Citing significant risks associated with multiple recent data breaches, Verizon Communications investors have filed a shareholder proposal calling on the company’s board to link senior executive compensation to the effectiveness of its cyber security and data privacy practices.
While Verizon has long claimed that data privacy and data security are top priorities, the proposal notes, in 2016 the company’s division that helps Fortune 500 companies respond to data breaches suffered a data breach of its own, including information on some 1.5 million customers of Verizon Enterprises.
Verizon’s acquisitions of Yahoo! and AOL – and the company’s plan to combine the firms into a new digital media and advertising company called Oath, with billions of customers – raise additional concerns, according to the shareholders. In October 2017, it was announced that all three billion accounts in Yahoo! had been breached prior to its acquisition by Verizon.
Trillium Asset Management filed the shareholder proposal on behalf of its client, the Park Foundation. The New York State Common Retirement Fund is a co-filer of the proposal, which will be voted on at Verizon’s annual meeting on May 3 in Renton, Washington.
“We want Verizon executives to put money where their mouths are and to adopt accountability mechanisms that link compensation to security and privacy performance,” said Jonas Kron, senior vice president of Trillium Asset Management. “Saying ‘Trust us’ and providing a list of protocols is not enough. Executive compensation is already linked to key metrics such as earnings per share, free cash flow and revenue; cyber security and data privacy are equally important mission-critical concerns.”
Jon Jensen, Executive Director of the Park Foundation, said: “The only way Verizon will take this issue seriously is if the leadership at the top of the company see real personal consequences for failing to do so. Verizon has the ability to create state-of-the-art security and privacy protection. It owes that to its customers and shareholders.”
Establishing how to put a price and a value to the management of these risks is well within Verizon’s abilities. Last year Verizon renegotiated its acquisition of Yahoo! after disclosure of massive hacking incidents. Verizon’s general counsel said in December that the company felt it had “enough clarity that we can put parameters around the risk here and negotiate a deal that effectively compensates us for the risk.” Verizon should now put a price on the performance of its own executives in addressing cyber security and data privacy concerns, Kron said.
Michael Connor, Executive Director of Open MIC, a non-profit that works to foster shareholder engagement with tech and media companies, noted that the shareholder proposal addresses issues that are critically important to Verizon’s future growth. “Verizon talks a lot about the importance of cyber security and privacy – which is admirable – but breaches that affect millions can have serious repercussions,” Connor said. “If Verizon is going to succeed with its plan to make Oath a global advertising platform with an audience of billions, it needs to incentivize senior management to protect customer data and privacy.”
The shareholder proposal notes that in September 2017, the co-director of the Securities and Exchange Commission’s Enforcement Division announced the creation of a “Cyber Unit” stating, “Cyber-related threats and misconduct are among the greatest risks facing investors and the securities industry.” And prior to becoming the Chairman of the SEC, in his capacity as a private sector attorney, Jay Clayton wrote that “cyber-threats are among the most urgent risk to America's economic and national security and the personal safety of its citizens.” But recent guidance from the SEC does little to incentivize executives to do better. Until that happens investors need to demand accountability.
Verizon had sought to keep the proposal from being voted on by shareholders, arguing recently to the staff of the SEC that cyber security and data privacy were “ordinary business” issues. In a letter this month, the SEC staff rejected the company’s argument, the first time the SEC staff has considered and permitted a shareholder proposal on cyber security and data privacy.
Important Disclosure: This is not a recommendation to buy or sell any of the securities mentioned. It should not be assumed that investments in such securities have been or will be profitable. The specific securities were selected on an objective basis and do not represent all of the securities purchased, sold or recommended for advisory clients.