Information on the cybersecurity of companies and their products is hard to obtain at the moment. Robeco cybersecurity expert Vincent Toms talks about the changing impact of cyber threats and the cybersecurity risk framework and ranking system he is developing for Robeco holdings, as well as the plans the company has to include cybersecurity in its sustainability engagement activities.
“We approach cybersecurity as a risk factor that can be of influence when assessing the investment attractiveness of a company. There are currently more than 90,000 known vulnerabilities and over 50,000 exploits of these vulnerabilities. And these numbers grow every day. Keeping up with these ‘known’ vulnerabilities and updating the IT environment (legacy) takes considerable time and resources.”
“Basic digital hygiene is essential. The root causes of most data breaches and attacks are still a lack of on-time patching, easy-to-guess passwords and unsecure installations. This is low-hanging fruit for attackers.”
“The situation has changed significantly over the last few years. We have seen cybersecurity controls receiving more attention from management boards. The topic has even gained the attention of shareholders, who have been voting to make cybersecurity part of executive-level bonus systems. Serious hacks and regulatory and supply chain pressures have all contributed to these developments.”
“However, you will not find details on how much companies spend on cybersecurity in corporate disclosure information. And that’s is a pity, because it does not give the kind of assurance that we are looking for.”
Corporate disclosure information will not tell you how much a company is investing in IT and cybersecurity
“Also, we have not yet reached the stage when we can say when buying a product if it is more secure or less secure. While manufacturers and suppliers can claim that their products are very secure, there is no guarantee. And even if they are secure by design, you have to look at a product’s life cycle because something that is safe now may not be two days from now. I know some companies that put a lot of effort into securing their digital environment. If they can’t ensure that their clients’ data is safeguarded, they will lose the trust of customers. The Cybersecurity Council of the Netherlands advises companies to spend 10% of their IT budget on cybersecurity, yet the question of whether this is enough, too little or too much cannot be answered.”
“There are several cyber risk domains that need to be covered by an organization in order to minimize the chance and impact of an attack. Their efforts need to be balanced with the threats (for example, business risk), the level of controls (costs) and the impact of possible damage (cost of an attack).”
“In our research, we assess how a company complies with the key controls per risk domain. The key controls we look at are based on several international cybersecurity frameworks. At the end of this, we give the company a score, which is then compared to peers in order to make a relative ranking. This score can be a factor of influence when deciding whether to invest in a company.”
“Cybersecurity affects many sectors. We decided to start with trends funds because the cyber risk associated with trends, and particularly fintech, is high compared to other industries and trust is very important. Our holdings in these funds give us exposure to companies that have a large digital footprint. Our approach is to work agile and start small, make it work, make it lean and mean, and then make it bigger. When we see that our ranking framework works, we can use it for other funds.”
“The threat of cyber risks in the digital world is increasing, yet often this is not taken into account in the investment process. Investors are very much used to assessing physical risks such as those associated with the supply chain or production. But as corporate value generation increasingly moves online, the risks are changing and therefore investors’ analyses should change too. Today’s investment community is still far behind when it comes to assessing cyber risks and their impact on investments. Robeco is now closing this gap.”
“Initially I was asked to rate ten companies, as a pilot. The longer-term goal is to integrate the cyber ranking in Robeco’s investment process and sustainability engagement. And, there is a vision to include it in one of their SDGs. So, it fits the Robeco philosophy.”
Investors want to know the level of cyber security and associated risk of an investment. And Robeco can make that happen, just like with sustainability
“The vision is that over time, there will be a reciprocal relationship between the cybersecurity ranking and the sustainability engagement. When shortcomings in the ranking of portfolio holdings or attractive investment candidates are discovered, the engagement team will work with the company in question to improve their cybersecurity practices. This will benefit both the company and investors. The outcome of such engagement may influence the cyber ranking.”
“The goal is to have insight into the cybersecurity and risk profile of a company and to integrate this information in the investment and engagement processes. Hopefully, this will also improve corporate governance reporting on this topic. For example, information on CO2 emissions is now included in public reports and we believe that cybersecurity data should be treated equally in the future.”
“We are now at the stage of improving the risk rating method and reporting standards. So, we plan to finish reviewing the framework and key controls by the end of this year. Then we want to test and automate the framework, after which we will scale it up and add more companies to the ranking. Our aim is to rate 2,000 to 5,000 companies within three years.”
The contents of this document have not been reviewed by the Securities and Futures Commission ("SFC") in Hong Kong. If you are in any doubt about any of the contents of this document, you should obtain independent professional advice. This document has been distributed by Robeco Hong Kong Limited (‘Robeco’). Robeco is regulated by the SFC in Hong Kong.
