The major cyber breach that Yahoo announced last week has ripple effects not only for the multimedia platform, but for every company. The incident already has caught the attention of a senator who is calling on the U.S. Securities and Exchange Commission (SEC) to investigate how Yahoo disclosed the breach to shareholders and the public.
Background on the Breach
Ashley Marchand Orme
Account data for at least 500 million users was stolen by what Yahoo has called a “state-sponsored actor” in what CNN Money calls one of the largest data breaches ever. Compromised information includes names, email addresses, phone numbers, dates of birth, encrypted passwords, and security questions.
Yahoo has not named a country of origin for the hacker. The company, which Verizon is seeking to acquire, is still one of the busiest online sites, boasting one billion monthly users.
The breach occurred in late 2014, according to Yahoo, but the company just disclosed the incident in a press release dated Sept. 22, 2016. The Financial Times reports that Yahoo CEO Marissa Mayer may have known about the breach as early as July of this year, raising questions as to why it wasn’t disclosed sooner.
Attention From Lawmakers
Sen. Mark R. Warner (D.-VA), a member of the Senate Intelligence and Banking Committees and cofounder of the Senate Cybersecurity Caucus, sent a letter to the SEC yesterday asking the agency to investigate whether Yahoo complied with federal securities law regarding how and when it disclosed the incident.
“Data security increasingly represents an issue of vital importance to management, customers, and shareholders, with major corporate liability, business continuity, and governance implications,” the senator wrote.
Warner—who cofounded the company that became Nextel, a wireless service operator that merged with Verizon—also told the SEC that “since published reports indicate fewer than 100 of approximately 9,000 publicly listed companies have reported a material data breach since 2010, I encourage you to evaluate the adequacy of current SEC thresholds for disclosing events of this nature.”
And Warner isn’t the only lawmaker pushing for increased cyber regulations. Earlier this month, New York Governor Andrew Cuomo (D-NY) announced proposed cybersecurity regulations to increase the responsibility of banks and insurers to protect their information systems and customer information. The regulations, if adopted, would apply to companies regulated by the New York Department of Financial Services (NYDFS) and would require them to—among other steps—establish a cybersecurity policy and incident response plan. Companies would also have to notify the NYDFS within 72 hours of any cyber event that is likely to affect operations or nonpublic information.
The Boardroom Response
Any company—whether public, private, or nonprofit—can fall prey to a breach, and even companies with formal cybersecurity plans can find themselves the victims of a breach. Preliminary data from the 2016-2017 NACD Public Company Governance Survey show what corporate directors are already doing to oversee cyber-related risks.
When asked which cybersecurity oversight practices the survey respondents’ boards had performed over the past 12 months—and directors could select multiple answers—the most common responses included:
Reviewed the company’s current approach to protecting its most critical data assets (76.6%)
Reviewed the technology infrastructure used to protect the company’s most critical data assets (73.6%)
Communicated with management about the types of cyber-risk information the board requires (64.4%)
Reviewed the company’s response plan in the case of a breach (59.3%).
“Corporate directors should ask management for an accurate and externally validated report on the state of the organization with respect to cyber risk,” said Robert Clyde, a board director for ISACA, which is a global IT and cybersecurity professional association, and White Cloud Security. “They should also ask what framework is being followed for IT governance.”
Aside from high-profile breaches of emails and email providers, Clyde says that breaches related to ransomware are increasing.
“Ransomware encrypts data that can only be decrypted by paying the attacker a fee in Bitcoins. According to the NACD Cyber-Risk Oversight Handbook and many other organizations, the key control to reduce the risk of attack—including ransomware—is restricting user installation of applications, called ‘whitelisting’ or ‘Trusted App Listing,’” Clyde said. “Yet this highly recommended control is rarely implemented. Boards should ask organizations for their plans to implement this specific control.”
