date 2015-08-31
(Repeats Friday story, no change to text)
* Survey of asset managers highlights weak disclosure
* Only three of Europe's top 10 companies flag risk in report
* Boards urged to bring in tech-savvy executives
By Simon Jessop and Ross Kerber
LONDON/BOSTON, Aug 28 Investors are being poorly
served by a haphazard approach from fund managers to the growing
threat of cyber crime damaging the companies in which they
invest, with a lack of clarity from the businesses themselves
compounding the problem.
Banks have led the way in developing cyber defences and some
top fund managers have ramped up pressure on companies to do
more, but the broader picture is less encouraging.
"I don't see any visible stand asset managers are taking,
like they do on other social responsibility items," said Malcolm
Harkins, information security chief at U.S. cyber security
start-up Cylance Inc.
The soft underbelly of companies outside the banking sector
was exposed again this month when hackers leaked details of
nearly 37 million clients of Ashley Madison. The infidelity
website had to postpone its stock market listing and now faces a
$750 million lawsuit.
More than half the value of companies worldwide is in
intangible assets, such as intellectual property, much of which
is stored on computers and could therefore be vulnerable to
hackers.
That figure could be as high as $37.5 trillion of the $71
trillion in enterprise value of 58,000 companies, according to
Brand Finance, a consultancy specialising in valuation of
intangible assets. The World Economic Forum said that robust
protection against cyber risk could add as much as $22 trillion
to the global economy by 2020.
The global financial cost of attacks is rising fast -- up
more than 10 percent last year, a report by specialist
researcher Ponemon Institute said.
Though some might argue that investors can sell out of
businesses they consider to be performing badly on cyber safety,
the reality is less straightforward. Passive funds that track a
specific index or sector have no leeway, while pension funds
tend to demand a longer-term view from asset managers.
But even those keen to evaluate cyber risk face an uphill
struggle, hampered by a lack of resources, poor data and weak
disclosure from companies.
Sacha Sadan, corporate governance head at the fund arm of
insurer Legal & General, told Reuters that cyber risk
is one of his team's top priorities for corporate engagement but
described the approach of some rivals as "hit and miss".
"We would rather a company, when they come to talk to us,
had a slide that said 'this is what we're doing'. At the moment,
it's us asking them and they say, 'well, most other shareholders
don't ask'."
MIXED PRIORITIES
A Reuters survey of fund firms with a combined $16 trillion
in assets showed pressure on company boards is far from uniform.
Only four of 12 governance chiefs at British, French, German
and U.S. fund houses interviewed by telephone and email said
they considered cyber risk a "top priority" across all of their
investments. The remainder said they either discussed the issue
case by case or that there was too little information for proper
risk-assessment.
BlackRock, the world's biggest asset manager, is
among those that have engaged with companies, though it declined
to provide further detail on examples in its quarterly
governance report.
In its latest report BlackRock said it had spoken to a large
insurer and "shared perspectives" gained from speaking to cyber
experts and other companies.
As for the types of business meriting closer examination,
Jessica Ground, global head of stewardship at Schroders,
said that less-obvious targets such as travel agents need to do
more. Another chief named online gaming as a sector laggard.
Most fund managers do have dedicated teams supervising
governance. But these often number fewer than 10 people to
analyse and speak to thousands of companies on a broad range of
topics, with matters such as executive pay regularly given
higher priority than cyber security.
On the other side of the fence, the companies themselves are
far from united in their approach.
"There is significant divergence across companies as to how
prepared they are," said Antony Marsden at Henderson Global
Investors.
Though attitude to cyber risk is inherently difficult to
quantify, analysis of the most recent annual reports of the 10
biggest companies in Europe and the United States showed
variable communication on the issue.
Only three of the Europeans -- Novo Nordisk, HSBC
and Royal Dutch Shell -- had a separate
section on cyber risk or information security. Across all 10
reports there were a mere 14 mentions of keywords "cyber",
"information security", "hack" or "hacking".
That compares with five of the U.S. companies -- Apple,
Wells Fargo, Facebook, General Electric and JPMorgan -- and 63
keyword references, partly influenced by more banks featuring in
the list.
WHEN, NOT IF
"You can look at an annual report and see some companies
talk a lot about what would happen if the euro were to fail
... But just as important is what happens if you get hacked,"
L&G's Sadan said. "You will get hacked. So what's your
contingency planning?"
Several smaller U.S. investment firms with a mandate for
socially responsible investment are already pressing companies
publicly over data security matters, including the filing of
proxy resolutions at shareholder meetings.
Arjuna Capital, for example, had American Express
shareholders vote on whether it should report annually on how
its board oversees privacy and data security. Amex opposed the
idea, saying its board receives regular updates, and the
proposal won only 22 percent of the vote at the annual meeting.
Highlighting the lack of a consistent approach from asset
managers, a number of large fund firms opposed the resolution.
It is little wonder, then, that some have yet to address a
skills gap that leaves them ill-equipped for proper
risk-assessment.
"The frameworks for dealing with cyber risk, about what it
means for our business and what can we do about it, are only now
being put in place," said Sandra Carlisle at Newton Asset
Management.
Rules in the United States requiring companies to report
data privacy breaches are likely to be replicated in Europe in
the near future, which will aid funds' understanding of the
risks.
In the meantime, investors are very much in the dark.
"What you get is assurance that people are looking at these
things," said Iain Richards at Anglo-U.S. fund firm Columbia
Threadneedle. "There's a scarcity of meaningful disclosure."
