Cyber risk should be addressed at board level

04-08-2016 | Insights

Cyber risk should be addressed at board level as it poses an increasing threat to companies and investors, says Robeco’s head of Governance and Active Ownership.

  • Carola van Lamoen, Head of Active Ownership

Speed read

  • Cyber risk is moving up the corporate governance agenda
  • Board oversight is vital to address threats and plan responses
  • Viewpoint gives investors ammunition to start dialogues

Many companies view cyber security risks as simply a hacking threat that can be combatted with anti-virus software, while others don’t train staff in how to deal with a problem, warns Carola van Lamoen. And for some companies, the very software they use to conduct business may be exposing them to serious risk, she says.

The issue was hotly debated at the annual conference of the International Corporate Governance Network (ICGN), whose Corporate Risk Oversight Committee is co-chaired by Van Lamoen. The committee launched a Viewpoint outlining its aims on cyber risk which was widely circulated among ICGN members.

Corporate risk oversight

“One of the main takeaways was that cyber risk is now so serious it is something for boards to directly address as part of their corporate risk oversight,” says Van Lamoen, Head of the Governance and Active Ownership team at Robeco. “In the past, cyber risk was an issue that was dealt with by some department on the 4th floor, but that’s no longer acceptable.”

“It has become an issue of how cyber risk oversight is arranged, and whether boards are aware of their need to act and communicate. There is significant room for improvement here because cyber risk has increased, in two main areas: the risk of being hacked as the cyber criminals become more professional, and the risk of the wrong implementation of software. Even without a hacker, substantial risks can be faced if you don’t have your IT department in order.”

A lack of technical knowledge may be putting off some board members from trying to tackle the problem, but that doesn’t let them off the hook, adds George Dallas, Policy Director at the ICGN. “Cyber risk is a global threat for companies and investors. It is also a matter of corporate governance, to ensure that companies are taking appropriate steps to both understand and protect against cyber attacks specifically – but also other information technology risks in a broader context,” he says.

‘Non-executive directors should build awareness of cyber risks’

“A great challenge is the technical complexity linked to cyber risk. Even though many board directors may not have strong technical backgrounds, this does not absolve the board of accountability in terms of how cyber risks are governed. As a global investor-led body, ICGN believes that non-executive directors should build awareness of cyber risks, and that investors should also be prepared to engage with both directors and executive management to ensure that these risks are given appropriate attention and oversight.”

The new Viewpoint gives investors some ammunition to start a dialogue with companies on this issue. “We provided an overview of topics and questions that are relevant when talking to companies; there are questions that investors can ask directors at a policy level,” Van Lamoen says. “Conferences are a good place for Viewpoints such as this to be discussed; the idea really is to generate debate on the topic.”

High profile hacks

Some recent high profile cases include USD 81 million that was stolen from Asian financial institutions using a malware link; ‘denial of service’ attacks that brought down websites; and hacking that led to sensitive credit card details being stolen from online retailers.

An example of the major impact of wrong implementation of software was Knight Capital, which deployed untested software containing a bug to its production environment. Once the software was live, the firm's trading activities caused a major disruption in the prices of 148 companies listed on the New York Stock Exchange, and Knight Capital's own stock price collapsed by 70%.

Van Lamoen says there is a danger that companies which are hacked will hush it up to avoid any embarrassment, leaving investors in the dark. “It differs between companies. Obviously as an investor it’s good to know first of all how a company is dealing with it. They need to be transparent on who is ultimately responsible, how cyber risks are mapped and what systems are maintained to prevent incidents, and if any incidents do happen, how this will be addressed,” she says.

Company culture vital

Some viruses get into a company when an employee clicks on a link in their email while using a corporate computer without realizing that it contains malware that is sophisticated enough to bypass firewalls. “So you should create a culture where people are not worried about reporting a problem if something goes wrong, because otherwise it can be extremely harmful to the company,” Van Lamoen says.

“This starts at the top, through board-level oversight. Board members should provide adequate resources to deal with these kinds of issues. That was a big topic of debate at the conference; how much resources do you actually need for this, and what is enough? It’s difficult to say – you would only really know if it’s not enough when something goes wrong. But we accept that there are limits to what companies can do.”

The Viewpoint includes a three-point plan for investors to consider. It advises that companies should have:

  • Strategy process and plan oversight: this includes an assessment of which business operations are most vulnerable to cyber attack, with responses integrated into the board’s corporate risk strategy;
  • Risk program management oversight: led by how the company is improving alignment between its business and IT strategies, the priorities and budgeting to fund it, and employee training;
  • Risk response readiness: in particular, how fully a company’s cyber risk response plan addresses the ‘what ifs?’ and warning signs identified in the risk evaluation, plus a list of its 10 most recent IT problems and what was done to fix them.

“Taken together, these illustrate the need for board members to ensure an approach is used that is designed for complex, dynamic environments,” says Van Lamoen. “It is important that cyber risk oversight is integrated with the strategy and risk management of the company, particularly with regard to identifying a company’s critical data and informational assets.”
