Cybersecurity risk is real and pervasive as demonstrated by recent attacks that have put the frighteners on big banks, web services providers, the NHS and even the US intelligence community.
Threats can emerge from various sources, both internal and external, resulting in data breaches that can negatively impact share price, reputation and loss of trust in the organisation to secure sensitive data, including intellectual property.
Thus, cybersecurity becomes a governance issue, if organisations are seen to be abrogating their duty of care when it comes to protecting sensitive data about employees or credit information; or, in the public sector, if information about members of the public relating to healthcare or other private matters is lost.
But despite these high-profile incidents, many institutional investors are only just beginning to look at the governance issues concerning cybersecurity.
Investors are keen to understand how the companies in their portfolios appreciate the material risks regarding data protection; how prepared their portfolio companies are to address these risks; and whether they have appropriate mechanisms in place to deter threats. This can be difficult to assess, however, because of gaps in current corporate disclosure on this topic.
A 2017 study by IT consultant CGI and Oxford Economics concluded that severe breaches caused share prices to fall by an average of 1.8% on a permanent basis. A McKinsey-World Economic Forum study that same year of cybersecurity risk management practices found that: “Senior-management time and attention was identified as the single biggest driver of maturity in managing cybersecurity risks—more important than company size, sector and resources provided.”
Not just an IT issue
Boards are facing increased scrutiny and liability exposure in relation to cybersecurity and data privacy. Given the increasingly large amounts of data that companies are gathering and storing, there is a greater likelihood that they will be the targets of cyber-attacks or data breaches.
Mark Tims, a partner in the technology risk practice at KPMG, notes: “Board oversight of cybersecurity is no longer a leading practice, it is a necessity. Investors, governments and regulators are increasing demands and challenging boards to demonstrate diligence and leadership.”
Gone are the days when cyber-risk was seen solely as the province of the IT department. These days, it is up to boards to take the lead in ensuring the protection of data, and to interrogate whether company mechanisms are up to the job.
“An additional—and serious—consideration for boards is that the regulatory regime on data privacy and cybersecurity is being strengthened across the world, with fines and penalties for data breaches,” says Mark Tims, partner, KPMG.
In Europe, for example, the General Data Protection Regulation came into force in May 2018, creating obligations for companies that process and hold data in the EU regardless of where they are located. Notably, the penalties for not adhering to these requirements can be up to €20m.
Similarly, in Australia, the Australian Privacy Act mandates that companies implement security safeguards to protect personal information and notify customers of data breaches.
Last year, the US Congress introduced the bipartisan Cybersecurity Disclosure Act of 2017-18 (S.536), which would require publicly traded companies to disclose the cybersecurity expertise of any members of the board or general partner and, if the board does not have such expertise, disclose the measures they have taken to identify and nominate future nominees to the board.
This was originally put forward in 2015. However, recent high-profile cybersecurity incidents at both public and private companies have considerably heightened awareness of this issue, especially across the US public sector, which knows that it too could be vulnerable to cyber-attacks.
There are also murmurings that the US Securities and Exchange Commission (SEC) could consider board cybersecurity expertise as a factor when evaluating whether a registered entity has a sufficient cyber-risk management programme in place.
Robust security measures
Investors need to discuss these issues with board directors to raise awareness of potential data compromise and ensure the board is involved in assessing the robustness of security measures. This issue will only continue to intensify in the future, so investors need to start the conversation with companies now to better understand their exposure.
To improve corporate disclosure and enhance understanding of the underlying cyber vulnerabilities, the PRI is coordinating a global collaborative engagement on this topic. Fifty-three institutional investors representing more than US$12trn in assets under management will be engaging with companies on their cybersecurity governance.
Questions raised with companies will enable dialogue on whether there is sufficient board oversight on cyber issues, and whether they have sufficient access to internal or external expertise and are taking adequate measures to manage cybersecurity risks. This collaborative engagement will focus on listed multinational companies in consumer, healthcare, financial, IT and telecommunication sectors.
As this dialogue progresses over the next year or so, participating members will have further clarity on how material cybersecurity risk is for companies in their portfolios, how information on cybersecurity matters flows to the board, and how companies are evaluated against their peers.
Using these findings, they will also put together a set of investor expectations on cybersecurity governance that companies should be able to meet. Most importantly, through this dialogue they will be signalling to companies that further meaningful information on cybersecurity is warranted, and such information will enable investors to discern which companies are likely to manage risks appropriately.
Board members could start by ensuring that cybersecurity is on the agenda at board meetings. If these issues are delegated to senior management, then the board must have regular updates from those individuals in order to stay current on the topic.
The global cybersecurity market is expected to reach more than US$205bn by 2024, according to a report last year by Grand View Research, Inc., clearly underscoring how quickly this issue has moved up the business agenda. The study noted that cybersecurity is becoming a strategic imperative for organisations owing to increased focus on protecting information in the wake of high-profile data thefts and breaches.
Boards need to work closely with senior management to escalate the message across the organisation that security is everyone’s problem. Keeping data secure is not about buying the latest security software; it is about everyone in the company taking responsibility for keeping data secure, from deleting emails with attachments from unknown sources to protecting the data on laptops that employees take home with them.
Changing corporate culture is never going to be easy, but getting employees to understand their role in keeping data safe will go a long way to mitigating cyber-risks.
Cyber-risk checklist
Board members can address cyber-risks using the following checklist:
• Understanding the cyber-risks facing the organisation and the material risks they present to the business.
• Regularly speaking with senior managers and the CIO to determine the robustness of existing cybersecurity measures and whether enhancements or upgrades are necessary.
• Assessing the level of readiness to deal with and communicate data breaches.
• Ensuring that vendors in the supply chain are also putting measures in place to withstand data breaches.
• Learning best practices from other organisations in the same industry sector.
Fiona Reynolds is managing director of the UN Principles for Responsible Investment.