

Railpen and Royal London Asset Management publish new guidance for investors on cybersecurity risk and resilience

8th January 2025

 

Railpen, one of the largest pension managers in the UK and responsible for managing £34 billion of assets on behalf of over 350,000 members, has published a new report in partnership with Royal London Asset Management, which manages £170 billion, on growing cybersecurity risks in investment portfolios.

The report, Cybersecurity Risk & Resilience: Guidance for Investors, provides an evidence-based perspective on the financial materiality and threat landscape of cybersecurity risk, as well as up-to-date practical guidance for both asset owners and asset managers on how to engage with portfolio companies on the issue.

The Guidance has been developed using insight from Railpen’s and Royal London Asset Management’s combined engagement with companies over the past five years and seeks to answer three key questions:

  1. Why should investors care about cybersecurity?
  2. What should investors expect of portfolio companies?
  3. What can investors do?

Based on the evidence presented in the report, Railpen and Royal London Asset Management together are calling on investors to take the following steps to address cybersecurity risks:

  • Recognise the financial materiality of cybersecurity to their portfolios
  • Use the expectations and framework outlined in the report as a tool to assess portfolio companies’ baseline approach to cybersecurity and measure their progress towards best practice
  • Identify and engage with companies that face high-risk exposure, using sector-specific vulnerabilities as a lens for screening and the report’s recommended questions to initiate dialogue
  • Participate in policy advocacy on cybersecurity, as a supportive regulatory environment will enable improved alignment between company disclosures and investors’ expectations

In 2019, Railpen joined a coalition of investors, led by Royal London Asset Management, dedicated to addressing the systemic risks surrounding this thematic stewardship issue by engaging with portfolio companies and participating in policy advocacy. This work built upon a report that same year by Railpen and Nest.

Caroline Escott, Senior Investment Manager, Sustainable Ownership at Railpen, says: “Cyber resiliency might not be a top priority for investors when building and reviewing their portfolios – but it absolutely should be. The World Economic Forum reports that 29% of organisations have been materially affected by a cyber incident over the past 12 months alone.

“Railpen follows the evidence to understand how issues such as cybersecurity affect the value of the companies we invest in. Through understanding, monitoring and influencing the behaviour of those companies, we can help ensure our portfolios are resilient to material ESG risks and, as a result, protect and enhance the long-term value of members’ savings.

“This report leverages our coalition’s experience of engaging with companies and policymakers over several years on cybersecurity. It’s designed to help investors understand what best practice looks like when it comes to cybersecurity disclosure and practice, using real-life examples to bring it to life. We published this guidance to further empower other investors to ask the right questions of companies and take the necessary steps to ensure their investments are protected over the long term.”

Sophie Harris, Senior Investment Analyst, Sustainable Ownership, Railpen, adds: “We are seeing a concerning disconnect between leaders’ awareness and preparedness for cyber attacks. Around 40% of CISOs surveyed by Proofpoint concede that their organisation is unprepared to cope with a targeted cyberattack. While it is positive to see regulators starting to take action, with the U.S. Securities and Exchange Commission’s cybersecurity rules, we believe investors have an important role to play when it comes to closing the gap and forcing business to start taking cyber preparedness more seriously.

“Recognising the importance of cybersecurity resilience, we encourage asset managers to develop their understanding of the financial materiality of cybersecurity, use the investor expectations as a tool for engagement with companies that face a high level of risk, and report on progress to their clients.”

Georgina Chiu, Senior Engagement Manager at Royal London Asset Management, says: “Driving corporate change requires a collaborative effort from asset managers, asset owners, regulators and policy makers. We founded the coalition because we understand the very real threat that cyber presents to our industry, driven by geopolitical threats, the development of Generative AI and increased supply chain vulnerabilities.

“There are a number of actions investors can take to tackle the growing risk of cybersecurity to portfolio companies. This report demonstrates how we are creating a step change for the industry, by elevating stewardship from reactive engagement after a cyber incident has occurred, to a proactive dialogue on resilience.”

You can read the full report here

- Ends -

Notes to Editors

About Royal London Asset Management

Established in 1988, Royal London Asset Management is one of the UK's leading fund management companies, providing investment management solutions to both wholesale and institutional clients such as not-for-profit organisations, local authorities and the insurance sector.  

Royal London Asset Management manages £169 billion of assets as at 30 June 2024. It invests in all major asset classes including UK and overseas equities, government bonds, investment grade and high yield corporate bonds, property and cash. 

Issued by Royal London Asset Management Limited, registered in England and Wales number 2244297; authorised and regulated by the Financial Conduct Authority. Registered Office: 80 Fenchurch Street, London, EC3N 2ER. 

About Railpen

Railpen is authorised and regulated by the Financial Conduct Authority (FCA).

Railpen acts as the investment manager and administrator of the railways pensions schemes and is responsible for the management of around £34bn.

Railpen runs the railways pensions schemes on behalf of its parent, the Railways Pension Trustee Company Limited (RPTCL).

The Cybersecurity Coalition includes Railpen, Royal London Asset Management, Nest, Universities Superannuation Scheme, Border to Coast Pensions Partnership and Brunel Pension Partnership.

Railpen and Nest’s 2019 report, ‘Why UK pension funds should consider cyber and data security in their investment approach’

The views expressed are those of the author at the date of publication unless otherwise indicated, are subject to change, and are not investment advice.