The major cyber breach that Yahoo announced last week has ripple effects not only for the multimedia platform, but for every company. The incident already has caught the attention of a senator who is calling on the U.S. Securities and Exchange Commission (SEC) to investigate how Yahoo disclosed the breach to shareholders and the public.
Background on the Breach
Ashley Marchand Orme
Account data for at least 500 million users was stolen by what Yahoo has called a “state-sponsored actor” in what CNN Money calls one of the largest data breaches ever. Compromised information includes names, email addresses, phone numbers, dates of birth, encrypted passwords, and security questions.
Yahoo has not named a country of origin for the hacker. The company, which Verizon is seeking to acquire, is still one of the busiest online sites, boasting one billion monthly users.
The breach occurred in late 2014, according to Yahoo, but the company just disclosed the incident in a press release dated Sept. 22, 2016. The Financial Times reports that Yahoo CEO Marissa Mayer may have known about the breach as early as July of this year, raising questions as to why it wasn’t disclosed sooner.
Attention From Lawmakers
Sen. Mark R. Warner (D-VA), a member of the Senate Intelligence and Banking Committees and cofounder of the Senate Cybersecurity Caucus, sent a letter to the SEC yesterday asking the agency to investigate whether Yahoo complied with federal securities law regarding how and when it disclosed the incident.
“Data security increasingly represents an issue of vital importance to management, customers, and shareholders, with major corporate liability, business continuity, and governance implications,” the senator wrote.
Warner—who cofounded the company that became Nextel, a wireless service operator that merged with Verizon—also told the SEC that “since published reports indicate fewer than 100 of approximately 9,000 publicly listed companies have reported a material data breach since 2010, I encourage you to evaluate the adequacy of current SEC thresholds for disclosing events of this nature.”
And Warner isn’t the only lawmaker pushing for increased cyber regulations. Earlier this month, New York Governor Andrew Cuomo (D-NY) announced proposed cybersecurity regulations to increase the responsibility of banks and insurers to protect their information systems and customer information. The regulations, if enacted, would apply to companies regulated by the New York Department of Financial Services (NYDFS) and would require them to—among other steps—establish a cybersecurity policy and an incident response plan. Companies would also have to notify the NYDFS within 72 hours of any cyber event that is likely to affect operations or nonpublic information.
The Boardroom Response
Any company—whether public, private, or nonprofit—can fall prey to a breach, and even companies with formal cybersecurity plans can find themselves the victims of a breach. Preliminary data from the 2016-2017 NACD Public Company Governance Survey show what corporate directors are already doing to oversee cyber-related risks.
When asked which cybersecurity oversight practices the survey respondents’ boards had performed over the past 12 months—and directors could select multiple answers—the most common responses included:
Reviewed the company’s current approach to protecting its most critical data assets (76.6%)
Reviewed the technology infrastructure used to protect the company’s most critical data assets (73.6%)
Communicated with management about the types of cyber-risk information the board requires (64.4%)
Reviewed the company’s response plan in the case of a breach (59.3%).
“Corporate directors should ask management for an accurate and externally validated report on the state of the organization with respect to cyber risk,” said Robert Clyde, a board director for ISACA, which is a global IT and cybersecurity professional association, and White Cloud Security. “They should also ask what framework is being followed for IT governance.”
Aside from high-profile breaches of emails and email providers, Clyde says that breaches related to ransomware are increasing.
“Ransomware encrypts data that can only be decrypted by paying the attacker a fee in Bitcoins. According to the NACD Cyber-Risk Oversight Handbook and many other organizations, the key control to reduce the risk of attack—including ransomware—is restricting user installation of applications, called ‘whitelisting’ or ‘Trusted App Listing,’” Clyde said. “Yet this highly recommended control is rarely implemented. Boards should ask organizations for their plans to implement this specific control.”
