The Principles for Responsible Investment (PRI) says 53 institutional investors representing more than $12trn (€10.3trn) in assets under management are collectively engaging on cyber security with global companies in the healthcare, financial, consumer goods, information technology and communications sectors.
Noting that cyber security risk is “real and pervasive”, the PRI has released a report showing that there are no minimum standards of regular public disclosure on cyber security practices from large-cap listed companies that investors can use to inform basic engagement and investment analysis.
And, although companies are increasingly recognising cyber risks, corporate information in the public domain “does not reassure investors” that they have adequate governance structures and measures in place to deal with the challenges.
“The lack of public disclosure also makes it difficult for investors to differentiate between those companies that are proactively developing, monitoring and managing cyber security risks versus those failing to prioritise these risks,” the PRI says.
“From an investor’s perspective, the business case to engage with companies on this topic is clear-cut.”
The 19-page report, “Stepping up governance on cyber security: what is corporate disclosure telling investors?” is available here.
The research evaluated the public disclosure of 100 companies on cyber security, covering 14 indicators on aspects such as policy, governance and flow of communication, access to expertise, training and assessment, and other procedures.
According to the World Economic Forum’s latest report on global risks, cyber security is ranked as one of the top five risks to businesses, reaffirming the need for company boards to prioritise this issue.
“Boards need to work closely with senior management to escalate the message across the organisation that security is everyone’s problem,” said PRI CEO Fiona Reynolds. “Board members could start by ensuring that cyber security is on the agenda at board meetings. If these issues are delegated to senior management, then the board must have regular updates from those individuals in order to stay current on the topic.”