Data is sometimes called the “new oil” given its integral role in the functioning of the world’s economy. But how safe is this data? As more business activity and social interaction move online – particularly in the wake of the coronavirus pandemic – companies’ approach to cyber security is being scrutinised. Through a dedicated engagement programme, we’re helping to influence companies’ policies and best practices in this area.
Cyber-security incidents are on the rise, and regulators and investors are increasingly scrutinising companies’ policies and protections, given the costly implications of these incidents
To foster dialogue and compliance on cyber issues, we engaged 17 companies in the most vulnerable sectors, to understand their approaches and share best practices across these industries
Our research highlighted the hallmarks of a robust approach to cyber security, including the need for companies to think about not just their internal systems but their wider ecosystem
We plan to extend this engagement to other industries, because these issues are of growing and universal relevance as more business activity and social interaction move online
Cyber security is a growing concern for businesses, institutions and individuals, with a rise in incidents such as critical data breaches, ransomware, “email spoofing” and operational breakdowns. The risks increase as more business activity and social interaction move online – a trend that has been accelerated by the coronavirus pandemic. A report by the security firm McAfee with the Center for Strategic and International Studies estimated the annual cost of cybercrime at USD 600 billion. And as the potential risks grow in scale and complexity, the costs will likely increase.
Given the high stakes, cyber risks are attracting increasing regulatory scrutiny. Similarly, investors want to be confident that the companies in which they invest have the necessary protections in place – given that these risks can threaten their ability to operate and, ultimately, their existence.
Our dedicated engagement programme
To enhance and share knowledge on this topic, Allianz Global Investors has spent two years conducting a cyber-security engagement programme. Working with our portfolio managers, we selected 17 firms spanning financials, technology and the internet – sectors with a potentially high exposure to cyber risk, where we would expect to see comprehensive and robust protections.
We found this engagement helpful in several ways, such as identifying companies with an elevated cyber-security risk, producing more accurate ESG risk ratings, and progressively embedding cyber-risk considerations into the investment case. Furthermore, driving more transparency around this topic is critical, as companies’ current public disclosures on cyber-security may not allow investors to assess the risks fully.
We summarise our key findings below, with more detail available in our full report here:
Organisations that are advanced on this issue have a highly structured approach – These companies can identify, quantify and mitigate the risks (eg, through insurance) and they include provisions on their balance sheet.
Maturity level is positively correlated with cyber resilience – Companies that have faced cyber risks for longer are likely to have more robust governance and security practices in place – not least because they have had to combat more live incidents. They also tend to have a larger budget allocated to managing those risks.
Improved cyber security can be a competitive advantage – As rigorous cyber security becomes, in effect, a company’s licence to operate, firms with a more robust and tested approach are likely to have the confidence to move faster to seize new opportunities; this may favour firms with a simpler business model.
Reputational damage can be the biggest cost – Losses due to cyber incidents range from operational interruptions to large fines and compensation payments, but the most material impact could be the damage to the reputation of affected companies – although this can be difficult to quantify.
Businesses need to think about their entire ecosystem – Rather than focusing only on protecting their own assets, they need to address the threats that come from important stakeholders (such as infected client devices) and other third parties in the value chain.
People can be the weakest link in cyber-security defence – A cyber incident is not necessarily a deliberate attack – an internal failure caused by human error or oversight can also cause system unavailability.
From insights to positive stewardship outcomes
While generating a wealth of insights, this type of engagement is constructive in several ways. It gives companies a better understanding of the information they should provide to help investors assess the risks related to cyber security. And it also contributes to continuous improvement in disclosure and practices. By tracking publicly available information on the 17 companies involved in the engagement, we found that six of them have improved their disclosures, risk management and governance. One company has appointed a chief information security officer; others have added a cyber-threat intelligence team or appointed a group data protection officer. Cyber risk management is increasingly likely to be included in firms’ key performance indicators, and training is generally being improved on these issues.
Next we plan to expand this project to other industries, given the universal relevance of these issues. We are committed to sharing knowledge and communicating our expectations to companies, as well as embedding cyber factors into our investment cases. Dialogue is critical to these goals.