NACD recently announced a new online cybersecurity learning program for directors. The multi-module course aims to enhance directors’ understanding of cybersecurity and of the difference between the board’s and management’s responsibilities related to cyber risks. Participants in the program, which is the product of a partnership between NACD, Ridge Global, and the CERT Division of Carnegie Mellon University’s Software Engineering Institute, will work through a cyber-crisis simulation and take a comprehensive exam. Successful completion of the program will earn the participant a CERT Certificate in Cybersecurity Oversight.
CEO succession planning is one of a board’s most important responsibilities. However, many companies are unprepared for communicating executive transitions. A recent survey of senior-level corporate executives published by Alix Partners shows that about 50 percent of respondents felt their companies were unprepared for CEO succession, either because the company hadn’t identified possible successors or hadn’t sufficiently trained candidates for the top job.
Communications strategy is an integral part of CEO succession preparedness. Executive transitions can unfold quickly, demanding decisive action in developing the proper message and coordinating communications strategy both internally and externally. When planning a possible transition announcement, boards should consider several foundational elements for successfully positioning a senior executive change.
Why is the CEO leaving?
There are a handful of standard reasons a company gives for an executive’s departure. Whether a CEO retires, steps down, is terminated, decides to spend more time with family, or pursues new opportunities, companies must present a clear rationale for the departure. Given nuances in language that could imply the motivations of the executive and company, word choice is especially important. Transitions that appear confusing, mysterious, or acrimonious will spook investors or stoke speculation.
In the age of investor activism, boards look for opportunities to demonstrate they will take action when a CEO is viewed as underperforming. This may lead to a press release that does not shower the outgoing executive with praise, therefore signaling a less-than-favorable view of the executive. Or the announcement may state the departure is by “mutual decision,” again a clear signal. Communicating CEO departure is a delicate balancing act.
When is the right time to communicate about a succession?
CEO transition announcements generally take financial markets by surprise and create immediate concern. As a result, some companies have found ways to prepare advance messaging for a planned transition to precondition the market to a future change.
For example, Kinder Morgan made a quick reference to a future CEO transition in its comments at an investor conference before an established timeline or formal announcement had been made. In another example, when dealing with a series of executive changes over the course of 15 months, Mack-Cali Realty Corp. issued an update about its executive search process six months after the CEO stepped down. Ultimately, the company named its new CEO, COO and president, CFO, and chief legal officer and secretary in one release. It should be noted that Mack-Cali’s case is fairly unique; in proprietary research, Edelman found the majority of companies identify a successor in the initial transition announcement. However, companies stand to learn from Mack-Cali and Kinder Morgan’s inventive approaches to communicating succession plans.
Who gets quoted in the release?
The presence of executive quotes in the release about their departure is another important signal of behind-the-scenes dynamics. If the outgoing CEO is quoted, this suggests some deference to that individual, especially if their quote comes first. If the chair or lead director praises the outgoing CEO in their quote, that again sends a message. However, if the chair makes a statement along the lines of “It’s time to take the company to the next level,” dissatisfaction with current leadership may be signaled to the audience, despite other symbolic cues in the announcement.
What’s the appropriate way to share the announcement?
CEO transition press releases tend to be brief, typically under 150 words. In addition to announcing via newswire, companies will notify their internal audiences directly at the time of the company’s external news announcement, and, if applicable, will also publish the news via their owned media channels (as in the case of Reddit and Twitter). Failure to get ahead of the news can make a company the target of speculation, as was the case with Procter & Gamble (P&G) when the Wall Street Journal reported a likely scenario for P&G’s leadership transition based on analyst sources.
Employees should be briefed at the same time as the company’s news announcement, so that employees learn about the leadership change and plans for the company’s future from the source and not via the press.
How can companies leverage the media?
