Proxy advisors and shareholders are paying an increasing amount of attention to cybersecurity because the stakes are high – a cyberattack can be catastrophic for a company.
A successful cyber attack can target confidential information integral to the competitive edge of a business (including trade secrets, supplier and client lists, information regarding research and development projects, pricing information and more) or impair the digital infrastructure and freeze operations.
Cyberattacks can also expose businesses to legal risks. In a recent trilogy of cases, the Ontario Court of Appeal considered whether businesses that are victims of cyberattacks can be liable under the tort of intrusion upon seclusion. While the Court limited the prospect of a victim of a cyberattack being found liable under that tort, it noted that victims can be found liable under other causes of action, such as breach of contract and the tort of negligence. Moreover, companies may have obligations under privacy laws, such as the Personal Information Protection and Electronic Documents Act, to safeguard personal information collected in the course of commercial activities.
ISS has suggested that cyber risk governance should be considered alongside ESG considerations because “the inherent similarity between cyber risk and ESG makes the former an excellent addition to the set of metrics investors should use to evaluate responsible corporate behavior.”
Glass Lewis also introduced a new section in its 2023 Proxy Voting Guidelines to address cybersecurity governance. According to Glass Lewis, cyber risk is material for all companies. Therefore, there should be increased board oversight of cybersecurity issues. Glass Lewis now expects all companies to disclose in their proxy circulars details regarding board-level efforts to oversee issues related to cybersecurity. Further, Glass Lewis may make a negative voting recommendation if cyberattacks have caused “significant harm” to investors and the board’s oversight is inadequate or the proxy circular does not contain sufficient disclosure regarding cybersecurity issues.
Given that there is increasing attention to cybersecurity issues from proxy advisors and shareholders, all companies should do more to increase board-level oversight of cyber risk. Activists will likely begin to highlight cyber security vulnerabilities at a growing rate when advocating for management changes and expect swift consequences for boards that fail to adequately protect company value from the threat of a cyber attack.
The number of companies with at least one director with cybersecurity experience has increased only marginally among S&P 500 companies, and this number has even decreased for the Russell 3000. It would be helpful for boards to have at least one director with cybersecurity experience and to receive regular and proactive reports on cybersecurity issues if they do not already do so.
Much like how companies that rely on a physical infrastructure are vulnerable to extreme environmental events and disasters, companies that rely on a digital infrastructure are vulnerable to cyberattacks. Companies – from the board-level and down – must take cybersecurity seriously.
The author would like to thank Zack Goldford and Hussain Ali for their significant contribution to this article.
