In a new two-part paper, Jason Mortimer, Head of Sustainable Investment – Fixed Income at Nomura Asset Management, examines how investors can leverage data insights to better engage with portfolio companies and mitigate cyber risk.
Part 1 covers why investors should engage, which asset classes to engage in, and how they can evaluate cyber risk.
The increasing sophistication and frequency of cyber-attacks have exposed companies of all industries and geographies to significant risks including data loss, business interruption, reputational damage and financial loss. There is growing appreciation that cybersecurity is not just a technical matter but a key component of overall corporate risk and governance that can be objectively assessed with data.
In response, investors are now analyzing cyber risk in their portfolios and engaging with portfolio companies on the topic of cybersecurity to protect their investments and maximize risk-adjusted returns, consistent with fiduciary duties. Through the market mechanism, this process can generate societal benefits by accelerating the adoption of cybersecurity best-practices and raising the cyber resilience of individual firms and the broader financial system.
On October 30, 2023 the SEC filed a lawsuit against SolarWinds, a company that experienced one of the largest cyber incidents in recent history. The lawsuit alleges that the company made misleading statements about its cybersecurity program in its filings and public communications, which prevented investors from understanding the actual risk associated with the company. With this lawsuit and recent changes in disclosure requirements, the SEC is signaling that investors must be able to analyze cyber risks in their investments.
This high-profile case is not a one-off event, but part of the growing trend in cybersecurity-related disclosure requirements, regulatory enforcement, and corporate litigation. Investors now find themselves exposed to a previously unconsidered portfolio risk factor with real-world implications – cybersecurity.
Concerns about cybersecurity and inaccurate or incomplete representations of cybersecurity programs by corporates have led investors to demand independent, comparable, and quantifiable information on the state of a company’s cybersecurity practices. In particular, investors need forward-looking indicators for those practices and factors most relevant to a company’s real-world risk of material cybersecurity incident.
Thanks to new outside-in data and innovative approaches to integration, the evaluation of cybersecurity performance is no longer limited to regulated, infrequent public disclosures or subjective corporate surveys. Objective, data driven, correlated cyber risk analytics and indicators are now available for assessing the cyber performance of any global company with a digital footprint – listed or not. This can empower even non-technical investors to engage with corporations about their cybersecurity practices and credibly advocate for improvement with transparent and real-time feed-back.
This paper offers a practical guide on why and how investors can engage on this vital topic.
Is cybersecurity really a material issue for investors to consider and engage on? The answer is “yes” - as both an indicator of governance quality and downside risk potential.
First, consider governance. Investors value companies with good corporate governance – a broad concept encompassing effective board oversight, risk management and reporting. But consistent evaluation of governance quality is a challenge. Faced with incomplete information, investors look for indicators of governance that signal corporate risk and quality. The perception of such qualitative factors is often a consideration in investment analysis for capital allocation and corporate valuation.
Cybersecurity maturity can be seen as a unique proxy for corporate governance and as a positive indicator of effective systems and risk management. As corporate workloads and products become increasingly digital, effective oversight and protection of these functions can contribute to broader managerial effectiveness. From an investor perspective, companies that make the strategic investments in people, systems and internal procedures to effectively manage their cybersecurity are also likely to be capable of effectively managing their business overall. In other words, good corporate cyber maturity is evidence of good corporate management.
Next, consider investment downside risk. Research shows that poor cybersecurity can have a negative impact on share price, stock volatility, probability of credit default and market share. According to the SEC lawsuit, SolarWinds' stock price declined ~35% in the first month after disclosure of the attack. Credit rating agency Moody's has warned that these incidents, including recent examples at Clorox, MGM and Johnson Controls, can be credit negative for affected companies. And the financial materiality of attacks is only likely to grow as regulatory-mandated disclosure and transparency improve.
Taken together, cybersecurity is no longer a niche topic but a mainstream risk and opportunity for global investors. As such, it is imperative that investors can objectively gauge how their corporate portfolio investments are managing cyber risk, and proactively address this through investor engagement.
Shareholder interests tend to drive corporate engagement, but the defensive nature of corporate cybersecurity makes it especially relevant for credit investors, infrastructure, and private debt markets.
For equity investors, engaging companies on cyber risk management aligns with protecting long-term corporate value. But practically speaking, there is a limit on how much minority shareholders, who typically focus on maximizing profit and dividends, will advocate for the up-front costs of effective cyber risk mitigation. This is an example of market failure, because the costs of insufficient cybersecurity defenses are ultimately borne by the firm, its customers, and society at large; it has led to calls for better transparency, regulatory oversight, and even corporate legal liability.
Credit investors on the other hand are more attuned to downside and corporate default risk as key drivers of return. Cybersecurity, as a predominately downside risk factor, is a topic naturally aligned to these investors’ specific risk priorities. In fact, engaging on a unique topic like cybersecurity with specific, and actionable feedback can be an effective way for credit holders to gain the attention of corporate management, as they lack the voting and board representation rights of shareholders.
Private debt markets are also well suited for investor engagement on cybersecurity. Borrowers in these markets are often small, with weaker credit profiles, and lack comprehensive cybersecurity resources and insurance coverage, factors that increase the risk of default from a cyber-attack. As a result, some private market lenders now integrate cybersecurity risk ratings as part of lending due diligence. Certain development finance organizations have taken this a step further, incorporating cybersecurity performance evaluations into both underwriting risk assessment and technical assistance for borrowers operating in high-risk industries and regions.
Infrastructure assets can also benefit from investor engagement on cybersecurity. For many types of critical national infrastructure, such as electricity, water, energy, telecommunications, transportation and health, the materiality of cybersecurity to the issuer's mission is significant, while geopolitical developments are increasing the threat of disruptive and destructive attacks on these assets. As regulation of operating conditions and compliance is a key driver of risk for infrastructure, engagement for effective cybersecurity performance is not just a question of investment return but also of license to operate.
Investors don’t typically have expertise in cybersecurity technology and operations, and this can make cybersecurity engagement seem intimidating and opaque. But with empirically grounded cyber risk analytics, investors can now meaningfully engage with companies on cybersecurity.
Effective investor engagement begins with understanding a company’s exposure to and management of a particular risk. But when it comes to cybersecurity, in-depth technical knowledge of specific cybersecurity procedures and controls is not strictly necessary. Rather, having a view on what industries and regions are most exposed to cybersecurity risks, and the cybersecurity performance of a company relative to peers is more important to the overall investment analysis. This distinction is critical and means that the analytical approach and data used by investors differs from those of corporate risk managers and cybersecurity professionals.
A good place for investors to start is by identifying how downside cybersecurity risks could materially affect an entity's business. From here, it is possible to build a bottom-up assessment framework with consistently available data to gauge how well the entity manages material cyber risks over time and relative to peers.
For integration of these insights into investment decisions, investors need a top-down understanding of cybersecurity materiality, such as by sector and geographic region. Research on attack trends, quantitative modeling of financial impacts, and empirical observations of the relative vulnerability of industry sectors provide additional important context when evaluating a company's cybersecurity performance in investment analysis.
Cybersecurity risk ratings and performance analytics data can enable even non-specialist investors to assess cybersecurity risk consistently and prioritize higher-risk issuers for meaningful engagement. For example, it is now possible to track performance data across a set of materiality-weighted cyber risk vectors that refresh daily for high-frequency observability. Investors can use this data as a downside early-warning signal for adverse cyber events, as a low-latency proxy for broader corporate governance and technology management, or both.
Workflows for active portfolio scanning and rapid follow-up engagement can have real-world applicability for cybersecurity-aware investors. In one instance, Nomura Asset Management privately engaged with a US medical company whose cybersecurity risk rating had fallen significantly on both absolute and relative measures. The company's performance indicated a four times higher risk of data breach against a standardized assessment, with a real-world risk to the company's reputation and the medical privacy of customers. In this case, a relative assessment of risk was more important to investors for identifying and engaging with the company than technical understanding of specific cybersecurity vulnerabilities.
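As an added illustration of the scanning workflow described above (this is not code from the Nomura paper or from any rating provider), the toy scan below computes a materiality-weighted rating from outside-in risk vectors and flags an issuer for follow-up only when its rating has fallen on both an absolute measure (points lost across the daily snapshot window) and a relative measure (standing versus a peer group). The vector names, weights, thresholds, issuers and all readings are constructed assumptions.

```python
from statistics import mean, pstdev

# Hypothetical materiality weights (percent) for four outside-in risk vectors.
# Both the vector names and the weights are constructed for this example.
WEIGHTS = {"patch_cadence": 35, "exposed_services": 30,
           "credential_leaks": 20, "tls_config": 15}

def composite(vectors):
    """Materiality-weighted rating on a 0-100 scale (higher is better)."""
    return sum(WEIGHTS[k] * vectors[k] for k in WEIGHTS) / 100

def peer_z(score, peer_scores):
    """Relative standing versus peers in standard deviations (negative = worse)."""
    sd = pstdev(peer_scores)
    return 0.0 if sd == 0 else (score - mean(peer_scores)) / sd

def scan(issuer, snapshots, peer_scores, abs_drop=10.0, z_floor=-1.0):
    """Flag an issuer for follow-up engagement only when its rating fell on
    BOTH measures: absolute points lost across the snapshot window, and
    relative standing versus the latest peer ratings.
    snapshots: daily vector readings, oldest first."""
    ratings = [composite(s) for s in snapshots]
    drop = ratings[0] - ratings[-1]
    z = round(peer_z(ratings[-1], peer_scores), 2)
    return {"issuer": issuer, "latest": ratings[-1], "drop": drop,
            "peer_z": z, "flag": drop >= abs_drop and z <= z_floor}

# Constructed daily snapshots for two hypothetical issuers.
MEDCO = [
    {"patch_cadence": 85, "exposed_services": 80, "credential_leaks": 90, "tls_config": 95},
    {"patch_cadence": 70, "exposed_services": 70, "credential_leaks": 90, "tls_config": 90},
    {"patch_cadence": 60, "exposed_services": 55, "credential_leaks": 70, "tls_config": 90},
]
STABLECO = [
    {"patch_cadence": 95, "exposed_services": 95, "credential_leaks": 95, "tls_config": 95},
    {"patch_cadence": 85, "exposed_services": 85, "credential_leaks": 85, "tls_config": 85},
]
PEERS = [84, 79, 88, 81, 76]  # constructed latest ratings of the sector peer group

if __name__ == "__main__":
    for name, snaps in (("MEDCO", MEDCO), ("STABLECO", STABLECO)):
        print(scan(name, snaps, PEERS))
```

STABLECO loses the same ten points in absolute terms but stays above its peers, so it is not flagged; MEDCO falls on both measures and is queued for engagement.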
In Part 2, we discuss what fixed income investors should consider when engaging firms on cyber risk, and we walk through a case study that highlights how investors can quantify their cybersecurity engagement impact.
To gain further insights into how investors can mitigate cyber risk, please contact Jason Mortimer.
Head of Sustainable Investment – Fixed Income, Nomura Asset Management
This content has been prepared by Nomura solely for information purposes, and is not an offer to buy or sell or provide (as the case may be) or a solicitation of an offer to buy or sell or enter into any agreement with respect to any security, product, service (including but not limited to investment advisory services) or investment. The opinions expressed in the content do not constitute investment advice and independent advice should be sought where appropriate. The content contains general information only and does not take into account the individual objectives, financial situation or needs of a person. All information, opinions and estimates expressed in the content are current as of the date of publication, are subject to change without notice, and may become outdated over time. To the extent that any materials or investment services on or referred to in the content are construed to be regulated activities under the local laws of any jurisdiction and are made available to persons resident in such jurisdiction, they shall only be made available through appropriately licenced Nomura entities in that jurisdiction or otherwise through Nomura entities that are exempt from applicable licensing and regulatory requirements in that jurisdiction. For more information please go to https://www.nomuraholdings.com/policy/terms.html.