
Covid-19 / Viewpoint
Why cyber-security and governance should go hand in hand
The extent of board buy-in on cyber-security can be a good litmus test for the effectiveness of a company’s approach to cyber-risk
Betina Vaz Boni 23 Apr 2020

No organization, regardless of size, is immune to cyber-security threats, and the Covid-19 outbreak has only increased our exposure.

Ongoing worldwide lockdown measures have made working from home the norm, increasing employees' exposure to cyber-attacks and to practices such as phishing - fraudulent messages crafted to look as if they come from a trusted source.

Even more worrying are the attacks targeting the critical infrastructure of those directly involved in responding to the pandemic, such as governmental agencies and healthcare providers.

Recent examples include a medical facility that was testing a coronavirus vaccine suffering a ransomware attack, and the Italian social security website being hit by several cyber-attacks.

These organizations have been on the frontline of combating Covid-19 and cyber-incidents can jeopardize their ability to mitigate the impacts of the outbreak.

Attacks on these types of organizations are not new. A ransomware attack in 2017 hit several healthcare organizations worldwide, costing the UK's National Health Service - one of the worst affected - 92 million pounds sterling.

Also, the number and sophistication of attacks has risen sharply - a 2019 report from Accenture found that cyber-security breaches had risen by over 65% over the preceding five years.

Various stakeholders could be potentially affected by a cyber-attack, whether by financial consequences (such as loss of share value and regulatory penalties) or reputational, societal, physical and psychological ones.

As such, investor scrutiny is essential - although the cyber-security landscape is not easy to navigate, and corporate disclosures are not particularly revealing.

Companies consider cyber-security a sensitive topic and hesitate to make their preparations public for fear of being targeted by criminals and losing their competitive advantage.

Governance can be a proxy for the strength of cyber-resilience within a firm. It allows investors to assess if a company has an organization-wide approach to cyber-security, without having to delve into technical detail, which can sometimes be overwhelming for people lacking cyber-expertise.

In this sense, governance structures and processes can indicate a company's readiness to address potential threats and the robustness of the steps it is taking to manage cyber-risks.

The Principles for Responsible Investment (PRI) released a new report April 22 - Engaging on cyber-security: Results of the PRI collaborative engagement 2017-2019. The report details the key learnings from a PRI three-year collaborative engagement on cyber-governance.

Representing over US$12 trillion in assets, 55 institutional investors engaged 53 portfolio companies from five different sectors to understand how they are demonstrating preparedness and addressing cyber-related risks, using governance as a proxy for resilience.

To inform this dialogue, the PRI published a report in July 2018, Stepping Up Governance on Cyber-Security, assessing the cyber-related disclosures of publicly traded companies against 14 indicators covering cyber-security policy, board oversight and reporting, access to expertise, training and assessment.

Investors participating in this engagement used the analysis to drive their conversations with companies.

An analysis of corporate reporting over the engagement period reveals that the number of the companies leading on disclosure increased, as did the level of detail and scope of information disclosed.

However, cyber-security-related disclosures are still not the norm - private dialogue with companies proved to add value for investors seeking to understand how they were positioned to manage cyber-risks.

The conversations provided insights in four areas: board oversight, board expertise, cyber-security monitoring across the value chain and building capacity.

The extent of board buy-in on cyber-security can be a good litmus test for the effectiveness of a company’s approach to cyber-risk. Although companies are increasingly disclosing clear board accountability in this area, they appear to demonstrate different levels of comfort in communicating how boards assess and oversee company-wide cyber-security improvements.

Nonetheless, the engagement dialogue provided some good examples of detailed board reporting and monitoring of cyber-performance.

Having a board member with cyber-expertise is not common, with only one-fifth of the companies engaged disclosing related information. When investors raised the issue in the engagement dialogues, companies indicated that they look for a spectrum of skills and experience and while this includes cyber-security and IT, these can’t be considered in isolation.

The conversations also revealed that companies prioritized upskilling the board using external expertise and training, where deficits in knowledge were noted.

Many companies rely on third-party service providers to collect and process private data but may not be fully aware of the cyber-vulnerabilities this brings. The conversations indicated that they need to do much more to address this exposure.

Investors could start by encouraging companies to disclose a data protection policy covering all operations, including those of third parties, something which less than half of respondents did in 2019.

The engagement found that companies, particularly in the financial sector, had significantly increased their cyber-security investments in the last few years, building their capacity to deal with attacks and protect data.

Companies are strengthening their resilience in other ways too - by collaborating with industry partners, being innovative with cyber-security training and through the use of insurance.

We have reached a point of no return when it comes to our personal and professional reliance on technology. This dependence goes hand-in-hand with the persistence and increasing intensity of cyber-risks - the latest World Economic Forum Global Risks Report recognized cyber-attacks as one of the top 10 risks of the next decade.

Companies can only ignore these threats at their peril. So, investors should continue to engage with them and, in doing so, prioritize organizations that are playing a critical role in fighting the pandemic.

There is still a long way to go before investors have enough data to assess companies on their cyber-security performance. Nonetheless, the learnings and recommendations from the PRI's engagement can shed light on best practice and on how to assess companies' disclosures, and they can support investors in future conversations with companies.

Betina Vaz Boni is an analyst, governance issues, PRI
