Cybersecurity and measures to prevent cyber-attacks are more important than ever for investors and proxy advisors, as they affect all corporations regardless of industry.

Sophisticated cyber-attacks, such as the hacks during 2022, have exposed the vulnerability of corporations in Australia to shortcomings in their security systems. Such attacks not only involve negative media coverage, fines and other financial costs for these firms, but also erode customer and stakeholder trust. As a result, cybersecurity and measures to prevent cyber-attacks are more important than ever for investors and proxy advisors (not to mention customers) and they affect all corporations regardless of industry.

Since the end of 2021, proxy advisor CGI Glass Lewis has partnered with BitSight Cybersecurity Ratings to include an evaluation of the cyber risk performance of corporations in their Proxy Papers. The data provided is similar to an ESG rating but focused specifically on the cybersecurity ecosystem. BitSight’s assessment is based on public disclosures examining company policies, due diligence processes, user behaviour and data breaches, amongst other issues.

CGI Glass Lewis’ Proxy Papers already include ESG scores from third parties Sustainalytics and Arabesque. These ratings are publicly available on their respective websites, giving issuers the ability to check their score ahead of the AGM or at any other time. However, BitSight’s Cybersecurity Rating assessments are not public, so if issuers want to know their score, they have to request a free report from BitSight directly. Paid versions, including a full assessment, are also available. Issuers can also engage with BitSight to address any issues or concerns raised in the assessment.

From an investor point of view, the aim is to understand a company’s exposure to data privacy and security risks and the possible financial implications. That is to say, how material are cybersecurity risks for the company?

BlackRock’s Approach to Data Privacy and Security for Investment Stewardship provides more guidance for issuers. They expect the board to effectively oversee cybersecurity risk, particularly if it is a material risk for the organisation. BlackRock also considers whether customer consent and personal data processing are being appropriately managed to ensure a minimal risk of information being lost or stolen. To avoid any controversies, issuers should disclose their due diligence process for ensuring that transfers of information to third parties are carried out in an appropriate manner.

Interestingly, the recent data breaches represent a lesson learned for both issuers and investors given that they are similarly exposed to cybersecurity issues either from hackers or due to human error. These threats are real and good corporate governance practices are required to effectively manage risks and defend against hacking attempts. Having a robust cybersecurity strategy and controls in place to protect the company from reputational, legal and financial risks is ultimately a responsibility of the board.

Georgeson’s Insights
  • Ensure the board is aware of the cybersecurity strategy and actively participates in the decision-making. Expertise in technology and cybersecurity, as well as in governance, can be hard to find; alternatives include board education, external advisors and ensuring that KMP (key management personnel) update the board regularly on progress.
  • Be transparent and disclose the steps you are taking to address and prevent any cyber-attack. Demonstrate that you treat cyber risks like any other business risks.
  • Understanding the materiality of cybersecurity for your company is crucial to addressing it appropriately for the level of risk.
  • Be aware that you can engage with BitSight if you believe its assessment does not fully represent your situation.
  • Data security regulations vary across different countries and jurisdictions and are rapidly evolving. Being able to anticipate regulatory risks and not just comply will put you ahead of the game.
  • While CGI Glass Lewis states that the third-party information included in their Proxy Papers (Arabesque, Sustainalytics and BitSight) does not influence their voting recommendations, this information does end up in the hands of investors. Engaging with proxy advisors and investors on material ESG topics can help you avoid any nasty surprises in future.