Governance

Corporate governance

F-Secure's corporate governance practices comply with applicable Finnish laws as well as the rules, regulations and guidelines of NASDAQ Helsinki Oy and the Finnish Financial Supervisory Authority. This statement has been prepared in accordance with the Finnish Corporate Governance Code (publicly available at http://cgfinland.fi/en/) issued by the Securities Market Association of Finland in 2015.

F-Secure's corporate governance statement

The statement includes the tasks and responsibilities of the Board of Directors, Board Committees and other main governing bodies. The statement also describes the main features of internal control and risk management pertaining to the financial reporting process.

The key elements of the Corporate Governance practices of F-Secure Corporation are described in brief on this page.


 

Code of conduct

F-Secure sees itself as a company with a vital and important role in helping to prevent unethical conduct in connected life by providing security and privacy solutions for consumers and corporations. F-Secure strives to conduct all its business in an ethical and lawful manner and has gathered its primary indicators of compliance to this code of conduct. Each employee of F-Secure is expected to know and comply with this code and to report any suspected violations that they become aware of. F-Secure's subcontractors are also requested to act in compliance with this code or with a corresponding code of their own of at least as high a standard as this code.

  1. Equal opportunities
    F-Secure is committed to equality of opportunity in all its employment practices, policies and procedures.
  2. Conflict of interests prevention
    F-Secure employees shall avoid any activity that might lead to or suggest a conflict of interest, in the form of personal benefit, between personal activities and the business of F-Secure.
  3. No bribery or corruption
    F-Secure is committed to working against corruption in all its forms, including extortion and bribery. F-Secure does not pay or authorize payment of or receive bribes or other illegal payments to obtain or retain business. The Company has adopted an Anti-Bribery Policy.
  4. Compliance with laws
    F-Secure complies with all mandatory applicable laws and regulations in the countries in which it operates. We also follow and embrace export control and fair competition laws and practices. As a public, listed Finnish company, F-Secure complies with the rules and regulations of the NASDAQ OMX Helsinki Ltd.
  5. Protection of human rights
    F-Secure supports and respects protection of internationally proclaimed human rights.
  6. Messaging
    F-Secure endeavors to conduct its messaging in a responsible manner.
  7. Respect for the environment
    F-Secure is environmentally friendly and operates in a manner that conserves the environment.
  8. Supplier requirements
    F-Secure requires its service providers to comply with this code of conduct or provide their own code of conduct substantially similar to F-Secure's.
  9. Information security, privacy and third party rights
    F-Secure protects the privacy and integrity of data of its business partners, end users and employees. We shall honor third party rights, including the rights of the open source community.
  10. Working with malware
    F-Secure strives to do no harm to anybody when handling malicious content. We do our best to cooperate with authorities and law enforcement in order to ensure the safety of the general public. However, our products are developed independent of governmental direction.

Articles of association

  1. Business name and domicile 
    The Finnish name of the Company is F-Secure Oyj and the English name is F-Secure Corporation, and the Company's domicile is the City of Helsinki.
  2. Line of activity
    The Company's line of activity shall be the production of software, the import, export and sale of computers, electric devices, software, and the supply of services related to information technology, as well as consultation, training and publication activities related to information technology. The Company may also be engaged in securities trading.
  3. Book-entry securities system
    After a registration date specified by the Board of Directors, the shares of the Company will be incorporated in the book-entry securities system. After the registration date the right to receive funds distributed by the Company and to subscribe for shares when increasing the share capital shall be restricted to persons
    • Who have been registered as shareholders in the Shareholders' Register on the matching day
    • Whose right to payment has been registered on the matching day on the book-entry account of a registered shareholder and entered in the Shareholders' Register or
    • In case a share is nominee registered, on whose book-entry account the share has been registered on the record date and whose nominee has been registered in the Shareholders' Register of the Company on the record date as the nominee of the shares.
  4. Board of directors
    The Company shall have a Board of Directors, which shall include at minimum three and at maximum seven ordinary members. The term of office of a member of the Board of Directors shall expire at the end of the first Annual General Meeting of Shareholders following the election.
  5. Company president
    The Board of Directors of the Company shall appoint a President and determine his/her remuneration terms.
  6. Signing of the business name
    In addition to the members of the Board of Directors, who can sign the business name of the Company jointly, the name can also be signed by the person or persons whom the Board of Directors has authorized to sign the business name, by the President of the Company and the Chairman of the Board of Directors alone, and by two members of the Board of Directors jointly. The Board of Directors shall decide on authorizing persons to sign for the Company per procuram.
  7. Financial period
    The financial year of the Company is the calendar year.
  8. Auditors
    The Company shall have one Auditor, who shall be an auditing entity approved by the Finnish Central Chamber of Commerce. The term of office of the Auditor shall expire at the end of the first Annual General Meeting of Shareholders following the election.
  9. Call to a General Meeting and right to participate in and vote at the General Meeting

    The notice of a General Meeting of Shareholders shall be delivered to the shareholders within a period stipulated by the law by publishing the notice on the Company's website.

