Cyber Security Risk Prompts Global Engagement
Cyber security risk is real and pervasive, as demonstrated by recent attacks that have thrown big banks, personal credit rating agencies, web services providers, the U.S. intelligence community and even the U.K. National Health Service into a frenzy. As we have seen, threats can emerge from various sources, both internal and external, resulting in data breaches that can depress share price, damage reputation and erode trust in the organisation's ability to secure sensitive data. The Yahoo breach reported in 2016 is a case in point – the news that the breach had exposed more than a billion customer accounts postponed the planned acquisition by Verizon, caused serious reputational damage and lowered the deal price by some $350 million.
Such high-profile incidents have put cyber security firmly on the radar of the investment community. This year at least four cyber security-related shareholder resolutions show that investors are keen to understand how cyber aware their portfolio companies are and whether they have appropriate mechanisms in place to manage a breach. However, there are yawning gaps in current corporate disclosure on this topic, making it challenging to evaluate companies properly. This is particularly problematic since regulatory regimes on data privacy and cyber security continue to be strengthened across the world. For instance, in Europe, the General Data Protection Regulation (GDPR) will come into force in May 2018, creating obligations for companies that process and hold data on individuals in the European Union, regardless of where those companies are located. Notably, the penalties for not adhering to these requirements can go up to EUR 20 million. Similarly, in Australia, the Australian Privacy Act mandates that companies implement security safeguards to protect personal information and notify customers of data breaches.
To improve corporate disclosure and enhance understanding of the underlying cyber vulnerabilities, PRI is coordinating a global collaborative engagement on this topic. Fifty-three institutional investors representing over US$12 trillion in assets under management will be engaging with companies on their cyber security governance. The questions raised with companies will open a dialogue on whether there is sufficient board oversight of cyber issues, whether boards have access to internal or external expertise, and whether companies are taking adequate measures to manage cyber security risks. The collaborative engagement will focus on listed multinational companies in the consumer, healthcare, financial, IT and telecommunication sectors.
As this dialogue progresses over the next year or so, participating members will gain further clarity on how material cyber security risk is for companies in their portfolios, how information on cyber security matters flows to the board, and how companies benchmark their performance against peers. Using these findings, they will also put together a set of investor expectations on cyber security governance that companies should be able to meet. Most importantly, through this engagement they will be signalling to companies that further meaningful information on cyber security is warranted, and that such information will enable investors to discern which companies are likely to manage these risks appropriately.
Manager, Governance Issues, UN Principles for Responsible Investment (PRI)