The major cyber breach that Yahoo announced last week has ripple effects not only for the multimedia platform, but for every company. The incident already has caught the attention of a senator who is calling on the U.S. Securities and Exchange Commission (SEC) to investigate how Yahoo disclosed the breach to shareholders and the public.
Background on the Breach
Ashley Marchand Orme
Account data for at least 500 million users was stolen by what Yahoo has called a “state-sponsored actor” in what CNN Money calls one of the largest data breaches ever. Compromised information includes names, email addresses, phone numbers, dates of birth, encrypted passwords, and security questions.
Yahoo has not named a country of origin for the hacker. The company, which Verizon is seeking to acquire, is still one of the busiest online sites, boasting one billion monthly users.
The breach occurred in late 2014, according to Yahoo, but the company just disclosed the incident in a press release dated Sept. 22, 2016. The Financial Times reports that Yahoo CEO Marissa Mayer may have known about the breach as early as July of this year, raising questions as to why it wasn’t disclosed sooner.
Attention From Lawmakers
Sen. Mark R. Warner (D-VA), a member of the Senate Intelligence and Banking Committees and cofounder of the Senate Cybersecurity Caucus, sent a letter to the SEC yesterday asking the agency to investigate whether Yahoo complied with federal securities law regarding how and when it disclosed the incident.
“Data security increasingly represents an issue of vital importance to management, customers, and shareholders, with major corporate liability, business continuity, and governance implications,” the senator wrote.
Warner—who cofounded the company that became Nextel, a wireless service operator that merged with Verizon—also told the SEC that “since published reports indicate fewer than 100 of approximately 9,000 publicly listed companies have reported a material data breach since 2010, I encourage you to evaluate the adequacy of current SEC thresholds for disclosing events of this nature.”
And Warner isn’t the only lawmaker pushing for increased cyber regulations. Earlier this month, New York Governor Andrew Cuomo (D-NY) announced proposed cybersecurity regulations that would increase the responsibility of banks and insurers to protect their information systems and customer information. The regulations, if enacted, would apply to companies regulated by the New York Department of Financial Services (NYDFS) and would require them to—among other steps—establish a cybersecurity policy and an incident response plan. Companies would also have to notify the NYDFS within 72 hours of any cyber event that is likely to affect operations or nonpublic information.
The Boardroom Response
Any company—whether public, private, or nonprofit—can fall prey to a breach, and even companies with formal cybersecurity plans can find themselves the victims of a breach. Preliminary data from the 2016-2017 NACD Public Company Governance Survey show what corporate directors are already doing to oversee cyber-related risks.
When asked which cybersecurity oversight practices the survey respondents’ boards had performed over the past 12 months—and directors could select multiple answers—the most common responses included:
Reviewed the company’s current approach to protecting its most critical data assets (76.6%)
Reviewed the technology infrastructure used to protect the company’s most critical data assets (73.6%)
Communicated with management about the types of cyber-risk information the board requires (64.4%)
Reviewed the company’s response plan in the case of a breach (59.3%).
“Corporate directors should ask management for an accurate and externally validated report on the state of the organization with respect to cyber risk,” said Robert Clyde, a board director of ISACA, a global IT and cybersecurity professional association, and of White Cloud Security. “They should also ask what framework is being followed for IT governance.”
Aside from high-profile breaches of emails and email providers, Clyde says that breaches related to ransomware are increasing.
“Ransomware encrypts data that can only be decrypted by paying the attacker a fee in Bitcoins. According to the NACD Cyber-Risk Oversight Handbook and many other organizations, the key control to reduce the risk of attack—including ransomware—is restricting user installation of applications, called ‘whitelisting’ or ‘Trusted App Listing,’” Clyde said. “Yet this highly recommended control is rarely implemented. Boards should ask organizations for their plans to implement this specific control.”
NACD recently announced a new online cybersecurity learning program for directors. The multi-module course aims to enhance directors’ understanding of cybersecurity and of the difference between the board’s and management’s responsibilities related to cyber risks. Participants in the program, which is the product of a partnership between NACD, Ridge Global, and the CERT Division of Carnegie Mellon University’s Software Engineering Institute, will work through a cyber-crisis simulation and take a comprehensive exam. Successful completion of the program will earn the participant a CERT Certificate in Cybersecurity Oversight.
