BY SIMON JESSOP AND
Investors are being poorly served by a haphazard
approach from fund managers to the growing threat of cyber crime damaging the
companies in which they invest, with a lack of clarity from the businesses
themselves compounding the problem.
Banks have led the way in developing cyber
defenses and some top fund managers have ramped up pressure on companies to do
more, but the broader picture is less encouraging.
"I don't see any visible stand asset
managers are taking, like they do on other social responsibility items,"
said Malcolm Harkins, information security chief at U.S. cyber security
start-up Cylance Inc.
The soft underbelly of companies outside the
banking sector was exposed again this month when hackers leaked details of
nearly 37 million clients of Ashley Madison. The infidelity website had to
postpone its stock market listing and now faces a $750 million lawsuit.
More than half the value of companies worldwide
is in intangible assets, such as intellectual property, much of which is stored
on computers and could therefore be vulnerable to hackers.
That figure could be as high as $37.5 trillion
of the $71 trillion in enterprise value of 58,000 companies, according to Brand
Finance, a consultancy specializing in valuation of intangible assets. The
World Economic Forum said that robust protection against cyber risk could add
as much as $22 trillion to the global economy by 2020.
The global financial cost of attacks is rising
fast -- up more than 10 percent last year, a report by specialist researcher
Ponemon Institute said.
Though some might argue that investors can sell
out of businesses they consider to be performing badly on cyber safety, the
reality is less straightforward. Passive funds that track a specific index or
sector have no leeway, while pension funds tend to demand a longer-term view
from asset managers.
But even those keen to evaluate cyber risk face
an uphill struggle, hampered by a lack of resources, poor data and weak
disclosure from companies.
Sacha Sadan, corporate governance head at the
fund arm of insurer Legal & General (LGEN.L), told Reuters that cyber risk is one of his
team's top priorities for corporate engagement but described the approach of
some rivals as "hit and miss".
"We would rather a company, when they come
to talk to us, had a slide that said 'this is what we're doing'. At the moment,
it's us asking them and they say, 'well, most other shareholders don't
ask'."
MIXED PRIORITIES
A Reuters survey of fund firms with a combined
$16 trillion in assets showed pressure on company boards is far from uniform.
Only four of 12 governance chiefs at British,
French, German and U.S. fund houses interviewed by telephone and email said
they considered cyber risk a "top priority" across all of their
investments. The remainder said they either discussed the issue case by case or
that there was too little information for proper risk-assessment.
BlackRock (BLK.N), the world's biggest asset manager, is among
those that have engaged with companies, though it declined to provide further
detail on examples in its quarterly governance report.
In its latest report BlackRock said it had
spoken to a large insurer and "shared perspectives" gained from
speaking to cyber experts and other companies.
As for the types of business meriting closer
examination, Jessica Ground, global head of stewardship at Schroders (SDR.L), said that less-obvious targets such as travel
agents need to do more. Another chief named online gaming as a sector laggard.
Most fund managers do have dedicated teams
supervising governance. But these often number fewer than 10 people to analyze
and speak to thousands of companies on a broad range of topics, with matters
such as executive pay regularly given higher priority than cyber security.
On the other side of the fence, the companies
themselves are far from united in their approach.
"There is significant divergence across
companies as to how prepared they are," said Antony Marsden at Henderson
Global Investors (HGGH.L).
Though attitude to cyber risk is inherently
difficult to quantify, analysis of the most recent annual reports of the 10 biggest
companies in Europe and the United States showed variable communication on the
issue.
Only three of the Europeans -- Novo Nordisk (NOVOb.CO), HSBC (HSBA.L) and Royal Dutch Shell (RDSa.L) -- had a separate section on cyber risk or
information security. Across all 10 reports there were a mere 14 mentions of
keywords "cyber", "information security", "hack"
or "hacking".
That compares with five of the U.S. companies --
Apple (AAPL.O), Wells Fargo (WFC.N), Facebook (FB.O), General Electric (GE.N) and JPMorgan (JPM.N) -- and 63 keyword references, partly
influenced by more banks featuring in the list.
WHEN, NOT IF
"You can look at an annual report and see
some companies talk a lot about what would happen if the euro were to fail
... But just as important is what happens if you get hacked,"
L&G's Sadan said. "You will get hacked. So what's your contingency
planning?"
Several smaller U.S. investment firms with a
mandate for socially responsible investment are already pressing companies
publicly over data security matters, including the filing of proxy resolutions
at shareholder meetings.
Arjuna Capital, for example, had American
Express (AXP.N) shareholders vote on whether it should report
annually on how its board oversees privacy and data security. Amex opposed the
idea, saying its board receives regular updates, and the proposal won only 22
percent of the vote at the annual meeting.
Highlighting the lack of a consistent approach
from asset managers, a number of large fund firms opposed the resolution.
It is little wonder, then, that some have yet to
address a skills gap that leaves them ill-equipped for proper risk-assessment.
"The frameworks for dealing with cyber
risk, about what it means for our business and what can we do about it, are
only now being put in place," said Sandra Carlisle at Newton Asset
Management.
Rules in the United States requiring companies
to report data privacy breaches are likely to be replicated in Europe in the
near future, which will aid funds' understanding of the risks.
In the meantime, investors are very much in the
dark.
"What you get is assurance that people are
looking at these things," said Iain Richards at Anglo-U.S. fund firm
Columbia Threadneedle. "There's a scarcity of meaningful disclosure."