Our increasing reliance on technology brings benefits but also drawbacks, and when it comes to disclosure, this can make a company more vulnerable to cyber attacks, warns Carlota Garcia-Manas.
In a Q&A with FTAdviser In Focus, the head of engagement at Royal London Asset Management explains why engagement on cybersecurity is more critical than ever for financial services companies.
RLAM started to engage with its holding companies on cybersecurity in 2020 as part of a broader “innovation, technology and society” engagement theme.
It has since launched a second phase of engagement, particularly with debt issuers, to be able to evaluate risk in its credit portfolios.
It said the findings from these conversations allowed it to understand the risk mitigation measures that its holdings have in place, which on many occasions are not obvious from their public disclosure.
FTA: What warning signs are you seeing in businesses' adoption of technology?
CGM: Cyber attacks have skyrocketed, with techniques used by criminals that include ransomware, denial of service (DoS), phishing and clickjacking, which all look to exploit firms' vulnerabilities on security. This has prompted firms to increasingly adopt sophisticated risk management systems to enable cyber resilience.
We are beginning to see through our engagement with companies that they are committing to cybersecurity strategies by creating a specific chief information security officer role with direct reporting lines to the board, and by offering supporting resources, detailed disclosures on training and simulations, and clear identification of cyber risks and their inclusion on remuneration packages.
FTA: To what extent is cybersecurity a threat for financial services companies and advisers?
CGM: This phenomenon is a global issue affecting governments as well as businesses of all sizes – it affects national and economic security, and with very few exceptions is cross-sectional of all aspects of society.
That includes financial institutions and advisers. The latter are particularly vulnerable and in general well prepared due to their reliance on data platforms, cross-continental platforms and shared technologies, for example stock exchanges.
FTA: How can increasing disclosure make a company more vulnerable to cyber attacks?
CGM: A number of companies that we have engaged with use a technology platform created by hackers who are dedicated to making the internet safer by helping companies close their exposure to cyber attacks.
By using a platform of this kind, they open themselves up to ‘ethical hackers’ who can help spot where the vulnerabilities lie to help companies stay ahead of any potential threats. There are ways for those initiatives to be abused, but in general it provides companies with a certain level of control.
In the first two phases of our engagement, we requested companies disclose a standalone cyber resilience policy. While some companies have published such information, the majority found that this approach described in unnecessary detail some of the mechanisms they used to protect their systems. As we agreed with this rationale, we removed this request.