Investors Urged to Screen for Cybersecurity Risks
Railpen and RLAM say regulation alone won’t give investors full view of companies’ cyber efforts.
New stewardship guidance published by UK pension fund Railpen and Royal London Asset Management (RLAM) said asset owners and managers should do more to identify and engage with portfolio companies facing high levels of exposure to cyber risk. They should assess each company’s baseline approach to cybersecurity and measure progress against it going forward.
As part of the guidance, RLAM and Railpen have called on investors to engage with policymakers on cybersecurity-related risks to help shape the regulatory landscape by supporting the development of related standards that are transparent, robust, practical and “aligned with the realities of the market”.
“With the rise of digital transformation and the fast pace of AI adoption, cybersecurity has become a strategic priority for many companies, given its potential impact on their businesses,” Jen Sisson, CEO of the International Corporate Governance Network (ICGN), told ESG Investor.
“Many institutional investors consider cybersecurity risks and opportunities as a key factor in their analysis of a company’s long-term value.”
New cyber rules set to impact investors include the EU’s Digital Operational Resilience Act (DORA), which applies from 17 January 2025 as part of the bloc’s digital finance package.
Under the regulation, financial institutions must implement comprehensive ICT risk management, continuous monitoring, resilience testing, incident response plans and business continuity measures.
“DORA is a hot topic, and something that is long-overdue,” said Charles Radclyffe, Partner at ESG data company EthicsGrade. “It’s perhaps a surprise that other sectors haven’t considered digital resilience to the same degree as the finance industry, but one would presume this will follow in the years to come.”
The European Supervisory Authorities have expressed concern about the implementation of DORA, noting several potential compliance challenges for investors.
The EU’s AI Act, finalised in December 2023, could also have an impact on investors who fail to get on top of the cyber exposure of portfolio companies. Under the rules, organisations that fail to comply with their AI obligations could be fined up to 7% of global annual turnover.
“Regulatory frameworks like DORA and the EU AI Act have increased expectations, demanding stronger governance and risk management across the financial system,” said Sisson.
In its 2025 Global Cybersecurity Outlook, the World Economic Forum (WEF) said that 76% of chief information security officers surveyed described the splintering of cybersecurity rules as a “significant compliance challenge”.
In 2019, Railpen published a report with UK pension fund Nest on the issues surrounding cyber and data security.
In the same year, RLAM set up a Cybersecurity Coalition, comprising investors such as Railpen, Nest, Border to Coast and Brunel Pension Partnership, in a bid to address the systemic risks around cybersecurity.
Engaging at the source
While it is important that investors engage with the development of cybersecurity-related policy, investors also need to engage directly with portfolio companies on the associated risks, the guidance noted.
“Cybersecurity is one of those issues where digging beneath what is disclosed in a company’s written reporting really pays off,” said Caroline Escott, Railpen’s Senior Investment Manager of Sustainable Ownership.
“Many companies are nervous about providing too much publicly-available detail on their cyber defences in case it proves to be a ‘red rag to a bull’ for hackers. While Railpen has been supportive of moves by policymakers to improve corporate cyber disclosures, there’s no substitute for speaking to companies directly.”
The guidance suggested using a sector-specific approach to proactively engage with “laggards” in vulnerable sectors in order to increase cyber resilience.
For example, a 2023 report found that the healthcare industry was the sector most targeted by third-party cyber breaches, accounting for almost 35% of all such incidents in 2022.
Other vulnerable sectors include manufacturing, finance and insurance, and energy and utilities, according to RLAM and Railpen.
ICGN’s Sisson said it is “critical” that company boards can also demonstrate to their investors how they are overseeing cybersecurity risks and controls.
“Boards play a vital part in overseeing cybersecurity risks and controls and ensuring the responsible deployment of technologies by their companies,” she said.
“This requires knowledge and a readiness to challenge management on internal controls and risk management processes.”
EthicsGrade’s Radclyffe also highlighted the importance of exploring cybersecurity-related risks in company supply chains, which he said can be “catastrophic” to capital value when these risks manifest.
“These are all topics that should have been front and centre of investors’ minds 30 years ago, when it was clear that digitalisation was going to be the future,” he added.
“It’s already late to be thinking about the risks inherent in [something like] AI governance in supply chains, but perhaps the financial harms of cyber are better evidenced – and the opportunities of AI are too alluring.”
The post Investors Urged to Screen for Cybersecurity Risks appeared first on ESG Investor.