In the first installment of a two-part series, Jason Mortimer, Head of Sustainable Investment – Fixed Income at Nomfins Asset Management, explores how investors can integrate cybersecurity risk into portfolio management. With cyber threats now recognized among the top global risks, investors have a clear opportunity—and responsibility—to engage with companies on their cyber resilience strategies.
Cyber Threats: A Growing Concern for Investors
The rising complexity and frequency of cyberattacks have made cybersecurity a fundamental risk consideration across sectors and geographies. From data breaches to operational shutdowns, the financial and reputational impact of cyber incidents is no longer hypothetical. As digital infrastructure becomes central to business operations, so does the need to assess and manage the vulnerabilities tied to it.
Recognizing this shift, investors are beginning to view cybersecurity not merely as a technical concern, but as a key part of corporate governance and enterprise risk management. Data-driven tools now allow for objective assessment of a company’s cyber posture, empowering even non-technical investors to identify red flags, engage with management, and drive improvements that safeguard both financial performance and societal stability.
From Blind Spots to Boardroom Issues
A defining moment in the evolving regulatory landscape occurred on October 30, 2023, when the U.S. Securities and Exchange Commission filed a lawsuit against SolarWinds. The company, which experienced a massive breach, was accused of misleading investors about the strength of its cybersecurity protocols. The case underscores a broader movement—heightened regulatory expectations around cyber disclosures, and growing investor demand for transparency.
Cybersecurity is increasingly treated as a governance issue—where lack of clarity, incomplete reporting, or underperformance may be signs of broader management weaknesses. Investors need clear, forward-looking signals to assess cyber readiness. Fortunately, external data providers are now offering analytics that monitor cybersecurity performance based on observable digital indicators—extending the ability to evaluate both public and private companies globally.
Why Investors Should Engage on Cybersecurity
Governance as a Proxy
Cybersecurity readiness is a useful proxy for broader corporate governance quality. A company that makes proactive investments in securing its systems is more likely to demonstrate effective management elsewhere. In this way, cybersecurity maturity offers a measurable signal of operational discipline and strategic foresight.
Managing Investment Downside
Cyber breaches can severely impact financial performance. The SolarWinds breach led to a 35% drop in share price within a month. Ratings agencies such as Moody’s now routinely flag cyber incidents as credit-negative events. Similarly, recent high-profile attacks on firms like Clorox and MGM have shown just how financially material these risks can be.
Where Investors Can Engage
Although cybersecurity is relevant across asset classes, some types of investors are uniquely positioned to push for change.
Credit Markets
Credit investors, focused on downside risk, are well-aligned to make cybersecurity a central engagement topic. Because they lack voting rights or other equity levers, direct engagement with management on issues like cybersecurity is one of the most powerful and constructive forms of risk oversight available to them.
Private Debt
Smaller borrowers often have limited cyber capabilities and insurance coverage, making them vulnerable to attacks. Lenders in private markets are increasingly incorporating cybersecurity evaluations into due diligence processes and even offering technical support to improve borrowers’ defenses—particularly in developing regions and high-risk industries.
Infrastructure Assets
Critical infrastructure—spanning sectors like energy, water, transport, and telecommunications—is particularly exposed to cyber threats, with national security implications. As geopolitical tensions escalate, cyber risk for these assets becomes not only an investment concern but a public interest issue. Engagement here can strengthen compliance, risk controls, and even license-to-operate.
Public Equity
While shareholders can influence corporate behavior, market incentives often favor short-term returns over long-term resilience. Minority investors may be reluctant to advocate for costly but necessary cybersecurity investments, creating a misalignment of risk and return. This highlights the need for better disclosure standards and active stewardship.
Building a Data-Driven Cyber Risk Framework
Most investors aren’t cybersecurity experts—and they don’t need to be. What’s more important is having a clear sense of where risk exposure lies and how well companies are managing it, particularly compared to their peers.
A structured approach involves:
- Bottom-Up Analysis: Evaluate how a company’s cybersecurity posture affects its ability to mitigate operational, financial, or reputational damage. Look for relative performance against sector benchmarks and risk-adjusted indicators.
- Top-Down Sector Insights: Analyze which sectors and geographies are most vulnerable to cyberattacks. Research trends in breach frequency, cost impact, and known threat actors to identify where risks are concentrated.
- Real-Time Monitoring: Use cybersecurity risk ratings and performance analytics that update frequently. These tools can serve as early warning indicators, allowing investors to intervene before risks become material.
A Practical Example of Data-Driven Engagement
At Nomfins Asset Management, an internal alert system flagged a U.S. healthcare company with rapidly declining cybersecurity ratings. Analysis revealed that the firm faced a significantly higher risk of breach than industry peers. Although specific vulnerabilities were not disclosed, the data indicated systemic weaknesses. Investor engagement followed, raising the issue with the company and prompting a review of its cybersecurity strategy. This underscores the power of real-time, outside-in data in shaping meaningful investor action.
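The framework above (bottom-up peer comparison, top-down sector view, real-time monitoring) and the alert in this example can be reduced to a small screening rule. The following is an added illustration, not code from Nomfins Asset Management or from any rating vendor; the issuer names, sector labels, scores and thresholds are all constructed.

```python
from statistics import median
from typing import Dict, List

# Constructed sample data, not real vendor ratings: monthly outside-in cyber
# risk scores per issuer (higher = stronger posture), oldest first, plus an
# assumed sector label for each issuer.
RATINGS: Dict[str, List[int]] = {
    "HealthCo":  [780, 760, 720, 640, 590],  # rapid decline, like the case above
    "MedGroup":  [800, 805, 798, 802, 800],
    "ClinicNet": [760, 762, 758, 765, 770],
    "PowerGrid": [700, 695, 690, 688, 685],
    "WaterUtil": [720, 718, 722, 719, 721],
}
SECTOR: Dict[str, str] = {
    "HealthCo": "healthcare", "MedGroup": "healthcare", "ClinicNet": "healthcare",
    "PowerGrid": "infrastructure", "WaterUtil": "infrastructure",
}

def sector_benchmark(sector: str) -> float:
    """Top-down view: median of the latest scores across a sector's issuers."""
    return median(s[-1] for c, s in RATINGS.items() if SECTOR[c] == sector)

def peer_gap(company: str) -> float:
    """Bottom-up view: latest score minus the sector median (negative = weaker)."""
    return RATINGS[company][-1] - sector_benchmark(SECTOR[company])

def score_change(company: str, window: int = 3) -> int:
    """Change over the last `window` observations (negative = deteriorating)."""
    series = RATINGS[company]
    if len(series) <= window:
        raise ValueError(f"{company}: need more than {window} observations")
    return series[-1] - series[-1 - window]

def screen(min_drop: int = 50, min_gap: int = 40) -> Dict[str, List[str]]:
    """Real-time monitoring rule: return issuer -> reasons for every issuer that
    fell by `min_drop` points over the window (early warning) or sits `min_gap`
    points below its sector median (peer underperformance)."""
    flagged: Dict[str, List[str]] = {}
    for company in RATINGS:
        reasons = []
        change = score_change(company)
        gap = peer_gap(company)
        if change <= -min_drop:
            reasons.append(f"score fell {-change} points over the window")
        if gap <= -min_gap:
            reasons.append(f"{-gap:.0f} points below {SECTOR[company]} median")
        if reasons:
            flagged[company] = reasons
    return flagged
```

Each flagged issuer carries both signals separately, so an engagement team can distinguish a sudden deterioration from persistent underperformance against peers.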
What’s Next
In Part 2, we’ll explore how fixed income investors can structure effective engagement with companies on cybersecurity risks. We’ll also walk through a case study that shows how to measure the tangible outcomes of investor-led cyber engagement.