latames
Working to fortify digital assets to beat cybercrime

Working to fortify digital assets to beat cybercrime

22-10-2021 | Visión

Attitudes to improving data security have improved as cybercrime becomes a multi-trillion dollar threat, a Robeco engagement program has found.

  • Peter van der Werf
    Peter
    van der Werf
    Engagement Specialist
  • Carolina Vergroesen
    Carolina
    Vergroesen
    Active Ownership Analyst

Speed read

  • Three-year engagement to improve cybersecurity at nine companies
  • Most have a clear strategy but are reluctant to advertise weaknesses
  • Ongoing skills gap means companies should nurture cyber skills internally

The Active Ownership team has just completed a three-year engagement program with nine companies, reaching a successful conclusion with seven of them. They were chosen because they operate using sensitive customer data in the payments, telecoms and household products sectors.

Most now have a clear strategy focused on improving their cybersecurity following a number of high-profile data breaches for some. However, most were reluctant to provide full transparency on their weaknesses, partly to avoid exposing any risk management gaps to criminals or competitors.

Cybercrime has become a global business on a par with the drugs industry, the costs of which have risen from about USD 500 billion in 2017 to an estimated USD 6 trillion in 2020. Since virtually all companies have digital operations in some form, their need to fortify and protect their digital assets has never been greater.

“As digitalization expands far beyond the tech realm, so do the associated cyber threats,” says Active Ownership Analyst Carolina Vergroesen. “Cybercrime can include anything from small, local security incidents with minor consequences, to cyberattacks which can disturb significant parts of the global economy.”

“Lax cybersecurity practices represent a clear and obvious threat to company business models. While these risks have become distinct in recent years, less clarity exists on the steps taken by companies to mitigate such risks.”

Conozca las perspectivas más recientes
Conozca las perspectivas más recientes
Suscríbase

Five topics for engagement

The engagement theme focused on five topics: governance and oversight; policy and procedure; risk management and controls; transparency and disclosure; and privacy by design. Originally, eleven companies were picked in 2018, but one was dropped after it was divested due to poor financial performance, and another was taken over.

“Most of the companies in our engagement peer group acknowledged the risks related to cybersecurity, but their approaches to this risk differed vastly,” says Vergroesen. “Whereas some considered it a top priority and an essential part of their license to operate, others saw it as merely one of many business risks. This variety resulted in clearly different success rates between companies and in relation to various objectives.”

“For the governance and oversight objective, nearly 80% of all companies had a clear strategy and governance hierarchy in place for managing cybersecurity. However, several transparency topics proved more challenging as most companies preferred to keep their cards close to their chest.”

Circumventing barriers

“This is understandable given that hackers can more easily circumvent barriers if they know exactly which security systems are in place. However, this hesitancy to provide information affected our success rate for our policy and procedure and transparency and disclosure objectives in particular, where engagement was successfully closed with only five of the nine companies.”

The team saw more openness from companies regarding the risk management and controls objective. “Although companies hesitated to disclose their particular responses to cyber threats, they were more open to discussing the sensitivity and integrity of their security controls,” says Vergroesen.

“Several have dedicated teams that regularly test their company’s defenses in order to identify possible gaps in their current practices. We found this especially encouraging as the threat landscape is continuously changing, and companies should be prepared to adapt their security accordingly and respond quickly to with emerging threats.”

Privacy as a priority

Data breaches involving personally identifiable information (PII) are particularly harmful for both the customers affected and the company’s reputation and legal liability. Overall, engagement with six of the nine companies was successfully closed for the privacy by design objective.

“Companies need to be clear to their customers what type of data is collected and for what purpose, and be informed in case of accidental breaches,” says Vergroesen.

“Although most companies had some form of privacy policy in place, the quality of these policies varied substantially. Whereas some were global and very detailed, others were local and only met legal requirements rather than being truly informative for clients.”

Legislation is helping

Meanwhile, cybersecurity legislation is becoming globalized, greatly boosted in 2018 with the introduction of the EU’s General Data Protection Regulation (GDPR). This toughened guidelines for what is expected when collecting information for commercial use within the EU and has already been used against companies failing to comply with it. Later this year the California Privacy Rights Act (CPRA) in the US is expected to have a similar impact on companies as GDPR has had in the EU.

“We are encouraged to see that nearly 80% of countries worldwide have cybersecurity legislation in place,” says Vergroesen. “Continued expansion of this legislation is crucial in ensuring clear standards for companies to adhere to.”

“Although several of the companies under engagement went far beyond legal requirements, many cyber strategies were directly linked to specific legislation.”

Skills shortage

But one flipside of the increased attention to cybersecurity is that it has created greater demand for IT specialists, and subsequently a skills gap. A report by the Information Systems Security Association shows that this gap between the demand for and supply of qualified technicians persisted for the fifth consecutive year in 2021.

