The elusive goal of corporate cybersecurity transparency is a key, yet enigmatic, issue for investors to address.
Of the range of investors and cybersecurity experts spoken to, none were surprised to see cybersecurity featuring as a top two- and ten-year risk in the World Economic Forum’s 2023 Global Risks Report.
“Breaches can cripple business operations and have significant adverse effects on customers and employees, not to mention share price,” says Nick Pelosi, Manager of Engagement for EOS at Federated Hermes.
The costs of cyber-crime reached US$6 trillion in 2021 and are expected to hit US$10.5 trillion a year by 2025, research firm Cybersecurity Ventures has estimated. Based on those figures, if cyber-crime were an economy, it would be the third largest after the US and China, according to analysis by the Swiss private bank Lombard Odier.
“Cyber-risks are liabilities which are currently not reported on balance sheets,” Charles Radclyffe, Partner at ESG data company EthicsGrade, tells ESG Investor.
“Were investors buying shares in Royal Mail in December able to factor in the risk that the company wouldn’t be able to provide any international distribution services in January due to an apparent ransomware attack?” he asks.
“Aside from some finger-in-the-air guesswork as to whether they might be an attractive target for cyber-criminals, there is almost no data available outside of a handful of organisations as to the propensity of such an attack.”
With the world and its economies almost entirely online, it’s more important than ever that investors have transparency of companies’ lines of defence against potential cyber-attacks, such as ransomware and, increasingly, state-sponsored cyber warfare.
It’s a topic that has topped investors’ engagement and voting agendas this year, while the US Securities and Exchange Commission (SEC) prepares its final ruling on corporate cybersecurity disclosures.
Pulling back the curtain
In March 2022, the SEC launched a consultation outlining proposed cybersecurity reporting rules for publicly listed companies. Ironically, the finalised draft was subject to a technological glitch – one which also hit the SEC’s climate risk disclosure rules – forcing the agency to re-open the consultation.
Further progress on the cybersecurity disclosure rules is now expected in April, but debate around their scope and potential effectiveness rages on.
Fortunately, the general consensus reached in consultation responses is that disclosure on cybersecurity is sorely needed.
A collaborative engagement on cyber governance, led by the UN-convened Principles for Responsible Investment (PRI) between 2017 and 2019, highlighted that companies increasingly recognise cyber risks and their impacts. However, companies are not disclosing the information necessary for investors to evaluate whether they have adequate governance structures and cybersecurity measures in place.
“The SEC’s disclosure proposals would allow investors to better assess company policies, controls, accountability and board oversight related to cybersecurity,” says Betina Vaz Boni, PRI’s Senior Analyst on Governance.
The proposed rules will require public companies to include mandatory annual disclosures about the board directors’ understanding of cybersecurity risks, reporting on individual board members’ cybersecurity expertise, and their subsequent roles in addressing such risks, alongside publishing a broader overview of the company’s cybersecurity risk management programmes.
The SEC’s expansion from focusing strictly on the protection of personal data to considering any material harm to companies is a “significant shift”, according to Edward McNicholas, Co-leader of law firm Ropes & Gray’s Privacy and Cybersecurity Practice.
“[The SEC] is moving out of the realm of legal compliance and into governance by having it be focused on the 10-K disclosure, meaning corporate boards of directors will need to disclose their cybersecurity expertise, as they will be expected to have oversight of cybersecurity risks, therefore driving more standardised methods of reporting,” he says.
Beyond ensuring accountability and transparency at a board-level, PRI’s Vaz Boni notes that it’s equally important for investors to have visibility of companies’ efforts in cybersecurity training and education.
“Details on training and education efforts should be properly disclosed, because providing regular training to all staff on cyber threats, handling sensitive information, IT policies and procedures is essential for effective governance of cybersecurity,” she says.
Upsetting the balance
However, with issues as sensitive as cybersecurity, it’s pivotal that the SEC strikes the right balance between ensuring transparency and drawing attention to potential vulnerabilities, according to industry experts. The agency’s proposed requirement that companies must report a cyber-attack within four business days risks upsetting this balance.
It’s a “very aggressive position” for the SEC to take, says McNicholas. “Four days into an attack, very often the only thing a company will feel comfortable saying is that there was an incident and they are looking into it, which won’t be reassuring to markets in any way at all.”
He suggests that making a non-public report to the SEC four days after a cyber-attack would make more sense.
“If companies publicly disclose that they were exposed to a cyber-attack in its early stages when they have yet to close off that vulnerability, their report could entice other attackers. If you divert firefighters in the middle of fighting the fire, that’s not wise.”
