On June 11, when Target holds its annual meeting, shareholders will make a decision that could have far-reaching impact beyond this particular company or, for that matter, the entire retail sector.
Institutional Shareholder Services (ISS), the eminent proxy advisory firm, has urged them to oust seven of Target’s ten board members over the mismanagement related to November’s massive data breach. By ISS’ lights, the corporate response to the breach – a new chief information officer and enhanced security – was days late and many pennies short.
The recommendation is significant for at least three reasons.
First, ISS has put the burden squarely where it belongs, on the shoulders of directors whose duty is to advance long-term corporate interests while protecting its most critical assets. In this case, that means safe cyber-systems, effective cyber-supply chain management, and battle-tested cyber-breach recovery and response plans.
Second, this bold move eloquently underscores cybersecurity as a second-to-none corporate priority for any industry. You wouldn’t think that, at this stage of the game, the point needs to be underscored, yet Paul Ferrillo, counsel in the securities litigation department at Weil, Gotshal & Manges, cites recent findings by the security firm Mandiant that suggest otherwise.
Mandiant found the average time it takes to detect a breach is 229 days; cold comfort that that number is down from 243 in 2013. Meanwhile, fewer companies – 33%, down from 37% in 2012 – were able to detect their own breaches.
Third, the ISS sortie is extremely well-timed as a necessary counterweight to some fairly surprising numbers also reported in May. These numbers show a conspicuous stability in stock value among companies that experienced major breaches. They could be read to suggest that cyber-disasters simply don’t impact stock value.
“Investors are just overwhelmed,” says Ferrillo. “The cyber-security crisis is now so pandemic that it’s hard for people to respond one way or another to the news of yet another breach, unless they’re personally victimized.”
Consider: In mid-May, eBay reported that names, contact info, and passwords were hacked. That day, company stock fell a mere 8 cents. A breach at T. J. Maxx hit 94 million customers in 2007 and stock fell 12% — yet quintupled over the next few years as investors saw a ripe buying opportunity. Adobe Systems was breached last October, affecting 38 million users and three million encrypted credit card records. The stock has since risen 10%.
And Target? After a huge initial hit following the breach, the stock stabilized in 2013 while subsequent losses in 2014 are attributed to unrelated causes. After the ISS recommendation, Target shares were “slightly lower” in pre-market trading even as the company earned a Buy from TheStreet.
Yet, if the ISS recommendation did not significantly affect Target’s immediate share value, it provides an admonitory reminder that any data correlating breaches to steady per-share results could blunt the sense of urgency with which public companies address this issue. If it takes a bit of activism to wake up directors, so be it. In any event, the consequences of mismanaging cybersecurity could now include loss of control over your own governance structure.
Of course, the consequences involve much more as well. One obvious consideration is unknown loss: how much higher would per-share value be had there been no breach? “Stock price in the abstract misses the point,” says Gerald Ferguson, a partner at BakerHostetler and co-chair of its Privacy and Data Protection Practice. “It takes a lot of future investment to make up for the long-term reputational harm, including time focused on defensive activity that could otherwise be spent working to achieve real growth.
“You can’t really plan for the future when you’re preoccupied with something in the past,” adds Ferguson.
In this context, additional survey findings resonate as two-thirds of breached organizations say they’re unable to place a hard cost on the incidents. (The other third averaged $415,000.) Ancillary losses are likewise incalculable. There are the executives who lose their jobs. There’s the litigation – such as the two recent actions against the boards of Target and Wyndham Worldwide Hotels – threatening directors with personal liability. And, the SEC, FINRA, FTC, along with diverse other regulators, are looming impatiently in the wings.
If investors are numb to it all, officers and directors cannot afford to be. And, if anything less than systemic change is unacceptable, remember that “stable stock values do not drive change,” as Ferillo puts it. “What does drive change – what should cause a razor-sharp focus on cybersecurity – is the potential loss of foot traffic in department stores because shoppers are afraid to shop there.”
What a boon, were the activists to follow ISS’ lead and focus on data security with the same intensity they’ve accorded issues like executive pay. Here may be further argument that, not just speculators, the activists can indeed bring durable value to the companies they target.
The likeliest best-case scenario is that a dynamic tension between current boards and those who would supplant them will force ongoing change, hopefully a more rapid-paced change than what we’ve seen since 2012. It’s called “creative conflict.”
Richard Levick, Esq., is Chairman and CEO of LEVICK, a global strategic communications firm.
Don't Miss: The Best HDR TVs