Global Sustain

Principles for Responsible Investment

Member: Society Premium
Since: 10.07.2014

5th Floor, 25 Camperdown Street, E1 8DZ London, United Kingdom

PRI: Engaging with companies on cyber security

06.04.2018

Investors are seeing the value in engaging with companies on their cyber security governance.

Companies’ cyber security and data management have come under increased scrutiny in the aftermath of high-profile cases from Target, TalkTalk, Sony and more. Cyber attacks can compromise customer information, operational systems and sensitive business data such as financial data, supplier details and intellectual property. 

Cyber security should be a concern to investors as it can:
  • damage reputation and brand value;
  • create earnings risks and governance problems;
  • lead to consultancy, compensation, legal and regulatory costs.
Against this backdrop, investors are looking to reduce this costly, global, cross-sector risk and maximise opportunities in their portfolios.

Investors are calling for companies to demonstrate that they understand cyber security as a risk across the business that must be adequately governed, and not left as the remit of the IT department.

They are seeking to deepen their understanding of companies’ risk mitigation, budgeting, training, recovery action plans and technical solutions.

PRI-coordinated collaborative engagement

Responding to strong interest from signatories, the PRI launched a collaborative engagement on cyber security in June 2017.

The engagement sees 53 institutional investors engaging with global companies in the healthcare, financial, consumer goods, information technology and telecommunication sectors to improve their approach to cyber security governance and their cyber security processes.

The engagement was established with the following objectives: 
  • Build investors’ knowledge of how their portfolio companies are positioned to manage cyber risk (with a focus on companies’ policies and governance structures).
  • Establish investor expectations on what companies can and/or should disclose regarding cyber risk governance.
  • Improve the amount and quality of company disclosure on cyber risk and governance.