The Cyber Security Engagement Programme, coordinated by Royal London Asset Management, engaged with an American pharmaceutical company in Phase 3 of the engagement and were reassured by its consistent application of cybersecurity principles across business units, including a recent acquisition, and the level of board oversight. Following discussions, we have seen improved disclosures in 2023, where director biographies had been updated to include cybersecurity experience. We have also noted an emphasis on Board’s active role in reviewing company’s cybersecurity risks and dedicated ESG reporting.
Another conversation with a British financial services company was positive – it welcomed our feedback on how its practices and disclosures could be improved. We were satisfied that appropriate improvements have been made following a 2021 fine for failure to report breaches and encouraged related public disclosures. The company has also demonstrated best practice on governance and risk management processes surrounding cyber security. While the security of the information perimeter is an area for improvement, through the dialogue, we gained comfort that the company was focused on this area.
The dialogue with a logistics company provided opportunity to understand its response to the cyber-attack in 2022, and management shared insights on how it has improved the company’s cyber resilience since. This included the appointment of a Chief Information Security Officer (CISO) and the implementation of enhanced security measures based on recommendations from cyber experts at Google and Microsoft. While we appreciate the improvements made by the company, we recognise that further alignment with best practices is necessary. We will provide recommendations to the company and continue to monitor their progress against our investor expectations.