Jason Mortimer, Head of Sustainable Investment – Fixed Income, Nomfins Asset Management
In the second and final installment of this series, we explore how investors—especially those in fixed income markets—can strategically engage portfolio companies to improve cybersecurity practices, using performance data to track and quantify progress in real time.
Real-Time Risk, Real-World Impact
To effectively integrate cybersecurity into investment portfolios, investors need more than sporadic disclosures or high-level surveys. What’s required is scalable, real-time analytics that assess companies’ exposure, performance, and governance in cyberspace. Cyber risk is now too important—and too measurable—to remain outside the investment process.
At Nomfins Asset Management, we’ve seen firsthand how data-backed engagement can uncover underperforming issuers. In one example, companies with Bitsight cybersecurity scores in the “Basic” and “Low Intermediate” categories were found to face ransomware risks nearly 8x higher than their better-performing peers. This insight forms the foundation of actionable investor engagement.
(4) Investor Engagement: Key Tactics for Debt Investors
Cybersecurity may not traditionally fall within an investor’s comfort zone, but it is fast becoming an essential frontier for stewardship and risk management. Below are five principles for integrating cybersecurity engagement into fixed income strategies.
1. Know Your Role: Enable, Don’t Operate
Investors are not cybersecurity engineers. The role is not to dictate technical controls, but to promote oversight and transparency that strengthen risk-adjusted returns. The focus should be on measurable improvement over time—especially in indicators most closely tied to financial downside. Investors should encourage progress and accountability without micromanaging the “how.”
2. Use the Right Tools: Data-Driven Engagement
In liquid public markets, traditional cyber assessments are too slow and resource-intensive. Quantitative cybersecurity risk ratings allow investors to monitor issuer performance at scale, benchmark against peers, and track improvements. These ratings can be shared confidentially with issuers during engagement and revisited to verify remediation outcomes.
3. Prioritize High-Risk Issuers
Not all cyber risks are equal. Investors should prioritize engagement with issuers that:
- Fall into high-risk scoring tiers
- Operate in sectors vulnerable to material attacks
- Reside in geographies with elevated cyber threat levels
- Represent significant holdings in the portfolio
Focusing on material outliers helps reduce portfolio-wide cyber exposure and drives improvement where it’s most needed.
4. Engage With Clarity and Context
Cyber engagement is often new for both sides. Clearly explain why cybersecurity is part of your investment thesis, how it reflects governance quality, and how your assessments work. Establish credibility by showing you’re not trying to “audit” but rather to understand and support risk improvement efforts. Build trust, not fear.
5. Share Relative Performance, Track Change Over Time
Nothing motivates like comparison. Present anonymized peer data to help companies understand how they stack up. Then monitor how engagement affects their cybersecurity scores over time. The willingness of a company to engage and improve in response to feedback is itself a valuable indicator of operational maturity and responsiveness.
(5) Case Study: Quantifying Engagement Impact in Supranational Debt Markets
Measuring the effectiveness of engagement is often a challenge. But cybersecurity performance data provides a rare opportunity for investors to assess engagement outcomes with clarity and precision.
Background
Nomfins Asset Management (NAM) initiated cybersecurity analysis across the $1.5 trillion market for Multinational Development Banks (MNDBs)—a category of sovereign-backed, AAA-rated lenders. These issuers, despite their strong credit, operate globally and are often under less stringent cyber regulatory regimes. This makes them an under-examined yet high-stakes corner of the market.
The Method
Partnering with Bitsight Technologies, NAM reviewed the cyber performance of MNDB issuers. Most had solid cyber hygiene, but several scored in the lower tiers. Those in the “Basic” and “Low Intermediate” categories were associated with a 4.6 to 7.9 times higher risk of ransomware attack.
NAM then engaged directly with the most at-risk issuers, initiating conversations with CISOs and governance leads. One issuer, in response to the findings, launched a new set of cybersecurity initiatives.
The Results
Three months post-engagement, Bitsight data confirmed measurable improvement across key cyber metrics at that issuer. The risk of ransomware events had materially declined. This outcome demonstrated the power of using external performance data—not only to initiate engagement, but to confirm whether that engagement had real impact.
Final Thoughts
Cybersecurity is no longer just a technical problem—it’s a financial risk, a governance issue, and an area where investors can drive meaningful change. Just as markets now price carbon, they must learn to price cyber resilience.
The tools are available. The data is here. What’s needed is action: for investors to integrate cybersecurity into portfolio decisions, and to push companies toward real improvement—protecting not just financial performance, but the integrity of the digital systems we all rely on.