What trends will heat up the next proxy season and beyond? That’s a burning question for the 80 percent of public companies that hold annual meetings during the first half of the year according to statistics from Broadridge, as well as for those that will wrap up the year later in the fall mini-season. Prognosticating what’s to come this season is no easy task, since proxy season is a complex process.
Sometimes the trends we predict are no more than wishful thinking. To make plausible predictions, we must find empirical clues from shareholder resolutions (hundreds each year), director elections (at thousands of companies each year), and then consider the activity that happens behind the scenes in private dialogue.
Bearing in mind our evidence, we can ask a number of questions:
What new rules will be effective? New requirements will raise expectations during this proxy season.
What proposals were most successful in 2017? Success (getting more than a 50 percent vote) emboldens proponents, so these issues are unlikely to go away.
What proposals were most frequent in 2017? Even if vote tallies are low, proponents may try again.
What proposals or other actions are being planned right now for the 2018 spring season, based on survey data and other sources?
After seeking answers, we will conclude with what we think will be hot in the 2018 proxy season.
Clue 1: What new rules or policies will be effective?
Proxy seasons can be shaped by new rules put in place by the Securities and Exchange Commission (SEC), as well as by new voting policies from proxy advisors such as Institutional Shareholder Services (ISS). This spring, a few major developments are notable. First, this is the first year that the pay ratio rule will require disclosure of the ratio between the total pay of a company’s median employee and its CEO (or, alternatively, the median total pay of all the company’s employees, minus the CEO). Despite new SEC guidance on calculation, the results, when disclosed prior to the annual meeting, are likely to spark some shareholder outcry at annual meetings.
A few additional issues stand out based on 2018 ISS Americas Proxy Voting Guidelines Updates. ISS has said that it will support shareholder proposals asking for more disclosure on environmental risk, and its updates point to recent policy changes from the Task Force on Climate-Related Financial Disclosures (TCFD). “The updates to ISS’ climate change risk policy better aligns it with the TCFD’s recommendations, which explicitly seek transparency around the board and management’s role in assessing and managing climate-related risks and opportunities,” the report says. Other proxy season trends may include more support for resolutions opposing excessive director pay and resolutions supporting gender pay equity, as predicted in this recent report from Gibson Dunn.
Clue 2: What proposals were successful last year?
Let’s look at the most successful proposals at the 250 largest companies by revenue throughout 2017 according to full-year data from Proxy Monitor. This source is representative of broader trends because, as noted in Proxy Monitor’s early 2017 overview, shareholder proposals are more common at the largest companies. Moreover, “the companies in the Proxy Monitor database encompass the majority of holdings for most diversified investors in the equity markets, making this analysis appropriate for the average shareholder.”
According to the report, governance proposals seem to take the prize. Fifteen of the 294 proposals at the top 250 public companies in 2017, or about 5 percent of the 294 proposals from investors, received a majority vote. Most of these winners can be called “corporate governance” proposals, rather than social issues. Three were for environmental impact reports (at Occidental Petroleum Corp., Exxon Mobil Corp., and PPL Corp.), but all the rest had to do with governance.
Five proposals were victories for proxy access (National Oilwell Varco, Humana, IBM, and Kinder Morgan, Inc.), five for simple majority voting (Cognizant Technology Solutions Corp., Marathon Petroleum Corp., L Brands, Paccar, and First Energy Corp.) and two were specific governance proposals. Shareholders at CVS Health Corp. voted to reduce required ownership to call a special meeting, and shareholders at ADP voted to repeal a bylaw provision that had been adopted without shareholder approval. That vote happened in November, in the so-called “mini-season” (the one experienced by the 20 percent of companies that hold their annual meeting in the second half of the year).
Clue 3: What proposals were most frequent last year?
Now let’s look at the resolutions proposed most frequently last year. Looking again at the 294 resolutions studied in the Proxy Monitor data, the trends are clear. Classifying the proposals generally into the three categories, we see that social policy, with 164 resolutions, was the most popular proposal category, followed by corporate governance issues at 107. Executive compensation did not draw shareholder ire; only 23 resolutions focused on it, down from higher levels in the past.
Within social policy, the double-digit issues raised across at least 10 companies were environmental (48 issues were proposed—or 52 if you count four “sustainability metrics” proposals), lobbying (38), political spending (13), employment rights (17), gender equality (12), and human rights (12).
Diversity proposals are also notable. Although they were relatively rare compared to other 2017 issues, they showed signs of growth. There were only three such proposals at major companies the previous year, while there were five in 2017. Furthermore, although they did not propose board diversity resolutions, State Street Corp., a major institutional investor, voted against directors serving on nominating committees for boards without women, and BlackRock also voted no at some boards over the diversity issue.
