As investors, we believe responsible management of cybersecurity risk is important. We have found engaging with our investee companies has been useful in monitoring this risk, particularly given the confidentiality of policies and general lack of public disclosures in this area.
Why are we engaging with cyber security?
- The threat of a cyber-attack remains ever present. Research by the UK’s National Cyber Security Centre found that 39% of UK businesses identified a cyber breach or attack in the past 12 months.
- Cyber security risk affects business and investment performance. Six months after a breach the average share price performance falls -3.0% against NASDAQ performance. A month after a cybersecurity attack, bondholders lose 2% of wealth.
- Regulatory risk from more stringent regulation. Globally regulators are recognising and responding to cybersecurity risks by focusing on improving systemic cyber resilience through regulation. This increases the regulatory risk for investors as laggards are likely to receive fines.
- Public disclosure is limited. Due to the sensitivity of the matter, companies are not inclined to disclose details on their cybersecurity systems, policies, and practices. We recognise increasing disclosure may not be in the best interest of the companies or their investors.
The changing regulatory landscape
There has been an increase in focus on cybersecurity globally by regulators. The U.S. Securities and Exchange Commission (SEC) proposed a new rule this year which would enhance cyber security disclosure by public companies. This includes timely disclosure of material incidents and other areas covered in our investor expectations, such as the Board of Directors’ oversight of cybersecurity risk. We co-signed a response to the SEC supporting the proposal and highlighting the alignment between our experience and the Commission’s proposal.
Phase 3 engagement process
Since the programme’s inception in 2019 we have targeted over 49 companies during three phases and have engaged with 69% of them. In 2022, we launched phase 3 of our cyber security engagement programme. We identified 12 companies in our portfolios that may be at higher risk of cyber-attacks due to their exposure to threat, technology dependency and service criticality. We assessed each company based on a set of investors’ expectations - see 'Investor expectations: cybersecurity engagement'.
Actively seeking ‘friendly’ cyber-attacks enables companies to avoid group think on cybersecurity and resolve vulnerabilities before bad actors exploit them. One company had an innovative ‘bug bounty’ programme in which hackers were invited to find vulnerabilities in their website and paid for their exploits.
There is value from collaborating with peers and government bodies. Many companies emphasised the step change increase in collaboration following the Russian invasion of Ukraine and subsequent heightened risk of cyber-attack.
Overall, this engagement programme reassured us that the targeted companies are broadly meeting our expectations as investors. In addition, companies are focusing resources on cyber security and we were pleased to hear the value companies found in these conversations in terms of better understanding investors’ expectations.
Further details on the changing regulatory landscape, best practice examples and our learnings are found in our latest report:
Bischoff, Paul. 2021. How data breaches affect stock market share prices. Comparitech. https://www.comparitech.com/blog/information-security/data-breach-share-price-analysis/#NASDAQ_benchmark_validation (link as of 23/11/21)
Iyer, Subramanian R., Betty J. Simkins, and Heng Emily Wang. Cyberattacks and Impact on Bond Valuation. SSRN.
Past performance is not a reliable indicator of future results. The value of investments and the income from them is not guaranteed and may go down as well as up and investors may not get back the amount originally invested. The views expressed are those of the author at the date of publication unless otherwise indicated, which are subject to change, and is not investment advice.