Railpen, the UK’s rail workers’ pension fund managing £34bn of assets on behalf of 350,000 members, and Royal London Asset Management (RLAM), which manages £170bn in total assets, have published a joint report on growing cybersecurity risks in investment portfolios.
The report, Cybersecurity risk and resilience: Guidance for investors, provides an evidence-based perspective on the financial materiality and threat landscape of cybersecurity risk, as well as up-to-date practical guidance for both asset owners and asset managers on how to engage with portfolio companies on the issue.
The guidance has been developed using insight from both Railpen's and RLAM's engagement with companies over the last five years and seeks to answer three key questions:
- Why should investors care about cybersecurity?
- What should investors expect of portfolio companies?
- What can investors do?
Based on the evidence presented in the report, both Railpen and RLAM are calling on investors to recognise the financial materiality of cybersecurity to their portfolios and use the expectations and framework outlined in the report as a tool to assess portfolio companies’ baseline approach to cybersecurity and measure their progress towards best practice.
The duo is also calling on investors to identify and engage with companies that face high-risk exposure, using sector-specific vulnerabilities as a lens for screening and the report's recommended questions to initiate dialogue.
Lastly, the report says that investors should participate in policy advocacy on cybersecurity, as a supportive regulatory environment will enable improved alignment between company disclosures and investors' expectations.
In 2019, Railpen joined a coalition of investors — the Cybersecurity Coalition — led by RLAM, dedicated to addressing the systemic risks surrounding this thematic stewardship issue by engaging with portfolio companies and participating in policy advocacy. This work built upon a report that same year by Railpen and UK workplace pension scheme NEST.
Caroline Escott, senior investment manager of sustainable ownership at Railpen, said that cyber resiliency “absolutely should be” a top priority for investors when building and reviewing their portfolios.
She pointed out that the World Economic Forum reported that 29% of organisations had been materially affected by a cyber incident over the past 12 months alone.
“Railpen follows the evidence to understand how issues such as cybersecurity affect the value of the companies we invest in. Through understanding, monitoring and influencing the behaviour of those companies, we can help ensure our portfolios are resilient to material ESG risks and, as a result, protect and enhance the long-term value of members’ savings,” she added.
Best practice
Escott said the report draws on the Cybersecurity Coalition's experience of engaging with companies and policymakers on cybersecurity over several years, and is designed to help investors understand what best practice looks like in cybersecurity disclosure and practice, using real-life examples as illustration.
She continued: “We published this guidance to further empower other investors to ask the right questions of companies and take the necessary steps to ensure their investments are protected over the long term.”
Sophie Harris, senior investment analyst of sustainable ownership at Railpen, added that there is a "concerning" disconnect between leaders' awareness of cyber attacks and their preparedness for them.
She pointed out that around 40% of chief information security officers surveyed by Proofpoint conceded that their organisation is unprepared to cope with a targeted cyber attack.
She said that while it is positive to see regulators starting to take action, with the US Securities and Exchange Commission’s cybersecurity rules, investors have an “important role to play” when it comes to closing the gap and forcing businesses to start taking cyber preparedness more seriously.
“Recognising the importance of cybersecurity resilience, we encourage asset managers to develop their understanding of the financial materiality of cybersecurity, use the investor expectations as a tool for engagement with companies that face a high level of risk, and report on progress to their clients,” Harris noted.
Georgina Chiu, senior engagement manager at RLAM, added that driving corporate change requires a collaborative effort from asset managers, asset owners, regulators and policymakers.
She said: “We founded the coalition because we understand the very real threat that cyber presents to our industry, driven by geopolitical threats, the development of generative AI and increased supply chain vulnerabilities.”
Chiu added that there are a number of actions investors can take to tackle the growing cybersecurity risk to portfolio companies.
“This report demonstrates how we are creating a step change for the industry, by elevating stewardship from reactive engagement after a cyber incident has occurred, to a proactive dialogue on resilience,” she noted.
DORA
In the European Union, the Digital Operational Resilience Act (DORA), part of the EU's Digital Finance Package, will apply from 17 January 2025.
The act aims to create a harmonised regulatory framework strengthening the information and communication technology (ICT) security of financial entities (which include pension schemes). Its objective is to achieve a high common level of digital operational resilience across all EU member states.
In recent months, the European Supervisory Authorities (ESAs) expressed deep concerns over the growing uncertainty surrounding the implementation of DORA, highlighting several potential regulatory and compliance challenges that institutional investors and financial entities will face.
Read the digital edition of IPE’s latest magazine