Disney is asking shareholders to vote against a proposal by gadfly investor James McRitchie that would require the company to issue a feasibility report on the use of cyber security and data privacy metrics in Disney's incentive plans. The proposal warns that cyber-threats are on the rise and quotes a UK Parliamentary committee studying the subject which concluded that to reduce risk, "a portion of CEO compensation should be linked to effective cyber security." Disney responded that its incentive program already considers performance with regard to cyber security and data privacy for those executives tasked with that responsibility, through the consideration of non-financial performance factors in setting individual awards.
Disney subsequently followed up with a supplemental filing that addressed the proposal specifically, summarized Disney's "robust oversight" of data security matters and explained that with regard to incentive plan design, the Compensation Committee selects broad financial metrics that it believes promote long-term shareholder value. Noting that the use of of specific cyber security metrics across the board risks placing "undue emphasis on these matters for executives who do not have direct responsibility for these matters," Disney highlights the importance of tying metrics to long-term value creation while also mitigating risk in other aspects of the plan's design.
Disney shareholders will consider the proposal at the company's annual meeting in St. Louis, Missouri on March 7. Although the proposal is unlikely to pass, the care and succinct clarity of Disney's response, including the judicious use of a supplemental filing, may be instructive for companies facing similar types of ESG proposals.