Glass Lewis: Managing Cybersecurity Risk Requires Trustworthy, Timely Data Insights

This blog was written by Pallavi Sharma and originally appeared on glasslewis.com, where it can be read. It has been republished with permission.

Cybersecurity continues to pose a significant risk to public companies and their investors.

Companies are under attack from malicious actors. From ransomware to security breaches targeting critical infrastructure, cyber risk continues to escalate. The FBI reported $43 billion has been stolen over the last five years from companies through impersonation of executive emails. Attacks targeting critical infrastructure appear to be increasing and the financial loss could be tremendous; according to a recent Moody’s analysis, $22 trillion of Moody’s-scored debt is associated with sectors having High or Very High cyber risk exposure. High-profile cybersecurity attacks continue to dominate the news cycle, and public companies like Uber, Activision, and others have all experienced public cybersecurity incidents in recent months.

The business impact of these incidents can no longer be ignored. Costs to businesses and investors can include remediation and litigation costs (including regulatory action); increased cyber protection costs and insurance premiums; reputational damage; lost revenue; and damage to the stock price and long-term shareholder value.

Investors have become deeply concerned about cybersecurity and how security incidents can impact their investments. Warren Buffett has called cybersecurity the “number one problem with mankind.” In the RBC Global Asset Management Responsible Investment Survey, investors ranked cybersecurity as the number one most concerning environmental, social, and governance (ESG) issue. The Securities and Exchange Commission has turned its attention to the issue as well, with proposed rules on cybersecurity risk management and oversight.

Nonetheless, there are instances where investors today may be in the dark when it comes to understanding the cybersecurity risk posture of the companies in which they invest. Collecting meaningful, consistent data from their investments regarding cybersecurity risk presents a real challenge. Cyber risks and incidents are inconsistently disclosed by public companies. Direct engagements often produce qualitative, subjective data and give investors no real sense for a company’s actual or comparative security performance.

Investors have also expressed challenges in evaluating a more technical risk like cybersecurity without having background in the issue. The ever-changing nature of cybersecurity also means that the typical disclosure regime may be inadequate to address a dynamic risk.

Glass Lewis is partnering with BitSight to help investors tackle the significant and constantly changing challenge of understanding cybersecurity risk.

In 2011, BitSight created the world’s first cybersecurity rating system and has since partnered with many of the world’s leading investment organizations including Glass Lewis and Moody’s to improve investor and market awareness of cyber risks. Today, thousands of investors, enterprises, insurers, government institutions and other market stakeholders trust BitSight’s independent ratings and data to make better risk management decisions.

BitSight continuously and non-intrusively collects cybersecurity performance data about public and private companies. Using this data, BitSight creates quantitative, objective ratings and analytics that are similar to credit scores and updated daily. Independent studies show that BitSight’s ratings and analytics are significantly correlated with cybersecurity incidents. Poor cybersecurity performance as measured by BitSight increased an organization’s risk of experiencing a cybersecurity incident.

Glass Lewis is leveraging the cybersecurity expertise of BitSight to provide investors insight into the level of cyber risk that a company is exposed to. Glass Lewis Proxy Papers feature a point-in-time snapshot of a public company’s cybersecurity performance, as of the first day of the current quarter, pulled directly from the BitSight platform. The report features the company’s overall BitSight Security Rating and how the organization benchmarks against its peers in 20 major risk categories.

Investors use BitSight to manage cyber risk to their portfolios and help with engagement strategy. BitSight’s analytics help investors assess the effectiveness of the policies, controls, governance and procedures that a company is implementing, providing investors greater visibility into how well the cyber risk program is being executed. BitSight’s measurements also provide investors with further validation of management’s intentions. BitSight’s data is not only useful as a risk screen. Independent analysis has found that investors leveraging BitSight Security Ratings in an investment strategy can earn higher returns while reducing risk.

With the BitSight cybersecurity report in Glass Lewis Proxy Papers, investors get a comprehensive and accessible overview of key portfolio risks and opportunities integrated directly into their proxy voting and stewardship.

