
Cybersecurity: a significant part of ESG engagement


The need for companies to maintain robust cybersecurity and risk management policies has never been more evident. No one is immune to data breaches, and cyberattacks are likely to increase in severity and frequency.

We believe technology companies could be most at risk. They typically have high information sensitivity, may hold a large amount of customer data, and could have reduced business continuity plans and risk management practices. Yet many do not identify a key line of responsibility for cybersecurity, show little evidence of staff training, and have limited board oversight of the cyber strategy, despite being in sectors historically targeted for cyberattacks.

There are signs that cybersecurity is emerging as a significant ESG theme, as highlighted by the findings of the recent Perennial Better Future Survey released in November 2022.

3 areas of ESG focus

After two years of Greenhouse Gas (GHG) emissions and alignment with the Paris Agreement being the top priority for corporates, in 2022 cybersecurity concerns took pole position, up from fourth in 2021. This was consistent across both larger and smaller companies, demonstrating the risks of increasing cyberattacks and the material concerns this brings, including reputational risk, fines and regulatory attention, customer loss and litigation.

For the Perennial Better Future portfolio, we have responded by making cybersecurity a significant part of our ESG engagement, developing an Assessment Framework that allows us to evaluate companies’ cyber resilience on a spectrum of materiality and risk.

Materiality in our scoring framework is defined as how significantly a cyberattack would affect the business. This is based on an assessment of information sensitivity, volume and magnitude of information, defence provided from business continuity plans and response management.

Risk in our proprietary scoring framework is defined as how exposed a company is to a cybersecurity attack. This is based on an assessment of compliance and policies, governance, and sector exposure. In relation to the “sector exposure”, factors considered include:

  • Has the company been subject to material cyberattacks recently? Evidence shows that when an organisation has experienced one attack, more are likely to follow.
  • Is the company in a sector prone to cyber and/or privacy attacks?


So, to understand portfolio companies’ approaches to cybersecurity, questions are posed regarding the nature of the information held on customers, how cyber is embedded in risk management practices, the governance structure of cyber risk and the level of preparedness for a cyberattack.

The company responses, together with our understanding of the business and supplemented with publicly available information, allow us to score the companies using our framework. It means close monitoring of the companies identified as higher risk in our framework, including ongoing engagement to help them improve their cybersecurity.

It is also critical for an organisation’s cyber strategy to be proactively overseen by the board, and for all staff to be regularly engaging in relevant cybersecurity training, as stipulated by the Australian Institute of Company Directors’ Governance Principles launched in 2022.

Make no mistake – the importance of cybersecurity will grow exponentially. Global connectivity, the use of cloud services to store sensitive data, and the sophistication of cyber criminals put every company at risk, and boards and management will need to implement and consistently review the processes and tools to protect confidential information to avoid financial consequence.


This article has been prepared and issued by Perennial Better Future Pty Limited (ABN 45 647 633 065) (Perennial Better Future) and Perennial Partners Limited (ABN 90 612 829 160) (Perennial Partners) as Corporate Authorised Representatives (No. 1293138) of Perennial Value Management Limited (PVM) (ABN 22 090 879 904, AFSL No. 247293). Any opinions expressed in the above article are the opinions of the individual author and not necessarily representative of the views of either Perennial Partners or PVM. This article does not take into account your investment objectives, particular needs or financial situation and reliance should not be placed on this as the basis for making an investment, financial or other decision. While every effort has been made to ensure the information in this report is accurate, its accuracy, reliability or completeness is not guaranteed. Past performance is not a reliable indicator of future performance.