Governance

04 Nov 2019 11:42

04 Nov 2019 11:42

04 Nov 2019 11:42

10 Jan 2020 12:03

F-Secure's Disclosure Policy describes the key principles and practices that the company applies in its investor relations and financial reporting.

Disclosure policy (pdf)

F-Secure's corporate governance practices comply with applicable Finnish laws as well as the rules, regulations and guidelines of NASDAQ Helsinki Oy and the Finnish Financial Supervisory Authority. This statement has been prepared in accordance with Finnish Corporate Governance Code (publicly available at https://cgfinland.fi/en) issued by the Securities Market Association of Finland in 2015.

The statement includes the tasks and responsibilities of the Board of Directors, Board Committees and other main governing bodies. The statement also describes the main features of internal control and risk management pertaining to the financial reporting process.

The key elements of the Corporate Governance practices of F-Secure Corporation are described in brief on this page.

The remuneration of the Board is decided by the Annual general meeting. The decisions are made public after the meeting. Read more about the decisions on remuneration on the Annual General Meeting section.

The Board of Directors decides on the remuneration and other benefits of the CEO. The CEO also belongs to the Company's long-term incentive program. The Board of Directors decides on the remuneration and other benefits of the Leadership Team.

More information on the remuneration of the CEO and Leadership team, option programs and other related issues can be found in note 27 to the financial statements in the Annual Report.

The following statement contains broad information on remuneration issues in F-Secure. The statement has been prepared according to the Finnish Corporate Governance Recommendation for Listed Companies published by the Securities Market Association. Please find the statement below. This statement is updated on regular basis if changes occur.

1. Business name and domicile 
   The Finnish name of the Company is F-Secure Oyj and the English name is F-Secure Corporation, and the Company's domicile is the City of Helsinki.
2. Line of activity
   The Company's line of activity shall be the production of software, the import, export and sale of computers, electric devices, software, and the supply of services related to information technology, as well as consultation, training and publication activities related to information technology. The Company may also be engaged in securities trading.
3. Book-entry securities system
   After a registration date specified by the Board of Directors, the shares of the Company will be incorporated in the book-entry securities system. After the registration date the right to receive funds distributed by the Company and to subscribe for shares when increasing the share capital shall be restricted to persons
   • Who have been registered as shareholders in the Shareholders' Register on the matching day
   • Whose right to payment has been registered on the matching day on the book-entry account of a registered shareholder and entered in the Shareholders' Register or
   • In case a share is nominee registered, on whose book-entry account the share has been registered on the record date and whose nominee has been registered in the Shareholders' Register of the Company on the record date as the nominee of the shares.
4. Board of directors
   The Company shall have a Board of Directors, which shall include at minimum three and at maximum seven ordinary members. The term of office of a member of the Board of Directors shall expire at the end of the first Annual General Meeting of Shareholders following the election.
5. Company president
   The Board of Directors of the Company shall appoint a President and determine his/her remuneration terms.
6. Signing of the business name
   In addition to the members of the Board of Directors, who can sign the business name of the Company jointly, the name can also be signed by the person or persons whom the Board of Directors has authorized to sign the business name, by the President of the Company and the Chairman of the Board of Directors alone, and by two members of the Board of Directors jointly. The Board of Directors shall decide on authorizing persons to sign for the Company per procuram.
7. Financial period
   The financial year of the Company is the calendar year.
8. Auditors
   The Company shall have one Auditor, who shall be an auditing entity approved by the Finnish Central Chamber of Commerce. The term of office of the Auditor shall expire at the end of the first Annual General Meeting of Shareholders following the election.

9. Call to a General Meeting and right to participate in and vote at the General Meeting
   The notice of a General Meeting of Shareholders shall be delivered to the shareholders within a period stipulated by the law by publishing the notice on the Company's website.

   To be entitled to participate in the General Meeting, a shareholder shall notify the Company about his/her intention to participate in the General Meeting no later than on the date indicated in the notice.

   At a General Meeting of Shareholders, each share has one (1) vote. The voting method shall be decided by the Chairman of the Meeting.

10. Annual General Meeting of Shareholders
    The Annual General Meeting of Shareholders shall be held annually on the date designated by the Board of Directors within a period from the end of the financial year as defined by the law. In addition to the domicile of the Company, the General Meeting of Shareholders can be held in Espoo or Vantaa. At the Annual General Meeting there shall be presented:
    • The financial statements and the Annual Report
    • The Auditors' Report (decisions made regarding)
    • The approval of the financial statement
    • The measures to which the profit or loss of the adopted balance sheet and/or consolidated balance sheet may give cause
    • The granting of release from liability to the Members of the Board of Directors and to the President
    • The remunerations of the Members of the Board of Directors and Auditors
    • The number of the Members of the Board of Directors (elected)
    • The members of the Board of Directors
    • One auditor and a reserve auditor, if necessary

The objective of F-Secure's risk management is to ensure a current, correct and holistic understanding and prioritized management of key uncertainties related to strategy implementation and business operations. The process and risk management methods in use are constantly developed to respond to the changing needs of the company. During 2017 the development was concentrated on the risk management framework and a new model considering the following three risk categories was taken in use.

• Strategic risks: Risks related to strategic objectives and competitive environment, managed by the leadership team and board of directors
• Business risks: risks that threaten the achievement of the business objectives, identified and managed by the organizational units as part of the operational planning and management
• Operational risks: Risks relating to the company's daily operations and processes as well as to potential disruptions, managed within the organizational units

The objective in organizing the risk management process has been to empower the organization to identify and manage risks. This approach enables understanding of risk management objectives and distribution of responsibility for risk management decisions making in in adequate level of the organization.

