Engaging on cyber security: results of the PRI collaborative engagement 2017-2019

Recommendations for engagement & disclosure expectations

In a world where innovation and digital connectedness are critical to economic growth, it would be unwise to ignore threats to the shared digital environment. Cyber risk is a prominent one, given its systemic relevance and the potential severity of impact.

At an organisational level, cyber risk can undermine a company’s ability to leverage data as a value driver, disrupt operations and reduce trust in products and services. Cyber events can also lead to network disruptions; due to the complex environments in which companies operate, the weaknesses in their infrastructure may not just result in threats to their own business but may also impact other actors in the digital ecosystem with whom they interact, such as suppliers, service providers and customers.³⁴

In such a context, investor scrutiny around cyber risk management and governance is more important than ever. However, the technical nature of this risk may dissuade ESG and investment professionals from seeking an informed discussion with portfolio companies. To overcome some of the perceived barriers to effective engagement, the below provides tools and guidance for investors.

Key recommendations and questions for company engagement

This section sets out five high-level recommendations for investors and provides examples of questions that they can raise when engaging with companies on cyber security.

1. Validate board oversight

As regulations on cyber security and data protection increase in reach and scope, there will be growing focus on how boards are fulfilling their fiduciary responsibilities around cyber resilience.³⁵ The extent of board buy-in on cyber security can also be a good litmus test for the effectiveness of a company’s approach to cyber risk. Ownership at the management level and ad hoc reporting of incidents are no longer sufficient to respond to the ever-increasing and sophisticated challenges from high-impact cyber events. It is therefore critical for investors to validate oversight, competencies and accountability for cyber security at the board level.

Potential questions:

What is the governance structure underpinning cyber security at your organisation, and can you demonstrate its effectiveness?
Do you have board expertise on cyber security?
How do you address gaps in skills and experience relating to cyber security on your board?

2. Ensure cyber resilience is integrated into overall strategy

Cyber security plans cannot exist in a vacuum. In order to have a holistic position on cyber security, boards should integrate cyber risk into their enterprise risk management and consider implications for broader business decisions, e.g. relating to mergers and acquisitions, investments, value chain and the customer proposition. Investors should be asking companies about their thinking on strategic orientation when it comes to cyber resilience through preventative and compliance-oriented cyber defences.

Potential questions:

What are your strategic and compliance priorities regarding cyber security?
What are your key concerns about cyber security within your value chain?

3. Check for common language

It is important that management information on cyber security is clear and accessible, rather than technical and jargon-heavy, and that there are measures and metrics in place to enable non-IT experts within the firm to evaluate and drive progress against expectations set by the board. Investors should review how board thinking on cyber is driven across the organisation by looking for inconsistencies between policies, benchmarks and incentives.

Potential questions:

Could you provide examples of cyber security metrics reported to the board, and how these are linked to wider incentives and benchmarking across the company?
How has board reporting on cyber security aided improvements in cyber security plans and strategy?

4. Look beyond technical controls

Cyber security concerns have led to an arms race for bigger and better technological solutions. However, cyber security is not just a technological challenge. Equal or even greater attention should be assigned to people, policies and processes. Indeed, a majority of data breaches within organisations are the result of human actors and preventative measures and infrastructure enhancements can only go so far if they are not properly integrated and utilised.³⁶ Investors speaking to portfolio companies should raise questions that provide insights regarding the priority accorded to cyber security and the extent of cyber security awareness.

Potential questions:

What are your learnings from cyber security breaches you have experienced and how have you modified existing mechanisms to reflect these learnings?
How are you strengthening organisational capacity as part of your cyber security defence?

5. Set disclosure expectations

One of the reasons that companies may not be effectively communicating their cyber security measures in the public domain is that may be unaware of investors’ expectations regarding disclosure on the topic. Private dialogues with companies can enable candid conversations on the need for improved disclosure and address perceived barriers (e.g. concerns regarding greater exposure to attacks from increased disclosure). Investors can also set out what they deem as the minimum in terms of disclosure based on current reporting practices across sectors.

To support investor efforts, and based on our learnings from the collaborative engagement programme and research, we outline below a set of disclosure expectations: these can be used to identify gaps in company disclosure, benchmark portfolio companies against their peers, and as a tool for engagement to drive better disclosure on cyber security (see Box, Disclosure expectations).

Disclosure expectations

The disclosure expectations refer to the indicators used in the engagement and have been broken down into three broad categories, based on the levels of public reporting among target companies as of 2019.

Common standards of disclosure:

Includes three areas of company reporting that are well established. Within the research sample, over 80% of companies disclosed these indicators.

Commitment to legal compliance on cyber security and data protection (Indicator 1)
Data protection and privacy policy (Indicator 2)
Incorporation of cyber security into business continuity and risk management plans (Indicator 14)

Emerging disclosure:

Identifies four areas where reporting is becoming more commonplace. Over 50% of companies in the research sample provided disclosure on these indicators.

Board committee responsibility for cyber security issues (Indicator 5)
Frequency and channels of communication of cyber security issues to the board (Indicator 6)
Internal or external cyber expertise, including through industry-wide collaboration (Indicator 9)
Financial capacity and team resources for cyber security (Indicator 8)
Incident management plan (Indicator 13)

Areas for expanded public reporting:

Identifies two indicators that are basic and with no disclosure sensitivities but where, surprisingly, reporting among companies is below par.

Identification of named senior person or executive committee responsible for cyber security (Indicator 4)
Evidence of training on cyber security requirements to all staff (Indicator 11)

Other areas not currently incorporated in the minimum disclosure expectations but included in the initial benchmark research – such as audits (Indicator 12), extent of policy coverage (Indicator 3), board expertise on cyber (Indicator 10) and detailed board reporting (Indicator 7) – can be raised in private engagement conversations and be considered for future expectations.

Next steps

Cyber risk is an issue that will grow in complexity, especially given the unprecedent rate of wider technological advances and innovation. For example, the rapid advance of artificial intelligence technology is likely to add a new dimension to the threat, posing challenges for companies, investors and regulatory bodies alike.

Going forward, and building on this work, the PRI will explore related themes such as artificial intelligence and the ethics of innovation as well as appropriate governance mechanisms and regulatory gaps. To support investors in understanding related risks and opportunities and formulating their response, the PRI will also consider the broader implications of technology for sustainable development and responsible investment, looking across the entire investment chain.