FTA: Are some forms of disclosure more dangerous than others?
CGM: In some instances, companies have disclosed full coding with little additional risk. But there could be elements of systems, technology platforms or protocols, for example adopting a double-password authorisation approach, encryptions, and their dependencies such as third-party protocols, disclosure of which could compromise a business.
FTA: What should companies do to ensure they fend off cyber attacks?
CGM: The existence of a chief information security officer role and tailored training across the workforce and simulations are a useful starting point to evaluate a company’s cyber resilience.
We have also found that supply chains and merger and acquisition activity tend to exacerbate the risks to well-functioning cyber risk management. We have therefore requested both areas to be included in our engagement.
FTA: Is there anything financial advisers in particular should be aware of when it comes to using technology and fending off cyber attacks?
CGM: Financial advisers are not dissimilar to other sectors. Additional elements of best practice include the certification to ISO 27000 for business operations. This allows a robust approach to information security and a focus on clients’ data safety.
Companies should also disclose their use of the National Institute of Standards and Technology cybersecurity framework as a reference for controls to prevent, detect and address cybersecurity threats.
FTA: How can active and passive managers help businesses with their cybersecurity?
CGM: Fund managers can help businesses with their cybersecurity through engagement with their holding companies and by making sure they have their own cyber resilience systems up to date.
Excessive cybersecurity disclosure could make companies more susceptible to attacks. For this reason, we find engagement is a particularly useful tool for monitoring this increasing risk to ensure it is not being overlooked.
While organisations can never entirely rule out the risk of a cybersecurity incident, companies that are implementing these best practices are better placed to adapt and respond to these emerging risks.
Our continued engagement proves ever-more essential in the wake of the coronavirus pandemic, so over the course of 2022 we continue to seek adoption of key measures for achieving cyber resilience as defined by our engagement to date.
carmen.reichman@ft.com