CEO transitions typically raise many questions with internal and external audiences, and the media is often quick to report on perceived corporate instability. Companies should consider a proactive strategy to ensure their messages around a leadership transition are understood and conveyed in the first wave of media coverage. A common strategy is to pre-brief a trusted reporter or two to secure a more holistic or accurate story at the outset of the announcement, with an embargo time established to coincide with the press release timeline. Another option is to hold a post-announcement briefing with reporters to provide greater context and answer questions.
How can companies mitigate concerns about financial performance?
The first likely question from the investment community when a company announces a CEO transition is “Does this mean the company will underperform projections?” Companies should consider reaffirmation of their financial guidance if possible at the time of the announcement. Another approach is to package the CEO succession announcement with a quarterly earnings announcement. This approach allows the company to simultaneously address any questions or concerns about financial performance.
As boards develop their transition plans, they will be best prepared for changes at the top of the organization by considering their communications approach as early in the process as possible. During transition planning, communications staff can develop materials to guide executives through a successfully executed exit process that establishes a positive narrative for both the outgoing and incoming CEO alike.
Lisa Schultz McGann is a senior account supervisor in the Financial Communications and Capital Markets practice at Edelman, the largest PR firm in the world.
Shareholder engagement remains highly topical in boardrooms across North America. Issuers are recognizing the benefits of speaking directly with institutional shareholders on a broad range of topics beyond financial results, particularly in today’s environment of increasingly influential proxy advisors and the ever-present specter of activists.
The task of engaging with shareholders used to rest with investor relations and senior management. But recently, directors have become more involved in engagements, particularly on matters related to the board, the CEO and executive compensation.
To provide perspective on the director’s role in engaging with shareholders, Steve Chan and Michelle Tan of Hugessen Consulting spoke with Richard DeWolfe, chair of the board of Manulife Financial Corp., and Margaret Foran, chief governance officer of Prudential Financial and chair of the governance committee of Occidental Petroleum Corp.
The role of directors in shareholder engagement is evolving. Who should lead engagements with shareholders?
DeWolfe: I prefer to engage shareholders on behalf of the board without the presence of management. This allows investors to express any concerns that they may have to the board directly—not filtered by management, not couched in language that management may find concerning or offensive. I have maintained a practice of having the head of investor relations (IR) accompany me for the purpose of listening and taking notes.
Foran: I believe that, as a starting point, the majority of engagements should be led by management, whether the corporate secretary or IR. If you talk with your top investors, most will say that it is not absolutely necessary to have a director involved in an engagement. Obviously, there are certain topics that the board needs to be involved in, including executive compensation, CEO pay, and succession. It’s hard to talk to the CEO or someone who reports to the CEO about their own pay.
Should directors directly engage with shareholders? Why or why not?
DeWolfe: We can find 1001 excuses why directors shouldn’t speak with shareholders. Directors are there to represent shareholders’ interests, so it seems ridiculous that there wouldn’t be an obligation on the part of the board to communicate with shareholders. One of the dangers of ignoring shareholders is hastening the arrival of activists.
I encourage all board members to act as observers in any and all investor presentations, to listen and understand the concerns of shareholders. However, not all directors are the best communicators in the sense of being able to articulate the issues or answer questions from shareholders. There should be a few directors who are designated spokespersons for the board and responsible for leading these discussions. This is one of the skills boards should consider as they recruit directors.
Foran: I go back to what I initially said: a lot of this can and should be done by management. There are some instances and there are some subjects that are harder to [discuss] without a director. Also, some investors want to talk to board members, so I think that to categorically say “never” [directly engage] is probably wrong. I think boards have to keep an open mind. I also agree that if you’re not prepared, then it can be a real negative [experience]. Every one of the institutional investors I know has stories of directors who have just been horrible [to work with]. At the same time, a good director who shows oversight, independence, and knowledge of the issue, and is a good communicator is a real plus. A real negative is having a meeting where the director does not do a good job, and at that point, it would be better to not have a director present [at a shareholder meeting].
Smaller shareholders tend to rely more heavily on the proxy advisors. How can directors effectively engage with this part of the shareholder base?
