- Institutional Shareholder Services ("ISS") recommended that Target's shareholders vote against the election of seven of its 10 director nominees for "failing to provide sufficient risk oversight" in connection with Target's well-chronicled cybersecurity breach in late 2013.
- ISS asserted that the seven directors, who were members of the Target Board's audit and/or corporate responsibility committees, failed to properly monitor the risk of theft of customer information.
- ISS's position on the Target situation involves troubling presumptions regarding director accountability and confuses the risk oversight role of the Board.
On June 11, 2014, shareholders of Target Corporation voted to elect each of its 10 nominees to the Board of Directors despite ISS's controversial recommendation that its clients vote against the election of seven nominees who served on Target's audit and/or corporate responsibility Board committees, which were tasked with overseeing Target's risk assessment processes. ISS's "against" recommendation arose out of a well-chronicled data breach in which hackers accessed and reportedly stole credit card data from some 40 million accounts of Target customers in a three-week period during the 2013 holiday season. ISS concluded that, in light of Target's significant exposure to customer credit card information and online retailing, the members of the audit and corporate responsibility committees "should have been aware of, and more closely monitoring, the possibility of theft of sensitive information." Essentially, ISS appears to have concluded that the fact that something went wrong, of itself, necessarily means that there was a governance failure. Interestingly, Glass Lewis, itself no shrinking violet when it comes to targeting governance failures, concluded that there was insufficient evidence of a director oversight failure to justify an "against" or even a "withhold" vote by its clients.
In a letter to shareholders, Target's interim Board chair challenged ISS's conclusions and described steps that Target had taken prior to the data breach to protect against cybersecurity attacks. Those steps included investing hundreds of millions of dollars in network security resources, dedicating more than 300 employees to information security, requiring annual data security training for all of Target's 350,000 employees, and operating a security center staffed around the clock with trained professionals to review suspicious network activity.
We are pleased that Target's shareholders rejected ISS's recommendations and voted to re-elect each contested nominee by a substantial margin—the contested nominees received, on average, the support of 75 percent of the votes cast. We believe that ISS's position in this situation was ill-advised, especially in its analysis of the Target Board's fulfillment of its risk oversight responsibilities. It is difficult to imagine how ISS determined that Target's directors failed to perform their oversight responsibilities without access to the information regarding cybersecurity risks given to the Board or its committees, or to any discussions that the directors had at the Board or committee level regarding the integrity or weaknesses of Target's security systems or possible threats. Further, there is a logical fallacy inherent in the assumption that there were oversight failures in the boardroom solely based on the fact that something bad happened.
Moreover, in our judgment, ISS's view confuses the roles of the Board and management in risk oversight. As Target noted in its proxy statement, "the primary responsibility for the identification, assessment and management of the various risks that we face belongs with management." The Board's oversight role deals with risk assessment and ensuring that the company has in place adequate systems to monitor and detect risks—and Target had dedicated hundreds of employees and many millions of dollars to information security in an effort to fulfill that role.
Ultimately, the successful election of Target's directors indicates not only that shareholders accept and support the fundamental notion that Boards have a duty of oversight but also that shareholders do not see directors as guarantors of results.
While the contested Target nominees ultimately managed to weather the storm and retain their Board seats, ISS's position on their culpability for a cybersecurity attack nonetheless serves as a warning to directors to expect challenges to their oversight of risks generally, even without clear indications of any director inattention, when things go wrong. It also highlights the need for Boards to consider enterprise risk management as part of their ongoing activities, which consideration should, of course, be carefully documented.