Railpen and Royal London Asset Management publish new guidance for investors on cybersecurity risk and resilience
Railpen, one of the largest pension managers in the UK and responsible for managing £34 billion of assets on behalf of over 350,000 members, has published a new report in partnership with Royal London Asset Management, which manages £170 billion, on growing cybersecurity risks in investment portfolios.
The report, Cybersecurity Risk & Resilience: Guidance for Investors, provides an evidence-based perspective on the financial materiality and threat landscape of cybersecurity risk, as well as up-to-date practical guidance for both asset owners and asset managers on how to engage with portfolio companies on the issue.
The Guidance has been developed using insight from Railpen’s and Royal London Asset Management’s combined engagement with companies over the past five years and seeks to answer three key questions:
- Why should investors care about cybersecurity?
- What should investors expect of portfolio companies?
- What can investors do?
Based on the evidence presented in the report, Railpen and Royal London Asset Management together are calling on investors to take the following steps to address cybersecurity risks:
- Recognise the financial materiality of cybersecurity to their portfolios
- Use the expectations and framework outlined in the report as a tool to assess portfolio companies’ baseline approach to cybersecurity and measure their progress towards best practice
- Identify and engage with companies that face high-risk exposure, using sector-specific vulnerabilities as a lens for screening and the report’s recommended questions to initiate dialogue
- Participate in policy advocacy on cybersecurity, as a supportive regulatory environment will enable improved alignment between company disclosures and investors’ expectations
In 2019, Railpen joined a coalition of investors, led by Royal London Asset Management, dedicated to addressing the systemic risks surrounding this thematic stewardship issue by engaging with portfolio companies and participating in policy advocacy. This work built upon a report that same year by Railpen and Nest.
Caroline Escott, Senior Investment Manager, Sustainable Ownership at Railpen, says: “Cyber resiliency might not be a top priority for investors when building and reviewing their portfolios – but it absolutely should be. The World Economic Forum reports that 29% of organisations have been materially affected by a cyber incident over the past 12 months alone.
“Railpen follows the evidence to understand how issues such as cybersecurity affect the value of the companies we invest in. Through understanding, monitoring and influencing the behaviour of those companies, we can help ensure our portfolios are resilient to material ESG risks and, as a result, protect and enhance the long-term value of members’ savings.”
Sophie Harris, Senior Investment Analyst, Sustainable Ownership, Railpen, adds: “We are seeing a concerning disconnect between leaders’ awareness and preparedness for cyber attacks. Around 40% of CISOs surveyed by Proofpoint concede that their organisation is unprepared to cope with a targeted cyberattack. While it is positive to see regulators starting to take action, with the U.S. Securities and Exchange Commission’s cybersecurity rules, we believe investors have an important role to play when it comes to closing the gap and forcing business to start taking cyber preparedness more seriously.
“Recognising the importance of cybersecurity resilience, we encourage asset managers to develop their understanding of the financial materiality of cybersecurity, use the investor expectations as a tool for engagement with companies that face a high level of risk, and report on progress to their clients.”
Georgina Chiu, Senior Engagement Manager at Royal London Asset Management, says: “Driving corporate change requires a collaborative effort from asset managers, asset owners, regulators and policy makers. We founded the coalition because we understand the very real threat that cyber presents to our industry, driven by geopolitical threats, the development of Generative AI and increased supply chain vulnerabilities.
“There are a number of actions investors can take to tackle the growing risk of cybersecurity to portfolio companies. This report demonstrates how we are creating a step change for the industry, by elevating stewardship from reactive engagement after a cyber incident has occurred, to a proactive dialogue on resilience.”
Read the full report – Cybersecurity Risk & Resilience: Guidance for Investors