Railpen urges all investors to elevate cyber security

Warning icon on a digital LCD display with reflection. Concept of cyber attack, malware, ransomware, data breach, system hacking, virus, spyware, compromised information and urgent attention.

The growing threat of cyberattacks at portfolio companies – from the growth in AI, IT skill shortages and geopolitics – is viewed as a key risk at the £34 billion Railpen. The investor outlines how other asset owners and managers can engage on the issue.

Railpen, the £34 billion fund for the members of the UK railways pension schemes, is urging fellow investors to recognise the financial materiality of cybersecurity in their portfolios.

Together with Royal London Asset Management, Railpen has laid out how investors can ensure best practice among portfolio companies, identify and engage on cybersecurity and participate in policy advocacy to help build a supportive regulatory environment. The report, Cyber Security Risk and Resilience, follows on from 2019 when Railpen joining forces with the UK’s largest defined contribution fund, Nest, to produce a joint report on cyber and data security.

“We are seeing a concerning disconnect between leaders’ awareness and preparedness for cyber attacks,” says Sophie Harris, senior investment analyst, sustainable ownership at Railpen.

“We believe investors have an important role to play when it comes to closing the gap and forcing business to start taking cyber preparedness more seriously. Recognising the importance of cybersecurity resilience, we encourage asset managers to develop their understanding of the financial materiality of cybersecurity, use the investor expectations as a tool for engagement with companies that face a high level of risk, and report on progress to their clients.”

How big is the risk?

Cyber risk sits in supply chains and with third parties. The growth in AI, IT skills shortages and geopolitics have also spiked cyber risk in recent years.

Sponsored Content

“Contagion risk in supply chains can be evaluated through third-party management strategies. Additionally, a company’s employee training programmes and incident response plans can provide insight into its preparedness for AI generated risks,” say the authors.

According to the IMF, cyber incidents with malicious intent have almost doubled since Covid. Meanwhile, the World Economic Forum 2024 Outlook reported that 29 per cent of organisations stated that they had been materially affected by a cyber incident in the past 12 months. Cyberattacks have also become more costly, as the risk of extreme losses has increased, sometimes putting firms at risk of insolvency. Global cybercrime costs are expected to surge to £8.2 trillion by the end of 2025 but the actual extent of the damage is likely to be much higher as many attacks go undetected or unreported.

The report cites figures that put the average loss associated with a data breach and the recovery process at US$4.88 million. In another trend, cybersecurity risk is increasingly being transferred to insurers. An estimated US$12 billion of gross premiums were written in 2023. But insurance doesn’t cover all the risks. Companies share price falls, they face elevated costs of debt and increased audit fees and the threat of regulatory action too.

“The increasing number, cost, and threat drivers of cybersecurity incidents, coupled with a disconnect between awareness of, spending on and preparedness for this risk at a company level, is leading to growing cybersecurity risk across portfolios. We believe cybersecurity needs more attention, particularly due to its systemic implications, and we invite investors to take action,” states the report.

What are the engagement priorities?

Corporates need robust board oversight of cybersecurity practices. Investors need to ensure the boards at portfolio companies are actively involved in cybersecurity governance, helping to set the right tone at the top and aligning cybersecurity strategies with business objectives.

It’s an area pension funds like Nest are keenly focused, explains Diandra Soobiah, director of responsible investment and a member of the UK’s Cybersecurity Coalition set up in 2019 to address the systemic risk posed by cyber security alongside Brunel Pension Partnership, Border to Coast and USS.

“We expect corporate boards to be adequately prepared for cyberattacks with operational resilience at the heart of a cybersecurity strategy. We will use the guidance to enhance our engagements with companies to help protect our 13 million members from this systemic risk,” she says.

Comprehensive due diligence and proactive risk management of external parties are critical. This includes assessing the cybersecurity posture of suppliers and acquisition targets to mitigate risks and ensure the integrity of the supply chain.

Fostering a resilient culture is fundamental and should be supported by strong vulnerability management and penetration testing; obtaining relevant cybersecurity certifications ensures that daily operations are secure and reduces the risk of cyber incidents.

The report also stresses the importance of working with peers and government bodies to enhance cybersecurity standards. “Collaborative efforts can lead to the sharing of best practices, threat intelligence, and coordinated responses to cyber threats,” it states.

