Investors are being poorly served by a haphazard approach from fund managers to the growing threat of cyber crime damaging the companies in which they invest, with a lack of clarity from the businesses themselves compounding the problem.
Banks have led the way in developing cyber defenses and some top fund managers have ramped up pressure on companies to do more, but the broader picture is less encouraging.
“I don’t see any visible stand asset managers are taking, like they do on other social responsibility items,” said Malcolm Harkins, information security chief at U.S. cyber security start-up Cylance Inc.
The soft underbelly of companies outside the banking sector was exposed again this month when hackers leaked details of nearly 37 million clients of Ashley Madison. The infidelity website had to postpone its stock market listing and now faces a $750 million lawsuit.
More than half the value of companies worldwide is in intangible assets, such as intellectual property, much of which is stored on computers and could therefore be vulnerable to hackers.
That figure could be as high as $37.5 trillion of the $71 trillion in enterprise value of 58,000 companies, according to Brand Finance, a consultancy specializing in valuation of intangible assets. The World Economic Forum said that robust protection against cyber risk could add as much as $22 trillion to the global economy by 2020.
The global financial cost of attacks is rising fast—up more than 10 percent last year, a report by specialist researcher Ponemon Institute said.
Though some might argue that investors can sell out of businesses they consider to be performing badly on cyber safety, the reality is less straightforward. Passive funds that track a specific index or sector have no leeway, while pension funds tend to demand a longer-term view from asset managers.
But even those keen to evaluate cyber risk face an uphill struggle, hampered by a lack of resources, poor data and weak disclosure from companies.
Sacha Sadan, corporate governance head at the fund arm of insurer Legal & General, told Reuters that cyber risk is one of his team’s top priorities for corporate engagement but described the approach of some rivals as “hit and miss.”
“We would rather a company, when they come to talk to us, had a slide that said ‘this is what we’re doing’. At the moment, it’s us asking them and they say, ‘well, most other shareholders don’t ask’.”
A Reuters survey of fund firms with a combined $16 trillion in assets showed pressure on company boards is far from uniform.
Only four of 12 governance chiefs at British, French, German and U.S. fund houses interviewed by telephone and email said they considered cyber risk a “top priority” across all of their investments. The remainder said they either discussed the issue case by case or that there was too little information for proper risk-assessment.
BlackRock, the world’s biggest asset manager, is among those that have engaged with companies, though it declined to provide further detail on examples in its quarterly governance report.
In its latest report BlackRock said it had spoken to a large insurer and “shared perspectives” gained from speaking to cyber experts and other companies.
As for the types of business meriting closer examination, Jessica Ground, global head of stewardship at Schroders, said that less-obvious targets such as travel agents need to do more. Another chief named online gaming as a sector laggard.
Most fund managers do have dedicated teams supervising governance. But these often number fewer than 10 people to analyze and speak to thousands of companies on a broad range of topics, with matters such as executive pay regularly given higher priority than cyber security.
On the other side of the fence, the companies themselves are far from united in their approach.
“There is significant divergence across companies as to how prepared they are,” said Antony Marsden at Henderson Global Investors.
Though attitude to cyber risk is inherently difficult to quantify, analysis of the most recent annual reports of the 10 biggest companies in Europe and the United States showed variable communication on the issue.
Only three of the Europeans—Novo Nordisk, HSBC and Royal Dutch Shell—had a separate section on cyber risk or information security. Across all 10 reports there were a mere 14 mentions of keywords “cyber,” “information security,” “hack” or “hacking.”
That compares with five of the U.S. companies—Apple, Wells Fargo, Facebook, General Electric and JPMorgan—and 63 keyword references, partly influenced by more banks featuring in the list.
When, Not If
“You can look at an annual report and see some companies talk a lot about what would happen if the euro were to fail … But just as important is what happens if you get hacked,” L&G’s Sadan said. “You will get hacked. So what’s your contingency planning?”
Several smaller U.S. investment firms with a mandate for socially responsible investment are already pressing companies publicly over data security matters, including the filing of proxy resolutions at shareholder meetings.
Arjuna Capital, for example, had American Express shareholders vote on whether it should report annually on how its board oversees privacy and data security. Amex opposed the idea, saying its board receives regular updates, and the proposal won only 22 percent of the vote at the annual meeting.
Highlighting the lack of a consistent approach from asset managers, a number of large fund firms opposed the resolution.
It is little wonder, then, that some have yet to address a skills gap that leaves them ill-equipped for proper risk-assessment.
“The frameworks for dealing with cyber risk, about what it means for our business and what can we do about it, are only now being put in place,” said Sandra Carlisle at Newton Asset Management.
Rules in the United States requiring companies to report data privacy breaches are likely to be replicated in Europe in the near future, which will aid funds’ understanding of the risks.
In the meantime, investors are very much in the dark.
“What you get is assurance that people are looking at these things,” said Iain Richards at Anglo-U.S. fund firm Columbia Threadneedle. “There’s a scarcity of meaningful disclosure.”
(Additional reporting by Carolyn Cohn; Editing by David Goodman)