Engaging on cyber security: results of the PRI collaborative engagement 2017-2019

Executive summary

Cyber security has been recognised as a risk in the World Economic Forum Global Risks Report for several years, with the latest version ranking cyber security as one of the top 10 risks that the world will face in the next 10 years.¹ As the incidence of cyber attacks and the costs of security failures increase, institutional investors want to be on the front foot in assessing portfolio exposure to cyber security-related risks. However, poor corporate disclosure on this topic and lack of advanced technical expertise make it difficult for investors to understand how companies are addressing this growing challenge.

Against this backdrop, the PRI initiated a collaborative engagement with 55 institutional investors representing over US$12trn in assets under management. Using cyber governance as a proxy for cyber resilience, these investors engaged 53 companies in a range of sectors (healthcare, financial, consumer goods, information technology and telecommunications) over 2017-2019. On the basis of research commissioned by the PRI, they pressed for improved disclosure on cyber security policy, board oversight and reporting, access to expertise, training and assessment.

This report provides investors with:

An analysis of how companies within this initiative have progressed on corporate reporting over the last two years;
Insights from the PRI collaborative engagement that shed light on how cyber risks are being perceived and addressed among companies from diverse sectors; and
A set of investor recommendations on engagement, including tools to benchmark disclosure and set expectations.

Over the engagement period, the targeted companies made significant strides in reporting on cyber-related governance mechanisms and processes. The average score across the companies improved from 6.1 to 8.5 (out of 14 indicators) over 2017-19. The number of companies leading on disclosure increased, as did the level of detail and scope of information disclosed. However, despite these positive trends, cyber security-related disclosures cannot be considered the norm – for instance, in 2019, a majority of the targeted companies did not provide information on audits, evidence of cyber security training for all staff or details of relevant board expertise.²

Nonetheless, companies were open and willing to engage in private conversations with investors and made their experts available to provide a comprehensive view of their approach to cyber security. The engagement conversations enabled investors to scrutinise governance practices and discuss current and future expectations around cyber security maturity. Key learnings from the dialogues regarding board oversight, board expertise, cyber security monitoring across the value chain and capacity building are explored in detail in the report.

The report also includes recommendations, potential engagement questions and disclosure expectations for investors looking to initiate or continue engagement on cyber security. At a high level, we recommend that investors:

Validate board oversight of cyber risk;
Ensure cyber resilience is integrated into corporate strategy;
Check for common language;
Look beyond technical controls; and
Set disclosure expectations.

Furthermore, investors can use the set of disclosure expectations to identify gaps in company disclosure, benchmark portfolio companies against their peers, and as a tool for engagement to drive better disclosure on cyber security.

Going forward, and building on our work on cyber security, the PRI will explore related themes such as artificial intelligence and the ethics of innovation as well as appropriate governance mechanisms and regulatory gaps. To support investors in understanding related risks and opportunities and formulating their response, the PRI will also consider the broader implications of technology for sustainable development and responsible investment, looking across the entire investment chain.

Introduction

The proliferation of digital technologies has considerably increased the vulnerability of companies and governments to cyber attacks in recent years. A 2019 report from Accenture found that cyber security breaches had risen by over 65% over the last five years.³ As increased automation and smart technologies are embraced, cyber threats are expected to become more frequent and intense. As a result, it is estimated that the cost of data breaches will rise from US$3trn each year to over US$5trn in 2024.⁴

The impacts are, however, not purely financial. The harms caused by cyber attacks can be reputational (e.g. damaged relationships with customers, intense media scrutiny and loss of key staff), societal (e.g. disruption to daily life through impacts on key services, a negative perception of technology), physical (e.g. loss of life, damage to infrastructure) and psychological (e.g. victims left depressed, embarrassed, shamed or confused).⁵

It is only prudent, then, that companies take measures to secure against a possible threat. However, this is easier than done given the increasing sophistication of attacks, inconspicuous nature of the instigators of cyber attacks and rising costs of cyber defence. In fact, several market studies have illustrated that companies are struggling with cyber risk management.⁶ And corporate disclosures related to these practices fail to offer assurances to the contrary.⁷

These cyber-related business challenges are, therefore, raising concerns for institutional investors. They are keen to develop better understanding of the scope of these risks and their potential impact on portfolio companies. However, the ever-changing cyber security landscape is complex to navigate – there are no established standards or ways to compare the levels of cyber risk across different sectors or companies.⁸ Also, investors are not privy to internal management discussions around cyber readiness or incident management and rely on company boards and management for their oversight, governance and disclosure of this enterprise risk.

In this context, cyber governance can be a proxy for the strength of cyber resilience within the firm, allowing investors to assess whether a company has an organisationwide approach to cyber security, without having to delve into technical nitty-gritty. Disclosures around governance would provide assurance to investors of appropriate policies and controls, levels of accountability and strong board oversight to validate the adequacy and sufficiency of cyber security procedures.