Other key areas where investor engagement can reap dividends includes timely disclosure of cybersecurity breaches and the inclusion of information security and cyber resilience in executive compensation KPIs. The authors suggest corporates introduce cyber covenants in supplier contracts and develop innovative and tailored training programs across the workforce.

“We encourage investors to use the expectations outlined in this report to assess companies’ baseline approach to cybersecurity and to measure companies’ progress towards best practice,” write the authors.

Investors should focus their efforts on identifying and engaging with companies that face high-risk exposure. Identifying the laggards in vulnerable sectors (healthcare, manufacturing, finance and utilities, to name a few) can enable investors to proactively engage with companies.

Investors should also be prepared to escalate. When a company fails to respond to questions on cybersecurity or is deemed to fall far below investor expectations on best practice, escalation can be a useful tool to secure a response or encourage change

Actively engaging in public policy advocacy regarding cybersecurity, including responding to consultations such as those from the SEC on cyber reporting is another approach. By undertaking public policy advocacy, investors can help shape the regulatory landscape to support positive cybersecurity outcomes and ensure that the standards set by bodies like the SEC are practical, effective, and aligned with the realities of the market.

“Cyber incidents will continue, with increasing frequency and sophistication. Investors can only protect value by understanding the risk factors, governance and strategy, and by knowing what questions to ask. This collaborative engagement has built on our understanding and provided valuable insights on set expectations,” concludes Faith Ward, chief responsible investment officer, Brunel Pension Partnership.

Leave a Comment

Silver is the new gold: France’s UMR targets opportunities in ageing economy

Silver is the new gold: France’s UMR targets opportunities in ageing economy

French pension organisation UMR has launched a multi-asset thematic program that will target opportunities in Europe’s ageing economy. It’s part of a broader strategy to increase diversification in private markets where it sees secondary markets as an increasingly important tool.

Sort content by

NZ Super cuts benchmark return expectation on US valuation concerns

A view that the US stock market is overvalued and equity risk premia will be lower over the long term has driven New Zealand Super to lower the return expectations for its reference portfolio following its recent five-yearly review of the benchmark. Co-chief investment officer Brad Dunstan also flags underweight commodity exposure as an area to address and explains why the fund remains sceptical of illiquidity premia despite seeing a growing case for private markets.

Sampension: Why there are many reasons to be optimistic

Now is not the time to reduce risk, argues Henrik Olejasz Larsen, chief investment officer of Sampension, Denmark’s $50 billion pension fund for public and private sector employees. In an interview with Top1000funds.com, he says corporate profits have not deteriorated, and although the market has been tested from multiple directions, the underlying optimism driving equities is strong enough to overrule the negative impact of geopolitical risk.

France’s Banque des Territoires looks for data centre opportunities

France’s Banque des Territoires, a subsidiary of Caisse des Dépôts, the country’s €323 billion state-owned financial institution, plans to invest more in data centres in France. The push is in line with government policy to build out AI infrastructure off the back of the country's access to cheap, green, nuclear energy that uniquely positions France to provide power to the AI industry while maintaining net zero credentials.

Why NYC pensions CIO hasn’t drunk the ‘TPA Kool-Aid’

Three decades of investing have given Monte Tarbox sharp eyes for recognising risk and opportunities, and he’s putting it to use as the new permanent chief investment officer of the $306 billion NYC Bureau of Asset Management. In an interview with Top1000funds.com, Tarbox outlines his vision for the fund, why he’s bullish on infrastructure but “nervous” on PE, and why he hasn’t drunk the TPA “Kool-Aid”.

How CPP is evolving risk management for a faster, more interconnected world

In an environment where multiple risks are emerging and their effects are compounding on the portfolio, CPP Investments' chief risk officer Priti Singh says the $572 billion fund is rethinking risk management from the ground up, shifting from reaction to preparation and embedding risk thinking earlier in investment decisions. She speaks to Amanda White about the fund's risk approach.

URS bets on nuclear to power AI and lower emissions

Next-generation nuclear energy, and the money pouring into it, will truly change the world, according to CIO of Utah Retirement System John Skjervem. It’s a lonely position as the CIO of a public pension fund but one Utah is embracing as it builds out early-stage investments in nuclear energy as part of its alternative energy portfolio. He speaks to Sarah Rundell in an exclusive interview about how investing in transformational energy technologies can be part of prudent investment management.