Investors need to wake up to cyber risk in portfolios, large funds warn

Cyber risk is everywhere, and nowadays pension fund trustees generally know that their data is valuable. But do they assess cyber risk as part of their investment process?

RPMI Railpen and master trust Nest have published a report on how to take account of cyber security risks in pension fund investments, saying there is currently no equivalent guidance for trustees that focuses on investment processes.
Cyber security has climbed up the trustee and regulatory agenda, with the Pensions Regulator issuing guidance around how to minimise risk for pension funds themselves. In June, David Fairs, director of regulatory policy, analysis and advice, said the regulator had seen phishing emails purporting to come from master trusts, and membership lists being sold on the dark web for around $15 per member record. TPR has also started to see cases of ‘whaling’, where typically a financial controller receives an email which appears to come from the CEO with a request to settle an invoice. 
But it is not just pension funds themselves that are potential targets; the organisations they invest in are, too. A hack constitutes a big business risk but can also damage the reputation of investors, the new report, ‘Why UK pension funds should consider cyber and data security in their investment approach’, states.
It lists 10 major data breaches where companies were hacked between 2008 and 2018: 
  • British Airways 
  • Facebook 
  • Equifax 
  • Uber 
  • Anthem 
  • Home Depot 
  • JPMorgan Chase 
  • eBay 
  • Yahoo 
  • Heartland Payment Systems 
Hackers stole bank and credit card details, social security numbers, dates of birth, addresses and phone numbers, among other data. In the past 12 months, businesses have reported improved security mainly thanks to adding skilled staff and better governance, but the threat is not standing still. The report notes that some predict the cost of hacking will reach $90tn by 2030.
Both Railpen and Nest have in-house investment teams. In 2018, Nest conducted research to see what impact cyber risks could have on its investments, and the fund is planning to look at relationships between cyber risk and financial and corporate governance. 
Governance varies, as does reporting; there are currently no agreed reporting standards for companies, so even where investors do make cyber risk part of the pre-investment analysis, they might struggle. However, some cyber governance indices, ranking companies by how strong their cyber defences are, do exist, and three ETFs are in planning as well, notes the report, which names a number of providers that assess firms’ cyber defences. 
Still, given the shortage of readily available information around companies’ cyber security practices, the report also recommends engagement and incorporating the topic in voting policies, noting that the UN Principles for Responsible Investment brought 53 investors together to come up with a set of expectations around cyber security in 2017. Railpen led the dialogue with a US company, bringing the company to agree to additional disclosures.
RPMI also recommends that investment teams work with internal information security specialists. Sylvia King, head of IT security at RPMI, says the area is fast-moving, so “expert advice is essential”. 
Richard Williams, CIO at Railpen, said trustees should acknowledge that an attack on an investee company is not a matter of ‘if’ but ‘when’, and investors therefore need tools to minimise the risk.
“Companies should be ready for questions from investors, and pension funds need to start raising the topic with their managers,” said Williams. 
Brunel Pension Partnership, one of the eight Local Government Pension Scheme pools, has been an early adopter of cyber security assessment in its investments. The pool raises the topic with managers before they are appointed, making it part of its procurement process. Where Brunel has concerns, it sets conditions for the manager and monitors the area more frequently. 
Nest’s chief investment officer, Mark Fawcett, says the most important thing for investors is not to bury their heads in the sand.
“Cyber-attacks can seriously undermine the performance of a company, making what would seem an ideal investment opportunity turn into a costly mistake,” said Fawcett, adding: “The financial impact and importance of cyber-attacks can no longer be denied and needs to be considered in any responsible investment strategy. Companies cannot stop attacks from occurring, but preparedness and operational resilience is key.” 

Do you assess cyber risk in your portfolio? What tools do you use?