'The impact of cyber risks has changed, and companies have to raise the standards'

24-07-2019 | Insights

Information on the cybersecurity of companies and their products is hard to obtain at the moment. Robeco cybersecurity expert Vincent Toms talks about the changing impact of cyber threats and the cybersecurity risk framework and ranking system he is developing for Robeco holdings, as well as the plans the company has to include cybersecurity in its sustainability engagement activities.

Vincent Toms, Analyst

Cybersecurity is a rapidly evolving field. How can we keep up with – or, better still, stay ahead of – all the threats?

“We approach cybersecurity as a risk factor that can be of influence when assessing the investment attractiveness of a company. There are currently more than 90,000 known vulnerabilities and over 50,000 exploits of these vulnerabilities. And these numbers grow every day. Keeping up with these ‘known’ vulnerabilities and updating the IT environment (legacy) takes considerable time and resources.” 

“Basic digital hygiene is essential. The root causes of most data breaches and attacks are still a lack of on-time patching, easy-to-guess passwords and insecure installations. This is low-hanging fruit for attackers.”


Cybersecurity costs a lot, but a hack could cost more. How willing are companies to spend the money needed to create secure systems?

“The situation has changed significantly over the last few years. We have seen cybersecurity controls receiving more attention from management boards. The topic has even gained the attention of shareholders, who have been voting to make cybersecurity part of executive-level bonus systems. Serious hacks and regulatory and supply chain pressures have all contributed to these developments.”

“However, you will not find details on how much companies spend on cybersecurity in corporate disclosure information. And that is a pity, because it does not give the kind of assurance that we are looking for.”

Corporate disclosure information will not tell you how much a company is investing in IT and cybersecurity

“Also, we have not yet reached the stage where, when buying a product, we can say whether it is more secure or less secure. While manufacturers and suppliers can claim that their products are very secure, there is no guarantee. And even if they are secure by design, you have to look at a product’s life cycle, because something that is safe now may not be two days from now. I know some companies that put a lot of effort into securing their digital environment. If they can’t ensure that their clients’ data is safeguarded, they will lose the trust of customers. The Cybersecurity Council of the Netherlands advises companies to spend 10% of their IT budget on cybersecurity, yet the question of whether this is enough, too little or too much cannot be answered.”

What is the cybersecurity risk framework you are implementing?

“There are several cyber risk domains that need to be covered by an organization in order to minimize the chance and impact of an attack. Their efforts need to be balanced with the threats (for example, business risk), the level of controls (costs) and the impact of possible damage (cost of an attack).”

“In our research, we assess how a company complies with the key controls per risk domain. The key controls we look at are based on several international cybersecurity frameworks. At the end of this, we give the company a score, which is then compared to peers in order to make a relative ranking. This score can be a factor of influence when deciding whether to invest in a company.” 
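The scoring model described in this answer, as an added example that is not Robeco's own framework or code: each company is assessed against a set of key controls grouped by risk domain, the per-domain results are combined into one score, and that score is ranked against peers. The domain names, controls, weights and the four assessed companies are constructed for illustration and are not taken from the interview or from any published framework.

```python
"""Added example (not Robeco's framework): a minimal cyber-risk scoring and
peer-ranking model in the shape the interview describes.

A domain score is the fraction of that domain's key controls a company has in
place. Domains are weighted by the assumed impact of a failure there, so the
overall score balances control coverage against impact, and the overall
score is then ranked relative to a peer group.
"""

# Hypothetical risk domains and key controls (illustrative names only).
KEY_CONTROLS: dict[str, list[str]] = {
    "patch_management": ["critical_patch_sla", "asset_inventory", "legacy_decommission_plan"],
    "access_control": ["mfa_enforced", "password_policy", "privileged_access_review"],
    "secure_configuration": ["hardening_baseline", "default_credentials_removed", "config_monitoring"],
    "incident_response": ["ir_plan_tested", "logging_centralised", "breach_notification_process"],
}

# Assumed impact weights per domain; they sum to 1.0 so scores fall in [0, 1].
DOMAIN_WEIGHTS: dict[str, float] = {
    "patch_management": 0.3,
    "access_control": 0.3,
    "secure_configuration": 0.2,
    "incident_response": 0.2,
}


def domain_score(assessment: dict[str, bool], domain: str) -> float:
    """Fraction of the domain's key controls marked as in place (missing = not in place)."""
    controls = KEY_CONTROLS[domain]
    return sum(assessment.get(c, False) for c in controls) / len(controls)


def company_score(assessment: dict[str, bool]) -> float:
    """Impact-weighted sum of the domain scores, in [0, 1]."""
    return sum(DOMAIN_WEIGHTS[d] * domain_score(assessment, d) for d in KEY_CONTROLS)


def weakest_domains(assessment: dict[str, bool], threshold: float = 0.5) -> list[str]:
    """Domains below the threshold: the shortcomings an engagement would start with."""
    return sorted(d for d in KEY_CONTROLS if domain_score(assessment, d) < threshold)


def rank_peers(assessments: dict[str, dict[str, bool]]) -> list[tuple[str, float, float]]:
    """Return (company, score, percentile) sorted best-first.

    The percentile is the share of peers scoring strictly below the company,
    so the weakest company is at 0.0 and the strongest at 100.0. Ties are
    broken alphabetically for a stable ordering.
    """
    scored = {name: company_score(a) for name, a in assessments.items()}
    ordered = sorted(scored, key=lambda n: (-scored[n], n))
    others = len(scored) - 1
    ranking = []
    for name in ordered:
        below = sum(1 for s in scored.values() if s < scored[name])
        percentile = 100.0 * below / others if others else 100.0
        ranking.append((name, round(scored[name], 3), round(percentile, 1)))
    return ranking


# Constructed peer group: control assessments for four fictional companies.
SAMPLE_PEERS: dict[str, dict[str, bool]] = {
    "Alpha Payments": {c: True for cs in KEY_CONTROLS.values() for c in cs},
    "Beta Lending": {
        "critical_patch_sla": True, "asset_inventory": True, "legacy_decommission_plan": False,
        "mfa_enforced": True, "password_policy": True, "privileged_access_review": False,
        "hardening_baseline": True, "default_credentials_removed": True, "config_monitoring": True,
        "ir_plan_tested": False, "logging_centralised": True, "breach_notification_process": True,
    },
    "Gamma Trading": {
        "asset_inventory": True,
        "password_policy": True,
        "default_credentials_removed": True,
    },
    "Delta Insurtech": {
        "critical_patch_sla": True,
        "mfa_enforced": True, "password_policy": True, "privileged_access_review": True,
        "hardening_baseline": True, "default_credentials_removed": True,
        "ir_plan_tested": True, "logging_centralised": True,
    },
}

if __name__ == "__main__":
    for name, score, pct in rank_peers(SAMPLE_PEERS):
        gaps = weakest_domains(SAMPLE_PEERS[name])
        print(f"{name:16s} score={score:.3f} percentile={pct:5.1f} weak={gaps}")
```

The relative ranking is what makes the score usable across a peer group: an absolute score of 0.67 says little on its own, but sitting at the 33rd percentile of fintech peers, with patch management as the only domain below threshold, is a concrete finding to take into an engagement.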

Are trends funds more exposed to cyber risks than other funds?

“Cybersecurity affects many sectors. We decided to start with trends funds because the cyber risk associated with trends, and particularly fintech, is high compared to other industries and trust is very important. Our holdings in these funds give us exposure to companies that have a large digital footprint. Our approach is to work agile and start small, make it work, make it lean and mean, and then make it bigger. When we see that our ranking framework works, we can use it for other funds.”

What is behind the push to develop this cybersecurity ranking for Robeco holdings? And what goals and timelines were set for you when you joined Robeco?

“The threat of cyber risks in the digital world is increasing, yet often this is not taken into account in the investment process. Investors are very much used to assessing physical risks such as those associated with the supply chain or production. But as corporate value generation increasingly moves online, the risks are changing and therefore investors’ analyses should change too. Today’s investment community is still far behind when it comes to assessing cyber risks and their impact on investments. Robeco is now closing this gap.” 

“Initially I was asked to rate ten companies, as a pilot. The longer-term goal is to integrate the cyber ranking in Robeco’s investment process and sustainability engagement. And there is a vision to include it in one of their SDGs. So, it fits the Robeco philosophy.”

Investors want to know the level of cyber security and associated risk of an investment. And Robeco can make that happen, just like with sustainability

How will cybersecurity be included in Robeco’s sustainability engagement activities?

“The vision is that over time, there will be a reciprocal relationship between the cybersecurity ranking and the sustainability engagement. When shortcomings in the ranking of portfolio holdings or attractive investment candidates are discovered, the engagement team will work with the company in question to improve their cybersecurity practices. This will benefit both the company and investors. The outcome of such engagement may influence the cyber ranking.”

“The goal is to have insight into the cybersecurity and risk profile of a company and to integrate this information in the investment and engagement processes. Hopefully, this will also improve corporate governance reporting on this topic. For example, information on CO2 emissions is now included in public reports and we believe that cybersecurity data should be treated equally in the future.”

Where are we now with this initiative and what is the next step?

“We are now at the stage of improving the risk rating method and reporting standards. So, we plan to finish reviewing the framework and key controls by the end of this year. Then we want to test and automate the framework, after which we will scale it up and add more companies to the ranking. Our aim is to rate 2,000 to 5,000 companies within three years.”

Important information

This document was prepared in English by Robeco Institutional Asset Management B.V. for information purposes, or is a translation of that English document by Robeco Japan Co., Ltd. It is not intended as a solicitation or recommendation to buy or sell any individual financial product mentioned in it. Although the information provided is believed to be sufficiently reliable, its accuracy and completeness are not guaranteed. Opinions and forecasts reflect our judgement as of the date of preparation and are subject to change without notice. Performance, market trends, opinions and the like refer to a point in time or a period in the past, and past performance neither guarantees nor indicates future results. The investment policies and strategies described may not be suitable for all investors. This document is not intended to provide legal, tax or accounting advice.

Before entering into a contract, please consult a professional as necessary and make your final decision at your own discretion.

The value of managed assets fluctuates with the prices of the securities held, movements in financial markets and interest rates, and the creditworthiness of issuers as determined by their financial condition. Investments in foreign-currency assets are also affected by exchange-rate movements. All profits and losses arising from management accrue to investors. Accordingly, neither the principal nor any particular investment result is guaranteed, and losses may exceed the principal invested. Fees or remuneration for our financial instruments business vary with the type of contract and the contracted asset amount and may therefore be presented separately rather than in this document. For specific fee amounts and calculation methods, please contact your representative at our company.

The rights to this document, the information it contains and the products described belong to us. Please refrain from reproducing or otherwise distributing all or part of it without our written consent.

Company name: Robeco Japan Co., Ltd., Financial Instruments Business Operator, Director-General of the Kanto Local Finance Bureau (Kinsho) No. 2780

Membership: Japan Investment Advisers Association