserNew BoardTwenty-First Century Fox, Inc. ProfileChairman, BHP Billiton Ltd.Other board(s)BHP Billiton Ltd.

Lionel L. Nowell IIINew BoardBank of America Corp. ProfileFormer Senior Vice President/Treasurer, PepsiCo, Inc.Other board(s)Reynolds American, Inc.; American Electric Power Co., Inc.

Raymond E. OzzieNew BoardHewlett-Packard Co.ProfileCEO/Founder, Talko, Inc.

D. C. PaliwalNew BoardBristol-Myers Squibb Co.ProfileChairman/President/CEO, Harman International Industries, Inc.Other board(s)Harman International Industries, Inc.; ADT Corp.

Samuel J. PalmisanoNew BoardAmerican Express Co.ProfileFormer Chairman/President/CEO, International Business Machines Corp.Other board(s)Exxon Mobil Corp.

Timothy (Tim) D. ProctorNew BoardAllergan, Inc. ProfileFormer General Counsel, Diageo PLC

James H. QuigleyNew BoardWells Fargo & Co.ProfileRetired CEO, Deloitte Touche Tohmatsu LimitedOther board(s)Hess Corp.; Merrimack Pharmaceuticals, Inc.

Clark T. RandtNew BoardQUALCOMM, Inc.ProfileFormer US Ambassador to ChinaOther board(s)United Parcel Service, Inc.; Valmont Industries, Inc.

Edward (Ed) J. RappNew BoardAbbVie, Inc. ProfileGroup President/Former CFO, Caterpillar, Inc.

Gary M. ReinerNew BoardCitigroup, Inc. ProfileOperating Partner, General Atlantic LLC; Former Chief Information Officer, General Electric Co.Other board(s)Hewlett-Packard Co.

Howard V. RichardsonNew BoardWells Fargo & Co.ProfileFormer Partner, PricewaterhouseCoopers LLP

Roy S. RobertsNew BoardAbbVie, Inc. ProfileFormer Group Vice President, General Motors Co.

James E. RohrNew BoardGeneral Electric Co. ProfileChairman/CEO, PNC Financial Services Group Inc.Other board(s)Marathon Petroleum Corp.; EQT Corp.; Allegheny Technologies; Blackrock, Inc.; PNC Financial Services Group Inc.

40

Clayton S. RoseNew BoardBank of America Corp. ProfileProfessor, Management Practice, Harvard Business SchoolOther board(s) XL Group PLC

Thomas E. RothmanNew Boardpriceline.com, Inc.ProfileFormer Co-Chairman/Co-CEO, Fox Filmed Entertainment, Inc.

Pamela (Pam) J. RoyalNew BoardDominion Resources, Inc. ProfileDermatologist/President/Owner, Royal Dermatology and Aesthetic Skin Care, Inc.

Jonathan J. RubinsteinNew BoardQUALCOMM, Inc.ProfileRetired Chairman/President/CEO, Palm, Inc.Other board(s)Amazon.com, Inc.

Marschall S. RungeNew BoardEli Lilly & Co.ProfileDean, University of North Carolina, Chapel Hill

Mary L. SchapiroNew BoardGeneral Electric Co. ProfileFormer Chairwoman, US Securities and Exchange Commission (SEC)

Robert S. SilbermanNew BoardTwenty-First Century Fox, Inc.ProfileChairman, Strayer Education, Inc.Other board(s)Strayer Education, Inc.; Covanta Holding Corp.

James A. SkinnerNew BoardHewlett-Packard Co.ProfileIndependent Chairman, Walgreen Co.Other board(s)Walgreen Co.; Illinois Tool Works, Inc.

Theresa M. StoneNew BoardAmerican International Group, Inc. ProfileFormer Vice Chairman, Federal Reserve Bank of Richmond

Jackson P. TaiNew BoardEli Lilly & Co.ProfileChairman, OSIM Brookstone Holdings LPOther board(s)Singapore Airlines Ltd.; Koninklijke NV; Bank of China; MasterCard International, Inc.

Ratan N. TataNew BoardMondelez International, Inc. ProfileChairman, Tata Industries Ltd.Other board(s)Alcoa, Inc.

