NEST and RPMI Railpen, two well-known UK pension investors, have moved to fill a gap in the advice available to pension scheme trustees on cyber security risk with a report concentrating on the risk it poses to their portfolios.
In a statement announcing publication of the report, the schemes said that while there is guidance for trustees on how to build cyber resilience with regard to the scheme itself and its data, there was to date no equivalent advice for them on how to incorporate cyber security into their investment and stewardship processes.
”Generally,” the report states, “little is understood by pension funds about these risks and there is seemingly no obvious common or standardised approach for addressing them.”
And yet cyber security risks were financially material and of interest to members and other stakeholders, according to the report, referring to “numerous papers and articles […] citing cyber security as a prominent and growing issue that can have strong, negative implications on investment performance”.
The report lists recent cyber attacks and their financial impact, such as the hacking of 380,000 British Airways accounts in September 2018 that led to a $229m (€208m) fine “with a possible £500m (€581m) lawsuit on top”.
The document presents case studies on research and engagement carried out on cyber security by some UK pension funds, and suggests questions trustees can put to their asset managers and portfolio companies on the topic.
Richard Williams, CIO at RPMI Railpen, the investment manager for the UK’s £31bn (€34bn) railways pension schemes, said: “Trustees need to acknowledge that it is not a matter of ‘if’ but ‘when’ their investee companies will face a serious cyber security breach.
“[This] publication provides a toolkit for pension scheme trustees. Companies should be ready for questions from investors, and pension funds need to start raising the topic with their managers.”