How investors can better gauge corporates’ cyber risks

Assessing how companies approach cyber and data security is increasingly important for investors, but no easy task. Some UK pension funds are setting useful examples on this front.
A lack of adequate cyber security can have a huge impact on investment performance, so asset owners should take action to minimise such risks within their portfolio companies, says a new report by two British pension funds, with clear implications for their peers elsewhere.

Corporates cannot predict when cyber-attacks will happen but they must assume that they will and become more resistant to them, argue RPMI Railpen, the retirement plan provider for the UK rail industry, and Nest, an occupational scheme provider. The duo have analysed the fallout from cyber-attacks and how they are approaching the topic. 

Asian retirement plans are largely seen as lagging their European peers when it comes to cyber-security but, given the risks, may feel it is worth taking more seriously.
“[Pension] trustees need to acknowledge that it is not a matter of ‘if’ but ‘when’ their investee companies will face a serious cyber security breach,” said Richard Williams, chief investment officer of RPMI Railpen's £25 billion ($32.2 billion).

Mark Fawcett, Nest’s CIO, took a similarly hard line on the report's release yesterday (November 6). “The worst thing people can do is bury their heads in the sand. Cyber-attacks can seriously undermine the performance of a company, making what would seem an ideal investment opportunity turn into a costly mistake.”

Shareholders in Facebook and Uber are all too aware of the financial downside of data breaches, noted the RPMI Railpen/Nest report (see also chart below).

The social networking site operator saw its market value plunge by $119 billion (20%) after 87 million user-accounts were hacked in March last year, while the cab-hailing app’s share price fell by $20 billion to $48 billion in late 2016 following its own cyber scandal.


The trouble is there is no obvious common approach for addressing cyber or data security risks, the report said, but there are ways that asset owners can lower the cyber-attack risk in their portfolios.

These include: considering the risks as part of investment due diligence, actively engaging portfolio companies, and holding fund managers to account on the topic.

“There was no coverage on cyber security by three of the biggest index fund managers in their 2018 sustainability or stewardship reports,” the paper noted. “Asset owners need to encourage asset managers to prioritise this issue and adequately report on how they address it.”

Brunel Pension Partnership, a British local authority fund, raises cyber security in questions when it is tendering for investment mandates, the report said. It assesses how the manager is handling the issue directly, both initially and on an ongoing basis.

Likewise, as an index investor, Nest is keen to understand how to identify the biggest cyber risks across its portfolio, given the lack of reporting from companies. The fast-growing £8 billion fund undertook a research project last year to investigate cyber and data security and the potential impact they could have on its investments.

The fund met cyber experts from various organisations and industries, including representatives from PwC, the National Cyber Security Centre, UN Principles for Responsible Investment and Legal & General Investment Management. This helped Nest better understand the topic with a view to developing a suitable strategy, the report added.

Other retirement plans should be doing the same, suggested Fawcett. “Pension funds should check if the businesses they invest in take the threat of cyber-attacks seriously to help protect their members’ investments.”


© Haymarket Media Limited. All rights reserved.