This article is part of a new series based on the results of the 2019 RBC Global Asset Management Responsible Investment Survey. The survey, entitled ‘Responsible Investing: An Evolving Landscape,’ revealed meaningful insights on the considerations of environmental, social and governance (ESG) factors by global institutional investors.
Almost two-thirds of the world’s institutional investors are concerned about the impact of cyber security threats on their investments, making it investors’ foremost environmental, social and governance (ESG) risk, according to the 2019 RBC Global Asset Management Responsible Investment Survey.
Of the nearly 800 investors surveyed in the United States, Canada, Europe and Asia, 67% reported concerns about cyber security. Anti-corruption was the second most prevalent concern, followed by water.
Cyber threats weighed heaviest on U.S. investors, at 71% of respondents. In Canada, 65% of investors cited cyber security as a concern, on par with a number of other ESG risks including climate change and executive compensation but slightly trailing anti-corruption.
In Europe and the UK, 59% of investors expressed concern about cyber security, the lowest of any region. Still, this put cyber security higher than any concerns in the region except climate change (88%) and water (84%).
Cyber attacks can affect the interests of all stakeholders, disrupting a company’s operations, affecting how its employees work and inflicting brand damage that can severely jeopardize customer loyalty and trust.
Clearly, investors are awakening to the profound, business-wide risk created by cyber security vulnerabilities.
Investment risks in cyberspace
The Equifax breach in 2017 remains the prime example of just how much damage cyber attacks can cause. Hackers stole the personal information of 147 million Americans, costing up to US$700 million1 and causing Equifax’s share price to drop 30% in a matter of days.2
While that breach was unique in its scale, cyber attacks have become remarkably common. In Canada, for example, about 87% of businesses reported falling victim to a breach in 20173 — and almost half of those companies lost sensitive data. That same year, the WannaCry ransomware attack badly disrupted the UK’s health system and Germany’s rail system.
Cyber attacks can affect the interests of all stakeholders, disrupting a company’s operations, affecting how its employees work and inflicting brand damage that can severely jeopardize customer loyalty and trust. A breach can also impact sensitive information related to clients, contractors and suppliers. And as tighter regulations are put in place, companies may be exposed to legal liability – making cyber security a key corporate governance concern for investors.
The threat of cyber attacks is so severe that the World Economic Forum in 2018 declared cyber security the top business risk in Europe, North America, and East Asia and the Pacific.
Achieving privacy and security
Investors are responding by applying increased scrutiny to companies’ data privacy and security controls, and by asking for information on a wide range of cyber topics, from corporate preparedness to risk management and board-level cyber governance.
Obtaining this information and comparing metrics across companies remains difficult, as there are no universally accepted cyber-risk metrics. Investors need to take an evolving approach by continuously monitoring companies and engaging with them on governance practices.
RBC Global Asset Management (RBC GAM) has in recent years engaged with a number of boards on oversight of their cyber- and privacy-risk management. Our investment teams work with the RBC GAM Corporate Governance and Responsible Investment (CGRI) team to understand and assess issues related to cybersecurity and privacy, as well as other ESG concerns.
Last year, our CGRI team led a successful engagement with a FTSE 100 company as part of a collaborative initiative coordinated by the United Nations’ Principles for Responsible Investment (PRI) network. The CGRI team first engaged with the company’s board, requesting further disclosure and clarification of its policies and strategies as well as board and management oversight of cyber risks. After reviewing the outcomes of the engagement, the team then engaged directly with the company’s Chief Technology Officer to determine:
- whether or not cyber security skills were formally sought after at the board level,
- the type of cyber-related information and data presented to the board,
- and the scope of operations covered by its cyber security policy.
Launched in the second half of 2017, the PRI initiative enabled over 50 institutional investors to collectively engage with companies across sectors. The primary goals were to build investors’ knowledge of how their portfolio companies were positioned to manage cyber risk, to establish investor expectations on what companies should disclose, and to improve the amount and quality of those disclosures.
The takeaway from that engagement, and from the RBC GAM Responsible Investment Survey: Companies that continually seek to address the growing threat of cyber attacks, and that work to effectively convey those efforts to investors, will be rewarded in a market increasingly attuned to cyber security and privacy.