Executives from two London pension funds are calling on asset owners to consider cybersecurity risk as financially material for fund investments.
The £8 billion ($10 billion) defined contribution multiemployer National Employment Savings Trust and the £30 billion defined benefit RPMI Railpen issued the plea in a report Wednesday.
With a 2018 cyberbreach at British Airways PLC set to cost the firm a potential total of $729 million in fines and lawsuits, and another at Facebook Inc. costing that firm billions of dollars in fines around the globe and a $119 billion loss in market value, companies held by investors could be collectively spending $90 trillion by 2030, the report said.
With one-third of U.K. businesses having identified cybersecurity breaches or attacks in the last year, the two London funds want fellow investors to look at cyberrisks as part of their pre-investment due diligence and are encouraging engagement efforts and attention to cybersecurity concerns in voting at annual general meetings.
"Cyberattacks can seriously undermine the performance of a company, making what would seem an ideal investment opportunity turn into a costly mistake," NEST CIO Mark Fawcett said in a news release.
NEST and Railpen called on investors to align cybersecurity programs with the business risk to determine if management is allocating resources to cyber issues effectively, and to scrutinize boards over the metrics used to assess cyberrisk to prevent board complacency.
"Companies should be ready for questions from investors, and pension funds need to start raising the topic with their money managers," said Railpen CIO Richard Williams in the release.
Ernst & Young found that so far in 2019, 89% of companies disclosed a focus on cybersecurity in the risk oversight section of their proxy statements, up from 80% a year earlier. A separate report from the consulting firm found that 54% of Fortune 100 companies sought cybersecurity as an area of expertise for board members, up from 40% last year.
Jocelyn Brown, senior investment manager of sustainable ownership at Railpen, said in a telephone interview that "companies are upping their game."
"We engage with executives on company boards on cybersecurity both collectively and individually. Companies are getting well-prepared in terms of what they are reporting and what they have learned about cybersecurity," she said.
Ms. Brown added that investors should consider how companies think about cybersecurity as part of the "enterprise risk management process," or how they are considering cyberrisk in supply chains.
The report acknowledged there is a shortage of reporting standards at investors' disposal, citing the Accenture Security index, which assesses performance across 33 cybersecurity factors at both the industry and country level.
To help other investors compare companies' preparedness for cyberrisks, NEST has supported a project commissioned by the U.K.'s National Cyber Security Centre to develop a cybersecurity index.