Between 2017 and 2019, we collaborated with 50+ institutional investors through a United Nations Principles for Responsible Investment initiative to work alongside companies on these issues.
Our collaboration had three main objectives:
- Improve our knowledge of what companies are doing to manage cybersecurity risks (specifically assessing their policies and governance structures)
- Engage with companies and encourage higher-quality disclosure
- Communicate to the wider market where we see things going, and develop a best-practice regime to point towards
Talking to companies revealed significant gaps in public cybersecurity-related disclosures. Some companies are still only in the early stages of building an understanding of the issue, while others are concerned that too much disclosure may unintentionally benefit hackers.
Overall, though, companies were very open to private dialogue, and willingly made their experts (usually chief information security officers or data protection officers) available to give investors a good insight into how they are managing cybersecurity risks.