'Cybersecurity disclosure can make companies vulnerable to attacks'


Our increasing reliance on technology brings benefits, but it also brings risk, and when it comes to disclosure, publishing too much detail can make a company more vulnerable to cyber attacks, warns Carlota Garcia-Manas.

In a Q&A with FTAdviser In Focus, the head of engagement at Royal London Asset Management (RLAM) explains why engagement on cybersecurity is more critical than ever for financial services companies.

RLAM started to engage with the companies it holds on cybersecurity in 2020 as part of a broader "innovation, technology and society" engagement theme.

It has since launched a second phase of engagement, focused in particular on debt issuers, so that it can evaluate cyber risk in its credit portfolios.

It said the findings from these conversations allowed it to understand the risk mitigation measures its holdings have in place, which are often not apparent from the companies' public disclosures.

Carlota Garcia-Manas, head of engagement at RLAM


FTA: What warning signs are you seeing in businesses' adoption of technology?

CGM: Cyber attacks have skyrocketed, with techniques used by criminals that include ransomware, denial of service (DoS), phishing and clickjacking, which all look to exploit firms' vulnerabilities on security. This has prompted firms to increasingly adopt sophisticated risk management systems to enable cyber resilience.

We are beginning to see through our engagement with companies that they are committing to cybersecurity strategies by creating a specific chief information security officer role with direct reporting lines to the board, and by offering supporting resources, detailed disclosures on training and simulations, and clear identification of cyber risks and their inclusion on remuneration packages.

FTA: To what extent is cybersecurity a threat for financial services companies and advisers?

CGM: This phenomenon is a global issue affecting governments as well as businesses of all sizes – it affects national and economic security, and with very few exceptions is cross-sectional of all aspects of society.

That includes financial institutions and advisers. The latter are particularly vulnerable and in general well prepared due to their reliance on data platforms, cross-continental platforms and shared technologies, for example stock exchanges.

FTA: How can increasing disclosure make a company more vulnerable to cyber attacks?

CGM: A number of companies that we have engaged with use a technology platform created by hackers who are dedicated to making the internet safer by helping companies close their exposure to cyber attacks.

By using a platform of this kind, they open themselves up to 'ethical hackers' who can help spot where the vulnerabilities lie, to help companies stay ahead of any potential threats. There are ways for those initiatives to be abused, but in general it provides companies with a certain level of control.

In the first two phases of our engagement, we requested that companies disclose a standalone cyber resilience policy. While some companies have published such information, the majority found that this approach described in unnecessary detail some of the mechanisms they used to protect their systems. As we agreed with this rationale, we removed this request.

FTA: Are some forms of disclosure more dangerous than others?

CGM: In some instances, companies have disclosed full coding with little additional risk. But there could be elements of systems, technology platforms or protocols, for example adopting a double-password authorisation approach, encryptions, and their dependencies such as third-party protocols, disclosure of which could compromise a business.

FTA: What should companies do to ensure they fend off cyber attacks?

CGM: The existence of a chief information security officer role and tailored training across the workforce and simulations are a useful starting point to evaluate a company’s cyber resilience.

We have also found that supply chains and merger and acquisition activity tend to exacerbate the risks to a well-functioning cyber risk management. We have therefore requested both areas to be included in our engagement.

FTA: Is there anything financial advisers in particular should be aware of when it comes to using technology and fending off cyber attacks?

CGM: Financial advisers are not dissimilar to other sectors. Additional elements of best practice include the certification to ISO 27000 for business operations. This allows a robust approach to information security and a focus on clients’ data safety.

Companies should also disclose their use of the National Institute of Standards and Technology cybersecurity framework as a reference for controls to prevent, detect and address cybersecurity threats.

FTA: How can active and passive managers help businesses with their cybersecurity?

CGM: Fund managers can help businesses with their cybersecurity through engagement with their holding companies and by making sure they have their own cyber resilience systems up to date.

Excessive cybersecurity disclosure could make companies more susceptible to attacks. For this reason, we find engagement is a particularly useful tool for monitoring this increasing risk to ensure it is not being overlooked.

While organisations can never entirely rule out the risk of a cybersecurity incident, companies that are implementing these best practices are better placed to adapt and respond to these emerging risks.

Our continued engagement proves ever-more essential in the wake of the coronavirus pandemic, so over the course of 2022 we continue to seek adoption of key measures for achieving cyber resilience as defined by our engagement to date.

carmen.reichman@ft.com