Investors urged to take steps to address cybersecurity risks

Railpen and Royal London Asset Management have shared guidance on the cybersecurity risks in investment portfolios, urging investors to recognise the financial materiality of cybersecurity to their portfolios, and take the necessary steps to address this.

The report, Cybersecurity Risk & Resilience: Guidance for Investors, aims to provide an evidence-based perspective on the financial materiality and threat landscape of cybersecurity risk, with practical guidance for both asset owners and asset managers on how to engage with portfolio companies on the issue.

This builds on the work of a coalition of investors, led by Royal London Asset Management, which aims to address the systemic risks surrounding a thematic stewardship issue by engaging with portfolio companies and participating in policy advocacy.

In particular, Railpen and Royal London Asset Management encouraged investors to use the expectations and framework outlined in the report as a tool to assess portfolio companies’ baseline approach to cybersecurity and measure their progress towards best practice.

The pair also called on investors to identify and engage with companies that face high-risk exposure, using sector-specific vulnerabilities as a lens for screening and the report’s recommended questions to initiate dialogue.

In addition to this, Railpen and Royal London Asset Management stressed the need for investors to participate in policy advocacy on cybersecurity, as a supportive regulatory environment will enable improved alignment between company disclosures and investors’ expectations.

Commenting on the guidance, Railpen senior investment manager, sustainable ownership, Caroline Escott, stressed that while cyber resiliency might not be a top priority for investors when building and reviewing their portfolios, "it absolutely should be".

"The World Economic Forum reports that 29 per cent of organisations have been materially affected by a cyber incident over the past 12 months alone," she continued.

"Through understanding, monitoring and influencing the behaviour of those companies, we can help ensure our portfolios are resilient to material environmental, social and governance (ESG) risks and, as a result, protect and enhance the long-term value of members’ savings.

“This report leverages our coalition’s experience of engaging with companies and policymakers over several years on cybersecurity. It’s designed to help investors understand what best practice looks like when it comes to cybersecurity disclosure and practice, using real-life examples to bring it to life.

"We published this guidance to further empower other investors to ask the right questions of companies and take the necessary steps to ensure their investments are protected over the long-term."

This was echoed by Railpen sustainable ownership senior investment analyst, Sophie Harris, who warned of a "concerning disconnect" between leaders’ awareness and preparedness for cyber attacks.

"Around 40 per cent of chief information security officers surveyed by Proofpoint concede that their organisation is unprepared to cope with a targeted cyberattack," she continued.

"While it is positive to see regulators starting to take action, with the U.S. Securities and Exchange Commission’s cybersecurity rules, we believe investors have an important role to play when it comes to closing the gap and forcing business to start taking cyber preparedness more seriously.

“Recognising the importance of cybersecurity resilience, we encourage asset managers to develop their understanding of the financial materiality of cybersecurity, use the investor expectations as a tool for engagement with companies that face a high level of risk, and report on progress to their clients.”

Royal London Asset Management senior engagement manager, Georgina Chiu, also stressed the need for collaboration from asset managers, asset owners, regulators and policy makers in order to drive corporate change.

"We founded the coalition because we understand the very real threat that cyber presents to our industry, driven by geopolitical threats, the development of Generative AI and increased supply chain vulnerabilities," Chiu stated.

“There are a number of actions investors can take to tackle the growing risk of cybersecurity to portfolio companies. This report demonstrates how we are creating a step change for the industry, by elevating stewardship from reactive engagement after a cyber incident has occurred, to a proactive dialogue on resilience.”