NACD recently announced a new online cybersecurity learning program for directors. The multi-module course aims to enhance directors’ understanding of cybersecurity, and the difference between the board’s and management’s responsibilities related to cyber risks. Participants in the program, which is the product of partnership between NACD, Ridge Global, and the CERT Division of Carnegie Mellon University’s Software Engineering Institute, will work through a cyber-crisis simulation and take a comprehensive exam. Successful completion of the program will earn the participant a CERT Certificate in Cybersecurity Oversight.
The release asserts that current disclosure rules may not mandate enough disclosures about activities of audit committees in the reports they make in annual proxy statements and explores possible disclosure mandates in several areas—most of them pertaining to the external auditor. The areas outlined are as follows:
Audit Committee’s Oversight of the Auditor
Audit Committee’s Process for Appointing or Retaining the Auditor
Qualifications of the Audit Firm and Certain Members of the Engagement Team Selected by the Audit Committee
Location of Audit Committee Disclosures in Commission Filings
Smaller Reporting Companies and Emerging Growth Companies
In addition to these areas, the SEC asks for comment on the possible need for disclosures on accounting and financial reporting process or internal audits and invites comment on the scope of audit committee work.
Throughout the 55-page release, the SEC asks questions—74 in all—seeking the views of interested parties, such as audit committee members and investors, on what disclosures would be valuable. All but two of these questions pertain to oversight of the independent auditor.
2. What exactly is a concept release?
A concept release is an early indication that an agency is thinking about a matter and may issue new rules or standards on it. Any agency may issue a concept release. This current SEC concept release is the only one issued so far in 2015, and it is the first SEC concept release issued since 2011. (There were no SEC concept releases at all from 2012–2014.) While there are no recent studies showing the correlation between concept releases and rulemaking, we can assume that new rulemaking may follow. In this sense, concept releases are not the same as interpretive releases, which interpret new laws or court decisions, or policy statements, which clarify the SEC’s positions on particular matters.
3. How does this SEC concept release fit into the SEC’s overall “disclosure effectiveness initiative”?
The release is aimed at improving audit committee disclosures in concert with the stated goal of the SEC’s ongoing disclosure effectiveness initiative, described in a recent NACD Directorship article. Under this initiative, the SEC’s Division of Corporation Finance is reviewing the disclosure requirements under Regulation S-K (regarding company disclosures generally) and Regulation S-X (regarding company disclosures in financial statements) to “facilitate timely, material disclosure by companies….” So far the SEC has focused on the forms 10-K (annual report), 10-Q (quarterly report), and 8-K (updates). Later phases of the project will cover the compensation and governance information in proxy statements.
If the SEC’s new concept release on audit committee disclosures leads to rules mandating additional disclosures that are not material to investors, it would operate against the goals of the initiative. As SEC Chair Mary Jo White said in her keynote speech at NACD’s fall conference two years ago, “[w]e must continuously consider whether information overload is occurring as rules proliferate and as we contemplate what should and should not be required to be disclosed going forward.”
4. Has NACD commented on the SEC’s concept release?
Yes. On Sept. 8, 2015, the NACD submitted a comment letter affirming the importance of improved disclosures. However, the letter also argues that the choice of what to disclose should be up to audit committees themselves because they are in the best position to describe how they are fulfilling those duties. The NACD letter cautions that information should only be included in a proxy statement (or any other disclosure for that matter) if it would be useful to investors.
In the letter, NACD proposes that audit committees take voluntary action by finding new ways of disclosing the broad scope of their work. NACD has also offered to convene a meeting between the SEC and audit committee leaders in order to accomplish this.
The NACD letter followed a more detailed comment submitted to the SEC on Aug. 3, 2015, by Dennis Beresford, a member of the NACD board of directors, an experienced director and audit committee leader, and the former chair of the Financial Accounting Standards Board (FASB).
In his letter, Mr. Beresford states that the concept release focuses too heavily on the audit committee’s relationship with the auditor, which he says is important but should not dominate the committee’s work. He notes that of the 74 questions asked in the release, all but the last two focus on this topic.
