Cyber risk should be addressed at board level

Cyber risk should be addressed at board level

04-08-2016 | インサイト

Cyber risk should be addressed at board level as it poses an increasing threat to companies and investors, says Robeco’s head of Governance and Active Ownership.

  • Carola van Lamoen
    Carola
    van Lamoen
    Head of Active Ownership

Speed read

  • Cyber risk is moving up the corporate governance agenda
  • Board oversight is vital to address threats and plan responses
  • Viewpoint gives investors ammunition to start dialogues

Many companies view cyber security risks as simply a hacking threat that can be combatted with anti-virus software, while others don’t train staff in how to deal with a problem, warns Carola van Lamoen. And for some companies, the very software they use to conduct business may be exposing them to serious risk, she says.

The issue was hotly debated at the annual conference of the International Corporate Governance Network (ICGN), whose Corporate Risk Oversight Committee is co-chaired by Van Lamoen. The committee launched a Viewpoint outlining its aims on cyber risk which was widely circulated among ICGN members.

サステナビリティに関する最新の「インサイト」を読む
サステナビリティに関する最新の「インサイト」を読む
配信登録

Corporate risk oversight

“One of the main takeaways was that cyber risk is now so serious it is something for boards to directly address as part of their corporate risk oversight,” says Van Lamoen, Head of the Governance and Active Ownership team at Robeco. “In the past, cyber risk was an issue that was dealt with by some department on the 4th floor, but that’s no longer acceptable.”

“It has become an issue of how cyber risk oversight is arranged, and whether boards are aware of their need to act and communicate. There is significant room for improvement here because cyber risk has increased, in two main areas: the risk of being hacked as the cyber criminals become more professional, and the risk of the wrong implementation of software. Even without a hacker, substantial risks can be faced if you don’t have your IT department in order.”

A lack of technical knowledge may be putting off some board members from trying to tackle the problem, but that doesn’t let them off the hook, adds George Dallas, Policy Director at the ICGN. “Cyber risk is a global threat for companies and investors. It is also a matter of corporate governance, to ensure that companies are taking appropriate steps to both understand and protect against cyber attacks specifically – but also other information technology risks in a broader context,” he says.

‘Non-executive directors should build awareness of cyber risks’

“A great challenge is the technical complexity linked to cyber risk. Even though many board directors may not have strong technical backgrounds, this does not absolve the board for accountability in terms of how cyber risks are governed. As a global investor-led body, ICGN believes that non-executive directors should build awareness of cyber risks, and that investors should also be prepared to engage with both directors and executive management to ensure that these risks are given appropriate attention and oversight.”

The new Viewpoint gives investors some ammunition to start a dialogue with companies on this issue. “We provided an overview of topics and questions that are relevant when talking to companies; there are questions that investors can ask directors at a policy level,” Van Lamoen says. “Conferences are a good place for Viewpoints such as this to be discussed; the idea really is to generate debate on the topic.”

High profile hacks

Some recent high profile cases include USD 81 million that was stolen from Asian financial institutions using a malware link; ‘denial of service’ attacks that brought down websites; and hacking that led to sensitive credit card details being stolen from online retailers.

An example of the major impact of wrong implementation of software was Knight Capital, which deployed untested software to a production environment containing a bug. When the firm released the software into production, their trading activities caused a major disruption in the prices of 148 companies listed at the New York Stock Exchange; Knight Capital's stock price collapsed by 70%.

Van Lamoen says there is a danger that companies which are hacked will hush it up to avoid any embarrassment, leaving investors in the dark. “It differs between companies. Obviously as an investor it’s good to know first of all how a company is dealing with it. They need to be transparent on who is ultimately responsible, how cyber risks are mapped and what systems are maintained to prevent incidents, and if any incidents do happen, how this will be addressed,” she says.

Company culture vital

Some viruses get into a company when an employee clicks on a link in their email while using a corporate computer without realizing that it contains malware that is sophisticated enough to bypass firewalls. “So you should create a culture where people are not worried about reporting a problem if something goes wrong, because otherwise it can be extremely harmful to the company,” Van Lamoen says.

“This starts at the top, through board-level oversight. Board members should provide adequate resources to deal with these kinds of issues. That was a big topic of debate at the conference; how much resources do you actually need for this, and what is enough? It’s difficult to say – you would only really know if it’s not enough when something goes wrong. But we accept that there are limits to what companies can do.”

The Viewpoint includes a three-point plan for investors to consider. It advises that companies should have: 

  • Strategy process and plan oversight: this includes an assessment of what business operations are most vulnerable to cyber attack, and responses are integrated within the board’s corporate risk strategy;
  • Risk program management oversight: led by how the company is improving alignment between its business and IT strategies, priorities and budgeting to fund it, along with employee training;
  • Risk response readiness: particularly how does a company’s cyber risk response plan fully address the ‘what ifs?’ and warning signs identified in risk evaluation, plus making a list of its 10 most recent IT problems and what was done to fix them.

“Taken together, these illustrate the need for board members to ensure an approach is used that is designed for complex, dynamic environments,” says Van Lamoen. “It is important that cyber risk oversight is integrated with the strategy and risk management of the company, particularly with regard to identifying a company’s critical data and informational assets.”

重要事項

当資料は情報提供を目的として、Robeco Institutional Asset Management B.V.が作成した英文資料、もしくはその英文資料をロベコ・ジャパン株式会社が翻訳したものです。資料中の個別の金融商品の売買の勧誘や推奨等を目的とするものではありません。記載された情報は十分信頼できるものであると考えておりますが、その正確性、完全性を保証するものではありません。意見や見通しはあくまで作成日における弊社の判断に基づくものであり、今後予告なしに変更されることがあります。運用状況、市場動向、意見等は、過去の一時点あるいは過去の一定期間についてのものであり、過去の実績は将来の運用成果を保証または示唆するものではありません。また、記載された投資方針・戦略等は全ての投資家の皆様に適合するとは限りません。当資料は法律、税務、会計面での助言の提供を意図するものではありません。

ご契約に際しては、必要に応じ専門家にご相談の上、最終的なご判断はお客様ご自身でなさるようお願い致します。

運用を行う資産の評価額は、組入有価証券等の価格、金融市場の相場や金利等の変動、及び組入有価証券の発行体の財務状況による信用力等の影響を受けて変動します。また、外貨建資産に投資する場合は為替変動の影響も受けます。運用によって生じた損益は、全て投資家の皆様に帰属します。したがって投資元本や一定の運用成果が保証されているものではなく、投資元本を上回る損失を被ることがあります。弊社が行う金融商品取引業に係る手数料または報酬は、締結される契約の種類や契約資産額により異なるため、当資料において記載せず別途ご提示させて頂く場合があります。具体的な手数料または報酬の金額・計算方法につきましては弊社担当者へお問合せください。

当資料及び記載されている情報、商品に関する権利は弊社に帰属します。したがって、弊社の書面による同意なくしてその全部もしくは一部を複製またはその他の方法で配布することはご遠慮ください。

商号等: ロベコ・ジャパン株式会社  金融商品取引業者 関東財務局長(金商)第2780号

加入協会: 一般社団法人 日本投資顧問業協会