Cyber risk should be addressed at board level as it poses an increasing threat to companies and investors, says Robeco’s head of Governance and Active Ownership.
Many companies view cyber security risks as simply a hacking threat that can be combatted with anti-virus software, while others don’t train staff in how to deal with a problem, warns Carola van Lamoen. And for some companies, the very software they use to conduct business may be exposing them to serious risk, she says.
The issue was hotly debated at the annual conference of the International Corporate Governance Network (ICGN), whose Corporate Risk Oversight Committee is co-chaired by Van Lamoen. The committee launched a Viewpoint outlining its aims on cyber risk which was widely circulated among ICGN members.
“One of the main takeaways was that cyber risk is now so serious it is something for boards to directly address as part of their corporate risk oversight,” says Van Lamoen, Head of the Governance and Active Ownership team at Robeco. “In the past, cyber risk was an issue that was dealt with by some department on the 4th floor, but that’s no longer acceptable.”
“It has become an issue of how cyber risk oversight is arranged, and whether boards are aware of their need to act and communicate. There is significant room for improvement here because cyber risk has increased, in two main areas: the risk of being hacked as the cyber criminals become more professional, and the risk of the wrong implementation of software. Even without a hacker, substantial risks can be faced if you don’t have your IT department in order.”
A lack of technical knowledge may be putting off some board members from trying to tackle the problem, but that doesn’t let them off the hook, adds George Dallas, Policy Director at the ICGN. “Cyber risk is a global threat for companies and investors. It is also a matter of corporate governance, to ensure that companies are taking appropriate steps to both understand and protect against cyber attacks specifically – but also other information technology risks in a broader context,” he says.
‘Non-executive directors should build awareness of cyber risks’
“A great challenge is the technical complexity linked to cyber risk. Even though many board directors may not have strong technical backgrounds, this does not absolve the board for accountability in terms of how cyber risks are governed. As a global investor-led body, ICGN believes that non-executive directors should build awareness of cyber risks, and that investors should also be prepared to engage with both directors and executive management to ensure that these risks are given appropriate attention and oversight.”
The new Viewpoint gives investors some ammunition to start a dialogue with companies on this issue. “We provided an overview of topics and questions that are relevant when talking to companies; there are questions that investors can ask directors at a policy level,” Van Lamoen says. “Conferences are a good place for Viewpoints such as this to be discussed; the idea really is to generate debate on the topic.”
Some recent high profile cases include USD 81 million that was stolen from Asian financial institutions using a malware link; ‘denial of service’ attacks that brought down websites; and hacking that led to sensitive credit card details being stolen from online retailers.
An example of the major impact of wrong implementation of software was Knight Capital, which deployed untested software to a production environment containing a bug. When the firm released the software into production, their trading activities caused a major disruption in the prices of 148 companies listed at the New York Stock Exchange; Knight Capital's stock price collapsed by 70%.
Van Lamoen says there is a danger that companies which are hacked will hush it up to avoid any embarrassment, leaving investors in the dark. “It differs between companies. Obviously as an investor it’s good to know first of all how a company is dealing with it. They need to be transparent on who is ultimately responsible, how cyber risks are mapped and what systems are maintained to prevent incidents, and if any incidents do happen, how this will be addressed,” she says.
Some viruses get into a company when an employee clicks on a link in their email while using a corporate computer without realizing that it contains malware that is sophisticated enough to bypass firewalls. “So you should create a culture where people are not worried about reporting a problem if something goes wrong, because otherwise it can be extremely harmful to the company,” Van Lamoen says.
“This starts at the top, through board-level oversight. Board members should provide adequate resources to deal with these kinds of issues. That was a big topic of debate at the conference; how much resources do you actually need for this, and what is enough? It’s difficult to say – you would only really know if it’s not enough when something goes wrong. But we accept that there are limits to what companies can do.”
The Viewpoint includes a three-point plan for investors to consider. It advises that companies should have:
“Taken together, these illustrate the need for board members to ensure an approach is used that is designed for complex, dynamic environments,” says Van Lamoen. “It is important that cyber risk oversight is integrated with the strategy and risk management of the company, particularly with regard to identifying a company’s critical data and informational assets.”
The content displayed on this website is exclusively directed at qualified investors, as defined in the swiss collective investment schemes act of 23 june 2006 ("cisa") and its implementing ordinance, or at “independent asset managers” which meet additional requirements as set out below. Qualified investors are in particular regulated financial intermediaries such as banks, securities dealers, fund management companies and asset managers of collective investment schemes and central banks, regulated insurance companies, public entities and retirement benefits institutions with professional treasury or companies with professional treasury.
The contents, however, are not intended for non-qualified investors. By clicking "I agree" below, you confirm and acknowledge that you act in your capacity as qualified investor pursuant to CISA or as an “independent asset manager” who meets the additional requirements set out hereafter. In the event that you are an "independent asset manager" who meets all the requirements set out in Art. 3 para. 2 let. c) CISA in conjunction with Art. 3 CISO, by clicking "I Agree" below you confirm that you will use the content of this website only for those of your clients which are qualified investors pursuant to CISA.
Representative in Switzerland of the foreign funds registered with the Swiss Financial Market Supervisory Authority ("FINMA") for distribution in or from Switzerland to non-qualified investors is Robeco Switzerland AG, Josefstrasse 218, 8005 Zürich, and the paying agent is UBS Switzerland AG, Bahnhofstrasse 45, 8001 Zürich. Please consult www.finma.ch for a list of FINMA registered funds.
Neither information nor any opinion expressed on the website constitutes a solicitation, an offer or a recommendation to buy, sell or dispose of any investment, to engage in any other transaction or to provide any investment advice or service. An investment in a Robeco/Robeco Switzerland product should only be made after reading the related legal documents such as management regulations, articles of association, prospectuses, key investor information documents and annual and semi-annual reports, which can be all be obtained free of charge at this website, at the registered seat of the representative in Switzerland, as well as at the Robeco/Robeco Switzerland offices in each country where Robeco has a presence. In respect of the funds distributed in Switzerland, the place of performance and jurisdiction is the registered office of the representative in Switzerland.
This website is not directed to any person in any jurisdiction where, by reason of that person's nationality, residence or otherwise, the publication or availability of this website is prohibited. Persons in respect of whom such prohibitions apply must not access this website.