While investors might have come to the realization they need to start asking cybersecurity-related questions of their portfolio companies, getting started can be a bit more testing.
Some money management firms, however, are already working on it.
"As investors we need to better understand from companies the materiality of the exposure to cyberrisk to their business and the quality of their risk mitigation" or business resilience, said My-Linh Ngo, senior ESG analyst at BlueBay Asset Management in London. "We have started to raise questions in this area with companies in higher risk sectors we meet," such as retail and financial sectors, "and intend to continue to do so going forward."
Legal & General Investment Management has been engaging on the topic since 2011, said David Patt, senior analyst, corporate governance and public policy in London. "Investors need to discuss these issues at the highest level with board directors to raise awareness and get the board involved. It is a key operational and financial risk, not something just left for the IT department to deal with. This issue will only intensify in the future, so investors need to start the conversation with companies today to better understand their exposure."
Hermes Investment Management thinks of cybersecurity as both a governance and social issue, and the potential "value destruction" of a company is a big worry, said Louise Dudley, London-based portfolio manager on the global equities team.
In looking at a company, Hermes executives want to know what has been done to prepare for any cyberrisk, what evidence companies have in terms of the validity of their cyber solutions and what their plans are going forward.
"And what is the worst case: what does that look like for you?" added Ms. Dudley.
When it comes to the responses managers are getting, Robeco's Michiel Plakman, portfolio manager, Robeco global equity and Daniëlle Essink-Zuiderwijk, senior social engagement specialist of Robeco's active ownership team said it depends on the company. "For most companies that are not in the (technology, media and telecommunications) or financial services (sectors,) data security is still an after-thought," they said in a joint statement. "However, with the move to digital, this will become more important, and as shown by GDPR, every company will need a detailed cybersecurity and data privacy strategy."
As part of a collaborative engagement to help improve investor understanding of the project, the Principles for Responsible Investment has put together a list of key questions to help equip investors in conversation with companies on the topic. These questions include:
- Does the company publicly commit to be in compliance with all relevant laws, including cyber and data protection laws?
- Does the company provide training on information and/or cybersecurity requirements to all employees?
- Are there any controversies related to cyberattacks? How does the company respond to the cyberattacks and what is the broader stakeholder feedback on cyberattacks at the company?