Foran: Engagement is not just meetings, be it with management or board members. You engage through your proxy statement, your website, and letters, and I think people underestimate the effect that these venues can have. At Prudential, we have a letter to our shareholders from our board as well as the lead director [in the proxy statement], in addition to a video from the lead director that we embed in the proxy statement on our website. That video has gotten an unbelievable number of hits. For some of the smaller shareholders that may not have time or resources to engage, receiving a letter with the video link [to say], “We can’t engage with everyone, we just wanted you to see this, and if you have any feedback, let us know” can be very powerful.
What are your thoughts on engaging with the proxy advisors?
DeWolfe: We undertook engagement with the proxy advisors this year for the first time and I thought it was really helpful. First of all, we found them very responsive. We wanted to address concerns that they had raised about our proxy, and it gave us an opportunity to better understand how their judgments are formed. It gives you an opportunity to discuss your point of view on those things. And I think it would be helpful if more companies did engage them so that [the proxy advisors] were not simply making these judgments, or publishing opinions, without an opportunity to discuss how that advice was formulated.
Any advice for boards who expect to receive a negative say-on-pay recommendation from a proxy advisor? Can engagement with shareholders and/or proxy advisors help mitigate this?
DeWolfe: What I would say is that you can’t formulate your pay for performance on the basis of what you think the proxy advisor is going to say. You have to design your compensation systems on the basis of the economics of your business and what you believe will fairly reward management while maintaining the best interest of the shareholders.
If you know that your approach is likely to result in a “no,” it makes sense to engage key shareholders in advance. My suggestion is that it’s easier to explain your position up front rather than falling back and being criticized and then having your explanation seem like an excuse.
Foran: Don’t underestimate your disclosure. Proxy advisors and shareholders read proxy statements very closely. It’s like a test. Even though you may fail the multiple choice [section], if you have a good story, then you are probably going to get extra credit on the essays.
It is much better to make the extra effort and do a great job of telling your story in the proxy, and perhaps reinforce that with a meeting with investors and proxy advisors, than have to use a meeting to try to fill in the gaps in your proxy. To me, a good offense is better than a good defense, so figure out what your investors and the proxy advisors look at and address [those items] in the proxy statement.
People like to hate the proxy advisors, but they are just doing their job. If you are really unique, you need to tell that unique story. If you are going to fail on the quantitative tests, then tell that really good story, and that story is a board story, one the board believes in. You need to light the candle instead of cursing the darkness.
Is shareholder engagement an effective tool in dealing with activist shareholders?
DeWolfe: Director-led shareholder engagement allows boards to get ahead of being the subject of an activist attack. If your board knows the expectations of shareholders in advance, you’re on far safer ground than if you decide to hide in the boardroom and ignore shareholder expectations.
How would you describe your general experience with shareholder engagement?
DeWolfe: Going back probably 10 years ago when this really became a question for the board, my view was that having engagement was better than not having any engagement. However, you can’t just say “Well, we are going to have an engagement program,” and then go off and do it. It needs to be carefully planned and orchestrated to ensure that you are talking to the right people, covering the right bases, keeping track of the subjects of interest and ultimately using that as a way of guiding management in terms of meeting shareholders’ expectations. At the end of the day, it’s really using the board to keep management apprised of shareholder expectations and vice versa so people aren’t surprised. The only surprise people like is a birthday present.
Foran: I started doing this years ago when I was at Pfizer, starting with a meeting with the lead director and chairs of the committees with our top 30 investors. We invited them to Pfizer for an afternoon event and cocktails. This was in 2007, and one law firm called it “governance run amuck”. Now look where we are today.
If you talk with the major institutional shareholders, they will tell you that a rapidly increasing number of their engagements involve board members. So you see engagement evolving. People shouldn’t go crazy, but there are certainly companies and instances where it makes a lot of sense.
This article also appears in Director Journal, the official publication of the Institute of Corporate Directors.