As cyber-crime increases, investors don’t want to be kept in the dark.
Everyone knows that password protection is the first rule of cybersecurity, but few have been punished as severely for forgetting it as SolarWinds. By choosing the password ‘solarwinds123’, the US software firm opened the door to a calamitous cyber-attack.
Malicious code entered its systems and was then transmitted through software updates to 18,000 SolarWinds customers. As well as the general public, customers that were affected included the US Departments of Homeland Security, State, Commerce, Energy, Treasury, Justice, and the Pentagon. Some believed that Russian cyber-spies were behind the attack.
Lawsuits and governmental investigations were launched against the company, highlighting the reputational and financial risks investors can be exposed to if investee companies don’t shore up their cyber-defences.
For every attack that hits the headlines, many more do damage under the radar. The costs of global cyber-crime are expected to reach US$10.5 trillion a year by 2025, according to research company Cybersecurity Ventures. In 2021, cybercrime cost US$6 trillion.
As the frequency and severity of cyber-attacks increase, details of companies’ security risk management practices “are coming under increased scrutiny” from investors, warns Jennifer Vieno, Manager of ESG Research at ratings and data company Sustainalytics.
In RBC Global Asset Management’s (RBC GAM) latest Responsible Investment Survey, cybersecurity was named one of the top three engagement themes by 56% of asset owners and managers.
“From the investor’s perspective, the business case to engage on the topic is clear,” says Betina Vaz Boni, Senior Associate of Governance at the UN-convened Principles for Responsible Investment (PRI).
“Cyber incidents can cripple business operations, materialise into legal and regulatory risks, cause a material impact on returns, impact customer trust and have adverse impacts on portfolio company valuation and earnings.”
Russia’s invasion of Ukraine has only heightened investors’ concerns, according to Katerina Kosmopoulou, Partner at asset manager J. Stern & Co.
“The recent attack by Russia on Ukraine has reignited fears of cyber-warfare, with concerns arising about the potential for attacks on critical infrastructure in the West, including the potential for cyber-attacks against the mission-critical industrial, utility, financial and government sectors,” she says.
The World Economic Forum (WEF) has called on companies to consider cybersecurity as part of their ESG risk management. Companies that fail to implement good governance on cybersecurity or use appropriate tools and metrics will be considered “less resilient and less sustainable”, WEF said.
However, the complex, technical and ever-changing nature of cyber-related risks means that installing cybersecurity defences is challenging for companies – particularly more resource-limited small and medium-sized enterprises (SMEs). Further, experts tell ESG Investor that investee companies are reluctant to be transparent about their exposure to and management of cyber-related risks.
The complexities of cybersecurity may also “dissuade ESG and investment professionals from seeking an informed discussion with portfolio companies”, PRI’s Vaz Boni notes.
But, with new regulations being finalised, investors need to push investee corporates to better identify their exposure to cyber-related risks and disclose exactly what they are doing to address them.
Information under wraps
Publicly available information from corporates on cybersecurity remains thin on the ground, experts say. This goes against best practice – sharing intelligence with peers can improve risk awareness – and investor interests.
“Corporate information in the public domain does not assure investors that companies have adequate governance structures and measures in place to deal with cybersecurity challenges,” says Vaz Boni.
Understandably, firms want as little known about their cybersecurity governance and protection as possible.
“Most companies try to keep any cyber-related issues under the radar as it also exposes them to reputational risk,” says Anna Macdonald, Fund Manager at Amati Global Investors.
But this makes it difficult for investors looking to engage with investee companies on the steps they have taken to ensure they are protected against cybersecurity threats.
The PRI led a collaborative engagement on cyber governance between 2017 and 2019, which involved 55 institutional investors with a collective US$12 trillion in assets. As part of the programme, they engaged 53 portfolio companies across a variety of sectors on their management of cyber-related risks.
Over the two years, targeted companies made “significant strides” in reporting on cyber-related governance mechanisms and processes to their investors, says Vaz Boni.
Following the engagement initiative, the PRI published guidance on disclosure expectations for investors looking to engage with companies on cybersecurity themes.
The guidance noted that, at a high level, investors should look to validate board oversight of cyber-related risk, ensure cyber resilience is integrated into the corporate strategy, set disclosure expectations, and benchmark portfolio companies on their cybersecurity-related performance against their peers as a tool for engagement to drive better disclosure.
RBC GAM expects companies to demonstrate “cyber policies and procedures, including employee training and audit practices”, says Melanie Adams, the firm’s Head of Corporate Governance and Responsible Investment.
BMO Global Asset Management has said investee companies should apply cybersecurity and data privacy standards across their supply chains and be able to demonstrate how they ensure this.
