Leon Kamhi, Head of Responsibility, Hermes Investment Management:
In recent months, some of the UK’s largest companies have suffered major data breaches or significant technical issues which have resulted in disruption for stakeholders, including customers, staff and investors.
When these events occur, consumers are the first to be hit by having their data compromised or losing essential service, which can be extraordinarily frustrating. However, for investors these events also provide an important lens through which to look at the companies in their portfolio.
On the most basic level, if consumers think a company cannot be trusted to keep their personal data safe – causing anything from embarrassment to financial harm – it is a real and substantial revenue risk. Furthermore, investors need to consider cyber security as a broader theme and a more significant issue – as it could end up changing the faces of the boards running the companies we own and provide the push for diversity we have been seeking.
Hacking the hack
Cyber attacks do not just target consumer information, nor do they go for the largest firms in the index. In industries in which intellectual property provides the competitive edge, stopping an individual or organisation from accessing data, systems and infrastructure is key, and SMEs are increasingly in the line of sight.
For example, a pharmaceutical firm needs to protect its research and development information as fiercely as an airline does its customer credit card details. Most companies today do not just sell groceries, build houses or even trade derivatives, they also run a substantial IT operation, and it is increasingly important that the board reflects this new way of doing business.
Investors need a company board to be on top of the specific elements that can impact it as a business. Hackers can bring an entire system to a halt if they are able to stop certain processes.
A board should not just be aware of the company’s cyber strategy, but should also be monitoring how it is working, frequently testing it, spotting any weak points and challenging executives on where it needs to change. Moreover, boards should also be evaluating how well a company responds when there is a breach.
Because of the technological advancements and disruptions that have taken place over the past decade, companies need executives who are responsible for the day-to-day cyber security at the highest level and who actively work with key business heads.
Who is on board?
When considering how to expand or improve their business strategy, many companies look at who currently is on the board and how to leverage their skills.
However, as technology has evolved at such a pace, and continues to do so, we are encouraging boards to modify the way they think about board structure and focus on who and what skillset should be on the board. Today, that means having an individual that has substantial IT expertise, fluency and capability to not onlyenable the business to develop and implement a robust IT infrastructure, but also for the purpose of cyber security.
This does not mean simply bringing in one independent director with generic IT skills, but an individual who has a deep understanding of the technological landscape and potential threats to their business and infrastructure. Ideally, a board should have more than one person who understands the technological landscape, inclusive of the risks, to ensure they are able to have a robust ongoing dialogue.
Putting this into practice may be hard for companies that have traditionally appointed former senior executives, either from their own or related sectors, which often results in group think and a lack of diversity amongst the board. The “grey hair” approach to accessing experience is one that is going to be tough to break down.
A well-managed board can significantly benefit from the range of perspectives brought by directors who have diverse technical, professional and country experience as well as diversity in gender, ethnicity, demographic and age. For example, as regards age, most UK board members are between 55 and 65, which demonstrates a serious lack of diversity of age.
As companies’ clientele and ways in which they bring their products or services to market evolve, a variety of skills will be required on the board. An individual with expertise and fluency in the ever changing technological landscape, could provide a significant value add. Moreover, very few companies are going to be able to appoint an experienced tech CEO as a director.
Investors can never know for certain if a company is going to be completely safeguarded against a cyber-attack or technical failure – but in this day it is worth seeking out those taking cybersecurity seriously.
This is non-cyclical. We are not backing out of this new technical age. Company boards that will be the most successful in the future are already amending their boards to reflect it.