John Stankey, CEO of AT&T
AT&T joins a growing and shameful list of cyberattack victims who share a common story: inadequate board governance. The difference is that their board, comprised of well-connected former CEOs, should have demanded better.
The telecom giant shockingly revealed that in April, hackers “exfiltrated the files” of “nearly all” of AT&T’s more than 100 million mobile customers. The stolen records from 2022 and 2023 identify the customers’ phone and text message numbers contacted, the frequency, duration, and, for some, the location of cell towers.
This should be concerning to any user or recipient. It concerned federal investigators enough that the U.S. Department of Justice twice demanded that AT&T delay disclosure.
Technology analysts are adding AT&T to the Snowflake server security breach in which more than 150 well-known companies, including Allstate, Neiman Marcus and Ticketmaster, failed to use simple multi-factor authentication to protect customer data.
Brian Krebs, an investigative cyber journalist, writes: “It remains unclear why so many large companies persist in believing it is acceptable to store so much sensitive customer data with so few security measures. One reason may be that, aside from the class-action lawsuits that invariably follow these breaches, few companies are held accountable for their sloppy security practices.”
Chaos is often the result of silent boards, where directors too often lack the awareness, interest, motivation and/or skills to assess and manage the risks associated with cyberattacks. As for AT&T’s board, it’s the omissions in proxy statements that speak volumes.
The shadows follow
Despite ubiquitous information about digital dangers and its own long history of breaches dating back to 2001, AT&T’s dismissive approach to cybersecurity is hiding in plain sight.
In its 80-page proxy statement for 2024, the word “cybersecurity” appears only four times: once in a director’s bio related to his private equity background and the rest hidden in superficial verbiage about the board and audit committee’s duties.
Lazily, two of the four investor relations cases repeat themselves textually“The Audit Committee also reviews and discusses with management the Company’s privacy and data security, including cybersecurity, risk exposures, policies and practices, including the steps taken by management to detect, monitor and control such risks and the potential impact of such exposures on the Company’s business, financial results, operations and reputation” on pages 20 and 36 of the proxy statements. In one instance, a similarly vague statement, “in addition, the Audit Committee, as well as the Board of Directors, receives reports from executives with cybersecurity responsibilities” follows.
Unsurprisingly, its 8-K disclosure about the April breach concludes: “AT&T has represented to the SEC that it does not believe this incident is likely to have a material impact on AT&T’s financial condition or results of operations.” That remains to be seen.
Coincidentally, in April the FCC fined the major wireless carriers a collective $200 million for knowingly sharing customer data. Although AT&T reported revenue of more than $120 billion in 2023, the materiality could affect the company’s “business, financial results, operations and reputation,” to use the jargon of the proxy statement.
This is exactly what boards often forget: A foray into cyber remediation only distracts from strategy execution. And that’s the last thing CEO John Stankey needs as he enters his fifth year at the helm of the company. Since he became CEO in mid-2020, AT&T shares have fallen more than 17%, while the S&P and Dow have climbed 79% and 55%, respectively.
Teletransplant
The SEC’s long-awaited regulations exclude requirements for cyber expertise on the board of directors or technical committees. AT&T has happily complied with these requirements.
In May, the party re-elected ten members of its board, seven of whom had been on the board for ten years or more. It is a classic example of retrenchment.
The proxy groups technology and innovation as a qualification, provides no definition of skills, and identifies five directors (Stankey, Marissa Mayer, Glenn Hutchins, Stephen Luczo, and Luis Ubiñas) with such experience. All of this deserves much closer examination.
Its newest member, tech mogul Mayer, 48, CEO of artificial intelligence startup Sunshine Products and Walmart executive, lowers the board’s average age to 64. She led Yahoo! through its infamous IT troubles and eventual sale to Verizon.
Stankey, an executive who stayed on after the Time Warner sale, briefly served as AT&T’s CIO and CTO from 2003 to 2006. Luczo is a managing partner at Crosspoint Capital, a private equity firm “focused on cybersecurity and data privacy.” He is also the former chairman and CEO of data storage company Seagate.
The others are a bit of a stretch. The proxy statement says that Hutchins, an investment banker and co-president of the Brookings Institution, “brings significant expertise in leadership, business planning and human capital management.” Ubiñas, a former McKinsey partner and Ford Foundation director, now chairs the Statue of Liberty-Ellis Island Foundation.
The others, in alphabetical order, bring skills in the political, executive and financial fields.
- Scott Ford, a board member since 2012, is the current CEO of Westrock Coffee Company and a former executive at telecommunications company Alltell, now part of Verizon. He “has experience managing complex business operations in diverse regulatory environments internationally and has led several major business transformations.”
- William Kennard, chairman of the board, trained as a lawyer and held senior positions at the FCC in the 1990s. His career later took him to work at Carlyle Asset Management and as U.S. ambassador to the European Union.
- Michael McAllister is the former CEO of health care provider Humana.
- Beth Mooney, former CEO and president of KeyCorp Bank, worked at the Federal Reserve.
- Matthew Rose is the former CEO and chairman of BNSF railroad.
- Cynthia Taylor is currently CEO of energy company Oil States International. She is a certified public accountant and has worked at EY and the Federal Reserve.
In a room with senior management credentials, couldn’t someone push for more attention to cybersecurity?
The top board appointments offer significant compensation and access. Each earned more than $400,000 in 2023, and Chairman Kennard earned more than $850,000. Stankey has earned more than $22 million per year in total compensation in each of the past three years.
They now find themselves with a mess that could well “become” big. In addition to likely customer compensation and class action settlements, are congressional hearings, regulatory sanctions and remediation penalties looming? This is eroding executives’ time for strategy.
Perhaps, in the end, for boards of directors, crisis management trumps risk management. But is the golden parachute worth the cost? And where could more than 100 million customers turn to regain their privacy and security? Who does your board call?