Institutional Shareholder Services (“ISS”), a prominent proxy adviser, has issued a report urging Target Corporation’s shareholders to oust seven of the company’s directors for “failure to provide sufficient risk oversight” on cybersecurity. The ISS report is the latest blow to the beleaguered company, which was the victim of a data breach that resulted in the compromise of 40 million credit and debit card numbers. The ISS report, in addition to the data breach itself, serves as a powerful reminder that cybersecurity poses significant enterprise-wide risks to companies that must be actively overseen by an informed board of directors. In this alert, we will discuss the ramifications of the ISS report and the steps that directors can take to address the risk of cyber incidents.
In mid-November 2013, hackers used the credentials of a third-party vendor to install malware on Target’s payment card network. Target discovered and removed the malware in early December. (The company’s response was quite prompt – studies have shown that the average data breach continues for months or even years before it is discovered.) The malware was only on Target’s network for about three weeks, but in that time, hackers were able to capture and exfiltrate approximately 40 million credit and debit card numbers. Many of the payment card numbers were sold on the black market, including on carder websites. (For additional information regarding carder websites, see our coverage here.)
Target publicly disclosed the breach pursuant to state disclosure laws and immediately became the center of a national firestorm over privacy and data security. Among other things, the breach and subsequent disclosure triggered significant fallout litigation, including shareholder derivative suits against Target’s officers and directors alleging, among other things, breach of fiduciary duty, waste of corporate assets, and gross mismanagement.
The ISS Report
ISS conducted a review of how Target handled the data breach and this week issued a damning report that urged shareholders to remove seven of the company’s ten directors. The ISS recommendation targeted the directors who serve on the company’s corporate responsibility and audit committees and reported that the committees’ failure to “ensure appropriate management of [cybersecurity] risks set the stage for the data breach, which has resulted in significant losses to the company and its shareholders.” The report also criticized the board’s “largely reactionary” response to the breach.
Target quickly struck back, stating that its security was “among the best-in-class within the retail industry.” It also appointed a “digital advisory committee” to assist with technology and cybersecurity issues going forward. Another proxy adviser, Glass, Lewis & Co., issued its own report, but did not recommend the removal of any directors as a result of the breach. According to Glass Lewis, there is currently not enough evidence to conclude that the directors’ actions contributed to the breach, although it reserved the right to recommend removal in the future.
Recommendations for Directors
Directors of other companies should view Target’s breach experience and the ISS recommendations as a cautionary tale and ensure that they are exercising proper oversight of their company’s management of cybersecurity risks and responses to cyber incidents. With respect to cybersecurity risks, directors are not tasked with directly managing the concerns, but they should routinely ask management questions on data protection, including:
- What is the company’s cybersecurity risk profile?
- What are the company’s vulnerabilities?
- How is data protected?
- How and how often is network security assessed, and by whom?
- Is the company compliant with any applicable data security standards (e.g., the Payment Card Industry Data Security Standard or HIPAA)?
- Does the company have cyberinsurance? If so, are the coverage levels and exclusions appropriate for the company?
- Does the company have appropriate written policies regarding cybersecurity?
- Does the company provide regular training to employees regarding cybersecurity?
- Does the company have an incident response plan that will allow it to quickly and efficiently respond to a suspected cyber incident?
- Does the company require vendors to maintain appropriate levels of cybersecurity?
- Are vendors required to maintain insurance for cyber events, and if so, is the company named as an additional insured?
- Are vendors required to indemnify the company for failure to adequately protect the company’s data?
Directors ideally should receive reports directly from their information security team to ensure that they are fully informed and understand the company’s cyber risks and preparedness. Boards should also consider appointing directors with the knowledge and expertise to fully understand the company’s information technology systems and cyber risks, if current board members do not have that knowledge. For example, Neiman Marcus added two directors with extensive cyber experience following its breach in late 2013.
When a breach occurs, directors should ensure that they are kept apprised of the investigation, remediation, and disclosure of the breach. Breach response is a round-the-clock endeavor and the known facts about the breach can evolve rapidly, so directors should ensure that they are receiving regular updates from the personnel responsible for managing the response. Among other things, directors should ensure that the company is being represented by experienced counsel and forensic investigators (if appropriate).