Update on the current board issues: April 2014

Issues in brief


Cybersecurity framework: A starting point for companies

Back to top

The National Institute of Standards and Technology’s (NIST) new Cybersecurity Framework could be a starting point for companies trying to mitigate the continuing cyber threat risk.

Charles Beard, a principal in PwC’s forensics practice and former senior vice president and general manager of Science Applications International Corp.’s cybersecurity group, and the Honorable Tom Ridge, former US Secretary of Homeland Security and co-founder of Ridge-Schmidt Cyber, discussed cybersecurity risk during PwC’s Center for Board Governance cybersecurity webcast on March 27.

“There are five things not addressed in the framework that are important for independent directors to understand,” Beard said during the PwC webcast. They are:

  1. Duties and obligations of companies wherever they operate
  2. The “technical debt” (the cost of deferred maintenance on technical projects that remain incomplete)
  3. The identity of threat adversaries and actors (i.e., countries, hacktivists, employees)
  4. How the company should think about cyber threats in terms of risk tolerance
  5. The element of time (for larger companies, a cyber risk plan may take years)

“Cyber attacks are not only a clear and present danger; they are a permanent danger,” said Ridge. “Companies need to see that they have a cybersecurity risk plan embedded in their risk plan.”

Ridge called the NIST framework a modest step toward minimizing the cyber threat, and added that it should be used as a way for companies to start looking at their critical assets and how to protect them from hackers.

The framework includes a taxonomy and a risk management tool that allows companies to describe their current cybersecurity condition, assess progress toward their desired cybersecurity state, identify and prioritize opportunities for improvement, and communicate cybersecurity risks to stakeholders.

Additionally, the Department of Homeland Security (DHS) created the Critical Infrastructure Cyber Community (C3) Voluntary Program. It is designed to connect companies and governmental agencies with the DHS to help manage cyber risks.

A cybersecurity risk plan can help a board understand the risks involved as well as the plans for risk mitigation. Ridge has some questions directors should consider asking management:

  • What is the governance structure around your IT?
  • Is there an individual or team accountable?
  • How often do we get reports on this accountability? Is there a dashboard?
  • Will our company be reactive or preemptive with regard to cyber threats?
  • Do we need to bring a third party to help?

Here are links to more information on cybersecurity:


Views on raising ownership threshold needed to file shareholder proposals

Back to top

Calling the current shareholder proxy proposal system outdated, burdensome, and costly, SEC Commissioner Daniel Gallagher and NASDAQ General Counsel and Chief Regulatory Officer Edward Knight have separately called for the commission to raise the ownership threshold shareholders need to meet in order to file a proxy proposal.

In a March 27 speech to Tulane University Law School, Gallagher said the SEC should limit its involvement in issues related to corporate governance and that rules, such as minimum required shareholdings and the amount of time shares are held, should be revised.

Gallagher says the $2,000 limit, which was instituted in 1998, is “absurdly low” and proposes it be raised to $200,000 or maybe even $2 million. Ultimately, however, he said the limits should be based on a fixed percentage that is “scalable, varies less over time, better aligns with the way many companies manage their shareholder relations, and is more consistent with the Commission’s existing requirements.”

In addition to including viewpoints from sitting directors, the report offers some suggested actions boards could take to improve succession planning. Those actions offered by Prof. Larcker and Scott Saslow, founder and CEO of The Institute of Executive Development, include:

In an OpEd article (Registration required) in the March 26 Wall Street Journal, Knight said the current shareholder proposal process is costly for companies. He suggests the SEC update the 1998 rule and require those shareholders with only a minimum $2,000 level of shareholder ownership to demonstrate a wider level of support, perhaps 5% or 10% of a company’s outstanding shares, in an online vote.

In his speech, Gallagher calls for the SEC to institute a “three strikes and you’re out” policy when it comes to shareholders resubmitting proposals. “That is, if a proposal fails in its third year to garner majority support, the proposal should be excludable for the following five years,” he said. “The thresholds for the prior two years should be high enough to demonstrate that the proposal is realistically on the path toward 50%, for example, 5% [in the first year] and 20% [in the second year].”

Knight and Gallagher both point to the cost to companies and the high failure rate of shareholder proposals as reasons to change the proxy proposal system. Citing his experience at NASDAQ OMX, Knight states that a proposal costs a minimum of $50,000 to process. He says that includes staff hours, outside counsel, proxy firm outreach, and outreach to investors. Gallagher adds that only 7% of proposals were approved in 2013 even though the number of proposals increased to 820 from 739 in 2012.

The Council of Institutional Investors Executive Director Ann Yerger wrote in a March 27 Wall Street Journal letter to the editor that shareholder proposals are important and do not overburden many public companies.

“The number of shares held by a proponent is irrelevant; what matters is how shareholders at large view the issue the proposal raises,” Yerger wrote. “In the end, these shareholder proposals, while generally nonbinding, have led to profound improvements in director accountability and corporate governance practices and regulations.”


More on the SEC and proxy advisory firms

Back to top

Last month SEC Chair Mary Jo White told attendees at the US Chamber of Commerce’s Capital Markets Summit that the Commission expects to review regulations for proxy advisory firms. This comes three months after the SEC held a roundtable discussing the need for regulation in that sector.

“The staff now will be making recommendations to me in the very near term about what additional action might be taken on these issues,” a March 19 Reuters article quoted White. However, she did not offer any details on any rules or changes that could be in store for proxy advisory firms, including Glass Lewis and Institutional Shareholder Services.

White’s comments come after a December SEC roundtable on proxy advisory firms where various stakeholders in the capital markets told the Commission about the advantages and disadvantages of regulation. [For more information about the roundtable, visit the SEC Proxy Advisory Services Roundtable web page or read November 2013 BoardroomDirect Issues in brief (SEC roundtable to address proxy advisory firm issues).]