In light of recent high-profile data breaches at companies such as and , investors are increasingly aware of the need to assess cybersecurity risk within their investment portfolios.
The investor case for engaging on cybersecurity is clear: a data breach can have a material impact on share price, cause business disruptions and impact customer trust. While some investors comprehensively engage with portfolio companies on this to mitigate risks and identify opportunities, many more are only just recognising the need to do so.
In late May, the PRI hosted a half-day event to discuss investor risks relating to cyber security issues, from a governance and social lens. We also hosted the launch of Ranking Digital Rights’ 2018 Corporate Accountability Indexwhich grades 22 internet, mobile, and telecommunications companies against 35 indicators evaluating how transparent they are about their commitment and policies affecting freedom of expression and privacy. The 2018 index is the third Corporate Accountability Index launched, meaning Ranking Digital Rights can produce comparative analysis and track the progress of chosen companies.
Accountability and transparency
The panel at the event discussed the fact that while cyber incidents are increasingly frequent, and seemingly inevitable, companies must communicate how they work to mitigate risks, protect data and secure business operations. At the event, we discussed five ways to enhance cyber security governance.
Compliance with legal and regulatory requirements
The regulatory landscape around cyber security and data protection is changing and companies are facing an increasing number of legal requirements. For example, the European Union’s General Data Protection Regulation (GDPR) came into force in May 2018 with extraterritorial application. The regulation aims to strengthen data protection by requiring companies to monitor how their data is used, by demanding companies to process data in a transparent manner, communicate users’ rights, and notify breaches. Failing to comply with the requirements can result in material fines.
The GDPR explicitly recognises the importance of transparency and accountability by upping obligations and strengthening user rights. Countries that have to comply with the regulation are also free to implement additional provisions and requirements, which will put further pressure on companies that have to comply.
Transparency is key
Speakers highlighted the importance of transparency in holding companies to account and protecting privacy. According to the Corporate Accountability Index:
- Companies that are members of the Global Network Initiative performed the best overall, given that they are required to undergo third-party assessments of their commitments on due diligence, transparency, and accountability.
- Despite a challenging legal environment, Chinese companies “can – and do – compete with one another to improve transparency in areas that are not directly related to compliance with government censorship and surveillance requirements”.
- There is still much to be done around how companies design, manage and govern digital platforms.
Education across the organisation
Human error is considered one of the biggest contributors to cyber security breaches. This can be minimised through proactive measures. Cyber security processes and procedures should be embedded throughout the organisation and expanded through education and training for all staff. Users too must be more cautious of the information they share with companies, and understand how it is being used. Through increased transparency, users will be better equipped to monitor their own personal data and hold companies accountable for what they do with it.
The panel and subject experts at the event discussed the fact that cyber security goes beyond breaches and theft, and relates to risks regarding the sharing and use of data, and how freedom of expression is managed.
Privacy by design
In order to protect personal data, companies must take privacy considerations seriously. As per the Corporate Accountability Index, “Companies don’t disclose enough about how users’ information is handled, including what is collected and shared, with whom, and under what circumstances.” However, the level of disclosure is expected to improve with the advent of GDPR, as it will keep the collection of personal data to what is necessary in the normal course of business, and enable users and customers to have maximum control over how their information is used and shared.
In this context, one of the key messages from the panel was that companies should focus on “privacy by design” so that privacy and data protection are
key considerations at the start of and throughout a project, rather than an afterthought. By integrating these considerations from the beginning, companies will be more agile at identifying vulnerabilities, and demonstrate better preparedness for dealing with privacy concerns.
There were a number of references throughout the day to the need for a broader understanding of risks in relation to the protection of free speech, the right to privacy (including the debate around users’ right to be forgotten), and increased transparency around interaction with governments. The Corporate Accountability Index called for open corporate communication on how companies deal with formal government and private requests to remove content, and how they commit to users’ freedom of expression. This is an increasingly complex issue as companies need to strike a balance between users’ rights to freely express their opinions without interference, including views that can be regarded as offensive or degrading.
There is a greater onus on companies to communicate with users and other stakeholders when their business operations are affected by a government shutdown. Such restrictions are a threat to human rights, and can have severe consequences in the event of a political crisis or for people living under an authoritarian government. Overall, a holistic approach to cyber security is necessary to protect people, process and technology – or the cyber ecosystem.
Recommendations for investor engagement
- Request further information on company preparedness for cyber-attacks, legal and regulatory developments.
- Request comparative data that provides greater visibility of companies’ processes and procedures on cyber security and data protection.
- Engage with companies on the types of data they hold and process, where the data is held, and how it is protected.
- Enquire if companies are communicating their policies relevant to privacy and interactions with governments and enforcing these policies with third parties.