AT&T joins a growing and ignominious list of corporate cyberattack victims who share a common story — inadequate board governance. What’s different is that their board, stacked with former and well-connected CEOs, should have demanded better.
The telecom giant shockingly disclosed that, in April, hackers “exfiltrated files” of “nearly all” of AT&T’s over 100 million wireless customers. The stolen 2022 and 2023 records identify the numbers customers called and texted, the frequency and duration of those contacts and, for some, cell tower locations.
That should worry any user or recipient. It concerned federal investigators enough that the U.S. Department of Justice twice demanded AT&T postpone disclosure.
Tech analysts add AT&T to the victims of the Snowflake server security lapse, in which over 150 well-known companies, including Allstate, Neiman Marcus and Ticketmaster, failed to use simple multi-factor authentication to protect customer data.
Cyber investigative journalist Brian Krebs wrote, “It remains unclear why so many major corporations persist in the belief that it is somehow acceptable to store so much sensitive customer data with so few security protections. That may be because, apart from the class-action lawsuits that invariably ensue after these breaches, there is little holding companies accountable for sloppy security practices.”
The chaos frequently stems from quiet boardrooms where directors too often lack awareness, interest, incentive and/or competence to appreciate and address cyber risk. As for AT&T’s deep board, it’s the proxy statement omissions that tell much.
Shadows Follow
Despite omnipresent digital danger news and its own lengthy breach history dating back to 2001, AT&T’s dismissive cyber approach hides in plain view.
In its eighty-page 2024 proxy statement, the word “cybersecurity” appears just four times — once in a director’s biography related to private equity experience and the rest stashed in perfunctory board and audit committee duties verbiage.
Lazily, two of investor relations’ four instances repeat verbatim, “The audit committee also reviews and discusses with management the company’s privacy and data security, including cybersecurity, risk exposures, policies, and practices, including the steps management has taken to detect, monitor and control such risks and the potential impact of those exposures on the company’s business, financial results, operations and reputation” on proxy pages 20 and 36. In one case, a similarly vague statement, “in addition, the audit committee, as well as the board of directors, receive reports from officers with responsibilities for cybersecurity” follows.
Not surprisingly, its 8-K disclosure about the April breach concludes, “AT&T told the SEC it does not believe this incident is likely to materially impact AT&T’s financial condition or results of operations.” That remains to be seen.
Coincidentally, in April, the FCC fined the big mobile carriers $200 million collectively for knowingly sharing customer data. While AT&T reported over $120 billion in 2023 revenues, materiality can affect the company’s “business, financial results, operations and reputation,” to use the proxy statement’s parlance.
That’s exactly what boards so often miss — a foray into cyber remediation only detours strategy execution. And that’s the last thing CEO John Stankey needs as he enters his fifth year at the helm. Since he became CEO in mid-2020, AT&T shares are down over 17%, while the S&P and Dow soared 79% and 55%, respectively.
Tele-graft
The SEC’s long-awaited regulations exclude board cyber expertise or tech committee requirements. AT&T gladly complied.
In May, it re-elected ten board members, seven of whom have been on the board a decade or more. That’s classic entrenchment.
The proxy bundles technology with innovation as a qualification, provides no skills definition and tags five directors (Stankey, Marissa Mayer, Glenn Hutchins, Stephen Luczo and Luis Ubiñas) with such experience. All warrant a much closer look.
Its newest member, 48-year-old tech magnate Mayer, CEO of AI startup Sunshine Products and a Walmart director, lowers the board’s average age to 64. She headed Yahoo! during its notorious cyber woes and eventual sale to Verizon.
Stankey, an executive holdover from the Time Warner divestiture, did serve briefly as AT&T’s CIO and CTO from 2003-2006. Luczo is a managing partner of Crosspoint Capital, a private equity firm “focused on cybersecurity and data privacy.” He is also the former chair and CEO of data storage firm Seagate.
The others are a stretch. The proxy indicates that Hutchins, an investment banker and Brookings Institution co-chair, “brings significant leadership, business planning and human capital management expertise.” Ubiñas, a former McKinsey partner and Ford Foundation head, now chairs the Statue of Liberty-Ellis Island Foundation.
The others, alphabetically, bring political, executive and financial services chops.
- Scott Ford, board director since 2012, is the current CEO of Westrock Coffee Company and former head of telecom Alltel, now part of Verizon. He “has experience managing complex business operations in various regulatory environments internationally and has led several major business transformations.”
- William Kennard, the board’s chair, trained as a lawyer and served in senior jobs at the FCC in the 1990s. His career later included stints at Carlyle asset management and as the U.S. ambassador to the European Union.
- Michael McAllister is health care provider Humana’s former CEO.
- Beth Mooney, KeyCorp bank’s former CEO and chair, served at the Federal Reserve.
- Matthew Rose is the former CEO and chair of rail company BNSF.
- Cynthia Taylor is currently CEO of energy firm Oil States International. She is a CPA with experience at EY and the Federal Reserve.
In a c-suite credentialed room, couldn’t someone push for more cyber attention?
High-profile board appointments bring great pay and access. Each pocketed over $400,000 in 2023, with chair Kennard hauling in over $850,000. Stankey tallied over $22 million annually in total compensation in each of the past three years.
Now they have a mess that may very well “become” material. In addition to likely customer payouts and class action settlements, do congressional hearings, regulatory sanctions and remediation penalties loom? That erodes c-suite strategy time.
Perhaps, ultimately, for marquee boards, crisis navigation outpoints stewardship. But is the golden parachute worth the career crash? And where might 100+ million customers go to get their privacy and security back? Who’s your board calling?