Search the Site

Issuers Take Their Medicine on Cyber Risk Proposals

Issuers Take Their Medicine on Cyber Risk Proposals

The Equifax data breach began almost nine months ago. The company announced the attack back in September 2017. In some sense, the hack that affected half the U.S. population feels like ancient history. But a data breach of that scale is going to have an extended fallout, and it has become particularly relevant this proxy season, as a number of public companies face aggressive shareholder proposals on cybersecurity.

Equifax itself is one of them. Unfortunately for the beleaguered credit-rating agency, its data breach – and its willingness to share information about it – have remained very much in the news. Just this month, it added another 2.4 million consumers to its latest count of those affected by the breach, bringing the total to 147.9 million. This followed a February statement from Senator Elizabeth Warren (D-MA), who, upon finishing a five-month investigation, concluded that Equifax “failed to disclose the full scale of the hack.” In March, chair of the House Energy and Commerce Committee, Greg Walden (R-OR), expressed his dissatisfaction with Equifax’s response to his own committee’s probe and said that he was determined to keep digging for answers.

But Congress isn’t the only body pushing for change on cybersecurity disclosures. Shareholders, who are getting more aggressive about pushing social and environmental agendas with public companies, are pressing them on cybersecurity issues as well. This proxy season, the UAW Retirees Medical Benefits Trust, for instance, is asking Equifax for a report:

[O]n the governance measures Equifax has implemented to more effectively monitor and manage financial and reputational risks related to cybersecurity incidents that have a material effect on the company, including whether Equifax has revised senior executive compensation metrics or policies . . . .”

The UAW isn’t alone in looking to hit executives in their own wallets over cyber-preparedness. A New York state retirement fund has submitted a proposal asking Verizon, which recently purchased the infamously breached Yahoo, to tie the compensation of senior executives to  the company’s performance on cybersecurity. There’s some precedent for the proposal too, as Verizon already ties the pay of its senior execs to “diversity and carbon-intensity metrics.”

Dodging such proposals doesn’t appear to be an option either. One issuer – Express Scripts – tried to fend off a cybersecurity proposal, only to be rejected by the SEC. Two months after the Equifax breach, the New York State Comptroller filed a proposal asking Express Scripts, a huge drug-benefit manager, to report on its efforts to mitigate cyber-threats. The proposal noted that the healthcare industry is a popular target for cyber-attacks. Express Scripts tried to reject the proposal, arguing that it dealt with ordinary business and not the kind of “significant policy” issues that can be put to a shareholder vote. The SEC, however, just denied that request.

It appears that shareholder questions on cybersecurity – like stories about the Equifax breach – are going to be with us for a long time to come.

Related Articles

U.S. Cannabis Law Opens Door to Canadian Invasion

Federal law makes the possession and sale of marijuana illegal throughout the United States. As we’ve long known, this federal policy keeps American...

Retailers Adjust to the Amazon Effect

When founder Jeff Bezos introduced Amazon.com to the world more than 20 years ago, it was supposed to signal the demise of the bookstore. The threa...

Amazon has Healthcare Fever: Six Symptoms You Should Recognize

It’s obvious that Amazon is becoming a player in the healthcare space. And it’s making plenty of people in the industry sick. A mere sneeze out...