Cybersecurity is moving up the agenda for institutional investors and their money managers as a responsible investment consideration, as several high-profile attacks and breaches bring the issue to the front of investors' minds.
Sources at retirement plans and money management firms said the issue is being considered in particular when thinking through environmental, social and governance factors within investment portfolios.
Some investors already are weaving cybersecurity into their expectations when it comes to money management. "Cybersecurity is increasingly important for investors, companies and regulators," said Diandra Soobiah, London-based head of responsible investment at the £1.8 billion ($2.4 billion) National Employment Savings Trust, London. "Cyberattacks are part of a new reality for companies. The significant economic costs of such attacks make this a clear risk issue for NEST, and we expect companies to report on how they manage it."
Executives at the multiemployer defined contribution plan also want to see company boards taking a proactive stance on cybersecurity. "This will be a future area of engagement for us and we plan to work collaboratively with other organizations on our engagement activities," added Ms. Soobiah.
Others are only at the start of their work. "Many institutional investors are just beginning to look at the governance issues around cybersecurity," said Fiona Reynolds, managing director at the Principles for Responsible Investment in London. "We have seen all too clearly in recent months the enormous reputational and financial consequences when adequate safeguards are not put in place to secure sensitive information."
A number of recent breaches, such as those of the U.K.'s National Health Service and U.S. credit bureau Equifax Inc., demonstrate the potential impact on portfolios, said sources. David Averre, head of credit analysis at Insight Investment in London, said that from a fixed-income perspective, cybersecurity so far has not been a material financial issue. "However, there have been a few instances of late which should raise some red flags for investors."
He cited the Equifax incident, which saw the company's stock price drop 27%, its market capitalization decrease by $4.6 billion and its bonds lose 6% of their value.
While questions are not yet coming from investors, "following Equifax, I would be surprised if we did not start receiving questions from clients and how we are trying to gauge where the risks are in the companies in which we invest," he said.
To enhance investor understanding, the PRI is coordinating a group of institutional investors, representing more than $10 trillion in assets, to engage in dialogue with listed large-capitalization companies, added Olivia Mooney, London-based senior manager, corporate governance, at the PRI.
"It will build investors' understanding about how their portfolio companies are positioned to be resilient to cyberthreats and will seek to improve companies' disclosure about their cyberrisks, policies and governance. Investors don't need to have highly technical expertise. At this stage, they need to start the conversation to be assured companies are considering and managing their risk effectively."