The growing threat of cyberattacks at portfolio companies – from the growth in AI, IT skill shortages and geopolitics – is viewed as a key risk at the £34 billion Railpen. The investor outlines how other asset owners and managers can engage on the issue.
Railpen, the £34 billion fund for the members of the UK railways pension schemes, is urging fellow investors to recognise the financial materiality of cybersecurity in their portfolios.
Together with Royal London Asset Management, Railpen has laid out how investors can ensure best practice among portfolio companies, identify and engage on cybersecurity and participate in policy advocacy to help build a supportive regulatory environment. The report, Cyber Security Risk and Resilience, follows on from 2019 when Railpen joining forces with the UK’s largest defined contribution fund, Nest, to produce a joint report on cyber and data security.
“We are seeing a concerning disconnect between leaders’ awareness and preparedness for cyber attacks,” says Sophie Harris, senior investment analyst, sustainable ownership at Railpen.
“We believe investors have an important role to play when it comes to closing the gap and forcing business to start taking cyber preparedness more seriously. Recognising the importance of cybersecurity resilience, we encourage asset managers to develop their understanding of the financial materiality of cybersecurity, use the investor expectations as a tool for engagement with companies that face a high level of risk, and report on progress to their clients.”
How big is the risk?
Cyber risk sits in supply chains and with third parties. The growth in AI, IT skills shortages and geopolitics have also spiked cyber risk in recent years.
“Contagion risk in supply chains can be evaluated through third-party management strategies. Additionally, a company’s employee training programmes and incident response plans can provide insight into its preparedness for AI generated risks,” say the authors.
According to the IMF, cyber incidents with malicious intent have almost doubled since Covid. Meanwhile, the World Economic Forum 2024 Outlook reported that 29 per cent of organisations stated that they had been materially affected by a cyber incident in the past 12 months. Cyberattacks have also become more costly, as the risk of extreme losses has increased, sometimes putting firms at risk of insolvency. Global cybercrime costs are expected to surge to £8.2 trillion by the end of 2025 but the actual extent of the damage is likely to be much higher as many attacks go undetected or unreported.
The report cites figures that put the average loss associated with a data breach and the recovery process at US$4.88 million. In another trend, cybersecurity risk is increasingly being transferred to insurers. An estimated US$12 billion of gross premiums were written in 2023. But insurance doesn’t cover all the risks. Companies share price falls, they face elevated costs of debt and increased audit fees and the threat of regulatory action too.
“The increasing number, cost, and threat drivers of cybersecurity incidents, coupled with a disconnect between awareness of, spending on and preparedness for this risk at a company level, is leading to growing cybersecurity risk across portfolios. We believe cybersecurity needs more attention, particularly due to its systemic implications, and we invite investors to take action,” states the report.
What are the engagement priorities?
Corporates need robust board oversight of cybersecurity practices. Investors need to ensure the boards at portfolio companies are actively involved in cybersecurity governance, helping to set the right tone at the top and aligning cybersecurity strategies with business objectives.
It’s an area pension funds like Nest are keenly focused, explains Diandra Soobiah, director of responsible investment and a member of the UK’s Cybersecurity Coalition set up in 2019 to address the systemic risk posed by cyber security alongside Brunel Pension Partnership, Border to Coast and USS.
“We expect corporate boards to be adequately prepared for cyberattacks with operational resilience at the heart of a cybersecurity strategy. We will use the guidance to enhance our engagements with companies to help protect our 13 million members from this systemic risk,” she says.
Comprehensive due diligence and proactive risk management of external parties are critical. This includes assessing the cybersecurity posture of suppliers and acquisition targets to mitigate risks and ensure the integrity of the supply chain.
Fostering a resilient culture is fundamental and should be supported by strong vulnerability management and penetration testing; obtaining relevant cybersecurity certifications ensures that daily operations are secure and reduces the risk of cyber incidents.
The report also stresses the importance of working with peers and government bodies to enhance cybersecurity standards. “Collaborative efforts can lead to the sharing of best practices, threat intelligence, and coordinated responses to cyber threats,” it states.
Other key areas where investor engagement can reap dividends includes timely disclosure of cybersecurity breaches and the inclusion of information security and cyber resilience in executive compensation KPIs. The authors suggest corporates introduce cyber covenants in supplier contracts and develop innovative and tailored training programs across the workforce.
“We encourage investors to use the expectations outlined in this report to assess companies’ baseline approach to cybersecurity and to measure companies’ progress towards best practice,” write the authors.
Investors should focus their efforts on identifying and engaging with companies that face high-risk exposure. Identifying the laggards in vulnerable sectors (healthcare, manufacturing, finance and utilities, to name a few) can enable investors to proactively engage with companies.
Investors should also be prepared to escalate. When a company fails to respond to questions on cybersecurity or is deemed to fall far below investor expectations on best practice, escalation can be a useful tool to secure a response or encourage change
Actively engaging in public policy advocacy regarding cybersecurity, including responding to consultations such as those from the SEC on cyber reporting is another approach. By undertaking public policy advocacy, investors can help shape the regulatory landscape to support positive cybersecurity outcomes and ensure that the standards set by bodies like the SEC are practical, effective, and aligned with the realities of the market.
“Cyber incidents will continue, with increasing frequency and sophistication. Investors can only protect value by understanding the risk factors, governance and strategy, and by knowing what questions to ask. This collaborative engagement has built on our understanding and provided valuable insights on set expectations,” concludes Faith Ward, chief responsible investment officer, Brunel Pension Partnership.