Caroline Escott, Senior Investment Manager at UK pension fund Railpen, acknowledges this fine line and the “sensitivity of the issue” for companies, but notes that this shouldn’t stop efforts to increase transparency, pointing to recent cyber disclosure guidance published by the Cybersecurity Coalition, led by Royal London Asset Management (RLAM).
“Cybersecurity is an issue which investors really need to work on having a conversation with portfolio companies about in order to better understand the approach being taken,” she says.
The coalition’s guidance outlines its minimum expectations of companies, including appointing a Chief Information Security Officer (CISO) with supporting resources, and the inclusion of cyber covenants in supplier contracts and effective due diligence.
However, from Radclyffe’s point of view, the SEC could intervene further when it comes to disclosures of connections between companies and organised cyber-crime.
“Most organisations will readily pay ransomware attackers in order to ensure smooth sailing back to normal operations,” he says. “Of course, the ransomware payments are made via third parties (potentially via insurance companies and third-party IT firms) but the effect is the same – there is a flow of funds from listed companies to organised crime, which under any other context would be a front-page scandal.”
Ransomware payments could be made illegal, he notes, which would potentially freeze out this form of cyber-crime.
There’s a growing need for regulators and governments globally to take action on cybersecurity alongside investors, as companies increasingly fall victim to state-sponsored attacks.
“We see increased risk now as there is essentially a cold cyberwar going on with state-aligned actors – from Russia and North Korea – attempting to infiltrate company cybersecurity,” says Pelosi from EOS at Federated Hermes.
In 2017, the US charged two Russian spies and two of their conspirators for a state-sponsored cyber-attack against Yahoo which commenced in 2014 and involved stealing information from 500 million accounts. The US Department of Justice said the spies were wanted for “computer hacking, economic espionage and other criminal offenses in connection with a conspiracy”.
A North Korean nation-state group called TA444 has also recently been linked to a wave of financially motivated and malicious email attacks targeting a number of industry verticals through malware-infected attachments.
It signifies a new frontier in warfare, where companies are the targets. Tensions between Russia and Ukraine were exacerbated in cyberspace years before Russia invaded Ukraine in February 2022. Russia’s Operation Armageddon has been active since 2013, targeting Ukrainian government, law enforcement and military officials in an effort to steal information. In 2015, Russian hackers targeted power distribution companies in western Ukraine, resulting in a power outage for more than 230,000 people. Russia tried a similar attack in August 2022.
“Heightened geopolitical tensions […] means we are likely to continue to see an increase in state-sponsored cyber-attacks, not only targeting defence and government agencies, but also investors’ portfolio companies,” warns Railpen’s Escott.
“We recognise that the rapidly developing and well-funded nature of cyber-attacks (particularly those sponsored by state actors) means that it is impossible to stop these attacks taking place completely.”
Planning for the worst
The prospect of investee companies falling victim to a state-sponsored cyber-attack is likely daunting, but investors can be proactive through engagement on cybersecurity risks, despite it being a complex and ever-changing issue.
“Investors can proactively manage risk by looking for and encouraging effective board oversight over cybersecurity,” says Pelosi, noting that this can involve evaluating whether the issue of cybersecurity has been assigned to a board committee or included in the skills and expertise matrix for directors.
Companies can also be assessed on whether senior executives are demonstrably committed to investing in the improvement of the company’s cybersecurity measures, as well as keeping up with new and emerging threats.
Both Pelosi and Ropes & Gray’s McNicholas emphasise the importance of investors pushing for third-party cybersecurity audits, supported by disclosures on the extent to which investee companies have implemented those audit recommendations.
“[Investors] likely wouldn’t invest in a company if they had not audited their financials, so it needs to be the same when it comes to their cybersecurity programme,” says McNicholas.
However, the sheer complexity of cybersecurity means that many investors are dissuaded from engaging with companies in the first place.
The key is collaboration, according to Escott, who notes that Railpen co-engages with portfolio companies on cybersecurity alongside the asset owner’s CISO.
“We find that the expertise [the CISO] brings to these conversations and our assessment of a company’s cybersecurity approach is invaluable, and we have also noticed the positive way in which his presence changes the dynamic of the conversations with firms’ own senior security experts,” she says.
“Our engagements through the [Cybersecurity] Coalition have emphasised to us that the best companies are proactively, extensively and openly collaborating with their peers (competitors) and government agencies to share learnings and keep as informed as possible of evolving cyber threats,” Escott adds.
“I think that, as investors, we are used to companies operating, to a certain extent, individually on core business issues and I would encourage investors to probe portfolio firms for evidence that they are ‘plugged in’ and contributing to the available networks.”