Within corporate governance, the double-digit issues were chair independence (28 resolutions), proxy access (22), and special meetings (15). Remaining corporate governance issues were introduced at 9 or fewer companies. Although ISS flagged director overboarding as an issue for 2017 and revised its guidelines accordingly, there were no proposals about this last year.
Finally, within executive pay, no particular issue dominated. Various new requirements in pay approval and pay disclosure (say on pay, pay ratio, etc.) have largely resolved this issue.
Clue 4: What proposals or other actions are being planned for 2018?
As of early January 2018, we have little data on shareholder resolutions to be included in 2018 proxy statements. While some companies have already released their 2018 proxies, none of these contain shareholder resolutions. However, we do know what ISS is recommending with respect to shareholder resolutions in the newest revisions to its proxy voting guidelines for 2018.
As reported in the Wall Street Journal on December 22, companies preparing their 2018 proxy statements can expect “continuing pressure from investors to enhance disclosures regarding board composition, climate change risk, and cybersecurity.” The prediction is based on a survey conducted by executive search firm Russell Reynolds. Secondary trends included the usual mix of corporate governance, board composition, and executive compensation.
Of course, shareholder proposals are not the only way to change a company. Instead of submitting a shareholder resolution on an issue, a shareholder can wage a so-called proxy fight by sending investors a separate proxy voting card with an alternative slate of directors, or, in the case of companies with proxy access, by including a dissident slate in the company’s proxy. (There is still no such thing as a universal proxy card that allows investors to mix and match candidates from the nominating committee and dissidents, despite an SEC proposal in that regard.) According to FactSet, 2017 saw 75 proxy fights for board seats. While this is fewer than in 2016—which at 101 proxy fights was a banner year—the battles were waged upon household names: ADP, General Motors Co., and Procter & Gamble Co., among others.
What’s Hot and Why
Here is our short-list of five proxy issues that are likely to appear in 2018.
Pay Ratio. Shareholders will be reading these disclosures for the first time.
Environmental proposals. They have been both frequent and successful in recent times, and ISS is drawing attention to them again this year.
Governance mechanics. Why? Because they matter. They are rarely discussed by bloggers due to their dry and technical nature, but governance issues continue to be popular proxy issues, with more than 100 last year, and with the highest rate of success (12 wins last year—a strong result since majority votes on resolutions remain extremely rare).
Activism. As Douglas Chia, head of corporate governance at the Conference Board, stated in a recent Equilar report, “public company boards will have their work cut out for them in 2018 with activism continuing to dominate the governance landscape.”
Now that the U.S. Securities and Exchange Commission (SEC) has released an order approving the Public Company Accounting Oversight Board’s (PCAOB) new rules on the auditor’s report, what items should the audit committee and shareholders look for there?
The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion and Related Amendments to PCAOB Standards, released by the PCAOB June 1 and approved by the SEC October 23, contains five main changes, including one that requires careful reading between the lines.
As NACD summarized in a recent brief to its members, the new PCAOB standard will require auditors to:
Standardize the format of the auditor’s report, placing the auditor’s opinion in the first section of the auditor’s report, followed by the basis for the opinion. This change makes the auditor’s opinion easier to find in the auditor’s report.
Disclose the auditor’s tenure, stating when the audit firm began its current service to the company. This new requirement comes in lieu of limiting audit firm tenure through mandatory audit firm rotation, a concept NACD and others have rejected in the past.
State that the auditor is required to be “independent.” This requirement is intended to strengthen shareholder confidence in the auditor’s report, possibly as an offset to the tenure disclosure, if it reveals that the auditor has been serving the client for more than a quarter century, for example.
State that the financial statements are free from material misstatements “whether due to error or fraud.” This change aligns with other recent or pending regulations on error vs. fraud, such as the proposed executive pay clawbacks rule still pending under Dodd-Frank, which mandated disgorgement of performance-based pay after financial restatements even if restatements were due to error rather than to fraud.
Report on critical audit matters (CAMs), defined as “matters communicated or required to be communicated to the audit committee and that: (1) relate to accounts or disclosures that are material to the financial statements; and (2) involved especially challenging, subjective, or complex auditor judgment.” A number of commenters said that the CAMs mandate is “redundant” with existing reports, which already reveal the required information. See for example NACD’s comment to the PCAOB or State Street’s comment.
The key letter in CAM is M, for material. For those who may wonder what may be “material” to the financial statements, join the club. The SEC has still never defined this term, leaving this job to the courts as they interpret federal securities laws.
