January 23, 2017 12:00 AM

Get real on cybersecurity

    Roger Schillerstrom

    Cybersecurity represents a high-profile risk management challenge that corporations must address at the level of the board of directors as a top priority. Minimizing cybersecurity risks is a critical fiduciary duty for directors as well as asset owners and other institutional investors.

    The apparent Russian hacking to undermine the U.S. presidential election process should have raised the profile of cyberthreats to all significant companies and institutions, and should drive more attention to the exposure. At the very least, one director on every board must have cybersecurity expertise.

    Cyberthreats expose investors to risks. For example, Verizon Communications Inc.'s proposed acquisition of Yahoo Inc.'s operating business is still at risk of termination over “security incidents disclosed” by Yahoo last month and in September, according to a Jan. 9 Yahoo filing with the Securities and Exchange Commission.

    The vulnerability of even an Internet-savvy company such as Yahoo shows the challenge of protecting against cyber risks and responding to cyberattacks.

    While most large companies and institutions, those most likely to be attacked by cyber criminals or vandals, have built protections against such attacks, without someone knowledgeable on their boards they cannot know if the companies' efforts are sufficient and keeping pace with the sophistication of the attackers.

    Only 52 companies in the S&P 500 stock index have at least one director identified with cybersecurity expertise, according to data from ISS Analytics. The companies include Arthur J. Gallagher & Co., Boeing Co., Bank of America Corp., Bank of New York Mellon Corp., Chevron Corp., General Motors Co., Raytheon Co., State Street Corp. and Wells Fargo & Co. In all, there are 55 directors whose companies disclose them as having cyber competency.

    That list amounts to about 1% of the 5,534 directors on the boards of S&P 500 companies.

    Shareholders must do more to raise the profile of the issue at the board level by seeking board expertise, and through more disclosure initiatives. But so far shareholders have generally not embraced the issue through proxy proposals.

    In 2014, 2015 and 2016, only seven proposals were filed that called for a report on board oversight of privacy and data security. Four were withdrawn, and three came to a shareholder vote, all at American Express Co., with votes ranging from 78% to 78.8% to reject the proposal.

    As a yardstick for gauging shareholder interest, the small number of proxy proposals indicates that cybersecurity hasn't been a priority. The lack of shareholder concern likely helps explain the inattention at the board level.

    Even so, far more corporations must embrace cybersecurity at the board level as a basis for building a management infrastructure that can oversee corporate efforts to identify, prevent, and respond to cyberattacks. Corporations, with or without board-level expertise, must explain to shareholders how they manage the issue, and they must provide enough disclosure so shareholders can evaluate the cybersecurity approach.

    Some boards leave it to audit committees to take on oversight of cybersecurity, but Mary Jo White, the SEC chairwoman who announced in November she would step down at the end of the Obama administration, warned against the audit committee taking on an additional responsibility and thus diluting its core focus on financial concerns.

    Beyond the competitive, financial and reputational pressures to minimize cyber risk, regulations are coming that will push corporations to strengthen cybersecurity.

    The Federal Reserve, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. on Oct. 1 jointly proposed rule-making to enhance cyber risk management standards at larger, interconnected financial service companies under their regulatory oversight.

    In a comment submitted on the proposal, Reginald P. Best, president and chief product officer, Lumeta Corp., which provides cyber situational awareness analytics tools and services to seven of the largest financial services companies, said: “In our experience, covered entities have limited tools or processes to authoritatively evaluate their situational awareness. There is a false sense of security that organizations have that they know and understand what is happening on their networks.”

    The proposal would require financial institutions that come under the oversight “to establish and maintain a corporate governance structure that implements the cyber risk management program on an enterprise-wide basis.”

    SEC guidelines require companies to disclose material cybersecurity risks. But these guidelines, dating to 2011, need updating to keep up with cyber risks.

    In 2015, a bill called the Cybersecurity Disclosure Act of 2015 was introduced in the Senate seeking to encourage “transparency in the oversight of cybersecurity risks.” It would require companies to disclose whether any director has cybersecurity expertise or, if not, why this expertise on the board is not necessary. The legislation was directed at enhancing disclosure to better inform shareholders and encourage companies to act, rather than requiring any such cyber expertise on boards.

    The bill, which never made it out of committee, could be revived in the new Congress, considering the firestorm over the Russian hacking that heightened attention to cyber risk. Boards must keep pace with technology innovation and cyber risks.

    PricewaterhouseCoopers in a 2016 report recommended companies develop a set of cybermetrics to assess risks and develop a framework for managing vulnerabilities. That is a good idea to begin to measure effectiveness because what gets measured gets managed.

    Corporations have to demonstrate that they are adding board cyber competency, and disclose such moves to show shareholders they are doing so. Like corporations, asset owners and other institutional investors have a fiduciary duty to minimize unrewarded risk exposures and must embrace cybersecurity as a priority, and encourage companies they invest in, or that provide them with services, to do likewise.

    Pensions & Investments
    Copyright © 1996-2022. Crain Communications, Inc. All Rights Reserved.