Glass Lewis & Co. recently published its updated Benchmark Policy Guidelines for 2024 (the “Policy”), which reflect investors’ continuing focus on corporate disclosure and board oversight of cyber risks. The Policy indicates that Glass Lewis may recommend “against” directors following a cybersecurity incident if it finds the board’s risk oversight or its post-incident response to be insufficient. The Policy also provides guidance on what Glass Lewis expects companies to disclose after such an incident.
While the updated Policy says Glass Lewis generally will not make voting recommendations based on cyber oversight or disclosure, it states that, if “a company has been materially impacted by a cyber-attack, we may recommend against appropriate directors should we find the board’s oversight, response or disclosures concerning cybersecurity-related issues to be insufficient or are not provided to shareholders.”
With respect to disclosure, the updated Policy provides that, if “a company has been materially impacted by a cyber-attack,” Glass Lewis “believe[s] shareholders can reasonably expect periodic updates from the company communicating its ongoing progress towards resolving and remediating the impact of the cyber-attack.” For example, Glass Lewis indicates that a company’s disclosure would include “details such as when the company has fully restored its information systems, when the company has returned to normal operations, what resources the company is providing for affected stakeholders, and any other potentially relevant information, until the company considers the impact of the cyber-attack to be fully remediated.” The Policy states, however, that companies should not “reveal specific and/or technical details that could impede the company’s response or remediation of the incident or that could assist threat actors.”