The going definition of “material” is more than 40 years old. The SEC release cites TSC Industries v. Northway, Inc., 426 U.S. 438, 449 (1976), in which the U.S. Supreme Court states that a fact is material if there is “a substantial likelihood that the . . . fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.” In that same case, the Supreme Court said that determining materiality requires “delicate assessments of the inferences a ‘reasonable shareholder’ would draw from a given set of facts and the significance of those inferences to him . . .”
Such wisdom is not lost on the PCAOB and SEC. In its June 1 release, the PCAOB cites as CAMs the auditor’s evaluation of the company’s “goodwill impairment assessment” and, more broadly, the auditor’s assessment of the company’s “ability to continue as a going concern.” These two examples are material to financial statements. By contrast, the following two examples are not material to the financial statement: a loss contingency already discussed with the audit committee and “determined to be remote;” and a “potential illegal act.”
Audit committees need to ensure that their auditors are in a position to recognize critical audit matters, and to learn from those matters. But this does not mean looking for problems where there are none.
Significantly, SEC Chair Jay Clayton had this to say about the new standard:
“I would be disappointed if the new audit reporting standard, which has the potential to provide investors with meaningful incremental information, instead resulted in frivolous litigation costs, defensive, lawyer-driven auditor communications, or antagonistic auditor-audit committee relationships — with Main Street investors ending up in a worse position than they were before.
I therefore urge all involved in the implementation of the revised auditing standards, including the Commission and the PCAOB, to pay close attention to these issues going forward, including carefully reading the guidance provided in the approval order and the PCAOB’s adopting release.”
To Chairman Clayton’s point, the SEC makes this point in its approval order:
“As the [PCAOB] notes, in order to succeed, any claim based on these new statements would have to establish all of the elements of the relevant cause of action (e.g., when applicable, scienter, loss causation, and reliance). Moreover, as discussed above, CAMs could be used to defend as well as initiate litigation. … However, because of these risks and other concerns expressed by commenters, we expect the Board to monitor the Proposed Rules after implementation for any unintended consequences.” (SEC approval order, pp. 32–33)
Shareholders and others should read between the lines of auditor’s report (appreciating the regulations behind it), but they should not expect auditors to “look under rocks” to find problems. That is the job of management, internal control, and the audit committee. The auditor’s job is to focus on the audit of the financial statements to ensure that they conform to generally accepted accounting principles (GAAP). Given the complexity of GAAP, that is a big enough job as it is.
The CAM standard can’t be mastered overnight and won’t be required any time soon. Auditors of large accelerated filers will not be required to adopt CAM changes until audits of fiscal years ending on or after June 30, 2019—with audits of all remaining filers to adopt CAM changes for fiscal years ending on or after December 15, 2020.
By contrast, all the other changes will apply to audits of fiscal years ending on or after December 15, 2017. That means, essentially, that auditors must work on this immediately, since most companies they are working with right now have fiscal years ending December 31, 2017. (According to Audit Analytics, 71 percent of public companies have a fiscal year ending December 31.)
So now is the time to prepare for the changes! In its above-cited report on the new rule, NACD prepared questions for directors to ask, along with related resources.
Questions for Boards
For which fiscal year will our auditor first be required to report on CAMs?
What areas during the audit do we anticipate our auditor will find challenging, subjective, or complex—and how can we preemptively address those concerns?
How will the auditor’s insights in the newly expanded report affect our ongoing work as we prepare the audit committee report for the proxy and review risk disclosures in the annual report on Form 10-K?
Undergraduate, graduate, and professional students of cybersecurity from around the world gathered earlier this year to participate in a cybersecurity competition that simulated the international policy challenges associated with a global cyberattack. While the goal was to practice sound policy decisions, the majority of competing teams unintentionally led the U.S. into starting an international war. Given a variety of diplomatic and other means of responding to cyberattacks, participants largely took the aggressive approach of hacking back in response to cyberattacks from China, with disastrous consequences.
While the competition’s participants are all students today, they may well go on to be corporate directors and government leaders of tomorrow. Based on current debate about how organizations in the private sector should respond to cyberattacks, it seems the actions taken by these students may well be representative of a broader trend. In fact, there is enough of a push for organizations to be legally authorized to “hack back” that earlier this year a member of Congress proposed a bill to empower people “to defend themselves online, just as they have the legal authority to do during a physical assault.”
As a business leader, I believe this measure would do more harm than good.
What Is Hack Back?
Hack back, which is sometimes called counterstrike, is a term used to refer to an organization taking offensive action to pursue, and potentially subdue, cyberattackers that have targeted them. For the purposes of this article, I am specifically talking about action taken by private sector organizations that affects computers external to their own network. We are not discussing government actions, which tend to occur within existing legal frameworks and are subject to government oversight.
