As we embrace digitization, vast amounts of personal data have become vulnerable. Protecting this information is of paramount importance, not only because of the financial repercussions of a data breach but also because of the responsibility firms have to safeguard the information users entrust to them. It is not enough to be able to respond to an attack that happened to a peer or another company; firms should be actively investing in technology and infrastructure so that they are prepared to prevent tomorrow’s attempted hack. An underfunded or ill-prepared cybersecurity effort has the potential to land a company in serious hot water with regulators, investors, and customers alike. (For more on this, listen to our recent Capital Considerations podcast episode, Cybersecurity Threats: Staying safe in an increasingly vulnerable world, where we spoke with cybersecurity expert Morgan Wright on the importance of proactive investment in cybersecurity infrastructure.)
What is corporate engagement and our approach
As investors, we consider a number of relevant financial risks, including cybersecurity, in our equity research. While we do not invest exclusively in companies that have fulfilled all best practices, we do use the levers at our disposal to mitigate identified risks. One of these levers is corporate engagement, a broad term that encompasses any number of actions investors might take to make company management aware of concerns or issues as they arise in the normal due diligence and monitoring process. Engagement could take the form of conversations with management, written letters, or shareholder proposals at annual meetings.
Engagement is a hallmark of environmental, social, and governance (ESG) investing. ESG-oriented managers and investors believe that the risks associated with company practices can affect long-term shareholder returns, just as more traditional risks do. Active engagement through constructive conversations with company management provides an avenue to address these risks, and to work alongside management to develop corrective practices that will improve company sustainability and long-term risk/return expectations. It also gives investors an opportunity to gain further clarity on any issues of concern or confusion.
As long-term investors, our aim is to maintain constructive relationships with management teams, and to act as a partner in their work to adjust or introduce behaviors and processes. The goal, always, is to ensure that ESG risks are being considered in management strategy in order to maximize shareholder value.
Our engagement efforts
As the world relies more and more on technology and digital recordkeeping, increasing amounts of personal data are stored online, in private firm databases, and with third-party providers. This trend accelerated rapidly as COVID-19 forced many in-person activities and transactions online. For a healthcare provider, the increasing quantities of personally identifiable information (PII) and personal health information (PHI) stored online pose a notable risk.
We believe that our resources are best utilized through focused, targeted engagement efforts on select topics. We decided that a commonsense point of focus was the preparedness of healthcare providers for the increased challenge of data protection. With the pandemic bringing both a larger volume of accumulated retail health data and an increased reliance on digital recordkeeping, it was paramount to ensure that this risk, like any other, was being preemptively managed by the companies that might find themselves most affected.
After extensive research across our portfolio investments, we identified two firms that we felt, based on available information, may be vulnerable to ransomware attacks. Both, a national pharmacy chain and a clinical laboratory chain, hold vast amounts of PII and PHI on large portions of the population. COVID-19 testing further broadened their network of customers. After gathering information from public reporting, company disclosures, and third-party ESG data providers, we were able to engage directly with management to both present our findings and ask further questions. In these cases, speaking with management was a further step taken in ensuring that risk mitigation practices were in place. After conversations with key management personnel, we were able to move forward with comfort in the systems these firms had instituted, their responses to the increased reliance on technology during the pandemic, and their data security governance infrastructure, all of which may not have been reflected in full in published materials due to the sensitive nature of the topic.
The risks associated with a data breach are far-reaching, and would likely include reputational damage, legal ramifications, and certainly an impacted bottom line as firms pay their way through a clean-up operation. The opportunity cost of lost business should servers be shut down only further emphasizes the devastating nature of these attacks. Even beyond the reputational damage, though, the social implications of a firm violating individuals’ right to privacy by suffering a data breach should be considered as another spoke of the wheel.
As investors, we are cognizant of the dangers of becoming complacent in cybersecurity risk management. Engagement with management helps to assure us that we’re aware of the risks embedded in our portfolio and that we’re comfortable with the steps management teams are taking to address these risks. While the risk of a data breach can never be fully eliminated, a flexible and comprehensive approach to cybersecurity can help to mitigate it, and we want to ensure that our portfolio companies are not taking any chances.