Media and Cybersecurity
Investors are reflecting societal debate about how electronic media use and abuse deeply influence everyday life and the nature of public discourse in two types of proposals in 2018—at the three big social media platforms, Alphabet, Facebook and Twitter—and at credit reporting agency Equifax, with a related proposal to Express Scripts on cyber risk and personal health information. (Also see ESG Pay Links for a proposal seeking an executive pay link to cybersecurity oversight.)
Arjuna Capital first raised concern about “fake news” last year at Alphabet and Facebook; its proposal seeking a report about the phenomenon and a review of its impact on “the democratic process, free speech, and a cohesive society, as well as reputational and operational risks” earned scant support at these closely held companies (1.4 percent at Alphabet and 0.8 percent at Facebook). But proponents persist. Arjuna joined NYSCRF and Harrington Investments to file again at both companies in 2018, adding Twitter as well. The Illinois Treasurer’s Office, a new proponent, joined in.
At Alphabet, the 2018 resolution asks for a report “on major global content management controversies (including election interference)…reviewing the efficacy of governance, oversight and policies on content disseminated on its platform and assessing the magnitude of any risks posed to the company’s finances, operations, and reputation.” It suggests the report “include assessment of the scope and scale of platform abuses and address related ethical concerns on the use of artificial intelligence.”
The proposal introduces the idea of the company as an “information fiduciary” and asserts it has an “obligation to demonstrate how it responsibly manages content on its platform” because its “disclosures have been minimal, guarded, and inadequate.” The problem is made acute because of continued controversy over the role Google, Alphabet’s subsidiary, played in the 2016 U.S. election “and what experts say is an ongoing threat to the democratic process,” the resolution says. The proponents reason that because ads designed by Russian agents seem to have affected YouTube and Google, the company is at risk, as are its investors. It points to multiple congressional investigations and the possibility of legislation that will require more disclosure about ad purchases, Google’s main source of revenue. In short, tech companies’ predominance could prompt lawmakers to put in place tighter regulations that force greater transparency and accountability, as is happening in Europe. Ad revenue also could be reduced if companies flee digital platforms that sully their brands, the proposal suggests, which has occurred if companies’ ads become “associated with objectionable content.”
At Facebook and Twitter, the resolution is slightly different. At Facebook it asks for a report “on the major global content management controversies (election interference, hate speech and violence)… reviewing governance oversight and policies to assess the ethical, legal, and reputational risks of content disseminated on its platform.” At Twitter, the list of concerns is “election interference, fake news, hate speech and sexual harassment.”
In her speech at the Davos economic summit this January, British Prime Minister Theresa May connected economic development and security to internet company activity, specifically highlighting a role for investors and corporate social responsibility and this shareholder activity. She said:
…investors can play a vital role by considering the social impact of the companies they are investing in. This is fundamental to the proper functioning of markets, choice and competition. Shareholders should care about these social impacts because the business model of a company is not sustainable if it does not command public support and consent…. For example, earlier this month a group of shareholders demanded that Facebook and Twitter disclose more information about sexual harassment, fake news, hate speech and other forms of abuse that take place on the companies’ platforms.
May concluded, “So investors can make a big difference here by ensuring trust and safety issues are being properly considered. And I urge them to do so.”
The UAW Retirees’ Medical Benefits Trust wants a report from Equifax, where the information of more than 145 million Americans was hacked last year. Using the same approach employed with the opioid crisis report request at Amerisource Bergen, noted above, the proposal asks for a report
on the governance measures Equifax has implemented to more effectively monitor and manage financial and reputational risks related to cybersecurity incidents that have a material effect on the company, including whether Equifax has revised senior executive compensation metrics or policies, adopted or changed mechanisms for obtaining input from stakeholders, made changes to the Board or Technology Committee evaluation process, implemented additional director education on cybersecurity or altered criteria for the Board’s evaluation of director nominees.
NYSCRF has filed at Express Scripts, which has challenged the proposal at the SEC, arguing it relates to ordinary business, but the commission has not responded yet. The proposal seeks a report “on its cyber risk and actions taken to mitigate that risk.” It says the report should include:
- aspects of business or operations that give rise to material cyber risk;
- the extent to which the Company outsources functions that have material cyber risks, descriptions of those functions and how the Company addresses those risks;
- descriptions of cyber incidents experienced by the Company that individually or in the aggregate are material, including a description of costs and consequences;
- risks related to cyber incidents that remain undetected for an extended period;
- description of relevant insurance coverage;
- compliance, regulatory or contractual obligations related to cyber risk;
- certification to widely recognized standards;
- and how cyber risks and cyber incidents are reflected in financial statements.
The report should also discuss the scope and frequency of the Board’s oversight of cyber risks which may include review of relevant systems, policies, and procedures, related to:
- determining critical assets (e.g., customer information);
- employee training on data security and privacy-related risks;
- due diligence for third party vendors and potential acquisitions;
- data breach and incident response plans;
- minimization of data collection and retention; and
- security policies and audit frequency