
04 Jun. 2014

By Donna Dabney, Executive Director, Governance Center, The Conference Board

Several news sources recently reported that ISS is recommending a vote against seven of Target’s ten directors because they served on the Audit Committee or the Corporate Responsibility Committee at the time of the well-publicized data breach at Target last year. How directors satisfy investors about the quality of their oversight is one of the key issues identified by The Conference Board Task Force on Investor Engagement in its reports released in March.[1] That issue, the quality of director oversight, is front and center in the ISS recommendation to vote against seven of Target’s ten directors.

In examining a recommendation to vote against directors, it is important to consider the role of directors in governance of a public company. It is well accepted that directors are responsible for assuring systems are in place to detect, prevent, and respond to important risks to the enterprise.

While we don’t know all the facts in the Target situation, publicly available information indicates the following. Target’s Audit Committee is charged under its charter with reviewing and discussing with management its approach to risk assessment and risk management, including the risk of fraud, and the commitment of internal audit resources to audit the Corporation’s guidelines, policies, and procedures to mitigate identified risks. In its proxy statement, Target states that the Corporate Responsibility Committee has oversight of reputational risk. The Target proxy statement lays out a typical allocation of risk management responsibilities.

The primary responsibility for the identification, assessment and management of the various risks that we face belongs with management. The Board’s oversight of these risks occurs as an integral and continuous part of the Board’s oversight of our business.

A detailed report from Bloomberg Businessweek [2] indicates the following facts regarding the data breach:

1. Target had taken action to prepare for such an attack. Six months earlier the company began installing a malware detection tool made by the computer security firm FireEye, whose customers also include the CIA and the Pentagon. Target had a team of security specialists in Bangalore to monitor its computers around the clock. If Bangalore noticed anything suspicious, Target’s security operations center in Minneapolis would be notified.

2. The security system alerted the team in Minneapolis on a timely basis, as it was designed to do.

3. For some reason, the security team in Minneapolis did not react to the alert until after the data had been breached.

In a June 2, 2014 supplemental filing with the Securities and Exchange Commission, the interim chair of Target’s board of directors made the following points regarding cyber security:

Your Board fully recognizes the importance of its oversight responsibilities in this area. Under the Board’s leadership and oversight, Target took significant action to address evolving cyber-crime risks before the breach, by:
    • Investing hundreds of millions of dollars in network security personnel, processes, technology and related resources
    • Dedicating more than 300 employees to information security (more than double from five years ago)
    • Requiring annual data security training for all Target employees (more than 350,000)
    • Operating a Security Operations Center staffed around the clock with trained professionals to review suspicious network activity
    • Investing in network monitoring technology to enhance Target’s ability to detect potential cyber-attacks
    • Becoming a founding member of the National Cyber-Forensics & Training Alliance (NCFTA), a partnership of public, private and academic participants focused on identifying, mitigating and neutralizing cyber-threats

The board’s role is to understand whether management has properly identified an important risk and has systems in place to monitor and mitigate the risk. Apparently at Target, cyber security risk was identified and management had systems in place to address the risk. News reports indicate the issue arose from human error: security personnel did not react to the system alerts.

The role of directors is one of oversight, not of day-to-day management. Directors cannot be expected to manage security personnel to ensure that they are doing their job; this role is clearly and squarely a management function. Based on publicly available data, the ISS decision to recommend a vote against seven out of ten directors on the Target board due to the data breach appears to be wrong on many levels:

1. It expands the board’s role from one of oversight to one of management.

2. It ignores the disruption and impact on shareholder value that changing out 70 percent of the board may cause to a company that is already under stress and undergoing a search for a new CEO.

3. It does not appear to take into account the quality of the directors it is recommending against.

4. It targets directors who served on two committees, yet it is not clear that the full board delegated oversight of cyber security risk to those committees.

We don't know what happened in the board room at Target, and we don't know whether ISS has reasons not publicly expressed that would justify this extraordinary action. Clearly, directors play a central role in overseeing public companies and an investor’s right to vote on directors is key to assuring accountability. At the same time, voting against directors is a remedy that most investors believe should be used only when the facts clearly support that result. The Target case is evidence that companies and investors need to work together to identify better ways to give investors insight into the quality of board oversight. Over the next year, The Conference Board Governance Center will be working to identify where this is being done effectively.

About the Blogger:

Donna Dabney joined The Conference Board as Executive Director, Governance Center, in August, 2012. In her current position, Donna leads The Conference Board’s efforts in the areas of corporate governance and sustainable value creation. Prior to joining The Conference Board, Donna was Vice President, Corporate Secretary and Corporate Governance Counsel of Alcoa Inc. and she participated for over 15 years in board and committee meetings of Alcoa and Reynolds Metals Company. As part of her work with the Alcoa Board of Directors, she gained experience with sustainable development in the Amazon region of Brazil. Donna is a member of the board of directors of American Forests, the oldest national conservation organization in the U.S., the New York Advisory Board of the Society of Corporate Secretaries and Governance Professionals and previously served on the board of a public/private consortium promoting development in Richmond, Virginia.

[1] The Conference Board Task Force Recommendations can be found at www.conferenceboard.org/governance.

[2] Michael Riley, Ben Elgin, Dune Lawrence, and Carol Matlack, “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It”, BloombergBusinessWeek, Technology (March 13, 2014).

About the Author: Donna Dabney

Donna Dabney, former Executive Director of The Conference Board Governance Center, is currently a Senior Advisor to the Governance Center. Prior to joining The Conference Board, Donna was Vice …
