Cyber attacks pose such a grave threat to pension investors that Nest, one of the UK’s largest schemes, is developing a FTSE-style index with British intelligence services to track the risk.
Nest, which has eight million members and looks after £8.5 billion in assets, is working with the National Cyber Security Centre, a branch of GCHQ, to build a ‘cyber security awareness index’ of companies, to highlight which pose the greatest and least risk to investors.
Sign up to our weekly newsletter
Get better with money, in every way.
The pension scheme intends to incorporate cyber risk into its investment strategy as an extension of its environmental, social and good governance (ESG) obligations.
The World Economic Forum placed cyber attacks and data fraud or theft in the top 10 global risks for 2019. While by 2020 analysts expect spending on cyber security to rise to $125 billion (£97 billion), the latest forecast puts the expected cost of cyber attacks at $90 trillion (£70 trillion) by 2030.
Diandra Soobiah, head of responsible investment at Nest, said: “As a responsible investor, we want to know the full impact our investments have and what might be affecting them. This means taking an holistic approach so our investment strategy is not undermined by something we were not considering.
“Our research shows cyber security is a clear financial risk facing pension schemes’ assets and is therefore an area we want to do more on.” The principal aim of the planned transparent index of companies is to encourage positive behavioural change within the boardrooms of firms that are the least cyber security risk aware.
Cyber security and data breaches can cause financial and reputational damage that impacts companies’ performance, hitting the investment returns of pension funds and lowering the level of retirement income pensioners receive.
A swathe of high-profile companies have been hit in recent years. British Airways was attacked in September 2018 when 380,000 customer bank details were hacked, resulting in a $229m fine with a possible £500m lawsuit on top.
Want to know whether your pension is looking after the planet? Check out the Good Guide to Pensions
Last March tech giant Facebook, ubiquitous in investment portfolios, suffered the data breach of 87 million users resulting in a $5 billion (£3.9 billion) fine and a $119 billion (£177 billon) fall in market value (20 per cent). Yahoo has also had personal data stolen, including names, emails, dates of birth, phone numbers, passwords, and security questions, leading to a fall in value of around $350 million (£272 million).
Companies that hold the most data are most at risk, said Soobiah, in sectors such as healthcare and banking, international conglomerates that have old legacy systems and global supply chains, and groups where there has been a lot of mergers and acquisitions and so gaps in security. She said: “Nest is primarily an index investor in equities. We want to be able to identify the biggest risks across our global portfolio. There are some features that make companies more at risk than others.
Nest will confront firms it believes should be doing more to prevent cyber attacks, Soobiah added. She said: “We want to be assured that company boards are overseeing the management of cyber security risks effectively and doing all they can to minimise financial and reputational damage when an attack does occur.”
Recent changes to the rules for pension schemes have placed ESG investing topics even higher on their agenda, and among them cyber security risk has been gaining increasing focus. Research by Nest found companies with good cyber security include a strong corporate culture where training, raising awareness and educating staff on the threat is crucial, and embedding it in how people work day to day.
Board level responsibility, working hand in hand with the IT department to understand technical information and make important decisions, was another factor.
A final positive indicator was where the level of spend on cyber security at a company increased year on year. Nest wants other pension funds to use its research as a guide to improve their own risk management.
Mark Fawcett, chief investment officer at Nest, said: “The worst thing people can do is bury their heads in the sand. Cyber-attacks can seriously undermine the performance of a company, making what would seem an ideal investment opportunity turn into a costly mistake.
“Pension funds should check if the businesses they invest in take the threat of cyber attacks seriously to help protect their members’ investments. The financial impact and importance of cyber attacks can no longer be denied and needs to be considered in any responsible investment strategy. Companies cannot stop attacks from occurring, but preparedness and operational resilience is key.”