Target Breach: Hold Board Responsible? New Report Recommends Ousting Board Members
Although Target Corp. has already replaced its CIO and is looking for a new CEO in the wake of its major data breach, it also should replace seven of the 10 members of its board of directors, a consulting firm says in a report for shareholders.
The report contends that the board members who served on the audit and corporate responsibility committees should have provided better oversight into fraud and other cyber-risks.
The study reinforces that boards need to address cybersecurity risks just as they deal with other types of enterprise risks, says Kim Peretti, an attorney at Alston & Bird who specializes in data breach response. "Boards need to be proactively engaged in understanding IT security risk and need to be asking probing questions in advance of a breach," she says.
Report to Shareholders
Institutional Shareholder Services, which works on behalf of institutional shareholders regarding corporate governance, risk and proxy voting, prepared the new report on Target.
Released in advance of the annual Target shareholders meeting to be held June 11, the report is based on publicly disclosed information. ISS declined to comment further on its research.
"ISS believes that in light of the company's significant exposure to customer credit card information and online retailing, these [board] committees should have been aware of, and more closely monitoring, the possibility of theft of sensitive information, especially since it involves shoppers and the communities in which the company operates, as well as the overall impact on brand reputation and brand value," the report says.
Target has provided "little disclosure" of the risk assessment process conducted by the committees or the board that would "assure shareholders of a robust risk identification and oversight program," the report notes. "What may be of concern to shareholders is the failure of these committees, and possibly by extension, the full board, to recognize the potential threat faced by the company."
The report notes that in discussions with ISS, Target executives said the data breach highlighted to the board the need for greater cybersecurity. "The company acknowledged the need for more stringent internal capabilities to identify potential risks with less reliance on external reports which suggested the systems were robust enough," the report says.
ISS concludes its report by saying Target was inadequately prepared "for the significant risks of doing business in today's electronic commerce environment. The responsibility for oversight of these risks lies squarely with the audit committee and the corporate responsibility committee."
Those committees, ISS says, are responsible for overseeing risk assessment and risk management, including the risk of fraud and oversight of reputational risk. "It appears that failure of the committees to ensure appropriate management of these risks set the stage for the data breach, which has resulted in significant losses to the company and its shareholders," the report alleges.
Target recently reported its profits dropped for the second consecutive quarter (see: Post-Breach, Target Profits Decline Again).
Reaction to the Conclusions
A report from a consulting firm recommending that a company dismiss board members because of their handling of data security issues is unusual, says Peretti, the attorney. "It's the first that we're seeing [such] drastic or significant conclusions [like] in this report," she says. "Companies are still struggling with appropriate cybersecurity governance."
Ellen Giblin, an attorney at the Ashcroft Law Firm who specializes in privacy and data security, says the recommendations from ISS should serve as a wake-up call to boards of directors in all business sectors. "It's critical for board members to understand the issues and the importance of funding [security based on] the size and scope of the organization," she says.
Yet the report's recommendation to replace seven out of 10 board members seems "radical," Giblin says. "It seems like a lot to lose at once. I don't think you'd want a major turnover like that and lose that much experience and corporate knowledge of a company all at once."
Julie Conroy, research director for Aite Group, says the report highlights the need for boards and senior executives to be held accountable for cybersecurity. "We've seen numerous examples of the way in which cyber-failures have bottom-line impact," she says. "It is incumbent upon executives and boards to keep close tabs on their firms' approach to security. All board members won't be cyber-experts, but they will need to have resources available to them to help them to understand what is in place and effectively fulfill their fiduciary duty."