Cybersecurity continues to pose a significant risk to public companies and their investors. Companies are under attack from malicious actors. From ransomware to security breaches targeting critical infrastructure, cyber risk continues to escalate. The FBI reported $43 billion has been stolen over the last five years from companies through impersonation of executive emails. Attacks targeting critical infrastructure appear to be increasing and the financial loss could be tremendous; according to a recent Moody’s analysis, $22 trillion of Moody’s-scored debt is associated with sectors having High or Very High cyber risk exposure. High-profile cybersecurity attacks continue to dominate the news cycle, and public companies like Uber, Activision, and others have all experienced public cybersecurity incidents in recent months.

The business impact of these incidents can no longer be ignored. Costs to businesses and investors can include: remediation and litigation costs (including regulatory action); increased cyber protection costs and insurance premiums; reputational damage; lost revenue; and damage to the stock price and long-term shareholder value.

Investors have become deeply concerned about cybersecurity and how security incidents can impact their investments. Warren Buffett has called cybersecurity the “number one problem with mankind.” In the RBC Global Asset Management Responsible Investment Survey, investors ranked cybersecurity as the number one most concerning environmental, social, and governance (ESG) issue. In addition to pressure from owners, regulators are turning their attention to the issue as well, with the Securities and Exchange Commission proposing rules on cybersecurity risk management and oversight.

Nonetheless, there are instances where public companies and investors may be in the dark when it comes to understanding their cybersecurity risk exposure. In particular, many companies and investors face challenges in evaluating a more technical risk like cybersecurity without having a background in the issue. The ever-changing nature of cybersecurity also means that the typical disclosure regime may be inadequate to address a dynamic risk.

Indeed, collecting meaningful, consistent data regarding cybersecurity risk presents a real challenge. Cyber risks and incidents are inconsistently disclosed by public companies, and direct engagements often produce qualitative, subjective data, giving investors no real sense for a company’s actual or comparative security performance.

******

Glass Lewis is partnering with BitSight to help public companies and their investors tackle the significant and constantly changing challenge of understanding cybersecurity risk.

In 2011, BitSight created the world’s first cybersecurity rating system and has since partnered with many of the world’s leading investment organizations including Glass Lewis and Moody’s to improve investor and market awareness of cyber risks. Today, thousands of investors, enterprises, insurers, government institutions and other market stakeholders trust BitSight’s independent ratings and data to make better risk management decisions.

BitSight continuously and non-intrusively collects cybersecurity performance data about public and private companies. Using this data, BitSight creates quantitative, objective ratings and analytics that are similar to credit scores and updated daily. Independent studies show that BitSight’s ratings and analytics are significantly correlated with cybersecurity incidents. Poor cybersecurity performance as measured by BitSight increased an organization’s risk of experiencing a cybersecurity incident.

Glass Lewis partnered with BitSight to launch the Cybersecurity Risk Evaluation Solution for public companies. Cyber risk management isn’t just a concern for the IT department. Poor cyber risk mitigation is a governance issue and impacts a company’s operations and financial performance. The solution enables public companies to receive a customized analysis of their cyber risk issues along with guidance on how to communicate their cyber risk mitigation plan to their stakeholders and shareholders.

Glass Lewis is also leveraging the cybersecurity expertise of BitSight to provide clients insight into the level of cyber risk that a company is exposed to. Glass Lewis Proxy Papers feature a point-in-time snapshot of a public company’s cybersecurity performance, as of the first day of the current quarter, pulled directly from the BitSight platform. The report features the company’s overall BitSight Security Rating and how the organization benchmarks against its peers in 20 major risk categories.

Investors use BitSight to manage cyber risk to their portfolios and help with engagement strategy. BitSight’s analytics help investors assess the effectiveness of the policies, controls, governance and procedures that a company is implementing, providing investors greater visibility into how well the cyber risk program is being executed. BitSight’s measurements also provide investors with further validation of management’s intentions. BitSight’s data is not only useful as a risk screen. Independent analysis has found that investors leveraging BitSight Security Ratings in an investment strategy can earn higher returns while reducing risk.

The Cybersecurity Risk Evaluation Solution helps guide public companies to identify and mitigate cyber risk and communicate their plan to the market. BitSight cybersecurity analysis in Glass Lewis Proxy Papers provides a comprehensive and accessible relative overview of key portfolio risks and opportunities, integrated directly into Glass Lewis’ industry-leading proxy voting and governance reports.

If you represent a public company, please click here for a review of how we can help with your cyber risk mitigation strategies.

If you are an investor, please click here to learn more about cyber risk information in our Proxy Paper reports.