I went to a conference recently where a member of one of the UK security agencies was speaking – he couldn’t give his name, no photographs were allowed, no mention on social media and he could not be further than 6 feet away from his laptop at any time. My interest was piqued!
It was like something out of Spooks! Immediately I envisioned shifty characters skulking around in the shadows trying to steal official secrets from hapless civil servants – however, the reality is far from it. While some well-publicised leaks come from carelessly leaving laptops in public places, or being photographed with sensitive data on clearly visible paperwork, that’s not the biggest danger. What is? Sophisticated cyber-attacks.
“Paul” regaled us with tales of poor passwords and cyber snooping through family members’ social media, along with people plugging dropped memory sticks into computers. I know, you’ve heard all this before, but there are instances of companies in a takeover process being completely stripped of their intellectual property before a deal is done!
You only have to open the paper to see it. The press is full of worrying data breaches at well-known companies – in the past year we have seen this everywhere, from the financial sector to airlines to supermarkets to the London Tube – investors therefore need to address cyber security with the companies they invest in.
In fact, it’s estimated that sophisticated techniques used by hostile states pass down into organised crime in around 6 years. So it makes sense to listen to the security agencies when they advise us on what we should be asking boards of investee companies. Cyber security is being addressed at a national level both in the UK and US – most recently the US has introduced the US Cybersecurity Disclosure Act requiring listed companies to disclose (in public filings) whether any of the board members are considered to be a cyber security expert.
The discussions we have with boards of the companies we invest in include: how they identify their most valuable assets, whether physical or intellectual, how they identify the threats to those assets and how they adapt a risk management programme to deal with those threats. We are interested in the level within the organisation at which these issues are considered, whether there is sufficient expertise on the board to understand them, how often the company tests its defences and how it learns from incidents.
It’s not perfect; we aren’t able to attend board meetings. However, by addressing this issue with companies when we have the opportunity, we hope it encourages them to start having serious discussions around the board table.
About the author
Miranda Beacham is Corporate Governance Manager in the ESG Research team. She is responsible for monitoring, engaging and voting of investee companies in line with our Responsible Investment Policy. She joined us in 1994 as a research assistant in the UK equity team and has 25 years’ industry experience*. Miranda studied Chemistry at Napier University and has the IMC professional qualification.
*As at 30 April 2019.