The dust settled recently on another chapter of the Target Corp. data breach litigation. Although the five shareholder derivative lawsuits filed against Target’s officers and directors have been dismissed, they underscore the critical oversight function played by corporate directors when it comes to keeping an organization’s cyber defenses up to par. While the ink isn’t quite dry on the court papers, it’s time to start reflecting on the lessons of the skirmish.
In the midst of the 2013 holiday shopping season, news leaked that hackers had installed malware on Target’s credit card payment system and lifted the credit card information of more than 70 million shoppers. That’s almost 30 percent of the adult population in the U.S.
Predictably, litigation was filed, regulatory and congressional investigations commenced, and heads rolled. Banks, shareholders, and customers all filed lawsuits against the company. Target’s CEO was shown the door.
And Target’s directors and officers were caught in the crossfire. In a series of derivative lawsuits, shareholders claimed that the retailer’s board and C-suite violated their fiduciary duties by not providing proper oversight for the company’s information security program, not making prompt and accurate public disclosures about the breach, and ignoring red flags that Target’s IT systems were vulnerable to attack.
The four derivative cases filed in federal court were consolidated (one derivative lawsuit remained in state court) and Target’s board formed a Special Litigation Committee (SLC) to investigate the shareholders’ accusations. The SLC was vested with “complete power and authority” to investigate and make all decisions concerning the derivative lawsuits, including what action, if any, would be “in Target’s best interests.” Target did not appoint sitting independent directors but retained two independent experts with no ties to the company—a retired judge and a law professor. The SLC conducted a 21-month investigation with the help of independent counsel, interviewing 68 witnesses, reviewing several hundred thousand documents, and retaining the assistance of independent forensics and governance experts.
On March 30, 2016, the SLC issued a 91-page report, concluding that it would not be in Target’s best interest to pursue claims against the officers and directors and that it would seek the dismissal of all derivative suits.
Minnesota law, where Target is headquartered, provides broad deference to an SLC. Neither judges nor plaintiffs’ are permitted to second-guess the SLC members’ conclusions so long as the committee’s members are independent and the SLC’s investigative process is ‘adequate, appropriate and pursued in good faith.” By these standards, U.S. District Judge Paul A. Magnuson recently dismissed the derivative cases with the “non-objection” of the shareholders, subject to their lawyers’ right to petition the court for legal fees.
Target isn’t the only data-breach-related derivative case filed by shareholders against corporate officers and directors. Wyndham Worldwide Corp.’s leadership faced derivative claims relating to three separate data breaches at the company’s resort properties. After protracted litigation, the derivative claims were dismissed in October 2014, in large measure because Wyndham board’s was fully engaged on data security issues and was already at work bolstering the company’s cybersecurity defenses when the derivative suit was filed. A data-breach-related derivative action was also filed against the directors and officers of Home Depot, which remains pending.
Despite the differences between the Target and Wyndham derivative suits, both cases contain important lessons for corporate executives and sitting board members.
Treat data security as more than “just an IT issue.” Boards must be engaged on data security issues and have the ability to ask the right questions and assess the answers. Board members don’t know what they can’t see. Developing expertise in data security isn’t the objective; rather, it’s for directors to exercise their oversight function. Board members can get cybersecurity training and engage outside technical and legal advisors to assist them in protecting their organizations from data breaches.
Evaluate board information flow on cybersecurity issues. How are board members kept up-to-date on data security issues? Are regular briefings held with the chief information officer (CIO) to discuss cybersecurity safeguards, internal controls, and budgets? Boards might also consider appointing special committees and special legal counsel charged with data security oversight.
Prepare for cyberattacks in advance. Boards should ask tough questions about their organization’s state of preparedness to respond to all aspects of a cyber-attack, from reputational risk to regulatory implications. Get your house in order now, and not during or after an attack. Not surprisingly, multiple studies—including the Ponemon Institute’s 2016 Cost of Data Breach Study—suggest that there is a correlation between an organization’s up-front spending on cybersecurity preparation and the ultimate downstream costs of responding to a breach.
Decide whether and when to investigate data breaches. Before hackers strike, boards must decide whether and when to proactively investigate the breach, wait to see if lawsuits are filed, or wait to see if regulators take notice. Regardless, boards should be prepared to make this difficult decision, which will establish the tone of the company’s relationship with customers, shareholders, law enforcement, regulators, and the press.
Develop a flexible cyber-risk management framework. Cyber-risk oversight isn’t a one-time endeavor, nor is there a one-size-fits-all solution. The threat environment is constantly changing and depends, in part, on a company’s sector, profile, and type of information collected and stored. While cyber-criminals swiped credit card data in the Target and Wyndham cases, the threat environment has escalated to holding organizations hostage for ransomware payments and stealing industrial secrets.
Cybercrime is scary and unpredictable. It poses risks to a company’s brand, reputation, and bottom line. Board members are on the hot seat, vested with the opportunity and responsibility to oversee cybersecurity and protect the company they serve.