Shareholder engagement remains highly topical in boardrooms across North America. Issuers are recognizing the benefits of speaking directly with institutional shareholders on a broad range of topics beyond financial results, particularly in today’s environment of increasingly influential proxy advisors and the ever-present specter of activists.
The task of engaging with shareholders used to rest with investor relations and senior management. But recently, directors have become more involved in engagements, particularly on matters related to the board, the CEO and executive compensation.
To provide perspective on the director’s role in engaging with shareholders, Steve Chan and Michelle Tan of Hugessen Consulting spoke with Richard DeWolfe, chair of the board of Manulife Financial Corp., and Margaret Foran, chief governance officer of Prudential Financial and chair of the governance committee of Occidental Petroleum Corp.
The role of directors in shareholder engagement is evolving. Who should lead engagements with shareholders?
DeWolfe: I prefer to engage shareholders on behalf of the board without the presence of management. This allows investors to express any concerns that they may have to the board directly—not filtered by management, not couched in language that management may find concerning or offensive. I have maintained a practice of having the head of investor relations (IR) accompany me for the purpose of listening and taking notes.
Foran: I believe that, as a starting point, the majority of engagements should be led by management, whether the corporate secretary or IR. If you talk with your top investors, most will say that it is not absolutely necessary to have a director involved in an engagement. Obviously, there are certain topics that the board needs to be involved in, including executive compensation, CEO pay, and succession. It’s hard to talk to the CEO or someone who reports to the CEO about their own pay.
Should directors directly engage with shareholders? Why or why not?
DeWolfe: We can find 1001 excuses why directors shouldn’t speak with shareholders. Directors are there to represent shareholders’ interest, so it seems ridiculous that there wouldn’t be an obligation on the part of the board to communicate with shareholders. One of the dangers of ignoring shareholders is hastening the arrival of activists.
I encourage all board members to act as observers in any and all investor presentations, to listen and understand the concerns of shareholders. However, not all directors are the best communicators in the sense of being able to articulate the issues or answer questions from shareholders. There should be a few directors who are designated spokespersons for the board and responsible for leading these discussions. This is one of the skills boards should consider as they recruit directors.
Foran: I go back to what I initially said: a lot of this can and should be done by management. There are some instances and there are some subjects that are harder to [discuss] without a director. Also, some investors want to talk to board members, so I think that to categorically say “never” [directly engage] is probably wrong. I think boards have to keep an open mind. I also agree that if you’re not prepared, then it can be a real negative [experience]. Every one of the institutional investors I know has stories of directors who have just been horrible [to work with]. At the same time, a good director who shows oversight, independence, and knowledge of the issue, and is a good communicator is a real plus. A real negative is having a meeting where the director does not do a good job, and at that point, it would be better to not have a director present [at a shareholder meeting].
Smaller shareholders tend to rely more heavily on the proxy advisors. How can directors effectively engage with this part of the shareholder base?
Foran: Engagement is not just meetings, be it with management or board members. You engage through your proxy statement, your website, and letters, and I think people underestimate the effect that these venues can have. At Prudential, we have a letter to our shareholders from our board as well as the lead director [in the proxy statement], in addition to a video from the lead director that we embed in the proxy statement on our website. That video has gotten an unbelievable number of hits. For some of the smaller shareholders that may not have time or resources to engage, receiving a letter with the video link [to say], “We can’t engage with everyone, we just wanted you to see this, and if you have any feedback, let us know” can be very powerful.
What are your thoughts on engaging with the proxy advisors?
DeWolfe: We undertook engagement with the proxy advisors this year for the first time and I thought it was really helpful. First of all, we found them very responsive. We wanted to address concerns that they had raised about our proxy, and it gave us an opportunity to better understand how their judgments are formed. It gives you an opportunity to discuss your point of view on those things. And I think it would be helpful if more companies did engage them so that [the proxy advisors] were not simply making these judgments, or publishing opinions, without an opportunity to discuss how that advice was formulated.
