Clorox’s 2023 investor meeting exemplifies and re-affirms why corporate cyber governance too often remains primarily a rhetorical charade.
Just a few months after a devastating summertime cyberattack that upended production, dented revenues by nearly $500 million and cut valuation over $3 billion, Clorox opted to further entrench, empower and enrich its board and c-suite.
The consumer products giant rewarded CEO Linda Rendle with the self-supervising dual title of board chair. Matthew Shattock, the chair during the recent crisis, was retained and simply re-designated as the board’s lead independent director. The other ten directors ran unopposed and were summarily re-appointed.
Intriguingly, during its proxy meeting week, the company also internally circulated a vague memo announcing chief information security officer Amy Bogac’s departure.
Those simultaneous, well-orchestrated moves illustrate the whispered reality of many corporate boardrooms. If and when breaches occur, blame hostile external actors, fund remediation and pin responsibility on IT staff. That tacit approach places CISOs in an unwinnable position — keep your well-paying, high-stress job by acquiescing to board cyber apathy and bear the career downside when severe incidents occur.
Show Don’t Tell
Proxy statements, a grossly underutilized information well, can quickly reveal (or conceal) much about strategy, corporate governance and incentives. For instance, despite Clorox’s massive cyber crisis, its 2023 proxy is filled with several concerning, lax “business as usual” governance red flags, including:
- The opening statements from the outgoing chair Shattock and CEO Rendle make zero mention of cybersecurity. Although the large-scale August cyber breach occurred after the June 2023 fiscal year end, it easily qualifies as a material financial reporting “subsequent event.” Curiously, tucked 35 pages deep in the proxy is the following boilerplate disclosure: “the Board has provided oversight with respect to management’s investigation of and response to the cyber attack disclosed by the Company on August 14, 2023, including, but not limited to, public disclosures, the operational and financial impact, and the Company’s remediation efforts.” Remarkably, such noteworthy bad news was omitted from the top two leaders’ letters.
- The proxy statement recommended re-election of all twelve directors, and all were re-appointed. Even setting the breach aside, Clorox’s post-pandemic struggles are well documented. Shares are down over 33% since CEO Rendle took charge in September 2020. Conversely, her total compensation grew each year, including a 36% bump to over $11.6 million for FY 2023.
- Despite the cyber crisis and rapidly evolving digital era demands, Clorox chose not to establish a technology or cybersecurity committee. Therefore, cybersecurity remains one of numerous audit committee responsibilities.
- The proxy statement designates eight directors for cybersecurity oversight. Yet, none has any professional IT or cyber experience. Audit committee chair Christopher Williams is an investment banker. While audit committee member Julia Denman works in finance and compliance at Microsoft, experience at a tech firm hardly qualifies as cybersecurity expertise.
- In a statement on cyber readiness, the proxy indicates that “the Company’s cyber preparedness team is led by our chief information and data officer and our chief information security officer.” However, chief information and data officer Chau Banks is not a proxy-worthy “named executive officer.” Her exclusion signals a diminished c-suite role. The CISO was likely yet another layer removed from the board, as Bloomberg disclosed that Banks will assume CISO responsibilities until a replacement is found. Such job consolidation, even on an interim basis, compounds risk, especially while Clorox’s recovery continues.
- The proxy statement outlines a seven-point cyber preparedness plan which includes common practices such as NIST compliance, insurance coverage, benchmarking and consulting guidance. Notably and worryingly, the wording is nearly identical to the 2022 and prior-year disclosures. Clearly, the sizable 2023 breach and business interruption warrant more than a “copy and paste.” More substantively, the cyber defense design and implementation proved insufficient. No insights are offered about whether, how or when Clorox will fortify future policies and practices.
The chasm between boards and cybersecurity leaders is a profound problem.
A recent survey of 600 board members published in the Harvard Business Review by Lucia Milică and Keri Pearlson found “despite investments of time and money, most directors (65%) still believe their organizations are at risk of a material cyberattack within the next 12 months, and almost half believe they are unprepared to cope with a targeted attack.” Further, the study revealed that “just 69% of responding board members see eye-to-eye with their CISOs. Fewer than half (47%) of members serve on boards that interact with their CISOs regularly, and almost a third of them only see their CISOs at board presentations.”
In turn, it’s not surprising that, despite widespread corporate posturing and espoused cyber risk concern, “weather the storm” remains a common governance crisis response. Serious boards forge real accountability plans through tough conversations, independent assessments and meaningful agreement well before setbacks occur.
A close look shows that Clorox’s proxy day scripts the organizational oligarchs’ crisis survival playbook. Do and spend just enough to avoid compliance, regulatory and legal headaches, persevere through bad press and escape with little or no consequence to personal prestige, professional identity and hefty income streams.
Was Clorox cyber chief Bogac’s departure an exasperated resignation or a board abandonment? We may never know, as airtight employee separation agreements are rarely made public. And who’s really reading proxy statements anyway?