NOTICE OF EXEMPT SOLICITATION




Name of the registrant:
Express Scripts Holding Company


Name of person relying on exemption:
New York State Comptroller Thomas P. DiNapoli, Trustee of the New York State Common Retirement Fund


Address of person relying on exemption:
Office of the New York State Comptroller
Division of Legal Services
110 State Street, 14th Floor
Albany, NY 12236


Written material:
Letter to shareholders urging support for Item 5, stockholder proposal requesting a cyber risk report at Express Scripts Holding Company’s annual meeting to be held on Thursday, May 10, 2018.
 

 
 
 
 
 
May 1, 2018
 
 
Dear Fellow Express Scripts Shareowner,
 
I urge you to vote FOR Item 5, my Stockholder Proposal requesting a Cyber Risk Report at Express Scripts Holding Company’s annual meeting to be held on Thursday, May 10, 2018.
 
As a long-term Express Scripts Holding Company shareowner with approximately 1.8 million shares valued at $130 million, I have been and remain deeply concerned about the Company’s lack of transparency around cyber risk practices. Cyber risk has been identified as an area of urgent concern for public companies by members of Congress on both sides of the aisle, Commissioners and Staff of the Securities Exchange Commission, corporate management and directors, investor groups and the healthcare industry itself.
 
Proposal 5 requests that the Board prepare a report that will allow investors to assess cyber risk practices, including identifying the source of cybersecurity risk (including from outsourced functions); explaining how the company addresses those risks; describing past cyber incidents experienced by the company; outlining risks related to cyber incidents that remain undetected for an extended period; describing relevant insurance coverage; providing information on compliance, regulatory or contractual obligations related to cyber risk; and explaining how cybersecurity risks are reflected in financial statements. The Resolution adds that the report should address the scope and frequency of the Board’s oversight of cyber risks.
 
In urging further regulation of cybersecurity disclosure, SEC Commissioner Kara Stein observed:
 
Unfortunately, the risks and costs of cyberattacks appear to be growing. And the consequences of such attacks could have devastating and long-lasting collateral effects. Cybercriminals are only becoming more cunning and sophisticated. It is estimated that cybercrime will cost businesses approximately $6 trillion per year on average through 2021. Globally, the average cost of cybercrime has increased 62% over the last five years. In addition, the cost of unintentional data loss—the most expensive component of a cyberattack—has risen nearly ten percent over the last three years alone. Not surprisingly, public companies, investors, and other market participants increasingly view confronting and mitigating cyberrisk as a major priority.1
 
                                                            
1 Commissioner Kara M. Stein, Statement on Commissioner Statement and Guidance on Public Company Cybersecurity Disclosures (2018), available at https://www.sec.gov/news/public-statement/statement-stein-2018-02-21
 

 
Recent breaches have illustrated the magnitude of the risk posed by cyber attacks. For example, Equifax reported that attackers had found a flaw in its website and used it to obtain the personal information of as many as 147 million Americans. The stolen data included names, Social Security numbers, birth dates, addresses and driver’s license numbers. The breach has so far cost Equifax more than $439 million and could top $600 million, which would make it the most costly data breach in history.

As might be expected, a systematic review of academic literature suggests that “negative security events, [such as] security breaches, have a significant negative impact [on] the stock price of the breached firms.”2
 
Like Equifax, Express Scripts has a substantial amount of personal data. The nature of the pharmacy benefit management industry carries an inherent risk of data breach. Customers entrust Express Scripts with their most private information and would be understandably outraged in the event of a breach. Shareholders have a right to know what Express Scripts is doing to prevent the monetary costs and reputational harm associated with such an event, which could result in the loss of substantial business for the company.

For all these reasons, I urge you to vote FOR Shareholder Proposal 5 to promote the transparency investors need to evaluate cyber risk and make informed investment decisions.
 
 
Sincerely,
 
 
Thomas P. DiNapoli
  State Comptroller
 
 
This is not a solicitation of authority to vote your proxy. Please DO NOT send us your proxy card but return it to the proxy voting agent in the envelope that was or will be provided to you by Express Scripts. Neither the Comptroller nor the Fund is able to vote your proxies, and this communication does not contemplate such an event. This communication is meant to inform you about the Comptroller’s opinion and to give you valuable decision-making information when you review your shareholder proxy for the 2018 annual shareholders’ meeting of Express Scripts.
 
                                                            
 
2 Georgios Spanos & Lefteris Angelis, The Impact of Information Security Events to the Stock Market: A Systematic Literature Review, 58 Computers & Security at 226 (2016) (“In total, 37 related papers conducting 45 studies were found by the systematic search of bibliographic sources.”)