04 Jun. 2014
The primary responsibility for the identification, assessment and management of the various risks that we face belongs with management. The Board’s oversight of these risks occurs as an integral and continuous part of the Board’s oversight of our business.

A detailed report from Bloomberg Businessweek [2] indicates the following facts regarding the data breach:
1. Target had taken action to prepare for such an attack. Six months earlier the company began installing a malware detection tool made by the computer security firm FireEye, whose customers also include the CIA and the Pentagon. Target had a team of security specialists in Bangalore to monitor its computers around the clock. If Bangalore noticed anything suspicious, Target’s security operations center in Minneapolis would be notified.
2. The security system alerted the team in Minneapolis on a timely basis, as it was designed to do.
3. For some reason, the security team in Minneapolis did not react to the alert until after the data had been breached.

In a June 2, 2014 supplemental filing with the Securities and Exchange Commission, the interim chair of Target’s board of directors made the following points regarding cyber security:

Your Board fully recognizes the importance of its oversight responsibilities in this area. Under the Board’s leadership and oversight, Target took significant action to address evolving cyber-crime risks before the breach, by:
- Investing hundreds of millions of dollars in network security personnel, processes, technology and related resources
- Dedicating more than 300 employees to information security (more than double from five years ago)
- Requiring annual data security training for all Target employees (more than 350,000)
- Operating a Security Operations Center staffed around the clock with trained professionals to review suspicious network activity
- Investing in network monitoring technology to enhance Target’s ability to detect potential cyber-attacks
- Becoming a founding member of the National Cyber-Forensics & Training Alliance (NCFTA), a partnership of public, private and academic participants focused on identifying, mitigating and neutralizing cyber-threats
1. It expands the board’s role from one of oversight to one of management.
2. It ignores the disruption and impact on shareholder value that changing out 70 percent of the board may cause to a company that is already under stress and undergoing a search for a new CEO.
3. It does not appear to take into account the quality of the directors it is recommending against.
4. It targets directors who served on two committees, yet it is not clear that the full board delegated oversight of cyber security risk to those committees.

We don't know what happened in the board room at Target, and we don't know whether ISS has reasons not publicly expressed that would justify this extraordinary action. Clearly, directors play a central role in overseeing public companies and an investor’s right to vote on directors is key to assuring accountability. At the same time, voting against directors is a remedy that most investors believe should be used only when the facts clearly support that result. The Target case is evidence that companies and investors need to work together to identify better ways to give investors insight into the quality of board oversight. Over the next year, The Conference Board Governance Center will be working to identify where this is being done effectively.

About the Blogger: Donna Dabney, Executive Director, The Conference Board Governance Center

Donna Dabney joined The Conference Board as Executive Director, Governance Center, in August, 2012. In her current position, Donna leads The Conference Board’s efforts in the areas of corporate governance and sustainable value creation. Prior to joining The Conference Board, Donna was Vice President, Corporate Secretary and Corporate Governance Counsel of Alcoa Inc. and she participated for over 15 years in board and committee meetings of Alcoa and Reynolds Metals Company. As part of her work with the Alcoa Board of Directors, she gained experience with sustainable development in the Amazon region of Brazil.

Donna is a member of the board of directors of American Forests, the oldest national conservation organization in the U.S., the New York Advisory Board of the Society of Corporate Secretaries and Governance Professionals and previously served on the board of a public/private consortium promoting development in Richmond, Virginia.
[1] The Conference Board Task Force Recommendations can be found at www.conferenceboard.org/governance.

[2] “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It”, Michael Riley, Ben Elgin, Dune Lawrence, and Carol Matlack, Bloomberg Businessweek, Technology (March 13, 2014)