Do Investors Care About Cybersecurity?

Given the financial, reputational, and legal harm that can arise from cyber breaches, corporate shareholders and investors are increasingly concerned about the cybersecurity of the companies in their investment portfolio. How will investors begin to engage with companies on this issue?

A few weeks ago, the Council of Institutional Investors (CII) offered a roadmap for future shareholder engagement on cybersecurity. The CII is an association of large institutional investors, including many of the world’s largest pension funds. In a published document called “Prioritizing Cybersecurity,” the CII laid out five critical questions that investors should be asking board members regarding their company’s cybersecurity practices.

Why is this important?

Since the SEC’s 2011 guidance on cybersecurity disclosure, large institutional investors had been mostly silent about engaging with companies on the issue of cybersecurity. Many attorneys and corporate governance experts expected investors to take more active role in understanding and overseeing cybersecurity initiatives within their investment portfolio. With “Prioritizing Cybersecurity,” the CII becomes one of the first investor organizations to publicly outline critical questions that large institutional investors should be considering in their investment decisions. It may be viewed as a framework for future investor initiatives and engagements with their portfolio companies on cybersecurity.

You don’t have to be an expert

One critical issue facing directors today surrounds their level of sophistication on cybersecurity. What should boards be expected to do? The CII clearly states that investors do not expect directors to develop a deep, technical understanding of cyber threats. This is a significant statement, as a number of companies and board members are struggling to properly define the scope of the director’s role in cybersecurity. However, the CII suggests that directors do need to understand their company's’ risk management strategy and understand how data is being protected, and where weaknesses lie.

The 5 key cybersecurity questions for boards

So what then are the 5 key questions to ask of portfolio company boards?

1. How are risks being communicated to boards, and at which frequency?

According to the CII, the frequency of corporate communications to board members about cybersecurity depends on company size, industry, and other factors. However, boards should be seeking regular updates on cybersecurity. Some boards may rely on internal company resources for updates, while others may seek out third parties.

2. Has the company’s cybersecurity strategy been evaluated?

The CII states that boards need to make sure their companies’ have established comprehensive strategies that includes to protect sensitive and critical data. These measures ultimately need to mitigate the compromise of data that would cause any financial, operational, reputational, or legal harm. These include:

• How sensitive and critical data is being protected
• How companies are evaluating the security of their supply chain (third parties, vendors, and suppliers)
• Whether or not third parties will be involved to assess the company’s cyber risk management efforts

3. Is the company structured appropriately to address cybersecurity risks?

The CII suggests that boards should oversee the company’s corporate governance framework around cybersecurity. Cybersecurity needs to flow all the way up through management. The C-suite and General Counsel needs to work with risk and security teams to set an agenda for identifying and responding to cyber risk. Additionally, investors should make sure directors and the board have appropriate qualifications be held accountable for the company's cybersecurity program.

4. How does the board evaluate the effectiveness of the company’s security program?

This is one of the critical questions posed by the CII. Investors should encourage their boards to use cybersecurity performance metrics that suit the company’s risk profile. These include:

• The quantity and/or scale of vulnerabilities, attacks and/or incidents detected and/or resolved
• The resources expended to detect and resolve vulnerabilities
• Achieving and maintaining compliance with regulations and/or security best practices

The CII also notes that investors should be especially encouraged if the board is benchmarking security performance against peers and competitors to measure cybersecurity performance.

5. Is the company’s disclosure of cyber risk fair and accurate?

The CII is concerned that investors do not have all of the cybersecurity information appropriate to make an investment decision. Investors should encourage companies to disclose material cyber risk and security incidents. Disclosure is not always mandatory, thus investors should notify boards if they are concerned with interpretations of what constitutes material cyber risk.