The Conference Board Governance Center Blog

Jun
04
2014

Did ISS get it right in recommending a vote against Target’s directors?

By Donna Dabney, Executive Director, Governance Center, The Conference Board

Several news sources recently reported that ISS is recommending a vote against seven of Target’s ten directors because they served on the Audit Committee or the Corporate Responsibility Committee at the time of the well-publicized data breach at Target last year.  How directors satisfy investors about the quality of their oversight is one of the key issues identified by The Conference Board Task Force on Investor Engagement in its reports released in March.1 That issue—the quality of director oversight–is front and center of the ISS recommendation to vote against seven of Target’s ten directors.

In examining a recommendation to vote against directors, it is important to consider the role of directors in governance of a public company.  It is well accepted that directors are responsible for assuring systems are in place to detect, prevent, and respond to important risks to the enterprise.

While we don’t know all the facts in the Target situation, publicly available information indicates the following.

Target’s Audit Committee is charged under its charter with reviewing and discussing with management its approach to risk assessment and risk management, including the risk of fraud, and the commitment of internal audit resources to audit the Corporation’s guidelines, policies, and procedures to mitigate identified risks.

In its proxy statement, Target states that the Corporate Responsibility Committee has oversight of reputational risk.

The Target proxy statement lays out a typical allocation of risk management responsibilities.

The primary responsibility for the identification, assessment and management of the various risks that we face belongs with management. The Board’s oversight of these risks occurs as an integral and continuous part of the Board’s oversight of our business.

A detailed report from BloombergBusinessweek2 indicates the following facts regarding the data breach:

1. Target had taken action to prepare for such an attack. Six months earlier the company began installing a malware detection tool made by the computer security firm FireEye, whose customers also include the CIA and the Pentagon. Target had a team of security specialists in Bangalore to monitor its computers around the clock. If Bangalore noticed anything suspicious, Target’s security operations center in Minneapolis would be notified.

2. The security system alerted the team in Minneapolis on a timely basis, as it was designed to do.

3. For some reason, the security team in Minneapolis did not react to the alert until after the data had been breached.

In a June 2, 2014 supplemental filing with the Securities and Exchange Commission, the interim chair of Target’s board of directors made the following points regarding cyber security:

Your Board fully recognizes the importance of its oversight responsibilities in this area. Under the Board’s leadership and oversight, Target took significant action to address evolving cyber-crime risks before the breach, by:

    • Investing hundreds of millions of dollars in network security personnel, processes, technology and related resources
    • Dedicating more than 300 employees to information security (more than double from five years ago)
    • Requiring annual data security training for all Target employees (more than 350,000)
    • Operating a Security Operations Center staffed around the clock with trained professionals to review suspicious network activity
    • Investing in network monitoring technology to enhance Target’s ability to detect potential cyber-attacks
    • Becoming a founding member of the National Cyber-Forensics & Training Alliance (NCFTA), a partnership of public, private and academic participants focused on identifying, mitigating and neutralizing cyber-threats

The board’s role is to understand whether management has properly identified an important risk and has systems in place to monitor and mitigate the risk. Apparently at Target, cyber security risk was identified and management had systems in place to address the risk. News reports indicate the issue arose from human error – security personnel did not react to the system alerts.

The role of directors is one of oversight, not of day to day management. Directors cannot be expected to manage security personnel to ensure that they are doing their job; this role is clearly and squarely a management function.

Based on publicly available data, it would appear that the ISS decision to recommend a vote against seven out of ten directors on the Target board due to the data breach appears to be wrong on many levels.

1. It expands the board’s role from one of oversight to one of management.

2. It ignores the disruption and impact on shareholder value that changing out 70 percent of the board may cause to a company that is already under stress and undergoing a search for a new CEO.

3. It does not appear to take into account the quality of the directors it is recommending against.

4. It targets directors who served on two committees, yet it is not clear that the full board delegated oversight of cyber security risk to those committees.

We don’t know what happened in the board room at Target, and we don’t know whether ISS has reasons not publicly expressed that would justify this extraordinary action.

Clearly, directors play a central role in overseeing public companies and an investor’s right to vote on directors is key to assuring accountability.  At the same time, voting against directors is a remedy that most investors believe should be used only when the facts clearly support that result.  The Target case is evidence that companies and investors need to work together to identify better ways to give investors insight into the quality of board oversight.  Over the next year, The Conference Board Governance Center will be working to identify where this is being done effectively.

About the Blogger:

 

Donna Dabney, Executive Director, The Conference Board Governance Center

Donna Dabney, Executive Director, The Conference Board Governance Center

Donna Dabney joined The Conference Board as Executive Director, Governance Center, in August, 2012. In her current position, Donna leads The Conference Board’s efforts in the areas of corporate governance and sustainable value creation. Prior to joining The Conference Board, Donna was Vice President, Corporate Secretary and Corporate Governance Counsel of Alcoa Inc. and she participated for over 15 years in board and committee meetings of Alcoa and Reynolds Metals Company. As part of her work with the Alcoa Board of Directors, she gained experience with sustainable development in the Amazon region of Brazil. Donna is a member of the board of directors of American Forests, the oldest national conservation organization in the U.S., the New York Advisory Board of the Society of Corporate Secretaries and Governance Professionals and previously served on the board of a public/private consortium promoting development in Richmond, Virgina.


[1] The Conference Board Task Force Recommendations can be found at www.conferenceboard.org/governance.

[2] “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It”, Michael Riley, Ben Elgin, Dune Lawrence, and Carol Matlack BloombergBusinessWeek, Technology (March 13, 2014)



You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

2 Responses to “Did ISS get it right in recommending a vote against Target’s directors?”

  1. Donna is right to raise this issue and she does it well. I haven’t seen the ISS report, but from what Donna presents, voting against members of Target’s Audit committee looks too much like scapegoating.

    Contrast their actions with the Board of Netflix. Last year shareowners passed three proxy proposals by wide margins, ranging from 81%-96% to repeal supermajority requirements, institute majority voting for directors and to repeal the classified board. The Netflix board ignored these and other similar votes by shareowners going back to 2011.

    I don’t know ISS’ recommendation on Netflix but that is a board they should be targeting for replacement.

  2. Donna is right to raise this issue and she does it well. I haven’t seen the ISS report, but from what Donna presents, voting against members of Target’s Audit committee looks too much like scapegoating.

    Contrast their actions with the Board of Netflix. Last year shareowners passed three proxy proposals by wide margins, ranging from 81%-96% to repeal supermajority requirements, institute majority voting for directors and to repeal the classified board. The Netflix board on these and other similar votes by shareowners going back to 2011.

    I don’t know ISS’ recommendation on Netflix but that is a board they should be targeting for replacement.

Leave a Reply