Companies face heightened risks, as well as increased opportunities, as a result of the rapid advance of technological innovation, but what is the role of the company secretary in assisting companies to navigate these risks and exploit these opportunities? A new HKICS guidance note provides an introduction to this increasingly important area of company secretarial practice.

Earlier this year, the Institute set up seven new Interest Groups (see ‘The HKICS Interest Groups’ below) under the Technical Consultation Panel to look into key areas of corporate governance and company secretarial practice with a view to producing guidance to HKICS members and the wider profession and community. The first guidance note, produced by the Public Governance Interest Group was published in August this year. This month sees the publication of the second Interest Group guidance note, produced by the Technology Interest Group and looking at a range of technological issues that company secretaries need to be aware of.

Under the title ‘Technology and the company secretary’, the guidance note first tackles the question of the degree of responsibility company secretaries have for technological issues. There is, of course, significant diversity in the way companies set up their company secretarial function, and technological issues may not be considered part of the core duties and responsibilities of company secretaries. Moreover, larger companies will usually have a number of other executives specialising in IT issues.

The guidance note emphasises, however, that technology is not an area company secretaries can afford to ignore. Technology is transforming the environment within which we live and work and no company can be immune from the disruptive power of the new technological innovations surfacing at an ever increasing rate. Put simply, technology is a game changer for companies across all industries and it therefore needs to be continually assessed and reviewed by the board.

Issues which are critical for the board, the guidance note points out, will also be critical for company secretaries as trusted advisers to the board. ‘There are all too many examples of what can happen if these risks are not managed properly, with the consequences being operational, financial and, importantly, reputational,’ the guidance note states.

Issues of concern

The new guidance, being the first of a series of guidance notes on technology-related issues, provides an overview of the main issues that company secretaries need to consider. As mentioned above, the degree of responsibility which company secretaries will have for these issues will depend on how the company secretarial function has been established in particular companies, but some awareness of these issues will be expected of company secretaries, particularly in their role as trusted advisers to the board. It is no coincidence that the first three items in the list below focus on company secretaries’ board support function in technology-related areas.

Board composition

Hong Kong companies’ boards have traditionally not been strong on technology expertise. While today discussions are gradually shifting from IT enhancements to include issues such as cybersecurity, data protection and technology more generally, board members may need training or assistance to fully understand and be able to provide oversight in these areas.

Board agendas

Company secretaries need to consider whether technology should be a regular agenda item for board or board committee discussions – the answer to this will probably depend on how important technology is to a particular business, or what personal data a business regularly manages. For example, for those companies where IT infrastructures are linked to the outside world or key services are outsourced, cybersecurity risks may need to be assessed at board level.

Board oversight

Company secretaries should work with IT security executives, compliance and/or risk officers and IT auditors as necessary, to raise the board’s awareness and knowledge of the subject matter, and to keep the board abreast of evolving legal and regulatory developments and aware of its ultimate responsibility for overseeing technology-related issues.

Technology-related internal controls

Company secretaries, who are generally responsible for facilitating oversight of internal controls, should undertake a holistic review of the effectiveness of their company’s technology-related controls and ensure, in conjunction with relevant professionals, that an appropriate system of technology-related controls is in place. This can then be reported to the board as part of the annual confirmation on appropriate and effective internal controls and risk management.

Classified information

Company secretaries deal with a large amount of sensitive and confidential information, much of which may be stored or transferred electronically. In any business it is important to have a system in place to define what kind of information or documentation is confidential or classified and therefore needs extra care in terms of handling and security protection. The related IT controls should then be assessed to determine if they are adequate to protect the information or documentation.

Personal data

Any data held by a company may be the subject of an inadvertent or a deliberate breach, but sensitive data, such as personal data is particularly vulnerable. Company secretaries should therefore ensure that their company’s system of internal controls and risk management encompasses the risk of data breach, and also be aware of the personal data collected and held by them, such as that relating to board members (which could be particularly sensitive) and their members of staff.

Audit plan

Company secretaries have a role to play in ensuring that technology risks are formally integrated into their company’s internal audit plan and reported to the board or audit committee or risk management committee, as appropriate.

Incident response

Companies need to have incident response plans for all incident scenarios, including cyber attacks or data breaches, which may require immediate action in order to contain the incident and limit the damage. The steps taken during the first 24 hours after the attack or the breach can often be crucial in controlling the resulting operational, financial and reputational damage, and company secretaries will no doubt have a key role to play in any incident or crisis management committee.

Disclosure obligations

A cyber attack or a data breach may require disclosure to the affected individuals, to the public and/or to shareholders, depending on the nature and scale of the attack or breach and its actual or potential impact on a company. Company secretaries should be aware of when such issues might require disclosure and what form this disclosure should take so that they can respond quickly to try to contain the damage to their company.

Use of new technology

As well as being an area of risk, technology provides opportunities – many boards are now using or considering the use of board portal technology, enabling board members to carry their board papers with them wherever they may be in the world.
The Hong Kong Companies Registry now encourages e-filings and artificial intelligence is being billed as the key to unlocking innovation in the legal sector.

Social media

Among certain sectors of society, such as the younger generation, social media is taking over from traditional media and social media amplifies many of the risk areas described above. It makes it easier for classified or confidential information or documentation to be leaked and the speed at which news can travel on social media means that the need for immediate responses to incidents is only heightened. This is another area for company secretaries to watch out for.

What’s next?

As mentioned above, the new Technology Interest Group guidance note will be the first of a series of guidance notes on technology-related issues. In its follow-up guidance notes, the Technology Interest Group will address some of the above issues in more detail and provide practical guidance to company secretaries to try and ensure that they have the confidence to raise and deal with whatever technology and innovation related issues may arise.

The new guidance note is available on the Institute’s website (www.hkics.org.hk).

SIDEBAR: The HKICS Interest Groups

The members of the Technology Interest Group are:

Chair
Gillian Meller FCIS FCS, Member of Company Secretaries Panel, HKICS, and Legal Director & Secretary, MTR Corporation Ltd

Members
Effie Tang, Senior Manager, BDO Ltd
Ricky Cheng, Director – Risk Advisory Services, BDO Ltd
Philip Miller ACIS, Member of Technical Consultation Panel, HKICS, and Assistant Company Secretary, The Hongkong and Shanghai Banking Corporation Ltd
Mark Johnson, Partner, Debevoise & Plimpton LLP.

The other Interest Groups, set up earlier this year by the Institute, cover the following areas:
company law
competition law
ethics, bribery and corruption
public governance
securities law and regulation, and
takeovers, mergers and acquisitions.

Look out for a review of the next HKICS Interest Group guidance note on Hong Kong’s new competition law in next month’s journal.

Close