Two of the United Kingdom’s largest pension funds have launched a guide to cyber risk for asset owners, something the World Economic Forum places in its top 10 global risks for 2019. The report by RPMI Railpen, investment manager for the £30 billion ($38 billion) pension fund for the UK’s railway workers and £8 billion ($10 billion) National Employment Savings Trust, NEST, the DC workplace pension scheme, highlights key cyber dangers asset owners should watch, and rules of engagement with investee companies and reticent asset managers.
It’s the latest initiative to underscore how responsible investment, in this case engagement, is increasingly an arena for cooperation and helping hands rather than competition.
“Today’s publication provides a toolkit for pension scheme trustees. Companies should be ready for questions from investors, and pension funds need to start raising the topic with their managers,” said Richard Williams, chief investment officer of RMPI Railpen.
The practical guide even extends an invitation to other pension funds to meet a corporate and go through engagement steps alongside NEST or Railpen. Engaging on cyber security is daunting for trustees without specialist technology expertise, and new UK regulations introduced in October have hastened pressure to integrate ESG, said Jocelyn Brown, senior investment manager, sustainable ownership at Railpen and co-author of the report.
Now DB and DC schemes’ statements of investment principles (SIPs) must include policies on financially material considerations including ESG, as well as outlining how they will steward investments and the extent to which non-financial matters, such as members’ ethical views, are considered when planning investments.
“So far, we have had interest from two other pension funds to join us in a collaborative meeting with a corporate. This is a chance to raise some of the topics in the report,” said Brown. “Cyber risk is rising up the agenda and we wanted to work with colleagues to put together a tool kit with practical areas where pension funds can integrate cyber into their investment approach.”
The approach underscores the importance of engagement. Corporates can only mitigate cyber risk with first-rate governance, argues Brown whose active engagement with companies on cyber risk runs alongside Railpen managing two thirds of its equity allocation in-house. It means investors need to ensure that corporate boards are set up to understand the risks, challenge approaches and approve strategies, she argues. Investors should also use their voting rights to express a view on how the board is performing – possibly voting against the board.
Other strategies could include urging boards to use remuneration to force staff to tackle cyber risk. For example, investor pressure following the 2017 hack at Equifax, the credit reporting agency which exposed the personal data of nearly 150 million people, led to the company adopting an enhanced clawback policy. It gives the compensation committee discretion to recoup incentive compensation from current and former employees if cyber risk is neglected.
Investors should not be thwarted from engaging on cyber risk by the lack of data. Admittedly, investors’ ability to scrutinise cyber risk and vote on “anything tangible” is hampered by the absence of good quality reporting and policy information, notes the report. According to the PRI there are no minimum standards of regular public disclosure on cyber security practices from large cap listed companies that investors can use to inform basic engagement and investment analysis. Moreover, companies fear that disclosure can lead to more hacks, acting as a disincentive to boost cyber security reporting “too much.” The advice: demand “a level of disclosure” that is not “counterproductive” based around best practice, cyber awareness at the company – and board level responsibility.
A lack of data also makes it difficult for investors to carry out pre-investment due diligence on cyber risk. Here the report flags helpful tools like cyber governance indices which rank companies worldwide by the strength of their defences and cyber governance. Third party ESG data and research from providers such as MSCI also contains assessments of cyber security and data privacy practices and controversies, notes the report.
Another piece of the puzzle involves persuading external managers to engage with investee companies, argues Brown.
“Managers will come to us seeking our views on what topics we consider material, and cyber risk is rising up managers’ priority list because of its financial materiality and the feedback they are seeing from clients like us.”
Railpen also engages alongside its external managers to check they are up to speed.
“We like to engage alongside our asset managers because even where we score them highly for ESG this gives us a chance to monitor them and check under the hood to see how they engage in practice.”
Persuading passive managers to act is more challenging.
“There is no coverage on cyber security by three of the largest index managers in their 2018 sustainability or stewardship reports,” she said.
It is forcing pension funds to lead the way. Research by report co-author and index investor Nest reveals companies most at risk include those holding large amounts of data, companies that have recently undergone a merger or acquisition, those with old legacy systems and global supply chains.