Different risk modelling and quantification methods developed by the F-Secure risk management consulting services are used to identify and analyze the risks when appropriate. During 2017, a new method for risk quantification was taken in use to analyze selected risks. Financial quantification is useful to analyze cases where the risk consequence has high variation. In these cases, it is adequate to create good understanding of the different outcome options of the realization of risk prior to deciding on the risk treatment strategy.

The most significant risks and their treatment strategies are reported annually to the Audit Committee of the Board of Directors.

Risks are defined as uncertainties which can impact the achievement of the Company's short and long term objectives. Risks are assessed as a combination of probability and impact.

Endpoint protection market disruption

Endpoint security market is highly competitive. Operating system manufacturers have increased their focus to built-in security features and at the same time new vendors and technologies have emerged. Successful security vendors must have in-depth understanding of cyber security threat landscape, hacker techniques and technologies used as well as continue to innovate in defense technologies.

Market Consolidation

The cyber security market is consolidating due to economies of scale. Companies have to succeed in choosing the right acquisition targets, as well as successfully integrate target companies.

Failure to innovate and develop new technologies

In a rapidly evolving industry it is vital to keep the products and services relevant to the customers while introducing new technologies to the market. The Company is driving technology simplification and R&D effectivization initiatives as well as investments to artificial intelligence to ensure a competitive product portfolio.

Failure to attract and retain talent

Competition for capable personnel is increasing and there is structural undersupply of talent in the security industry. The Company is thus further developing and adopting new ways of recruitment, building its own talent and knowledge pools and investing to training and development of personnel.

Other risks that affect the F-Secure business include but are not limited to:

• Intellectual property (IPR) claims against F-Secure
• Risk exposure from contractual liability requirements
• Failure of new product launches
• Potential security threats related to F-Secure's products and services
• Credit risk due to regional political or financial climate and regulation
• Tax risk relating to changing laws and regulations and interpretations of said regulations by the relevant authorities

The purpose of Internal Control is to ensure that operations are effective and aligned with the strategy, and that financial reporting and management information is reliable and in compliance with applicable regulations and operating principles.

Internal control consists of all the guidelines, policies, processes, practices and relevant information about organizational structure that help ensure that the business conduct is in compliance with all applicable regulations. The purpose of internal control is also to ensure that accounting and financial information provides a true and accurate reflection of the activities and financial situation of the company. Actual performance is monitored against sales and cost targets by operative reporting systems on a daily, weekly, or monthly basis.

The Company constantly monitors its key financial processes linked to sales, revenue, costs and profitability as well as incoming and outgoing payment transactions. If any inconsistencies appear, the issues are handled without delay. The Company's finance department is responsible for the consistency and reliability of internal control methods. The finance team works in close cooperation with the CFO and businesses, providing relevant data for business planning purposes and sales estimates. The team also regularly assesses and monitors the reliability of estimates and revenue recognition.

F-Secure's Audit Committee considers regularly the need for and appropriateness of a separate Internal Audit function. To date, the Audit Committee has concluded that, due to the size, organizational structure and largely centrally controlled financial management of the Company, a separate Internal Audit function is not necessary.

In the absence of an Internal Audit function, attention is paid to periodical review of the written guidelines and policies concerning accounting, reporting, documentation, authorization, risk management, internal control and other relevant matters in all departments. Related controls are also tested from time to time. The guidelines and policies are coordinated by the Company's finance department with active involvement by the legal team.

The absence of a separate Internal Audit function is considered when defining the scope of the Company's external audit. Where necessary, the Board may also purchase Internal Audit services from an external provider.

To facilitate transparency and exchange of information on Internal Audit related matters, the financial management team has frequent meetings with the auditors. The Audit Committee also meets regularly with the auditors and head of the Company's legal team to discuss related matters of their areas of responsibility.

The Company has taken into use two direct lines for all employees to notify the Board and Leadership Team of any unethical activity or abuse.

F-Secure's IR-function is in charge of the company's insider issues, with the exception of project based insider issues, which are managed by the Legal department. The Company follows the insider regulations of NASDAQ Helsinki Oy and has adopted the new Market Abuse Regulations (EU, N:o 596/2014, "MAR"), which came into force on 3 July 2016. F-Secure has published an internal guideline on insider issues and regularly trains employees and management on insider issues.

Insider registries

F-Secure maintains three separate lists of insiders and other persons relevant for insider issues:

• project based insiders (maintained by the Legal team)
• list of persons discharging managerial responsibilities, as well as persons closely associated with them, as specified by MAR
• other insiders, including people participating in the preparation of financial reporting or otherwise having access to significant non-published financial information.

Managers' transactions

Persons discharging managerial responsibilities ("Managers") comprise the Board of Directors, the CEO, the CFO and other members of the Leadership Team. These persons have a duty to notify within three business days F-Secure and the Finnish Financial Supervisory Authority of every transaction in their own account relating to Financial Instruments of F-Secure. The Company publishes these notifications as a stock exchange release, as specified by MAR. All releases published on managers' transactions are available on the Company's website.

Closed window

All insiders or their interest parties are not entitled to trade shares, options, or other securities 30 days prior to the publication of financial reports. Additionally, project-based insiders are never entitled to trade shares, options, or other securities during the duration of an insider project, including the day the insider information is made public.

Silent period

F-Secure observes a silent period of 21 days before each quarterly report announcement. During the silent period, the Company will arrange neither meetings nor conference calls with the investor community.

The auditor is elected by the Annual General Meeting for a term of service ending at the close of the next Annual General Meeting. The auditor is responsible for auditing the consolidated and parent company's financial statements and accounting. The auditor reports to the Board of Directors or the Audit Committee at least once a year.