BlackRock's Q2 Investment Stewardship Report contains important insights into what it considers effective cybersecurity risk mitigation, drawn from its 2017 engagement with an unnamed consumer credit reporting agency that had experienced a major data breach.
Among the share-worthy takeaways:
- Acknowledging that corporate cybersecurity controls necessarily vary by sector, BlackRock aims to understand how the board oversees company-specific business operation and client/consumer data risks.
- Responsive risk-mitigation actions taken by the company that BlackRock found noteworthy include:
  - Leadership changes (CEO, CIO, CISO)
  - Structural changes: formation of a technology committee to conduct an independent review of the incident and report to the board; retention of outside consultants; expansion of internal team expertise; enhancement of operational protocols
  - Compensation program changes: expansion of the clawback policy to cover misconduct or failure of oversight that results in significant financial or reputational harm; addition of a cybersecurity performance measure as one of the metrics used to evaluate employee performance under the annual bonus plan; discontinuation of performance share grants tied to 3-year cumulative adjusted earnings per share, to avoid incentivizing under-investment in cybersecurity
- The company has been responsive to shareholders in disclosing information that enables them to assess management and board oversight of material cyber risks.
BlackRock's accounts of other engagement scenarios provide, among other things, instructive reminders of its expectation that activist settlements be investor-informed, its related preference for independent director nominees over activist fund nominees, and its new (for 2018) CEO over-boarding policy (page 3 of the report).