Why Board Members Should Be Aware of How Cybersecurity Is Impacting ESG

UK investors today take careful account of environmental, social and governance factors, and they are not satisfied with directors’ efforts to manage cybersecurity risk. About 85 percent of British investors polled by KPMG said that they wanted to see boards spend more time managing cybersecurity risk. Directors should expect increasing pressure from shareholders on this issue, as there is increasing understanding among UK investors that issues like strong corporate governance impact profit.

Importance of ESG to UK Investors

The UK Investment Association, in its annual survey, pointed to the increased interest investors are showing in environmental, social and governance factors within investment portfolios. “There has been a marked increase of interest,” the survey report said.

An analyst at UK investment firm Schroders wrote: “For Schroders, effective ESG integration means examining a company’s ESG performance and incorporating that analysis into investment decisions rather than outsourcing that analysis to third parties. Moreover, effective ESG integration is not just about preventing large downside controversy risks. Rather, the key value of examining business model sustainability lies with the insight it can bring to future growth. Investors understand the impact that issues like strong corporate governance can have in generating profits.”

Among ESG issues, cybersecurity is clearly moving up the agenda for institutional investors and their money managers as a consideration for responsible investment.

“Some investors already are weaving cybersecurity into their expectations when it comes to money management, because cybersecurity is increasingly important for investors, companies and regulators,” commented Diandra Soobiah, London-based head of responsible investment at the National Employment Savings Trust. “Cyberattacks are part of a new reality for companies. The significant economic costs of such attacks make this a clear risk issue for NEST, and we expect companies to report on how they manage it.”


Investors and fund managers locate cybersecurity across both social and governance factors.

“I think about cybersecurity from two pillars: It is a social issue, about the quality and safety of products, and there is a corporate governance angle that says cybersecurity is a wide issue,” said Felipe Gordillo, Paris-based senior ESG analyst at BNP Paribas Asset Management.

Boards Must Take Action on Cybersecurity – Study

But UK institutional investors believe the majority of the companies they have invested millions in are not up to the job when it comes to delivering cybersecurity, according to KPMG UK research. And they blame directors for failing to make it a priority.

Institutional investors polled in the UK believe that 43 per cent of board members lack acceptable skills and knowledge to manage innovation and risk in the digital world. A recent KPMG survey of FTSE 350 businesses found that 39 per cent of boards and management agreed they were severely lacking in their understanding of the area. And investors are not satisfied that boards are engaging with consultants to obtain the grasp of the subject that they should have.

Malcolm Marshall, global leader of KPMG’s cybersecurity practice, warned: “Investors see data breaches as a threat to a company’s material value and feel discouraged in investing in a business that has had its sensitive information compromised.”

He said: “There is an expectation from investors for businesses to increase their cyber capabilities from top to bottom, including the board. In a world where breaches are common, it is reasonable to expect boards to have prepared themselves. But what we are seeing is companies struggling to demonstrate that they are taking cyber risk seriously.”

“Companies’ cybersecurity and data management have come under increased scrutiny in the aftermath of recent high-profile cases of cybersecurity breaches. Investors are therefore looking to deepen their understanding of the issue and are calling for transparency around companies’ risk mitigation, budgeting, training and recovery action plans,” according to the nonprofit organisation Principles for Responsible Investment, a group of major corporations working to support the application of environmental, social and governance (ESG) factors in investment.

Investors Engage with Boards on Cybersecurity

UK-based Legal & General Investment Management has been engaging on the topic since 2011, said David Patt, senior analyst, corporate governance and public policy, in London. “Investors need to discuss these issues at the highest level with board directors to raise awareness and get the board involved. It is a key operational and financial risk, not something just left for the IT department to deal with. This issue will only intensify in the future, so investors need to start the conversation with companies today to better understand their exposure.”

My-Linh Ngo, senior ESG analyst at BlueBay Asset Management in London, agreed: “As investors we need to better understand from companies the materiality of the exposure to cyber risk to their business and the quality of their risk mitigation” or business resilience, he insisted. “We have started to raise questions in this area with companies in higher-risk sectors we meet,” such as the retail and financial sectors, “and intend to continue to do so going forward.”[8]

To enhance investor understanding, the PRI is coordinating a group of institutional investors, representing more than US$10 trillion in assets, to engage in dialogue with listed large-capitalisation companies, noted Olivia Mooney, London-based senior manager, corporate governance, at the PRI.

“It will build investors’ understanding about how their portfolio companies are positioned to be resilient to cyber threats and will seek to improve companies’ disclosure about their cyber risks, policies and governance. Investors don’t need to have highly technical expertise. At this stage, they need to start the conversation to be assured companies are considering and managing their risk effectively.”[9]

Diligent’s Board Portal Manages Cybersecurity

For directors who are increasingly concerned about cybersecurity, Diligent’s board portal works in two ways: It provides the highest available grade of security for board communications, and it offers a library of information on the subject that is easily accessible to directors via the portal.

Diligent Boards moves all of the agendas, documents, annotations and discussions of board meetings online into one intuitive, secure portal. And it goes beyond digital board books to manage the full scope of a board’s moving parts – committees, contacts, voting, reporting and more.

A world of governance and IT knowledge informs the security behind Diligent Boards. Data is hosted on secure servers and a world-class infrastructure that Diligent owns and operates. All of Diligent’s solutions are ISO- and TRUSTe-certified and audited internationally with robust, customisable encryption and data access. If a device has been lost or compromised, our remote wiping capabilities allow you to mitigate risk swiftly.
