From the fitness tracker on my wrist, to the powerful smartphone in my pocket, or the computer these words have been typed on, society is becoming ever more reliant on technology. There are, of course, positives to this. Home working through the Covid pandemic for some and subsequent flexible working practices have only become possible through the use of technological platforms that, at a social level, have connected people across the world.
Unfortunately, with the good comes the bad. We have seen an alarming rise in hacking in recent times from individuals and groups whose targets range from everyday consumers to major government institutions.
Frighteningly, data from the International Monetary Fund indicates that the number of cybersecurity attacks tripled over the last decade as hackers sought to use their skills for all sorts of nefarious purposes, from stealing financial information to manipulating news flow and public opinion. If anything, recent events have only served to heighten concerns further.
In such a context, the growing trend for cybersecurity investment and regulation should come as no surprise.
Technology has become so prevalent that all investors, whether directly or indirectly, are exposed to the sector. It will constitute a large component of many portfolios, and it is only reasonable to expect this to increase further as the global economy continues to decarbonise.
See also: – Tech risks could turn the sector into a ‘sustainability disaster’
However, with the inherent innovation that underpins its development, the number of emerging ESG concerns in technology are increasing. It is therefore the responsibility of asset managers to ensure cybersecurity investment regulation and funding remains an active priority.
Vulnerability from disclosure
In 2020, RLAM initiated critical engagement on cybersecurity issues with our holding companies. We have continued this in 2021, contacting 24 companies, including some that did not respond to us previously. With most, the quality of engagement was strong, with some inviting chairpersons and C-suite executives to join the meetings, while others brought their chief information security officers (CISO) and other technical experts. In both instances, we found the discussions rich and insightful.
Cybersecurity is one of those rare exceptions to the rule; as an asset manager that actively engages with companies, we usually look for greater levels of transparency. But in this case, we recognise that increasing disclosure may in fact make a company more vulnerable to cyberattacks, and it is common to find that most companies have only partial information published on their websites.
This makes engagement more critical than ever. Admittedly, even this is no proxy for robust systems and training programmes being in place, with a cyber-resilient society now widely recognised as an issue of national and economic security. But, by engaging, investors can reinforce their understanding of the companies’ practices and gain a much deeper understanding of the measures put in place to properly manage the risk of cyber-attack. The findings from our conversations with companies have aided our understanding of the risk mitigation measures that companies have in place – measures that may not be obvious from their public disclosures.
How to engage
How does an asset manager effectively engage with companies on these issues? We have developed a set of minimum and advanced expectations for companies that will enable us to assess how well they manage their cyber risks – to the extent possible as an outsider looking in. Our focus is questioning and understanding how companies are addressing cyber risk. What we’ve found is it often involves having a board member or an appointed executive (such as a CISO) with responsibility for information security and cyber resilience.
We are also mindful of signals that may act as “red flags” – unusually low levels of disclosure, or those that are known to have experienced a breach, for example – and engage with them to find out what has happened, and how the company plans to take it’s cybersecurity measures forward.
Although organisations can never entirely rule out the risk of a cybersecurity incident, companies that are implementing these best practices are better placed to adapt and respond to these emerging risks.