Information on the cybersecurity of companies and their products is hard to obtain at the moment. Robeco cybersecurity expert Vincent Toms talks about the changing impact of cyber threats and the cybersecurity risk framework and ranking system he is developing for Robeco holdings, as well as the plans the company has to include cybersecurity in its sustainability engagement activities.
“We approach cybersecurity as a risk factor that can be of influence when assessing the investment attractiveness of a company. There are currently more than 90,000 known vulnerabilities and over 50,000 exploits of these vulnerabilities. And these numbers grow every day. Keeping up with these ‘known’ vulnerabilities and updating the IT environment (legacy) takes considerable time and resources.”
“Basic digital hygiene is essential. The root causes of most data breaches and attacks are still a lack of on-time patching, easy-to-guess passwords and unsecure installations. This is low-hanging fruit for attackers.”
“The situation has changed significantly over the last few years. We have seen cybersecurity controls receiving more attention from management boards. The topic has even gained the attention of shareholders, who have been voting to make cybersecurity part of executive-level bonus systems. Serious hacks and regulatory and supply chain pressures have all contributed to these developments.”
“However, you will not find details on how much companies spend on cybersecurity in corporate disclosure information. And that is a pity, because it does not give the kind of assurance that we are looking for.”
Corporate disclosure information will not tell you how much a company is investing in IT and cybersecurity
“Also, we have not yet reached the stage where, when buying a product, we can say if it is more secure or less secure. While manufacturers and suppliers can claim that their products are very secure, there is no guarantee. And even if they are secure by design, you have to look at a product’s life cycle, because something that is safe now may not be two days from now. I know some companies that put a lot of effort into securing their digital environment. If they can’t ensure that their clients’ data is safeguarded, they will lose the trust of customers. The Cybersecurity Council of the Netherlands advises companies to spend 10% of their IT budget on cybersecurity, yet the question of whether this is enough, too little or too much cannot be answered.”
“There are several cyber risk domains that need to be covered by an organization in order to minimize the chance and impact of an attack. Their efforts need to be balanced with the threats (for example, business risk), the level of controls (costs) and the impact of possible damage (cost of an attack).”
“In our research, we assess how a company complies with the key controls per risk domain. The key controls we look at are based on several international cybersecurity frameworks. At the end of this, we give the company a score, which is then compared to peers in order to make a relative ranking. This score can be a factor of influence when deciding whether to invest in a company.”
“Cybersecurity affects many sectors. We decided to start with trends funds because the cyber risk associated with trends, and particularly fintech, is high compared to other industries and trust is very important. Our holdings in these funds give us exposure to companies that have a large digital footprint. Our approach is to work agile and start small, make it work, make it lean and mean, and then make it bigger. When we see that our ranking framework works, we can use it for other funds.”
“The threat of cyber risks in the digital world is increasing, yet often this is not taken into account in the investment process. Investors are very much used to assessing physical risks such as those associated with the supply chain or production. But as corporate value generation increasingly moves online, the risks are changing and therefore investors’ analyses should change too. Today’s investment community is still far behind when it comes to assessing cyber risks and their impact on investments. Robeco is now closing this gap.”
“Initially I was asked to rate ten companies, as a pilot. The longer-term goal is to integrate the cyber ranking in Robeco’s investment process and sustainability engagement. And there is a vision to include it in one of their SDGs. So, it fits the Robeco philosophy.”
Investors want to know the level of cyber security and associated risk of an investment. And Robeco can make that happen, just like with sustainability
“The vision is that over time, there will be a reciprocal relationship between the cybersecurity ranking and the sustainability engagement. When shortcomings in the ranking of portfolio holdings or attractive investment candidates are discovered, the engagement team will work with the company in question to improve their cybersecurity practices. This will benefit both the company and investors. The outcome of such engagement may influence the cyber ranking.”
“The goal is to have insight into the cybersecurity and risk profile of a company and to integrate this information in the investment and engagement processes. Hopefully, this will also improve corporate governance reporting on this topic. For example, information on CO2 emissions is now included in public reports and we believe that cybersecurity data should be treated equally in the future.”
“We are now at the stage of improving the risk rating method and reporting standards. So, we plan to finish reviewing the framework and key controls by the end of this year. Then we want to test and automate the framework, after which we will scale it up and add more companies to the ranking. Our aim is to rate 2,000 to 5,000 companies within three years.”