    To be entitled to participate in the General Meeting, a shareholder shall notify the Company about his/her intention to participate in the General Meeting no later than on the date indicated in the notice.

    At a General Meeting of Shareholders, each share has one (1) vote. The voting method shall be decided by the Chairman of the Meeting.

  10. Annual General Meeting of Shareholders
    The Annual General Meeting of Shareholders shall be held annually on the date designated by the Board of Directors within a period from the end of the financial year as defined by the law. In addition to the domicile of the Company, the General Meeting of Shareholders can be held in Espoo or Vantaa. At the Annual General Meeting there shall be presented:
    • The financial statements and the Annual Report
    • The Auditors' Report
    decisions made regarding:
    • The approval of the financial statement
    • The measures to which the profit or loss of the adopted balance sheet and/or consolidated balance sheet may give cause
    • The granting of release from liability to the Members of the Board of Directors and to the President
    • The remunerations of the Members of the Board of Directors and Auditors
    • The number of the Members of the Board of Directors
    elected:
    • The members of the Board of Directors
    • One auditor and a reserve auditor, if necessary

Annual General Meeting

Under the Finnish Companies Act, shareholders exercise their decision-making power at General Meetings of Shareholders. A General Meeting is normally held once a year as an Annual General Meeting (AGM). A shareholder may propose items to be included on the agenda provided they are within the authority of the shareholders' meeting and the Board of Directors has been informed of the request in due time. The invitation to the AGM is published on the Company's website.

The AGM decides on matters stipulated by the Company's Articles of Association and the Finnish Companies Act, including:

  • the adoption of the Financial Statements
  • the distribution of profit for the year
  • discharging the members of the Board of Directors and CEO from liability
  • the selection of members of the Board and the decision on their remuneration
  • the election of the auditor
  • other proposals made by the Board or shareholders

Each share carries one vote in the General Meeting.

Articles of Association

More information and materials

Additional information on Annual General Meetings is available in the Materials section.

Board of directors

Members of the Board of Directors

Duties of the board of directors

The objective of the Board of Directors is to direct the company with the aim of achieving the best possible return on invested capital for shareholders in the long term.

The Board's responsibilities and duties are defined in detail in the Rules of Procedure of the Board of Directors and cover the following main areas:

  • approving the strategy of F-Secure, overseeing its operations and annual budgets
  • approving any major investments, acquisitions, changes in corporate structure or other significant decisions
  • ensuring that the supervision of the Company's accounting and financial management is duly organized
  • ensuring that internal control and risk management systems are in place
  • approving personnel policies and rewards systems
  • preparing matters to be handled by the General Meeting of shareholders

The Board of Directors meets as frequently as necessary, at least five times during its term. The Board of Directors has quorum when more than half of the members are present. An annual self-assessment is carried out by the Board to evaluate its operations.

In accordance with F-Secure's Articles of Association, the Board of Directors comprises three to seven members, who are elected at the Annual General Meeting for a period of office that extends to the following AGM. The majority of Board members shall be independent from the Company and from its major shareholders.

One member of the Board of Directors is elected from F-Secure Corporation's personnel in the following manner: an election is arranged for F-Secure personnel. Each permanent employee of F-Secure Corporation is eligible as a candidate. The Executive Committee interviews three persons who have obtained the highest number of votes in the elections, and chooses a candidate from amongst them to be proposed for election as a new member of the Board by the Annual General Meeting.

The Board's Executive Committee prepares the proposals for board candidates to be approved by the shareholders at the General Meeting. Proposals are based on candidates' skills and qualifications and on maintaining diversity on the Board of Directors. Currently both genders are represented in the Board of Directors.

Board committees

The Board has two permanent Committees: an Audit Committee and an Executive Committee (nomination and remuneration issues).

