In today’s rapidly evolving investment landscape, information security and climate risks have become critical governance concerns. As the threats from cyber-attacks and climate change continue to mount – and regulators address these subjects – investors may expect portfolio companies to demonstrate robust programs and strategies to mitigate these risks, as they can have material financial impact.
Companies that fail to prioritize addressing cyber-attacks and climate change may fall behind their peers and may face heightened exposure to material security breaches and/or the negative impacts of climate change. By prioritizing information security and climate resilience, businesses not only can protect their assets and reputation but can also ensure long-term sustainability for their stakeholders and value creation for their shareholders.
Even while they develop such skills within their boards, however, companies still face traditional governance concerns such as audits, financial restatements, and identifying material weaknesses. Addressing both these new and older governance issues will be an ongoing challenge for companies. Investors seeking to track company performance in these areas can draw on ISS ESG’s Governance QualityScore data, while other ISS ESG solutions such as Cyber Risk Score, Climate Solutions, or ESG Corporate Rating can provide additional insights into information security and climate risk more generally.
Director Skills in Demand
Having directors with expertise in information security and climate resilience can provide invaluable guidance and oversight to companies. By having directors with those skills on their boards, companies can better position themselves to understand and manage the impact of their operations on cyber-security and the environment. Such directors can help ensure that management takes active steps to mitigate risks and capitalize on opportunities.
In recent years, boards of U.S. companies have made significant progress in building robust directorships with information security skills. According to ISS ESG’s Governance QualityScore data, in 2023, 784 boards of the Russell 3000 had three or more directors with information security skills (Figure 1). (Note that the total number of companies varies across figures because of variation in the number of companies that disclose information for a given factor.)
Figure 1: Number of Directors on Russell 3000 Company Boards with Information Security Skills
Source: Governance QualityScore data as of December 31, 2023
These 784 boards with 3+ information security-skilled directors represent a 30% increase over the previous year. With new cyber-security disclosure rules from the U.S. Securities and Exchange Commission (SEC) in place, and cyber threats looming large for companies, the presence of such directors is likely to draw closer scrutiny from investors.
Climate resilience skills do not yet have comparable representation, however. Despite the growing importance of climate risks and opportunities, most boards in the Russell 3000 still lack directors with expertise in this area (Figure 2).
Figure 2: Number of Directors on Russell 3000 Company Boards with Climate Resilience Skills
Source: Governance QualityScore data as of December 31, 2023
In addition to industry-materiality considerations, the disparity between information security and climate resilience skills could be attributed to the relative newness of climate concerns compared to the relative maturity of cyber-security as a component of risk management. As a result, professionals with expertise on climate-related topics may be more difficult to find and recruit.
Another emerging area of focus is Human Capital Management, where SEC rules are expected in Spring 2024. According to ISS ESG’s Governance QualityScore data, fewer than half of listed U.S. companies (47%) disclose a board committee in charge of these matters (Figure 3).
Figure 3: US-Listed Russell 3000 Companies with Human Capital Committees
Source: Governance QualityScore data as of December 31, 2023
Enduring Governance Risks
Even as companies and their boards of directors navigate the complex landscape of emerging risks, these new risks do not supersede existing governance risks but rather add to them. Traditional risk areas such as audit, financial restatements, and identifying material weaknesses still require diligent oversight. A comprehensive approach to governance risk management involves considering both new and older risks and ensuring that companies have robust strategies and programs in place to address them.
Governance QualityScore data indicates that over the past five years, there has been a 162% increase in restatements (Figure 4) and a 157% increase in material weakness identifications (Figure 5).
Figure 4: Growth in Restatements among Russell 3000 Companies, 2019-2023 (%)
Source: Governance QualityScore data as of December 31, 2023
Figure 5: Growth in Material Weakness Identifications among Russell 3000 Companies, 2019-2023 (%)
Source: Governance QualityScore data as of December 31, 2023
Further, nearly 30% of Russell 3000 constituents have had the same auditor for 21 years or more (Figure 6). This indicates a high degree of consistency and stability in the audit function, which can be beneficial for investors who value predictability in financial reporting.
Figure 6: Auditor Tenure in Russell 3000 Companies
Source: Governance QualityScore data as of December 31, 2023
However, long-tenured auditors may lack the fresh perspective and independence that new auditors could bring to the table. As a comparison, the European Union implemented rules in 2014 for mandatory rotation of auditors after 10 years, with a maximum duration of 24 years under certain circumstances.
Conclusion
The intersection of new and older governance risks creates a complex risk landscape for companies and their boards of directors. An important concern for investors is whether companies address both emerging risks, such as information security and climate, and established risks, such as audits, restatements, and material weaknesses.
A comprehensive approach to governance risk management involves considering all relevant risks and ensuring that companies have robust strategies and programs in place to address them. ISS ESG Governance QualityScore data can help investors in monitoring these aspects of company governance. The ISS ESG Cyber Risk Score and Climate Solutions, as well as the ISS ESG Corporate Rating, can also help investors in determining their exposure to information security and climate risks.
Explore ISS ESG solutions mentioned in this report:
- ISS ESG’s Governance QualityScore supports investors as they consider governance in their quality analyses and incorporate unique compensation, board, and shareholder responsiveness data into management assessments.
- Assess and manage cyber risk across your ESG investments with ISS Cyber Risk Score.
- Use ISS ESG Climate Solutions to help you gain a better understanding of your exposure to climate-related risks and use the insights to safeguard your investment portfolios.
- Identify ESG risks and seize investment opportunities with the ISS ESG Corporate Rating.
By: Hinza Zeru, Vice President, Product, ISS ESG
Guillaume Tassin, Associate Director, Product, ISS ESG