The COVID-19 effect: Cybersecurity and data privacy

Discover how COVID-19 is impacting cybersecurity and data privacy
November 2020

David Sneyd

Vice President, Analyst, Responsible Investment


Risk warnings

The value of investments and any income derived from them can go down as well as up and investors may not get back the original amount invested.

Views and opinions have been arrived at by BMO Global Asset Management and should not be considered to be a recommendation or solicitation to buy or sell any companies that may be mentioned.

The information, opinions, estimates or forecasts contained in this document were obtained from sources reasonably believed to be reliable and are subject to change at any time.


COVID-19 is transforming many aspects of our lives. Notably, it’s accelerating our reliance on technology. This journey further into the digital world will certainly bring great benefits and opportunities – but not without significant risks.

Over the past few months, we’ve been considering COVID-19’s effect on cybersecurity and data privacy – and how we as investors can help.

Overview 

The way governments and companies are using technology-based solutions during this crisis is threatening both our cybersecurity and our human right to data privacy:


> 18 million phishing emails related to COVID-19 blocked daily by Google in April 2020 [1]

> 400% increase in cyberattack complaints received by the FBI’s Cyber Division in March-April 2020 [2]

> 18,000 people’s personal details exposed online in a Public Health Wales data breach [3]


Frightening figures indeed – but all is not lost. Investors can use their influence as stewards of capital to help companies manage these risks to create a safer cyberspace for us all.

The changing risk landscape 


Cybersecurity

Companies around the world have been forced to disrupt traditional workflows and structures to enable their employees to work from home. Many companies have taken data security risks they may never have agreed to in normal circumstances, no longer able to rely on the relative safety of centrally managed systems. Unfortunately, the circumstances are also ripe for fraud: cybercriminals have adapted their tactics to better exploit these new working patterns. With employees busy adjusting to their new way of working, they may be more susceptible to phishing scams, which in these circumstances can appear more legitimate and believable.

Meanwhile, management are understandably distracted right now as they endeavour to navigate their businesses through the pandemic. Attention may therefore be diverted from information governance to seemingly more pressing matters, which further threatens their businesses’ cybersecurity.


Data privacy

There are large amounts of data flowing at the moment as governments work with private companies to develop technological solutions for bringing the virus under control, such as contact tracing apps. Every symptom update and restaurant check-in provides more and more information about the health and whereabouts of entire populations. Although this may feel like Christmas for those in the data industry, handling such sensitive information requires extreme caution. Each proposed solution for maintaining public health comes with risks related to our human right to privacy that must be considered carefully; mass surveillance may sound Orwellian, but it’s not off the cards currently. Companies and governments must both ensure that the data being captured through these solutions is used to fight the virus and to fight the virus only.

Moreover, emergency measures enacted now to control the virus, such as the speedy production of health apps, pose real problems for data protection. And there are plenty of examples – England’s test and trace programme was recently accused of breaking GDPR law, having been launched without an assessment of its impact on privacy. [4] Similarly, governments’ reliance on private companies to handle public data runs the risk of enhancing the powers of dominant data platforms and players. This in turn amplifies the risks associated with data harvesting, the monetisation of health data and potentially privacy-invasive services.


Investigation through collaboration


Between 2017 and 2019, we collaborated with 50+ institutional investors through a United Nations-supported Principles for Responsible Investment (UN PRI) initiative to work alongside companies on these issues.

Our collaboration had three main objectives:

> Improve our knowledge on what companies are doing to manage cybersecurity risks (specifically assessing their policies and governance structures)

> Engage with companies and encourage improvements in the quality of their disclosure

> Broadcast more broadly to the market about where we see things going, and develop a best practice regime to point towards

Talking to companies revealed significant gaps in public cybersecurity-related disclosures. Some companies are still only in the early stages of building an understanding of the issue, while others are concerned that too much disclosure may unintentionally benefit hackers.

Overall, though, companies were very open to dialogue, and willingly made their experts (usually information security officers or data protection officers) available to give investors a good insight into how they are managing cybersecurity risks.

Key learnings


> Board oversight of cyber security issues increased quite significantly between 2017 and 2019.

    > By 2019, most companies engaged had allocated responsibility for cyber security at the Board level.

> Most companies engaged did not rule out the possibility of appointing directors with specific cyber security skills. However, they did not flag this as a priority criterion for Board appointments.

> Many companies revealed they were prioritising training to address gaps in Board knowledge and expertise.

> Companies’ efforts to address cyber security risks through their entire data supply chain were inconsistent and generally lacking.