Audit Committee

The Audit Committee reviews, instructs and evaluates risk management, internal controls, IT strategy and practices, financial reporting as well as auditing of the accounts. The Audit Committee also regularly considers the need for a separate internal audit function. Members of the Audit Committee must have broad business knowledge, as well as an adequate knowledge of and experience in financial and supervisory matters. All members of the Audit Committee must be independent from F-Secure Corporation and from major shareholders in the company.

Executive Committee

The Executive Committee prepares material and gives instructions on issues related to the composition and compensation of the Board of Directors and the remuneration and incentivization of key managerial personnel. The Committee also prepares the proposals for the Board composition and remuneration for the Annual General Meeting of Shareholders.

Leadership team

Members of the leadership team

Duties of the CEO

The Board of Directors appoints the CEO and decides upon his/her remuneration and other benefits. The CEO is responsible for the day-to-day management of the Company. His/her duties include:

  • managing the business according to the instructions issued by the Board of Directors
  • presenting the matters to be handled in the Board of Directors' meetings
  • implementing the decisions made by the Board of Directors
  • other duties determined in the Companies Act

Duties of the leadership team

The Leadership Team supports the CEO in the daily operative management and development of the Company. The CEO appoints the Leadership Team members and decides upon the terms and conditions of their employment.

Remuneration

Remuneration of the board

The remuneration of the Board is decided by the Annual General Meeting. The decisions are made public after the meeting. Read more about the decisions on remuneration in the Annual General Meeting section.

Annual general meeting

Remuneration of the CEO and management

The Board of Directors decides on the remuneration and other benefits of the CEO. The CEO also belongs to the Company's long-term incentive program. The Board of Directors decides on the remuneration and other benefits of the Leadership Team.

More information on the remuneration of the CEO and Leadership team, option programs and other related issues can be found in note 27 to the financial statements in the Annual Report.

Annual report

Remuneration statement

The following statement contains broad information on remuneration issues in F-Secure. The statement has been prepared according to the Finnish Corporate Governance Recommendation for Listed Companies published by the Securities Market Association. Please find the statement below. This statement is updated on a regular basis if changes occur.


Risk management

The objective of F-Secure's risk management is to ensure a current, correct and holistic understanding and prioritized management of key uncertainties related to strategy implementation and business operations. The process and risk management methods in use are constantly developed to respond to the changing needs of the company. During 2017 the development was concentrated on the risk management framework, and a new model considering the following three risk categories was taken into use:

  • Strategic risks: Risks related to strategic objectives and competitive environment, managed by the leadership team and board of directors
  • Business risks: risks that threaten the achievement of the business objectives, identified and managed by the organizational units as part of the operational planning and management
  • Operational risks: Risks relating to the company's daily operations and processes as well as to potential disruptions, managed within the organizational units

The objective in organizing the risk management process has been to empower the organization to identify and manage risks. This approach enables understanding of risk management objectives and distribution of responsibility for risk management decision-making at an adequate level of the organization.

Different risk modelling and quantification methods developed by the F-Secure risk management consulting services are used to identify and analyze the risks when appropriate. During 2017, a new method for risk quantification was taken into use to analyze selected risks. Financial quantification is useful for analyzing cases where the risk consequence has high variation. In these cases, it is adequate to create a good understanding of the different possible outcomes of the realization of the risk prior to deciding on the risk treatment strategy.

The most significant risks and their treatment strategies are reported annually to the Audit Committee of the Board of Directors.

The most significant risks

Risks are defined as uncertainties which can impact the achievement of the Company's short and long term objectives. Risks are assessed as a combination of probability and impact.

Endpoint protection market disruption

The endpoint security market is highly competitive. Operating system manufacturers have increased their focus on built-in security features, and at the same time new vendors and technologies have emerged. Successful security vendors must have an in-depth understanding of the cyber security threat landscape and of the hacker techniques and technologies used, and must continue to innovate in defense technologies.

Market Consolidation

The cyber security market is consolidating due to economies of scale. Companies have to succeed in choosing the right acquisition targets, as well as successfully integrate target companies.

Failure to innovate and develop new technologies

In a rapidly evolving industry it is vital to keep the products and services relevant to the customers while introducing new technologies to the market. The Company is driving technology simplification and R&D effectivization initiatives as well as investments in artificial intelligence to ensure a competitive product portfolio.