Cynthia B. TaylorNew BoardAT&T, Inc. ProfilePresident/CEO, Oil States International, Inc.Other board(s)Tidewater, Inc.; Oil States International, Inc.

William (Bill) R. Thomas*New BoardEOG Resources ProfilePresident/CEO, EOG Resources

Glenn F. TiltonNew BoardAbbVie, Inc. ProfileFormer Chairman/President/CEO, United Continental Holdings, Inc.Other board(s)Phillips 66; Abbott Laboratories


James (Jim) S. TurleyNew BoardsCitigroup, Inc.; Emerson Electric Co.ProfileRetired Chairman/CEO, Ernst & Young Global Ltd.Other board(s)Intrexon Corp.

Anthony (Tony) J. VinciquerraNew BoardDirecTV ProfileFormer Chairman/President/CEO, Fox Networks Group

David A. ViniarNew BoardThe Goldman Sachs Group, Inc. ProfileFormer CFO/Executive Vice President, The Goldman Sachs Group, Inc.

Frederick (Rick) H. WaddellNew BoardAbbVie, Inc. ProfileChairman/CEO, Northern Trust Corp.Other board(s)Northern Trust Corp.

Pat WardNew BoardE.I. DuPont de Nemours & Co.ProfileVice President/CFO, Cummins, Inc.

Greg D. WassonNew BoardVerizon Communications, Inc. ProfilePresident/CEO, Walgreen Co.Other board(s)Walgreen Co.

Robin L. WashingtonNew BoardHoneywell International, Inc. ProfileSenior Vice President/CFO, Gilead Sciences, Inc.Other board(s)Salesforce.com, Inc.; MIPS Technologies, Inc.

William C. WeldonNew BoardsExxon Mobil Corp.; CVS Caremark Corp.ProfileFormer Chairman/CEO, Johnson & JohnsonOther board(s)Chubb Corp.; JPMorgan Chase & Co.

Catherine G. WestNew BoardCapital One Financial Corp. ProfileFormer COO, Consumer Financial Protection Bureau

Rayford Wilkins Jr.New BoardMorgan Stanley ProfileFormer President/CEO, Southwestern Bell Telephone Co.Other board(s) Valero Energy Corp.

42

Appendix C: The KFMC100 boards

Number of directors on the board.

The median size for a KFMC100 board was 12 directors and 82% of boards had

between 10 and 15 directors.

Board independence.

In the KFMC100, 90% of boards had one or two executive directors. The rest

were independent directors.

Figure 13

Figure 14

6% 16 to 18 directors




68% 1 executive director

22% 2 executive directors

7% 3 executive directors

3% 4 to 5 executive directors


Who is chairman of the board?

The company CEO chaired the board of directors at 66 of the KFMC100

companies in 2013. An additional 18 had chairmen or executive chairmen

leading the board, 14 of whom were the former CEO of the company.

Compensation and retainers for directors.

The median total compensation for KFMC100 directors rose slightly to

$288,000 according to figures reported in company proxy statements, and

the median cash retainer was $100,000, up from $85,000 the previous year.

Two companies stated that they offered no cash retainer to directors.

Figure 15

Figure 16

6%

7%

15%

41%

16%

11%

2%

2%

66% CEO is also chairman of the board

16% Non-executive chairman

18% Chairman or executive chairman

>$150,000

$125,001 to $150,000

$100,001 to $125,000

$75,001 to $100,000

$50,001 to $75,000

$25,001 to $50,000

$1 to $25,000

$0

Cash Retainers

44

One or more directors with work experience anywhere

outside the US

Frequency of board meetings.

Half of the KFMC100 boards met eight or more times in 2013, and the average

number of meetings was 8.2.

Global business experience on KFMC100 boards.

Although 88% of KFMC100 boards included at least one director who had

held a significant work assignment outside the United States, only 28% had

members with experience in Brazil, Russia, India, or China. About 9% of

directors joining boards in 2013 were born, educated, or worked in one of

those markets.

