Cyber risk should be addressed at board level as it poses an increasing threat to companies and investors, says Robeco’s head of Governance and Active Ownership.
Many companies view cyber security risks as simply a hacking threat that can be combatted with anti-virus software, while others don’t train staff in how to deal with a problem, warns Carola van Lamoen. And for some companies, the very software they use to conduct business may be exposing them to serious risk, she says.
The issue was hotly debated at the annual conference of the International Corporate Governance Network (ICGN), whose Corporate Risk Oversight Committee is co-chaired by Van Lamoen. The committee launched a Viewpoint outlining its aims on cyber risk which was widely circulated among ICGN members.
“One of the main takeaways was that cyber risk is now so serious it is something for boards to directly address as part of their corporate risk oversight,” says Van Lamoen, Head of the Governance and Active Ownership team at Robeco. “In the past, cyber risk was an issue that was dealt with by some department on the 4th floor, but that’s no longer acceptable.”
“It has become an issue of how cyber risk oversight is arranged, and whether boards are aware of their need to act and communicate. There is significant room for improvement here because cyber risk has increased, in two main areas: the risk of being hacked as the cyber criminals become more professional, and the risk of the wrong implementation of software. Even without a hacker, substantial risks can be faced if you don’t have your IT department in order.”
A lack of technical knowledge may be putting off some board members from trying to tackle the problem, but that doesn’t let them off the hook, adds George Dallas, Policy Director at the ICGN. “Cyber risk is a global threat for companies and investors. It is also a matter of corporate governance, to ensure that companies are taking appropriate steps to both understand and protect against cyber attacks specifically – but also other information technology risks in a broader context,” he says.
‘Non-executive directors should build awareness of cyber risks’
“A great challenge is the technical complexity linked to cyber risk. Even though many board directors may not have strong technical backgrounds, this does not absolve the board for accountability in terms of how cyber risks are governed. As a global investor-led body, ICGN believes that non-executive directors should build awareness of cyber risks, and that investors should also be prepared to engage with both directors and executive management to ensure that these risks are given appropriate attention and oversight.”
The new Viewpoint gives investors some ammunition to start a dialogue with companies on this issue. “We provided an overview of topics and questions that are relevant when talking to companies; there are questions that investors can ask directors at a policy level,” Van Lamoen says. “Conferences are a good place for Viewpoints such as this to be discussed; the idea really is to generate debate on the topic.”
Some recent high profile cases include USD 81 million that was stolen from Asian financial institutions using a malware link; ‘denial of service’ attacks that brought down websites; and hacking that led to sensitive credit card details being stolen from online retailers.
An example of the major impact of wrong implementation of software was Knight Capital, which deployed untested software to a production environment containing a bug. When the firm released the software into production, their trading activities caused a major disruption in the prices of 148 companies listed at the New York Stock Exchange; Knight Capital's stock price collapsed by 70%.
Van Lamoen says there is a danger that companies which are hacked will hush it up to avoid any embarrassment, leaving investors in the dark. “It differs between companies. Obviously as an investor it’s good to know first of all how a company is dealing with it. They need to be transparent on who is ultimately responsible, how cyber risks are mapped and what systems are maintained to prevent incidents, and if any incidents do happen, how this will be addressed,” she says.
Some viruses get into a company when an employee clicks on a link in their email while using a corporate computer without realizing that it contains malware that is sophisticated enough to bypass firewalls. “So you should create a culture where people are not worried about reporting a problem if something goes wrong, because otherwise it can be extremely harmful to the company,” Van Lamoen says.
“This starts at the top, through board-level oversight. Board members should provide adequate resources to deal with these kinds of issues. That was a big topic of debate at the conference; how much resources do you actually need for this, and what is enough? It’s difficult to say – you would only really know if it’s not enough when something goes wrong. But we accept that there are limits to what companies can do.”
The Viewpoint includes a three-point plan for investors to consider. It advises that companies should have:
“Taken together, these illustrate the need for board members to ensure an approach is used that is designed for complex, dynamic environments,” says Van Lamoen. “It is important that cyber risk oversight is integrated with the strategy and risk management of the company, particularly with regard to identifying a company’s critical data and informational assets.”
Please read this important information before proceeding further. It contains legal and regulatory notices relevant to the information contained on this website.
The information contained in the Website is NOT FOR RETAIL CLIENTS - The information contained in the Website is solely intended for professional investors, defined as investors which (1) qualify as professional clients within the meaning of the Markets in Financial Instruments Directive (MiFID), (2) have requested to be treated as professional clients within the meaning of the MiFID or (3) are authorized to receive such information under any other applicable laws. The value of the investments may fluctuate. Past performance is no guarantee of future results. Investors may not get back the amount originally invested. Neither Robeco Institutional Asset Management B.V. nor any of its affiliates guarantees the performance or the future returns of any investments. If the currency in which the past performance is displayed differs from the currency of the country in which you reside, then you should be aware that due to exchange rate fluctuations the performance shown may increase or decrease if converted into your local currency.
In the UK, Robeco Institutional Asset Management B.V. (“ROBECO”) only markets its funds to institutional clients and professional investors. Private investors seeking information about ROBECO should visit our corporate website www.robeco.com or contact their financial adviser. ROBECO will not be liable for any damages or losses suffered by private investors accessing these areas.
In the UK, ROBECO Funds has marketing approval for the funds listed on this website, all of which are UCITS funds. ROBECO is authorized by the AFM and subject to limited regulation by the Financial Conduct Authority. Details about the extent of our regulation by the Financial Conduct Authority are available from us on request.
Many of the protections provided by the United Kingdom regulatory framework may not apply to investments in ROBECO Funds, including access to the Financial Services Compensation Scheme and the Financial Ombudsman Service. No representation, warranty or undertaking is given as to the accuracy or completeness of the information on this website.
If you are not an institutional client or professional investor you should therefore not proceed. By proceeding please note that we will be treating you as a professional client for regulatory purposes and you agree to be bound by our terms and conditions.