Hack back activities go beyond defensive measures that organizations may put in place to protect their environments. It is generally understood that hack back activities extend beyond the victim’s own network, systems, and assets, and may involve accessing, modifying, or damaging computers or networks that do not belong to the victim. Directors should note that today it is illegal under the Computer Fraud and Abuse Act for private parties to access or damage computer systems without authorization from the technology owners or an appropriate government entity, even if these systems are being used to attack you. That is what proponents of hack back want to change, and the proposed bill goes some way towards doing this.
The Case for “Self Defense”
In response to the legal restriction, proponents of a law to legalize hacking back at cyberattackers often argue that the same principle should apply as that which allows US citizens to defend themselves against intruders in their homes, even with violent force. While it may sound reasonable to apply equal force to defend a network, the Internet is a space of systems designed specifically for the purpose of interacting and communicating. Technology and users are increasingly interconnected. As a result, it’s almost impossible to ensure that defensive action targeted at a specific actor or group of actors will only affect the intended targets.
The reality of the argument for hacking back in self-defense is unfortunately more akin to standing by your fence and lobbing grenades into the street, hoping to get lucky and stop an attacker as they flee. With such an approach, even if you do manage to reach your attacker, you’ll almost certainly cause terrible collateral damage. Can your organization afford to clean up such a mess? What would be the repercussions for your reputation and position in the marketplace?
Another significant challenge for private sector organizations looking to hack back is that, unlike governments, they typically do not have the large-scale, sophisticated intelligence gathering programs needed to accurately attribute cyberattacks to the correct actor. Attackers constantly change their techniques to stay one step ahead of defenders and law enforcement, including leveraging deception techniques. This means that even when there are indications that point to a specific attacker, it is difficult to verify that they have not been planted to throw off suspicion, or to incriminate another party.
Similarly, it is difficult to judge motivations accurately and to determine an appropriate response. There is a fear that once people have hack back in their arsenal, it will become the de facto response rather than using the broad range of options that exist otherwise. This is even more problematic when you consider that devices operating unwillingly as part of a botnet may be used to carry out an attack. These infected devices and their owners are as much victims of the attacker as the primary target. Any attempt to hack back could cause them more harm.
The Security Poverty Line
Should hack back be made a lawful response to a cyberattack, effective participation is likely to be costly, as the technique requires specialized skills. Not every organization will be able to afford to participate. If the authorization framework is not stringent, many organizations may try to participate with insufficient expertise, which is likely to be either ineffective or damaging, or potentially both. However, there are other organizations that will not have the maturity or budget to participate even in this way.
These are the same organizations that today cannot afford a great deal of in-house security expertise and technologies to protect themselves, and currently are also the most vulnerable. As organizations that do have sufficient resources begin to hack back, the cost of attacking these organizations will increase. Profit-motivated attackers will eventually shift towards targeting the less-resourced organizations that reside below the security poverty line, increasing their vulnerability.
A Lawless Land
Creating a policy framework that provides sufficient oversight of hack-back efforts would be impractical and costly. Who would run it? How would it be funded? And why would this be significantly more desirable than the status quo? When the U.S. government takes action against attackers, it must meet a stringent burden of proof for attribution, and even when that has been done, there are strict parameters determining the types of targets that can be pursued and the kind of action that can be taken.
Even if such a framework could be devised and policed, there would still be significant legal risks posed to a variety of stakeholders at a company. While the Internet is a borderless space accessed from every country in the world, each of those countries has its own legal system. Even if an American company were authorized to hack back, how could you ensure your organization would avoid falling afoul of the laws of another country, not to mention international law?
What Directors Can Do
The discussion around hacking back so far has largely been driven by hyperbole, fear, and indignation. Feelings of fear and indignation are certainly easy to relate to, and as corporate directors, powerlessness does not sit well with us. It is our instinct and duty to defend our organizations from avoidable harm.
The potential costs of a misstep or unintended consequences from hack back should deter business leaders from undertaking such an effort. If another company or a group of individuals is affected, the company that hacked back could see themselves incurring expensive legal proceedings, reputational damage, and loss of trust by many of their stakeholders. Attempts to make organizations exempt from this kind of legal action are problematic as it raises the question of how we can spot and stop accidental or intentional abuses of the system.
It’s one thing for students to unintentionally trigger war in the safe confines of a competitive mock scenario, and another thing entirely to be the business leader that does so in the real world. Directors of companies must instead work together to find better solutions to our complex cybersecurity problems. We should not legitimize vigilantism, particularly given the significant potential risks with dubious benefits.
Corey Thomas is CEO of Rapid7. All opinions expressed here are his own.