Based on his experience, Mr. Beresford suggests that audit committee reports need to cover a wider range of topics, as suggested by the Audit Committee Collaboration, a group that includes NACD. In order of priority, these topics include:
Scope of duties (as referenced in the audit committee charter).
Committee composition (especially information on qualifications of the “audit committee financial expert”).
Oversight of financial reporting (highlighting how the committee is assessing the quality of financial reporting).
Oversight of independent audit (selection of the audit firm and lead engagement partner, and compensation, oversight, and evaluation of the audit firm). Mr. Beresford argues that the disclosure of the lead engagement partner’s name is unnecessary. [This is the subject of a separate Public Company Accounting Oversight Board (PCAOB) release on Rules to Require Disclosure of Certain Audit Participants on a New PCAOB Form.]
Risk assessment and risk management (which is often assigned to the audit committee).
Information technology (such as cybersecurity, which is also often assigned to the committee).
Internal audit (namely, internal audit plan review and results).
Legal and compliance (such as any discussions with legal counsel).
This list of possible topics for voluntary audit committee disclosures accords with NACD’s own publications on audit committee work. These subjects are frequently discussed in meetings of our Audit Committee Chair Advisory Council and in the webcasts and gatherings we produce with KPMG’s Audit Committee Institute.
Notably, Mr. Beresford warns against turning these subjects into mandatory “check-the-box” disclosures. Because audit committee reports are still in an early stage of development, he hopes “that the SEC allows them to continue to develop largely as ‘best practices’ without becoming overly prescriptive [emphasis added].” Regarding disclosure of the name of the lead engagement partner, he says that this should be left to the discretion of audit committees: “If they felt it would be useful to investors, they could include it in their reports in the proxy statement.”
5. Are there any other agency concept releases that audit committee members should know about?
Yes. On July 1, 2015, the PCAOB issued a concept release on Audit Quality Indicators (AQIs) with a comment deadline of Sept. 29, 2015. The release notes that “[t]aken together with qualitative context, the indicators may inform discussions among…audit committees and audit firms.”
NACD does not plan to comment on this release. However, we note that NACD member J. Michael Cook, chair of Comcast’s audit committee, together with Comcast’s executive vice president and chief accounting officer, Lawrence J. Salva, sent a comment letter advising the PCAOB of their views: “We encourage the PCAOB to be judicious with regard to the number of recommended AQIs, as we believe too many AQIs would lessen their impact. As you have previously noted, audit committees have many responsibilities and a limited amount of time, and as you are aware, audit quality requires more than measurable indicators; skepticism and independence are necessary to turn quantifiable indicators into real audit quality.”
6. What is the key takeaway from the SEC and PCAOB concept releases for audit committees?
The SEC and PCAOB are being proactive on the audit committee front. The SEC wants audit committees to say more about their activities in the proxy statement, and the PCAOB wants audit committees to use specific metrics to judge the quality of audits. Comments from the director community have pointed out the importance of ensuring that disclosures are material and that metrics are useful. In response to these two concept releases, audit committee leaders and members might consider taking two main actions:
Review disclosures and their metrics to ensure they are useful.
Reach out to the SEC and PCAOB to express views on these matters.
A Final Word
SEC and PCAOB regulators strive to strengthen the U.S. economy through enlightened rulemaking, but they cannot do it alone. They need to hear the voice of the director. NACD members can make a positive difference in this regard.
On August 5, 2015, the Securities and Exchange Commission released its final pay-ratio rule under the Dodd–Frank Wall Street Reform and Consumer Protection Act (hereafter Dodd–Frank). The announcement comes more than five years after Congress passed Dodd–Frank in July 2010 and nearly two years after the SEC first proposed the pay-ratio rule in September 2013. The release describing the new rule is a 294-page document that will be analyzed and applied in the weeks and months to come. Meanwhile, here are some basic FAQs to help boards and compensation committees understand the implications of this much-anticipated development.
What disclosure will the new rule require?
