latamen
Cyber risk should be addressed at board level

Cyber risk should be addressed at board level

04-08-2016 | Insight

Cyber risk should be addressed at board level as it poses an increasing threat to companies and investors, says Robeco’s head of Governance and Active Ownership.

  • Carola van Lamoen
    Carola
    van Lamoen
    Head of Active Ownership

Speed read

  • Cyber risk is moving up the corporate governance agenda
  • Board oversight is vital to address threats and plan responses
  • Viewpoint gives investors ammunition to start dialogues

Many companies view cyber security risks as simply a hacking threat that can be combatted with anti-virus software, while others don’t train staff in how to deal with a problem, warns Carola van Lamoen. And for some companies, the very software they use to conduct business may be exposing them to serious risk, she says.

The issue was hotly debated at the annual conference of the International Corporate Governance Network (ICGN), whose Corporate Risk Oversight Committee is co-chaired by Van Lamoen. The committee launched a Viewpoint outlining its aims on cyber risk which was widely circulated among ICGN members.

Stay informed on Sustainable Investing with monthly mail updates
Stay informed on Sustainable Investing with monthly mail updates
Subscribe

Corporate risk oversight

“One of the main takeaways was that cyber risk is now so serious it is something for boards to directly address as part of their corporate risk oversight,” says Van Lamoen, Head of the Governance and Active Ownership team at Robeco. “In the past, cyber risk was an issue that was dealt with by some department on the 4th floor, but that’s no longer acceptable.”

“It has become an issue of how cyber risk oversight is arranged, and whether boards are aware of their need to act and communicate. There is significant room for improvement here because cyber risk has increased, in two main areas: the risk of being hacked as the cyber criminals become more professional, and the risk of the wrong implementation of software. Even without a hacker, substantial risks can be faced if you don’t have your IT department in order.”

A lack of technical knowledge may be putting off some board members from trying to tackle the problem, but that doesn’t let them off the hook, adds George Dallas, Policy Director at the ICGN. “Cyber risk is a global threat for companies and investors. It is also a matter of corporate governance, to ensure that companies are taking appropriate steps to both understand and protect against cyber attacks specifically – but also other information technology risks in a broader context,” he says.

‘Non-executive directors should build awareness of cyber risks’

“A great challenge is the technical complexity linked to cyber risk. Even though many board directors may not have strong technical backgrounds, this does not absolve the board for accountability in terms of how cyber risks are governed. As a global investor-led body, ICGN believes that non-executive directors should build awareness of cyber risks, and that investors should also be prepared to engage with both directors and executive management to ensure that these risks are given appropriate attention and oversight.”

The new Viewpoint gives investors some ammunition to start a dialogue with companies on this issue. “We provided an overview of topics and questions that are relevant when talking to companies; there are questions that investors can ask directors at a policy level,” Van Lamoen says. “Conferences are a good place for Viewpoints such as this to be discussed; the idea really is to generate debate on the topic.”

High profile hacks

Some recent high profile cases include USD 81 million that was stolen from Asian financial institutions using a malware link; ‘denial of service’ attacks that brought down websites; and hacking that led to sensitive credit card details being stolen from online retailers.

An example of the major impact of wrong implementation of software was Knight Capital, which deployed untested software to a production environment containing a bug. When the firm released the software into production, their trading activities caused a major disruption in the prices of 148 companies listed at the New York Stock Exchange; Knight Capital's stock price collapsed by 70%.

Van Lamoen says there is a danger that companies which are hacked will hush it up to avoid any embarrassment, leaving investors in the dark. “It differs between companies. Obviously as an investor it’s good to know first of all how a company is dealing with it. They need to be transparent on who is ultimately responsible, how cyber risks are mapped and what systems are maintained to prevent incidents, and if any incidents do happen, how this will be addressed,” she says.

Company culture vital

Some viruses get into a company when an employee clicks on a link in their email while using a corporate computer without realizing that it contains malware that is sophisticated enough to bypass firewalls. “So you should create a culture where people are not worried about reporting a problem if something goes wrong, because otherwise it can be extremely harmful to the company,” Van Lamoen says.