About the engagement

In this context, the PRI initiated in June 2017 a collaborative engagement on cyber security governance. The engagement received significant interest from signatories – 55 institutional investors, with assets under management of over US$12trn, joined the group.

cyber_fig1

The focus of the engagement was defined based on input from an advisory group of investors and industry experts. While acknowledging that no business is immune to cyber attacks, the engagement was narrowed down to the financial, healthcare, telecommunications, information technology and consumer discretionary sectors based on an assessment of exposure to cyber security risks, frequency and impact of incidents, and responses to these incidents. For instance, the financial industry was a focus because of its continued exposure to threats (a 2019 Accenture report estimated the annual average cost of cyber crime for companies in the banking sector to be US$18.37m), despite companies demonstrating greater cyber readiness relative to other sectors. The healthcare industry, on the other hand, was selected because of the potentially catastrophic impact from a possible breach and the low level of preparedness across the sector.

To understand the state of play and gaps in cyber securityrelated disclosures across these companies, the PRI commissioned benchmark research in 2017. The companies were assessed against 14 indicators of cyber governance and risk management (see Figure 1). A key finding of this research was that there were no minimum standards of regular public disclosure on cyber security practices at large cap-listed companies. While companies generally perceived cyber security as a key organisational risk, very few communicated that they have policies, governance structures and processes that were effective at tackling cyber threats. Overall, the research concluded that companies must be encouraged to expand public reporting to demonstrate sound monitoring and management of risks.

Figure 1: Research indicators

cyber_fig1_v2

Taking these findings into consideration, investors held meetings with 53 companies in the financial (20), healthcare (15), consumer goods (nine), telecommunication (five) and information technology (four) sectors over the course of this engagement. The key objectives of the collective engagement are outlined below:

Build investors’ knowledge of how their portfolio companies are positioned to manage cyber risk (with a focus on companies’ policies and governance structures)
The engagement conversations were structured to enable investors to scrutinise policies and governance practices, raise questions around approaches to cyber risks, and discuss current and future expectations around cyber security maturity. The engagement also sought to identify good practices and a create a better understanding of how equipped company boards were for tackling cyber securityrelated challenges.

Improve the amount and quality of company disclosure on cyber risk and governance.
The benchmark research, which scored companies on 14 indicators (see Figure 1), was used as the basis for investorcompany dialogue. Through the engagement, investors sought to raise these scores and improve the quality of the information being published. A comparative analysis of disclosure over 2017-19 tracked progress against this objective; this is illustrated in the next section of the report.

Establish investor expectations on what companies can and should disclose regarding cyber risk governance.
The last objective was to draw up a list of indicators for public cyber security disclosure that could form the basis of investors’ expectations on this topic. This list is intended to facilitate further investor engagement on the issue and enable the development of appropriate governance norms on cyber security.

Engagement process

cyber_fig3

Sector snapshots

cyber_fig4

Level of disclosure on research indicators

cyber_fig5

cyber_fig6

Engagement case studies

Engagement case study: progress in disclosure

Verizon Communications provides annual perspectives to businesses on what cyber threats they are likely to face in the coming year through its Data Breach Investigations Report. However, the PRI investor collaboration initially found very little public information on the company’s own cyber security governance and management.

It was only through engagement, led by NEI Investments, with Verizon’s General Counsel & Corporate Secretary and Chief Information Security Officer that it became clear that cyber security was a top enterprise risk for the company due to the sensitive nature of the customer data it handles and; that it had a number of best practice approaches in its operations and governance. These included board committee oversight of cyber security risk and product privacy, executive staff responsible for cyber security and privacy, the existence of a security council comprised of various department heads, and robust employee training on the subject.

The engagement encouraged Verizon to enhance its disclosure. The company also came under pressure from investors outside of the collaborative engagement to report on the feasibility of tying executive compensation to data security performance.

Following the engagement, Verizon significantly improved cyber governance disclosure in its proxy circular, transparency report and corporate responsibility reporting, meeting 12 of the 14 indicators (compared to 5 in the initial assessment) in PRI’s assessment

Engagement case study: From laggard to leader

Private equity firm Eurazeo demonstrated the greatest improvement as a result of the collaborative engagement on cyber security. The company’s score increased from zero to 12 in PRI’s assessments on cyber disclosure over 2017-19.

In the initial discussions Sparinvest, the lead investor for this engagement, learnt that Eurazeo was reluctant to publish the details of cyber security measures that were already in place. However, during the course of the engagement, the company reported that it had introduced a cyber security policy, set up a related governance framework and had conducted a risk materiality analysis on cyber security. It also began to disclose details on cyber training and insurance.

Sparinvest found that benchmarking the company against best-in-class peers and, specifically, discussing how other firms report on cyber security may have helped the company overcome initial concerns around reporting.

Sparinvest also found that cyber security is now part of Eurazeo’s overall ESG policy towards its portfolio companies – meaning that the companies in which Eurazeo invests also benefit from its improved expertise in this field.

As a lead investor on the engagement with Eurazeo, Sparinvest noted: “We gained increased knowledge of the cyber security risks faced by companies in certain sectors and the policies that should ideally be in place to mitigate them. It has given us a useful framework for conducting investment analysis and future engagements with companies on this topic.”