Responsible Investing

The COVID-19 effect: Cybersecurity and data privacy

November 2020


COVID-19 is transforming many aspects of our lives. Notably, it’s accelerating our reliance on technology. This journey further into the digital world will certainly bring great benefits and opportunities – but not without significant risks.

Over the past few months, we’ve been considering COVID-19’s effect on cybersecurity and data privacy – and how we as investors can help.


The way governments and companies are using technology-based solutions during this crisis is threatening our cybersecurity and human right to data privacy:

Frightening figures indeed – but all is not lost. Investors can use their influence as stewards of capital to help companies manage these risks to create a safer cyberspace for us all.

The changing risk landscape


Companies around the world have been forced to disrupt traditional workflows and structures to enable their employees to work from home. Many companies have taken data security risks they may never have agreed to in normal circumstances, no longer able to rely on the relative safety of central operating systems. And the time is unfortunately ripe for fraud: cybercriminals have adapted their tactics to better exploit these new working patterns. With employees busy adjusting to their new way of working, they may be more susceptible to phishing scams that in these circumstances could appear more legitimate and believable.

Meanwhile, management are understandably distracted right now as they endeavour to navigate their businesses through the pandemic. Attention may therefore be diverted from information governance to seemingly more pressing matters, which further threatens their businesses’ cybersecurity.

Data privacy

There are large amounts of data flowing at the moment as governments work with private companies to develop technological solutions for bringing the virus under control, such as contact tracing apps. Every symptom update and restaurant check-in provides more and more information about the health and whereabouts of entire populations. Although this may feel like Christmas for those in the data industry, handling such sensitive information requires extreme caution. Each proposed solution for maintaining public health comes with risks related to our human right to privacy that must be considered carefully; mass surveillance may sound Orwellian, but it’s not off the cards currently. Companies and governments must both ensure that the data being captured through these solutions is used to fight the virus and to fight the virus only.

Moreover, emergency measures enacted now to control the virus, such as the speedy production of health apps, pose real problems for data protection. And there are plenty of examples – England’s test and trace programme was recently accused of breaking GDPR law, having been launched without an assessment of its impact on privacy. Similarly, governments’ reliance on private companies to handle public data runs the risk of enhancing the powers of dominant data platforms and players. This in turn amplifies the risks associated with data harvesting, the monetisation of health data and potentially privacy-invasive services.

Investigation through collaboration

Between 2017 and 2019, we collaborated with 50+ institutional investors through a United Nations Principles for Responsible Investment initiative to work alongside companies on these issues.

Our collaboration had three main objectives:

  • Improve our knowledge on what companies are doing to manage cybersecurity risks (specifically assessing their policies and governance structures)
  • Engage and encourage an expansion of the quality of disclosure
  • Broadcast more broadly to the market about where we see things going, and develop a best practice regime to point towards

Talking to companies revealed significant gaps in public cybersecurity-related disclosures. Some companies are still only in the early stages of building an understanding of the issue, while others are concerned that too much disclosure may unintentionally benefit hackers.

Overall, though, companies were very open to private dialogue, and willingly made their experts (usually chief information security officers or data protection officers) available to give investors a good insight into how they are managing cybersecurity risks.

Best practice expectations

We view cybersecurity and data privacy issues as a key component of the ‘G’ in ESG – Governance.

Board oversight

Companies should ensure that cybersecurity and data privacy are organisational priorities. We expect the Board itself to view these issues as essential considerations to the entire business strategy, and be confident that the highest levels of procedures are followed. When engaging with companies, we would look to learn how the Board is overseeing these procedures: do they have access within the organisation; do they meet one-to-one with internal managers; what internal KPIs are fed up to them, etc.


We would expect a dedicated cybersecurity expert on the Board, or sufficient, up-to-date knowledge on the associated risks shared between Board members. In the past, this has only applied to technology-focused companies. But in today’s increasingly digital world, more companies are inherently technology-focused and therefore require Board members who are capable of handling cyber threats.

Data supply chain

Data often doesn’t stay within company servers – it’s passed down supply chains, and increasingly out to third parties and beyond. As ESG investors, we’re familiar with engaging on labour and environmental supply chains – now we must apply this to data too. We expect companies to apply cybersecurity/data privacy standards all the way down their supply chain, and be able to demonstrate how they ensure this.

Human firewall

When it comes to a business security strategy, you are only as strong as your weakest link. Cyberattacks often involve social engineering – manipulating other people to make mistakes. Therefore, every employee with access to a company’s network is a vulnerability. We expect companies to create a ‘human firewall’ by developing a culture among staff where cybersecurity and data privacy are prioritised and are essential to what it means to be an employee at that company.

A closer look at corporate culture

Management can help implement a human firewall to protect their business by fostering an effective corporate culture around cybersecurity and responsible data handling. For example, they could make the rules around these issues a part of the company’s core principles. However, cultural KPIs can be challenging to implement and measure.

At BMO, we’ve been engaging banks on this for a while. We believe that tone at the top is important – management should ensure that business leaders take ownership and lead through their actions, demonstrating that addressing these issues is a priority.

Other possible means of establishing the right attitude to cybersecurity and data privacy include proper recognition through participating in events such as Data Protection Day, or effective staff training. But on the latter, it’s important to note that the stock compliance videos that we’re all more than familiar with don’t really cut it anymore. Companies now must go above and beyond the minimum compliance requirements to ensure cybersecurity and data privacy are taken seriously within their business.

Final thoughts

COVID-19 has disrupted our working lives in ways that seemed quite unimaginable to many last year. Mass working-from-home patterns have strained the cybersecurity of many businesses and organisations. Meanwhile, technological solutions to control the virus could seriously threaten our human right to privacy if the data involved is not handled responsibly. Health priorities must be balanced with our citizens’ rights, which remain no matter the crisis at hand.

But for all its problems, the virus also creates opportunities for investor engagement. As companies navigate through new working environments, now is a better time than ever for investors to engage management on their cybersecurity strategies to ensure they are suitably robust as we dive deeper into our digital future.



Views and opinions have been arrived at by BMO Global Asset Management and should not be considered to be a recommendation or solicitation to buy or sell any companies that may be mentioned.

The information, opinions, estimates or forecasts contained in this document were obtained from sources reasonably believed to be reliable and are subject to change at any time.
