Before We Adjourn: ISS vs. Target: The Good, Bad, and Ugly

by TK Kerstetter
Corporate Board Member
Third Quarter 2014

The “ugly” in this scenario is
determining a standard of
fairness for holding directors
responsible for cyber breaches
and what the ramifications
will be if even the most
governance-prudent boards
are voted out because of a
hacker’s access through a
HVAC vendor of the company.
Cyber risk and data security
have put us in a new
governance paradigm. For the
sake of our future boardroom
talent and our long-term
shareholder value, we must
find a fairer way to review
board performance, or we
risk an even greater
consequence. ..
answer to that is yes, then
maybe the bigger question is,
“Will we have any competent
or currently affluent board
candidates who will want to
risk their reputation and
wealth by serving on a board?”
I’m not saying the Target
board is without responsibility,
but I do want to take a
balanced look at the fairness
of ISS’s recommendation.

The Good—No Public Company
Should Be Exempt from Review
Proxy advisory firms and
institutional investors have the
responsibility to review board
and management performance
and call out corporations
when leadership is negligent
or underinformed and such
actions lead to a reduction in
shareholder value. ISS is right
to investigate what happened
on Target’s board and to get a
feel for how the board handles
its fiduciary duties. If it comes
out that a board was negligent
and isn’t governance sensitive,
then let the chips fall where
they may.

The Bad—Target’s Board
Deserves a Fair Review
First of all, it is important to
note that another proxy firm,
Glass, Lewis and Co., took a
different stance to the Target
breach and annual meeting
vote, saying there wasn’t
enough evidence available to
conclude the data breach was
due to negligence by Target’s
board. This is an important
point, and these directors
deserve some review before
By the time this article is
published, Target Corp. will
have had its annual meeting,
and we will know if proxy
adviser Institutional Shareholder
Services (ISS) was successful in
its recommendation that
shareholders withhold votes on
seven of Target’s 10 directors,
thereby removing them from
the board. The withhold
recommendation was based
on the significant data breach
announced by the retailer
in December 2013 and was
aimed at directors comprising
the audit and corporate
responsibility committees
who were accused of failing
to ensure appropriate
management of these risks.
Regardless of the outcome,
there is a bigger issue to be
concerned about here. Should
directors, especially those who
go about their fiduciary duties
by following good governance
practices, be held responsible
for all risks that might occur
under their watch, whether
they be cyber risks or blackswan
events? And if the
launching a “replace the
board” campaign. In fact, it’s
extremely important to note
that Target has had a track
record of being very sensitive
to effective corporate
governance. Simply put, in
my opinion, you will not find
many public companies that
have been more attentive to
establishing a prudent
governance platform. Target’s
platform has term limits,
annual management
succession reviews, an
overboarding policy, majority
voting, and no poison pill,
just to name a few. In short,
prior to this breach, this
board and shareholder support
team were governance role
models that other company
boards should aspire to.
Further, the issue of big data
and cyber risk is way too
large for any organization
(including our government
and national defense) to
completely get their arms
around to ensure absolute
security. I guarantee this will
not be the last good company
that has a big breach. So that
begs the question: Is it fair to
throw the whole lot out?

The Ugly—Board Life
after Target
If I were a betting man, I
would bet that if lawsuits on
this breach move forward,
we will find out that Target’s
board, while maybe not doing
enough, was not negligent in
its discussions over cyber
risk. I may look foolish later,
but that’s my bet today.