by Steven Haas

Steven Haas (photo courtesy of author)

Glass Lewis & Co. recently published its updated Benchmark Policy Guidelines for 2024 (the “Policy”), which reflect investors’ continuing focus on corporate disclosure and board oversight of cyber risks. The Policy indicates that Glass Lewis may recommend “against” directors following a cybersecurity incident if it finds the board’s risk oversight or its post-incident response to be insufficient. The Policy also provides guidance on what Glass Lewis expects companies to disclose after such an incident.  

While the updated Policy says Glass Lewis generally will not make voting recommendations based on cyber oversight or disclosure, it states that, if “a company has been materially impacted by a cyber-attack, we may recommend against appropriate directors should we find the board’s oversight, response or disclosures concerning cybersecurity-related issues to be insufficient or are not provided to shareholder.” 

With respect to disclosure, the updated Policy provides that, if “a company has been materially impacted by a cyber-attack,” Glass Lewis “believe[s] shareholders can reasonably expect periodic updates from the company communicating its ongoing progress towards resolving and remediating the impact of the cyber-attack.” For example, Glass Lewis indicates that a company’s disclosure would include “details such as when the company has fully restored its information systems, when the company has returned to normal operations, what resources the company is providing for affected stakeholders, and any other potentially relevant information, until the company considers the impact of the cyber-attack to be fully remediated.” The Policy states, however, that companies should not “reveal specific and/or technical details that could impede the company’s response or remediation of the incident or that could assist threat actors.”

Steven Haas is a Partner at Hunton Andrews Kurth LLP. This post first appeared on the firm’s blog.

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity or any statements made on this site and will not be liable any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).