Failure to attract and retain talent

Competition for capable personnel is increasing and there is a structural undersupply of talent in the security industry. The Company is thus further developing and adopting new ways of recruitment, building its own talent and knowledge pools and investing in training and development of personnel.

Other notable risks

Other risks that affect the F-Secure business include but are not limited to:

  • Intellectual property (IPR) claims against F-Secure
  • Risk exposure from contractual liability requirements
  • Failure of new product launches
  • Potential security threats related to F-Secure's products and services
  • Credit risk due to regional political or financial climate and regulation
  • Tax risk relating to changing laws and regulations and interpretations of said regulations by the relevant authorities

Internal control

The purpose of Internal Control is to ensure that operations are effective and aligned with the strategy, and that financial reporting and management information is reliable and in compliance with applicable regulations and operating principles.

Internal control consists of all the guidelines, policies, processes, practices and relevant information about organizational structure that help ensure that the business conduct is in compliance with all applicable regulations. The purpose of internal control is also to ensure that accounting and financial information provides a true and accurate reflection of the activities and financial situation of the company. Actual performance is monitored against sales and cost targets by operative reporting systems on a daily, weekly, or monthly basis.

The Company constantly monitors its key financial processes linked to sales, revenue, costs and profitability as well as incoming and outgoing payment transactions. If any inconsistencies appear, the issues are handled without delay. The Company's finance department is responsible for the consistency and reliability of internal control methods. The finance team works in close cooperation with the CFO and businesses, providing relevant data for business planning purposes and sales estimates. The team also regularly assesses and monitors the reliability of estimates and revenue recognition.

Internal audit

F-Secure's Audit Committee regularly considers the need for and appropriateness of a separate Internal Audit function. To date, the Audit Committee has concluded that, due to the size, organizational structure and largely centrally controlled financial management of the Company, a separate Internal Audit function is not necessary.

In the absence of an Internal Audit function, attention is paid to periodical review of the written guidelines and policies concerning accounting, reporting, documentation, authorization, risk management, internal control and other relevant matters in all departments. Related controls are also tested from time to time. The guidelines and policies are coordinated by the Company's finance department with active involvement by the legal team.

The absence of a separate Internal Audit function is considered when defining the scope of the Company's external audit. Where necessary, the Board may also purchase Internal Audit services from an external provider.

To facilitate transparency and exchange of information on Internal Audit related matters, the financial management team has frequent meetings with the auditors. The Audit Committee also meets regularly with the auditors and head of the Company's legal team to discuss related matters of their areas of responsibility.

The Company has taken into use two direct lines for all employees to notify the Board and Leadership Team of any unethical activity or abuse.

Insider issues

F-Secure's IR function is in charge of the company's insider issues, with the exception of project-based insider issues, which are managed by the Legal department. The Company follows the insider regulations of NASDAQ Helsinki Oy and has adopted the new Market Abuse Regulations (EU, No 596/2014, "MAR"), which came into force on 3 July 2016. F-Secure has published an internal guideline on insider issues and regularly trains employees and management on insider issues.

Insider registries

F-Secure maintains three separate lists of insiders and other persons relevant for insider issues:

  • project-based insiders (maintained by the Legal team)
  • list of persons discharging managerial responsibilities, as well as persons closely associated with them, as specified by MAR
  • other insiders, including people participating in the preparation of financial reporting or otherwise having access to significant non-published financial information.

Managers' transactions

Persons discharging managerial responsibilities ("Managers") comprise the Board of Directors, the CEO, the CFO and other members of the Leadership Team. These persons have a duty to notify F-Secure and the Finnish Financial Supervisory Authority, within three business days, of every transaction in their own account relating to Financial Instruments of F-Secure. The Company publishes these notifications as a stock exchange release, as specified by MAR. All releases published on managers' transactions are available on the Company's website.

Closed window

Insiders and their interest parties are not entitled to trade shares, options, or other securities during the 30 days prior to the publication of financial reports. Additionally, project-based insiders are never entitled to trade shares, options, or other securities for the duration of an insider project, including the day the insider information is made public.

Silent period

F-Secure observes a silent period of 21 days before each quarterly report announcement. During the silent period, the Company will arrange neither meetings nor conference calls with the investor community.

Auditors

The auditor is elected by the Annual General Meeting for a term of service ending at the close of the next Annual General Meeting. The auditor is responsible for auditing the consolidated and parent company's financial statements and accounting. The auditor reports to the Board of Directors or the Audit Committee at least once a year.
