Let’s talk about risk
The value of investments and any income derived from them can go down as well as up and investors may not get back the original amount invested.
The information, opinions, estimates or forecasts contained in this document were obtained from sources reasonably believed to be reliable and are subject to change at any time.
The changing risk landscape
Investigation through collaboration
Between 2017-2019, we collaborated with 50+ institutional investors through a United Nations chief Principles for Responsible Investment initiative to work alongside companies on these issues.
Our collaboration had three main objectives:
> Improve our knowledge on what companies are doing to manage cybersecurity risks (specifically assessing their policies and governance structures)
> Engage and encourage an expansion of the quality of disclosure
> Broadcast more broadly to the market about where we see things going, and develop a best practice regime to point towards
Talking to companies revealed significant gaps in public cybersecurity-related disclosures. Some companies are still only in the early stages of building an understanding of the issue, while others are concerned that too much disclosure may unintentionally benefit hackers.
Overall, though, companies were very open to dialogue, and willingly made their experts (usually information security officers or data protection officers) available to give investors a good insight into how they are managing cybersecurity risks.
> Board oversight of cyber security issues increased quite significantly between 2017-2019.
> By 2019, most companies engaged had allocated responsibility for cyber security at the Board level.
> Most companies engaged did not rule out the possibility of appointing directors with specific cyber security skills. However, they did not flag this as a priority criterion for Board appointments.
> Many companies revealed they were prioritising training to address gaps in Board knowledge and expertise.
> Companies’ efforts to address cyber security risks through their entire data supply chain were inconsistent and generally lacking.
Overall, companies have significantly increase their investments in cyber security in the last few years, increasing their capacity to deal with security issues and protect data.
The power of collaboration
Best practice expectations
Companies should ensure that cybersecurity and data privacy are organisational priorities. We expect the Board itself to view these issues as essential considerations to the entire business strategy, and be confident that the highest levels of procedures are followed. When engaging with companies, we would look to learn how the Board is overseeing these procedures: do they have access within the organisation; do they meet one-to-one with internal managers; what internal KPIs are fed up to them, etc.
We would expect a dedicated cybersecurity expert on the Board, or sufficient, up-to-date knowledge on the associated risks shared between Board members. In the past, this has only applied to technology-focused companies. But in today’s increasingly digital world, more companies are inherently technology-focused and therefore require Board members who are capable of handling cyber threats.
Data supply chain
A closer look at the corporate culture
Management can help implement a human firewall to protect their business by fostering an effective corporate culture around cybersecurity and responsible data handling. For example, they could make the rules around these issues a part of the company’s core principles. However, cultural KPIs can be challenging to implement and measure.
At BMO, we’ve been engaging banks for a while here. We believe that tone at the top is important – management should ensure business leaders are owning and speaking through their actions, demonstrating prioritisation of addressing these issues.
Other possible means of establishing the right attitude to cybersecurity and data privacy include proper recognition through participating in events such as Data Protection Day, or effective staff training. But on the latter, it’s important to note that the stock compliance videos that we’re all more than familiar with don’t really cut it anymore. Companies now must go above and beyond the minimum compliance requirements to ensure cybersecurity and data privacy are taken seriously within their business.
COVID-19 has disrupted our working lives in ways that seemed quite unimaginable to many last year. Mass working-from-home patterns have strained the cybersecurity of many businesses and organisations. Meanwhile, technological solutions to control the virus could seriously threaten our human right to privacy if the data involved is not handled responsibly. Health priorities must be balanced with our citizens’ rights, which remain no matter the crisis at hand.