A lack of adequate cyber security can have a huge impact on investment performance, so asset owners should take action to minimise such risks within their portfolio companies, says a new report by two British pension funds, with clear implications for their peers elsewhere.
Corporates cannot predict when cyber-attacks will happen but they must assume that they will and become more resistant to them, argue RPMI Railpen, the retirement plan provider for the UK rail industry, and Nest, an occupational scheme provider. The duo have analysed the fallout from cyber-attacks and how they are approaching the topic.
Shareholders in Facebook and Uber are all too aware of the financial downside of data breaches, noted the RPMI Railpen/Nest report (see also chart below).
The social networking site operator saw its market value plunge by $119 billion (20%) after 87 million user-accounts were hacked in March last year, while the cab-hailing app’s share price fell by $20 billion to $48 billion in late 2016 following its own cyber scandal.
REDUCING CYBER RISKS
The trouble is there is no obvious common approach for addressing cyber or data security risks, the report said, but there are ways that asset owners can lower the cyber-attack risk in their portfolios.
These include: considering the risks as part of investment due diligence, actively engaging portfolio companies, and holding fund managers to account on the topic.
“There was no coverage on cyber security by three of the biggest index fund managers in their 2018 sustainability or stewardship reports,” the paper noted. “Asset owners need to encourage asset managers to prioritise this issue and adequately report on how they address it.”
Likewise, as an index investor, Nest is keen to understand how to identify the biggest cyber risks across its portfolio, given the lack of reporting from companies. The fast-growing £8 billion fund undertook a research project last year to investigate cyber and data security and the potential impact they could have on its investments.
Brunel Pension Partnership, a British local authority fund, raises cyber security in questions when it is tendering for investment mandates, the report said. It assesses how the manager is handing the issue directly, both initially and on an ongoing basis.
The fund met cyber experts from various organisations and industries, including representatives from PwC, the National Cyber Security Centre, UN Principles for Responsible Investment and Legal & General Investment Management. This helped Nest better understand the topic with a view to developing a suitable strategy, the report added.
Other retirement plans should be doing the same, suggested Fawcett. “Pension funds should check if the businesses they invest in take the threat of cyber-attacks seriously to help protect their members’ investments.”
CHART: RECENT CYBER HACKS AND THEIR FINANCIAL IMPACT (Click for full view)