AT&T joins a growing and humiliating list of victims of corporate cyberattacks that share a common story – inadequate board governance. What’s different is that its board, filled with ex-CEOs and the well-connected, should have asked better questions.
The telecom giant shockingly revealed that, in April, hackers “exfiltrated the files” of “almost all” of AT&T’s 100 million wireless customers. The stolen data, from 2022 and 2023, identifies customers’ voice and text contact numbers, frequency, duration and, for some, cell tower locations.
This should concern any user or recipient. It worried federal investigators enough that the US Department of Justice twice requested that AT&T delay disclosure.
Technology analysts blame AT&T for the Snowflake server security bug in which more than 150 popular companies, including Allstate, Neiman Marcus and Ticketmaster, failed to use simple multi-factor authentication to protect customer data.
Investigative cyber reporter Brian Krebs wrote: “It remains unclear why so many large corporations continue to believe it is somehow acceptable to store so much sensitive customer data with so little security protection. This may be because, aside from the class action lawsuits that invariably follow these breaches, there are few holding companies accountable for lax security practices.”
Chaos often emanates from quiet boardrooms where directors lack the awareness, interest, drive and/or competence to assess and address cyber risk. As for AT&T’s deep chart, it’s the proxy statement releases that speak volumes.
Shadows follow
Despite the omnipresent news of digital risk and its long history of breaches dating back to 2001, AT&T’s dismissive cyber approach hides in plain sight.
In its eighty-page 2024 proxy statement, the word “cybersecurity” appears only four times: once in a director’s biography related to private equity experience, and the rest hidden in the perfunctory wording of board and audit committee assignments.
Lazily, two of the four mentions are repeated verbatim: “The audit committee also reviews and discusses with management the company’s data privacy and security, including cyber security, risk exposures, policies and practices, including the steps management has taken to detect, monitor and control such risks and the potential impact of these exposures on the company’s business, financial results, operations and reputation” on proxy pages 20 and 36. In one instance, a similarly vague statement follows: “furthermore, the audit committee, as well as the board of directors, receive reports from officials with responsibility for cyber security.”
Not surprisingly, its 8-K disclosure about the April breach concludes, “AT&T told the SEC that it does not believe this incident is likely to materially affect AT&T’s financial condition or results of operations.” That remains to be seen.
Incidentally, in April, the FCC fined the major mobile carriers $200 million collectively for consciously sharing customer data. While AT&T reported over $120 billion in 2023 revenue, the materiality could affect the company’s “business, financial results, operations and reputation,” to use the proxy statement’s phrase.
This is exactly what boards often miss – cyberattack remediation only sidetracks strategy execution. And that’s the last thing CEO John Stankey needs as he enters his fifth year at the helm. Since he became CEO in mid-2020, AT&T shares are down over 17%, while the S&P and Dow are up 79% and 55%, respectively.
Telegraft
The long-awaited SEC regulations exclude board cyber expertise or technology committee requirements. AT&T happily agreed.
In May, it re-elected ten board members, seven of whom have been on the board a decade or more. This is classic entrenchment.
The proxy conflates technology with innovation as a qualification, offers no definition of the skill, and labels five directors (Stankey, Marissa Mayer, Glenn Hutchins, Stephen Luczo, and Luis Ubiñas) as having such experience. All warrant a much closer look.
Its youngest member, 48-year-old tech mogul Mayer, CEO of AI startup Sunshine Products and a Walmart director, lowers the board’s average age to 64. She led Yahoo! during its infamous cyber troubles and eventual sale to Verizon.
Stankey, an executive from the Time Warner sale, briefly served as AT&T’s CIO and CTO from 2003-2006. Luczo is a managing partner of Crosspoint Capital, a private equity firm “focused on cybersecurity and data privacy.” He is also the former chairman and CEO of data storage firm Seagate.
Others are a stretch. Hutchins, an investment banker and co-chairman of the Brookings Institution, “brings significant leadership, business planning and human capital management expertise,” the proxy says. Ubiñas, a former McKinsey partner and head of the Ford Foundation, now heads the Statue of Liberty-Ellis Island Foundation.
Others, alphabetically, bring political, executive and financial services chops.
- Scott Ford, a board director since 2012, is the current CEO of Westrock Coffee Company and former head of telecom Alltel, now part of Verizon. He “has experience managing complex business operations in diverse regulatory environments internationally and has led several major business transformations.”
- William Kennard, chairman of the board, trained as a lawyer and served in senior jobs at the FCC in the 1990s. His later career included stints at asset management firm Carlyle and as US ambassador to the European Union.
- Michael McAllister is the former CEO of healthcare provider Humana.
- Beth Mooney, former CEO and chairman of KeyCorp bank, served at the Federal Reserve.
- Matthew Rose is the former CEO and chairman of the BNSF railroad company.
- Cynthia Taylor is currently CEO of energy firm Oil States International. She is a CPA with experience at EY and the Federal Reserve.
In a room full of C-suite credentials, couldn’t someone push for more cyber attention?
High-profile board appointments bring huge salaries and access. Each director fetched over $400,000 in 2023, with Kennard, as chair, collecting over $850,000. Stankey made over $22 million annually in total compensation in each of the past three years.
Now they have a mess that could very well “become” material. In addition to potential customer payouts and class action settlements, could Congressional hearings, regulatory sanctions, and remedial penalties be looming? This erodes c-suite strategy time.
Perhaps, after all, for entrenched boards, crisis navigation defines caution. But is the golden parachute worth the career crash? And where can 100+ million customers go to reclaim their privacy and security? Who is your board calling?