
ISS ESG Governance QualityScore: Balancing Disclosure & Risk

By Randi Morrison posted 05-20-2021 11:16 PM


Aon’s “Corporate Disclosure of Cyber Risks May Get More Detailed Following a Change in ESG Ratings” discusses the challenges companies are encountering with ISS ESG’s updated Governance QualityScore (GQS) methodology, which may effectively force companies to choose between accepting a worse rating (which equates to a higher score) from ISS or over-disclosing information about their cybersecurity breaches, insurance, and other cyber-related practices.

As we previously reported, in late January, ISS ESG released an updated GQS Methodology Guide that includes 17 new factors, 11 of which address Information Security (IS) Oversight and IS Risk Management Oversight, which are two new subcategories within the Audit category. GQS is ISS’s proprietary rating system purportedly aimed at helping institutional investors review a company’s governance quality and assess risk; it is part of the ISS ESG “portfolio” of ratings offerings that include ESG Scorecard, E&S Disclosure QualityScore, Carbon Risk Rating, and others. Many companies’ scores went from best to worst or good to bad literally overnight as a result of the addition of these new factors.

While ISS indicates that companies’ GQS scores don’t impact its voting recommendations, the scores are included in ISS’s proxy research reports distributed to its investor clients in advance of companies’ annual meetings and are included in the "Corporate Governance" section of each company’s Yahoo Finance profile page. As a result of that visibility, as well as the fact that surveys show that investors do in fact use these scores to flag governance performance/quality concerns (see, e.g., “A Look at the World's Largest 50 Asset Managers” (SquareWell Partners) and “Rate the Raters 2020: Investor Survey and Interview Results” (SustainAbility)), companies legitimately have concerns about the implications of these scores.

While some of the newly added factors are fairly innocuous and commonly disclosed in companies’ proxy statements or other SEC filings, particularly those in the IS Oversight subcategory, many of the factors in the IS Risk Management Oversight subcategory, such as those pertaining to the number and timing of cyber breaches (without regard to materiality) and cyber insurance coverage, are infrequently disclosed publicly, and for good reason.

Aon observes:

[T]he questions ISS is including under Information Security Risk Management Oversight are not only uncommon in the marketplace but could result in risks associated with disclosing sensitive information should it be included in publicly filed Form 10-K disclosures…Our research finds that detailed disclosure surrounding cyber breaches and insurance coverage are uncommon. Public companies are balancing the need for transparency on their cyber-related practices — which can boost their ratings score and please ESG-savvy investors — with the risk of divulging vulnerable information on a firm’s cyber prevention plans.

According to the firm’s review of S&P 1500 Form 10-K disclosures for the most recent fiscal year as of January 31, 2021, companies commonly disclosed compliance with relevant data privacy and cybersecurity laws and regulations, the board’s cybersecurity oversight structure, and cyber risk mitigation measures. However, few companies disclose their risk mitigation measures with specificity, which ISS’s methodology calls for in order for companies to receive more “credit.” Similarly, while most companies disclose the maintenance of cyber insurance coverage, coverage amounts understandably are not disclosed; ISS’s methodology calls for companies to disclose that their coverage is sufficient to defray the costs of a cyber breach.

Aon encourages companies to enhance their disclosure to assure stakeholders that they have implemented effective cyber controls (including, e.g., more specificity concerning industry-specific risk mitigation efforts), without assuming the undue risks associated with over-disclosing sensitive information for the sake of improving their ISS GQS rating.

Access additional resources on our Proxy Advisors page and Sustainability/ESG page - Ratings/Raters.

This post first appeared in the weekly Society Alert!
