January 2018 | Jeff Barbieri, ESG Analyst; Justin Peavey, Chief Information Security Officer
Cyber attacks can result in lost or compromised data and business disruptions that result in litigation, loss of customer trust, and brand deterioration. Unfortunately, even the most sophisticated, comprehensive cybersecurity policies and systems cannot deter every attacking attempt. As cyber criminals and their tools become more advanced and nuanced, the importance of a good cybersecurity program grows for companies in every sector.
No company or industry is insulated. Cyber criminals and spies don’t target only those companies with highly sensitive information; they attack any company they can and figure out afterward whether they’ve obtained valuable information. Acknowledging that any company is a potential target, we take a “when, not if” approach to this issue during ESG engagement, focusing on management’s awareness of cybersecurity risks and planned responses to a data breach or other cyber crisis. As with any form of corporate risk, we expect management teams to understand their biggest cyber threats and be able to articulate how they’ve aligned information security programs to mitigate these threats.
The following are the types of cybersecurity questions we typically ask companies across all sectors.
We expect an answer that may include one or more of the following:
Vulnerability management. With software and system vulnerabilities identified constantly, it can be extremely difficult to update systems promptly each time a vendor releases new security patches. Companies with highly distributed and heterogeneous computer systems, including those embedded in manufacturing, point-of-sale, or other delivery-chain components, may be at risk of service outages and compromise.
Insufficient tools and staff to investigate attacks. Companies should recognize that detection of and response to cyber attacks is just as important as protection, and that they can’t predict what the next successful attack will look like. We like to see companies treat cyber defense as an active rather than a passive process, with staff assigned to watch for and investigate anomalies. We also like to see strong collaborative cyber-information-sharing relationships with industry associations and peers.
Unintentional user error and process risks. Companies should recognize that most data breaches are caused by accidental or careless mishandling of information, or from failure to follow established processes. They should be able to discuss their challenges and approaches to reducing risks in this area, including user training, data-loss prevention programs, and an operational risk-management focus.
Excessive access privileges and challenges managing access. Attackers often take on the identity of internal staff. Breaches are much more manageable if staff have access only to the information and functionality necessary for their jobs. For many companies, managing proper access across disparate applications and data systems as staff members change roles is a complex yet common problem, one that often requires significant attention.
We look for an informed answer that demonstrates an understanding of their chief cyber risks. For example:
Cyber criminals who look for information they can quickly profit from, such as consumer data, material nonpublic information (MNPI), access to financial accounts, or other information that can be resold or otherwise used to make money. Companies should also recognize their “ransom risk” and realize where and how their operations might be easily compromised, or where damaging and embarrassing information might be accessed by criminals looking for extortion opportunities.
Hacktivists (computer hackers whose aim is to promote a social or political cause) who may have objections to the company’s business or executives and who may wish to publicly harm or disparage the firm. This risk is acute for companies perceived as socially irresponsible.
Spies who target proprietary information of competitor firms or who target companies to benefit a foreign government. Companies should recognize whether they might be a target for espionage and be aware of who the most likely attackers might be. Firms that compete directly with foreign government interests should be particularly concerned.
Even the fiercest industry competitors should consider an open dialogue with peers; no one goes it alone when identifying cyber threats. If attackers find a vulnerability in one company’s systems, they’ll surely try the same approach with that company’s industry peers.
We worry when a company answers “no” or suggests that its systems are impenetrable. Nearly every company has been attacked by cyber criminals, so the question is how aware the company is of its cyber-attack risks. Conversely, we aren’t necessarily concerned if a company has been successfully attacked, provided it can express lessons learned and improvements made. Unfortunately, many firms aren’t prompted to improve their cyber programs until they experience a cyber crime firsthand. Those that have been attacked may have better, more mature programs as a result.
Of course, we want to hear a definitive “yes.” If the function reports to the highest levels of the company (the board, CEO, or a senior-level committee), this can signal that the company takes cyber risk seriously. However, reporting to someone senior doesn’t help if that individual isn’t interested in cyber risk or doesn’t have the time to provide proper oversight.
When the information security program doesn’t report to the highest level, we inquire further about whether escalation channels are available and if information security is part of a company’s information technology (IT) department, which can have its own budget constraints and competition for resources with other IT priorities. Regardless of structure, every company should have a Chief Information Security Officer (CISO) with an unobstructed escalation channel to the board or board equivalent. Notably, both structures have proven successful; the more important question is why the current structure works for the company and how leadership arrived at this structure.
It is not feasible for every company to have a cybersecurity expert on its board. Boards have limited seats to cover vast areas of expertise, so it may not be efficient to dedicate one of those seats to something as specific as cybersecurity. Nonetheless, a board should be receiving frequent education and updates from the CISO.
At some companies, the audit committee is responsible for overseeing cyber risk. While this may work in certain sectors, most audit committees already have extensive and complex responsibilities, making it unlikely that they can dedicate the time necessary to manage cybersecurity. If a company has shoehorned responsibility for cyber risk into its audit committee, this may signal that the company is not taking the issue seriously.
At Wellington, our ESG and information security teams regularly collaborate to update our engagement questions and discuss what we should expect to hear in response from management teams on this evolving topic.