The Equifax data breach began almost nine months ago. The company announced the attack back in September 2017. In some sense, the hack that affected half the U.S. population feels like ancient history. But a data breach of that scale is going to have an extended fallout, and it has become particularly relevant this proxy season, as a number of public companies face aggressive shareholder proposals on cybersecurity.
Equifax itself is one of them. Unfortunately for the beleaguered credit-rating agency, its data breach – and its willingness to share information about it – have remained very much in the news. Just this month, it added another 2.4 million consumers to its latest count of those affected by the breach, bringing the total to 147.9 million. This followed a February statement from Senator Elizabeth Warren (D-MA), who, upon finishing a five-month investigation, concluded that Equifax “failed to disclose the full scale of the hack.” In March, the chair of the House Energy and Commerce Committee, Greg Walden (R-OR), expressed his dissatisfaction with Equifax’s response to his own committee’s probe and said that he was determined to keep digging for answers.
But Congress isn’t the only body pushing for change on cybersecurity disclosures. Shareholders, who are getting more aggressive about pushing social and environmental agendas with public companies, are pressing them on cybersecurity issues as well. This proxy season, the UAW Retirees Medical Benefits Trust, for instance, is asking Equifax for a report:
“[O]n the governance measures Equifax has implemented to more effectively monitor and manage financial and reputational risks related to cybersecurity incidents that have a material effect on the company, including whether Equifax has revised senior executive compensation metrics or policies . . . .”
The UAW isn’t alone in looking to hit executives in their own wallets over cyber-preparedness. A New York state retirement fund has submitted a proposal asking Verizon, which recently purchased the infamously breached Yahoo, to tie the compensation of senior executives to the company’s performance on cybersecurity. There’s some precedent for the proposal too, as Verizon already ties the pay of its senior execs to “diversity and carbon-intensity metrics.”
Dodging such proposals doesn’t appear to be an option either. One issuer – Express Scripts – tried to fend off a cybersecurity proposal, only to be rejected by the SEC. Two months after the Equifax breach, the New York State Comptroller filed a proposal asking Express Scripts, a huge drug-benefit manager, to report on its efforts to mitigate cyber-threats. The proposal noted that the healthcare industry is a popular target for cyber-attacks. Express Scripts tried to reject the proposal, arguing that it dealt with ordinary business and not the kind of “significant policy” issues that can be put to a shareholder vote. The SEC, however, just denied that request.
It appears that shareholder questions on cybersecurity – like stories about the Equifax breach – are going to be with us for a long time to come.