While the release explaining it demands further study, the new rule can be summarized as follows:
Companies will be required to disclose the ratio of the median pay of all employees, excluding the “principal executive officer” (in most cases, the CEO), to the total pay of that principal executive officer for the most recently completed fiscal year, as disclosed in that year’s summary compensation table. The calculation for median employee pay can be made for any time during the last three months of the year.
The final rule defines employees as “any U.S. and non-U.S. full-time, part-time, seasonal, or temporary worker (including officers other than the [CEO]) employed by the registrant or any of its subsidiaries as of the last day of the registrant’s last completed fiscal year” (p. 216). Like the proposed rule, the final rule allows statistical sampling and estimates as long as these are “reasonable” (p. 14). Although the word reasonable appears at least 100 times in the release announcing the rule, it is not defined because the SEC believes that “companies would be in the best position to determine what is reasonable in light of their own employee population and access to compensation data.”
The ratio would have to appear in any filing that requires executive compensation disclosure, including 10-K annual reports, registration statements, and proxy statements. The SEC final rule specifically mentions the compensation discussion and analysis (CD&A) and the summary compensation table. “In this manner, the pay ratio information will be presented in the same context as other information that shareholders can use in making their voting decisions on executive compensation” (p. 39).
When will the new rule go into effect?
Companies must begin reporting the new data in the first fiscal year beginning on or after January 1, 2017. The pay ratio will appear in the 2018 proxy statement disclosing compensation for 2017. After that, companies will be required to update the disclosure at least once every three years.
To whom will the new rule apply?
The new rule will apply to all U.S. public companies but exempts smaller reporting companies (defined as having a public float of less than $75 million) and emerging growth companies (defined as having total annual gross revenues of less than $1 billion during their most recently completed fiscal year). It also exempts foreign companies (including Canadian companies listing in the United States) and investment companies (mutual funds). The rule also contains an exemption for U.S.-based global companies that cannot access the median pay data due to foreign data-privacy laws. New public companies would not need to comply with the new rule until their first annual report and proxy statement after they register with the SEC.
What aspects of the rule are likely to raise concerns in boardrooms?
In a comment letter filed on December 1, 2013, NACD expressed concerns that the rule defined the term employees too broadly. We encouraged the SEC to increase the flexibility of the pay-ratio rule by permitting the use of industry averages, by defining employees as full-time U.S. employees, and by permitting supplemental notes to correct any distortions caused by the use of “total pay” figures. The SEC’s final rule does not specifically authorize the use of industry averages, although it appears to permit their use to supplement company-based data. Nor does the final rule exclude part-time workers or foreign workers, allowing an exclusion of only up to 5 percent of a non-U.S. workforce.
In combination, these factors in the final rule may cause the ratio of median employee to CEO pay to appear relatively small in industries that employ part-time or non-U.S. workers. Over time an industry pattern may emerge, but initially there could be a hit to reputation. Boards can start now in preparing for potential impact on company reputation and employee morale.
What do boards and committees need to do in the short term?
First, board members should become familiar with the requirements of the new rule, with help from their compensation committees and their compensation advisor. Then they will be in a position to ask informed questions. Compensation committees can begin by asking their chief human resources officer (CHRO) and chief financial officer (CFO) the following questions:
Do we have the information available to calculate the two numbers required for the ratio so that the board can begin its analysis? What technical and definitional issues, if any, may arise in this calculation, and what support might you need to resolve those issues? What is your rough estimate of the cost of calculation (e.g., staff time, data systems requirements, and/or third-party analysis)?
Will you work with an external compensation firm or other external consultant (such as a payroll expert) to determine the ratio?
Can the external advisor estimate the ratios of peer companies on the basis of publicly available data? What are the pros and cons of having the company’s consultant collaborate with the board’s compensation advisor in calculating such estimates?
Similarly, they might consider asking the following two questions of the independent firm that advises the board on CEO and senior management pay:
What information, if any, is currently available on estimated ratios of employee/CEO pay for our industry peers so we know where we stand?