“As cyber standards are raised globally, companies will have to vie for talent to hire the people who can work in this field,” says Vergroesen. “We believe companies should therefore focus on the development of cyber skills within their organizations, as simply acquiring outside talent might prove to be a difficult challenge.”

Further cybersecurity work

As the specific engagement program has ended, the team will now focus on the issue where it is an indirect consequence of digitalization across the spectrum.

“Although this engagement has come to a close, we continue to see the importance of cybersecurity across virtually all industries,” says Vergroesen.

“Specifically, our engagement themes on the digitalization of health care and the social impact of artificial intelligence continue to focus on companies’ diligent implementation of cybersecurity and data privacy practices. There is much work yet to be done; like technology itself it is always moving on.”

Logo

Información importante

Los Fondos Robeco Capital Growth no han sido inscritos conforme a la Ley de sociedades de inversión de Estados Unidos (United States Investment Company Act) de 1940, en su versión en vigor, ni conforme a la Ley de valores de Estados Unidos (United States Securities Act) de 1933, en su versión en vigor. Ninguna de las acciones puede ser ofrecida o vendida, directa o indirectamente, en los Estados Unidos ni a ninguna Persona estadounidense en el sentido de la Regulation S promulgada en virtud de la Ley de Valores de 1933, en su versión en vigor (en lo sucesivo, la “Ley de Valores”)). Asimismo, Robeco Institutional Asset Management B.V. (Robeco) no presta servicios de asesoramiento de inversión, ni da a entender que puede ofrecer este tipo de servicios, en los Estados Unidos ni a ninguna Persona estadounidense (en el sentido de la Regulation S promulgada en virtud de la Ley de Valores).

Este sitio Web está únicamente destinado a su uso por Personas no estadounidenses fuera de Estados Unidos (en el sentido de la Regulation S promulgada en virtud de la Ley de Valores) que sean inversores profesionales o fiduciarios profesionales que representen a dichos inversores que no sean Personas estadounidenses. Al hacer clic en el botón “Acepto” que se encuentra en el aviso sobre descargo de responsabilidad de nuestro sitio Web y acceder a la información que se encuentra en dicho sitio, incluidos sus subdominios, usted confirma y acepta lo siguiente: (i) que ha leído, comprendido y aceptado el presente aviso legal, (ii) que se ha informado de las restricciones legales aplicables y que, al acceder a la información contenida en este sitio Web, manifiesta que no infringe, ni provocará que Robeco o alguna de sus entidades o emisores vinculados infrinjan, ninguna ley aplicable, por lo que usted está legalmente autorizado a acceder a dicha información, en su propio nombre y en representación de sus clientes de asesoramiento de inversión, en su caso, (iii) que usted comprende y acepta que determinada información contenida en el presente documento se refiere a valores que no han sido inscritos en virtud de la Ley de Valores, y que solo pueden venderse u ofrecerse fuera de Estados Unidos y únicamente por cuenta o en beneficio de Personas no estadounidenses (en el sentido de la Regulation S promulgada en virtud de la Ley de Valores), (iv) que usted es, o actúa como asesor de inversión discrecional en representación de, una Persona no estadounidense (en el sentido de la Regulation S promulgada en virtud de la Ley de Valores) situada fuera de los Estados Unidos y (v) que usted es, o actúa como asesor de inversión discrecional en representación de, un inversión profesional no minorista. El acceso a este sitio Web ha sido limitado, de manera que no constituya intento de venta dirigida (según se define este concepto en la Regulation S promulgada en virtud de la Ley de Valores) en Estados Unidos, y que no pueda entenderse que a través del mismo Robeco dé a entender al público estadounidense en general que ofrece servicios de asesoramiento de inversión. Nada de lo aquí señalado constituye una oferta de venta de valores o la promoción de una oferta de compra de valores en ninguna jurisdicción. Nos reservamos el derecho a denegar acceso a cualquier visitante, incluidos, a título únicamente ilustrativo, aquellos visitantes con direcciones IP ubicadas en Estados Unidos.

Este sitio Web ha sido cuidadosamente elaborado por Robeco. La información de esta publicación proviene de fuentes que son consideradas fiables. Robeco no es responsable de la exactitud o de la exhaustividad de los hechos, opiniones, expectativas y resultados referidos en la misma. Aunque en la elaboración de este sitio Web se ha extremado la precaución, no aceptamos responsabilidad alguna por los daños de ningún tipo que se deriven de una información incorrecta o incompleta. El presente sitio Web podrá sufrir cambios sin previo aviso. El valor de las inversiones puede fluctuar. Rendimientos anteriores no son garantía de resultados futuros. Si la divisa en que se expresa el rendimiento pasado difiere de la divisa del país en que usted reside, tenga en cuenta que el rendimiento mostrado podría aumentar o disminuir al convertirlo a su divisa local debido a las fluctuaciones de los tipos de cambio. Para inversores profesionales únicamente. Prohibida su comunicación al público en general.

No estoy de acuerdo