Attitudes to improving data security have improved as cybercrime becomes a multi-trillion dollar threat, a Robeco engagement program has found.
The Active Ownership team has just completed a three-year engagement program with nine companies, reaching a successful conclusion with seven of them. They were chosen because they operate using sensitive customer data in the payments, telecoms and household products sectors.
Most now have a clear strategy focused on improving their cybersecurity, in some cases following a number of high-profile data breaches. However, most were reluctant to provide full transparency on their weaknesses, partly to avoid exposing any risk management gaps to criminals or competitors.
Cybercrime has become a global business on a par with the drugs industry, with its costs rising from about USD 500 billion in 2017 to an estimated USD 6 trillion in 2020. Since virtually all companies have digital operations in some form, their need to fortify and protect their digital assets has never been greater.
“As digitalization expands far beyond the tech realm, so do the associated cyber threats,” says Active Ownership Analyst Carolina Vergroesen. “Cybercrime can include anything from small, local security incidents with minor consequences, to cyberattacks which can disturb significant parts of the global economy.”
“Lax cybersecurity practices represent a clear and obvious threat to company business models. While these risks have become distinct in recent years, less clarity exists on the steps taken by companies to mitigate such risks.”
The engagement theme focused on five topics: governance and oversight; policy and procedure; risk management and controls; transparency and disclosure; and privacy by design. Originally, eleven companies were picked in 2018, but one was dropped after it was divested due to poor financial performance, and another was taken over.
“Most of the companies in our engagement peer group acknowledged the risks related to cybersecurity, but their approaches to this risk differed vastly,” says Vergroesen. “Whereas some considered it a top priority and an essential part of their license to operate, others saw it as merely one of many business risks. This variety resulted in clearly different success rates between companies and in relation to various objectives.”
“For the governance and oversight objective, nearly 80% of all companies had a clear strategy and governance hierarchy in place for managing cybersecurity. However, several transparency topics proved more challenging as most companies preferred to keep their cards close to their chest.”
“This is understandable given that hackers can more easily circumvent barriers if they know exactly which security systems are in place. However, this hesitancy to provide information affected our success rate for our policy and procedure and transparency and disclosure objectives in particular, where engagement was successfully closed with only five of the nine companies.”
The team saw more openness from companies regarding the risk management and controls objective. “Although companies hesitated to disclose their particular responses to cyber threats, they were more open to discussing the sensitivity and integrity of their security controls,” says Vergroesen.
“Several have dedicated teams that regularly test their company’s defenses in order to identify possible gaps in their current practices. We found this especially encouraging as the threat landscape is continuously changing, and companies should be prepared to adapt their security accordingly and respond quickly to emerging threats.”
Data breaches involving personally identifiable information (PII) are particularly harmful for both the customers affected and the company’s reputation and legal liability. Overall, engagement with six of the nine companies was successfully closed for the privacy by design objective.
“Companies need to be clear to their customers what type of data is collected and for what purpose, and be informed in case of accidental breaches,” says Vergroesen.
Meanwhile, cybersecurity legislation is becoming globalized, greatly boosted in 2018 with the introduction of the EU’s General Data Protection Regulation (GDPR). This toughened guidelines for what is expected when collecting information for commercial use within the EU and has already been used against companies failing to comply with it. Later this year the California Privacy Rights Act (CPRA) in the US is expected to have a similar impact on companies as GDPR has had in the EU.
“We are encouraged to see that nearly 80% of countries worldwide have cybersecurity legislation in place,” says Vergroesen. “Continued expansion of this legislation is crucial in ensuring clear standards for companies to adhere to.”
“Although several of the companies under engagement went far beyond legal requirements, many cyber strategies were directly linked to specific legislation.”
But one flipside of the increased attention to cybersecurity is that it has created greater demand for IT specialists, and subsequently a skills gap. A report by the Information Systems Security Association shows that this gap between the demand for and supply of qualified technicians persisted for the fifth consecutive year in 2021.
“As cyber standards are raised globally, companies will have to vie for talent to hire the people who can work in this field,” says Vergroesen. “We believe companies should therefore focus on the development of cyber skills within their organizations, as simply acquiring outside talent might prove to be a difficult challenge.”
As the specific engagement program has ended, the team will now focus on the issue where it is an indirect consequence of digitalization across the spectrum.
“Although this engagement has come to a close, we continue to see the importance of cybersecurity across virtually all industries,” says Vergroesen.
“Specifically, our engagement themes on the digitalization of health care and the social impact of artificial intelligence continue to focus on companies’ diligent implementation of cybersecurity and data privacy practices. There is much work yet to be done; like technology itself it is always moving on.”
This information is for informational purposes only and should not be construed as an offer to sell or an invitation to buy any securities or products, nor as investment advice or recommendation.
The contents of this document have not been reviewed by the Monetary Authority of Singapore (“MAS”). Robeco Singapore Private Limited holds a capital markets services license for fund management issued by the MAS and is subject to certain clientele restrictions under such license.
An investment will involve a high degree of risk, and you should consider carefully whether an investment is suitable for you.