If you will be working with the company’s external advisor in collecting relevant data and/or preparing estimated ratio information (if one is retained by CHRO/CFO), would such activity be perceived as compromising your independence under current SEC rules? If so, how can we proactively counteract such a perception?
Having gained insights from these initial questions, directors might want to consider the following:
How comprehensive and compelling are our current published disclosures about our pay philosophy? Have we clearly communicated the link between our strategy, pay plan design, and pay outcomes?
Does our pay philosophy include employee pay beyond the executive level? Are there opportunities to address this issue in a more detailed way? For example, does our published pay philosophy specifically discuss the issue of pay distribution patterns and/or “fairness”? If not, is this something we might consider addressing?
What information, if any, have we received from surveys regarding employee satisfaction with compensation levels?
What feedback, if any, have we received from our major shareholders about our compensation plan and our pay-for-performance track record? If we have heard concerns, what have we done to resolve them?
If the early estimated ratio for total pay appears out of proportion to any available estimates for our peers and/or industry, how should we interpret this discrepancy? What would this tell us about the structure of our reward system?
What would be the impact of early voluntary disclosure?
What implications might this new rule have for D&O liability?
Any new disclosure rule immediately triggers potential director liability, absent a safe harbor provision. Although shareholder lawsuits against companies are often triggered by weak stock prices, the putative grounds for lawsuits are usually based on alleged disclosure violations, particularly in changes-of-control. For more on D&O litigation, see the May–June 2015 issue of NACD Directorship.
Is the new rule likely to be challenged?
It is possible that trade groups such as the U.S. Chamber of Commerce may try to get the rule vacated by a federal court. In a statement released via e-mail on August 5, David Hirschmann, president of the Chamber’s Center for Capital Markets Competitiveness, stated, “We will continue to review the rule and explore our options for how best to clean up the mess it has created.” In the past this type of cleanup has meant legal action. In July 2011, the Chamber joined the Business Roundtable to successfully vacate a proxy access rule under Dodd–Frank that would have mandated a particular form of shareholder access to director nominations via the proxy ballot. Similarly, in April 2014, the National Association of Manufacturers and others succeeded in getting a court to declare an aspect of the conflict minerals rule under Dodd–Frank to be a violation of free speech.
What long-term impact might the new rule have on human capital at corporations?
Compliance with the new rule is important, but the core issue for companies remains the same: developing a pay structure, at all levels of the organization, that is aligned with the firm’s strategy and aimed at long-term value creation. Sustained corporate performance is based in large part on human talent, and compensation is one of the key factors in motivating employees. Furthermore, payroll and benefits represent a significant percentage of capital allocation at many companies. For these reasons, among others, many boards will likely take a greater interest in pay at lower levels, and they will want independent verification of a wider band of pay practices. More broadly, a growing number of boards are stepping up their oversight of management’s talent development activities across the organization. For guidance, directors can turn to the Report of the NACD Blue Ribbon Commission on Talent Development.
What resources does NACD have to help compensation committees cope with this and other current compensation matters?
NACD will continue to monitor the pay-ratio disclosure issue and other Dodd–Frank compliance matters as they evolve, providing further guidance and perspective on these and related matters.
Note: “Consistent with the proposal, the final rule does not specify any required methodology for registrants to use in identifying the median employee. Instead, the final rule permits registrants the flexibility to choose a method to identify the median employee based on their own facts and circumstances” (p. 113). “The proposed rule did not prescribe specific estimation techniques or confidence levels for identifying the median employee because we believed that companies would be in the best position to determine what is reasonable in light of their own employee population and access to compensation data” (p. 98).
Note: “Fairness” was one of the five principles of pay recommended by NACD in the Report of the NACD Blue Ribbon Commission on Executive Compensation (2003), and was also cited in the more recent Report of the NACD Blue Ribbon Commission on the Compensation Committee (2015).