Corporate Cybersecurity Risk – A Guide for Investors Part 2

In part one, we covered how cyber insecurity is a top 4 risk in the World Economic Forum’s latest Global Risks Perception Survey; the fact that poor cybersecurity can have a negative impact on share price, stock volatility, probability of credit default and market share; and that investors can use cybersecurity performance data as a cyber incident risk early warning signal and governance indicator.

(4) How to engage: Practical considerations for debt investor cyber engagement

Firms are generally receptive to productive engagement on practical matters that address real risks and shape investor perceptions, making cybersecurity a meaningful engagement topic for active fixed income investors.

For investors, there are several key issues to consider when designing a corporate cybersecurity engagement strategy:

1. Understand your role. Investors aim is to maximize risk-adjusted returns by contributing to effective cyber-risk oversight, not direct intervention in a company's technology operations. Engagement strategies should consider scale, timeliness, overhead minimization and the potential financial impact from improved cybersecurity hygiene. Focus on improvement over time in the company’s relative and absolute cybersecurity performance indicators that most correlate to downside financial events. Challenge the company’s leaders to demonstrate better cybersecurity hygiene, then let them execute their own remediation plan.
2. Leverage quantitative analytics. Effective integration of cybersecurity risk in public-market investment portfolios requires real-time and large-scale analytics. In-depth consultative risk assessments would typically be relevant only in private market investments where credit exposure is concentrated, and liquidity is limited. The aim of the analysis is to understand the overall effectiveness of the policies, controls, governance and procedures that a company is implementing. Cybersecurity risk ratings can help investors efficiently assess issuer relative to peers without relying on qualitative and often generic self-disclosures. This information can be shared confidentially with companies for direct remediation and follow-up.
3. Prioritize your engagements. With quantitative cybersecurity risk ratings, investors can scan their portfolio to identify the lowest performers (i.e., the highest risk holdings) on material factors and prioritize efforts with those companies with especially poor performance relative to their peers. Identify which industry sectors and geographic regions are most at risk from financially material cyber-attacks and consider the sector’s level of cyber risk materiality and the size of your investment for prioritization. Driving improvement at material outliers is an efficient way to manage portfolio cyber security exposure, while also raising industry-wide cyber resilience.
4. Engage with purpose. Engagement on cybersecurity performance is typically a new experience for both the investor and the company involved. This requires investors to explain their approach for integrating cybersecurity performance in investment analysis and articulate why it has become a relevant engagement topic. Investors are not expected to have cybersecurity domain expertise, but having an understanding of the essential metrics, why they are meaningful and material, and how they can be indicative of broader security governance issues does add to investor credibility. Adopting a collaborative approach that fosters trust with the issuer can often lead to measurable improvement in cybersecurity performance and unique insights into the issuer’s internal governance and culture.
5. Give relative feedback. Measure relative results. Ensure that your portfolio companies are aware of the need to improve by presenting their assessment data versus anonymized peers. No single source – including externally scanned cybersecurity performance ratings – can give the complete picture of a company’s cyber risk and preparedness. But these data can give a consistent indication of relative performance, which is a powerful motivator in competitive markets. Externally sourced cybersecurity risk ratings can be easily shared with engagement counterparts, for seamlessly tracking of remediation to ineffective cyber controls and the resulting improvements to assessment scores. The company’s willingness to engage, and the timeliness and effectiveness of their remediation plan is itself an indicator of the company’s broader technology management and maturity.

When applied judiciously and with prudent double-checks, the integration of cyber security performance data can materially reduce the risk and impact of cyber-events for portfolio companies, while adding valuable context to the overall corporate governance assessment.

(5) Case Study: How investors can quantify cybersecurity engagement impact

While investor engagement with portfolio companies on governance and sustainability is now commonplace, objective measurement of engagement impact is often a challenge. For cybersecurity, investors can leverage cyber performance ratings and associated risk metrics to directly measure impact from engagement. This case study from Nomura Asset Management on cybersecurity engagement with supranational debt issuers shows how.

A recent ransomware incident that disabled the U.S. arm of a Chinese bank and briefly disrupted trade settlement in the US Treasury bond market is just the latest example of how cyber risks can affect not just individual banks but financial system integrity as a whole. Even before this event, Nomura Asset Management (NAM) has engaged with financial institutions in the $1.5 trillion multinational development bank (MNDB) sector on the topic of cybersecurity.

MNDB issuers are government-backed and typically AAA-credit rated financial institutions that fund their lending through issuance in debt capital markets. Since they do not issue common stock or pay dividends, MNDBs must appeal to debt investors on the strength of their sovereign backing, conservative finances, and high standards of governance and risk management – including cybersecurity. As vital providers of international development loans and technical assistance projects, MNDBs are highly exposed to both financial service sector and emerging market cyber risk, yet are typically exempt from national banking regulations and related cybersecurity oversight. As such, cybersecurity is a material yet traditionally overlooked comparison factor and investor engagement topic for MNDBs.

To assess cybersecurity management practices in the MNDB market, Nomura Asset Management partnered with Bitsight Technologies, a cybersecurity ratings provider, to quantify and analyze each issuer’s cybersecurity performance management and cyber maturity level for insights into relative ransomware risk as well as cyber oversight and governance quality. The resulting score distribution painted a picture of generally Intermediate-to-Advanced cybersecurity performance within the MNDB peer group, but with several concerning outliers. In particular, NAM identified high-risk MNDB issuers with Bitsight cybersecurity risk rating scores in the “Basic” and “Low Intermediate” range (Chart 1) that correlate with approximately 4.6 to 7.9 times higher risk of ransomware incident according to Bitsight research.

NAM engaged with the high-risk issuers by first explaining how cybersecurity is integrated into its governance quality framework and sustainable investment due-diligence process for MNDBs, and sought discussion with these organization’s CISOs for additional context. At one engagement target, the CISO followed up to report that new cybersecurity policies had been initiated and that specific risks were being remediated as a result of NAM’s engagement and shared data from Bitsight.

After three months, NAM was able to independently confirm through the Bitsight platform the quantitative improvement across all measures of that issuer’s cybersecurity practices, resulting in notable reductions in implied cyber incident risk (Table 1). These findings show how real-time performance data and analytics can enable data-driven cybersecurity engagement for measurable cybersecurity impact at portfolio companies.

CONCLUSION

Cybersecurity is one of the most pervasive and significant threats facing society today. As with the critical issue of climate change, a “whole of society” coordinated action is needed from companies, policy makers, and markets to effectively meet this challenge.

Technological solutions and regulatory oversight are already in place - what is needed now is for investors to “price” corporate cybersecurity performance by integrating it in investment decisions and engaging with firms to drive real-world improvement. Objective, comparable, and real-time performance data is the key to enable this cybersecurity-financial integration and engagement at scale.

By leveraging insights from Cybersecurity risk ratings and financially-material cybersecurity disclosures from firms, investors can better manage their own portfolio cyber risk, while contributing to the management and protection of digital systems on which we all depend.

To gain further insights into how investors can mitigate cyber risk, please contact Jason Mortimer.