This document has been prepared on a confidential basis solely for the recipient and is for information purposes only. Any reproduction or distribution of this documentation, in whole or in part, or the disclosure of its contents, without the prior written consent of Robeco, is prohibited. By accepting this documentation, the recipient agrees to the foregoing
This document is intended to provide the reader with information on Robeco’s specific capabilities, but does not constitute a recommendation to buy or sell certain securities or investment products. Investment decisions should only be based on the relevant prospectus and on thorough financial, fiscal and legal advice. Please refer to the relevant offering documents for details including the risk factors before making any investment decisions.
The contents of this document are based upon sources of information believed to be reliable. This document is not intended for distribution to or use by any person or entity in any jurisdiction or country where such distribution or use would be contrary to local law or regulation.
Investment Involves risks. Historical returns are provided for illustrative purposes only and do not necessarily reflect Robeco’s expectations for the future. The value of your investments may fluctuate. Past performance is no indication of current or future performance.
Please read this information carefully.
This website is prepared and issued by Robeco Hong Kong Limited ("Robeco"), which is a corporation licensed by the Securities and Futures Commission in Hong Kong to engage in Type 1 (dealing in securities); Type 4 (advising in securities) and Type 9 (asset management) regulated activities. This website has not been reviewed by the Securities and Futures Commission or any regulatory authority in Hong Kong.
2. Important risk disclosures
Robeco Capital Growth Funds (“the Funds”) are distinguished by their respective specific investment policies or any other specific features. Please read carefully for the risks of the Funds:
3. Local legal and sales restrictions
The information contained in the Website is being provided for information purposes.
Neither information nor any opinion expressed on the Website constitutes a solicitation, an offer or a recommendation to buy, sell or dispose of any investment, to engage in any other transaction or to provide any investment advice or service. The information contained in the Website does not constitute investment advice or a recommendation and was prepared without regard to the specific objectives, financial situation or needs of any particular person who may receive it. An investment in a Robeco product should only be made after reading the related legal documents such as management regulations, prospectuses, most recent annual and semi-annual reports, which can be all be obtained free of charge at www.robeco.com/hk/en and at the Robeco Hong Kong office.
4. Use of the Website
The information is based on certain assumptions, information and conditions applicable at a certain time and may be subject to change at any time without notice. Robeco aims to provide accurate, complete and up-to-date information, obtained from sources of information believed to be reliable. Persons accessing the Website are responsible for their choice and use of the information.
5. Investment performance
No assurance can be given that the investment objective of any investment products will be achieved. No representation or promise as to the performance of any investment products or the return on an investment is made. The value of your investments may fluctuate. The value of the assets of Robeco investment products may also fluctuate as a result of the investment policy and/or the developments on the financial markets. Results obtained in the past are no guarantee for the future. Past performance, projection, or forecast included in this Website should not be taken as an indication or guarantee of future performance, and no representation or warranty, express or implied, is made regarding future performance. Fund performance figures are based on the month-end trading prices and are calculated on a total return basis with dividends reinvested. Return figures versus the benchmark show the investment management result before management and/or performance fees; the fund returns are with dividends reinvested and based on net asset values with prices and exchange rates of the valuation moment of the benchmark.
Investments involve risks. Past performance is not a guide to future performance. Potential investors should read the terms and conditions contained in the relevant offering documents and in particular the investment policies and the risk factors before any investment decision is made. Investors should ensure they fully understand the risks associated with the fund and should also consider their own investment objective and risk tolerance level. Investors are reminded that the value and income (if any) from shares of the fund may be volatile and could change substantially within a short period of time, and investors may not get back the amount they have invested in the fund. If in doubt, please seek independent financial and professional advice.
6. Third party websites
Following links to any other off-site pages or websites of third parties shall be at the own risk of the person following such link. Robeco has not reviewed any of the websites linked to or referred to by the Website and does not endorse or accept any responsibility for their content nor the products, services or other items offered through them. Robeco shall have no liability for any losses or damages arising from the use of or reliance on the information contained on websites of third parties, including, without limitation, any loss of profit or any other direct or indirect damage.
7. Limitation of liability
Robeco as well as (possible) other suppliers of information to the Website accept no responsibility for the contents of the Website or the information or recommendations contained herein, which moreover may be changed without notice.
Robeco assumes no responsibility for ensuring, and makes no warranty, that the functioning of the Website will be uninterrupted or error-free. Robeco assumes no responsibility for the consequences of e-mail messages regarding a Robeco (transaction) service, which either cannot be received or sent, are damaged, received or sent incorrectly, or not received or sent on time.
Neither will Robeco be liable for any loss or damage that may result from access to and use of the Website.
8. Intellectual property
All copyrights, patents, intellectual and other property, and licenses regarding the information on the Website are held and obtained by Robeco. These rights will not be passed to persons accessing this information.
10. Applicable law
The Website shall be governed by and construed in accordance with the laws of Hong Kong. All disputes arising out of or in connection with the Website shall be submitted to the exclusive jurisdiction of the courts of Hong Kong.