Craig A. Newman is a litigation partner in Patterson Belknap Webb & Tyler LLP and chair of the firm’s Privacy and Data Security practice. He represents public and private companies, professional service firms, nonprofits institutions and their boards in litigation, governance and data security matters. Mr. Newman, a former journalist, has served as general counsel of both a media and technology consortium and private equity firm.
The sustainability information in CSR reports is not, from our perspective, “investment-grade;” that is, it is not necessarily material, not industry specific, not comparable, and not auditable.
Business news headlines on any given day highlight the importance of sustainability issues such as resource scarcity, climate change, population growth, globalization, and transformative technologies. In today’s world, management of these and other sustainability risks and opportunities influences corporate success. Thus, understandably, investors are increasingly requesting information on how companies are managing these factors.
A concept release from the Securities and Exchange Commission (SEC) on disclosure effectiveness includes a lengthy discussion of sustainability disclosure. In the release, the SEC states that it is “interested in receiving feedback on the importance of sustainability and public policy matters to informed investment and voting decisions.” We hope that the SEC’s request for input on sustainability issues signals an understanding that the information investors consider “material”—much like the world around it—is changing. As a result, corporate disclosures should also evolve to provide investors with the information they need to make informed investment and voting decisions.
Sustainability issues are increasingly important to a company’s financial condition and operating performance, and thus merit the attention of its board. At more than 55 percent of S&P 500 companies, the board oversees sustainability, according to the Investor Responsibility Research Center Institute. Such boards are to be applauded for taking a more holistic view of risk oversight, and for getting out in front of global challenges.
This shift in focus by investors and the business community is driven by a growing recognition that sustainability issues are business issues, not only born of social or political concerns. One recent study found that when companies focus their efforts on managing material sustainability factors—namely, those critically linked to their core business—they outperform their peers with significantly higher return on sales, sales growth, return on assets, and return on equity. They also show significantly improved risk-adjusted shareholder returns.
Clearly, the board plays a key role in developing a company’s capacity to create long-term value and in safeguarding its assets. In this regard, a board’s careful consideration of information on material sustainability factors would help it to fulfill its oversight responsibilities, by assisting it in understanding, prioritizing, and monitoring business-related risks and opportunities.
For example, a board should regularly consider how its company measures, manages, and reports its material sustainability risks. A pharmaceuticals company might consider how it is addressing a $431 billion counterfeit drug market, where mitigation strategies in an increasingly complex, global supply chain could stem or reverse the loss of consumer confidence and company revenues, and prevent up to 100,000 deaths each year (see Roger Bate’s 2012 book Phake: The Deadly World of Falsified and Substandard Medicines). The plunging stock price and loss of goodwill suffered by Chipotle Mexican Grill after outbreaks of E. coli and norovirus at its restaurants demonstrate the way in which a failure to manage sustainability risk factors can seriously damage a company’s reputation and shareholder value.
Moreover, sustainability issues not only raise risks, but also present opportunities that can and should be taken into account by the board as it considers development and implementation of the company’s strategic goals.
Sustainability issues may have a material impact on a company’s ability to achieve such goals. For automakers, a strategy that incorporates fuel-efficient technologies and alternative fuels can help the company capitalize on legal and consumer trends regarding fuel economy and emissions in a market where car ownership is projected to triple by 2050.
Sustainability issues directly affect a company’s financial condition and operating performance. Therefore, it is not surprising that investors are increasingly demanding more effective and useful sustainability information. Many companies have made efforts to meet this demand through disclosures in corporate social responsibility (CSR) reports, by responding to questionnaires, or otherwise engaging with investors. The sustainability information in CSR reports is not, from our perspective, “investment-grade;” that is, it is not necessarily material, not industry specific, not comparable, and not auditable. To that point, a 2015 PwC study found that 82 percent of investors said they are dissatisfied with how risks and opportunities are identified and quantified in financial terms; 74 percent of the investors polled said they are dissatisfied with the comparability of sustainability reporting between companies in the same industry.
What the markets have lacked, until now, are standards that can guide companies in disclosing material sustainability information in a format that is decision-useful. These standards must be industry specific. Sustainability issues affect financial performance differently depending on the topic and the industry. Therefore, investors need guidance on which sustainability issues are material to which industries, and they need industry-specific metrics by which to evaluate and compare the performance of reporting companies.
The Sustainability Accounting Standards Board (SASB), an independent 501(c)(3) nonprofit, was created to address this market inefficiency. The mission of SASB is to develop and disseminate industry standards for sustainability disclosure that help public corporations provide material, decision-useful information to investors via MD&A and other relevant sections of SEC filings such as the Form 10-K and 20-F. SASB’s standards are formulated with broad market participation and draw upon metrics already used by the corporate community. They will continue to evolve, as our world, and thus material sustainability issues, change.
Investors want to place their funds in entities that have good prospects for the future. To do so, they evaluate the information that is material to a company’s prospects. Not all that information rests in the financial statements that reflect a company’s current financial condition. We believe that, in today’s world, risks and opportunities not yet reflected in a company’s financial statements influence its success. And, the information that is “material” to investors—much like the world around it—has changed.
To help companies disclose material sustainability information, the capital markets need standards for disclosure of sustainability information that are created by the market, specific to industry, and compatible with U.S. securities law.