Figure 17

Figure 18

88%

28%

12% 0 to 5 meetings

38% 6 to 7 meetings

24% 8 to 9 meetings

17% 10 to 12 meetings

9% 13 to 19 meetings

One or more directors with work experience specifically

in BRIC countries


1

2

3

4

5

Gender balance on KFMC100 boards.

Only 21% of all KFMC100 board seats were held by women, and 95% of those

were independent directorships.

Distribution of female directors among KFMC100 boards.

There was at least one women on every board in the KFMC100; as recently as

2011, there were four companies with all-male boards. The average number

of women on a KFMC100 board was 2.5.

Figure 19

Figure 20

Number of female directors

21% Female

79% Male

13 companies

42 companies

26 companies

15 companies

4 companies

46

Age of KFMC100 directors.

Excluding CEOs, there were 1,108 individual directors in the KFMC100, half

of whom were between the ages of 60 and 69. The median age was 65.

Compared with the previous year, there were slightly fewer directors under

age 50, and a few more over age 75.

KFMC100 retirement age policies.

There was an established retirement age for directors at 79 of the KFMC100,

with an average mandatory retirement age of 72. The policies seemed to

make little difference: 19 companies made exceptions in 2013, and companies

with no stated age limit had an average age that was only slightly higher. The

average age of a departing director was 68.

Retirement policy Companies Exceptions Average director age

Mandatory retirement age 46 9 63.1

Policy explicitly allows exceptions 33 10 63

No retirement age policy 21 -- 63.3

Figure 21

Figure 22

3% 49 or younger

7% 50 to 54

18% 55 to 59

21% 60 to 64

29% 65 to 69

17% 70 to 74

5% 75 and over


Duration of directorships.

Directors in the KFMC100 tend to serve a long time on boards. Among the 73

directors who left or retired in 2013, the average tenure was 10 years. The

current average tenure is 7.9 years, and 26% of directors have been in their

seats a decade or longer.

Individual director review policy.

Board renewal and improvement were sometimes approached by a vigorous

annual review of each individual director. In their 2013 proxy statement, 44

KFMC100 companies indicated that individual reviews were their policy.

Figure 23

Figure 24

Board seats held for

12 years or more

9 years or more

6 years or more

3 years or more

16%

27%

45%

66%

56% Boards with no stated individual review policy

44% Boards that perform individual reviews of directors

48

Korn Ferry has recruited CEOs and board directors for more than 40 years. Our

dedicated Board & CEO Services practice is committed to improving governance

practices worldwide. Our approach includes Board Director and CEO Search and

Selection, CEO Succession Planning and Assessment, Board Effectiveness, and

Director/Executive Compensation Consulting.

Visit www.kornferry.com/BoardCEOServices for more information.

Key contacts:

© 2014 The Korn Ferry Institute

About Korn Ferry’s Board & CEO Services Practice

Joe GriesedieckVice Chairman and Co-Leader,

Board & CEO Services

[email protected]

+1 415.288.5367

Jane StevensonVice Chairman & Global Leader

for CEO Succession

[email protected]

+1 404.577.7542

Robert HallaganVice Chairman

[email protected]

+1 617.790.5790

Dennis Carey Vice Chairman

[email protected]

+1 215.656.5348

Nels OlsonVice Chairman and Co-Leader,

Board & CEO Services

[email protected]

+1 202.955.0926

Stephen MaderVice Chairman

[email protected]

+1 617.790.5700

About Korn Ferry

At Korn Ferry, we design, build, attract

and ignite talent. Since our inception,

clients have trusted us to help recruit

world-class leadership. Today, we

are a single source for leadership and

talent consulting services to empower

businesses and leaders to reach their

goals. Our solutions range from executive

recruitment and leadership development

programs, to enterprise learning,

succession planning and recruitment

process outsourcing (RPO).

Visit www.kornferry.com for more

information on our services, and

www.kornferryinstitute.com for

more articles, research and insights.

2014 KFMC

KO

RN

FE

RR

Y

KF

MC

100

20

14

Documents

Korn Ferry Market Cap 100 - 2014 · KORN FERRY MARKET CAP 100 1 Introduction Cybercrime comes with a staggering price tag: an estimated .4% to 1.4% of global GDP. The cost to the