Issuers Take Their Medicine on Cyber Risk Proposals

The Equifax data breach began almost nine months ago. The company announced the attack back in September 2017. In some sense, the hack that affected half the U.S. population feels like ancient history. But a data breach of that scale is going to have an extended fallout, and it has become particularly relevant this proxy season, as a number of public companies face aggressive shareholder proposals on cybersecurity.

Equifax itself is one of them. Unfortunately for the beleaguered credit-rating agency, its data breach – and its willingness to share information about it – have remained very much in the news. Just this month, it added another 2.4 million consumers to its latest count of those affected by the breach, bringing the total to 147.9 million. This followed a February statement from Senator Elizabeth Warren (D-MA), who, upon finishing a five-month investigation, concluded that Equifax “failed to disclose the full scale of the hack.” In March, chair of the House Energy and Commerce Committee, Greg Walden (R-OR), expressed his dissatisfaction with Equifax’s response to his own committee’s probe and said that he was determined to keep digging for answers.

But Congress isn’t the only body pushing for change on cybersecurity disclosures. Shareholders, who are getting more aggressive about pushing social and environmental agendas with public companies, are pressing them on cybersecurity issues as well. This proxy season, the UAW Retirees Medical Benefits Trust, for instance, is asking Equifax for a report:

“[O]n the governance measures Equifax has implemented to more effectively monitor and manage financial and reputational risks related to cybersecurity incidents that have a material effect on the company, including whether Equifax has revised senior executive compensation metrics or policies . . . .”

The UAW isn’t alone in looking to hit executives in their own wallets over cyber-preparedness. A New York state retirement fund has submitted a proposal asking Verizon, which recently purchased the infamously breached Yahoo, to tie the compensation of senior executives to the company’s performance on cybersecurity. There’s some precedent for the proposal too, as Verizon already ties the pay of its senior execs to “diversity and carbon-intensity metrics.”

Dodging such proposals doesn’t appear to be an option either. One issuer – Express Scripts – tried to fend off a cybersecurity proposal, only to be rejected by the SEC. Two months after the Equifax breach, the New York State Comptroller filed a proposal asking Express Scripts, a huge drug-benefit manager, to report on its efforts to mitigate cyber-threats. The proposal noted that the healthcare industry is a popular target for cyber-attacks. Express Scripts tried to reject the proposal, arguing that it dealt with ordinary business and not the kind of “significant policy” issues that can be put to a shareholder vote. The SEC, however, just denied that request.

It appears that shareholder questions on cybersecurity – like stories about the Equifax breach – are going to be with us for a long time to come.
