How cyber is underestimated as an ESG risk

Fund managers – especially credit firms – need to rethink how they assess target companies’ cyber resiliency as part of their ESG due diligence, writes Terésa Cutter, managing director and head of ESG and impact at private debt firm White Oak Global Advisors.

As data breaches grow in number and prominence, asset managers need clear policies on how to build cybersecurity into every part of their environmental, social and governance (ESG) due diligence on investments. Cybersecurity, and the broader notion of cyber-resilience (an organisation's ability to withstand and recover from an attack, not merely to prevent one), typically sits within ESG's governance branch. But the recent rash of large-scale breaches highlights the potential impact on all facets of an organisation. Any company that has not incorporated cyber-planning into every part of its operations is increasingly exposed to risks that also carry a social impact.

Terésa Cutter; source: White Oak Global Advisors

According to the most recent RBC Global Asset Management study on the topic, two-thirds of the 800 investors surveyed across the US, Canada and Europe rated cybersecurity as a top ESG concern. As a result, an increasing number of investors expect asset managers to have developed robust, firm-wide cyber-defence policies and the capability to evaluate any kind of data breach.

An impact that stretches beyond G

Within ESG, governance generally considers the rights and responsibilities of a company’s management and ownership through the actions and policies of executives in the C-suite, the board and other stakeholders. Governance often focuses on general business ethics, corruption and accounting transparency, as well as behavioural aspects such as board diversity and executive pay.

Typically, cyber-resilience resides under the governance umbrella of ESG, because breaches usually expose operational risks that fall under management's purview. However, prominent breaches – such as those that affected T-Mobile in August 2021, Colonial Pipeline in May 2021, Capital One in 2019 and Equifax in 2017 – have demonstrated that an attack's effects ripple far beyond the C-suite and board.

The latest breach at T-Mobile displays the gravity of the situation. Data stolen from the cellphone carrier included first and last names, birth dates, US Social Security numbers and driving licence information, affecting more than 40 million former and prospective customers as well as millions of current ones. The financial and social welfare of millions of people is now at risk.

The Colonial Pipeline ransomware attack, which struck the operator's corporate IT systems, forced it to shut down the main pipeline supplying fuel to the US East Coast for several days, showing how an intrusion into office systems can imperil critical infrastructure and the environment. Following the attack, calls for regulation of, and transparency into, the sustainability of an organisation's cybersecurity plans have only grown louder.

At Capital One, an attacker gained access to data on more than 100 million customers and credit card applicants, including 140,000 US Social Security numbers, one million Canadian Social Insurance numbers and 80,000 linked bank account numbers. The attack jeopardised the social welfare of millions of customers, employees and community members.

The Equifax breach, which led to a settlement of up to $700 million and a roughly 30% drop in the credit reporting agency's share price, demonstrated how seemingly intangible concerns can have very tangible consequences for a company's bottom line. The attack, which exploited a publicly known web-application vulnerability for which a patch had been available for months, affected 147 million consumers, underscoring its social impact.

In all, these breaches damaged public trust in corporations, institutions and infrastructure and affected many millions of people. For businesses, cyberattacks have the potential to erode customer trust and loyalty, as well as a company’s brand. Taken to the extreme, a cyber-breach can threaten a company’s reputation, the sustainability of its earnings and even lead to regulatory intervention and legal sanctions.

Extending cyber-resilience to every facet

For asset managers, robust cyber-resilience and response processes can help safeguard reputations and prevent outflows. More importantly, close monitoring of various ESG and technology factors enables better data security, business model resilience and critical incident risk management, thereby benefiting a broad range of stakeholders.

More pointedly, we as asset managers need to change the way we evaluate investment opportunities. We can no longer simply check the box when a company has stated policies and frameworks. This is particularly important in private credit, where by design direct lenders such as ourselves have no control over our borrowers' governance, which limits our capacity to help them improve their cyber-resiliency.

We need to be able to assess the potential risk of a cyberattack to every part of the investment from an ESG standpoint and work with companies to find ways to mitigate those threats.

All companies need to manage cyber-risks to their systems proactively, beginning by cultivating a culture of cyber-resilience that prepares for everything from phishing attempts to the protection of client data. A cyber-resilient culture starts from the understanding that breaches are inevitable, so every person within the organisation needs to know which role to play when one occurs.

The pandemic has accelerated digitisation across all sectors and industries and, with it, the opportunities for large-scale security breaches. Consequently, the importance to investors of ESG factors such as cyber-risk management and protections, as well as transparent disclosures and reporting, should only increase for asset management firms.

Terésa Cutter is managing director and head of ESG and impact at White Oak Global Advisors