“This starts at the top, through board-level oversight. Board members should provide adequate resources to deal with these kinds of issues. That was a big topic of debate at the conference; how much resources do you actually need for this, and what is enough? It’s difficult to say – you would only really know if it’s not enough when something goes wrong. But we accept that there are limits to what companies can do.”

The Viewpoint includes a three-point plan for investors to consider. It advises that companies should have: 

  • Strategy process and plan oversight: this includes an assessment of what business operations are most vulnerable to cyber attack, and responses are integrated within the board’s corporate risk strategy;
  • Risk program management oversight: led by how the company is improving alignment between its business and IT strategies, priorities and budgeting to fund it, along with employee training;
  • Risk response readiness: particularly how does a company’s cyber risk response plan fully address the ‘what ifs?’ and warning signs identified in risk evaluation, plus making a list of its 10 most recent IT problems and what was done to fix them.

“Taken together, these illustrate the need for board members to ensure an approach is used that is designed for complex, dynamic environments,” says Van Lamoen. “It is important that cyber risk oversight is integrated with the strategy and risk management of the company, particularly with regard to identifying a company’s critical data and informational assets.”

Important information

The Robeco Capital Growth Funds have not been registered under the United States Investment Company Act of 1940, as amended, nor or the United States Securities Act of 1933, as amended. None of the shares may be offered or sold, directly or indirectly in the United States or to any U.S. Person (within the meaning of Regulation S promulgated under the Securities Act of 1933, as amended (the “Securities Act”)). Furthermore, Robeco Institutional Asset Management B.V. (Robeco) does not provide investment advisory services, or hold itself out as providing investment advisory services, in the United States or to any U.S. Person (within the meaning of Regulation S promulgated under the Securities Act).

This website is intended for use only by non-U.S. Persons outside of the United States (within the meaning of Regulation S promulgated under the Securities Act who are professional investors, or professional fiduciaries representing such non-U.S. Person investors. By clicking “I Agree” on our website disclaimer and accessing the information on this website, including any subdomain thereof, you are certifying and agreeing to the following: (i) you have read, understood and agree to this disclaimer, (ii) you have informed yourself of any applicable legal restrictions and represent that by accessing the information contained on this website, you are not in violation of, and will not be causing Robeco or any of its affiliated entities or issuers to violate, any applicable laws and, as a result, you are legally authorized to access such information on behalf of yourself and any underlying investment advisory client, (iii) you understand and acknowledge that certain information presented herein relates to securities that have not been registered under the Securities Act, and may be offered or sold only outside the United States and only to, or for the account or benefit of, non-U.S. Persons (within the meaning of Regulation S under the Securities Act), (iv) you are, or are a discretionary investment adviser representing, a non-U.S. Person (within the meaning of Regulation S under the Securities Act) located outside of the United States and (v) you are, or are a discretionary investment adviser representing, a professional non-retail investor. Access to this website has been limited so that it shall not constitute directed selling efforts (as defined in Regulation S under the Securities Act) in the United States and so that it shall not be deemed to constitute Robeco holding itself out generally to the public in the U.S. as an investment adviser. Nothing contained herein constitutes an offer to sell securities or solicitation of an offer to purchase any securities in any jurisdiction. We reserve the right to deny access to any visitor, including, but not limited to, those visitors with IP addresses residing in the United States.

This website has been carefully prepared by Robeco. The information contained in this publication is based upon sources of information believed to be reliable. Robeco is not answerable for the accuracy or completeness of the facts, opinions, expectations and results referred to therein. Whilst every care has been taken in the preparation of this website, we do not accept any responsibility for damage of any kind resulting from incorrect or incomplete information. This website is subject to change without notice. The value of the investments may fluctuate. Past performance is no guarantee of future results. If the currency in which the past performance is displayed differs from the currency of the country in which you reside, then you should be aware that due to exchange rate fluctuations the performance shown may increase or decrease if converted into your local currency. For investment professional use only. Not for use by the general public.

I Disagree