Any advice for boards who expect to receive a negative say-on-pay recommendation from a proxy advisor? Can engagement with shareholders and/or proxy advisors help mitigate this?
DeWolfe: What I would say is that you can’t formulate your pay for performance on the basis of what you think the proxy advisor is going to say. You have to design your compensation systems on the basis of the economics of your business and what you believe will fairly reward management while maintaining the best interest of the shareholders.
If you know that your approach is likely to result in a “no,” it makes sense to engage key shareholders in advance. My suggestion is that it’s easier to explain your position up front rather than falling back and being criticized and then having your explanation seem like an excuse.
Foran: Don’t underestimate your disclosure. Proxy advisors and shareholders read proxy statements very closely. It’s like a test. Even though you may fail the multiple choice [section], if you have a good story, then you are probably going to get extra credit on the essays.
It is much better to make the extra effort and do a great job of telling your story in the proxy, and perhaps reinforce that with a meeting with investors and proxy advisors, than have to use a meeting to try to fill in the gaps in your proxy. To me, a good offense is better than a good defense, so figure out what your investors and the proxy advisors look at and address [those items] in the proxy statement.
People like to hate the proxy advisors, but they are just doing their job. If you are really unique, you need to tell that unique story. If you are going to fail on the quantitative tests, then tell that really good story, and that story is a board story, one the board believes in. You need to light the candle instead of cursing the darkness.
Is shareholder engagement an effective tool in dealing with activist shareholders?
DeWolfe: Director-led shareholder engagement allows boards to get ahead of being the subject of an activist attack. If your board knows the expectations of shareholders in advance, you’re on far safer ground than if you decide to hide in the boardroom and ignore shareholder expectations.
How would you describe your general experience with shareholder engagement?
DeWolfe: Going back probably 10 years ago when this really became a question for the board, my view was that having engagement was better than not having any engagement. However, you can’t just say “Well, we are going to have an engagement program,” and then go off and do it. It needs to be carefully planned and orchestrated to ensure that you are talking to the right people, covering the right bases, keeping track of the subjects of interest and ultimately using that as a way of guiding management in terms of meeting shareholders’ expectations. At the end of the day, it’s really using the board to keep management apprised of shareholder expectations and vice versa so people aren’t surprised. The only surprise people like is a birthday present.
Foran: I started doing this years ago when I was at Pfizer, starting with a meeting with the lead director and chairs of the committees with our top 30 investors. We invited them to Pfizer for an afternoon event and cocktails. This was in 2007, and one law firm called it “governance run amuck”. Now look where we are today.
If you talk with the major institutional shareholders, they will tell you that a rapidly increasing number of their engagements involve board members. So you see engagement evolving. People shouldn’t go crazy, but there are certainly companies and instances where it makes a lot of sense.
This article also appears in Director Journal, the official publication of the Institute of Corporate Directors.
Front and center for boards and senior management is the call to align the company’s day-to-day activities with long-term value creation, said Bill McCracken, co-chair of the NACD Blue Ribbon Commission (BRC) that produced the newly released report on The Board and Long-Term Value Creation. McCracken, who is also a director of NACD and the MDU Resources Group, president of Executive Consulting Group, and the former CEO of CA Technologies, co-chaired the commission with Dr. Karen Horn, director of Eli Lilly & Co., Norfolk Southern Corp., and T. Rowe Price Mutual Funds, and vice chair of the NACD board.
What’s the first step for boards in creating long-term value? “Draw a clear line between the daily objectives and long-term strategy,” said McCracken. “Ask, ‘Have we done a good job articulating that? Do investors buy into the strategy? And does the company have the capabilities it needs to execute that strategy?’”
Dona D. Young—chair of the nominating and governance committee for Foot Locker Inc. and a director of Aegon N.V. and Save the Children—served as moderator for a panel that also included Margaret M. Foran, a director at Occidental Petroleum and the chief governance officer, vice president, and corporate secretary of Prudential Financial; and Brian L. Schorr, partner and chief legal officer of Trian Fund Management LP, director of the Bronx High School of Science Endowment Fund, and a trustee of the New York University School of Law. Young and Foran were both BRC Commissioners in 2015; Schorr was a member of the 2014 BRC, which focused on the board’s role in strategy development.
