Cybersecurity risks are ever present and are a key risk for almost all businesses. Ensuring cybersecurity and data protection will only become more complicated and material to managing business risks. With this in mind, and with the expectation of more regulations to govern these issues, companies need to regularly review and enhance their cybersecurity and data protection. Board governance of the subject is becoming crucial.

Kroger, US

Issue
American grocery store retailer The Kroger Company has seen two significant security breaches in the last two years. The most recent breach happened in early 2021 and was the result of a breach at one of the company’s third-party vendors.

Action
Accellion, a third-party vendor providing secure file transfers, notified Kroger of an unauthorized access to its data in 2021, due to a vulnerability in Accellion’s file transfer service. We engaged the company to request better disclosure of the data breach, including efficacy of its vendor management program and the steps the company has taken to safeguard against similar issues.

Kroger informed us of some of the key elements of their data privacy and cybersecurity program and governance. Kroger shared that they are currently in litigation with Acellion and thus limited in the information they can share about this incident. The company has already discontinued the use of Accellion product. It conducted a forensic investigation to identify the full impact of the breach. It has also started to notify individuals whose data may have been compromised and has set up a monitoring program for individuals impacted by the breach.

We expressed our concerns for heightened cybersecurity risk at traditional retailers given their access to large volumes of data. In addition to the vast amount of sensitive customer data, which makes them a target for cyber-attack, their further entry into online sales and delivery has exposed them to new sources of cybersecurity risks as they collaborate to expand their online presence.

Outcomes and next steps
We expect Kroger to disclose key learnings from this incident and the steps they have taken to mitigate this risk in its next ESG reporting. We also encourage more disclosure around data ownership and control when the company enters into collaborative relationship.

InterContinental Hotels Group (IHG), UK

Issue
InterContinental Hotels Group (IHG) was the focus of a cyberattack in 2017. The incident involved customer payment card-stealing malware. We have continued to engage the company around its cybersecurity procedures since the incident.

Action
In 2017, attackers installed malware on the company’s servers, compromising the hotels' payment card processing systems, which in turn ingested information contained in credit card tracks such as cardholder names, card numbers, and internal verification codes. The leaked information enabled cards cloning and fraudulent payments.

In 2021, we engaged the company to ask for an update of their cybersecurity program, including the new measures being taken to alleviate cybersecurity risk and the governance of the board on this subject. The company reported that, on average, each employee spends two hours annually on cybersecurity risk training. IHG further reported that it has adopted the latest best practices for managing cybersecurity talent, including regular performance checks, retention programs, and personal development plans. The Chief Information Security Officer is in charge of the implementation of the firm’s cybersecurity strategy and the Board receives cybersecurity risk metrics on a quarterly basis. IHG reported that the 2021 budget for cybersecurity was over $30m, largely in-line with 2020 budget.

IHG indicated that its global privacy program covers a wide range of responsibilities, including ongoing monitoring of new privacy developments, regular privacy reporting to the board’s audit committee and update of privacy notices. In 2021, the initiatives IHG focused on included data minimization and removal and compliance of new privacy requirements in different countries. The company has adopted KPIs for measuring cyber maturity, high-risk assets, resources and budget spend, external threats and other areas.

IHG has indicated that practices are internally and externally audited and reviews are conducted to ensure that the validity and stringency of their cybersecurity risk program is kept up to date.

Outcomes and next steps
We note IHG’s implementation of an enhanced cybersecurity risk platform and practices to manage cybersecurity and data protection.

All companies pursing sustainable growth have to consider the sustainably of their supply chain. There are many issues involved in the supply chain and companies should have measures to govern its direct suppliers. Among all settings, we view ethics and compliance as the most important attributes of suppliers that companies need to monitor.

Hitachi, Japan

Issue
Technology companies are particularly vulnerable to forced labor in their supply chains due to extensive use of migrant labor in the manufacturing of technology and electronics products in emerging markets, and the protracted supply chains of many ICT products. The sector has faced increasing scrutiny around its failure to adequately address labor abuses connected to products sold to millions of customers across the world.

Action
We engaged Hitachi on how it addresses the risk of forced labor in its global supply chains and asked the company to enhance its management of this issue. Hitachi established a Human Rights Policy in 2013 that stated clearly their respect for human rights in their Sustainable Procurement Guidelines. The company explained that it had been briefing its suppliers to ensure they are aware of the policy and the guidelines. The company is seeking implementation of the guidelines by its major suppliers, requesting self-inspections using a check sheet, and providing feedback on the results to the internal procurement department. We asked the company to disclose the status and results of supplier audits, particularly regarding the on-site audits, and to disclose how the results would mitigate the risk of forced labor. We believe the number of reviews conducted was small, and that the scope of reviews had been limited and thus, the risk could persist in its supply chain.

Outcomes and next steps
We suggested the company increase the frequency and scope of its supplier monitoring program with regards to human rights and will check for improvements in 2022.