Banks have led the way in developing cyber defenses and some top
fund managers have ramped up pressure on companies to do more, but
the broader picture is less encouraging.
"I don't see any visible stand asset managers are taking, like they
do on other social responsibility items," said Malcolm Harkins,
information security chief at U.S. cyber security start-up Cylance
Inc.
The soft underbelly of companies outside the banking sector was
exposed again this month when hackers leaked details of nearly 37
million clients of Ashley Madison. The infidelity website had to
postpone its stock market listing and now faces a $750 million
lawsuit.
More than half the value of companies worldwide is in intangible
assets, such as intellectual property, much of which is stored on
computers and could therefore be vulnerable to hackers.
That figure could be as high as $37.5 trillion of the $71 trillion
in enterprise value of 58,000 companies, according to Brand Finance,
a consultancy specializing in valuation of intangible assets. The
World Economic Forum said that robust protection against cyber risk
could add as much as $22 trillion to the global economy by 2020.
The global financial cost of attacks is rising fast -- up more than
10 percent last year, a report by specialist researcher Ponemon
Institute said.
Though some might argue that investors can sell out of businesses
they consider to be performing badly on cyber safety, the reality is
less straightforward. Passive funds that track a specific index or
sector have no leeway, while pension funds tend to demand a
longer-term view from asset managers.
But even those keen to evaluate cyber risk face an uphill struggle,
hampered by a lack of resources, poor data and weak disclosure from
companies.
Sacha Sadan, corporate governance head at the fund arm of insurer
Legal & General <LGEN.L>, told Reuters that cyber risk is one of his
team's top priorities for corporate engagement but described the
approach of some rivals as "hit and miss".
"We would rather a company, when they come to talk to us, had a
slide that said 'this is what we're doing'. At the moment, it's us
asking them and they say, 'well, most other shareholders don't
ask'."
MIXED PRIORITIES
A Reuters survey of fund firms with a combined $16 trillion in
assets showed pressure on company boards is far from uniform.
Only four of 12 governance chiefs at British, French, German and
U.S. fund houses interviewed by telephone and email said they
considered cyber risk a "top priority" across all of their
investments. The remainder said they either discussed the issue case
by case or that there was too little information for proper
risk-assessment.
BlackRock <BLK.N>, the world's biggest asset manager, is among those
that have engaged with companies, though it declined to provide
further detail on examples in its quarterly governance report.
In its latest report BlackRock said it had spoken to a large insurer
and "shared perspectives" gained from speaking to cyber experts and
other companies.
As for the types of business meriting closer examination, Jessica
Ground, global head of stewardship at Schroders <SDR.L>, said that
less-obvious targets such as travel agents need to do more. Another
chief named online gaming as a sector laggard.
Most fund managers do have dedicated teams supervising governance.
But these often number fewer than 10 people to analyze and speak to
thousands of companies on a broad range of topics, with matters such
as executive pay regularly given higher priority than cyber
security.
On the other side of the fence, the companies themselves are far
from united in their approach.
"There is significant divergence across companies as to how prepared
they are," said Antony Marsden at Henderson Global Investors
<HGGH.L>.
Though attitude to cyber risk is inherently difficult to quantify,
analysis of the most recent annual reports of the 10 biggest
companies in Europe and the United States showed variable
communication on the issue.
Only three of the Europeans -- Novo Nordisk <NOVOb.CO>, HSBC
<HSBA.L> and Royal Dutch Shell <RDSa.L> -- had a separate section on
cyber risk or information security. Across all 10 reports there were
a mere 14 mentions of keywords "cyber", "information security",
"hack" or "hacking".
That compares with five of the U.S. companies -- Apple <AAPL.O>,
Wells Fargo <WFC.N>, Facebook <FB.O>, General Electric <GE.N> and
JPMorgan <JPM.N> -- and 63 keyword references, partly influenced by
more banks featuring in the list.
WHEN, NOT IF
"You can look at an annual report and see some companies talk a lot
about what would happen if the euro were to fail ... But just as
important is what happens if you get hacked," L&G's Sadan said. "You
will get hacked. So what's your contingency planning?"
Several smaller U.S. investment firms with a mandate for socially
responsible investment are already pressing companies publicly over
data security matters, including the filing of proxy resolutions at
shareholder meetings.
Arjuna Capital, for example, had American Express <AXP.N>
shareholders vote on whether it should report annually on how its
board oversees privacy and data security. Amex opposed the idea,
saying its board receives regular updates, and the proposal won only
22 percent of the vote at the annual meeting.
Highlighting the lack of a consistent approach from asset managers,
a number of large fund firms opposed the resolution.
It is little wonder, then, that some have yet to address a skills
gap that leaves them ill-equipped for proper risk-assessment.
"The frameworks for dealing with cyber risk, about what it means for
our business and what can we do about it, are only now being put in
place," said Sandra Carlisle at Newton Asset Management.
Rules in the United States requiring companies to report data
privacy breaches are likely to be replicated in Europe in the near
future, which will aid funds' understanding of the risks.
In the meantime, investors are very much in the dark.
"What you get is assurance that people are looking at these things,"
said Iain Richards at Anglo-U.S. fund firm Columbia Threadneedle.
"There's a scarcity of meaningful disclosure."
(Additional reporting by Carolyn Cohn; Editing by David Goodman)
[© 2015 Thomson Reuters. All rights reserved.]