Shareholder Questionnaires Seeking Board of Director Disclosures on Cybersecurity Oversight
By R. William “Bill” Ide III and Crystal J. Clark
Shareholders are being prodded by peers, governance “thought leaders,” the media and others to obtain disclosures from boards of directors on their oversight of cybersecurity. Certain pension funds have sent extensive, joint questionnaires to directors of public companies seeking detailed information as to the cybersecurity oversight systems and controls in place. Our view is that until the SEC provides further guidance, companies will generally find it in their interest to respond to such shareholder inquiries. Such disclosures, however, should be kept at a high level to demonstrate appropriate awareness and attention, while not disclosing specifics that could compromise the company’s cybersecurity strategy or raise issues under Regulation FD.
The Rationale for Shareholder Inquiries of Directors’ Cybersecurity Oversight
Although cyber attacks have been around for decades, during the last several years they have been rapidly increasing in volume, sophistication and magnitude. Studies indicate that, on average, companies are attacked 16,856 times a year.[1] In 2014, Sony, UPS, Home Depot, JPMorgan Chase, Morgan Stanley, AOL and eBay, to name a few, all experienced major cyber breaches. The cost of cyber incidents has also increased. Studies indicate that a cyber breach can now easily cost between $80 million and $200 million.[2] Significantly, recent cyber attacks have demonstrated the substantial impact that cyber attacks can have on shareholder value. For example, after the cyber attack on Target, Target profits fell 46 percent in the fourth quarter of 2013, and the company spent an estimated $61 million addressing the breach.[3] In addition, Target is facing more than 100 lawsuits as a result of the cyber breach, and some analysts have forecast that Target’s breach-related losses could top $1 billion.[4]
In today’s world, cyber risk is a significant enterprise risk requiring appropriate attention by companies’ boards. The SEC endorses the view that “risk oversight is a key competence of the board,”[5] and SEC Commissioner Luis Aguilar has remarked that “there can be little doubt that cyber-risk also must be considered as part of board’s overall risk oversight.”[6] Just as boards are charged with overseeing the financial systems and controls of the company, boards have a duty to oversee the company’s management of cybersecurity, including assuring that risk mitigation systems, processes and controls are appropriately developed and implemented.
What is Appropriate for SEC Disclosure and for Individual Shareholder Inquiries
There is no doubt that high-level dialogue and information exchange regarding cybersecurity oversight and the role of the board can lead to greater accountability and further encourage proper oversight of this critical enterprise risk. The SEC’s Proxy Disclosure Enhancements state that “disclosure about the board’s involvement in the oversight of the risk management process should provide important information to investors about how a company perceives the role of its board and the relationship between the board and senior management in managing the material risks facing the company.”[7] Questions about the role of the board with respect to cybersecurity and whether formal cybersecurity policies have been adopted, for instance, provide accountability and assurance.
On the other hand, requests for detailed information regarding a company’s cybersecurity program are inappropriate. As SEC Commissioner Luis Aguilar has commented, “It would be neither possible nor desirable, however, for the many, widely-dispersed shareholders of any public company to come together and manage, or direct the management of, [a] company’s business and affairs.”[8] Questions regarding the results of audits and assessments or the technologies and mitigations being deployed, for instance, are too detailed and cross the line between holding a board accountable and micromanaging. Providing shareholders with too much detail regarding a company’s cyber strategy could cause greater harm than good. For example, such requests could inappropriately expose a company’s vulnerabilities and risk mitigation tactics, and thereby subject the company to greater risk of successful cyber attack by potential hackers.
In sum, we believe that uniform disclosures through the SEC process provide the best-balanced approach. Some shareholders, however, are now seeking specific information about companies’ cybersecurity efforts. Cyber risk presents a critical enterprise risk, and boards are responsible for overseeing their company’s management of this risk. Nevertheless, while it is appropriate for shareholders to ask for assurances of cybersecurity oversight, it is important for such requests to stay at a high level so as not to lead to micromanaging or create undue exposure that could subject a company to even greater risk of cyber attack.
About the Guest Bloggers:
William (“Bill”) Ide, III is a partner at McKenna Long & Aldridge LLP and serves as chairman of The Conference Board Governance Center Advisory Board. As chairman of the McKenna Long & Aldridge Governance Center, Mr. Ide represents boards of directors and companies in governance reviews, special investigations, maximizing board dynamics and governance policy development and advocacy.
Crystal J. Clark is an associate at McKenna Long & Aldridge LLP. As a member of the McKenna Long & Aldridge Governance Center, Ms. Clark represents boards of directors and companies in governance reviews, special investigations, maximizing board dynamics and governance policy development and advocacy.
[1] Data breach statistics: An information resource for data breach prevention and response, IBM (April 2014), http://www-935.ibm.com/services/us/en/it-services/security-services/data-breach/.
[2] What Investors Need to Know About Cybersecurity: How to Evaluate Investment Risks, IRRC Institute and PwC Investor Resource Institute (August 2014), http://irrcinstitute.org/pdf/cybersecurity-july-2014.pdf.
[3] Elizabeth A. Harris & Nicole Perlroth, Target Missed Signs of a Data Breach, N.Y. Times, Mar. 13, 2014, http://www.nytimes.com/2014/03/14/business/target-missed-signs-of-a-data-breach.html?_r=0.
[4] Elizabeth A. Harris & Nicole Perlroth, Cyber Attack Insurance A Challenge for Business, N.Y. Times, June 8, 2014, http://www.nytimes.com/2014/06/09/business/cyberattack-insurance-a-challenge-for-business.html?_r=0.
[5] Proxy Disclosure Enhancements, SEC Rel. No. 33-9089 (December 2009), 74 Fed. Reg. 68334, http://www.sec.gov/rules/final/2009/33-9089.pdf.
[6] SEC, Comm’r Luis A. Aguilar, Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus (June 10, 2014), http://www.sec.gov/News/Speech/Detail/Speech/1370542057946#.VDxBCbDF8XU.
[7] Proxy Disclosure Enhancements, SEC Rel. No. 33-9089 (December 2009), 74 Fed. Reg. 68334, http://www.sec.gov/rules/final/2009/33-9089.pdf.
[8] SEC, Comm’r Luis A. Aguilar, Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus (June 10, 2014), http://www.sec.gov/News/Speech/Detail/Speech/1370542057946#.VDxBCbDF8XU.