September 22, 2021—At a White House cybersecurity summit in August, President Biden described cybersecurity as a “core national security challenge… and the federal government can’t meet this challenge alone,” in a blunt assessment of our critical infrastructure resiliency. The issue of cybersecurity is hardly new and is only growing as we move towards an increasingly digitized world. The FBI’s Internet Crime Complaint Center (IC3) has recorded over two million complaints in the last five years, totaling over $13 billion in losses.
Source: FBI’s Internet Crime Report, 2020. https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf
These complaints cover everything from phishing to identity theft but are largely instances targeting individuals on a smaller scale. Perhaps looming larger are the broader attacks, ones that have shut down entire organizations using a relatively simple plan: break into a company’s operating software, encrypt swaths of data, and threaten to sell it on the dark web until multi-million dollar figures are paid out. While some breaches aim to disrupt critical infrastructure—the May hack of the Colonial Pipeline and the resulting fuel shortages, for example—others have a different goal in mind: monetize the private information of users and customers.
As we embrace digitization, vast amounts of personal data have become vulnerable. Protecting this information is of paramount importance, not only for the financial repercussions of a data breach but also because of the responsibility that firms have to safeguard the information they request users trust them with. It is not enough to be able to respond to an attack that happened to a peer or another company; firms should be actively investing in technology and infrastructure such that they are prepared to prevent tomorrow’s attempted hack. An underfunded or ill-prepared cybersecurity effort has the potential to land a company in serious hot water with regulators, investors, and customers alike. (For more on this, listen to our recent Capital Considerations podcast episode, Cybersecurity Threats: Staying safe in an increasingly vulnerable world, where we spoke with cybersecurity expert Morgan Wright on the importance of proactive investment in cybersecurity infrastructure.)
What is corporate engagement and our approach
As investors, we consider a number of relevant financial risks, including cybersecurity, in our equity research. While we do not invest exclusively in companies that have fulfilled all best practices, we do use the levers at our disposal to mitigate identified risks. One of these levers is corporate engagement, a broad term that encompasses any number of actions investors might take to make company management aware of concerns or issues as they arise in the normal due diligence and monitoring process. Engagement could take the form of conversations with management, written letters, or shareholder proposals at annual meetings.
Engagement is a hallmark of environmental, social, and governance (ESG) investing. ESG-oriented managers and investors believe that these risks associated with company practices have the ability to impact long-term shareholder returns, just as more traditional risks would. Active engagement through constructive conversations with company management provides an avenue to address these risks, and to work alongside management to develop corrective practices that will improve company sustainability and long-term risk/return expectations. It also provides investors with an opportunity to gain further clarity on any issues of concern or confusion.
As long-term investors, our aim is to maintain constructive relationships with management teams, and to act as a partner in their work to adjust or introduce behaviors and processes. The goal, always, is to ensure that ESG risks are being considered in management strategy in order to maximize shareholder value.
Our engagement efforts
As the world relies more and more on technology and digital recordkeeping, increasing amounts of personal data are stored online, in private firm databases, and with third-party providers. The rate of this trend accelerated rapidly as COVID-19 forced many in-person activities and transactions online. For a healthcare provider, the increasing quantities of personally identifiable information (PII) and personal health information (PHI) stored online pose a notable risk.
We believe that our resources are best utilized through focused, targeted engagement efforts on select topics. We decided that a commonsense point of focus was the preparedness of healthcare providers for the increased challenge of data protection. With the pandemic ushering in both a higher amount of retail health data accumulated and an increased reliance on digital recordkeeping, it was paramount to ensure that this risk, like any other, was being preemptively managed by companies that might find themselves most affected.
After extensive research across our portfolio investments, we identified two firms that we felt, based on available information, may be vulnerable to ransomware attacks. Both firms, a national pharmacy chain and a clinical laboratory chain, hold vast amounts of PII and PHI on large portions of the population. COVID-19 testing further broadened their network of customers. After gathering information from public reporting, company disclosures, and third-party ESG data providers, we were able to engage directly with management to both present our findings and ask further questions. In these cases, speaking with management was a further step taken in ensuring that risk mitigation practices were in place. After conversations with key management personnel, we were able to move forward with comfort in the systems these firms had instituted, their responses to the increased reliance on technology during the pandemic, and their data security governance infrastructure, all of which may not have been reflected in full in published materials due to the sensitive nature of the topic.
The risks associated with a data breach are far-reaching, and would likely include reputational damage, legal ramifications, and certainly an impacted bottom line as firms pay their way through a clean-up operation. The opportunity cost of lost business should the server get shut down only further emphasizes the devastating nature of these attacks. Even beyond the reputational damage, though, the social implications of a firm violating individuals’ right to privacy by suffering a data breach should be considered as another spoke of the wheel.
As investors, we are cognizant of the dangers of becoming complacent in cybersecurity risk management. Engagement with management helps to assure us that we’re aware of the risks embedded in our portfolio and that we’re comfortable with the steps management teams are taking to address these risks. While the risk of a data breach can never be fully eliminated, a flexible and comprehensive approach to cybersecurity can help to mitigate it, and we want to ensure that our portfolio companies are not taking any chances.
Wilmington Trust is a registered service mark used in connection with various fiduciary and non-fiduciary services offered by certain subsidiaries of M&T Bank Corporation including, but not limited to, Manufacturers & Traders Trust Company (M&T Bank), Wilmington Trust Company (WTC) operating in Delaware only, Wilmington Trust, N.A. (WTNA), Wilmington Trust Investment Advisors, Inc. (WTIA), Wilmington Funds Management Corporation (WFMC), and Wilmington Trust Investment Management, LLC (WTIM). Such services include trustee, custodial, agency, investment management, and other services. International corporate and institutional services are offered through M&T Bank Corporation’s international subsidiaries. Loans, credit cards, retail and business deposits, and other business and personal banking services and products are offered by M&T Bank, member FDIC.
Facts and views presented in this report have not been reviewed by, and may not reflect information known to, professionals in other business areas of Wilmington Trust or M&T Bank who may provide or seek to provide financial services to entities referred to in this report. M&T Bank and Wilmington Trust have established information barriers between their various business groups. As a result, M&T Bank and Wilmington Trust do not disclose certain client relationships with, or compensation received from, such entities in their reports.
The information on Wilmington Wire has been obtained from sources believed to be reliable, but its accuracy and completeness are not guaranteed. The opinions, estimates, and projections constitute the judgment of Wilmington Trust and are subject to change without notice. This commentary is for informational purposes only and is not intended as an offer or solicitation for the sale of any financial product or service or a recommendation or determination that any investment strategy is suitable for a specific investor. Investors should seek financial advice regarding the suitability of any investment strategy based on the investor’s objectives, financial situation, and particular needs. Diversification does not ensure a profit or guarantee against a loss. There is no assurance that any investment strategy will succeed.
Past performance cannot guarantee future results. Investing involves risk and you may incur a profit or a loss.
Indexes are not available for direct investment.
Reference to the company names mentioned in this blog is merely for explaining the market view and should not be construed as investment advice or investment recommendations of those companies. Third party trademarks and brands are the property of their respective owners.