- Institutional Shareholder Services ("ISS") recommended that Target's shareholders vote against the election of seven of its 10 director nominees for "failing to provide sufficient risk oversight" in connection with Target's well-chronicled cybersecurity breach in late 2013.
- ISS asserted that the seven directors, who were members of the Target Board's audit and/or corporate responsibility committees, failed to properly monitor the risk of theft of customer information.
- ISS's position on the Target situation involves troubling presumptions regarding director accountability and confuses the risk oversight role of the Board.

On June 11, 2014, shareholders of Target Corporation voted to
elect each of its 10 nominees to the Board of Directors despite
ISS's controversial recommendation that its clients vote
against the election of seven nominees who served on Target's
audit and/or corporate responsibility Board committees, which were
tasked with overseeing Target's risk assessment processes.

ISS's "against" recommendation arose out of a
well-chronicled data breach in which hackers accessed and
reportedly stole credit card data from some 40 million accounts of
Target customers in a three-week period during the 2013 holiday
season. ISS concluded that, in light of Target's significant
exposure to customer credit card information and online retailing,
the members of the audit and corporate responsibility committees
"should have been aware of, and more closely monitoring, the
possibility of theft of sensitive information." Essentially,
ISS appears to have concluded that the fact that something went
wrong, of itself, necessarily means that there was a governance
failure. Interestingly, Glass Lewis, itself no shrinking violet
when it comes to targeting governance failures, concluded that
there was insufficient evidence of a director oversight failure to
justify an "against" or even a "withhold" vote
by its clients.

In a letter to shareholders, Target's interim Board chair
challenged ISS's conclusions and described steps that Target
had taken prior to the data breach to protect against cybersecurity
attacks. Those steps included investing hundreds of millions of
dollars in network security resources, dedicating more than 300
employees to information security, requiring annual data security
training for all of Target's 350,000 employees, and operating a
security center staffed around the clock with trained professionals
to review suspicious network activity.

We are pleased that Target's shareholders rejected ISS's
recommendations and voted to re-elect each contested nominee by a
substantial margin—the contested nominees received, on
average, the support of 75 percent of the votes cast. We believe
that ISS's position in this situation was ill-advised,
especially in its analysis of the Target Board's fulfillment of
its risk oversight responsibilities. It is difficult to imagine how
ISS determined that Target's directors failed to perform their
oversight responsibilities without access to the information
regarding cybersecurity risks given to the Board or its committees,
or to any discussions that the directors had at the Board or
committee level regarding the integrity or weaknesses of
Target's security systems or possible threats. Further, there
is a logical fallacy inherent in the assumption that there were
oversight failures in the boardroom solely based on the fact that
something bad happened.

Moreover, in our judgment, ISS's view confuses the roles of the
Board and management in risk oversight. As Target noted in its
proxy statement, "the primary responsibility for the
identification, assessment and management of the various risks that
we face belongs with management." The Board's oversight
role deals with risk assessment and ensuring that the company has
in place adequate systems to monitor and detect risks—and
Target had dedicated hundreds of employees and many millions of
dollars to information security in an effort to fulfill that
role.

Ultimately, the successful election of Target's directors
indicates not only that shareholders accept and support the
fundamental notion that Boards have a duty of oversight but also
that shareholders do not see directors as guarantors of
results.

While the contested Target nominees ultimately managed to weather
the storm and retain their Board seats, ISS's position on their
culpability for a cybersecurity attack nonetheless serves as a
warning to directors to expect challenges to their oversight of
risks generally, even without clear indications of any director
inattention, when things go wrong. It also highlights the need for
Boards to consider enterprise risk management as part of their
ongoing activities, which consideration should, of course, be
carefully documented.