Home    The growing importance of ESG   Cyber Security / Data Privacy – Assessing how companies manage cyber risk


In a previous article, we discussed climate change as one primary environmental, social and governance (ESG) concern for investors. In today’s information-driven economies, cyber security and data privacy are also critical ESG factors. For example, 67% of institutional investors surveyed by RBC Global Asset Management (RBC GAM) rank cyber security as a top ESG concern.1 Another survey of businesses by the World Economic Forum identifies cyber attacks as the leading threat in economically advanced regions.2

The breach of a company’s information technology infrastructure can have far-reaching impacts on its financial, legal, reputational and even physical integrity. Moreover, these breaches pose significant risks to customers, business partners and other key stakeholders. As a result, cyber security and data privacy are key risk considerations for investors, as they can drastically impact the value of an investment. With more employees working from home due to COVID-19, and governments and companies collecting and sharing personal information in new ways, cyber security and data protection are among the most critical issues RBC GAM’s investment teams are paying attention to.

Why cyber security and data privacy are investment issues

The business impacts of cyber breaches often fall into five categories:

  1. Disruptions to a company’s operations and its employees’ work.
  2. Damage to a company’s brand and customer confidence and trust.
  3. Risk to sensitive personal and financial information of customers, suppliers and government and business partners.
  4. Potential lawsuits and legal/regulatory penalties resulting from a company’s security breach and/or misuse of customer data.
  5. Significant downgrades of the company’s total value or other financial consequences resulting from any of the above scenarios.

The importance of data across sectors and industries, plus numerous highly publicized information technology breaches in recent years, have resulted in an increased focus on how well a company’s vital business operations and personal information are protected. The COVID-19 pandemic, which has resulted in more personal data being collected by governments and companies and more business operations and transactions being completed electronically, has further underscored the importance of the integrity of information systems.

Cyber security, data privacy and ESG investing in action

Engaging with the companies we invest in is central to RBC GAM’s approach to responsible investment. As a full assessment of risk is a central component in all our investment strategies, our portfolio managers engage with corporate management teams and boards to ensure full disclosure of a company’s policies, practices and procedures around cyber security and data privacy.

A company’s exposure to cyber security and data privacy issues are largely a function of its business model, what data it collects and how it processes, stores and shares that data. While each situation is unique, some of the common criteria we look at across different types of companies include:

  • Quality and scope of its disclosure of its cyber security and data privacy risks, and its plan to monitor and improve its systems in a rapidly evolving landscape.
  • Degree of board oversight and accountability.
  • Proficiency and compliance with relevant laws and regulations.
  • Commitment to collecting only necessary data and ensuring the informed consent of its stakeholders in doing so.
  • Ability to implement robust security management practices.
  • Awareness of the importance of cyber security and data privacy at all levels of the firm.
  • General approach to corporate governance.

COVID-19 is leading to investors looking at cyber security and data privacy risks more closely, as companies across several industries have quickly shifted to remote working environments. Understanding what measures are in place to safeguard systems and sensitive data has become an increasingly important issue for investors.

Derek Butcher, Senior ESG Analyst, Corporate Governance & Responsible Investment, RBC Global Asset Management


The future of IT security issues

Client interest in responsible investing is growing.3 Furthermore, the impact of technology on the day-to-day lives of clients and the highly public nature of major data breaches means that a company’s hard-won reputation is at stake. As a result, it is critical for asset managers and advisors to be aware of the cyber security and data privacy risk levels of a given investment. In a world where personal data is collected, stored and mined for value on an unprecedented scale, how companies deal with technology’s threats and opportunities will continue to be one of the most pressing ESG concerns globally.

In addition to our previous article on climate change, keep an eye out for our upcoming article on another critical ESG issue: employee management. For more information about investment risks related to cyber security, data privacy and other ESG factors, visit https://www.rbcgam.com/ri.

1 RBC Global Asset Management, 2019 Responsible Investment Survey Key Findings.
2 World Economic Forum, Insight Report: Regional Risks for Doing Business 2018.
3 Responsible Investment Association, 2019 RIA Investor Opinion Survey: Canadian Investor Perspectives on Plastic, October 2019.

This has been provided by RBC Global Asset Management Inc. (RBC GAM) and is for informational purposes, as of the date noted only. It is not intended to provide professional advice and such information should not be relied upon as such.  Information obtained from third parties is believed to be reliable but RBC GAM and its affiliates assume no responsibility for any errors or omissions or for any loss or damage suffered. RBC GAM reserves the right at any time and without notice to change, amend or cease publication of the information. Some of the statements contained in this document may be considered forward-looking statements which provide current expectations or forecasts of future results or events. Forward-looking statements are not guarantees of future performance or events and involve risks and uncertainties. Do not place undue reliance on these statements because actual results or events may differ materially from those described in such forward-looking statements as a result of various factors. Before making any investment decisions, we encourage you to consider all relevant factors carefully. 

October 2020