The U.S. Securities and Exchange Commission willreview a dispute between Express Scripts Holding Co. and New York StateComptroller Thomas DiNapoli over his effort to force theprescription-benefits manager to increase cyber-risk disclosures.

Express Scripts told the SEC last month itwould exclude the proposal from its annual proxy statement.DiNapoli, who’s pushing for the company’s board to report itsefforts to prevent and mitigate cyber threats, objected last weekin a letter to the regulator.

“We’re at the point where everyone -- investors, directors,regulators -- is recognizing that this is a critical issue,” saidGianna McCarthy, director of corporate governance at thecomptroller’s office, which oversees about $164 million of ExpressScripts stock for the $200 billion New York State Common RetirementFund. “Investors need more disclosure.”

DiNapoli filed the proposal in November, two months aftercredit-reporting company Equifax Inc. revealed a breach that compromised personalinformation of about half the U.S. population. He assailed ExpressScripts’ scant disclosure of how cyber risks are managed and citeda government-commissioned report showing the health care industryincurs a disproportionate share of hacking attacks.

Express Scripts said it devotes significant resources tosafeguard confidential patient and client data and to keep up withchanges in technology and regulatory standards.

“Such a complex and critical element of our business is properlya matter for our management and board of directors to oversee, asthis is who shareholders have entrusted to run the day-to-dayoperations of the business,” St. Louis-based Express Scriptssaid in an emailed statement. “Moreover, the effectiveness of ourcyber risk management strategy depends upon a measure ofconfidentiality that could be undermined by the New York StateComptroller’s proposed disclosures.”

Judy Burns, an SEC spokeswoman, declined to comment.

Express Scripts is one of the largest managers of drug benefitsfor employers, unions and state and local governments, using itssize to negotiate discounts with drugmakers. In December, thecompany told the SEC it wouldn’t put the proposal up for a vote atits annual meeting because it didn’t raise “significant policy”issues that went beyond its ordinary business practices.

Last week, DiNapoli’s office rejected those arguments, saying“risks for inadequate cybersecurity measures” can transcend acompany’s ordinary business.

“Cybersecurity is one of the most critical matters facingbusinesses today,” DiNapoli said Tuesday in a statement. “This isespecially true for health care companies that hold vast amounts ofprivate patient data. While Express Scripts acknowledges that itsability to operate depends on its technology infrastructure, it hasprovided shareholders with insufficient information about boardoversight or actions taken to mitigate cyber risk in itsoperations.”

Copyright 2018 Bloomberg. All rightsreserved. This material may not be published, broadcast, rewritten,or redistributed.