Overall, companies have significantly increased their investments in cyber security in the last few years, increasing their capacity to deal with security issues and protect data.

Want to know more? Read the full UN PRI report to discover the details of our findings.

The power of collaboration

By speaking to companies with a unified voice, investors can more effectively communicate their concerns whilst gaining power and legitimacy from the perspective of corporate management. Furthermore, collaborations can help build knowledge and skills whilst enhancing engagement efficiency.


Best practice expectations 


We view cybersecurity and data privacy issues as a key component of the ‘G’ in ESG – Governance.

 

Board oversight

Companies should ensure that cybersecurity and data privacy are organisational priorities. We expect the Board itself to view these issues as essential considerations for the entire business strategy, and to be confident that the highest standards of procedure are followed. When engaging with companies, we would look to learn how the Board is overseeing these procedures: does it have access to the relevant people within the organisation; does it meet one-to-one with internal managers; what internal KPIs are reported up to it, etc.

 

Expertise

We would expect a dedicated cybersecurity expert on the Board, or sufficient, up-to-date knowledge on the associated risks shared between Board members. In the past, this has only applied to technology-focused companies. But in today’s increasingly digital world, more companies are inherently technology-focused and therefore require Board members who are capable of handling cyber threats.

 

Data supply chain

Data often doesn’t stay within company servers – it’s passed down supply chains, and increasingly out to third parties and beyond. As ESG investors, we’re familiar with engaging on labour and environmental supply chains – now we must apply this to data too. We expect companies to apply cybersecurity/data privacy standards all the way down their supply chain, and be able to demonstrate how they ensure this.

 

Human firewall

When it comes to a business’s security strategy, you are only as strong as your weakest link. Cyberattacks often involve social engineering – manipulating people into making mistakes. Therefore, every employee with access to a company’s network is a potential vulnerability. We expect companies to create a ‘human firewall’ by developing a culture among staff where cybersecurity and data privacy are prioritised and are essential to what it means to be an employee at that company.

A closer look at the corporate culture 


Management can help implement a human firewall to protect their business by fostering an effective corporate culture around cybersecurity and responsible data handling. For example, they could make the rules around these issues a part of the company’s core principles. However, cultural KPIs can be challenging to implement and measure.

At BMO, we have been engaging with banks on this for some time. We believe that tone at the top is important – management should ensure that business leaders take ownership of these issues and demonstrate, through their actions, that addressing them is a priority.

Other possible means of establishing the right attitude to cybersecurity and data privacy include proper recognition through participating in events such as Data Protection Day, or effective staff training. But on the latter, it’s important to note that the stock compliance videos that we’re all more than familiar with don’t really cut it anymore. Companies now must go above and beyond the minimum compliance requirements to ensure cybersecurity and data privacy are taken seriously within their business.

Final thoughts 


COVID-19 has disrupted our working lives in ways that seemed quite unimaginable to many last year. Mass working-from-home patterns have strained the cybersecurity of many businesses and organisations. Meanwhile, technological solutions to control the virus could seriously threaten our human right to privacy if the data involved is not handled responsibly. Health priorities must be balanced with our citizens’ rights, which remain no matter the crisis at hand.

But for all its problems, the virus also creates opportunities for investor engagement. As companies navigate through new working environments, now is a better time than ever for investors to engage management on their cybersecurity strategies to ensure they are suitably robust as we dive deeper into our digital future.

Responsible Investment – a glossary of terms

Its wide-ranging nature means that responsible investment involves a host of associated language and jargon. Here we explain some of the most commonly used terms.

 

Active ownership 

Discharging responsibilities as investors and owners in a company through engagement and voting to influence the management of environmental, social and governance (ESG) issues.

Stewardship

The responsible allocation, management and oversight of capital to create long-term value for clients and beneficiaries leading to sustainable benefits for the economy, the environment and society.*

Environmental, Social and Governance (ESG)

A framework that breaks the broad concept of sustainability down into these three key issues.

Engagement

Entering dialogue with companies after investment, to support and encourage positive change in the management of key ESG issues.

Sustainable Development Goals (SDGs)

The 17 goals set by the United Nations in 2015 are a global framework for achieving a better and more sustainable future. They address the global challenges we face, including those related to poverty, inequality, climate, environmental degradation, prosperity and peace and justice. The UN is targeting completion of all 17 interconnecting goals by 2030.

 

* https://www.frc.org.uk/getattachment/5aae591d-d9d3-4cf4-814a-d14e156a1d87/Stewardship Code_Final2.pdf, p. 4. The Investment Association reserves the right to review its alignment with the FRC definition at any time.