The panel discussion amplified four key findings from this report:
Make short-term goals the building blocks of long-term strategy.
“It’s clear that short-term is not at odds with long-term,” Young said. “How do we integrate that concept in our companies?”
Panelists agreed that directors should determine how to break down long-term goals into measurable short-term milestones at the quarterly, half-year, and annual marks. As Schorr noted, “performance can’t be back-loaded: if a company consistently misses those short-term marks year-after-year, shareholders will question the integrity of the long-term goal you’re moving toward.” Among the BRC report’s tools for directors are examples of long-term-oriented performance metrics in nine different categories.
Directors also need to test the organization’s alignment between short-term metrics and long-term strategy with actual performance. Start off with your premise—or the long-term goal your organization is moving toward—and conduct historical look-backs on a regular basis, Foran said. “Were we right about our predictions? Did we reward the right things?”
Independent inquiry is not optional.
In order to be effective at setting those long-term goals and their relevant short-term milestones, directors must be knowledgeable about both the company and industry.
“We have to do our own homework and not rely solely on management [for information],” Young said. “How do board members engage in independent inquiry without making management feel like we don’t trust them?”
Directors should be reading press releases and analyst reports—not only those issued by their own company but also those of peers and competitors within the industry—to get a sense of what the trends are, Foran said. Trade publications and conferences are other key sources of data.
Schorr described an approach he himself uses: “At Trian, we focus on the income statement. We look at indicators such as EPS growth and EBITDA margins—do we see underperformance relative to what we believe is the company’s potential? Balance-sheet activists look for signs of excess cash, lower leverage ratios, or dividend payout ratios that are out of balance. We ask why. There may be a perfectly good reason; it’s just not well-articulated by management.”
Conduct regular individual-director evaluations.
McCracken highlighted the report’s recommendation on the need for long-term succession planning. When considering your company’s board composition, ask whether you have the capabilities and talent that will be needed to guide the company toward future goals, he said.
“We do strenuous 360-degree evaluations with management,” McCracken noted. “Why can’t we hold ourselves, as board members, to the same standard?” And since board members are peers, it is helpful to have a third party conduct the assessments. Young shared an example from her own experience in which individual director evaluations were truly 360-degree, incorporating input from senior management: “It was tremendously enlightening, really eye-opening.”
Be prepared to engage with shareholders.
The importance of regularly scheduled meetings with shareholders cannot be overestimated. “Don’t just wait for a problem to arise,” Schorr advised, noting that information exchange is a two-way street. The board should also have ways to gather unfiltered information about shareholders’ priorities and concerns.
McCracken emphasized this point: “In today’s world, board members need to talk to shareholders. Regulation FD is a non-issue, a red herring, and directors can’t use it as an excuse.” The BRC report provides detailed guidance that directors can use to prepare for shareholder meetings.
The BRC Report on the Board and Long-Term Value Creation is a natural extension of last year’s BRC report, which recommended that directors get involved in strategy decisions early on and remain involved with them, Schorr said. Doing so can help push management toward goals that promote long-term value creation with links to interim performance milestones that are clear to shareholders. “It’s more than understanding and doing defensive analysis. It’s getting into the boardroom and doing a lot of the things activists are doing,” Schorr said.
Moderator Young summarized the report’s significance this way: “This report helps directors to take a systems approach to engaging with management on strategy and driving value creation.”
This timely publication is the NACD’s twenty-second BRC report and represents the thought leadership of more than 20 eminent directors and trailblazers in business and government. Distributed to attendees of the GBLS and available to NACD members at www.nacdonline.org/value, the report contains the following practical guidance for the directors and boards of public, private, and nonprofit organizations:
Ten recommendations on the board’s role in driving long-term value creation
Eleven red flags that indicate a lack of alignment between short-term goals and long-term strategy
Specific steps directors can take regarding CEO selection and evaluation, capital allocation, and other elements related to long-term value creation
Eight appendices that offer detailed insights and practical boardroom tools