Cybersecurity Risk & Resilience: Guidance for Investors

The report, Cybersecurity Risk & Resilience: Guidance for Investors, provides an evidence-based perspective on the financial materiality and threat landscape of cybersecurity risk, as well as up-to-date practical guidance for both asset owners and asset managers on how to engage with portfolio companies on the issue.

It seeks to answer three key questions:

1. Why should investors care about cybersecurity?
2. What should investors expect of portfolio companies?
3. What can investors do?

Based on the evidence presented in the report, Railpen and Royal London Asset Management together are calling on investors to take the following steps to address cybersecurity risks:

• Recognise the financial materiality of cybersecurity to their portfolios
• Use the expectations and framework outlined in the report as a tool to assess portfolio companies’ baseline approach to cybersecurity and measure their progress towards best practice
• Identify and engage with companies that face high-risk exposure, using sector-specific vulnerabilities as a lens for screening and the report’s recommended questions to initiate dialogue
• Participate in policy advocacy on cybersecurity, as a supportive regulatory environment will enable improved alignment between company disclosures and investors’ expectations