Asset manager Schroders asks investee companies whether they have assigned responsibility for the cybersecurity strategy to a board-level member, and whether, and to what extent, they work with external cybersecurity specialists.
Last year, asset manager Robeco completed a three-year cybersecurity-focused engagement programme with nine companies handling sensitive customer data across payments, telecoms and household products sectors. Engagement focused on five topics: governance and oversight, policy and procedure, risk management and controls, transparency and disclosure, and privacy by design.
Robeco noted that seven of the nine now have a “clear strategy focused on improving their cybersecurity following a number of high-profile data breaches for some”.
Management consultancy firm McKinsey also published ten key points for companies to address in order to ensure they have a robust cybersecurity strategy. Recommendations include staging frequent and realistic attack and crisis simulations within the organisation, setting up efficient interfaces with law enforcement and regulators, and reporting regularly on risk remediation to the board and other stakeholders.
Rebooting the system
To the relief of many investors, incoming regulation will force companies to be more transparent about their exposure to and management of cybersecurity risks.
In December 2021, the EU Parliament approved the Network and Information Security 2 (NIS2) Directive, which will be finalised this year and replace the existing NIS Directive. The new regulation will introduce baseline cyber-related risk management measures, reporting obligations, and remedies and sanctions for enforcement for a wide range of companies spanning sectors including energy, financial services, digital infrastructure, and healthcare.
This will helpfully “strengthen” existing measures and better streamline reporting from companies, says Vieno.
Once finalised, member states will have two years to incorporate the provisions into national law.
Last month, the European Commission also proposed a new cybersecurity regulation introducing a framework for governance, risk management and control for EU institutions, bodies, offices and agencies across all member states. It includes a recommendation for an inter-institutional Cybersecurity Board, which would boost cybersecurity capabilities, implement a baseline of measures addressing identified risks, and extend the mandate of the Computer Emergency Response Team.
On 9 March, the US Securities and Exchange Commission (SEC) also proposed amendments to its rules to enhance and standardise US public companies’ disclosures on cybersecurity risk management, strategy, governance and incident reporting. The comment period will close in May.
The proposed amendments would require companies to periodically disclose their policies and procedures for managing cyber-related threats, the board of directors’ degree of oversight of cybersecurity risks, and provide updates about previously reported cybersecurity incidents.
US SEC Chair Gary Gensler acknowledged that investors want to know more about how companies are managing risks in this area. “Companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner,” he said.
If adopted, these required corporate disclosures “would be very helpful for investors to assess how a company is managing its cyber-related risk,” confirms RBC GAM’s Adams.
“We welcome any regulatory initiatives like the one by the SEC that would improve disclosures, without of course compromising security,” agrees Kosmopoulou.
The PRI is also preparing a response to the US SEC’s proposal, encouraging its signatories to provide comments on the usefulness of the proposed disclosure, Vaz Boni tells ESG Investor.
As cyber-crime increases in frequency, data providers, global organisations and asset managers are working to provide and upscale solutions. Some of these give asset owners opportunities to protect and enhance the value of their investments.
Sustainability and cybersecurity provider ISS Corporate Solutions partnered with OneTrust Vendorpedia to launch the ISS Cyber Risk Scores. These will provide investors with an empirical indicator of a corporate’s exposure to cyber threats and associated supply chain risks.
WEF’s Centre for Cybersecurity is a hub for technology leaders to identify future global risks from next-generation technology in order to “avert a cyber pandemic”. The centre has collaborated with the UK’s University of Oxford to launch a joint work programme enabling companies globally to collaboratively share and develop research and responses to cybersecurity threats.
Investment in cybersecurity firms is also on the rise.
The UK government noted that 2021 was a record year for cybersecurity investment, with over £1 billion raised by cyber firms through 84 deals over a 12-month period.
Amati’s Macdonald points to NCC Group as a UK-listed company providing “a range of cybersecurity solutions from detection and response, advisory services and software resilience”. Other notable examples include Falanx and DarkTrace, she says.
Legal and General Investment Management has a Cybersecurity UCITS ETF that falls under Article 8 of the EU’s Sustainable Finance Disclosure Regulation. As well as investing in companies providing cybersecurity and services, it identifies companies developing relevant hardware and software, as well as those providing cybersecurity consultancy and secure digital services.
For many investors, however, ongoing engagement with firms on their digital strategies and cybersecurity policies will be a growing priority.
“Cyber-attacks are increasing in frequency and intensity, making it critical for companies to have both proactive and reactive mechanisms in place, in the event they are the target of such an attack,” says Sustainalytics’ Vieno.
“As companies continue to digitise and business models shift to incorporate a complex mix of technology and data supply chains, stakeholders are reckoning with a significant realignment in global risk.”