Minutes | Board Risk Committee (RC) Meeting | 6 February 2015

RC Attendees: Rinalia Abdul Rahim, Ram Mohan – Co-Chair, Mike Silber – Co-Chair, Jonne Soininen, and Suzanne Woolf

RC Member Apologies: Kuo-Wei Wu

Other Board Member Attendees: Fadi Chehadé, Steve Crocker, Chris Disspain, Asha Hemrajani, and Markus Kummer

Executive and Staff Attendees: Francisco Arias (Director, Technical Services), Akram Atallah (President, Global Domains Division), Susanna Bennett (Chief Operating Officer), Megan Bishop (Board Support Coordinator), Xavier Calvez (Chief Financial Officer), David Conrad (Chief Technology Officer), Dan Halloran (Deputy General Counsel), John Jeffrey (General Counsel and Secretary), Patrick Jones (Senior Director, Global Stakeholder Engagement), Jacks Khawaja (Enterprise Risk Director), Cyrus Namazi (V.P., DNS Industry Engagement), Ashwin Rangan (Chief Innovation and Information Officer), Amy Stathos (Deputy General Counsel), and Christine Willet (V.P., gTLD Operations)


The following is a summary of discussions, actions taken, and actions identified:

  1. Minutes – The RC approved the minutes from the 15 October 2014 meeting.

  2. Top 10 Enterprise Risks – Ram Mohan provided an overview of the agenda item, explaining that the presented list of identified top ten risks to the organization was sorted based upon the 2014 ratings for likelihood and severity, and agreed upon in the Global Leader Workshop in December 2014. The RC discussed the risks identified, clarification and refinement of the definitions, and prioritization of the identified risks, as well as potential additional risks.

    • Action: Staff to clarify the language for some of the listed risks as needed, and review the balance of operational and reputational risk items to see if they capture the necessary scope.

  3. Spear-Phishing Incident and Mitigation – Staff provided an overview of the spear-phishing incident and cyber security in general. Staff provided a summary of the spear-phishing incident and information accessed, and the lessons learned as a result of the incident. Staff provided an overview of the types of sensitive data within ICANN's IT-enabled services as well as the additional cyber security training, tests, reviews, and protections being instituted and the timetable for each task. Staff described the proposed three-phase approach and relative costs over the next five years in order to increase ICANN's cyber security. The RC discussed the proposal, the affiliated costs and the additional information needed in order to provide a recommendation to the Board.

    • Actions:
      • Staff to update and clarify the three-phase proposal and affiliated costs based upon the RC's comments and questions, and provide this update to the RC for review.

      • Staff to determine the best method of sharing a report with the community and a means to gain input from the community.

  4. Universal Acceptance of TLDs Initiative – Staff provided a brief overview of the Universal Acceptance of TLDs Initiative and progress to date. The RC discussed the progress thus far and potential resources necessary for the continuation of the Initiative. Staff indicated that an informal workshop of volunteers was assembled in Washington D.C. in January 2015 in order to discuss ways in which to move forward with the Initiative. As a result of the workshop, staff developed a proposal that will be presented to the community, focusing on communications, messaging, and getting more volunteers involved. Once the community provides input, staff will finalize the proposal and present it to the RC to review the process and the expected outcomes. Once that is completed, the proposal would then be presented to the BFC for budget purposes.

    • Action: Staff to prepare proposal regarding the Initiative, obtain community input, and then present to the RC for review.

  5. New gTLD Risk/Quantification Presentation – Staff provided an overview of the reasons why an updated New gTLD Risk Assessment has been conducted, the methodology used, the risks that were identified, and the cost quantification of those risks. The RC discussed the risks and costs, and ways in which to reflect the results.