The management and disclosure of sustainability issues merits the attention of directors. The public comment period for the SEC’s disclosure effectiveness concept release runs through July 21. This is an important opportunity for publicly held companies and their directors to be heard on these critical issues, and to stress the importance of a market standard that serves investors while not overburdening issuers.
Aulana Peters was an SEC Commissioner from 1984-1988. Elisse Walter was the 30th chair of the SEC. Peters and Walter serve on the SASB board of Directors.
North Carolina State University’s Enterprise Risk Management Initiative and Protiviti have completed their latest survey of C-level executives and directors regarding the macroeconomic, strategic, and operational risks their organizations face. More than 500 board members and C-level executives participated in this year’s study. Noting some common themes, we’ve ranked the risks in order of priority on an overall basis below. Last year’s rankings are included in parentheses:
No. 1 (previously No. 1)—Regulatory changes and scrutiny may increase, noticeably affecting the manner in which organizations’ products or services will be produced or delivered. This risk has been ranked at the top in each of the surveys we’ve conducted over the past four years, and is the top risk in many industry groups. The cost of regulation and its impact on business models remain high in many industries.
No. 2 (previously No. 2)—Economic conditions in markets the organization currently serves may significantly restrict growth opportunities. Declining oil and gas prices, equity markets, and commodity prices, in general, have contributed to economic uncertainty. Short-termism is a concern as business investment has yet to catch up with pre-financial crisis levels. A new normal may be unfolding as businesses adapt their operations to an environment of slower organic growth.
No. 3 (previously No. 3)—The organization may not be sufficiently prepared to manage cyber threats that have the potential to significantly disrupt core operations and/or damage its brand.This risk continues to be an issue of escalating concern. The harsh glare of the public spotlight on high-profile breaches at major retailers, global financial institutions and other organizations has led executives and directors to realize it is most likely not a matter of if a cyber risk event might occur, but when.
No. 4 (previously No. 4)—Succession challenges and the ability to attract and retain top talent may limit the ability to achieve operational targets. As roundtables facilitated by the National Association of Corporate Directors and Protiviti in 2015 indicated, directors understand that talent strategy is inexplicably tied to overall business strategy. Companies need talented people with the requisite knowledge, skills, and core values to execute challenging growth and innovation strategies.
No. 5 (previously No. 7)—Privacy, identity, and information security risks may not be addressed with sufficient resources. The technological complexities giving rise to cybersecurity threats also spawn increased privacy/identity and other information security risks. As the digital world enables individuals to connect and share information, it presents more opportunities for companies to lose sensitive customer and private information, in effect, creating a “moving target” for companies to manage.
No. 6 (previously No. 11)—Rapid speed of disruptive innovations and/or new technologies within the industry may outpace the organization’s ability to compete and/or manage the risk appropriately, without making significant changes to the business model. Innovation can be disruptive if it improves the customer experience in ways that the market does not expect, typically by lowering the price significantly, or by designing a product or service that transforms the way in which the consumer’s needs are fulfilled. Whereas disruptive innovations may have once taken a decade or more to transform an industry, the elapsed time frame is compressing significantly, leaving very little time for reaction. Sustaining a business model in the face of digitally enabled competition requires constant innovation to stay ahead of the change curve.
No. 7 (previously No. 6)—Resistance to change could restrict the organization from making necessary adjustments to the business model and core operations. Positioning the organization as agile, adaptive, and resilient in the face of change is top-of-mind for many executives and directors. It’s a smart move. Early movers that exploit market opportunities and respond to emerging risks are more likely to survive and prosper in a rapidly changing environment.
No. 8 (previously No. 17)—Anticipated volatility in global financial markets and currencies may create significant, challenging issues for an organization to address. There are many forces at work that intensify this risk, e.g., high asset prices, slowing global growth, China’s approach to foreign exchange, declining commodity prices, uncertainty associated with central bank policies, and less confidence in policymakers’ ability to respond to market issues quickly and effectively.
No. 9 (previously No. 5)—The organization’s culture may not sufficiently encourage timely identification and escalation of significant risk issues. The collective impact of the tone at the top, tone in the middle and tone at the bottom on risk management, compliance and responsible business behavior has a huge effect on timely escalation of risk issues to the people who matter. This is a cultural issue requiring constant attention by management and oversight by the board.
No. 10 (previously No. 9)—Sustaining customer loyalty and retention may be increasingly difficult due to evolving customer preferences and/or demographic shifts in the existing customer base. Disruptive innovations and the rapid pace of change continue to drive significant changes in the marketplace. Customer preferences are subject to rapid shifts, making it difficult to retain customers in an environment of slower growth. Sustaining customer loyalty and retention is a high priority for customer-focused organizations because senior executives know that preserving customer loyalty is more cost-effective than acquiring new customers.
A board of directors may want to consider the above risks in evaluating its risk oversight focus for the coming year in the context of the nature of the entity’s risks inherent in its operations. If the company has not identified these issues as risks, directors should consider asking why not.
Jim DeLoach is a managing director with Protiviti, a global consulting firm.