By Betina Vaz Boni, Analyst, Governance Issues, PRI
No organisation, regardless of size, is immune to cyber-security threats, and the COVID-19 outbreak has only increased our exposure.
Ongoing worldwide lockdown measures have made working from home the norm, thus increasing the chances of being exposed to cyber attacks and practices such as phishing – fraudulent messages that resemble e-mails from trusted sources.
Even more worrying are the attacks targeting the critical infrastructure of those directly involved in responding to the pandemic, such as governmental agencies and healthcare providers. Recent examples include a medical facility that was testing a coronavirus vaccine suffering a ransomware attack, and the Italian social security website allegedly being hit by several cyber attacks. These organisations have been on the frontline of combating Covid-19 and cyber incidents can jeopardize their ability to mitigate the impacts of the outbreak.
Attacks on these types of organisations are not new. A ransomware attack in 2017 hit several healthcare organisations worldwide, costing the UK’s National Health System – one of the worst affected – £92m. Also, the number and sophistication of attacks has increased exponentially – a 2019 report from Accenture found that cyber security breaches had risen by over 65% over the last five years.
Various stakeholders could be potentially affected by a cyber attack, whether by financial consequences (such as loss of share value and regulatory penalties) or reputational, societal, physical and psychological ones.
As such, investor scrutiny is essential – although the cyber-security landscape is not easy to navigate, and corporate disclosures are not particularly revealing. Companies consider cyber security a sensitive topic and hesitate to make their preparations public for fear of being targeted by criminals and losing their competitive advantage.
The role of governance
Governance can be a proxy for the strength of cyber resilience within a firm. It allows investors to assess if a company has an organisation-wide approach to cyber security, without having to delve into technical detail, which can sometimes be overwhelming for people lacking cyber expertise.
In this sense, governance structures and processes can be indicative of a companies’ readiness to address potential threats and robustness of the steps being taken to manage cyber risks.
Collaborative engagement on cyber security
The PRI initiated a three-year collaborative engagement on cyber governance in 2017. Representing over US$12trn in assets, 55 institutional investors engaged 53 portfolio companies from five different sectors to understand how they are demonstrating preparedness and addressing cyber-related risks, using governance as a proxy for resilience.
To inform this dialogue, the PRI published a report assessing the cyber-related disclosures of publicly traded companies against 14 indicators covering cyber security policy, board oversight and reporting, access to expertise, training and assessment. Investors participating in this engagement used the analysis to drive their conversations with companies.
The key learnings from the engagement and the level of progress achieved are discussed in detail in our latest report, Engaging on cyber security: results of the PRI collaborative engagement. Some of these are listed below:
Progress in disclosures
An analysis of corporate reporting over the engagement period reveals that the number of the companies leading on disclosure increased, as did the level of detail and scope of information disclosed.
However, cyber security-related disclosures are still not the norm – private dialogue with companies proved to add value to investors seeking to understand how they were positioned to manage cyber risks.
The conversations provided insights in four areas: board oversight, board expertise, cyber-security monitoring across the value chain and building capacity. These are further discussed in our report along with examples of good disclosure practice.
The extent of board buy-in on cyber security can be a good litmus test for the effectiveness of a company’s approach to cyber risk. Although companies are increasingly disclosing clear board accountability in this area, they appear to demonstrate different levels of comfort in communicating how boards assess and oversee company-wide cyber-security improvements. Nonetheless, the engagement dialogue provided some good examples of detailed board reporting and monitoring of cyber performance.
Having a board member with cyber expertise is not common, with only one-fifth of the companies engaged disclosing related information. When investors raised the issue in the engagement dialogues, companies indicated that they look for a spectrum of skills and experience and while this includes cyber security and IT, these can’t be considered in isolation. The conversations also revealed that companies prioritised upskilling the board using external expertise and training, where deficits in knowledge were noted.
Many companies rely on third-party service providers to collect and process private data but may not be fully aware of the cyber vulnerabilities this brings. The conversations indicated that they need to do much more to address this exposure. Investors could start by encouraging companies to disclose a data protection policy covering all operations, including those of third parties, something which less than half of respondents did in 2019.
The engagement found that companies, particularly in the financial sector, had significantly increased their cyber-security investments in the last few years, building their capacity to deal with attacks and protect data. Companies are strengthening their resilience in other ways too – by collaborating with industry partners, being innovative with cyber-security training and through the use of insurance.
We have reached a point of no return when it comes to our personal and professional reliance on technology. This dependence goes hand in hand with the persistence and increasing intensity of cyber risks - the latest World Economic Forum Global Risks Report recognised cyber attacks as one of the top 10 risks of the next decade.
Companies can only ignore these threats at their peril. So, investors should continue to engage with them, and in doing so, prioritising organisations that are playing a critical role in fighting the pandemic.
There is still a long way to go before investors have enough data to assess companies on their cyber-security performance. Nonetheless, the learnings and recommendations from the PRI’s engagement can shed light on best practice and how to assess companies’ disclosures, and it can support investors in future conversations with companies.
This blog is written by PRI staff members and guest contributors. Our goal is to contribute to the broader debate around topical issues and to help showcase some of our research and other work that we undertake in support of our signatories.
Please note that although you can expect to find some posts here that broadly accord with the PRI’s official views, the blog authors write in their individual capacity and there is no “house view”. Nor do the views and opinions expressed on this blog constitute financial or other professional advice.
If you have any questions, please contact us at firstname.lastname@example.org.