Harry Truman famously had a sign on his desk in the Oval Office that said: “The buck stops here!” Certainly this is not what Harry meant, but a buck is not worth now what it was during his presidency. Truman probably would not recognize how political responsibility has evolved either. What has not changed, though, is the visceral appeal of that slogan, and how it speaks to a leader’s assumption of responsibility. Its simplicity, however, masks an important consideration: just because it is courageous, comforting, and evidence of strong leadership for an institution’s ultimate directing mind(s) to assume responsibility, it does not always mean in all cases responsibility should rest there. (My children often point out to me when I identify issues like this I express them in a manner as confusing as the message in a fortune cookie, which I could accept until the characterization was recently refined to say this would only be the case if the fortune cookies were baked large enough to house the pompous verbosity of an old lawyer. Ouch.)
What triggered this reflection on responsibility was the recent shareholder meeting of Target Corp. The story started at the end of last year, when hackers stole information associated with approximately 40 million credit and debit card accounts of Target’s customers during the holiday season. The theft had very significant consequences for Target and its shareholders, including the expenditure of many millions of dollars in investigations, training and security enhancements, the resignations of the company’s chief executive and chief information officers, the initiation of multiple claims against the company, and a meaningful decline in the market price of the company’s shares.
In the lead up to Target’s 2014 annual meeting of shareholders, Institutional Shareholder Services Inc., a powerful proxy advisory firm, recommended Target’s shareholders vote against the election of seven of its 10 director nominees for “failing to provide sufficient risk oversight” in connection with the company’s cybersecurity breach. ISS asserted the seven directors, who were members of the Target board’s audit and/or corporate responsibility committees, failed to properly monitor the risk of theft of customer information.
I have written previously in this space about the role of proxy advisory firms, and so will not repeat myself. I will note, however, since that time the Canadian Securities Administrators have advised they will develop a policy-based approach to the regulation of proxy advisory firms, in order to promote transparency and understanding in proxy advisory services.
What is notable in the case of Target is the assumption made in ISS’ recommendation about the role and responsibilities of the board. In making its recommendation, ISS highlighted the role of the audit and corporate responsibility committees in providing risk oversight and, in the context of Target’s business, found these committees should have been more cognizant of the company’s exposure to cyber attacks and better prepared. This raises the question of the scope of board responsibilities. If the board’s oversight role is focused on risk identification and assessment, and ensuring the company implements appropriate systems and personnel to detect and monitor risks, is it clear there were oversight failures simply because there was a breach? Target noted in its proxy statement “the primary responsibility for the identification, assessment and management of the various risks that we face belongs with management,” and Target’s senior executives tendered their resignations. ISS also criticized Target for not having an independent chairperson of its board of directors and suggested this may have played a role in the board’s failure to provide effective risk oversight.
At a higher level, the real question is whether companies would be better off replacing boards entirely, or at least in part, in cases such as this. At the recent Target shareholder meeting, all of the board members (including the seven ISS had recommended against) were voted back into office by significant margins. This perhaps suggests the shareholders have spoken, at least in this circumstance, as to their view of the proper sphere and consequences of board responsibility.
Ultimately, as with many legal issues, each circumstance is very fact-specific, and the answer that best serves the interests of the company will depend on the forces at play. Target’s shareholders demonstrated their recognition that imposing ultimate responsibility on the board for every adverse occurrence may be unwarranted or worse. Those seeking clear direction on how this principle applies in all cases will be disappointed, sort of like receiving the apocryphal fortune cookie message: “Your fortune is in another cookie.”
Neill May is a partner at Goodmans LLP in Toronto focusing on securities law, with an emphasis on M&A and corporate finance. E-mail him at email@example.com. The opinions expressed in this article are those of the author alone.