Target’s high-profile data breach made headlines worldwide. Despite this, neither Target’s 2014 proxy statement nor the company’s initial annual meeting-related engagement materials discussed in a meaningful way the massive data theft or the board’s responses to it.
After investors’ concerns emerged before the meeting, the company engaged in a solicitation effort to defend the board’s response to the breach. When the votes were tallied, none of the members of Target’s audit and governance panels received support from more than 81 percent of the votes cast. Target lead director James A. Johnson received the lowest support: 62.9 percent of the votes cast.
In the direct wake of the 2014 data breach issues and the dearth of proxy-related disclosure on those matters, SEC Commissioner Luis A. Aguilar fired a shot across the bow of boards that lack disclosure. In a June 10, 2014, speech (“Boards of Directors, Corporate Governance and Cyber Risks: Sharpening the Focus”) delivered at a New York Stock Exchange (NYSE)-hosted cybersecurity conference, Aguilar said, “[B]oard oversight of cyber-risk management is critical to ensuring that companies are taking adequate steps to prevent, and prepare for, the harms that can result from such attacks. There is no substitution for proper preparation, deliberation, and engagement on cybersecurity issues.”
Pointing to the wide damage crater caused by cyber events, Aguilar said that the boardroom plan should include “whether, and how, the cyber-attack will need to be disclosed internally and externally (both to customers and to investors).”
Shareholders care about breaches
Are shareholders apathetic about data breaches? Some reports equate the lack of sharp, downward stock movements in the wake of disclosures of hacks or other data breaches (or quick rebounds from such price drops when they occur) with shareholder apathy over cybersecurity problems. In a recent Harvard Business Review article (“Why Data Breaches Don’t Hurt Stock Prices,” March 31, 2015), cybersecurity strategist Elena Kvochko and New York Times Chief Technology Officer Rajiv Pant dismiss this easy explanation. They argue that muted stock price reactions to data breaches reflect the absence of timely information and quality tools to price cyber risk: “Shareholders still don’t have good metrics, tools, and approaches to measure the impact of cyber attacks on businesses and translate that into a dollar value . . . The long and mid-term effects of lost intellectual property, disclosure of sensitive data, and loss of customer confidence may result in loss of market share, but these effects are difficult to quantify.” Faced with this information vacuum, Kvochko and Pant noted that “shareholders only react to breach news when it has direct impact on business operations, such as litigation charges (for example, in the case of Target) or results in immediate changes to a company’s expected profitability.”
Indeed, stock prices may not tell the whole story. Contrary to the conventional wisdom, recent survey data show investors understand the long-term risks stemming from hacks and they may actually shy away from investing in companies with multiple breaches. A recent survey of more than 130 global institutional investors with an estimated $3 trillion under management, conducted by FTI Consulting on behalf of consulting giant KPMG LLP, found that cyber events may affect investors’ confidence in the board and demand for the affected companies’ shares.
Investors opined that less than half of the boards of the companies that they currently invest in have adequate skills to manage rising cyberthreats. They also believe that 43 percent of board members have “unacceptable skills and knowledge to manage innovation and risk in the digital world.”
More ominously for boards, four of five investor respondents (79 percent) suggested that they may blacklist stocks of hacked firms. As for a remedy, 86 percent of the surveyed investors told KPMG and FTI that they want to see increases in the time boards spend on addressing cyber risk.