NOTICE OF EXEMPT SOLICITATION
Name of the registrant:
Express Scripts Holding Company
Name of person relying on exemption:
New York State Comptroller Thomas P. DiNapoli, Trustee of the New York State Common Retirement Fund
Address of person relying on exemption:
Office of the New York State Comptroller
Division of Legal Services
110 State Street, 14th Floor
Albany, NY 12236
Written material:
Letter to shareholders urging support for Item 5, stockholder proposal requesting a cyber risk report at Express Scripts Holding Company’s annual meeting to be held on Thursday, May 10, 2018.
Dear Fellow Express Scripts Shareowner,
I urge you to vote FOR Item 5, my Stockholder Proposal requesting a Cyber Risk Report at Express Scripts Holding Company’s annual meeting to be held on Thursday, May 10, 2018.
As a long-term Express Scripts Holding Company shareowner with approximately 1.8 million shares valued at $130 million, I have been and remain deeply concerned about the Company’s lack of transparency around cyber risk practices. Cyber risk has been identified as an area of urgent concern for public companies by members of Congress on both sides of the aisle, Commissioners and Staff of the Securities Exchange Commission, corporate management and directors, investor groups and the healthcare industry itself.
Proposal 5 requests that the Board prepare a report that will allow investors to assess cyber risk practices, including identifying the source of cybersecurity risk (including from outsourced functions); explaining how the company addresses those risks; describing past cyber incidents experienced by the company; outlining risks related to cyber incidents that remain undetected for an extended period; describing relevant insurance coverage; providing information on compliance, regulatory or contractual obligations related to cyber risk; and explaining how cybersecurity risks are reflected in financial statements. The Resolution adds that the report should address the scope and frequency of the Board’s oversight of cyber risks.
In urging further regulation of cybersecurity disclosure, SEC Commissioner Kara Stein observed:
Unfortunately, the risks and costs of cyberattacks appear to be growing. And the consequences of such attacks could have devastating and long-lasting collateral effects. Cybercriminals are only becoming more cunning and sophisticated. It is estimated that cybercrime will cost businesses approximately $6 trillion per year on average through 2021. Globally, the average cost of cybercrime has increased 62% over the last five years. In addition, the cost of unintentional data loss—the most expensive component of a cyberattack—has risen nearly ten percent over the last three years alone. Not surprisingly, public companies, investors, and other market participants increasingly view confronting and mitigating cyberrisk as a major priority.1
1 Commissioner Kara M. Stein, Statement on Commissioner Statement and Guidance on Public Company Cybersecurity Disclosures (2018), available at, https://www.sec.gov/news/public-statement/statement-stein-2018-02-21
Recent breaches have illustrated the magnitude of the risk posed by cyber attacks. For example, Equifax reported that attackers had found a flaw in its website and used it to obtain the personal information of as many as 147 million Americans. The stolen data included names, Social Security numbers, birth dates, addresses and driver’s license numbers. The breach has so far cost Equifax more than $439 million and could top $600 million, which would make it the most costly data breach in history.
As might be expected, a systematic review of academic literature suggests that “negative security events, [such as] security breaches, have a significant negative impact [on] the stock price of the breached firms.”2
Like Equifax, Express Scripts has a substantial amount of personal data. The nature of the pharmacy benefit management industry carries an inherent risk of data breach. Customers entrust Express Scripts with their most private information and would be understandably outraged in the event of a breach. Shareholders have a right to know what Express Scripts is doing to prevent the monetary costs and reputational harm associated with such an event, which could result in the loss of substantial business for the company.
For all these reasons, I urge you to vote FOR Shareholder Proposal 5 to promote the transparency investors need to evaluate cyber risk and make informed investment decisions.
|
Sincerely, |
|
|
|
Thomas P. DiNapoli
|
|
State Comptroller |
This is not a solicitation of authority to vote your proxy. Please DO NOT send us your proxy card but return it to the proxy voting agent in the envelope that was or will be provided to you by Express Scripts. Neither the Comptroller nor the Fund is able to vote your proxies, and this communication does not contemplate such an event. This communication is meant to inform you about the Comptroller’s opinion and to give you valuable decision-making information when you review your shareholder proxy for the 2018 annual shareholders’ meeting of Express Scripts.
2 Georgios Spanos & Lefteris Angelis, The Impact of Information Security Events to the Stock Market: A Systematic Literature Review, 58 Computers & Security at 226 (2016)( “In total, 37 related papers conducting 45 studies were found by the systematic search of bibliographic sources.”)