Gone are the days when the security of a company’s data was seen as the responsibility of the IT department.These days, it’sa key concern for corporate governance. Boards must take the lead in ensuring data is protected and investigating whether company mechanisms are up to the job.
Cybersecurity risk is real and pervasive, as demonstrated by recent attacks that have put big banks, personal credit rating agencies, internet providers, the UK National Health Service and even the US intelligence community on high alert.
Threats can emerge from various sources, both internal and external, resulting in data breaches that can have a negative impact on share price, reputation and trust in the organisation’s ability to secure sensitive data, including personal information and intellectual property. A 2017 study by IT consultant CGI and Oxford Economics concluded that severe breaches caused share prices to fall by an average of 1.8 per cent.
Despite high-profile incidents, many institutional investors are only just beginning to look at the governance issues surrounding cybersecurity. This year, several cybersecurity-related resolutions have shown that investors are keen to understand how cyber aware their portfolio companies are and whether they have appropriate mechanisms to manage a breach. All of this can be difficult to assess, however, because of gaps in corporate disclosure on this topic.
An additional – and serious – consideration for boards is that the regulatory regime on data privacy and cybersecurity is being strengthened across the world with fines and penalties for data breaches.
Last year, for example, the US Congress has introduced the bipartisan Cybersecurity Disclosure Act of 2017, which would require publicly traded companies to disclose the cybersecurity expertise of any members of the board or general partner and, if the board does not have such expertise, disclose the measures the board has taken to identify and nominate future members.
In Europe, the General Data Protection Regulation came into force in May 2018, creating obligations for companies that process and hold data in the EU regardless of where they are located. Notably, the penalties for not adhering to these requirements can be up to €20 million. Similarly, in Australia, the Australian Privacy Act mandates that companies implement security safeguards to protect personal information and notify customers of data breaches.
Investors need to discuss these issues with board directors to raise awareness of potential data compromises and ensure the board is involved in assessing the robustness of security measures. This issue will only continue to intensify in the future, so investors need to start the conversation with companies now to better understand their exposure.
Global collaborative action
To improve corporate disclosure and enhance understanding of the underlying cyber vulnerabilities, Principles for Responsible Investment (PRI) has been co-ordinating a global collaborative engagement on this topic. More than 50 institutional investors, representing more than US$12 trillion in assets under management, are now engaging with companies on their cybersecurity governance.
Our report, Stepping up governance on cyber security: What is corporate disclosure telling investors?, provides a snapshot, based on a study of 100 companies, primarily in the healthcare, financial and retail sectors. The study, which forms the basis of our collaborative engagement, found that although companies are increasingly recognising cyber risks and their impacts, corporate information in the public domain does not reassure investors that companies have adequate governance structures and measures in place to deal with cybersecurity challenges.
As this dialogue progresses over the next year or so, participating members will have further clarity on how material cybersecurity risk is for companies in their portfolio, how information flows to the board on cybersecurity matters and what the process is for evaluation against peers.
Using these findings, the PRI will also put together a set of investor expectations on cybersecurity governance that companies should be able to meet. Through this process, investors will be signalling to companies that further meaningful disclosure on cybersecurity is warranted, and this will enable them to discern which companies are likely to manage risks appropriately.
Boards need to work closely with senior management to escalate the message across the organisation that security is everyone’s problem. Keeping data secure is not about buying the latest security software; it is about everyone in the company taking responsibility for keeping data secure, whether it’s deleting emails with attachments from unknown sources or protecting the data on laptops that employees take home with them.
Board members could start by ensuring that cybersecurity is on the agenda at meetings. If these issues are delegated to senior management, then the board must have regular updates from those individuals to stay current on the topic.
Fiona Reynolds is chief executive of Principles for Responsible Investment.
www.top1000funds.comis the media partner for the PRI in Person, to be held in San Francisco next week.