A recent Cybersecurity Ventures survey predicts potential global cybercrime-related losses of $8 trillion in 2023, up from $5.5 trillion in 2021, with ransomware attacks hitting organisations once every 11 seconds. The World Economic Forum’s latest report on global risks again ranks cyber as one of the top 10 risks to businesses. A CGI-Oxford Economics study from 2017, quoted by the UN Principles for Responsible Investment (UNPRI), found that a serious cyber security incident could cause an average permanent decline of 1.8% in a company’s share price. Figures and findings like this show that cyber security risks should not be underestimated, given their ability to damage a company’s bottom line and its reputation.
Reports on cyber security have been prepared by the ISS ESG & ISS Corporate Solutions business units.
Key Takeaways
- Cyber threats take an array of forms that may pose risks for investors.
- The US, EU, and UN are developing rules to guide company disclosures on cyber security.
- Investors may wish to raise the issue of cyber security risk management practices in their board engagement, using current rules to assess company performance.
- ISS ESG offers a new product, the ISS ESG Cyber Risk Score, which flags the likelihood of a portfolio company suffering a material cyber security incident. The Cyber Risk Score can support investors as they navigate potential cyber threats to their portfolios.
The European Union Agency for Cybersecurity (ENISA) identified the major varieties of cyber threats in its 2022 Threat Landscape Report:
- Ransomware, where cybercriminals take control of a target’s assets and demand a ransom in exchange for the assets return
- Malware, such as viruses, worms, or trojan horses that adversely impact company systems
- Social Engineering threats, where users are lured into opening documents, files, or e-mails, or visiting websites, thereby granting cybercriminals access to systems or services
- Threats against data, including data breaches or data leaks
- Threats against availability: Denial of service, where data is rendered unavailable to the proper users
- Threats against availability: Internet threats, where access to the internet is disrupted
- Disinformation/misinformation
- Supply-chain attacks, where both the supplier and the customer are targets
Given this array of cyber security threats, investors may well be concerned about risks to the companies in their portfolios. The SEC in the US and the European Parliament in the EU are currently developing rules to encourage corporate disclosures of cyber security breaches.
The SEC’s new disclosure rules:
- Speed up disclosure of cyber security breaches
- Increase the amount of data to be disclosed
- Require disclosure of cyber security systems
- Require disclosure of cyber security oversight
The latest proposed piece of legislation from the EU, the Cyber Resilience Act, addresses insecurities in wireless and wired products and software, shifting the onus for security onto manufacturers. The Cyber Resilience Act was proposed because, with “growth in smart and connected products, a cyber security incident in one product can have an impact on the entire supply chain, possibly leading to severe disruption of economic… activities across the [EU] market.”
In addition to the Act, two key directives on critical and digital infrastructure became official in January, and member countries have 21 months to implement them. These directives aim to strengthen the EU’s resilience against online and offline threats from cyberattacks. The two Directives entering into force are:
- The Directive on measures for a high common level of cyber security across the Union(NIS 2 Directive)
- The Directive on the resilience of critical entities(CER Directive)
The regulatory landscape in Asia-Pacific (APAC) is generally less developed than in the US or the EU, according to press reports. There is a “lack of alignment on regulation and variations in cyber maturity across APAC,” which makes a unified response to attacks difficult.
According to the Global Cyber Security Index, for example, which ranks maturity levels globally, Korea and Singapore are ranked 4th, Malaysia 5th, and Japan 7th, while other APAC countries, such as the Philippines and Myanmar, rank 61st and 99th, respectively, so there are wide variations. The index is topped by the US at number 1 and UK at number 2. While there are regulatory developments in Australia and Singapore, large economies such as India have no consistent approach and Hong Kong is still working on legislation.
To bring corporations and their investors together to discuss the threat of cyber security and potential preventive activities, in 2018 and 2019, the UN Principles for Responsible Investment supported 53 institutional investors, representing more than $12 trillion in assets under management, in collectively engaging with global companies in the healthcare, financial, consumer goods, information technology, and communications industries. The exercise was to help understand “how companies are positioned to identify, manage and remediate a potential cyber security breach” and resulted in an engagement document on cyber security governance.
Most recently, ISS ESG announced, in the US in January, the launch of the ISS ESG Cyber Risk Score. The Cyber Risk Score supports investors by signaling the relative likelihood of a portfolio company suffering a material cyber security incident within the next 12 months, based on its external security posture. The product also allows a corporation to view its own score and compare it with those of its peers.
The new Cyber Risk Score is based on the regular collection of global risk indicators that reflect a company’s cyber security risk behaviors, such as organisational security postures, software services, and the use of third-party service providers. These are combined with historical data so the modeling can use machine learning to identify patterns indicative of potential breach events.
The Score already covers companies in the S&P 400, S&P 500, and S&P 600, while the whole Russell 3000 will be completed in the first quarter of this year. For investors, the full dataset can be accessed via the ISS proprietary platform DataDesk. While the Cyber Risk Score will be added to ISS’ Benchmark Governance Research and Voting reports for S&P 500 companies in time for the upcoming 2023 proxy season, it will not impact ISS’ policy application or voting recommendations.
Conclusion
Investors concerned about cyber threats to their portfolios may wish to engage with companies to ensure board oversight, board expertise, and cyber security monitoring across the value chain. They could also assess whether companies are complying with the latest directives and regulations and set disclosure expectations accordingly. Investors pursuing such an approach can use the new ISS Cyber Risk Score to benchmark portfolio companies against their peers and as a tool for engagement to drive better disclosure on cyber security.
Explore ISS ESG solutions mentioned in this report:
- Assess and manage cyber risk across your ESG investments with ISS Cyber Risk Score.
By: Paul Hodgson, Senior Editor, ISS Corporate Solutions