Cybersecurity becoming big ESG concern

Cybersecurity is moving up the agenda for institutional investors and their money managers as a responsible investment consideration, as several high-profile attacks and breaches bring the issue to the front of investors' minds.

Sources at retirement plans and money management firms said the issue is being considered in particular when thinking through environmental, social and governance factors within investment portfolios.

Some investors already are weaving cybersecurity into their expectations when it comes to money management. "Cybersecurity is increasingly important for investors, companies and regulators," said Diandra Soobiah, London-based head of responsible investment at the £1.8 billion ($2.4 billion) National Employment Savings Trust, London. "Cyberattacks are part of a new reality for companies. The significant economic costs of such attacks make this a clear risk issue for NEST, and we expect companies to report on how they manage it."

Executives at the multiemployer defined contribution plan also want to see company boards taking a proactive stance on cybersecurity. "This will be a future area of engagement for us and we plan to work collaboratively with other organizations on our engagement activities," added Ms. Soobiah.

Others are only at the start of their work. "Many institutional investors are just beginning to look at the governance issues around cybersecurity," said Fiona Reynolds, managing director at the Principles for Responsible Investment in London. "We have seen all too clearly in recent months the enormous reputational and financial consequences when adequate safeguards are not put in place to secure sensitive information."

A number of recent breaches, such as of the U.K.'s National Health Service and U.S. credit bureau Equifax Inc., demonstrate the potential impact on portfolios, said sources. David Averre, head of credit analysis at Insight Investment in London, said from a fixed-income perspective, cybersecurity so far has not been a material financial issue. "However, there have been a few instances of late which should raise some red flags for investors."

He cited the Equifax incident, which saw its stock price drop 27%, market capitalization decrease by $4.6 billion and company bonds lose 6% of their value.

While questions are not yet coming from investors, "following Equifax, I would be surprised if we did not start receiving questions from clients and how we are trying to gauge where the risks are in the companies in which we invest," he said.

To enhance investor understanding, the PRI is coordinating a group of institutional investors, representing more than $10 trillion in assets, to engage in dialogue with listed large-capitalization companies, added Olivia Mooney, London-based senior manager, corporate governance, at the PRI.

"It will build investors' understanding about how their portfolio companies are positioned to be resilient to cyberthreats and will seek to improve companies' disclosure about their cyberrisks, policies and governance. Investors don't need to have highly technical expertise. At this stage, they need to start the conversation to be assured companies are considering and managing their risk effectively."

A number of money management executives said some clients view cybersecurity as an ESG issue, while others said the questions are not yet being asked.

"We are seeing clients take a greater interest in cybersecurity, which is increasingly becoming a talking point at client meetings and asked about in client communications," said David Sheasby, Edinburgh-based head of stewardship and ESG at Martin Currie Investment Management Ltd. "As investors, we take cybersecurity very seriously and are assigning an increasing weight to this issue in our analysis and company engagement." The firm is part of the PRI's collaborative work on the topic.

For the managers themselves, the issue is a consideration within investment portfolios. "Whether it is an ESG or a business issue is less of a concern for us, what matters is the relevancy to the companies in our portfolio," said David Shammai, senior responsible investment and governance specialist at APG Asset Management in Amsterdam, which runs assets for the €394 billion ($470.4 billion) ABP, Heerlen, Netherlands.

"It can be viewed as an ESG issue given the marketwide applicability, the need for collaboration regardless of the investment strategy and perhaps also the ethical dimension. At the same time, this is really a business matter that for most companies is a lot to do with risk management and systems — clear business issues."

APG has an "integrative approach with members of the ESG team and the investment teams working collaboratively, sharing knowledge and working jointly on engagements with our portfolio companies," added Mr. Shammai.

Regarding where it fits on the ESG spectrum, sources locate cybersecurity across both social and governance factors.

Cybersecurity is a wide issue, said Felipe Gordillo, Paris-based senior ESG analyst at BNP Paribas Asset Management, speaking on a panel discussion on the topic at the PRI in Person annual conference in Berlin on Sept. 25. Thinking about the relationship with climate change, for example, autonomous cars are a much-cited development. "You need data for that, but (you need) cybersecurity to know the car won't get hacked," he said. "I think about cybersecurity from two pillars: It is a social issue, about the quality and safety of products" and there is a corporate governance angle," he said.

Speaking on the same panel, Adam Black, head of ESG and sustainability at Coller Capital in London, added executives are "looking for competence" at companies when it comes to the issue of cybersecurity. "And due diligence … it is a living issue, and needs to be embedded in the lifecycle of an investment."

Coller Capital's latest Global Private Equity Barometer, released in June, found 45% of limited partners will require their general partners to undertake cybersecurity risk assessments for their portfolio companies within three to five years. Currently only 9% require this of their GPs.

Insight Investment executives view cybersecurity as an ESG issue because "responsibility for ensuring IT security is as good as it can be rests with the board of directors. Strong governance by the board, typically through the audit and risk function, should ensure the right questions are being asked and executive management is challenged. But cybersecurity is also a social issue — it has to be when there is the potential for so many customers and non-customers to be impacted," said Mr. Averre.

The issue has been on the agenda for some time at BlueBay Asset Management, which signed on to the PRI's cybersecurity working group.

"Cybersecurity is an ESG issue in the sense that it raises ethical and human rights concerns about data privacy and data security," such as who has control or ownership of personal data and whether consent has been sought and gained on the use of that data, said My-Linh Ngo, senior ESG analyst with BlueBay in London. "It also links to issues of customer relations in terms of impact on trust and loyalty." She said high-profile attacks have raised investor awareness.

But it's not just a risk issue. With spending on cyber issues growing faster than overall information technology spending, "some strategies may be well positioned to take advantage of the companies emerging to offer solutions as spending on cybersecurity rises to meet the threats," said Lucy Thomas, Sydney, Australia-based global head of sustainable investment at Willis Towers Watson PLC.

"Last year we rated a (venture capital) strategy that invests in cybersecurity companies specifically. Our manager research team conducted some research on the cybersecurity theme and felt there was a compelling opportunity for our clients to invest in a strategy with exposure to this theme. They met with a number of players in the industry and conducted due diligence on one particular manager which resulted in a positive rating and some of our clients are now invested in the strategy," said Ms. Thomas.