In the run-up to proxy season, boards are facing a high level of pressure to address cyber risks amidst increased shareholder scrutiny. We spoke to Sharon Klein, partner and co-chair of the privacy, security and data protection practice at Blank Rome LLP, and Yelena Barychev, partner and co-lead of the ESG team at Blank Rome, about considerations for boards ahead of proxy season and liabilities that can arise from the SEC’s disclosure rules on cyber.
Directors & Boards: What do you believe boards need to consider in the area of cybersecurity ahead of the coming proxy season?
Sharon Klein: In reviewing the company’s proxy statement for the 2024 annual meeting of shareholders, the board needs to ask management how cybersecurity disclosures made in the company’s annual report on Form 10-K are being reconciled with disclosures drafted for the proxy statement and whether they are consistent with each other.
Under the SEC rules adopted in July 2023, every public company discloses information regarding cybersecurity risk management, strategy and governance in its annual report on Form 10-K, which may overlap with information that the company also has to disclose in its proxy statement. For example, a public company is required to: disclose the “extent of the board’s role in the risk oversight” of the company in its proxy statement, as well as “[d]escribe the board of directors’ oversight of risks from cybersecurity threats” and identify, if applicable, “any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats” in its Form 10-K. Although the SEC has drawn a narrow distinction between these requirements and stated that “the former requires description of the board’s leadership structure and administration of risk oversight generally, while the latter requires detail of the board’s oversight of specific cybersecurity risk,” it is likely that a public company will be discussing its focus on cybersecurity in the risk oversight section of the proxy statement and such disclosures should be consistent with its Form 10-K.
DB: How would you describe the level of shareholder scrutiny around cybersecurity at this time? Is it higher than we have seen in the past? Has it risen incrementally? What are you observing?
Yelena Barychev: Disclosures of material cybersecurity incidents in its current report on Form 8-K, as well as disclosures regarding cybersecurity risk management, strategy and governance in its annual report on Form 10-K, under the SEC rules adopted in July 2023, will likely result in increased shareholder scrutiny of how the company is addressing its cybersecurity vulnerabilities. Based on Form 10-K disclosures, shareholders will be able to evaluate the company’s processes for assessing, identifying and managing material risks from cybersecurity threats, including the processes by which the company evaluates critical third parties, how the board or board committee responsible for the oversight of risks from cybersecurity threats is informed about such risks, and management’s role in assessing and managing the company’s material risks from cybersecurity threats.
In its 2024 Benchmark Policy Guidelines, Glass Lewis stated that cyber-related disclosure “can help shareholders understand the seriousness with which companies take this issue.” Glass Lewis also indicated that if “cyberattacks have caused significant harm to shareholders,” it “will closely evaluate the board’s oversight of cybersecurity as well as the company’s response and disclosures.” But if “a company has been materially impacted by a cyber-attack,” Glass Lewis may recommend against appropriate directors, provided it finds “the board’s oversight, response or disclosure concerning cybersecurity-related issues to be insufficient, or are not provided to shareholders.”
"Cybersecurity Considerations for Proxy Season," by Bill Hayes was published in Directors & Boards March 26, 2024.