The U.S. Securities and Exchange Commission will review a dispute between Express Scripts Holding Co. and New York State Comptroller Thomas DiNapoli over his effort to force the prescription-benefits manager to increase cyber-risk disclosures.
Express Scripts told the SEC last month it would exclude the proposal from its annual proxy statement. DiNapoli, who’s pushing for the company’s board to report its efforts to prevent and mitigate cyber threats, objected last week in a letter to the regulator.
“We’re at the point where everyone -- investors, directors, regulators -- is recognizing that this is a critical issue,” said Gianna McCarthy, director of corporate governance at the comptroller’s office, which oversees about $164 million of Express Scripts stock for the $200 billion New York State Common Retirement Fund. “Investors need more disclosure.”
DiNapoli filed the proposal in November, two months after credit-reporting company Equifax Inc. revealed a breach that compromised personal information of about half the U.S. population. He assailed Express Scripts’ scant disclosure of how cyber risks are managed and cited a government-commissioned report showing the health care industry incurs a disproportionate share of hacking attacks.
Express Scripts said it devotes significant resources to safeguard confidential patient and client data and to keep up with changes in technology and regulatory standards.
“Such a complex and critical element of our business is properly a matter for our management and board of directors to oversee, as this is who shareholders have entrusted to run the day-to-day operations of the business,” St. Louis-based Express Scripts said in an emailed statement. “Moreover, the effectiveness of our cyber risk management strategy depends upon a measure of confidentiality that could be undermined by the New York State Comptroller’s proposed disclosures.”
Judy Burns, an SEC spokeswoman, declined to comment.
Express Scripts is one of the largest managers of drug benefits for employers, unions and state and local governments, using its size to negotiate discounts with drugmakers. In December, the company told the SEC it wouldn’t put the proposal up for a vote at its annual meeting because it didn’t raise “significant policy” issues that went beyond its ordinary business practices.
Last week, DiNapoli’s office rejected those arguments, saying “risks for inadequate cybersecurity measures” can transcend a company’s ordinary business.
“Cybersecurity is one of the most critical matters facing businesses today,” DiNapoli said Tuesday in a statement. “This is especially true for health care companies that hold vast amounts of private patient data. While Express Scripts acknowledges that its ability to operate depends on its technology infrastructure, it has provided shareholders with insufficient information about board oversight or actions taken to mitigate cyber risk in its operations.”
Copyright 2018 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.